*: generate RBAC aware bundle

Author: brancz

Documentation/rbac.md

@@ -8,7 +8,7 @@ In order for the Prometheus Operator to work in an RBAC based authorization envi
 
 Here is a ready to use manifest of a `ClusterRole` that can be used to start the Prometheus Operator:
 
-[embedmd]:# (../example/rbac/prometheus-operator-cluster-role.yaml)
+[embedmd]:# (../example/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml)
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRole
@@ -58,7 +58,7 @@ rules:
 
 When the Prometheus Operator boots up for the first time it registers the `thirdpartyresources` it uses, therefore the `create` action on those is required.
 
-As the Prometheus Operator work extensively with the `thirdpartyresources` it registers, it requires all actions on those objects. Those are:
+As the Prometheus Operator works extensively with the `thirdpartyresources` it registers, it requires all actions on those objects. Those are:
 
 * `alertmanagers`
 * `prometheuses`
@@ -76,13 +76,13 @@ As the kubelet is currently not self-hosted, the Prometheus Operator has a featu
 
 ## Prometheus RBAC
 
-The Prometheus server itself accesses the Kubernetes API to discover targets and Alertmanagers. Therefore a separate `ClusterRole` for those Prometheus servers need to exist.
+The Prometheus server itself accesses the Kubernetes API to discover targets and Alertmanagers. Therefore a separate `ClusterRole` for those Prometheus servers needs to exist.
 
 As Prometheus does not modify any Objects in the Kubernetes API, but just reads them it simply requires the `get`, `list`, and `watch` actions.
 
 In addition to the resources Prometheus itself needs to access, the Prometheus side-car needs to be able to `get` configmaps to be able to pull in rule files from configmap objects.
 
-[embedmd]:# (../example/rbac/prometheus-cluster-role.yaml)
+[embedmd]:# (../example/rbac/prometheus/prometheus-cluster-role.yaml)
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRole
@@ -110,7 +110,7 @@ To demonstrate how to use a `ClusterRole` with a `ClusterRoleBinding` and a `Ser
 
 Say the Prometheus Operator shall be deployed in the `default` namespace. First a `ServiceAccount` needs to be setup.
 
-[embedmd]:# (../example/rbac/prometheus-operator-service-account.yaml)
+[embedmd]:# (../example/rbac/prometheus-operator/prometheus-operator-service-account.yaml)
 ```yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -122,7 +122,7 @@ Note that the `ServiceAccountName` also has to actually be used in the `PodTempl
 
 And then a `ClusterRoleBinding`:
 
-[embedmd]:# (../example/rbac/prometheus-operator-cluster-role-binding.yaml)
+[embedmd]:# (../example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml)
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRoleBinding
@@ -142,7 +142,7 @@ Because the `Pod` that the Prometheus Operator is running in uses the `ServiceAc
 
 When creating `Prometheus` objects the procedure is similar. It starts with a `ServiceAccount`.
 
-[embedmd]:# (../example/rbac/prometheus-service-account.yaml)
+[embedmd]:# (../example/rbac/prometheus/prometheus-service-account.yaml)
 ```yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -152,7 +152,7 @@ metadata:
 
 And then because the `ClusterRole` named `prometheus`, as described above, is likely to be used multiple times, a `ClusterRoleBinding` instead of a `RoleBinding` is used.
 
-[embedmd]:# (../example/rbac/prometheus-cluster-role-binding.yaml)
+[embedmd]:# (../example/rbac/prometheus/prometheus-cluster-role-binding.yaml)
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRoleBinding

Documentation/user-guides/getting-started.md

@@ -6,8 +6,69 @@ The mission of the Prometheus Operator is to make running Prometheus on top of K
 
 To follow this getting started you will need a Kubernetes cluster you have access to. Let's give the Prometheus Operator a spin:
 
