authorChristian Pointner <equinox@spreadspace.org>2020-05-16 19:23:20 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-05-16 19:23:20 +0200
commita7e29b93eefbc82c7740d45da0cc1e61a286a241 (patch)
tree5f411d5374fb72c2e6c8b9bbbac6042b465694d2 /roles/kubernetes/addons
parentadd apt-repo/base and backports (diff)
kubernetes: set cgroup driver to systemd, enable metrics-server and node-local-dns
Diffstat (limited to 'roles/kubernetes/addons')
-rw-r--r--roles/kubernetes/addons/metrics-server/tasks/main.yml10
-rw-r--r--roles/kubernetes/addons/metrics-server/templates/components.0.3.6.yml.j2156
2 files changed, 166 insertions, 0 deletions
diff --git a/roles/kubernetes/addons/metrics-server/tasks/main.yml b/roles/kubernetes/addons/metrics-server/tasks/main.yml
new file mode 100644
index 00000000..e09106c1
--- /dev/null
+++ b/roles/kubernetes/addons/metrics-server/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: copy config for metrics-server
+ template:
+ src: "components.{{ kubernetes_metrics_server_version }}.yml.j2"
+ dest: /etc/kubernetes/metrics-server.yml
+
+- name: install metrics-server onto the cluster
+ command: kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f /etc/kubernetes/metrics-server.yml
+ register: kube_metrics_server_apply_result
+ changed_when: (kube_metrics_server_apply_result.stdout_lines | reject("regex", " unchanged$") | list | length) > 0
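Review bot: The template task writes `/etc/kubernetes/metrics-server.yml` without `owner`, `group` or `mode`, so the permissions of a file that is immediately fed to `kubectl apply` under the admin kubeconfig depend on the umask of whatever invokes the play; set them explicitly, e.g. `owner: root`, `group: root`, `mode: "0644"`, so an unexpectedly permissive umask cannot leave a cluster-admin-applied manifest writable by others. The `changed_when` expression treats every stdout line that does not end in ` unchanged` as a change, so any additional informational output from kubectl would report the task as changed on every run; selecting on the suffixes that actually denote a change (`select("regex", " (created|configured)$")`) is more robust. If this role is applied to more than one control-plane host, the apply is repeated once per host; `run_once: true` on the apply task would avoid that, though I cannot see the play's host list from here.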
diff --git a/roles/kubernetes/addons/metrics-server/templates/components.0.3.6.yml.j2 b/roles/kubernetes/addons/metrics-server/templates/components.0.3.6.yml.j2
new file mode 100644
index 00000000..1e3789bb
--- /dev/null
+++ b/roles/kubernetes/addons/metrics-server/templates/components.0.3.6.yml.j2
@@ -0,0 +1,156 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:aggregated-metrics-reader
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods", "nodes"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ k8s-app: metrics-server
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ template:
+ metadata:
+ name: metrics-server
+ labels:
+ k8s-app: metrics-server
+ spec:
+ serviceAccountName: metrics-server
+ volumes:
+ # mount in tmp so we can safely use from-scratch images and/or read-only containers
+ - name: tmp-dir
+ emptyDir: {}
+ containers:
+ - name: metrics-server
+ image: k8s.gcr.io/metrics-server-amd64:v0.3.6
+ imagePullPolicy: IfNotPresent
+ args:
+ - --cert-dir=/tmp
+ - --secure-port=4443
+ - --kubelet-insecure-tls
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP
+ ports:
+ - name: main-port
+ containerPort: 4443
+ protocol: TCP
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/arch: "amd64"
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+ kubernetes.io/cluster-service: "true"
+spec:
+ selector:
+ k8s-app: metrics-server
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: main-port
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
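Review bot: Both ends of the metrics path skip certificate verification — `insecureSkipTLSVerify: true` on the APIService and `--kubelet-insecure-tls` in the container args — so the kube-apiserver will trust anything answering as the metrics-server Service and metrics-server will trust anything answering on a kubelet address. These are upstream's quick-start defaults; on a kubeadm cluster (the tasks use admin.conf) the kubelet side can be closed by enabling kubelet serving-cert rotation (`serverTLSBootstrap: true` in the kubelet config and approving the resulting CSRs) and dropping the flag, and the apiserver side by serving a CA-issued cert via `--tls-cert-file`/`--tls-private-key-file` and replacing `insecureSkipTLSVerify: true` with `caBundle: <base64 CA>`. Separately, `apiregistration.k8s.io/v1beta1` can be `apiregistration.k8s.io/v1` (available since 1.10), and the `system:metrics-server` ClusterRole grants get/list/watch on every ConfigMap in the cluster, which metrics-server does not appear to need for collecting node and pod metrics — consider dropping `configmaps` from that rule unless a use is known. The container also lacks `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` alongside the existing `runAsNonRoot`, has no resource requests/limits, and pins the image by tag rather than digest.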