jsonnet/prometheus-operator: restrict api extension RBAC rules

[s-urbaniak]

/cc @coreos/team-monitoring

[s-urbaniak]

hmm, something seems to be off with the new policy, investigating 🤔

[s-urbaniak]

ok, i need to investigate further, the e2e tests imply that with this change prometheus-operator does not have permissions to create CRDs:

$ kubectl -n allns-q4toex-0 logs prometheus-operator-5df9b9658-qz5xb -c prometheus-operator
ts=2020-01-28T15:04:47.612811309Z caller=main.go:199 msg="Starting Prometheus Operator version '0.35.0'."
ts=2020-01-28T15:04:47.616275563Z caller=main.go:96 msg="Staring insecure server on :8080"
level=info ts=2020-01-28T15:04:47.628209373Z caller=operator.go:451 component=prometheusoperator msg="connection established" cluster-version=v1.16.4
level=info ts=2020-01-28T15:04:47.628241566Z caller=operator.go:214 component=alertmanageroperator msg="connection established" cluster-version=v1.16.4
ts=2020-01-28T15:04:48.527183847Z caller=main.go:288 msg="Unhandled error received. Exiting..." err="creating CRD: Alertmanager: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:allns-q4toex-0:prometheus-operator\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"

[brancz]

I think create cannot be bound to a resourceName. And I don’t think cluster monitoring operator (and prometheus operator) needs anything other than get/update on specific ones and generic create. I don’t think it needs list, delete, delete collection or watch at all.

[s-urbaniak]

thanks @brancz. I should have studied the documentation more intensely as per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources.

Indeed it states that create cannot be bound to resourceName. I will update this PR accordingly, thanks!

[s-urbaniak]

ok, i was missing the thanosrulers crd in the policy,

cc @coreos/team-monitoring ptal