Merge pull request #1816 from mrueg/disable-rbac-metrics

Remove RBAC resources from default exposed metric set
kubernetes · Aug 24, 2022 · 6dfeab3 · 6dfeab3
2 parents 4c141d5 + 93e79fc
commit 6dfeab3
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 15 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -27,11 +27,12 @@ As of v2.3.0, kube-state-metrics supports additional opt-in metrics via the CLI
 
 ## Exposed Metrics
 
-Per group of metrics there is one file for each metrics. See each file for specific documentation about the exposed metrics:
+Per group of metrics there is one file for each metrics.
+See each file for specific documentation about the exposed metrics:
+
+### Default Resources
 
 - [CertificateSigningRequest Metrics](certificatesigningrequest-metrics.md)
-- [ClusterRole Metrics](clusterrole-metrics.md)
-- [ClusterRoleBinding Metrics](clusterrolebinding-metrics.md)
 - [ConfigMap Metrics](configmap-metrics.md)
 - [CronJob Metrics](cronjob-metrics.md)
 - [DaemonSet Metrics](daemonset-metrics.md)
@@ -53,17 +54,22 @@ Per group of metrics there is one file for each metrics. See each file for speci
 - [ReplicaSet Metrics](replicaset-metrics.md)
 - [ReplicationController Metrics](replicationcontroller-metrics.md)
 - [ResourceQuota Metrics](resourcequota-metrics.md)
-- [Role Metrics](role-metrics.md)
-- [RoleBinding Metrics](rolebinding-metrics.md)
 - [Secret Metrics](secret-metrics.md)
 - [Service Metrics](service-metrics.md)
-- [ServiceAccount Metrics](serviceaccount-metrics.md)
 - [StatefulSet Metrics](statefulset-metrics.md)
 - [StorageClass Metrics](storageclass-metrics.md)
 - [ValidatingWebhookConfiguration Metrics](validatingwebhookconfiguration-metrics.md)
-- [VerticalPodAutoscaler Metrics](verticalpodautoscaler-metrics.md)
 - [VolumeAttachment Metrics](volumeattachment-metrics.md)
 
+### Optional Resources
+
+- [ClusterRole Metrics](clusterrole-metrics.md)
+- [ClusterRoleBinding Metrics](clusterrolebinding-metrics.md)
+- [Role Metrics](role-metrics.md)
+- [RoleBinding Metrics](rolebinding-metrics.md)
+- [ServiceAccount Metrics](serviceaccount-metrics.md)
+- [VerticalPodAutoscaler Metrics](verticalpodautoscaler-metrics.md)
+
 ## Join Metrics
 
 When an additional, not provided by default label is needed, a [Prometheus matching operator](https://prometheus.io/docs/prometheus/latest/querying/operators/#vector-matching)

diff --git a/docs/cli-arguments.md b/docs/cli-arguments.md
@@ -50,7 +50,7 @@ Usage of ./kube-state-metrics:
       --pod string                                 Name of the pod that contains the kube-state-metrics container. When set, it is expected that --pod and --pod-namespace are both set. Most likely this should be passed via the downward API. This is used for auto-detecting sharding. If set, this has preference over statically configured sharding. This is experimental, it may be removed without notice.
       --pod-namespace string                       Name of the namespace of the pod specified by --pod. When set, it is expected that --pod and --pod-namespace are both set. Most likely this should be passed via the downward API. This is used for auto-detecting sharding. If set, this has preference over statically configured sharding. This is experimental, it may be removed without notice.
       --port int                                   Port to expose metrics on. (default 8080)
-      --resources string                           Comma-separated list of Resources to be enabled. Defaults to "certificatesigningrequests,clusterrolebindings,clusterroles,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,rolebindings,roles,secrets,serviceaccounts,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments"
+      --resources string                           Comma-separated list of Resources to be enabled. Defaults to "certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments"
       --shard int32                                The instances shard nominal (zero indexed) within the total number of shards. (default 0)
       --skip_headers                               If true, avoid header prefixes in the log messages
       --skip_log_headers                           If true, avoid headers when opening log files (no effect when -logtostderr=true)

diff --git a/pkg/options/resource.go b/pkg/options/resource.go
@@ -27,8 +27,6 @@ var (
 	// DefaultResources represents the default set of resources in kube-state-metrics.
 	DefaultResources = ResourceSet{
 		"certificatesigningrequests":      struct{}{},
-		"clusterrolebindings":             struct{}{},
-		"clusterroles":                    struct{}{},
 		"configmaps":                      struct{}{},
 		"cronjobs":                        struct{}{},
 		"daemonsets":                      struct{}{},
@@ -50,10 +48,7 @@ var (
 		"replicasets":                     struct{}{},
 		"replicationcontrollers":          struct{}{},
 		"resourcequotas":                  struct{}{},
-		"rolebindings":                    struct{}{},
-		"roles":                           struct{}{},
 		"secrets":                         struct{}{},
-		"serviceaccounts":                 struct{}{},
 		"services":                        struct{}{},
 		"statefulsets":                    struct{}{},
 		"storageclasses":                  struct{}{},

diff --git a/tests/e2e/main_test.go b/tests/e2e/main_test.go
@@ -252,6 +252,20 @@ func TestDefaultCollectorMetricsAvailable(t *testing.T) {
 	}
 
 	resources := map[string]struct{}{}
+	nonDefaultResources := map[string]bool{
+		"clusterrole":           true,
+		"clusterrolebinding":    true,
+		"role":                  true,
+		"rolebinding":           true,
+		"serviceaccount":        true,
+		"verticalpodautoscaler": true,
+	}
+	nonResources := map[string]bool{
+		"builder":   true,
+		"utils":     true,
+		"testutils": true,
+	}
+
 	files, err := os.ReadDir("../../internal/store/")
 	if err != nil {
 		t.Fatalf("failed to read dir to get all resouces name: %v", err)
@@ -263,11 +277,11 @@ func TestDefaultCollectorMetricsAvailable(t *testing.T) {
 		if len(params) != 2 {
 			continue
 		}
-		if params[1] == "builder" || params[1] == "utils" || params[1] == "testutils" {
+		if nonResources[params[1]] {
 			// Non resource file
 			continue
 		}
-		if params[1] == "verticalpodautoscaler" {
+		if nonDefaultResources[params[1]] {
 			// Resource disabled by default
 			continue
 		}