Dustin C. Hatch
225fd8469c
The original RBAC configuration allowed `vmagent` only to list the pods in the `victoria-metrics` namespace. In order to allow it to monitor other applications' pods, it needs to be assigned permission to list pods in all namespaces.
153 lines
3.2 KiB
YAML
153 lines
3.2 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: vmagent
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: vmagent
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- nodes
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- nodes/proxy
|
|
verbs:
|
|
- get
|
|
- nonResourceURLs:
|
|
- /metrics
|
|
verbs:
|
|
- get
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: vmagent
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: vmagent
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: vmagent
|
|
namespace: victoria-metrics
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: vmagent
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
spec:
|
|
ports:
|
|
- port: 8429
|
|
name: vmagent
|
|
selector:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
clusterIP: None
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: vmagent
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
spec:
|
|
serviceName: vmagent
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
spec:
|
|
containers:
|
|
- name: vmagent
|
|
image: docker.io/victoriametrics/vmagent:v1.96.0
|
|
args:
|
|
- -envflag.enable=true
|
|
- -envflag.prefix=vmagent_
|
|
- -remoteWrite.tmpDataPath=/data
|
|
- -httpListenAddr=0.0.0.0:8429
|
|
- -promscrape.config=/config/scrape.yml
|
|
- -promscrape.configCheckInterval=30s
|
|
env:
|
|
- name: vmagent_remoteWrite_url
|
|
value: http://vminsert:8480/insert/1/prometheus/api/v1/write
|
|
ports:
|
|
- containerPort: 8429
|
|
name: http
|
|
readinessProbe: &probe
|
|
httpGet:
|
|
port: http
|
|
path: /health
|
|
periodSeconds: 60
|
|
startupProbe:
|
|
<<: *probe
|
|
periodSeconds: 1
|
|
successThreshold: 1
|
|
failureThreshold: 30
|
|
timeoutSeconds: 1
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
readOnlyRootFilesystem: true
|
|
volumeMounts:
|
|
- mountPath: /config
|
|
name: config
|
|
readOnly: true
|
|
- mountPath: /data
|
|
name: tmpdata
|
|
subPath: data
|
|
serviceAccountName: vmagent
|
|
securityContext:
|
|
fsGroup: 2093
|
|
runAsGroup: 2093
|
|
runAsNonRoot: true
|
|
runAsUser: 2093
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: vmagent
|
|
volumeClaimTemplates:
|
|
- apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: tmpdata
|
|
labels:
|
|
app.kubernetes.io/name: vmagent
|
|
app.kubernetes.io/component: vmagent
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 4G
|