diff --git a/k8s/efk.yaml b/k8s/efk.yaml
index cb1e97d4..a0865312 100644
--- a/k8s/efk.yaml
+++ b/k8s/efk.yaml
@@ -5,7 +5,7 @@ metadata:
 name: fluentd
 namespace: default
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: fluentd
@@ -21,7 +21,7 @@ rules:
 - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: fluentd
 roleRef:
diff --git a/k8s/elasticsearch-operator.yaml b/k8s/elasticsearch-operator.yaml
index 0049541e..df6429ce 100644
--- a/k8s/elasticsearch-operator.yaml
+++ b/k8s/elasticsearch-operator.yaml
@@ -11,7 +11,7 @@ metadata:
 name: elasticsearch-operator
 namespace: elasticsearch-operator
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: elasticsearch-operator
@@ -41,7 +41,7 @@ rules:
 resources: ["elasticsearchclusters"]
 verbs: ["*"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: elasticsearch-operator
@@ -55,13 +55,16 @@ subjects:
 name: elasticsearch-operator
 namespace: elasticsearch-operator
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: elasticsearch-operator
 namespace: elasticsearch-operator
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ name: elasticsearch-operator
 template:
 metadata:
 labels:
diff --git a/k8s/filebeat.yaml b/k8s/filebeat.yaml
index 4b612871..e5812fc5 100644
--- a/k8s/filebeat.yaml
+++ b/k8s/filebeat.yaml
@@ -131,7 +131,7 @@ spec:
 path: /var/lib/filebeat-data
 type: DirectoryOrCreate
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: filebeat
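Review bot: The added `selector.matchLabels` (`name: elasticsearch-operator`) in the elasticsearch-operator Deployment cannot be checked against the pod template from this hunk, because the hunk ends at `labels:` and the label values lie outside it. `apps/v1` rejects a Deployment whose selector does not match `spec.template.metadata.labels`, and the selector cannot be changed after creation, so it is worth confirming that the template carries exactly `name: elasticsearch-operator`. A one-line comment above the selector, such as `# must match spec.template.metadata.labels; immutable in apps/v1`, would keep the two in step.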
@@ -144,7 +144,7 @@ roleRef:
 name: filebeat
 apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: filebeat
diff --git a/k8s/grant-admin-to-dashboard.yaml b/k8s/grant-admin-to-dashboard.yaml
index 59daae9e..a0007d76 100644
--- a/k8s/grant-admin-to-dashboard.yaml
+++ b/k8s/grant-admin-to-dashboard.yaml
@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: kubernetes-dashboard
@@ -11,4 +11,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: kubernetes-dashboard
- namespace: kube-system
\ No newline at end of file
+ namespace: kube-system
diff --git a/k8s/local-path-storage.yaml b/k8s/local-path-storage.yaml
index b163792a..1fba4f5b 100644
--- a/k8s/local-path-storage.yaml
+++ b/k8s/local-path-storage.yaml
@@ -1,49 +1,50 @@
 # This is a local copy of:
 # https://github.com/rancher/local-path-provisioner/blob/master/deploy/local-path-storage.yaml
----
 apiVersion: v1
 kind: Namespace
 metadata:
 name: local-path-storage
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: local-path-provisioner-service-account
 namespace: local-path-storage
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: local-path-provisioner-role
- namespace: local-path-storage
 rules:
-- apiGroups: [""]
- resources: ["nodes", "persistentvolumeclaims"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "persistentvolumes", "pods"]
- verbs: ["*"]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
+ - apiGroups: [ "" ]
+ resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes", "pods" ]
+ verbs: [ "*" ]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "create", "patch" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "storageclasses" ]
+ verbs: [ "get", "list", "watch" ]
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: local-path-provisioner-bind
- namespace: local-path-storage
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: local-path-provisioner-role
 subjects:
-- kind: ServiceAccount
- name: local-path-provisioner-service-account
- namespace: local-path-storage
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+
 ---
 apiVersion: apps/v1
 kind: Deployment
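Review bot: The first rule of `local-path-provisioner-role` now lists `configmaps`, and because this is a ClusterRole bound through a ClusterRoleBinding it lets the provisioner's service account read every ConfigMap in every namespace. From the rest of the manifest the provisioner appears to need only `local-path-config` in `local-path-storage` (an inference; confirm that v0.0.19 reads ConfigMaps only in its own namespace before narrowing), so a namespaced Role and RoleBinding would cover it with far less reach. The retained `verbs: [ "*" ]` on `pods`, `endpoints` and `persistentvolumes` is likewise wider than managing helper pods and volumes would seem to need. Since the file is a local copy of the upstream manifest, any narrowing should be recorded in the header comment so the next sync does not silently undo it.

```yaml
# … unchanged: ClusterRole rules, with "configmaps" dropped from the first rule …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: local-path-provisioner-config-reader  # suggested name
  namespace: local-path-storage
rules:
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    verbs: [ "get", "list", "watch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: local-path-provisioner-config-reader  # suggested name
  namespace: local-path-storage
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: local-path-provisioner-config-reader
subjects:
  - kind: ServiceAccount
    name: local-path-provisioner-service-account
    namespace: local-path-storage
```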
@@ -62,27 +63,28 @@ spec:
 spec:
 serviceAccountName: local-path-provisioner-service-account
 containers:
- - name: local-path-provisioner
- image: rancher/local-path-provisioner:v0.0.8
- imagePullPolicy: Always
- command:
- - local-path-provisioner
- - --debug
- - start
- - --config
- - /etc/config/config.json
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config/
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ - name: local-path-provisioner
+ image: rancher/local-path-provisioner:v0.0.19
+ imagePullPolicy: IfNotPresent
+ command:
+ - local-path-provisioner
+ - --debug
+ - start
+ - --config
+ - /etc/config/config.json
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config/
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 volumes:
 - name: config-volume
 configMap:
 name: local-path-config
+
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
@@ -91,6 +93,7 @@ metadata:
 provisioner: rancher.io/local-path
 volumeBindingMode: WaitForFirstConsumer
 reclaimPolicy: Delete
+
 ---
 kind: ConfigMap
 apiVersion: v1
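Review bot: The provisioner image is still referenced by a mutable tag (`rancher/local-path-provisioner:v0.0.19`), and with the new `imagePullPolicy: IfNotPresent` each node keeps whatever content it first pulled under that tag, so nodes can run different images if the tag is ever re-pushed. Pinning the digest removes that ambiguity: `image: rancher/local-path-provisioner:v0.0.19@sha256:<digest-from-registry>`. The container entry visible in this hunk also sets no `securityContext` or resource limits and keeps `--debug`, all of which are worth revisiting if this manifest is used outside a lab cluster.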
@@ -99,12 +102,59 @@ metadata: namespace: local-path-storage data: config.json: |- - { - "nodePathMap":[ - { - "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", - "paths":["/opt/local-path-provisioner"] - } - ] - } + { + "nodePathMap":[ + { + "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", + "paths":["/opt/local-path-provisioner"] + } + ] + } + setup: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + mkdir -m 0777 -p ${absolutePath} + teardown: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + rm -rf ${absolutePath} + helperPod.yaml: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: busybox + + diff --git a/k8s/metrics-server.yaml b/k8s/metrics-server.yaml index ddb2998d..bd311702 100644 --- a/k8s/metrics-server.yaml +++ b/k8s/metrics-server.yaml 
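Review bot: The new `setup` and `teardown` scripts expand `${absolutePath}` unquoted and unchecked, so a path containing whitespace or glob characters is split or expanded before it reaches `mkdir` or `rm -rf`. Quoting the variable and failing on an empty value closes that gap: `mkdir -m 0777 -p -- "${absolutePath:?}"` and `rm -rf -- "${absolutePath:?}"`. The mode `0777` makes every volume directory world-writable on the node (presumably inherited from upstream), so a narrower mode is worth considering where workloads run under a known UID or fsGroup. `helperPod.yaml` uses `image: busybox` with no tag, which resolves to `latest`; since the helper pod runs these scripts against node paths, it should be pinned, e.g. `image: busybox:<pinned-tag>`.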
@@ -1,32 +1,61 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+# This file is https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+# But with the following arguments added to metrics-server:
+# args:
+# - --kubelet-insecure-tls
+# - --metric-resolution=5s
+apiVersion: v1
+kind: ServiceAccount
 metadata:
- name: system:aggregated-metrics-reader
 labels:
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-- apiGroups: ["metrics.k8s.io"]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: metrics-server:system:auth-delegator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
+ k8s-app: metrics-server
 name: metrics-server
 namespace: kube-system
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-app: metrics-server
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+ labels:
+ k8s-app: metrics-server
 name: metrics-server-auth-reader
 namespace: kube-system
 roleRef:
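Review bot: The new header comment points at `releases/latest`, which is a moving target, so nobody can later tell which upstream release this copy corresponds to or diff it against the original. Naming the release would fix that, e.g. `# Source: https://github.com/kubernetes-sigs/metrics-server/releases/download/<release-tag>/components.yaml`; the Deployment later in this file uses image tag v0.4.3, which is presumably the matching release. The same comment could state why the two arguments were added, so the local divergence is not mistaken for an upstream default at the next sync.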
@@ -38,95 +67,26 @@ subjects: name: metrics-server namespace: kube-system --- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.metrics.k8s.io -spec: - service: - name: metrics-server - namespace: kube-system - group: metrics.k8s.io - version: v1beta1 - insecureSkipTLSVerify: true - groupPriorityMinimum: 100 - versionPriority: 100 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metrics-server - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server -spec: - selector: - matchLabels: - k8s-app: metrics-server - template: - metadata: - name: metrics-server - labels: - k8s-app: metrics-server - spec: - serviceAccountName: metrics-server - volumes: - # mount in tmp so we can safely use from-scratch images and/or read-only containers - - name: tmp-dir - emptyDir: {} - containers: - - name: metrics-server - image: k8s.gcr.io/metrics-server-amd64:v0.3.3 - imagePullPolicy: Always - volumeMounts: - - name: tmp-dir - mountPath: /tmp - args: - - --kubelet-preferred-address-types=InternalIP - - --kubelet-insecure-tls - - --metric-resolution=5s - ---- -apiVersion: v1 -kind: Service -metadata: - name: metrics-server - namespace: kube-system - labels: - kubernetes.io/name: "Metrics-server" -spec: - selector: - k8s-app: metrics-server - ports: - - port: 443 - protocol: TCP - targetPort: 443 ---- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: - name: system:metrics-server -rules: -- apiGroups: - - "" - resources: - - pods - - nodes - - nodes/stats - verbs: - - get - - list - - watch + labels: + k8s-app: metrics-server + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + k8s-app: metrics-server name: system:metrics-server roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -136,3 +96,98 @@ subjects:
 - kind: ServiceAccount
 name: metrics-server
 namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server
+ namespace: kube-system
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ k8s-app: metrics-server
+ spec:
+ containers:
+ - args:
+ - --cert-dir=/tmp
+ - --secure-port=4443
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --kubelet-insecure-tls
+ - --metric-resolution=5s
+ image: k8s.gcr.io/metrics-server/metrics-server:v0.4.3
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ periodSeconds: 10
+ name: metrics-server
+ ports:
+ - containerPort: 4443
+ name: https
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ periodSeconds: 10
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-dir
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ serviceAccountName: metrics-server
+ volumes:
+ - emptyDir: {}
+ name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: v1beta1.metrics.k8s.io
+spec:
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: true
+ service:
+ name: metrics-server
+ namespace: kube-system
+ version: v1beta1
+ versionPriority: 100
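Review bot: Two settings in the added manifest turn off TLS verification: `--kubelet-insecure-tls` in the container args stops metrics-server from verifying kubelet serving certificates, and `insecureSkipTLSVerify: true` on the APIService stops the API server from verifying metrics-server itself. Both were already present before this commit and are reasonable on a training cluster, but neither endpoint is then authenticated to its caller, so a comment at each site such as `# lab only: disables certificate verification` would keep them from being copied into production manifests. The production route is a `caBundle` on the APIService and CA-signed kubelet serving certificates. The new `securityContext` is a good addition; it could also set `allowPrivilegeEscalation: false`.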
diff --git a/k8s/traefik-v1.yaml b/k8s/traefik-v1.yaml
index 959ea198..1bb8d619 100644
--- a/k8s/traefik-v1.yaml
+++ b/k8s/traefik-v1.yaml
@@ -49,24 +49,8 @@ spec:
 - --kubernetes
 - --logLevel=INFO
 ---
-kind: Service
-apiVersion: v1
-metadata:
- name: traefik-ingress-service
- namespace: kube-system
-spec:
- selector:
- k8s-app: traefik-ingress-lb
- ports:
- - protocol: TCP
- port: 80
- name: web
- - protocol: TCP
- port: 8080
- name: admin
----
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: traefik-ingress-controller
 rules:
@@ -90,7 +74,7 @@ rules:
 - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: traefik-ingress-controller
 roleRef:
diff --git a/k8s/traefik-v2.yaml b/k8s/traefik-v2.yaml
index 6a75c4c5..275ad18f 100644
--- a/k8s/traefik-v2.yaml
+++ b/k8s/traefik-v2.yaml
@@ -55,28 +55,8 @@ spec:
 - --entrypoints.https.Address=:443
 - --entrypoints.https.http.tls.certResolver=default
 ---
-kind: Service
-apiVersion: v1
-metadata:
- name: traefik-ingress-service
- namespace: kube-system
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8080"
- prometheus.io/path: "/metrics"
-spec:
- selector:
- k8s-app: traefik-ingress-lb
- ports:
- - protocol: TCP
- port: 80
- name: web
- - protocol: TCP
- port: 8080
- name: admin
----
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: traefik-ingress-controller
 rules:
@@ -109,7 +89,7 @@ rules:
 - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: traefik-ingress-controller
 roleRef: