Add RBAC config for "kube-state-metrics". Make EC2 monitoring optiona…

…l. (#13)

* Fix RBAC for "kube-state-metrics".Make  EC2 monitoring optional.

cleanup.sh

@@ -1,10 +1,3 @@
-git checkout  k8s/ingress/01-basic-auth.secret.yaml
-git checkout  k8s/ingress/03-prometheus.ing.yaml
-git checkout  k8s/prometheus/01-prometheus.configmap.yaml
-git checkout  k8s/prometheus/02-prometheus.svc.statefulset.yaml
-git checkout  k8s/prometheus/03-alertmanager.configmap.yaml
-git checkout  k8s/prometheus/04-alertmanager.svc.deployment.yaml
-git checkout  k8s/prometheus/05-node-exporter.svc.daemonset.yaml
-git checkout  k8s/grafana/grafana.svc.deployment.yaml
-git checkout  grafana/Dockerfile
+git checkout  k8s/*
+git checkout  grafana/*
 rm auth

init.sh

@@ -89,34 +89,48 @@ if [[ $use_slack =~ ^([yY][eE][sS]|[yY])$ ]]; then
   sed -i -e 's/your_slack_channel/'"$slack_channel"'/g' k8s/prometheus/03-alertmanager.configmap.yaml
 fi
 
-#try to figure out AWS credentials for EC2 monitoring, if not...ask.
+
+#Do you want to monitor EC2 instances in your AWS account?
 echo
-echo -e "${BLUE}Detecting AWS access keys."
+echo -e "${BLUE}Do you want to monitor EC2 instances in your AWS account?"
 tput sgr0
-if [ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_KEY ]; then
-  aws_access_key=$AWS_ACCESS_KEY_ID
-  aws_secret_key=$AWS_SECRET_ACCESS_KEY
-  echo -e "${ORANGE}AWS_ACCESS_KEY_ID found, using $aws_access_key."
-  tput sgr0
-elif [ ! -z $AWS_ACCESS_KEY ] && [ ! -z $AWS_SECRET_KEY ]; then
-  aws_access_key=$AWS_ACCESS_KEY
-  aws_secret_key=$AWS_SECRET_KEY
-  echo -e "${ORANGE}AWS_ACCESS_KEY found, using $aws_access_key."
+read -p "Y/N [N]: " monitor_aws
+
+#if so, fill out this form...
+if [[ $monitor_aws =~ ^([yY][eE][sS]|[yY])$ ]]; then
+
+  #try to figure out AWS credentials for EC2 monitoring, if not...ask.
+  echo
+  echo -e "${BLUE}Detecting AWS access keys."
   tput sgr0
+  if [ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_KEY ]; then
+    aws_access_key=$AWS_ACCESS_KEY_ID
+    aws_secret_key=$AWS_SECRET_ACCESS_KEY
+    echo -e "${ORANGE}AWS_ACCESS_KEY_ID found, using $aws_access_key."
+    tput sgr0
+  elif [ ! -z $AWS_ACCESS_KEY ] && [ ! -z $AWS_SECRET_KEY ]; then
+    aws_access_key=$AWS_ACCESS_KEY
+    aws_secret_key=$AWS_SECRET_KEY
+    echo -e "${ORANGE}AWS_ACCESS_KEY found, using $aws_access_key."
+    tput sgr0
+  else
+    echo -e "${RED}Unable to determine AWS credetials from environment variables."
+    tput sgr0
+    #aws access key
+    read -p "AWS Access Key ID: " aws_access_key
+    #aws secret access key
+    read -p "AWS Secret Access Key: " aws_secret_key
+  fi
+
+  #sed in the AWS credentials. this looks odd because aws secret access keys can have '/' as a valid character
+  #so we use ',' as a delimiter for sed, since that won't appear in the secret key
+  sed -i -e 's/aws_access_key/'"$aws_access_key"'/g' k8s/prometheus/01-prometheus.configmap.yaml
+  sed -i -e 's,aws_secret_key,'"$aws_secret_key"',g' k8s/prometheus/01-prometheus.configmap.yaml
+
 else
-  echo -e "${RED}Unable to determine AWS credetials from environment variables."
-  tput sgr0
-  #aws access key
-  read -p "AWS Access Key ID: " aws_access_key
-  #aws secret access key
-  read -p "AWS Secret Access Key: " aws_secret_key
+  rm grafana/grafana-dashboards/ec2-instances.json
 fi
 
-#sed in the AWS credentials. this looks odd because aws secret access keys can have '/' as a valid character
-#so we use ',' as a delimiter for sed, since that won't appear in the secret key
-sed -i -e 's/aws_access_key/'"$aws_access_key"'/g' k8s/prometheus/01-prometheus.configmap.yaml
-sed -i -e 's,aws_secret_key,'"$aws_secret_key"',g' k8s/prometheus/01-prometheus.configmap.yaml
-
 echo
 echo -e "${BLUE}Creating ${ORANGE}'monitoring' ${BLUE}namespace."
 tput sgr0
@@ -130,7 +144,9 @@ read -p "[y/N]: " response
 if [[ $response =~ ^([yY][eE][sS]|[yY])$ ]]
 then
     kubectl create -f ./k8s/rbac/01-prometheus-rbac-config.yaml
+    kubectl create -f ./k8s/rbac/03-kube-state-metrics-rbac-config.yaml
     sed -i -e 's/default/'prometheus'/g' k8s/prometheus/02-prometheus.svc.statefulset.yaml
+    sed -i -e 's/default/'kube-state-metrics'/g' k8s/kube-state-metrics/deployment.yaml
 else
     echo -e "${GREEN}Skipping RBAC configuration"
 fi
@@ -304,6 +320,7 @@ else
   fi
   #remove  "sed" generated files
   rm k8s/ingress/*.yaml-e
+  rm k8s/kube-state-metrics/*.yaml-e
 fi
 
 

k8s/kube-state-metrics/deployment.yml → k8s/kube-state-metrics/deployment.yaml

@@ -11,6 +11,7 @@ spec:
         app: kube-state-metrics
         version: "v0.5.0"
     spec:
+      serviceAccountName: default
       containers:
       - name: kube-state-metrics
         image: gcr.io/google_containers/kube-state-metrics:v0.5.0

k8s/rbac/03-kube-state-metrics-rbac-config.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kube-state-metrics
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - pods
+  - services
+  - resourcequotas
+  - replicationcontrollers
+  - limitranges
+  verbs: ["list", "watch"]
+- apiGroups: ["extensions"]
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs: ["list", "watch"]
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring

remove.sh

@@ -4,6 +4,7 @@ kubectl delete -f ./k8s/grafana
 kubectl delete -R -f ./k8s/prometheus
 kubectl delete -f ./k8s/kube-state-metrics
 kubectl delete -f ./k8s/rbac/01-prometheus-rbac-config.yaml
+kubectl delete -f ./k8s/rbac/03-kube-state-metrics-rbac-config.yaml
 
 #Remove the Nginx Ingress Controller
 echo