Prometheus-operator: kube-prometheus: RBAC questions

#1)

prometheus-operator/helm/ has rbacEnable - e.g. in prometheus-operator/values.yaml.

Can/should kube-prometheus also have such functionality (to optionally specify that RBAC isn't enabled)?

#2)

When I run kube-prometheus v0.19.0 on AWS in a K8s cluster where RBAC is not enabled, the deploy script prints Error from server (Forbidden): error when creating errors - e.g.:
Error from server (Forbidden): error when creating "example-dist/kubeadm/manifests/node-exporter/node-exporter-cluster-role.yaml": clusterroles.rbac.authorization.k8s.io "node-exporter" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["tokenreviews"], APIGroups:["authentication.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["subjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]}] user=&{kube-admin [kube-aws system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

That type of error is printed for each of the following 9 files:

~/prometheus-operator/contrib/kube-prometheus/example-dist/kubeadm/manifests
$ find . -type f | xargs egrep "^kind: ClusterRole$"
./kube-state-metrics/kube-state-metrics-cluster-role.yaml:kind: ClusterRole
./node-exporter/node-exporter-cluster-role.yaml:kind: ClusterRole
./prometheus-k8s/prometheus-k8s-cluster-role.yaml:kind: ClusterRole
./prometheus-operator/prometheus-operator-cluster-role.yaml:kind: ClusterRole
~/prometheus-operator/contrib/kube-prometheus/example-dist/kubeadm/manifests
$ find . -type f | xargs egrep "^kind: Role$"
./kube-state-metrics/kube-state-metrics-role.yaml:kind: Role
./prometheus-k8s/prometheus-k8s-role-config.yaml:kind: Role
./prometheus-k8s/prometheus-k8s-role-default.yaml:kind: Role
./prometheus-k8s/prometheus-k8s-role-kube-system.yaml:kind: Role
./prometheus-k8s/prometheus-k8s-role-namespace.yaml:kind: Role

That error seems to be benign - all 3 kube-prometheus apps (prometheus & alertmanager & grafana) still work as expected in my K8s cluster on AWS; so I'm just ignoring the error. If I'm not going to enable RBAC, then I believe the only way to get those errors to not occur would be if we had some sort of functionality to tell kube-prometheus that RBAC isn't enabled?

#3)

Regarding the prometheus-operator/create-minikube.sh script...

Here's the command I'm doing to start minikube on my Mac (I'm using minikube v0.25.2):
minikube start --kubernetes-version v1.9.4 --bootstrapper=kubeadm --extra-config=kubelet.authentication-token-webhook=true --extra-config=kubelet.authorization-mode=Webhook --extra-config=scheduler.address=0.0.0.0 --extra-config=controller-manager.address=0.0.0.0

prometheus-operator/getting-started.md has a link to the Prometheus Operator RBAC guide, which has a link to K8s Admin Authorization, which says "To enable RBAC, start the apiserver with --authorization-mode=RBAC".

So I believe this means RBAC should not be enabled on my minikube, right? (Because my minikube start command specifies Webhook.)

Note that I'm not doing the kubectl apply in create-minikube.sh for minikube-rbac.yaml.

Side note: regarding another RBAC issue, I added some comments today to #1324.

#4) (I don't think this one is RBAC related, but still lumping it in here.)

kube-prometheus v0.18.0 had minikube & self-hosted.

• self-hosted/kube-dns.yaml created a Service named kube-dns-prometheus-discovery.

But kube-prometheus v0.19.0 has kubeadm & bootkube.

• bootkube/kube-prometheus.jsonnet creates a Service (in kube-dns-prometheus-discovery-service.yaml) also named kube-dns-prometheus-discovery.

Can someone please confirm:

• whether bootkube is the new equivalent for self-hosted?
• what is the purpose of the Service created by bootkube/kube-prometheus.jsonnet? How can I tell whether I need that Service (when I'm running kube-prometheus in a K8s cluster on AWS)?