Merge pull request #231 from VictoriaMetrics/additional-rbac

additional rbac for openshift
VictoriaMetrics · Apr 21, 2021 · 0ead317 · 0ead317
2 parents 3e2a248 + 173cf0a
commit 0ead317
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 2 deletions.
diff --git a/api/v1beta1/vmagent_types.go b/api/v1beta1/vmagent_types.go
@@ -179,6 +179,7 @@ type VMAgentSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Key at Configmap with relabelConfig name",xDescriptors="urn:alm:descriptor:io.kubernetes:ConfigMapKeySelector"
 	RelabelConfig *v1.ConfigMapKeySelector `json:"relabelConfig,omitempty"`
 	// InlineRelabelConfig - defines GlobalRelabelConfig for vmagent, can be defined directly at CRD.
+	// +optional
 	InlineRelabelConfig []RelabelConfig `json:"inlineRelabelConfig,omitempty"`
 	// ServiceScrapeSelector defines ServiceScrapes to be selected for target discovery.
 	// +optional

diff --git a/config/examples/vmagent_rbac.yaml b/config/examples/vmagent_rbac.yaml
@@ -22,10 +22,19 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources:
+      - namespaces
       - configmaps
     verbs: ["get"]
-  - nonResourceURLs: ["/metrics"]
+  - nonResourceURLs: ["/metrics","/metrics/resources"]
     verbs: ["get"]
+  - apiGroups:
+      - route.openshift.io
+      - image.openshift.io
+    resources:
+      - routers/metrics
+      - registry/metrics
+    verbs:
+      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -306,6 +306,7 @@ rules:
     - watch
 - nonResourceURLs:
     - "/metrics"
+    - "/metrics/resources"
   verbs:
     - get
     - watch
@@ -390,3 +391,11 @@ rules:
     - list
     - get
     - watch
+- apiGroups:
+    - route.openshift.io
+    - image.openshift.io
+  resources:
+    - routers/metrics
+    - registry/metrics
+  verbs:
+    - get
diff --git a/controllers/factory/vmagent.go b/controllers/factory/vmagent.go
@@ -526,6 +526,7 @@ func addAdditionalObjectOwnership(cr *victoriametricsv1beta1.VMAgent, rclient cl
 		UID:                cr.UID,
 	})
 	object.SetOwnerReferences(existOwners)
+	victoriametricsv1beta1.MergeFinalizers(object, victoriametricsv1beta1.FinalizerName)
 
 	return rclient.Update(context.Background(), object)
 }

diff --git a/controllers/factory/vmagent/rbac.go b/controllers/factory/vmagent/rbac.go
@@ -130,6 +130,7 @@ func buildVMAgentClusterRole(cr *v1beta12.VMAgent) *v12.ClusterRole {
 					"pods",
 					"endpointslices",
 					"configmaps",
+					"namespaces",
 				},
 			},
 			{
@@ -144,9 +145,18 @@ func buildVMAgentClusterRole(cr *v1beta12.VMAgent) *v12.ClusterRole {
 				},
 			},
 			{
-				NonResourceURLs: []string{"/metrics"},
+				NonResourceURLs: []string{"/metrics", "/metrics/resources"},
 				Verbs:           []string{"get", "list", "watch"},
 			},
+			{
+				APIGroups: []string{"route.openshift.io", "image.openshift.io"},
+				Verbs: []string{
+					"get",
+				},
+				Resources: []string{
+					"routers/metrics", "registry/metrics",
+				},
+			},
 		},
 	}
 }