support the Kubernetes Metrics Server

README.md

@@ -146,6 +146,10 @@ Most aspects of your cluster setup can be customized with environment variables.
 
    Defaults to `false`.
 
+ - **USE_METRICS_SERVER** defines whether to deploy or not the [Kubernetes Metrics Server](https://github.com/kubernetes-incubator/metrics-server)
+
+   Defaults to `false`.
+
  - **AUTHORIZATION_MODE** setting this to `RBAC` enables RBAC for the kubernetes cluster.
 
    Defaults to `AlwaysAllow`.

Vagrantfile

@@ -122,6 +122,7 @@ DNS_DOMAIN = ENV["DNS_DOMAIN"] || "cluster.local"
 SERIAL_LOGGING = (ENV["SERIAL_LOGGING"].to_s.downcase == "true")
 GUI = (ENV["GUI"].to_s.downcase == "true")
 USE_KUBE_UI = (ENV["USE_KUBE_UI"].to_s.downcase == "true") || false
+USE_METRICS_SERVER = (ENV["USE_METRICS_SERVER"].to_s.downcase == "true") || false
 
 BOX_TIMEOUT_COUNT = (ENV["BOX_TIMEOUT_COUNT"] || 50).to_i
 
@@ -362,6 +363,18 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
             info "Kubernetes Dashboard will be available at http://#{MASTER_IP}:8080/ui/"
           end
+
+          if USE_METRICS_SERVER
+            info "Configuring Kubernetes Metrics Server..."
+
+            if OS.windows?
+              run_remote "/opt/bin/kubectl apply -f /home/core/metrics-server/"
+            else
+              system "kubectl apply -f plugins/metrics-server/"
+            end
+
+            info "Kubernetes Metrics Server will be available at http://#{MASTER_IP}:8080/apis/metrics.k8s.io/"
+          end
         end
 
         # copy setup files to master vm if host is windows
@@ -377,6 +390,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
             kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/dashboard-rbac.yaml"), :destination => "/home/core/dashboard-rbac.yaml"
             kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/dashboard.yaml"), :destination => "/home/core/dashboard.yaml"
           end
+
+          if USE_METRICS_SERVER
+            kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/metrics-server"), :destination => "/home/core/metrics-server"
+          end
         end
 
         # clean temp directory after master is destroyed

manifests/master-apiserver-rbac.yaml

@@ -24,6 +24,13 @@ spec:
       - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
       - --client-ca-file=/etc/kubernetes/ssl/ca.pem
       - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+      - --proxy-client-cert-file=/etc/kubernetes/ssl/apiserver.pem
+      - --proxy-client-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+      - --requestheader-allowed-names=
+      - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+      - --requestheader-extra-headers-prefix=X-Remote-Extra-
+      - --requestheader-group-headers=X-Remote-Group
+      - --requestheader-username-headers=X-Remote-User
       - --runtime-config=extensions/v1beta1=true,networking.k8s.io/v1,batch/v2alpha1=true,admissionregistration.k8s.io/v1alpha1=true
       - --authorization-mode=RBAC
     ports:

manifests/master-apiserver.yaml

@@ -24,6 +24,13 @@ spec:
       - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
       - --client-ca-file=/etc/kubernetes/ssl/ca.pem
       - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+      - --proxy-client-cert-file=/etc/kubernetes/ssl/apiserver.pem
+      - --proxy-client-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+      - --requestheader-allowed-names=
+      - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+      - --requestheader-extra-headers-prefix=X-Remote-Extra-
+      - --requestheader-group-headers=X-Remote-Group
+      - --requestheader-username-headers=X-Remote-User
     ports:
     - containerPort: 443
       hostPort: 443

plugins/metrics-server/aggregated-metrics-reader.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:aggregated-metrics-reader
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["metrics.k8s.io"]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]

plugins/metrics-server/auth-delegator.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system

plugins/metrics-server/auth-reader.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system

plugins/metrics-server/metrics-apiservice.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1beta1.metrics.k8s.io
+spec:
+  service:
+    name: metrics-server
+    namespace: kube-system
+  group: metrics.k8s.io
+  version: v1beta1
+  insecureSkipTLSVerify: true
+  groupPriorityMinimum: 100
+  versionPriority: 100

plugins/metrics-server/metrics-server-deployment.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    k8s-app: metrics-server
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  template:
+    metadata:
+      name: metrics-server
+      labels:
+        k8s-app: metrics-server
+    spec:
+      serviceAccountName: metrics-server
+      volumes:
+      # mount in tmp so we can safely use from-scratch images and/or read-only containers
+      - name: tmp-dir
+        emptyDir: {}
+      containers:
+      - name: metrics-server
+        image: k8s.gcr.io/metrics-server-amd64:v0.3.1
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: tmp-dir
+          mountPath: /tmp
+

plugins/metrics-server/metrics-server-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    kubernetes.io/name: "Metrics-server"
+spec:
+  selector:
+    k8s-app: metrics-server
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 443

plugins/metrics-server/resource-reader.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system