---
# ClusterRole for the Prometheus server (prometheus-k8s).
# Every rule below grants only the get, list and watch verbs.
# A ClusterRole is cluster-scoped: when bound through a ClusterRoleBinding,
# these rules apply in every namespace. The binding and its subject are not
# part of this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-k8s
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/instance: k8s
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: kube-prometheus
    # Quoted so the label value is always read as a string.
    app.kubernetes.io/version: '3.10.0'
rules:
  # 1. Core API group
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/metrics
      - services
      # Kept for compatibility with older versions.
      - endpoints
      - pods
      # NOTE(review): services/proxy with "get" permits GET requests to
      # Services through the API server proxy, which is wider than what
      # target discovery needs. Confirm a scrape job relies on it; if none
      # does, drop this entry.
      - services/proxy
    verbs:
      - get
      - list
      - watch

  # 2. Discovery API group (key: used for EndpointSlice)
  - apiGroups:
      - discovery.k8s.io
    resources:
      # This is the key resource for Prometheus 3.10 service discovery.
      - endpointslices
    verbs:
      - get
      - list
      - watch

  # 3. Other required resources
  # NOTE(review): "get" on configmaps in a ClusterRole covers ConfigMaps in
  # all namespaces once bound cluster-wide. If only specific namespaces are
  # needed, a namespaced Role would be the tighter grant - confirm.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get

  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch

  # 4. Non-resource URLs
  - nonResourceURLs:
      - /metrics
      - /metrics/cadvisor
      - /metrics/slis
    verbs:
      - get