diff --git a/.swp b/.swp deleted file mode 100644 index 1bac88c..0000000 Binary files a/.swp and /dev/null differ diff --git a/README.md b/README.md index a2d15ec..7100311 100644 --- a/README.md +++ b/README.md @@ -146,6 +146,10 @@ Most aspects of your cluster setup can be customized with environment variables. Defaults to `false`. + - **USE_METRICS_SERVER** defines whether to deploy or not the [Kubernetes Metrics Server](https://github.com/kubernetes-incubator/metrics-server) + + Defaults to `false`. + - **AUTHORIZATION_MODE** setting this to `RBAC` enables RBAC for the kubernetes cluster. Defaults to `AlwaysAllow`. diff --git a/Vagrantfile b/Vagrantfile index ad8ee86..ea01f84 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -122,6 +122,7 @@ DNS_DOMAIN = ENV["DNS_DOMAIN"] || "cluster.local" SERIAL_LOGGING = (ENV["SERIAL_LOGGING"].to_s.downcase == "true") GUI = (ENV["GUI"].to_s.downcase == "true") USE_KUBE_UI = (ENV["USE_KUBE_UI"].to_s.downcase == "true") || false +USE_METRICS_SERVER = (ENV["USE_METRICS_SERVER"].to_s.downcase == "true") || false BOX_TIMEOUT_COUNT = (ENV["BOX_TIMEOUT_COUNT"] || 50).to_i @@ -362,6 +363,18 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| info "Kubernetes Dashboard will be available at http://#{MASTER_IP}:8080/ui/" end + + if USE_METRICS_SERVER + info "Configuring Kubernetes Metrics Server..." + + if OS.windows? + run_remote "/opt/bin/kubectl apply -f /home/core/metrics-server/" + else + system "kubectl apply -f plugins/metrics-server/" + end + + info "Kubernetes Metrics Server will be available at http://#{MASTER_IP}:8080/apis/metrics.k8s.io/" + end end # copy setup files to master vm if host is windows 
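Review bot: The non-Windows branch throws away the result of `system "kubectl apply -f plugins/metrics-server/"`, so when kubectl is missing, points at the wrong context or rejects a manifest, the "Kubernetes Metrics Server will be available" message is printed anyway; `abort "metrics-server apply failed" unless system("kubectl", "apply", "-f", "plugins/metrics-server/")` would surface the failure instead. The relative path also depends on the caller's working directory, unlike the `File.dirname(__FILE__)`-based paths the provisioners use. The URL in the info line is on port 8080, the same port the dashboard line above uses and presumably the apiserver's plain-HTTP port, which means the metrics API is reachable there without authentication — worth saying in the README entry for USE_METRICS_SERVER. The enclosing `Vagrant.configure` block starts and ends outside the hunk.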
@@ -377,6 +390,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/dashboard-rbac.yaml"), :destination => "/home/core/dashboard-rbac.yaml" kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/dashboard.yaml"), :destination => "/home/core/dashboard.yaml" end + + if USE_METRICS_SERVER + kHost.vm.provision :file, :source => File.join(File.dirname(__FILE__), "plugins/dashboard/metrics-server"), :destination => "/home/core/metrics-server" + end end # clean temp directory after master is destroyed diff --git a/env b/env new file mode 100644 index 0000000..c29b273 --- /dev/null +++ b/env @@ -0,0 +1,11 @@ +export NODES=3 +export MASTER_MEM=2048 +export MASTER_CPUS=2 +export NODE_MEM=4096 +export NODE_CPUS=3 +export USE_KUBE_UI=true +export KUBERNETES_VERSION=1.12.1 +export VAGRANT_USE_VAGRANT_TRIGGERS=false +export AUTHORIZATION_MODE=AlwaysAllow +# export AUTHORIZATION_MODE=RBAC +export USE_METRICS_SERVER=true diff --git a/manifests/master-apiserver-rbac.yaml b/manifests/master-apiserver-rbac.yaml index 428b416..330f4e5 100644 --- a/manifests/master-apiserver-rbac.yaml +++ b/manifests/master-apiserver-rbac.yaml 
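Review bot: The provisioner source is `plugins/dashboard/metrics-server`, but every manifest in this commit lives under `plugins/metrics-server/` and the non-Windows branch applies `plugins/metrics-server/`, so on Windows hosts the file provisioner points at a directory that does not exist and the later `kubectl apply -f /home/core/metrics-server/` has nothing to apply. Change it to `:source => File.join(File.dirname(__FILE__), "plugins/metrics-server")`. The enclosing provisioning block starts and ends outside the hunk.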
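Review bot: `env` reads as a developer's local settings committed by accident rather than a documented sample: it hard-codes `NODES=3`, 4 GB nodes and `USE_METRICS_SERVER=true`, and selects `AUTHORIZATION_MODE=AlwaysAllow` with the RBAC line commented out, so anyone who sources it gets a cluster in which the auth-delegator/auth-reader bindings shipped under `plugins/metrics-server/` are irrelevant because every request is authorized. If it is meant as a template, name it accordingly (for example `env.example`) and keep the README defaults as the source of truth; if it is meant to be sourced as-is, `AUTHORIZATION_MODE=RBAC` is the safer default and the mode the new bindings are written for.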
@@ -24,6 +24,13 @@ spec:
 - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
 - --client-ca-file=/etc/kubernetes/ssl/ca.pem
 - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --proxy-client-cert-file=/etc/kubernetes/ssl/apiserver.pem
+ - --proxy-client-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --requestheader-allowed-names=
+ - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+ - --requestheader-extra-headers-prefix=X-Remote-Extra-
+ - --requestheader-group-headers=X-Remote-Group
+ - --requestheader-username-headers=X-Remote-User
 - --runtime-config=extensions/v1beta1=true,networking.k8s.io/v1,batch/v2alpha1=true,admissionregistration.k8s.io/v1alpha1=true
 - --authorization-mode=RBAC
 ports:
diff --git a/manifests/master-apiserver.yaml b/manifests/master-apiserver.yaml
index bd4f775..eee3b7d 100644
--- a/manifests/master-apiserver.yaml
+++ b/manifests/master-apiserver.yaml
@@ -24,6 +24,13 @@ spec:
 - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
 - --client-ca-file=/etc/kubernetes/ssl/ca.pem
 - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --proxy-client-cert-file=/etc/kubernetes/ssl/apiserver.pem
+ - --proxy-client-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --requestheader-allowed-names=
+ - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+ - --requestheader-extra-headers-prefix=X-Remote-Extra-
+ - --requestheader-group-headers=X-Remote-Group
+ - --requestheader-username-headers=X-Remote-User
 ports:
 - containerPort: 443
 hostPort: 443
diff --git a/plugins/metrics-server/aggregated-metrics-reader.yaml b/plugins/metrics-server/aggregated-metrics-reader.yaml
new file mode 100644
index 0000000..cdf3415
--- /dev/null
+++ b/plugins/metrics-server/aggregated-metrics-reader.yaml
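Review bot: `--requestheader-client-ca-file` points at the same `ca.pem` as `--client-ca-file` and `--requestheader-allowed-names=` is empty, so any client certificate issued by the cluster CA — kubelets, controller components, admin kubeconfigs, not just the aggregator's proxy-client cert — is accepted as a front proxy and can set `X-Remote-User`/`X-Remote-Group` to act as any user; the identical block is added to `manifests/master-apiserver.yaml` in the next hunk. The request-header CA should be a dedicated CA that signs only the front-proxy client certificate, with `--requestheader-allowed-names` listing that certificate's CN, e.g. `--requestheader-client-ca-file=/etc/kubernetes/ssl/<front-proxy-ca>.pem` and `--requestheader-allowed-names=<front-proxy-client-cn>`, and `--proxy-client-cert-file`/`--proxy-client-key-file` pointing at that cert rather than reusing the serving cert `apiserver.pem`. Reusing the serving certificate as the proxy client cert also only works if it carries the clientAuth EKU, which the manifest cannot show. In the non-RBAC manifest the impersonation path matters less because every request is authorized anyway, but the values are the same and should be fixed in both files.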
@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: system:aggregated-metrics-reader
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
diff --git a/plugins/metrics-server/auth-delegator.yaml b/plugins/metrics-server/auth-delegator.yaml
new file mode 100644
index 0000000..e3442c5
--- /dev/null
+++ b/plugins/metrics-server/auth-delegator.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/plugins/metrics-server/auth-reader.yaml b/plugins/metrics-server/auth-reader.yaml
new file mode 100644
index 0000000..f0616e1
--- /dev/null
+++ b/plugins/metrics-server/auth-reader.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/plugins/metrics-server/metrics-apiservice.yaml b/plugins/metrics-server/metrics-apiservice.yaml
new file mode 100644
index 0000000..08b0530
--- /dev/null
+++ b/plugins/metrics-server/metrics-apiservice.yaml
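Review bot: `auth-delegator.yaml` declares `apiVersion: rbac.authorization.k8s.io/v1beta1` while `aggregated-metrics-reader.yaml` in the same directory uses `rbac.authorization.k8s.io/v1`, and `auth-reader.yaml` in the next hunk has the same mismatch. The v1 RBAC API has been stable since Kubernetes 1.8 and the beta version is on its way out, so `apiVersion: rbac.authorization.k8s.io/v1` in both files keeps the plugin consistent and avoids a later breaking change when the cluster version in `env` is bumped. The leading `---` document separator is likewise present in some of these files and absent in others; either convention is fine, but pick one.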
@@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
diff --git a/plugins/metrics-server/metrics-server-deployment.yaml b/plugins/metrics-server/metrics-server-deployment.yaml
new file mode 100644
index 0000000..ad2abaf
--- /dev/null
+++ b/plugins/metrics-server/metrics-server-deployment.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ k8s-app: metrics-server
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ template:
+ metadata:
+ name: metrics-server
+ labels:
+ k8s-app: metrics-server
+ spec:
+ serviceAccountName: metrics-server
+ volumes:
+ # mount in tmp so we can safely use from-scratch images and/or read-only containers
+ - name: tmp-dir
+ emptyDir: {}
+ containers:
+ - name: metrics-server
+ image: k8s.gcr.io/metrics-server-amd64:v0.3.1
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+
diff --git a/plugins/metrics-server/metrics-server-service.yaml b/plugins/metrics-server/metrics-server-service.yaml
new file mode 100644
index 0000000..082b00c
--- /dev/null
+++ b/plugins/metrics-server/metrics-server-service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+spec:
+ selector:
+ k8s-app: metrics-server
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
diff --git a/plugins/metrics-server/resource-reader.yaml b/plugins/metrics-server/resource-reader.yaml
new file mode 100644
index 0000000..34294a3
--- /dev/null
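Review bot: `insecureSkipTLSVerify: true` makes the aggregator accept any serving certificate from the `metrics-server` Service, so the apiserver cannot distinguish the real metrics-server from another workload that ends up behind that Service's endpoints, and with the `--requestheader-*` flags it forwards the calling user's identity headers to whatever answers. The upstream manifest ships the same setting, so this is an inherited weakness rather than a regression, but the stricter option is to have metrics-server serve a certificate from a CA the cluster trusts and replace the flag with `caBundle: <base64 CA>`; at minimum a comment on that line saying why verification is skipped would help the next reader. `apiregistration.k8s.io/v1beta1` could also be `apiregistration.k8s.io/v1`, which the 1.12 cluster named in `env` already serves.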
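Review bot: The metrics-server container carries no `securityContext`, even though the `tmp-dir` comment says the volume exists precisely so the image can run read-only, and the image is pulled by mutable tag with `imagePullPolicy: Always`, so every pod restart fetches whatever `v0.3.1` points at that day. A read-only root filesystem and a non-root UID are cheap for a from-scratch image, and pinning by digest (`image: k8s.gcr.io/metrics-server-amd64@sha256:<digest>`) makes the rollout reproducible. `apiVersion: extensions/v1beta1` for a Deployment is also deprecated in favour of `apps/v1`, which a 1.12 cluster serves.

```yaml
      containers:
      - name: metrics-server
        image: k8s.gcr.io/metrics-server-amd64:v0.3.1  # prefer @sha256:<digest>
        imagePullPolicy: Always
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534          # constructed example: any unprivileged uid works for a scratch image
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        # … unchanged: volumeMounts …
```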
+++ b/plugins/metrics-server/resource-reader.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "extensions"
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
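Review bot: The second rule grants `get`/`list`/`watch` on `deployments` in the `extensions` group to `system:metrics-server`, and nothing else in this plugin shows metrics-server needing Deployments; presumably it only reads nodes, pods and kubelet stats, which the first rule already covers via `nodes/stats`. If the grant is merely carried over from the upstream example, drop the second rule so the ServiceAccount holds the minimum it needs. A one-line comment above each rule naming what it is for (`# kubelet summary API is read through the nodes/stats subresource`) would also make the next least-privilege review quicker.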