---
# kube-state-metrics exporter for the kube-system namespace.
# Documents, in order: ServiceAccount, ClusterRole, ClusterRoleBinding,
# Deployment, Service. The ClusterRole is read-only (list/watch) except for
# `create` on the two review APIs near the end of the rule list.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-state-metrics
  namespace: kube-system
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/component: exporter
---
# Cluster-wide permissions for the exporter. Every rule applies to all
# namespaces because this is a ClusterRole bound by a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-state-metrics
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/component: exporter
rules:
  - apiGroups: [""]
    resources:
      - configmaps
      # SECURITY: list/watch on secrets returns complete Secret objects,
      # data included, so this service account's token can read every
      # Secret in the cluster. If secret metrics are not required, remove
      # this entry and disable the matching collector (the exporter's
      # --resources flag selects which resources are watched).
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - daemonsets
      - deployments
      - replicasets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  # The next two rules are the only non-read verbs in this role. They let the
  # holder ask the API server to validate a token or evaluate an access check.
  # NOTE(review): these are normally needed only when the metrics endpoints
  # delegate authn/authz to the API server (an auth proxy sidecar or the
  # exporter's --auth-filter option); nothing in this manifest enables
  # either. Confirm they are needed, otherwise drop them.
  - apiGroups: ["authentication.k8s.io"]
    resources:
      - tokenreviews
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources:
      - subjectaccessreviews
    verbs: ["create"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
      - volumeattachments
      - csinodes
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs: ["list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
      - ingressclasses
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources:
      - leases
    verbs: ["list", "watch"]
---
# Grants the ClusterRole above to the kube-system/kube-state-metrics
# ServiceAccount and to no other subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-state-metrics
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/component: exporter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-state-metrics
subjects:
  - kind: ServiceAccount
    name: kube-state-metrics
    namespace: kube-system
---
# Single-replica exporter pod running as the ServiceAccount defined above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-state-metrics
  namespace: kube-system
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/component: exporter
    app.kubernetes.io/version: "2.18.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-state-metrics
        app.kubernetes.io/component: exporter
        app.kubernetes.io/version: "2.18.0"
    spec:
      serviceAccountName: kube-state-metrics
      # The token is mounted so the exporter can call the API server. Any
      # code that runs in this container inherits the ClusterRole's reach,
      # including the cluster-wide Secret read access.
      automountServiceAccountToken: true
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: kube-state-metrics
          # The image is referenced by tag only. Pinning by digest, for
          # example ...kube-state-metrics:v2.18.0@sha256:<digest-placeholder>,
          # keeps the running image fixed even if the tag is later re-pointed.
          image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.18.0
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
            - name: telemetry
              containerPort: 8081
          # Liveness is checked on the http port, readiness on the telemetry
          # port.
          livenessProbe:
            httpGet:
              path: /livez
              port: http
            initialDelaySeconds: 5
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readyz
              port: telemetry
            initialDelaySeconds: 5
            timeoutSeconds: 5
          # Hardened container context: non-root UID 65534, no privilege
          # escalation, all capabilities dropped, read-only root filesystem,
          # runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          # Memory is capped at 256Mi; no CPU limit is set.
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 256Mi
---
# In-cluster Service for both exporter ports.
# NOTE(review): no container args enable authentication on these endpoints
# and this file ships no NetworkPolicy, so as far as this manifest shows any
# workload able to reach the Service can scrape cluster-wide object metadata.
# Consider restricting ingress to the monitoring namespace.
apiVersion: v1
kind: Service
metadata:
  name: kube-state-metrics
  namespace: kube-system
  labels:
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/component: exporter
spec:
  selector:
    app.kubernetes.io/name: kube-state-metrics
  ports:
    - name: http
      port: 8080
      targetPort: http
    - name: telemetry
      port: 8081
      targetPort: telemetry