monitoring: grant grafana read access to all configmaps

Author: daurnimator

monitoring/grafana-role.yaml

@@ -0,0 +1,21 @@
+# Grafana sidecar needs to be able to query configmaps across all namespaces
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: grafana-clusterrolebinding
+roleRef:
+  kind: ClusterRole
+  name: grafana-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: grafana
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: grafana-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "watch", "list"]

monitoring/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./loki
   - ./promtail
   - prometheus-additional-targets.yaml
+  - grafana-role.yaml
 patches:
   - container-images.patch.yaml
   - cluster-wide.patch.yaml