From 520890270678c66319e7cb889ee14aa5f0c6408d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 5 Nov 2022 16:23:02 -0500
Subject: [PATCH] metrics: Add role to allow anon access to metrics

By default, the Kubernetes metrics endpoints are restricted. I don't think they're worth protecting with authentication, so I've added a cluster role/binding to allow anonymous access to them.
---
metrics/metrics.yaml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 metrics/metrics.yaml

diff --git a/metrics/metrics.yaml b/metrics/metrics.yaml
new file mode 100644
index 0000000..5d716af
--- /dev/null
+++ b/metrics/metrics.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus
+rules:
+- apiGroups: ['']
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:anonymous
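Review bot: The binding's only subject is `system:anonymous`, so any unauthenticated client that can reach the API server (and, presumably, any kubelet that accepts anonymous requests and delegates authorization) is granted `get` on `/metrics` and `nodes/metrics`; these endpoints can expose namespace, pod, container and node names, which is worth weighing as reconnaissance data before the cluster's API is reachable from less-trusted networks. If the scraper runs in-cluster, binding the role to its service account instead (`kind: ServiceAccount`, `name: <scraper-service-account>`, `namespace: <scraper-namespace>`) keeps the endpoints authenticated at little cost. If anonymous access is kept, rename the role and binding from `prometheus` to something like `anonymous-metrics` and add a comment above `subjects:` such as `# Deliberately unauthenticated: every rule in this role is granted to system:anonymous`, so a rule later added "for Prometheus" is not silently opened to everyone. Separately, `namespace: kube-system` in the ClusterRoleBinding metadata has no effect because the kind is cluster-scoped, and should be dropped.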