chore(addons):changes cluster role to role and clusterrolebinding to rolebinding

EamonZhang · EamonZhang · commit d5c8be97976a · 2024-04-29T08:53:53.000+08:00
diff --git a/addons/pmm/2.41/chart/pmm/templates/role.yaml b/addons/pmm/2.41/chart/pmm/templates/role.yaml
@@ -1,28 +1,29 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
+  namespace: {{ include "common.names.namespace" . | quote }}
   name:  {{ include "pmm.fullname" . }}
   labels:
     {{- include "pmm.labels" . | nindent 4 }}
 rules:
 # standard RBAC
 - apiGroups: [""] # "" indicates the core API group
   resources:
-  - namespaces
+  # - namespaces
   - endpoints
   - services
-  - nodes
+  # - nodes
   - pods
   - secrets
   - serviceaccounts
   verbs:
   - get
   - watch
   - list
-- nonResourceURLs:
-  - /metrics
-  - /metrics/resources
-  verbs:
-  - get
+# - nonResourceURLs:
+#   - /metrics
+#   - /metrics/resources
+#   verbs:
+#   - get
 {{- end }}
diff --git a/addons/pmm/2.41/chart/pmm/templates/rolebinding.yaml b/addons/pmm/2.41/chart/pmm/templates/rolebinding.yaml
@@ -1,25 +1,26 @@
 {{- if .Values.serviceAccount.create -}}
 {{- if .Values.pmmEnv.ENABLE_CLUSTER_ROLE_ADMIN -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
+  namespace: {{ include "common.names.namespace" . | quote }}
   name: {{ include "pmm.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: cluster-admin
 subjects:
 - kind: ServiceAccount
   name: {{ include "pmm.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{- else }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: {{ include "pmm.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: {{ include "pmm.fullname" . }}
 subjects:
 - kind: ServiceAccount
diff --git a/addons/prometheus/2/chart/prometheus/templates/_scrape_config.tpl b/addons/prometheus/2/chart/prometheus/templates/_scrape_config.tpl
@@ -94,9 +94,6 @@ kubernetes_sd_configs:
       own_namespace: true
       names: 
       - {{ include "common.names.namespace" .context }}
-      {{- range .value }}
-      - {{ include "common.tplvalues.render" (dict "value" . "context" $) }}
-      {{- end }}
 
 relabel_configs:
   - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
diff --git a/addons/prometheus/2/chart/prometheus/templates/server/role.yaml b/addons/prometheus/2/chart/prometheus/templates/server/role.yaml
@@ -4,9 +4,10 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{- if .Values.server.rbac.create }}
-kind: ClusterRole
+kind: Role
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
+  namespace: {{ include "common.names.namespace" . | quote }}
   name: {{ include "prometheus.server.fullname.namespace" . }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/part-of: prometheus
@@ -19,14 +20,9 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - nodes
-      - nodes/proxy
-      - nodes/metrics
       - services
       - endpoints
       - pods
-      - ingresses
-      - configmaps
     verbs:
       - get
       - list
@@ -41,8 +37,7 @@ rules:
       - get
       - list
       - watch
-  - nonResourceURLs:
-      - "/metrics"
+
     verbs:
       - get
   {{- if .Values.server.rbac.rules }}
diff --git a/addons/prometheus/2/chart/prometheus/templates/server/rolebinding.yaml b/addons/prometheus/2/chart/prometheus/templates/server/rolebinding.yaml
@@ -3,9 +3,10 @@ Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
+  namespace: {{ include "common.names.namespace" . | quote }}
   name: {{ template "prometheus.server.fullname.namespace" . }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/part-of: prometheus
@@ -15,7 +16,7 @@ metadata:
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: {{ template "prometheus.server.fullname.namespace" . }}
 subjects:
   - kind: ServiceAccount
diff --git a/addons/prometheus/2/chart/prometheus/values.yaml b/addons/prometheus/2/chart/prometheus/values.yaml
@@ -636,7 +636,7 @@ server:
     {{- end }}
     {{- if .Values.scrapeAddons.enabled }}
       - job_name: addons
-        {{- include "addons.ds_scrape_config"  (dict "value" .Values.scrapeNamespaces "context" $) | nindent 4 }}
+        {{- include "addons.ds_scrape_config"  (dict "context" $) | nindent 4 }}
     {{- end }}  
     {{- if .Values.server.extraScrapeConfigs}}
     {{- include "common.tplvalues.render" (dict "value" .Values.server.extraScrapeConfigs "context" $) | nindent 2 }}
@@ -654,8 +654,6 @@ server:
           static_configs:
             - targets: [ "{{ printf "%s.%s.svc.%s:%d" (include "prometheus.alertmanager.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain (int .Values.alertmanager.service.ports.http) }}" ]
     {{- end }}
-    rule_files:
-      - rules.yaml
     
   ## @param server.alertingRules Prometheus alerting rules. This content will be stored in the the rules.yaml file and the content can be a template.
   ## ref: <https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/>
diff --git a/template/CHART_NAME/templates/rolebinding.yaml b/template/CHART_NAME/templates/rolebinding.yaml
@@ -3,7 +3,7 @@ Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
   name: {{ template "common.names.fullname" . }}
@@ -14,7 +14,7 @@ metadata:
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: {{ template "common.names.fullname" . }}
 subjects:
   - kind: ServiceAccount
