| Sergiusz Bazanski | af3be42 | 2019-01-17 18:57:19 +0100 | [diff] [blame] | 1 | # Deploy a per-cluster Metrics Server setup. |
| 2 | |
| 3 | local kube = import "../../../kube/kube.libsonnet"; |
| 4 | |
| 5 | { |
| 6 | Environment: { |
| 7 | local env = self, |
| 8 | local cfg = env.cfg, |
| 9 | cfg:: { |
| 10 | image: "k8s.gcr.io/metrics-server-amd64:v0.3.1", |
| 11 | namespace: "kube-system", |
| 12 | }, |
| 13 | |
| 14 | sa: kube.ServiceAccount("metrics-server") { |
| 15 | metadata+: { |
| 16 | namespace: cfg.namespace, |
| 17 | }, |
| 18 | }, |
| 19 | |
| 20 | # Cluster Role and Binding for the metrics server to allow reading node state. |
| 21 | crServer: kube.ClusterRole("system:metrics-server") { |
| 22 | rules: [ |
| 23 | { |
| 24 | apiGroups: [""], |
| 25 | resources: ["pods", "nodes", "nodes/stats"], |
| 26 | verbs: ["get", "list", "watch"] |
| 27 | }, |
| 28 | ], |
| 29 | }, |
| 30 | crbServer: kube.ClusterRoleBinding("system:metrics-server") { |
| 31 | roleRef: { |
| 32 | apiGroup: "rbac.authorization.k8s.io", |
| 33 | kind: "ClusterRole", |
| 34 | name: env.crServer.metadata.name, |
| 35 | }, |
| 36 | subjects: [ |
| 37 | { |
| 38 | kind: "ServiceAccount", |
| 39 | name: env.sa.metadata.name, |
| 40 | namespace: env.sa.metadata.namespace, |
| 41 | }, |
| 42 | ], |
| 43 | }, |
| 44 | |
| 45 | # Let the metrics server act as an auth delegator. |
| 46 | crbAuthDelegator: kube.ClusterRoleBinding("metrics-server:system:auth-delegator") { |
| 47 | roleRef: { |
| 48 | apiGroup: "rbac.authorization.k8s.io", |
| 49 | kind: "ClusterRole", |
| 50 | name: "system:auth-delegator", |
| 51 | }, |
| 52 | subjects: [ |
| 53 | { |
| 54 | kind: "ServiceAccount", |
| 55 | name: env.sa.metadata.name, |
| 56 | namespace: env.sa.metadata.namespace, |
| 57 | }, |
| 58 | ], |
| 59 | }, |
| 60 | |
| 61 | # Let the metrics server access the apiserver extensions configmap. |
| 62 | rbAPIExtensionsMap: kube.RoleBinding("metrics-server-auth-reader") { |
| 63 | metadata+: { |
| 64 | namespace: cfg.namespace, |
| 65 | }, |
| 66 | roleRef: { |
| 67 | apiGroup: "rbac.authorization.k8s.io", |
| 68 | kind: "Role", |
| 69 | name: "extension-apiserver-authentication-reader", |
| 70 | }, |
| 71 | subjects: [ |
| 72 | { |
| 73 | kind: "ServiceAccount", |
| 74 | name: env.sa.metadata.name, |
| 75 | namespace: env.sa.metadata.namespace, |
| 76 | }, |
| 77 | ], |
| 78 | }, |
| 79 | |
| 80 | |
| 81 | deployment: kube.Deployment("metrics-server") { |
| 82 | metadata+: { |
| 83 | namespace: cfg.namespace, |
| 84 | labels+: { |
| 85 | "k8s-app": "metrics-server", |
| 86 | }, |
| 87 | }, |
| 88 | spec+: { |
| 89 | template+: { |
| 90 | spec+: { |
| 91 | serviceAccountName: env.sa.metadata.name, |
| 92 | volumes_: { |
| 93 | tmp: { |
| 94 | emptyDir: {}, |
| 95 | }, |
| 96 | }, |
| 97 | containers_: { |
| 98 | coredns: kube.Container("metrics-server") { |
| 99 | local container = self, |
| 100 | |
| 101 | image: cfg.image, |
| 102 | imagePullPolicy: "IfNotPresent", |
| 103 | # TODO(q3k): define resource limits |
| 104 | ports_: { |
| 105 | https: { |
| 106 | containerPort: 443, |
| 107 | protocol: "TCP", |
| 108 | }, |
| 109 | }, |
| 110 | volumeMounts_: { |
| 111 | tmp: { |
| 112 | mountPath: "/tmp", |
| 113 | }, |
| 114 | }, |
| 115 | }, |
| 116 | }, |
| 117 | }, |
| 118 | }, |
| 119 | }, |
| 120 | }, |
| 121 | svc: kube.Service("metrics-server") { |
| 122 | local svc = self, |
| 123 | metadata+: { |
| 124 | namespace: cfg.namespace, |
| 125 | }, |
| 126 | target_pod: env.deployment.spec.template, |
| 127 | }, |
| 128 | api: kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.metrics.k8s.io") { |
| 129 | spec+: { |
| 130 | service: { |
| 131 | name: env.svc.metadata.name, |
| 132 | namespace: env.svc.metadata.namespace, |
| 133 | }, |
| 134 | group: "metrics.k8s.io", |
| 135 | version: "v1beta1", |
| 136 | insecureSkipTLSVerify: true, |
| 137 | groupPriorityMinimum: 100, |
| 138 | versionPriority: 100, |
| 139 | }, |
| 140 | }, |
| 141 | }, |
| 142 | } |