From 1bee4c0c844496a60a016026231959790df674b6 Mon Sep 17 00:00:00 2001
From: V
Date: Sat, 6 Dec 2025 17:58:58 +0000
Subject: [PATCH] fixing metrics server RBAC
---
 .../monitoring/controllers/base/rbac.yaml | 69 ++++++++++++-------
 1 file changed, 44 insertions(+), 25 deletions(-)
diff --git a/components/monitoring/controllers/base/rbac.yaml b/components/monitoring/controllers/base/rbac.yaml
index 4b3ccbb..2936117 100644
--- a/components/monitoring/controllers/base/rbac.yaml
+++ b/components/monitoring/controllers/base/rbac.yaml
@@ -9,22 +9,6 @@ metadata:
 toolkit.fluxcd.io/tenant: platform-team
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/component: monitoring
- toolkit.fluxcd.io/tenant: platform-team
- name: flux-monitoring
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: flux
- namespace: monitoring
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 labels:
@@ -42,6 +26,49 @@ subjects:
 namespace: monitoring
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+ labels:
+ app.kubernetes.io/component: monitoring
+ toolkit.fluxcd.io/tenant: platform-team
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "nodes/stats", "nodes/log", "services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["metrics.k8s.io"]
+ resources: ["pods", "nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-server-subjectaccessreview
+rules:
+- apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: monitoring
+ toolkit.fluxcd.io/tenant: platform-team
+ name: flux-monitoring
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: flux
+ namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
@@ -56,15 +83,7 @@ subjects:
 - kind: ServiceAccount
 name: metrics-server
 namespace: monitoring
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metrics-server-subjectaccessreview
-rules:
-- apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
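Review bot: The first rule of the new `system:metrics-server` ClusterRole grants cluster-wide read on `nodes/log`, `services` and `endpoints`, which upstream metrics-server manifests do not request as far as I know; `nodes/log` in particular opens the kubelet log endpoint on every node to whatever subject is bound to this role. Unless something in this deployment depends on them, I would narrow that rule to `resources: ["pods", "nodes", "nodes/stats"]`, and confirm whether the deployed metrics-server version scrapes `/metrics/resource`, in which case it needs `nodes/metrics` rather than `nodes/stats`. The `leases` rule likewise allows create/update/patch on Leases in every namespace; if it is there for leader election, a namespaced Role in `monitoring` would be enough. No binding for `system:metrics-server` is visible in these hunks, so it is worth checking that one exists and names only the `metrics-server` ServiceAccount. The `flux-monitoring` binding of the `flux` ServiceAccount to `cluster-admin` is carried over unchanged (only moved), so this commit does not reduce that account's reach; that probably deserves a follow-up.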