From 3950556dd65fffedc42debcc7b1bfd9602b92814 Mon Sep 17 00:00:00 2001 From: Tomáš Levora Date: Thu, 3 Oct 2019 13:31:54 +0200 Subject: Update rke, kubectl and helm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit updates rke (implementing K8S 1.15.4), kubectl binary and helm binary with tiller image: rke 0.3.0 kubernetes 1.15.4 kubectl 1.15.4 helm 2.14.2 dashboard 2.0.0-beta4 Kubernetes dashboard is also updated to be compliant with the 1.15 K8S. Note 1: There is a new datalist to split rke only images from other K8S related images. Note 2: El Alto recommendation cannot be fullfilled to the letter, because rke does not have any release supporting 1.15.2 version of kubernetes (only experimental). Issue-ID: OOM-2122 Change-Id: I02cf0955158eca622bcac40ceed42588dbdd3499 Signed-off-by: Tomáš Levora Signed-off-by: Petr Ospalý Signed-off-by: Bartek Grzybowski --- ansible/roles/rke/templates/cluster.yml.j2 | 2 +- .../roles/rke/templates/k8s-dashboard-user.yml.j2 | 6 +- .../rke/templates/kubernetes-dashboard.yaml.j2 | 283 +++++++++++++++------ 3 files changed, 203 insertions(+), 88 deletions(-) (limited to 'ansible/roles/rke/templates') diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2 index 51f4e28b..656c1136 100644 --- a/ansible/roles/rke/templates/cluster.yml.j2 +++ b/ansible/roles/rke/templates/cluster.yml.j2 @@ -151,4 +151,4 @@ monitoring: restore: restore: false snapshot_name: "" -dns: null +dns: {{ rke_dns }} diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 index 9031553c..5d7a55a7 100644 --- a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 +++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 @@ -3,9 +3,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: admin-user - namespace: kube-system + namespace: kubernetes-dashboard --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user @@ -16,4 +16,4 @@ roleRef: subjects: - kind: ServiceAccount name: admin-user - namespace: kube-system \ No newline at end of file + namespace: kubernetes-dashboard diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 index 4458628a..7dd9692c 100644 --- a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 +++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 @@ -12,7 +12,41 @@ # See the License for the specific language governing permissions and # limitations under the License. -# ------------------- Dashboard Secrets ------------------- # +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard +{% if rke_dashboard_exposed %} + type: NodePort +{% endif %} + +--- apiVersion: v1 kind: Secret @@ -20,7 +54,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs - namespace: kube-system + namespace: kubernetes-dashboard type: Opaque --- @@ -31,76 +65,114 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf - namespace: kube-system + namespace: kubernetes-dashboard type: Opaque data: csrf: "" --- -# ------------------- Dashboard Service Account ------------------- # apiVersion: v1 -kind: ServiceAccount +kind: Secret metadata: labels: k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard --- -# ------------------- Dashboard Role & Role Binding ------------------- # kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard rules: - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. -- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. + - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: ["","apps"] + resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims","replicasets","deployments","events"] + verbs: ["get", "list", "watch"] --- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: kubernetes-dashboard-minimal + name: kubernetes-dashboard subjects: -- kind: ServiceAccount + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: kubernetes-dashboard - namespace: kube-system +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard --- -# ------------------- Dashboard Deployment ------------------- # kind: Deployment apiVersion: apps/v1 @@ -108,7 +180,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: kube-system + namespace: kubernetes-dashboard spec: replicas: 1 revisionHistoryLimit: 10 @@ -121,58 +193,101 @@ spec: k8s-app: kubernetes-dashboard spec: containers: - - name: kubernetes-dashboard - image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 - ports: - - containerPort: 8443 - protocol: TCP - args: - - --auto-generate-certificates - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. - # - --apiserver-host=http://my-address:port - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.0.0-beta4 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} serviceAccountName: kubernetes-dashboard # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule --- -# ------------------- Dashboard Service ------------------- # kind: Service apiVersion: v1 metadata: labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard spec: ports: - - port: 443 - targetPort: 8443 + - port: 8000 + targetPort: 8000 selector: - k8s-app: kubernetes-dashboard -{% if rke_dashboard_exposed %} - type: NodePort -{% endif %} + k8s-app: dashboard-metrics-scraper + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + spec: + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.1 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} -- cgit 1.2.3-korg