Add metrics-server addon
Related story: https://mirantis.jira.com/browse/PROD-24599
Change-Id: I10d40567d692af226d688e38b86fdd893f5a7339
diff --git a/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml b/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml
new file mode 100644
index 0000000..873cd0d
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: system:aggregated-metrics-reader
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
diff --git a/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml b/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml
new file mode 100644
index 0000000..6f9cc97
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-server:system:auth-delegator
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
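Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on this ClusterRoleBinding is inconsistent with aggregated-metrics-reader.yaml and resource-reader.yaml in the same commit, which use `rbac.authorization.k8s.io/v1`; the RoleBinding in auth-reader.yaml has the same issue. The beta RBAC group is deprecated in favour of v1 and the schema for these objects is the same, so both files can use `apiVersion: rbac.authorization.k8s.io/v1`. Separately, binding `system:auth-delegator` lets the metrics-server service account create TokenReviews and SubjectAccessReviews cluster-wide. A one-line comment above `roleRef` saying this is required for delegated authentication of aggregated API requests would help whoever audits these bindings later.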
diff --git a/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml b/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml
new file mode 100644
index 0000000..59d6904
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: metrics-server-auth-reader
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml
new file mode 100644
index 0000000..ed73207
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
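Review bot: `insecureSkipTLSVerify: true` means the API aggregator does not verify the serving certificate of the `metrics-server` service, so the apiserver cannot tell the real backend from anything else answering on that service address. Those responses feed `kubectl top` and, where used, autoscaling decisions. The stricter form is to give metrics-server a certificate signed by a known CA (`--tls-cert-file` / `--tls-private-key-file`) and replace this line with `caBundle: <base64 CA certificate>` (placeholder). If that is out of scope for this change, a comment such as `# TODO: replace with caBundle once metrics-server has a CA-signed serving cert` next to the flag would at least record that it is temporary, as the deployment already does for `--kubelet-insecure-tls`.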
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml
new file mode 100644
index 0000000..0729e0a
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml
@@ -0,0 +1,51 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ k8s-app: metrics-server
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ template:
+ metadata:
+ name: metrics-server
+ labels:
+ k8s-app: metrics-server
+ spec:
+ serviceAccountName: metrics-server
+ volumes:
+ # mount in tmp so we can safely use from-scratch images and/or read-only containers
+ - name: tmp-dir
+ emptyDir: {}
+ - name: hosts-file
+ hostPath:
+ path: /etc/hosts
+ type: File
+ containers:
+ - name: metrics-server
+ command:
+ - /metrics-server
+ # TODO: remove it when cert rotating is enabled in kubelet
+ - --kubelet-insecure-tls
+ image: {{ common.addons.get('metrics-server', {}).get('controller_image', 'k8s.gcr.io/metrics-server-amd64:v0.3.1') }}
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+ - name: hosts-file
+ mountPath: /etc/hosts
+
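Review bot: The `hosts-file` volume mounts the node's `/etc/hosts` from a hostPath without `readOnly: true`, so a process in the container that runs as root (nothing here prevents that) can rewrite name resolution on the node. Add `readOnly: true` under the `hosts-file` entry in `volumeMounts`. The comment on `tmp-dir` mentions read-only containers, but no `securityContext` is set, so the root filesystem is still writable; `securityContext: {readOnlyRootFilesystem: true}` on the container would make that comment true. `--kubelet-insecure-tls` turns off verification of kubelet serving certificates when scraping node stats, and the TODO would be easier to act on if it named the tracking story.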
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml
new file mode 100644
index 0000000..afe4b88
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ selector:
+ k8s-app: metrics-server
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
diff --git a/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml b/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml
new file mode 100644
index 0000000..22dff82
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "extensions"
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-server
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
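Review bot: The second rule in the `system:metrics-server` ClusterRole grants cluster-wide `get`/`list`/`watch` on `deployments` in the `extensions` group, which the metrics-server command in this commit does not obviously need. It scrapes kubelets and reads pods, nodes and namespaces. If the rule exists only for a resizer sidecar that is not deployed here, I would drop it to keep the role to the minimum. Otherwise add a comment above it, e.g. `# required by <component> to read its own Deployment` (placeholder), so the grant is justified in place.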
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 2d5dc1b..33140e0 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -375,6 +375,29 @@
- makedirs: True
{% endif %}
+{%- if common.addons.get('metrics-server', {}).get('enabled', False) %}
+
+{%- set metrics_server_resources = ['aggregated-metrics-reader.yaml','auth-delegator.yaml','auth-reader.yaml','metrics-apiservice.yaml','metrics-server-deployment.yaml','metrics-server-service.yaml','resource-reader.yaml'] %}
+
+{%- for resource in metrics_server_resources %}
+
+/etc/kubernetes/addons/metrics-server/{{ resource }}:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/metrics-server/{{ resource }}
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+
+{%- endfor %}
+
+{%- else %}
+
+/etc/kubernetes/addons/metrics-server:
+ file.absent
+
+{% endif %}
+
{% endif %}
{%- if common.addons.get('fluentd', {}).get('enabled') %}
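Review bot: The new `file.managed` state sets `group` and `dir_mode` but neither `user` nor `mode`, so ownership and permissions of the rendered manifests are left to defaults. These files carry `addonmanager.kubernetes.io/mode: Reconcile` and are presumably applied to the cluster by the addon manager, so write access to them is in effect write access to kube-system RBAC and workloads. I would pin `- user: root` and `- mode: '0644'` explicitly. The enclosing `{% if %}` opens outside this hunk, so I cannot tell whether the other addon states in this file follow a different convention.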
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index 95e9c77..db01ea4 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -123,6 +123,9 @@
image: mirantis/virtlet:v1.0.3
criproxy_version: v0.10.0
criproxy_source: md5=52717b1f70f15558ef4bdb0e4d4948da
+ metrics-server:
+ enabled: False
+ controller_image: k8s.gcr.io/metrics-server-amd64:v0.3.1
cni:
plugins:
source: https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz
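Review bot: `controller_image` defaults to a tag, and the deployment added in this commit sets `imagePullPolicy: Always`, so every pod start re-resolves `v0.3.1` from the registry and runs whatever the tag points to at that moment. Pinning the default by digest, e.g. `controller_image: k8s.gcr.io/metrics-server-amd64@sha256:<digest-of-v0.3.1>` (placeholder), makes the deployed binary reproducible, in the same spirit as the checksum on `criproxy_source` just above. As a style point, `enabled: False` is better written as `enabled: false`. The surrounding mapping starts and ends outside the hunk.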