# Prometheus RBAC: the ServiceAccount the server runs as, a read-only
# ClusterRole for service discovery and scraping, and the binding between them.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: prometheus  # namespace Prometheus is deployed in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
# Every rule below grants only get/list/watch (plus get on /metrics) — no
# create/update/delete — so the account can discover and scrape but not
# modify cluster state.
rules:
  # Basic resource-discovery permissions
  - apiGroups: [ "" ]
    resources:
      - nodes
      - nodes/metrics
      # NOTE(review): nodes/proxy reaches kubelet endpoints through the API
      # server proxy; if kubelet/cAdvisor metrics are scraped via nodes/metrics
      # this entry may be unnecessary — confirm against the scrape config.
      - nodes/proxy
      - services
      - endpoints
      - pods
      # NOTE(review): this is cluster-wide read of every ConfigMap; confirm the
      # scrape config actually needs it, otherwise drop it (least privilege).
      - configmaps
      - namespaces  # key: allows discovery across all namespaces
    verbs: [ "get", "list", "watch" ]

  # Ingress monitoring permissions (compatible with old and new API groups)
  - apiGroups: [ "extensions", "networking.k8s.io" ]
    resources: [ "ingresses" ]
    verbs: [ "get", "list", "watch" ]

  # Prometheus Operator CRD permissions (only if the Operator is in use)
  - apiGroups: [ "monitoring.coreos.com" ]
    resources:
      - servicemonitors
      - podmonitors
      - prometheuses
      - alertmanagers
    verbs: [ "get", "list", "watch" ]

  # Non-resource permissions (e.g. the /metrics endpoint)
  - nonResourceURLs: [ "/metrics" ]
    verbs: [ "get" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
# Binds the ClusterRole above to the ServiceAccount cluster-wide.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: prometheus  # must match the ServiceAccount's namespace