MON-4432: Add EndpointSlice support to DaemonSet ServiceMonitors

[slashpai]

Configure all ServiceMonitor objects for DaemonSet workloads to use EndpointSlice for service discovery instead of the default Endpoints API, improving scalability and performance for monitoring DaemonSet pods.

Changes:

• Add serviceDiscoveryRole: EndpointSlice to ServiceMonitor specs
• Add discovery.k8s.io/endpointslices RBAC permissions to prometheus-k8s Roles

Related Epic: https://issues.redhat.com/browse/MON-4216

cc @simonpasquier

/hold to test changes

[openshift-ci-robot]

@slashpai: This pull request references MON-4432 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.21.0" version, but no target version was set.

In response to this:

Configure all ServiceMonitor objects for DaemonSet workloads to use EndpointSlice for service discovery instead of the default Endpoints API, improving scalability and performance for monitoring DaemonSet pods.

Changes:

• Add serviceDiscoveryRole: EndpointSlice to ServiceMonitor specs
• Add discovery.k8s.io/endpointslices RBAC permissions to prometheus-k8s Roles

Related Epic: https://issues.redhat.com/browse/MON-4216

cc @simonpasquier

/hold to test changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This change adds EndpointSlice-based service discovery support across multiple Prometheus monitoring configurations. ServiceMonitor resources are updated with serviceDiscoveryRole: EndpointSlice, and corresponding RBAC Role permissions are extended to grant Prometheus access to endpointslices resources in the discovery.k8s.io API group.

Changes

Cohort / File(s)	Summary
EndpointSlice Discovery Configuration bindata/kube-proxy/monitor.yaml, bindata/network/frr-k8s/monitor.yaml, bindata/network/network-metrics/002-prometheus.yaml, bindata/network/openshift-sdn/monitor.yaml, bindata/network/ovn-kubernetes/common/monitor-node.yaml	Adds serviceDiscoveryRole: EndpointSlice field to ServiceMonitor specs. Extends prometheus-k8s Role with new RBAC rule granting get, list, and watch permissions on endpointslices resource in discovery.k8s.io API group.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Homogeneous changes applied consistently across 5 manifests (low complexity pattern)
• All modifications are YAML configuration additions with no code logic changes
• Each file requires validation that RBAC permissions are correctly specified and aligned
• Verify that serviceDiscoveryRole: EndpointSlice field is syntactically valid for ServiceMonitor resources

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between fda7a9f and 57acbaf.

📒 Files selected for processing (5)

• bindata/kube-proxy/monitor.yaml (2 hunks)
• bindata/network/frr-k8s/monitor.yaml (2 hunks)
• bindata/network/network-metrics/002-prometheus.yaml (2 hunks)
• bindata/network/openshift-sdn/monitor.yaml (3 hunks)
• bindata/network/ovn-kubernetes/common/monitor-node.yaml (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/kube-proxy/monitor.yaml
• bindata/network/frr-k8s/monitor.yaml
• bindata/network/network-metrics/002-prometheus.yaml
• bindata/network/openshift-sdn/monitor.yaml
• bindata/network/ovn-kubernetes/common/monitor-node.yaml

🔇 Additional comments (5)

bindata/network/network-metrics/002-prometheus.yaml (1)

27-27: Consistent implementation across ServiceMonitor and RBAC.

Changes align with the pattern seen in other monitored workloads. RBAC rule is correctly structured with all required verbs.

Also applies to: 65-72

bindata/network/frr-k8s/monitor.yaml (1)

60-60: Consistent pattern applied across frr-k8s ServiceMonitor and RBAC.

Changes follow the established pattern. Note that serviceDiscoveryRole applies cluster-wide to the ServiceMonitor's scope, regardless of the number of endpoints defined.

Also applies to: 78-85

bindata/network/openshift-sdn/monitor.yaml (1)

27-27: Correctly applied to multiple ServiceMonitors with consolidated RBAC.

Both ServiceMonitor resources (monitor-sdn and monitor-sdn-controller) correctly receive serviceDiscoveryRole: EndpointSlice. The single RBAC rule properly covers both, avoiding duplication—this is the correct approach.

Also applies to: 76-76, 116-123

bindata/kube-proxy/monitor.yaml (1)

27-27: No issues found — serviceDiscoveryRole is valid and RBAC is correctly configured.

ServiceMonitor supports the serviceDiscoveryRole field with valid values "EndpointSlice" or "Endpoints" and is documented in the Prometheus Operator API reference. The RBAC rule at lines 67-74 correctly grants the required permissions for reading EndpointSlices.

bindata/network/ovn-kubernetes/common/monitor-node.yaml (1)

34-34: Verified: All DaemonSet ServiceMonitors have serviceDiscoveryRole field; all non-DaemonSet ServiceMonitors correctly lack it.

Verification confirms the review comment is accurate. All five DaemonSet workload ServiceMonitors (kube-proxy, frr-k8s, network-metrics-daemon, sdn, ovnkube-node) have received the serviceDiscoveryRole: EndpointSlice field. The five ServiceMonitors without this field correctly target Deployments, not DaemonSets. No DaemonSet ServiceMonitors were missed.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[simonpasquier]

/skip
/retest-required

[simonpasquier]

/lgtm

Let's see if the e2e failures are caused by the PR but it looks ok to me.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: simonpasquier, slashpai
Once this PR has been reviewed and has the lgtm label, please assign abhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[slashpai]

/retest-required

[slashpai]

/retest-required

[slashpai]

/test e2e-aws-ovn-windows

[openshift-ci]

@slashpai: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	57acbaf	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	57acbaf	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade
ci/prow/security	57acbaf	link	false	/test security
ci/prow/frrk8s-e2e	57acbaf	link	false	/test frrk8s-e2e
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	57acbaf	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-windows	57acbaf	link	true	/test e2e-aws-ovn-windows

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[simonpasquier]

/test e2e-aws-ovn-windows