...
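# Config Connector IAMPolicyMember: grants roles/stackdriver.resourceMetadata.writer
# on project ${gcp_project_id} to the o11y-${cluster_hash} Google service account.
# (The original inline comment said "clusterViewer"; no such role is bound here.)
# NOTE(review): the binding is at project scope, so the role applies across the
# whole project rather than to a single cluster's resources.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-metadata-writer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value that looks like a number or boolean
    # is still parsed as a string (label values must be strings).
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/stackdriver.resourceMetadata.writer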
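---
# Config Connector IAMPolicyMember: grants roles/monitoring.metricWriter on
# project ${gcp_project_id} to the o11y-${cluster_hash} Google service account.
# (The original inline comment said "clusterViewer"; no such role is bound here.)
# NOTE(review): the binding is at project scope, so this identity can write
# metrics for the whole project, not only for its own cluster.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-metric-writer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value that looks like a number or boolean
    # is still parsed as a string (label values must be strings).
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/monitoring.metricWriter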
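---
# Config Connector IAMPolicyMember: grants roles/monitoring.viewer on project
# ${gcp_project_id} to the o11y-${cluster_hash} Google service account.
# (The original inline comment said "clusterViewer"; no such role is bound here.)
# NOTE(review): the binding is at project scope, so this identity can read
# monitoring data for the whole project; confirm that the workload needs
# read access beyond its own cluster's metrics.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-monitoring-viewer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value that looks like a number or boolean
    # is still parsed as a string (label values must be strings).
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/monitoring.viewer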
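---
# Config Connector IAMPolicyMember: grants roles/iam.workloadIdentityUser on the
# o11y-${cluster_hash} Google service account to the Kubernetes service account
# "prometheus" in namespace "prometheus", so that workload can act as that
# Google service account through GKE Workload Identity.
# NOTE(review): the member is scoped to the project's workload identity pool
# (${gcp_project_id}.svc.id.goog), not to one cluster. If several clusters
# share this project, the same namespace/service-account name on any of them
# resolves to this principal, although the target account is named per
# cluster_hash. Confirm that this is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-workload-id
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value that looks like a number or boolean
    # is still parsed as a string (label values must be strings).
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  # Format: serviceAccount:<project>.svc.id.goog[<namespace>/<k8s service account>]
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[prometheus/prometheus]"
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    external: "projects/${gcp_project_id}/serviceAccounts/o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  role: roles/iam.workloadIdentityUser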