Limit the Prometheus role to two namespaces by default #720
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Unless clusterRole is specified, the Prometheus role will be restricted to scraping from only a single namespace. This fixes issue: #717 where I user complained that they did not want to create a ClusterRole in their cluster. It has been tested with k3d and K8s 1.19 with and without the --set clusterRole=true flag passed into the faas-netes helm chart. The second Role and RoleBinding needed a different name to the ones in the primary namespace in order for the RBAC error to go away in Prometheus. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
When the namespace was the same as the function namespace, the Prometheus configuration was set to scrape openfaas twice. I assume that this was either not a problem for users, or it was de-duplicated by Prometheus. Tested by looking at the output of the configmap with and without differing namespaces set. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
|
Thank you to @meyskens for suggesting that two Roles may be necessary. I tried two roles and bindings with the same name (but differing namespaces) which failed, but with unique names, it worked as expected. |
|
@LucasRoesler just wondering when you could get to this? |
LucasRoesler
approved these changes
Dec 5, 2020
|
Thank you |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Alex Ellis (OpenFaaS Ltd) alexellis2@gmail.com
Description
Limit the Prometheus role to two namespaces by default
Motivation and Context
Limit the Prometheus role to two namespaces
Unless clusterRole is specified, the Prometheus role will be
restricted to scraping from only a single namespace.
This fixes issue: #717 where I user complained that they did
not want to create a ClusterRole in their cluster.
How Has This Been Tested?
It has been tested with k3d and K8s 1.19 with and without the
--set clusterRole=true flag passed into the faas-netes helm
chart.
The second Role and RoleBinding needed a different name to the
ones in the primary namespace in order for the RBAC error to
go away in Prometheus.
Types of changes
Checklist:
This is likely to break for any users wishing to upgrade, due to the existing
ClusterRolewhich theywill have in their cluster and its mapping.
The upgrade procedure is to delete the roles and bindings and then to run a helm upgrade.