Hello,
In order to simplify monitoring our application running on the cloud-softwarefactory namespace, we require that our service account (sf-service-account) be granted the following API access via a role binding:
--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: cloud-softwarefactory name: sf-prometheus-role rules: - apiGroups: - monitoring.coreos.com resources: - podmonitors - prometheusrules - prometheuses - servicemonitors verbs: - create - delete - get - list - patch - update - watch
These role and role binding need to be scoped to the namespace (we don't want to interfere with any other prometheus resources deployed on the cluster).
Let me know if any more info is needed.
Thanks!
Metadata Update from @arrfab: - Issue assigned to arrfab - Issue tagged with: centos-ci-infra, medium-gain, medium-trouble
That role was created and following RoleBinding also added :
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: sf-prometheus-rolebinding namespace: cloud-softwarefactory subjects: - kind: ServiceAccount name: sf-service-account namespace: cloud-softwarefactory roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sf-prometheus-role
If that works for you, we can then close ticket :)
per discussion on Slack it seems it was working so closing this one for now
Metadata Update from @arrfab: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.