limiting permissions for the prometheus ClusterRole?


Victor Sudakov

Nov 8, 2021, 12:38:33 AM11/8/21
to promethe...@googlegroups.com
Dear Colleagues,

There is a good working example of RBAC setup in
https://github.com/prometheus/prometheus/blob/main/documentation/examples/rbac-setup.yml
However if I want to discover and scrape only pods for metrics, these
permissions seem a bit excessive.

What RBAC permissions can be safely removed from the prometheus
ClusterRole if only "role: pod" is required? There is also a discussion
open at https://github.com/prometheus/prometheus/discussions/9672 ,
you can comment there if you like.

Thanks in advance for any input.

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Matthias Rampke

Nov 8, 2021, 3:44:44 PM11/8/21
to Victor Sudakov, Prometheus Users
I think it should work with just get/list/watch on pods. Try it and see what happens?

/MR


Victor Sudakov

Nov 8, 2021, 9:22:20 PM11/8/21
to Prometheus Users, Matthias Rampke
Hello Matthias,

I've tried the set of permissions as quoted below and discovery did
NOT work. So the desired set of permissions should be somewhere in
between.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-prometheus
rules:
- apiGroups: [""]
  resources:
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]
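The setup Matthias describes, written out as an added example (it is not from the thread and not from the Prometheus repository's rbac-setup.yml): a ClusterRole that grants only get/list/watch on pods, a ClusterRoleBinding to the Prometheus ServiceAccount, and the scrape job the role is sized for. The namespace "monitoring" and the ServiceAccount name "prometheus" are assumed names; the prometheus.yml document at the end is a separate file, shown here only so the RBAC grant and the discovery role can be read side by side.

```yaml
# Added example: minimal RBAC for a Prometheus that uses only
# kubernetes_sd_configs with role: pod.
# "monitoring" and "prometheus" are assumed names, not values from the thread.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-pods-only
rules:
# The pod role lists and watches Pod objects only. "" is the core API group,
# where pods live. services, endpoints, nodes and ingresses are left out:
# they are needed by the service, endpoints, node and ingress roles, not by
# role: pod.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-pods-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-pods-only
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: monitoring
---
# prometheus.yml (a separate file, not a Kubernetes object): the scrape job
# that the ClusterRole above is scoped to. Only pods annotated
# prometheus.io/scrape: "true" are kept.
scrape_configs:
- job_name: kubernetes-pods
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
    action: keep
    regex: "true"
```

Before pointing Prometheus at it, check the grant from the ServiceAccount's point of view with impersonation: kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:monitoring:prometheus should print yes, and the same command with endpoints or nodes in place of pods should print no. If discovery still fails with a role this narrow, as Victor reports above, the Prometheus log carries the API server's "forbidden" message, which names the exact resource, verb and scope that was refused; that message, rather than trial and error on the rule list, is the authoritative way to find what is missing. Two caveats: Prometheus versions newer than this thread added attach_metadata with node: true to the pod role, which additionally requires get/list/watch on nodes; and if only pods in a known set of namespaces are to be scraped, listing them under namespaces.names in the kubernetes_sd_configs entry lets you replace the ClusterRole with a namespaced Role and RoleBinding per namespace, which is tighter still.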