# Top level cluster configuration.
local kube = import "../../kube/kube.libsonnet";
// Cluster(fqdn) builds the cluster-scoped RBAC objects that let the API
// server talk to kubelets. `fqdn` is used below as the name of the User
// subject that receives the role.
// NOTE(review): closing braces/brackets and some keys and values are missing
// from this listing; confirm every hedged note below against the original file.
local Cluster(fqdn) = {
// Alias for the outer object; not referenced in the lines visible here.
local cluster = self,
// These are required to let the API Server contact kubelets.
crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
metadata+: {
annotations+: {
// NOTE(review): the annotation key is empty in this listing. The upstream
// Kubernetes default roles use "rbac.authorization.kubernetes.io/autoupdate"
// in this position; presumably the key was lost, confirm.
"": "true",
labels+: {
// NOTE(review): the label key is empty as well. Upstream uses
// "kubernetes.io/bootstrapping" for the value "rbac-defaults"; confirm.
"": "rbac-defaults",
rules: [
// Core API group (empty string).
apiGroups: [""],
// Expands to nodes/proxy, nodes/stats, nodes/log, nodes/spec and
// nodes/metrics. The kubelet authorizes requests to its own API against
// these node subresources, and nodes/proxy covers every kubelet endpoint
// not mapped to one of the other four.
resources: ["nodes/%s" % r for r in [ "proxy", "stats", "log", "spec", "metrics" ]],
// Wildcard: every verb on the subresources above. A ClusterRole is not
// namespaced, so once bound this applies to all nodes in the cluster.
verbs: ["*"],
// Binds a role to the API server's own identity.
// NOTE(review): the field is spelled "crbAPISerber"; it is a key of the
// generated object, so renaming it changes that key. Fix it together with
// any references to it.
crbAPISerber: kube.ClusterRoleBinding("system:kube-apiserver") {
roleRef: {
apiGroup: "",
kind: "ClusterRole",
// NOTE(review): no `name` is visible in roleRef here. A binding needs one,
// presumably the ClusterRole defined above; confirm in the original.
subjects: [
apiGroup: "",
kind: "User",
// The API server of a cluster authenticates with a client certificate whose
// CN equals the cluster's FQDN. The subject is matched by user name only, so
// any client that can authenticate as this name receives the kubelet access
// granted above. Issuance of certificates with this CN should be limited to
// the API server itself.
name: fqdn,
// Instantiates the cluster configuration under the key `k0`.
// NOTE(review): the FQDN argument is an empty string in this listing, which
// would make the binding's User subject name empty. Presumably the value was
// stripped from the page; confirm against the original file.
k0: Cluster(""),