mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-31 22:01:06 +00:00
3d620192d9
Metrics-server's usage of privileged port 443 as targetPort requires elevated permissions than necessary and violates principle of least privilege.
130 lines
3.6 KiB
YAML
130 lines
3.6 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: metrics-server
|
|
namespace: kube-system
|
|
labels:
|
|
kubernetes.io/cluster-service: "true"
|
|
addonmanager.kubernetes.io/mode: Reconcile
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: metrics-server-config
|
|
namespace: kube-system
|
|
labels:
|
|
kubernetes.io/cluster-service: "true"
|
|
addonmanager.kubernetes.io/mode: EnsureExists
|
|
data:
|
|
NannyConfiguration: |-
|
|
apiVersion: nannyconfig/v1alpha1
|
|
kind: NannyConfiguration
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: metrics-server-v0.5.1
|
|
namespace: kube-system
|
|
labels:
|
|
k8s-app: metrics-server
|
|
addonmanager.kubernetes.io/mode: Reconcile
|
|
version: v0.5.1
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: metrics-server
|
|
version: v0.5.1
|
|
template:
|
|
metadata:
|
|
name: metrics-server
|
|
labels:
|
|
k8s-app: metrics-server
|
|
version: v0.5.1
|
|
spec:
|
|
securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
priorityClassName: system-cluster-critical
|
|
serviceAccountName: metrics-server
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
containers:
|
|
- name: metrics-server
|
|
image: k8s.gcr.io/metrics-server/metrics-server:v0.5.1
|
|
command:
|
|
- /metrics-server
|
|
- --metric-resolution=30s
|
|
- --kubelet-use-node-status-port
|
|
- --kubelet-insecure-tls
|
|
- --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
|
|
- --cert-dir=/tmp
|
|
- --secure-port=10250
|
|
ports:
|
|
- containerPort: 10250
|
|
name: https
|
|
protocol: TCP
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: https
|
|
scheme: HTTPS
|
|
periodSeconds: 10
|
|
failureThreshold: 3
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /livez
|
|
port: https
|
|
scheme: HTTPS
|
|
periodSeconds: 10
|
|
failureThreshold: 3
|
|
volumeMounts:
|
|
- mountPath: /tmp
|
|
name: tmp-dir
|
|
- name: metrics-server-nanny
|
|
image: k8s.gcr.io/autoscaling/addon-resizer:1.8.14
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 300Mi
|
|
requests:
|
|
cpu: 5m
|
|
memory: 50Mi
|
|
env:
|
|
- name: MY_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: MY_POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
volumeMounts:
|
|
- name: metrics-server-config-volume
|
|
mountPath: /etc/config
|
|
command:
|
|
- /pod_nanny
|
|
- --config-dir=/etc/config
|
|
- --cpu={{ base_metrics_server_cpu }}
|
|
- --extra-cpu=0.5m
|
|
- --memory={{ base_metrics_server_memory }}
|
|
- --extra-memory={{ metrics_server_memory_per_node }}Mi
|
|
- --threshold=5
|
|
- --deployment=metrics-server-v0.5.1
|
|
- --container=metrics-server
|
|
- --poll-period=30000
|
|
- --estimator=exponential
|
|
# Specifies the smallest cluster (defined in number of nodes)
|
|
# resources will be scaled to.
|
|
- --minClusterSize={{ metrics_server_min_cluster_size }}
|
|
# Use kube-apiserver metrics to avoid periodically listing nodes.
|
|
- --use-metrics=true
|
|
volumes:
|
|
- name: metrics-server-config-volume
|
|
configMap:
|
|
name: metrics-server-config
|
|
- emptyDir: {}
|
|
name: tmp-dir
|
|
tolerations:
|
|
- key: "CriticalAddonsOnly"
|
|
operator: "Exists"
|