Update k8s dashboard to v1.8.3 + RBAC
Most recent original template for kubernetes dashboard:
https://github.com/kubernetes/dashboard/blob/ec1d7de4456e6a397c7f931f0a2bfc74a6ca2e9c/src/deploy/recommended/kubernetes-dashboard.yaml
Change-Id: I6cfcd41adb934d41e692c84ba083c7064224f96e
diff --git a/README.rst b/README.rst
index 3795e8f..22df406 100644
--- a/README.rst
+++ b/README.rst
@@ -447,7 +447,8 @@
kubernetes:
common:
addons:
- public_ip: 1.1.1.1
+ dashboard:
+ public_ip: 1.1.1.1
Kubernetes control plane running in systemd
-------------------------------------------
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-address.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-address.yaml
deleted file mode 100644
index 763b98f..0000000
--- a/kubernetes/files/kube-addons/dashboard/dashboard-address.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context -%}
-apiVersion: v1
-kind: Service
-metadata:
- name: kubernetes-dashboard-address
- namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- selector:
- k8s-app: kubernetes-dashboard
- deprecatedPublicIPs: ["{{ common.addons.dashboard.public_ip }}"]
- type: LoadBalancer
- ports:
- - port: 80
- targetPort: 9090
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-controller.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-controller.yaml
deleted file mode 100644
index c4b22ee..0000000
--- a/kubernetes/files/kube-addons/dashboard/dashboard-controller.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context -%}
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: kubernetes-dashboard
- namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- selector:
- matchLabels:
- k8s-app: kubernetes-dashboard
- template:
- metadata:
- labels:
- k8s-app: kubernetes-dashboard
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ''
- scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
-{%- if common.addons.dashboard.cni is defined %}
- cni: {{ common.addons.dashboard.cni }}
-{%- endif %}
- spec:
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- containers:
- - name: kubernetes-dashboard
- image: {{ common.addons.dashboard.get('image', 'gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1') }}
- resources:
- # keep request = limit to keep this container in guaranteed class
- limits:
- cpu: 100m
- memory: 50Mi
- requests:
- cpu: 100m
- memory: 50Mi
- ports:
- - containerPort: 9090
- livenessProbe:
- httpGet:
- path: /
- port: 9090
- initialDelaySeconds: 30
- timeoutSeconds: 30
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-deployment.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-deployment.yaml
new file mode 100644
index 0000000..1a4167b
--- /dev/null
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-deployment.yaml
@@ -0,0 +1,56 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+kind: Deployment
+apiVersion: apps/v1beta2
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: {{ common.addons.dashboard.get('image', 'k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3') }}
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --auto-generate-certificates
+ # Uncomment the following line to manually specify Kubernetes API server Host
+ # If not specified, Dashboard will attempt to auto discover the API server and connect
+ # to it. Uncomment only if the default does not work.
+ # - --apiserver-host=http://my-address:port
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /
+ port: 8443
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ volumes:
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: kubernetes-dashboard-certs
+ - name: tmp-volume
+ emptyDir: {}
+ serviceAccountName: kubernetes-dashboard
+ # Comment the following tolerations if Dashboard must not be deployed on master
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-endpoint.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-endpoint.yaml
deleted file mode 100644
index 6e971b2..0000000
--- a/kubernetes/files/kube-addons/dashboard/dashboard-endpoint.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{%- from "kubernetes/map.jinja" import common with context -%}
-apiVersion: v1
-kind: Endpoints
-metadata:
- name: kubernetes-dashboard
- namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-subsets:
- - addresses:
- - ip: {{ common.addons.dashboard.public_ip }}
-
- ports:
- - port: 9090
- protocol: TCP
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-role.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-role.yaml
new file mode 100644
index 0000000..a6742ec
--- /dev/null
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-role.yaml
@@ -0,0 +1,35 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+rules:
+ # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+ # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create"]
+ # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster"]
+ verbs: ["proxy"]
+- apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+ verbs: ["get"]
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-rolebinding.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-rolebinding.yaml
new file mode 100644
index 0000000..18f9479
--- /dev/null
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kube-system
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-secret.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-secret.yaml
new file mode 100644
index 0000000..357cb29
--- /dev/null
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-certs
+ namespace: kube-system
+type: Opaque
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-service.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-service.yaml
index 3a5189f..52c11be 100644
--- a/kubernetes/files/kube-addons/dashboard/dashboard-service.yaml
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-service.yaml
@@ -3,18 +3,18 @@
apiVersion: v1
kind: Service
metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
- labels:
- k8s-app: kubernetes-dashboard
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
spec:
+ ports:
+ - port: {{ common.addons.dashboard.get('target_port', '443') }}
+ targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
-{%- if (common.addons.dashboard.cni is defined and common.addons.dashboard.cni != 'opencontrail') or master.network.get('opencontrail', {}).get('enabled', False) %}
- type: NodePort
+{%- if master.network.get('opencontrail', {}).get('enabled', False) %}
+ externalIPs: ["{{ common.addons.dashboard.public_ip }}"]
+ type: LoadBalancer
{%- endif %}
- ports:
- - port: 80
- targetPort: 9090
diff --git a/kubernetes/files/kube-addons/dashboard/dashboard-serviceaccount.yaml b/kubernetes/files/kube-addons/dashboard/dashboard-serviceaccount.yaml
new file mode 100644
index 0000000..09670c9
--- /dev/null
+++ b/kubernetes/files/kube-addons/dashboard/dashboard-serviceaccount.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index e25979e..a286266 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -323,21 +323,25 @@
{%- if common.addons.get('dashboard', {'enabled': False}).enabled %}
-/etc/kubernetes/addons/dashboard/dashboard-service.yaml:
+{%- set dashboard_resources = ['deployment', 'secret', 'service', 'serviceaccount'] %}
+
+{%- if 'RBAC' in master.auth.get('mode', "") %}
+
+{%- set dashboard_resources = dashboard_resources + ['role', 'rolebinding'] %}
+
+{%- endif %}
+
+{%- for resource in dashboard_resources %}
+
+/etc/kubernetes/addons/dashboard/dashboard-{{ resource }}.yaml:
file.managed:
- - source: salt://kubernetes/files/kube-addons/dashboard/dashboard-service.yaml
+ - source: salt://kubernetes/files/kube-addons/dashboard/dashboard-{{ resource }}.yaml
- template: jinja
- group: root
- dir_mode: 755
- makedirs: True
-/etc/kubernetes/addons/dashboard/dashboard-controller.yaml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/dashboard/dashboard-controller.yaml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
+{%- endfor %}
{% endif %}