From 0440620694294cba5d2661f62b9594edd955601d Mon Sep 17 00:00:00 2001
From: Sunil Thaha
Date: Wed, 11 Oct 2023 15:30:38 +1000
Subject: [PATCH] fix(kind): ensure prometheus can discover all services (#272)
Previously, prometheus deployed to monitoring namespace wasn't able to discover kepler deployed to `openshift-kepler-operator` because it lacked the rbac to discover services outside `monitoring` namespace. This commit fixes it by adding additional rbac rules allowing all services to be discovered.
Signed-off-by: Sunil Thaha
---
 hack/cluster.sh | 3 +++
 hack/monitoring/rbac/prometheus-cr.yaml | 25 +++++++++++++++++++
 .../rbac/prometheus-k8s-full-crb.yaml | 15 +++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 hack/monitoring/rbac/prometheus-cr.yaml
 create mode 100644 hack/monitoring/rbac/prometheus-k8s-full-crb.yaml
diff --git a/hack/cluster.sh b/hack/cluster.sh
index 1a146ca0..25923187 100755
--- a/hack/cluster.sh
+++ b/hack/cluster.sh
@@ -75,6 +75,9 @@ cluster_prereqs() {
 info "Ensure openshift namespace for dashboard exists"
 run kubectl create namespace openshift-config-managed
+
+ info "Ensure prometheus can monitor all namespaces"
+ run kubectl create -f hack/monitoring/rbac
 }
 ensure_all_tools() {
diff --git a/hack/monitoring/rbac/prometheus-cr.yaml b/hack/monitoring/rbac/prometheus-cr.yaml
new file mode 100644
index 00000000..c4e3ed91
--- /dev/null
+++ b/hack/monitoring/rbac/prometheus-cr.yaml
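Review bot: In hack/cluster.sh the new step uses `kubectl create -f`, which returns AlreadyExists once the ClusterRole and ClusterRoleBinding are present, so the "Ensure prometheus can monitor all namespaces" step does not hold on a second run against the same cluster. `run kubectl apply -f hack/monitoring/rbac` would make it repeatable. The path is relative, so the step presumably relies on the script being started from the repository root. The rest of cluster_prereqs and the definition of `run` lie outside the hunk, so how a failure here is handled cannot be seen.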
@@ -0,0 +1,25 @@
+# NOTE: prometheus itself requires these rbac for service discovery
+# ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/rbac.md#prometheus-rbac
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus-discovery
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - nodes/metrics
+ - services
+ - endpoints
+ - pods
+ - configmaps
+ - secrets
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
diff --git a/hack/monitoring/rbac/prometheus-k8s-full-crb.yaml b/hack/monitoring/rbac/prometheus-k8s-full-crb.yaml
new file mode 100644
index 00000000..867f4aaf
--- /dev/null
+++ b/hack/monitoring/rbac/prometheus-k8s-full-crb.yaml
@@ -0,0 +1,15 @@
+# NOTE: prometheus itself requires these rbac for service discovery
+# ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/rbac.md#prometheus-rbac
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-k8s-full
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-discovery
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: monitoring
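Review bot: The first rule of the `prometheus-discovery` ClusterRole in hack/monitoring/rbac/prometheus-cr.yaml grants get/list/watch on `secrets` and `configmaps`, and the ClusterRoleBinding in prometheus-k8s-full-crb.yaml makes that grant cluster-wide for the `prometheus-k8s` service account in `monitoring`. Service discovery, which is what the commit message describes, needs nodes, services, endpoints and pods; with this role anyone who obtains the Prometheus service-account token can read every Secret in every namespace. I would drop `- secrets` from the list and, if ConfigMaps are needed at all, move `- configmaps` into its own rule with `verbs: ["get"]`. If a scrape configuration really has to read credentials from a Secret, a namespaced Role and RoleBinding in that one namespace would keep the grant contained.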