added rules

DFE-Digital · Feb 27, 2024 · 8788bc8 · 8788bc8
1 parent 0916c4a
commit 8788bc8
Showing 1 changed file with 80 additions and 31 deletions.
diff --git a/cluster/terraform_kubernetes/kube_state_metrics.tf b/cluster/terraform_kubernetes/kube_state_metrics.tf
@@ -1,20 +1,17 @@
-data "kubernetes_namespace" "monitoring" {
-  metadata {
-    name = "monitoring"
-  }
-}
 
-resource "kubernetes_namespace" "monitoring" {
-  count = data.kubernetes_namespace.monitoring.id == null ? 1 : 0
 
+resource "kubernetes_service_account" "kube_state_metrics" {
   metadata {
-    name = "monitoring"
+    name = "kube-state-metrics"
+    namespace = "monitoring"
+    labels = {
+      "app.kubernetes.io/component" = "exporter"
+      "app.kubernetes.io/name" = "kube-state-metrics"
+      "app.kubernetes.io/version" = var.kube_state_metrics_version
+    }
   }
 }
 
-locals {
-  kube_system_ns = data.kubernetes_namespace.monitoring.id != null ? data.kubernetes_namespace.monitoring.id : kubernetes_namespace.monitoring[0].id
-}
 
 resource "kubernetes_cluster_role" "kube_state_metrics" {
   metadata {
@@ -26,11 +23,75 @@ resource "kubernetes_cluster_role" "kube_state_metrics" {
     }
   }
 
-  rule {
-    api_groups = [""]
-    resources = ["configmaps", "secrets", "nodes", "pods", "services", "resourcequotas", "replicationcontrollers", "limitranges", "persistentvolumeclaims", "persistentvolumes", "namespaces", "endpoints"]
-    verbs = ["list", "watch"]
+      rule {
+        api_groups = [""]
+        resources = ["configmaps", "secrets", "nodes", "pods", "services", "resourcequotas", "replicationcontrollers", "limitranges", "persistentvolumeclaims", "persistentvolumes", "namespaces", "endpoints"]
+        verbs = ["get","list", "watch"]
+      }
+
+      rule {
+        api_groups = ["certificates.k8s.io"]
+        resources = ["certificatesigningrequests"]
+        verbs = ["list", "get", "watch"] # Adjust verbs as necessary
+      }
+
+      rule {
+        api_groups = ["batch"]
+        resources = ["jobs"]
+        verbs = ["get","list", "watch"]
+      }
+
+
+    rule {
+        api_groups = ["apps"]
+        resources = ["deployments", "replicasets", "statefulsets", "daemonsets"]
+        verbs = ["list", "watch"]
+      }
+
+    rule {
+        api_groups = ["storage.k8s.io"]
+        resources = ["volumeattachments"]
+        verbs = ["get","list", "watch"]
+      }
+
+    rule {
+        api_groups = ["admissionregistration.k8s.io"]
+        resources = ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+        verbs = ["get","list", "watch"]
+      }
+
+
+    rule {
+        api_groups = ["coordination.k8s.io"]
+        resources = ["leases"]
+        verbs = ["get","list", "watch"]
+      }
+
+    rule {
+        api_groups = ["autoscaling"]
+        resources = ["horizontalpodautoscalers"]
+        verbs = ["get","list", "watch"]
+      }
+
+    rule {
+        api_groups = ["policy"]
+        resources = ["poddisruptionbudgets"]
+        verbs = ["get","list", "watch"]
+      }
+
+
+    rule {
+        api_groups = ["batch"]
+        resources = ["cronjobs"]
+        verbs = ["get","list", "watch"]
+      }
+
+    rule {
+    api_groups = ["", "apps", "batch", "networking.k8s.io", "policy", "autoscaling", "certificates.k8s.io", "coordination.k8s.io", "storage.k8s.io"]
+    resources  = ["pods", "replicasets", "cronjobs", "ingresses", "poddisruptionbudgets", "networkpolicies", "storageclasses", "certificatesigningrequests", "leases", "horizontalpodautoscalers", "configmaps", "secrets", "nodes", "services", "resourcequotas", "replicationcontrollers", "limitranges", "persistentvolumeclaims", "persistentvolumes", "namespaces", "endpoints", "deployments", "statefulsets", "daemonsets", "volumeattachments", "mutatingwebhookconfigurations", "validatingwebhookconfigurations", "jobs"]
+    verbs      = ["get", "list", "watch"]
   }
+
 }
 
 resource "kubernetes_cluster_role_binding" "kube_state_metrics" {
@@ -51,27 +112,15 @@ resource "kubernetes_cluster_role_binding" "kube_state_metrics" {
 
   subject {
     kind = "ServiceAccount"
-    name = kubernetes_service_account.kube_state_metrics.metadata[0].name
-    namespace = local.kube_system_ns
-  }
-}
-
-resource "kubernetes_service_account" "kube_state_metrics" {
-  metadata {
-    name = "kube-state-metrics"
-    namespace = local.kube_system_ns
-    labels = {
-      "app.kubernetes.io/component" = "exporter"
-      "app.kubernetes.io/name" = "kube-state-metrics"
-      "app.kubernetes.io/version" = var.kube_state_metrics_version
-    }
+    name =  "kube-state-metrics"
+    namespace = "monitoring"
   }
 }
 
 resource "kubernetes_deployment" "kube_state_metrics" {
   metadata {
     name = "kube-state-metrics"
-    namespace = local.kube_system_ns
+    namespace = "monitoring"
     labels = {
       "app.kubernetes.io/component" = "exporter"
       "app.kubernetes.io/name" = "kube-state-metrics"
@@ -158,7 +207,7 @@ resource "kubernetes_deployment" "kube_state_metrics" {
 resource "kubernetes_service" "kube_state_metrics" {
   metadata {
     name = "kube-state-metrics"
-    namespace = local.kube_system_ns
+    namespace = "monitoring"
 
     labels = {
       "app.kubernetes.io/component" = "exporter"