| # Top-level cluster configuration: one entry per cluster, keyed by short name. |
| |
| local kube = import "../../kube/kube.libsonnet"; |
| local coredns = import "lib/coredns.libsonnet"; |
| local metrics = import "lib/metrics.libsonnet"; |
| local calico = import "lib/calico.libsonnet"; |
| |
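| local Cluster(fqdn) = { |
|   local cluster = self, |
|  |
|   // RBAC that lets the API server reach the kubelet API on every node |
|   // (the nodes/* subresources it proxies: logs, exec, stats, ...). |
|   // |
|   // Blast radius: nodes/proxy with verb "*" is effectively unrestricted |
|   // kubelet access cluster-wide, so only the API server identity may be |
|   // bound to this role (see crbAPIServer below). |
|   crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") { |
|     metadata+: { |
|       annotations+: { |
|         // Presumably only relevant to roles the apiserver reconciles itself; |
|         // kept for parity with the upstream bootstrap roles. |
|         "rbac.authorization.kubernetes.io/autoupdate": "true", |
|       }, |
|       labels+: { |
|         // Fixed: the key was misspelled "kubernets.io/bootstrapping", which |
|         // is not the well-known label and would not match label selectors. |
|         "kubernetes.io/bootstrapping": "rbac-defaults", |
|       }, |
|     }, |
|     rules: [ |
|       { |
|         apiGroups: [""], |
|         // One entry per kubelet subresource the API server proxies to. |
|         resources: ["nodes/%s" % r for r in ["proxy", "stats", "log", "spec", "metrics"]], |
|         // TODO(review): "*" is broader than strictly needed; narrow to the |
|         // verbs actually exercised once confirmed against the apiserver in use. |
|         verbs: ["*"], |
|       }, |
|     ], |
|   }, |
|   // Binds the role above to the API server's client-certificate identity. |
|   crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") { |
|     roleRef: { |
|       apiGroup: "rbac.authorization.k8s.io", |
|       kind: "ClusterRole", |
|       name: cluster.crAPIServerToKubelet.metadata.name, |
|     }, |
|     subjects: [ |
|       { |
|         apiGroup: "rbac.authorization.k8s.io", |
|         kind: "User", |
|         // The API server authenticates with a client certificate whose CN |
|         // equals the cluster FQDN. Any certificate issued by the cluster CA |
|         // with this CN therefore inherits full kubelet access -- issuance of |
|         // that CN must stay restricted to the API server. |
|         name: fqdn, |
|       }, |
|     ], |
|   }, |
|  |
|   // Calico network fabric |
|   calico: calico.Environment {}, |
|   // CoreDNS for this cluster. |
|   dns: coredns.Environment {}, |
|   // Metrics Server |
|   metrics: metrics.Environment {}, |
| }; |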
| |
| |
| // Clusters managed from this file, keyed by short name. The argument is |
| // the cluster FQDN, which is also the CN the API server presents in its |
| // client certificate. |
| { |
|   "k0": Cluster("k0.hswaw.net"), |
| } |