From e5af792ad29fdbd8f401b5d0d78e8fb0d64c1fe6 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Thu, 28 May 2020 13:08:53 +0200 Subject: [PATCH] Bump Dashboard to v2.0.1 --- .../addons/dashboard/dashboard-configmap.yaml | 9 - .../dashboard/dashboard-deployment.yaml | 69 ---- cluster/addons/dashboard/dashboard-rbac.yaml | 45 --- .../addons/dashboard/dashboard-secret.yaml | 21 -- .../addons/dashboard/dashboard-service.yaml | 15 - cluster/addons/dashboard/dashboard.yaml | 296 ++++++++++++++++++ hack/local-up-cluster.sh | 8 +- 7 files changed, 298 insertions(+), 165 deletions(-) delete mode 100644 cluster/addons/dashboard/dashboard-configmap.yaml delete mode 100644 cluster/addons/dashboard/dashboard-deployment.yaml delete mode 100644 cluster/addons/dashboard/dashboard-rbac.yaml delete mode 100644 cluster/addons/dashboard/dashboard-secret.yaml delete mode 100644 cluster/addons/dashboard/dashboard-service.yaml create mode 100644 cluster/addons/dashboard/dashboard.yaml diff --git a/cluster/addons/dashboard/dashboard-configmap.yaml b/cluster/addons/dashboard/dashboard-configmap.yaml deleted file mode 100644 index 8aa6ac47db0..00000000000 --- a/cluster/addons/dashboard/dashboard-configmap.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - k8s-app: kubernetes-dashboard - # Allows editing resource and makes sure it is created first. - addonmanager.kubernetes.io/mode: EnsureExists - name: kubernetes-dashboard-settings - namespace: kube-system diff --git a/cluster/addons/dashboard/dashboard-deployment.yaml b/cluster/addons/dashboard/dashboard-deployment.yaml deleted file mode 100644 index c61fe8b595a..00000000000 --- a/cluster/addons/dashboard/dashboard-deployment.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - k8s-app: kubernetes-dashboard - addonmanager.kubernetes.io/mode: Reconcile - name: kubernetes-dashboard - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kubernetes-dashboard - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - addonmanager.kubernetes.io/mode: Reconcile -spec: - selector: - matchLabels: - k8s-app: kubernetes-dashboard - template: - metadata: - labels: - k8s-app: kubernetes-dashboard - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' - spec: - priorityClassName: system-cluster-critical - containers: - - name: kubernetes-dashboard - image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 50m - memory: 100Mi - ports: - - containerPort: 8443 - protocol: TCP - args: - # PLATFORM-SPECIFIC ARGS HERE - - --auto-generate-certificates - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - - name: tmp-volume - mountPath: /tmp - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 - volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} - serviceAccountName: kubernetes-dashboard - nodeSelector: - "kubernetes.io/os": linux - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" diff --git a/cluster/addons/dashboard/dashboard-rbac.yaml b/cluster/addons/dashboard/dashboard-rbac.yaml deleted file mode 100644 index 3c222b21db1..00000000000 --- a/cluster/addons/dashboard/dashboard-rbac.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - addonmanager.kubernetes.io/mode: Reconcile - name: kubernetes-dashboard-minimal - namespace: kube-system -rules: - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. -- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - addonmanager.kubernetes.io/mode: Reconcile -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubernetes-dashboard-minimal -subjects: -- kind: ServiceAccount - name: kubernetes-dashboard - namespace: kube-system diff --git a/cluster/addons/dashboard/dashboard-secret.yaml b/cluster/addons/dashboard/dashboard-secret.yaml deleted file mode 100644 index a79b6a7ce34..00000000000 --- a/cluster/addons/dashboard/dashboard-secret.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - # Allows editing resource and makes sure it is created first. - addonmanager.kubernetes.io/mode: EnsureExists - name: kubernetes-dashboard-certs - namespace: kube-system -type: Opaque ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - # Allows editing resource and makes sure it is created first. - addonmanager.kubernetes.io/mode: EnsureExists - name: kubernetes-dashboard-key-holder - namespace: kube-system -type: Opaque diff --git a/cluster/addons/dashboard/dashboard-service.yaml b/cluster/addons/dashboard/dashboard-service.yaml deleted file mode 100644 index ae65ec232b3..00000000000 --- a/cluster/addons/dashboard/dashboard-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kubernetes-dashboard - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -spec: - selector: - k8s-app: kubernetes-dashboard - ports: - - port: 443 - targetPort: 8443 diff --git a/cluster/addons/dashboard/dashboard.yaml b/cluster/addons/dashboard/dashboard.yaml new file mode 100644 index 00000000000..ca92e6bd689 --- /dev/null +++ b/cluster/addons/dashboard/dashboard.yaml 
@@ -0,0 +1,296 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: EnsureExists + name: kubernetes-dashboard-certs + namespace: kubernetes-dashboard +type: Opaque + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: EnsureExists + name: kubernetes-dashboard-csrf + namespace: kubernetes-dashboard +type: Opaque +data: + csrf: "" + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: EnsureExists + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: EnsureExists + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard + +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard + namespace: kubernetes-dashboard +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", 
"kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard +rules: + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard + labels: + k8s-app: kubernetes-dashboard + addonmanager.kubernetes.io/mode: Reconcile +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + 
- name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.0.1 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + k8s-app: dashboard-metrics-scraper + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' + spec: + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.4 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index 3bff6d3cd6a..5c0dfceb0c7 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh @@ -802,7 +802,7 @@ function start_kubelet { if [ "${FAIL_SWAP_ON}" == "false" ]; then echo "WARNING : The kubelet is configured to not fail even if swap is enabled; production deployments should disable swap." fi - + if [[ "${REUSE_CERTS}" != true ]]; then # clear previous dynamic certs sudo rm -fr "/var/lib/kubelet/pki" "${CERT_DIR}/kubelet-rotated.kubeconfig" @@ -907,11 +907,7 @@ function start_kubedashboard { if [[ "${ENABLE_CLUSTER_DASHBOARD}" = true ]]; then echo "Creating kubernetes-dashboard" # use kubectl to create the dashboard - ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-secret.yaml" - ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-configmap.yaml" - ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-rbac.yaml" - ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-deployment.yaml" - ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-service.yaml" + ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard.yaml" echo "kubernetes-dashboard deployment and service successfully deployed." fi }
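Review bot: The `kubernetes-dashboard` Deployment's pod template carries no seccomp annotation, although the removed dashboard-deployment.yaml set `seccomp.security.alpha.kubernetes.io/pod: 'docker/default'` and the `dashboard-metrics-scraper` template in this same file sets `'runtime/default'`; I would add `annotations:` with `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'` under the dashboard template's `metadata`. The resource requests/limits and `priorityClassName: system-cluster-critical` from the old manifest are dropped as well, so the pod now has no CPU or memory bound and runs at default priority; if that is deliberate, it deserves a line in the commit message. Both Deployments and the scraper Service also lack the `addonmanager.kubernetes.io/mode` label that every other object in the file carries, which presumably changes how the addon manager treats them. Separately, the scraper runs with `serviceAccountName: kubernetes-dashboard` and so inherits get/update/delete on the three dashboard Secrets; a dedicated ServiceAccount bound only to the `metrics.k8s.io` ClusterRole would be the least-privilege choice, assuming the scraper needs nothing else.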
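Review bot: The "successfully deployed" message after the single `apply` is printed whatever kubectl returns, and with the Namespace, RBAC objects, Secrets and both Deployments now in one file, a partial failure is easier to miss. Unless errexit is in effect outside this hunk, guard the call, for example by appending `|| return 1` to the `${KUBECTL} ... apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard.yaml"` line so the message prints only on success. start_kubedashboard begins outside the hunk, so any error handling set up earlier in the function is not visible here.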