-[embedmd]:# (../../deployment.yaml)
+[embedmd]:# (../../bundle.yaml)
 ```yaml
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -21,16 +82,17 @@ spec:
       labels:
         operator: prometheus
     spec:
+      serviceAccountName: prometheus-operator
       containers:
-       - name: prometheus-operator
-         image: quay.io/coreos/prometheus-operator:v0.7.0
-         resources:
-           requests:
-             cpu: 100m
-             memory: 50Mi
-           limits:
-             cpu: 200m
-             memory: 100Mi
+      - name: prometheus-operator
+        image: quay.io/coreos/prometheus-operator:v0.7.0
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
+          limits:
+            cpu: 200m
+            memory: 100Mi
 ```
 
 The Prometheus Operator introduces third party resources in Kubernetes to declare the desired state of a Prometheus and Alertmanager cluster as well as the Prometheus configuration. The resources it introduces are:

Makefile

@@ -56,5 +56,8 @@ docs: embedmd apidocgen
 	embedmd -w `find Documentation -name "*.md"`
 	apidocgen pkg/client/monitoring/v1alpha1/types.go > Documentation/api.md
 
+generate:
+	hack/generate.sh
+	@$(MAKE) docs
 
 .PHONY: all build crossbuild test format check-license container e2e-test e2e-status e2e clean-e2e embedmd apidocgen docs

README.md

@@ -88,9 +88,11 @@ at the [design doc](Documentation/design.md).
 Install the Operator inside a cluster by running the following command:
 
 ```
-kubectl apply -f deployment.yaml
+kubectl apply -f bundle.yaml
 ```
 
+> Note: make sure to adapt the namespace in the ClusterRoleBinding if deploying in another namespace than the default namespace.
+
 To run the Operator outside of a cluster:
 
 ```
@@ -112,7 +114,7 @@ done
 After a couple of minutes you can go ahead and remove the operator itself.
 
 ```
-kubectl delete -f deployment.yaml
+kubectl delete -f bundle.yaml
 ```
 
 The operator automatically creates services in each namespace where you created a Prometheus or Alertmanager resources,

bundle.yaml

@@ -0,0 +1,85 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: prometheus-operator
+  labels:
+    operator: prometheus
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        operator: prometheus
+    spec:
+      serviceAccountName: prometheus-operator
+      containers:
+      - name: prometheus-operator
+        image: quay.io/coreos/prometheus-operator:v0.7.0
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
+          limits:
+            cpu: 200m
+            memory: 100Mi

deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: prometheus-operator
+  labels:
+    operator: prometheus
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        operator: prometheus
+    spec:
+      containers:
+      - name: prometheus-operator
+        image: quay.io/coreos/prometheus-operator:v0.7.0
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
+          limits:
+            cpu: 200m
+            memory: 100Mi

example/non-rbac/prometheus-operator.yaml

@@ -14,7 +14,7 @@ spec:
       serviceAccountName: prometheus-operator
       containers:
       - name: prometheus-operator
-        image: quay.io/brancz/prometheus-operator:9c58518
+        image: quay.io/coreos/prometheus-operator:v0.7.0
         resources:
           requests:
             cpu: 100m

example/rbac/prometheus-operator-cluster-role-binding.yaml example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Concatenate all files with "---" because that's how to specify multiple
+# Kubernetes manifests in one file. Because the first `awk` also adds "---" in
+# the first line, we remove it with the second `awk` call.
+awk 'FNR==1{print "---"}1' $@ | awk '{if (NR!=1) {print}}'

example/rbac/prometheus-operator-cluster-role.yaml example/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+hack/concat-kubernetes-manifests.sh example/rbac/prometheus-operator/*.yaml > bundle.yaml
+

example/rbac/prometheus-operator-service-account.yaml example/rbac/prometheus-operator/prometheus-operator-service-account.yaml

@@ -100,7 +100,7 @@ func (f *Framework) setup(opImage string) error {
 }
 
 func (f *Framework) setupPrometheusOperator(opImage string) error {
-	fn, err := filepath.Abs("../../deployment.yaml")
+	fn, err := filepath.Abs("../../example/non-rbac/prometheus-operator.yaml")
 	if err != nil {
 		return err
 	}