diff --git a/argocd/apps/prometheus/prometheus.yaml b/argocd/apps/prometheus/prometheus.yaml index dac18fe..209a268 100644 --- a/argocd/apps/prometheus/prometheus.yaml +++ b/argocd/apps/prometheus/prometheus.yaml @@ -39,11 +39,29 @@ spec: requests: cpu: 100m memory: 128Mi + + # Security Context für Prometheus Server + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 + seccompProfile: + type: RuntimeDefault + + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + # Node Exporter deaktiviert - wird separat installiert nodeExporter: - enabled: true - service: - type: ClusterIP + enabled: false kubeStateMetrics: enabled: true @@ -52,15 +70,12 @@ spec: enabled: true service: type: ClusterIP + persistentVolume: enabled: true size: 2Gi storageClass: "local-path" - - pushgateway: - enabled: true - service: - type: ClusterIP + securityContext: runAsNonRoot: true runAsUser: 65534 
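Review bot: The new `containerSecurityContext` in the first hunk sets `readOnlyRootFilesystem: false`, while the `containerSecurityContext` this same diff removes further down had it as `true`, and nothing in the hunk records why the Prometheus server now needs a writable root filesystem. With `persistentVolume.enabled: true` kept later in the diff, the TSDB presumably lives on the PV rather than the root filesystem, so the container should be able to keep a read-only root. Either restore `readOnlyRootFilesystem: true`, or add a comment naming the write path that forced the change, e.g. `# readOnlyRootFilesystem: false needed because <path outside the PV> is written at runtime — TODO confirm`. The remaining drops (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `seccompProfile: RuntimeDefault`) look consistent with the pod-level `securityContext` added above them.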
@@ -68,15 +83,72 @@ spec: fsGroup: 65534 seccompProfile: type: RuntimeDefault - containerSecurityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - capabilities: - drop: - - ALL + + # PUSHGATEWAY KOMPLETT DEAKTIVIEREN + pushgateway: + enabled: false + + # Zusätzliche Scrape-Konfiguration für k3s + serverFiles: + prometheus.yml: + global: + scrape_interval: 15s + evaluation_interval: 15s + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + kubernetes_sd_configs: + - role: node + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: 
[__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name destination: server: https://kubernetes.default.svc
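Review bot: The `kubernetes-apiservers` and `kubernetes-nodes` jobs set `insecure_skip_verify: true` right after pointing `ca_file` at the service-account CA, so the CA is mounted but never used and the scrape will accept any certificate on the apiserver and kubelet endpoints. For the apiserver job the in-cluster endpoint is issued by that CA, so `insecure_skip_verify: false` (or simply dropping the line) should work as-is; for the nodes job it may only hold if the kubelet serving certificates on this k3s cluster chain to the same CA, which is worth verifying before flipping it, and the usual alternative is scraping kubelets through the apiserver proxy path rather than disabling verification. The `regex: true` in the `kubernetes-pods` relabel rule is a YAML boolean on most loaders; quoting it as `regex: 'true'` keeps the intent a string. This hunk also leaves the pod-level `securityContext` that precedes it in place while moving the container-level one to the first hunk, so a short comment above `pushgateway:` noting which component this `securityContext` belongs to would help the next reader.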