Add RBAC and API Aggregation rules to example manifest

deploy/README.md

@@ -1,17 +1,13 @@
 Example Deployment
 ==================
 
-1. Make sure you've built the included Dockerfile with `make
+1. Make sure you've built the included Dockerfile with `make docker-build`. The image should be tagged as `directxman12/k8s-prometheus-adapter:latest`.
-   docker-build`.  The image should be tagged as `cm-adapter:latest`.
    
 2. Create a secret called `cm-adapter-serving-certs` with two values:
-   `serving.crt` and `serving.key`.  For more information on how to
+   `serving.crt` and `serving.key`. For more information on how to
    generate these certificates, see the [auth concepts
    documentation](https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts/auth.md)
    in the apiserver-builder repository.
 
 3. `kubectl create -f example-deployment.yaml`, modifying as necessary to
    point to your prometheus server.
-
-
-

deploy/example-deployment.yaml

@@ -1,34 +1,100 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: custom-metrics
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: custom-metrics-apiserver
+  namespace: custom-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: custom-metrics:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: custom-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: custom-metrics-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: custom-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: custom-metrics-resource-reader
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: custom-metrics-resource-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom-metrics-resource-reader
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: custom-metrics
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   labels:
-    app: cm-adapter
+    app: custom-metrics-apiserver
-  name: cm-adapter
+  name: custom-metrics-apiserver
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: cm-adapter
+      app: custom-metrics-apiserver
   template:
     metadata:
       labels:
-        app: cm-adapter
+        app: custom-metrics-apiserver
-      name: cm-adapter
+      name: custom-metrics-apiserver
     spec:
+      serviceAccountName: custom-metrics-apiserver
       containers:
-      - name: cm-adapter
+      - name: custom-metrics-apiserver
-        image: cm-adapter
+        image: directxman12/k8s-prometheus-adapter
-        imagePullPolicy: Never
         args:
-        - "/cm-adapter"
+        - /adapter
-        - "--secure-port=6443"
+        - --secure-port=6443
-        - "--tls-cert-file=/var/run/serving-cert/serving.crt"
+        - --tls-cert-file=/var/run/serving-cert/serving.crt
-        - "--tls-private-key-file=/var/run/serving-cert/serving.key"
+        - --tls-private-key-file=/var/run/serving-cert/serving.key
-        - "--logtostderr=true"
+        - --logtostderr=true
-        - "--prometheus-url=http://prometheus.prom.svc:9090/"
+        - --prometheus-url=http://prometheus.prom.svc:9090/
-        - "--metrics-relist-interval=30s"
+        - --metrics-relist-interval=30s
-        - "--rate-interval=30s"
+        - --rate-interval=30s
-        - "--v=10"
+        - --v=10
         ports:
         - containerPort: 6443
         volumeMounts:
@@ -39,3 +105,52 @@ spec:
       - name: volume-serving-cert
         secret:
           secretName: cm-adapter-serving-certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  namespace: custom-metrics
+spec:
+  ports:
+  - port: 443
+    targetPort: 6443
+  selector:
+    app: custom-metrics-apiserver
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1alpha1.custom-metrics.metrics.k8s.io
+spec:
+  insecureSkipTLSVerify: true
+  group: custom-metrics.metrics.k8s.io
+  priority: 150
+  service:
+    name: api
+    namespace: custom-metrics
+  version: v1alpha1
+---
+# Make a ClusterRole so that the HPA controller is able to read the custom metrics this adapter provides
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: custom-metrics-server-resources
+rules:
+- apiGroups:
+  - custom-metrics.metrics.k8s.io
+  resources: ["*"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: hpa-controller-custom-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom-metrics-server-resources
+subjects:
+- kind: ServiceAccount
+  name: horizontal-pod-autoscaler
+  namespace: kube-system