# Deploy a per-cluster Metrics Server setup.
# These are Kubernetes metrics, not Prometheus/whatever.

local kube = import "../../../kube/kube.libsonnet";

{
    # Environment bundles every object needed to run metrics-server in one
    # cluster: a ServiceAccount, its RBAC grants, the Deployment, the Service
    # in front of it, and the APIService that registers metrics.k8s.io with
    # the aggregation layer.
    Environment: {
        local env = self,
        local cfg = env.cfg,

        # API group shared by every roleRef below.
        local rbacGroup = "rbac.authorization.k8s.io",

        # Subject list shared by all three bindings: the metrics-server
        # ServiceAccount. Resolved through `env`, so an override of `sa` is
        # picked up by every binding.
        local saSubjects = [
            {
                kind: "ServiceAccount",
                name: env.sa.metadata.name,
                namespace: env.sa.metadata.namespace,
            },
        ],

        # Hidden (::) configuration, overridable by the importing cluster.
        cfg:: {
            # NOTE(review): the image is pinned by tag only. A digest pin
            # (image@sha256:...) would make the deployed content immutable.
            image: "k8s.gcr.io/metrics-server-amd64:v0.3.1",
            # NOTE(review): the RoleBinding to
            # extension-apiserver-authentication-reader below is created in
            # this namespace, and that built-in Role lives in kube-system, so
            # changing this value needs that binding revisited.
            namespace: "kube-system",
        },

        sa: kube.ServiceAccount("metrics-server") {
            metadata+: {
                namespace: cfg.namespace,
            },
        },

        # Cluster Role and Binding for the metrics server to allow reading node state.
        # The grant is read-only (get/list/watch) but cluster-wide, and it
        # covers pods as well as nodes and nodes/stats.
        crServer: kube.ClusterRole("system:metrics-server") {
            rules: [
                {
                    apiGroups: [""],
                    resources: ["pods", "nodes", "nodes/stats"],
                    verbs: ["get", "list", "watch"],
                },
            ],
        },
        crbServer: kube.ClusterRoleBinding("system:metrics-server") {
            subjects: saSubjects,
            roleRef: {
                apiGroup: rbacGroup,
                kind: "ClusterRole",
                name: env.crServer.metadata.name,
            },
        },

        # Let the metrics server act as an auth delegator.
        # system:auth-delegator is the built-in ClusterRole that lets an
        # extension API server delegate authentication and authorization
        # decisions to the main apiserver (TokenReview / SubjectAccessReview).
        crbAuthDelegator: kube.ClusterRoleBinding("metrics-server:system:auth-delegator") {
            subjects: saSubjects,
            roleRef: {
                apiGroup: rbacGroup,
                kind: "ClusterRole",
                name: "system:auth-delegator",
            },
        },

        # Let the metrics server access the apiserver extensions configmap.
        rbAPIExtensionsMap: kube.RoleBinding("metrics-server-auth-reader") {
            metadata+: {
                namespace: cfg.namespace,
            },
            subjects: saSubjects,
            roleRef: {
                apiGroup: rbacGroup,
                kind: "Role",
                name: "extension-apiserver-authentication-reader",
            },
        },

        deployment: kube.Deployment("metrics-server") {
            metadata+: {
                namespace: cfg.namespace,
                labels+: {
                    "k8s-app": "metrics-server",
                },
            },
            spec+: {
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        # Writable scratch space, mounted at /tmp in the container.
                        volumes_: {
                            tmp: {
                                emptyDir: {},
                            },
                        },
                        containers_: {
                            # NOTE(review): the map key says "coredns" while the
                            # container is built as "metrics-server"; this looks
                            # like a copy-paste leftover. How kube.libsonnet uses
                            # the key is not visible here, so confirm before
                            # renaming it.
                            coredns: kube.Container("metrics-server") {
                                image: cfg.image,
                                imagePullPolicy: "IfNotPresent",
                                # TODO(q3k): define resource limits
                                # NOTE(review): no securityContext is set here
                                # and the port is below 1024. Whether the process
                                # needs root or NET_BIND_SERVICE to bind it
                                # depends on the image, so confirm.
                                ports_: {
                                    https: {
                                        containerPort: 443,
                                        protocol: "TCP",
                                    },
                                },
                                volumeMounts_: {
                                    tmp: {
                                        mountPath: "/tmp",
                                    },
                                },
                            },
                        },
                    },
                },
            },
        },

        # Service in front of the deployment's pod template.
        svc: kube.Service("metrics-server") {
            metadata+: {
                namespace: cfg.namespace,
            },
            target_pod: env.deployment.spec.template,
        },

        # Registers metrics.k8s.io/v1beta1 with the apiserver aggregation layer
        # and points it at the Service above.
        # NOTE(review): apiregistration.k8s.io/v1beta1 is no longer served from
        # Kubernetes 1.22 onwards, so check it against the target cluster version.
        api: kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.metrics.k8s.io") {
            spec+: {
                group: "metrics.k8s.io",
                version: "v1beta1",
                groupPriorityMinimum: 100,
                versionPriority: 100,
                service: {
                    name: env.svc.metadata.name,
                    namespace: env.svc.metadata.namespace,
                },
                # NOTE(review): with this set, the apiserver does not verify the
                # metrics-server serving certificate when proxying requests to
                # it. The verified alternative is a `caBundle` for a serving
                # certificate that metrics-server actually presents, and no such
                # certificate is configured in this file.
                insecureSkipTLSVerify: true,
            },
        },
    },
}