Hello Matthias,

I've tried the set of permissions as quoted below and discovery did NOT work. So the desired set of permissions should be somewhere in between.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-prometheus
rules:
- apiGroups: [""]
  resources:
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]

Matthias Rampke wrote:
> I think it should work with just get/list/watch on pods. Try it and see
> what happens?
>
> /MR
>
> On Mon, Nov 8, 2021, 06:38 Victor Sudakov <[email protected]> wrote:
>
> > Dear Colleagues,
> >
> > There is a good working example of RBAC setup in
> >
> > https://github.com/prometheus/prometheus/blob/main/documentation/examples/rbac-setup.yml
> > However if I want to discover and scrape only pods for metrics, these
> > permissions seem a bit excessive.
> >
> > What RBAC permissions can be safely removed from the prometheus
> > ClusterRole if only "role: pod" is required? There is also a discussion
> > open at https://github.com/prometheus/prometheus/discussions/9672 ,
> > you can comment there if you like.
> >
> > Thanks in advance for any input.
> >

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet
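
An added example, not part of the thread and not Prometheus project code: a small least-privilege audit that compares a ClusterRole's rules with the access a scrape role is assumed to need. The required set (get/list/watch on pods) is an assumption taken from the quoted suggestion, which the thread does not confirm; the function and variable names are hypothetical.

```python
# Assumed requirement for "role: pod" discovery, from the quoted reply
# (unconfirmed by the thread): get/list/watch on pods in the core API group.
REQUIRED = {("", "pods", v) for v in ("get", "list", "watch")}

# Rules of the test-prometheus ClusterRole from the message, as Python data.
TEST_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
]


def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule grants `verb` on `group`/`resource`."""
    def match(granted, wanted):
        return "*" in granted or wanted in granted  # "*" is the RBAC wildcard
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def audit(rules, required=REQUIRED):
    """Return (missing, excess).

    missing: required (group, resource, verb) triples that no rule grants.
    excess:  granted triples outside the required set; any wildcard grant and
             any nonResourceURLs grant is always reported as excess.
    """
    missing = sorted(r for r in required
                     if not any(rule_allows(rule, *r) for rule in rules))
    excess = set()
    for rule in rules:
        verbs = rule.get("verbs", [])
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in verbs:
                    triple = (group, resource, verb)
                    if "*" in triple or triple not in required:
                        excess.add(triple)
        for url in rule.get("nonResourceURLs", []):
            excess.update(("<nonResourceURL>", url, v) for v in verbs)
    return missing, sorted(excess)


if __name__ == "__main__":
    missing, excess = audit(TEST_ROLE_RULES)
    print("missing:", missing)
    print("excess: ", excess)
```

The audit looks only at the rules. A ClusterRole grants nothing until a ClusterRoleBinding or RoleBinding ties it to the service account Prometheus runs as, so a clean result here does not by itself mean discovery will work.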

