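---
# Prometheus blackbox-exporter for the `monitoring` namespace.
# Documents, in order: PodSecurityPolicy, ServiceAccount, ConfigMap, Role,
# RoleBinding, Service, Deployment.
#
# NOTE(review): policy/v1beta1 PodSecurityPolicy was deprecated in Kubernetes
# v1.21 and removed in v1.25. On newer clusters this document is rejected and
# the Role/RoleBinding below grant nothing useful; the container-level
# securityContext in the Deployment is then the only hardening that applies.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # PodSecurityPolicy is cluster-scoped, so it carries no metadata.namespace.
  name: blackbox-exporter-psp
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Only the volume types the Deployment needs (it mounts one configMap).
  volumes:
    - configMap
    - secret
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # NOTE(review): RunAsAny permits UID 0. Tightening this to MustRunAsNonRoot
  # needs a check that the ICMP prober still works with the image's user.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Group ranges start at 1, so GID 0 is excluded.
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: true
  # NET_RAW is the only capability a pod may add; the icmp prober uses it.
  allowedCapabilities:
    - NET_RAW
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
data:
  # Probe modules, mounted at /config/blackbox.yaml by the Deployment.
  #
  # NOTE(review): http_2xx sets tls_config.insecure_skip_verify: true, so a
  # probe succeeds against an endpoint presenting an expired, self-signed or
  # wrong-host certificate. Left unchanged because existing targets may rely
  # on it; prefer a separate module with verification enabled for public
  # endpoints and keep the skip-verify module for internal ones only.
  #
  # NOTE(review): follow_redirects: true means the status reported is that of
  # the final hop, and the exporter will connect to whatever host a target
  # redirects to.
  #
  # NOTE(review): icmp_ping pins source_ip_address to 127.0.0.1; that looks
  # like it would only reach loopback targets. Confirm it is intended.
  blackbox.yaml: |
    modules:
      http_2xx:
        http:
          follow_redirects: true
          preferred_ip_protocol: ip4
          tls_config:
            insecure_skip_verify: true
          valid_http_versions:
            - HTTP/1.1
            - HTTP/2.0
        prober: http
        timeout: 5s
      icmp_ping:
        icmp:
          preferred_ip_protocol: ip4
          source_ip_address: 127.0.0.1
        prober: icmp
        timeout: 5s
---
# Lets the ServiceAccount `use` exactly one PSP and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - blackbox-exporter-psp
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: blackbox-exporter
subjects:
  - kind: ServiceAccount
    name: blackbox-exporter
    # Stated explicitly so the binding cannot be misread as matching a
    # same-named ServiceAccount in another namespace.
    namespace: monitoring
---
# NOTE(review): the exporter's /probe endpoint issues requests to whatever
# target the caller names, so every client that can reach this Service can
# make the pod connect on its behalf. No NetworkPolicy is defined in this
# file; admit only the Prometheus pods to port 9115.
apiVersion: v1
kind: Service
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 9115
      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: blackbox-exporter
  namespace: monitoring
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/component: blackbox-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus
      app.kubernetes.io/component: blackbox-exporter
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: prometheus
        app.kubernetes.io/component: blackbox-exporter
    spec:
      serviceAccountName: blackbox-exporter
      # The bound Role only grants `use` on the PSP, which is evaluated at
      # admission time; nothing in this manifest calls the API server from
      # inside the pod, so no token is mounted.
      automountServiceAccountToken: false
      restartPolicy: Always
      containers:
        - name: blackbox-exporter
          # NOTE(review): a tag is mutable. Pin by digest, e.g.
          # prom/blackbox-exporter:v0.19.0@sha256:<digest-placeholder>,
          # and check whether a newer release is available.
          image: "prom/blackbox-exporter:v0.19.0"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
            # Matches the PSP, and still applies where PSP admission is
            # not enabled.
            allowPrivilegeEscalation: false
            capabilities:
              # Start from an empty set, then add back only what the icmp
              # prober needs.
              drop: ["ALL"]
              add: ["NET_RAW"]
          args:
            - "--config.file=/config/blackbox.yaml"
          ports:
            - containerPort: 9115
              name: http
          livenessProbe:
            httpGet:
              path: /health
              port: http
          readinessProbe:
            httpGet:
              path: /health
              port: http
          volumeMounts:
            - mountPath: /config
              name: config
      volumes:
        - name: config
          configMap:
            name: blackbox-exporter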