Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 8b8f3876a91d582795712d1b1355e69eba1f97ce / . / cluster / kube / lib / metrics.libsonnet
blob: f4d548a8a2e651b3c6f8bbbc44dd9b3dcfebaf62 [file] [log] [blame]
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]1# Deploy a per-cluster Metrics Server setup.
Sergiusz Bazanskice81c392020-06-06 12:35:06 +0200[diff] [blame]2# These are Kubernetes metrics, not Prometheus/whatever.
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]3
4local kube = import "../../../kube/kube.libsonnet";
5
6{
7 Environment: {
8 local env = self,
9 local cfg = env.cfg,
10 cfg:: {
11 image: "k8s.gcr.io/metrics-server-amd64:v0.3.1",
12 namespace: "kube-system",
13 },
14
15 sa: kube.ServiceAccount("metrics-server") {
16 metadata+: {
17 namespace: cfg.namespace,
18 },
19 },
20
21 # Cluster Role and Binding for the metrics server to allow reading node state.
22 crServer: kube.ClusterRole("system:metrics-server") {
23 rules: [
24 {
25 apiGroups: [""],
26 resources: ["pods", "nodes", "nodes/stats"],
27 verbs: ["get", "list", "watch"]
28 },
29 ],
30 },
31 crbServer: kube.ClusterRoleBinding("system:metrics-server") {
32 roleRef: {
33 apiGroup: "rbac.authorization.k8s.io",
34 kind: "ClusterRole",
35 name: env.crServer.metadata.name,
36 },
37 subjects: [
38 {
39 kind: "ServiceAccount",
40 name: env.sa.metadata.name,
41 namespace: env.sa.metadata.namespace,
42 },
43 ],
44 },
45
46 # Let the metrics server act as an auth delegator.
47 crbAuthDelegator: kube.ClusterRoleBinding("metrics-server:system:auth-delegator") {
48 roleRef: {
49 apiGroup: "rbac.authorization.k8s.io",
50 kind: "ClusterRole",
51 name: "system:auth-delegator",
52 },
53 subjects: [
54 {
55 kind: "ServiceAccount",
56 name: env.sa.metadata.name,
57 namespace: env.sa.metadata.namespace,
58 },
59 ],
60 },
61
62 # Let the metrics server access the apiserver extensions configmap.
63 rbAPIExtensionsMap: kube.RoleBinding("metrics-server-auth-reader") {
64 metadata+: {
65 namespace: cfg.namespace,
66 },
67 roleRef: {
68 apiGroup: "rbac.authorization.k8s.io",
69 kind: "Role",
70 name: "extension-apiserver-authentication-reader",
71 },
72 subjects: [
73 {
74 kind: "ServiceAccount",
75 name: env.sa.metadata.name,
76 namespace: env.sa.metadata.namespace,
77 },
78 ],
79 },
80
81
82 deployment: kube.Deployment("metrics-server") {
83 metadata+: {
84 namespace: cfg.namespace,
85 labels+: {
86 "k8s-app": "metrics-server",
87 },
88 },
89 spec+: {
90 template+: {
91 spec+: {
92 serviceAccountName: env.sa.metadata.name,
93 volumes_: {
94 tmp: {
95 emptyDir: {},
96 },
97 },
98 containers_: {
99 coredns: kube.Container("metrics-server") {
100 local container = self,
101
102 image: cfg.image,
103 imagePullPolicy: "IfNotPresent",
104 # TODO(q3k): define resource limits
105 ports_: {
106 https: {
107 containerPort: 443,
108 protocol: "TCP",
109 },
110 },
111 volumeMounts_: {
112 tmp: {
113 mountPath: "/tmp",
114 },
115 },
116 },
117 },
118 },
119 },
120 },
121 },
122 svc: kube.Service("metrics-server") {
123 local svc = self,
124 metadata+: {
125 namespace: cfg.namespace,
126 },
radex8b8f3872023-11-24 11:09:46 +0100[diff] [blame^]127 target:: env.deployment,
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +0100[diff] [blame]128 },
129 api: kube._Object("apiregistration.k8s.io/v1beta1", "APIService", "v1beta1.metrics.k8s.io") {
130 spec+: {
131 service: {
132 name: env.svc.metadata.name,
133 namespace: env.svc.metadata.namespace,
134 },
135 group: "metrics.k8s.io",
136 version: "v1beta1",
137 insecureSkipTLSVerify: true,
138 groupPriorityMinimum: 100,
139 versionPriority: 100,
140 },
141 },
142 },
143}