use namespaced-role/rolebinding

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
projectcontour · May 7, 2024 · af7fbff · af7fbff
1 parent 23a1bb4
commit af7fbff
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 42 deletions.
diff --git a/examples/prometheus/clusterrole-patch.json b/examples/prometheus/clusterrole-patch.json
diff --git a/examples/prometheus/rbac.yaml b/examples/prometheus/rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus
+  namespace: projectcontour
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "endpoints"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus
+  namespace: projectcontour
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus
diff --git a/site/content/docs/main/guides/prometheus.md b/site/content/docs/main/guides/prometheus.md
@@ -40,12 +40,10 @@ $ kubectl apply -f examples/grafana/httpproxy.yaml
 
 ### Scrape Contour and Envoy metrics
 
-To enable Prometheus to scrape metrics from the Contour and Envoy pods, some small customizations are needed to the sample deployment:
-
-Update `ClusterRole` to enable the installed Prometheus instance to monitor `Pods` and other resources in all namespaces:
+To enable Prometheus to scrape metrics from the Contour and Envoy pods, we can add some RBAC customizations with a `Role` and `RoleBinding` in the `projectcontour` namespace:
 
 ```sh
-$ kubectl patch clusterrole prometheus-k8s --type=json --patch-file examples/prometheus/clusterrole-patch.json
+kubectl apply -f examples/prometheus/rbac.yaml
 ```
 
 Now add [`PodMonitor`][6] resources for scraping metrics from Contour and Envoy pods in the `projectcontour` namespace: