# Top level cluster configuration.
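local kube = import "../../kube/kube.libsonnet";
local coredns = import "lib/coredns.libsonnet";

// Cluster builds the top-level objects for a single cluster.
//   fqdn: the cluster's FQDN. It is also used below as the RBAC User name of
//         the API server, so it has to equal the CN of the certificate the
//         API server presents.
local Cluster(fqdn) = {
    local cluster = self,

    // These are required to let the API Server contact kubelets.
    //
    // NOTE(security): the rule below grants every verb on the listed node
    // subresources. nodes/proxy in particular lets the holder reach the
    // kubelet API of every node through the API server, so this role should
    // only ever be bound to the API server identity (see crbAPIServer); any
    // additional binding to it deserves review.
    crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
        metadata+: {
            annotations+: {
                "rbac.authorization.kubernetes.io/autoupdate": "true",
            },
            labels+: {
                // Label key Kubernetes uses for its bootstrap RBAC defaults.
                // The key was previously misspelled "kubernets.io/...", which
                // label selectors on the real key would not have matched.
                "kubernetes.io/bootstrapping": "rbac-defaults",
            },
        },
        rules: [
            {
                apiGroups: [""],
                resources: ["nodes/%s" % r for r in ["proxy", "stats", "log", "spec", "metrics"]],
                verbs: ["*"],
            },
        ],
    },

    // Binds the role above to the API server's user.
    crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") {
        roleRef: {
            apiGroup: "rbac.authorization.k8s.io",
            kind: "ClusterRole",
            name: cluster.crAPIServerToKubelet.metadata.name,
        },
        subjects: [
            {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "User",
                // A cluster API Server authenticates with a certificate whose
                // CN is equal to the FQDN of the cluster.
                // NOTE(review): any client certificate with this CN that the
                // kubelets' client CA accepts receives the role above, so
                // issuance of that CN has to stay restricted to the API
                // server. Confirm against the PKI setup, which is not
                // visible here.
                name: fqdn,
            },
        ],
    },

    // CoreDNS for this cluster.
    dns: coredns.Environment {
    },
};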
// Output object: one entry per cluster, keyed by the cluster's short name.
{ k0: Cluster("k0.hswaw.net") }