apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: prometheus-operator namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: prometheus-operator subjects: - kind: ServiceAccount name: prometheus-operator namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: prometheus-operator namespace: kube-system rules: - apiGroups: - extensions resources: - thirdpartyresources verbs: ["*"] - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: ["*"] - apiGroups: - monitoring.coreos.com resources: - alertmanagers - prometheuses - prometheuses/finalizers - servicemonitors - prometheusrules - podmonitors - thanosrulers verbs: ["*"] - apiGroups: - apps resources: - statefulsets verbs: ["*"] - apiGroups: [""] resources: - configmaps - secrets verbs: ["*"] - apiGroups: [""] resources: - pods verbs: ["list", "delete"] - apiGroups: [""] resources: - services - endpoints verbs: ["get", "create", "update"] - apiGroups: [""] resources: - nodes verbs: ["list", "watch"] - apiGroups: [""] resources: - namespaces verbs: ["list", "watch"] --- apiVersion: v1 kind: ServiceAccount metadata: name: prometheus-operator namespace: kube-system --- apiVersion: apps/v1 kind: Deployment metadata: labels: k8s-app: prometheus-operator name: prometheus-operator namespace: kube-system spec: selector: matchLabels: k8s-app: prometheus-operator replicas: 1 template: metadata: labels: k8s-app: prometheus-operator spec: containers: - args: - --kubelet-service=kube-system/kubelet - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1 image: quay.io/coreos/prometheus-operator:v0.36.0 name: prometheus-operator ports: - containerPort: 8080 name: http resources: limits: cpu: 200m memory: 100Mi requests: cpu: 100m memory: 50Mi securityContext: runAsNonRoot: true runAsUser: 65534 serviceAccountName: prometheus-operator