Merge "Explicitly specify node-ip for kubelet"
diff --git a/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml b/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml
new file mode 100644
index 0000000..873cd0d
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/aggregated-metrics-reader.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: system:aggregated-metrics-reader
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
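Review bot: This is the only one of the seven new manifests that does not start with a `---` document marker; auth-delegator.yaml, auth-reader.yaml and the others all do, and kube-addon-manager reads the files as multi-document YAML, so add `---` as the first line for consistency with the rest of the directory. The three `aggregate-to-*` labels are correctly quoted as strings, which is what the RBAC aggregation controller matches on.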
diff --git a/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml b/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml
new file mode 100644
index 0000000..6f9cc97
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/auth-delegator.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-server:system:auth-delegator
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
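Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` is used for this ClusterRoleBinding and for the RoleBinding in auth-reader.yaml, while aggregated-metrics-reader.yaml and resource-reader.yaml in the same commit use `rbac.authorization.k8s.io/v1`. The v1 RBAC API has been stable since Kubernetes 1.8 and v1beta1 is deprecated (removed in 1.22), so changing both files to `apiVersion: rbac.authorization.k8s.io/v1` keeps the addon consistent and avoids a future breakage; the object bodies are identical between the two versions.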
diff --git a/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml b/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml
new file mode 100644
index 0000000..59d6904
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/auth-reader.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: metrics-server-auth-reader
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml
new file mode 100644
index 0000000..ed73207
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-apiservice.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
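Review bot: `insecureSkipTLSVerify: true` tells kube-apiserver to accept any serving certificate when it proxies `metrics.k8s.io` requests to the `metrics-server` Service, so the aggregation path does not authenticate the backend; anything on the cluster network that can answer for that Service IP can then supply metrics to the API server and to consumers such as the HPA. The upstream addon manifest this appears to be copied from ships the same setting, but the supported configuration is to serve metrics-server with a certificate issued by a CA the formula already manages and to set `caBundle: <base64-encoded CA, placeholder>` together with `insecureSkipTLSVerify: false`. If that is deferred, record it next to the setting, e.g. `# TODO: replace with caBundle once metrics-server serves a CA-signed certificate`, so the gap is not forgotten. `apiregistration.k8s.io/v1` has the same shape and has been available since Kubernetes 1.10, so it could replace v1beta1 at the same time.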
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml
new file mode 100644
index 0000000..0729e0a
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-server-deployment.yaml
@@ -0,0 +1,51 @@
+{%- from "kubernetes/map.jinja" import common with context -%}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ k8s-app: metrics-server
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ template:
+ metadata:
+ name: metrics-server
+ labels:
+ k8s-app: metrics-server
+ spec:
+ serviceAccountName: metrics-server
+ volumes:
+ # mount in tmp so we can safely use from-scratch images and/or read-only containers
+ - name: tmp-dir
+ emptyDir: {}
+ - name: hosts-file
+ hostPath:
+ path: /etc/hosts
+ type: File
+ containers:
+ - name: metrics-server
+ command:
+ - /metrics-server
+ # TODO: remove it when cert rotating is enabled in kubelet
+ - --kubelet-insecure-tls
+ image: {{ common.addons.get('metrics-server', {}).get('controller_image', 'k8s.gcr.io/metrics-server-amd64:v0.3.1') }}
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+ - name: hosts-file
+ mountPath: /etc/hosts
+
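Review bot: The `hosts-file` volumeMount at the end of the hunk binds the node's `/etc/hosts` into the container read-write although nothing here needs to write it; add `readOnly: true` under `mountPath: /etc/hosts` so a compromised metrics-server process cannot alter name resolution on the node. The comment on the `tmp-dir` volume says the manifest is meant to work with read-only containers, but the container carries no `securityContext`; setting `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` on the container would make that true rather than aspirational. `extensions/v1beta1` Deployment is deprecated and was removed in Kubernetes 1.16; `apps/v1` accepts the same `selector`/`template` if the versions this formula targets support it. The final `+` line adds a trailing blank line to the file, which yamllint flags.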
diff --git a/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml b/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml
new file mode 100644
index 0000000..afe4b88
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/metrics-server-service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ selector:
+ k8s-app: metrics-server
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
diff --git a/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml b/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml
new file mode 100644
index 0000000..22dff82
--- /dev/null
+++ b/kubernetes/files/kube-addons/metrics-server/resource-reader.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "extensions"
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-server
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
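Review bot: The second rule grants `get`/`list`/`watch` on `deployments` in the `extensions` group, but nothing in this commit's Deployment appears to use it: the upstream addon carries that rule for the addon-resizer ("nanny") sidecar, which this deployment does not run, so unless the metrics-server binary itself needs it the rule can be dropped to keep `system:metrics-server` at the minimum the first rule already covers (pods, nodes, nodes/stats, namespaces). If it is kept deliberately, a comment such as `# needed only when the addon-resizer sidecar is enabled` above the rule would explain the grant to the next reviewer.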
diff --git a/kubernetes/map.jinja b/kubernetes/map.jinja
index 5d1f39f..615404c 100644
--- a/kubernetes/map.jinja
+++ b/kubernetes/map.jinja
@@ -38,6 +38,14 @@
'extra': 'X-Remote-Extra-',
},
},
+ 'proxy': {
+ 'enabled': true,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
'anonymous': {
'enabled': false,
},
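Review bot: Defaulting `proxy.enabled` to `true` here, and again in the second hunk of this file, flips a default that controller.sls previously guarded with `default(False)`: every master will now be rendered with the `--requestheader-*` and `--proxy-client-*` flags, and kube-apiserver presumably refuses to start when `/etc/kubernetes/ssl/kube-aggregator-proxy-client.crt`/`.key` are absent from their default paths. If the intent is only to support the new metrics-server addon, gating the default on that addon being enabled, or keeping `'enabled': false` and documenting that the aggregator client certificate must be issued before turning it on, avoids breaking existing deployments on upgrade. A short comment above the block, e.g. `# front-proxy (aggregation layer) auth; requires the kube-aggregator-proxy-client certificate`, would also make the purpose of the duplicated stanza clear.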
@@ -66,6 +74,14 @@
'extra': 'X-Remote-Extra-',
},
},
+ 'proxy': {
+ 'enabled': true,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
'anonymous': {
'enabled': false,
},
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index 54bcf34..9d92467 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -154,10 +154,13 @@
--client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
{%- endif %}
{%- if master.auth.get('proxy', {}).enabled|default(False) %}
+ --requestheader-allowed-names=system:kube-controller-manager
--requestheader-username-headers={{ master.auth.proxy.header.user }}
--requestheader-group-headers={{ master.auth.proxy.header.group }}
--requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
--requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ --proxy-client-cert-file={{ master.auth.proxy.client_cert|default("/etc/kubernetes/ssl/kube-aggregator-proxy-client.crt") }}
+ --proxy-client-key-file={{ master.auth.proxy.client_key|default("/etc/kubernetes/ssl/kube-aggregator-proxy-client.key") }}
{%- endif %}
--anonymous-auth={{ master.auth.get('anonymous', {}).enabled|default(False) }}
--etcd-quorum-read=true
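Review bot: `--requestheader-allowed-names=system:kube-controller-manager` has to match the CN of the certificate passed to `--proxy-client-cert-file` (`kube-aggregator-proxy-client.crt` by default): extension apiservers such as metrics-server read this list from the `extension-apiserver-authentication` ConfigMap (which is why the commit adds the auth-reader RoleBinding) and only honour the `X-Remote-*` identity headers when the presenting certificate's CN is in it, so unless that certificate is issued with CN `system:kube-controller-manager` aggregated requests will be treated as anonymous. How the certificate is generated is not visible from this hunk, so at minimum make the value configurable alongside the cert path, e.g. `--requestheader-allowed-names={{ master.auth.proxy.get('allowed_names', 'system:kube-controller-manager') }}`. Because `--requestheader-client-ca-file` still defaults to the cluster CA, any certificate that CA issues with a listed CN may assert identity headers, so that CN should be reserved for the aggregator client and not shared with the controller-manager's own credential.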
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 2d5dc1b..33140e0 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -375,6 +375,29 @@
- makedirs: True
{% endif %}
+{%- if common.addons.get('metrics-server', {}).get('enabled', False) %}
+
+{%- set metrics_server_resources = ['aggregated-metrics-reader.yaml','auth-delegator.yaml','auth-reader.yaml','metrics-apiservice.yaml','metrics-server-deployment.yaml','metrics-server-service.yaml','resource-reader.yaml'] %}
+
+{%- for resource in metrics_server_resources %}
+
+/etc/kubernetes/addons/metrics-server/{{ resource }}:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/metrics-server/{{ resource }}
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+
+{%- endfor %}
+
+{%- else %}
+
+/etc/kubernetes/addons/metrics-server:
+ file.absent
+
+{% endif %}
+
{% endif %}
{%- if common.addons.get('fluentd', {}).get('enabled') %}
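Review bot: The `file.managed` stanza inside the loop sets `group: root` and `dir_mode: 755` but neither `user` nor `mode`, so the rendered manifests get the minion's default owner and file permission rather than an explicit one; adding `- user: root` and `- mode: 644` pins both (the neighbouring addon stanzas are outside the hunk, so match whatever they use). The `template: jinja` setting is applied to all seven files although only metrics-server-deployment.yaml contains Jinja; that is harmless today but means any `{{`/`{%` that appears in the plain manifests later will be interpreted, which is worth a comment such as `# all files are rendered with Jinja so the deployment can read common.addons`.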
diff --git a/kubernetes/meta/fluentd.yml b/kubernetes/meta/fluentd.yml
index 3a38245..623fcea 100644
--- a/kubernetes/meta/fluentd.yml
+++ b/kubernetes/meta/fluentd.yml
@@ -16,6 +16,7 @@
deb: ['td-agent-additional-plugins']
config:
label:
+ {%- if pillar.docker is defined %}
docker:
filter:
add_drop_tag:
@@ -25,6 +26,7 @@
record:
- name: drop_event
value: ${ record.fetch('attrs', {}).fetch('io.kubernetes.pod.name', '') }
+ {%- endif %}
kubernetes:
input:
container:
diff --git a/kubernetes/meta/prometheus.yml b/kubernetes/meta/prometheus.yml
index 6a19156..4b52d61 100644
--- a/kubernetes/meta/prometheus.yml
+++ b/kubernetes/meta/prometheus.yml
@@ -21,7 +21,9 @@
{%- set calico_address = network.calico.prometheus.get('address', master.address) %}
{%- endif %}
{%- endif %}
-
+{%- if master.get('enabled', False) %}
+ {%- set api_server_endpoint = master.get('apiserver', {}).get('address') + ':' + master.get('apiserver', {}).get('secure_port')|string %}
+{%- endif %}
server:
target:
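Review bot: The `api_server_endpoint` expression at the top of the hunk concatenates `master.get('apiserver', {}).get('address')` with no fallback, so a master pillar with `enabled: True` but no `apiserver.address` yields `None + ':'` and aborts rendering of the whole metadata file rather than simply omitting the key; the same applies to `secure_port` (`|string` binds tighter than `+`, so the port side is fine only when it is present). Either guard the `set` with the values you need, e.g. `{%- if master.get('enabled', False) and master.get('apiserver', {}).get('address') and master.get('apiserver', {}).get('secure_port') %}`, or use Jinja's `~` operator, which stringifies both operands and makes the trailing `|string` unnecessary. `master.address` is already used as a fallback for the calico address a few lines above, so it may be the right default here too, if that is what the endpoint is expected to be.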
@@ -30,6 +32,9 @@
api_ip: {{ apiServerPoint }}
cert_name: prometheus-server.crt
key_name: prometheus-server.key
+ {%- if api_server_endpoint is defined %}
+ api_server_endpoint: {{ api_server_endpoint }}
+ {%- endif %}
{%- if calico_address is defined %}
static:
calico:
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index aabc8a4..09e5adb 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -126,6 +126,9 @@
image: mirantis/virtlet:v1.0.3
criproxy_version: v0.10.0
criproxy_source: md5=52717b1f70f15558ef4bdb0e4d4948da
+ metrics-server:
+ enabled: False
+ controller_image: k8s.gcr.io/metrics-server-amd64:v0.3.1
cni:
plugins:
source: https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz