From 40edf8c6f57913dd105e9032ff5be8e4b183fd2a Mon Sep 17 00:00:00 2001 From: "rong.zhang" Date: Wed, 13 Dec 2017 12:50:44 +0800 Subject: [PATCH 1/6] Update dashboard version to v1.8.0 Update dependencies to be compatible with Kubernetes v1.8 --- roles/kubernetes-apps/ansible/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 5951086e9..2314f34f6 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -39,9 +39,9 @@ netchecker_server_cpu_requests: 50m netchecker_server_memory_requests: 64M # Dashboard -dashboard_enabled: false +dashboard_enabled: true dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 -dashboard_image_tag: v1.7.1 +dashboard_image_tag: v1.8.0 dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64 dashboard_init_image_tag: v1.0.1 From 0771cd859980b4d7f8148101117fc38d62becde1 Mon Sep 17 00:00:00 2001 From: "rong.zhang" Date: Wed, 13 Dec 2017 13:31:48 +0800 Subject: [PATCH 2/6] Remove dashboard_tls_key and dashboard_tls_cert --- .../kubernetes-apps/ansible/defaults/main.yml | 8 -- .../ansible/templates/dashboard.yml.j2 | 74 ++++++------------- 2 files changed, 24 insertions(+), 58 deletions(-) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 2314f34f6..828052673 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -42,8 +42,6 @@ netchecker_server_memory_requests: 64M dashboard_enabled: true dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 dashboard_image_tag: v1.8.0 -dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64 -dashboard_init_image_tag: v1.0.1 # Limits for dashboard dashboard_cpu_limit: 100m 
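Review bot: The commit message does not mention that this hunk also turns the dashboard on by default (`dashboard_enabled: false` → `dashboard_enabled: true`), a larger change than the version bump named in the subject line. Deploying an additional web UI into `kube-system` on every new cluster is a security-relevant default, so either state that decision in the message and the role documentation, or keep `dashboard_enabled: false` here and ship the tag bump on its own. Version tags such as `v1.8.0` are safe unquoted, but quoting version strings in defaults protects against a future purely numeric tag being read as a float.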
@@ -54,12 +52,6 @@ dashboard_memory_requests: 64M # SSL etcd_cert_dir: "/etc/ssl/etcd/ssl" canal_cert_dir: "/etc/canal/certs" -# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that -# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs -dashboard_use_custom_certs: false -dashboard_certs_secret_name: kubernetes-dashboard-certs -dashboard_tls_key_file: dashboard.key -dashboard_tls_cert_file: dashboard.crt rbac_resources: - sa diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index b16ddd467..90eee47ba 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -13,7 +13,7 @@ # limitations under the License. # Configuration to deploy release version of the Dashboard UI compatible with -# Kubernetes 1.7. +# Kubernetes 1.8. # # Example usage: kubectl create -f 
@@ -43,28 +43,41 @@ metadata: # ------------------- Dashboard Role & Role Binding ------------------- # kind: Role -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kubernetes-dashboard-minimal namespace: {{ system_namespace }} rules: - # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret. + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. - apiGroups: [""] resources: ["secrets"] - verbs: ["create", "watch"] + verbs: ["create"] + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] - # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret. resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] # Allow Dashboard to get metrics from heapster. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster"] verbs: ["proxy"] +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:"] + verbs: ["get"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubernetes-dashboard-minimal 
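Review bot: The two new `create` rules on `secrets` and `configmaps` at the top of `rules:` are effectively namespace-wide, because Kubernetes RBAC cannot constrain `create` by `resourceNames`; only the later `get`/`update`/`delete` rules are pinned to the dashboard's own objects. That mirrors the upstream 1.8 manifest, but a reader scanning this Role may assume the whole thing is limited to the named objects, so make it explicit above the first rule: `# NOTE: 'create' cannot be limited by resourceNames; these two rules allow creating any secret/configmap in this namespace.` The added `services/proxy` rule is the tighter form (`get` only, named heapster endpoints) and should stay as written.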
@@ -78,39 +91,11 @@ subjects: name: kubernetes-dashboard namespace: {{ system_namespace }} ---- -# ------------------- Gross Hack For anonymous auth through api proxy ------------------- # -# Allows users to reach login page and other proxied dashboard URLs -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubernetes-dashboard-anonymous -rules: -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["https:kubernetes-dashboard:"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubernetes-dashboard-anonymous -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubernetes-dashboard-anonymous -subjects: -- kind: User - name: system:anonymous - --- # ------------------- Dashboard Deployment ------------------- # kind: Deployment -apiVersion: extensions/v1beta1 +apiVersion: apps/v1beta2 metadata: labels: k8s-app: kubernetes-dashboard @@ -127,18 +112,10 @@ spec: labels: k8s-app: kubernetes-dashboard spec: -{% if not dashboard_use_custom_certs %} - initContainers: - - name: kubernetes-dashboard-init - image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }} - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs -{% endif %} containers: - name: kubernetes-dashboard image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} - imagePullPolicy: Always + imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ dashboard_cpu_limit }} 
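Review bot: Switching the Deployment to `apiVersion: apps/v1beta2` requires an explicit `spec.selector`, which `extensions/v1beta1` defaulted from the pod template labels and `apps/v1beta2` does not; the Deployment `spec:` lies outside this hunk, so confirm it carries `selector: { matchLabels: { k8s-app: kubernetes-dashboard } }` or the apply will be rejected on 1.8. The same hunk deletes the `kubernetes-dashboard-anonymous` ClusterRole and its `system:anonymous` binding, which removes unauthenticated reach to the proxied UI — a sound hardening step, but a user-visible one that the subject "Remove dashboard_tls_key and dashboard_tls_cert" does not cover and the message should name.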
@@ -150,9 +127,7 @@ spec: - containerPort: 8443 protocol: TCP args: - - --tls-key-file=/certs/{{ dashboard_tls_key_file }} - - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }} - - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} + - --auto-generate-certificates # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work. @@ -160,7 +135,6 @@ spec: volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs - readOnly: true # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume @@ -174,7 +148,7 @@ spec: volumes: - name: kubernetes-dashboard-certs secret: - secretName: {{ dashboard_certs_secret_name }} + secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard @@ -198,4 +172,4 @@ spec: - port: 443 targetPort: 8443 selector: - k8s-app: kubernetes-dashboard \ No newline at end of file + k8s-app: kubernetes-dashboard From b974b144a81cd4dbfc23ecaa64abb1ee6f6ccba1 Mon Sep 17 00:00:00 2001 From: "rong.zhang" Date: Mon, 18 Dec 2017 23:07:19 +0800 Subject: [PATCH 3/6] Add RBAC to binding Dahsboard UI --- .../kubernetes-apps/ansible/defaults/main.yml | 9 ++++ .../ansible/templates/dashboard.yml.j2 | 43 +++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 828052673..414943842 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml 
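Review bot: With `secretName: kubernetes-dashboard-certs` hard-coded and the init container removed earlier in this patch, the kubelet will hold the pod in ContainerCreating until a Secret of that name exists in `{{ system_namespace }}`; the dashboard cannot create it itself because the volume must be mounted before the container starts, and nothing in this series defines it (the upstream 1.8 manifest ships an empty `Secret` of that name for exactly this reason). Unless the template creates that Secret in a part not shown here, either add it or make the mount tolerant: `secret:` / `  secretName: kubernetes-dashboard-certs` / `  optional: true`. If the dashboard stores its auto-generated certificate in that secret, as the Role's `update` grant suggests, the Secret must exist in any case for `--auto-generate-certificates` to persist anything.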
@@ -42,6 +42,8 @@ netchecker_server_memory_requests: 64M dashboard_enabled: true dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 dashboard_image_tag: v1.8.0 +dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64 +dashboard_init_image_tag: v1.0.1 # Limits for dashboard dashboard_cpu_limit: 100m @@ -53,6 +55,13 @@ dashboard_memory_requests: 64M etcd_cert_dir: "/etc/ssl/etcd/ssl" canal_cert_dir: "/etc/canal/certs" +# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that +# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs +dashboard_use_custom_certs: false +dashboard_certs_secret_name: kubernetes-dashboard-certs +dashboard_tls_key_file: dashboard.key +dashboard_tls_cert_file: dashboard.crt + rbac_resources: - sa - clusterrole diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index 90eee47ba..cf222011c 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 
@@ -91,6 +91,34 @@ subjects: name: kubernetes-dashboard namespace: {{ system_namespace }} +--- +# ------------------- Gross Hack For anonymous auth through api proxy ------------------- # +# Allows users to reach login page and other proxied dashboard URLs +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-dashboard-anonymous +rules: +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["https:kubernetes-dashboard:"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard-anonymous +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard-anonymous +subjects: +- kind: User + name: system:anonymous + --- # ------------------- Dashboard Deployment ------------------- # @@ -112,6 +140,14 @@ spec: labels: k8s-app: kubernetes-dashboard spec: +{% if not dashboard_use_custom_certs %} + initContainers: + - name: kubernetes-dashboard-init + image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }} + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs +{% endif %} containers: - name: kubernetes-dashboard image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} 
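Review bot: The `kubernetes-dashboard-anonymous` ClusterRole and ClusterRoleBinding are unconditional, so on any cluster whose apiserver accepts anonymous requests the dashboard's entire HTTP surface is reachable through `services/proxy` without apiserver credentials, leaving the dashboard's own token/basic login as the sole barrier; the broad verb list cannot simply be trimmed, because the proxied UI needs every method once a user has logged in to the dashboard. Since the block's own comment calls it a hack for proxy access, make it opt-in: wrap both documents in a role flag (a constructed example would be `dashboard_anonymous_proxy_enabled`, default `false`) so clusters that front the UI with `kubectl proxy` or an authenticating ingress do not carry the binding. This block is the one patch 2/6 of the same series deleted; squashing the two commits avoids a history in which the anonymous binding flaps.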
@@ -127,7 +163,14 @@ spec: - containerPort: 8443 protocol: TCP args: +{% if not dashboard_use_custom_certs %} + - --tls-key-file=/certs/{{ dashboard_tls_key_file }} + - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }} + - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} +{% else %} - --auto-generate-certificates +{% endif %} +{% endif %} # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work. From 5aef52e8c029cddb969a2c7ac342f09b8065148e Mon Sep 17 00:00:00 2001 From: "rong.zhang" Date: Fri, 22 Dec 2017 11:17:05 +0800 Subject: [PATCH 4/6] fix dashboard certs secret --- roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index cf222011c..ed8478dc4 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -176,8 +176,10 @@ spec: # to it. Uncomment only if the default does not work. # - --apiserver-host=http://my-address:port volumeMounts: +{% if not dashboard_use_custom_certs %} - name: kubernetes-dashboard-certs mountPath: /certs +{% endif %} # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume @@ -189,9 +191,11 @@ spec: initialDelaySeconds: 30 timeoutSeconds: 30 volumes: +{% if not dashboard_use_custom_certs %} - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs +{% endif %} - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard From 6ed2a60978ac1733f856203beeadfa45ffe55a2b Mon Sep 17 00:00:00 2001 
From: "rong.zhang" Date: Thu, 4 Jan 2018 13:02:33 +0800 Subject: [PATCH 5/6] fix run dashboard error --- roles/kubernetes-apps/ansible/defaults/main.yml | 2 +- .../ansible/templates/dashboard.yml.j2 | 15 +++++---------- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 414943842..f6f5cce63 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -41,7 +41,7 @@ netchecker_server_memory_requests: 64M # Dashboard dashboard_enabled: true dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 -dashboard_image_tag: v1.8.0 +dashboard_image_tag: v1.8.1 dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64 dashboard_init_image_tag: v1.0.1 diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index ed8478dc4..ca6feea1a 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -140,7 +140,7 @@ spec: labels: k8s-app: kubernetes-dashboard spec: -{% if not dashboard_use_custom_certs %} +{% if dashboard_use_custom_certs %} initContainers: - name: kubernetes-dashboard-init image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }} 
@@ -163,23 +163,20 @@ spec: - containerPort: 8443 protocol: TCP args: -{% if not dashboard_use_custom_certs %} - - --tls-key-file=/certs/{{ dashboard_tls_key_file }} - - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }} +{% if dashboard_use_custom_certs %} + - --tls-key-file={{ dashboard_tls_key_file }} + - --tls-cert-file={{ dashboard_tls_cert_file }} - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} {% else %} - --auto-generate-certificates -{% endif %} {% endif %} # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work. # - --apiserver-host=http://my-address:port volumeMounts: -{% if not dashboard_use_custom_certs %} - name: kubernetes-dashboard-certs mountPath: /certs -{% endif %} # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume @@ -191,11 +188,9 @@ spec: initialDelaySeconds: 30 timeoutSeconds: 30 volumes: -{% if not dashboard_use_custom_certs %} - name: kubernetes-dashboard-certs secret: - secretName: kubernetes-dashboard-certs -{% endif %} + secretName: {{ dashboard_certs_secret_name }} - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard From df21fc864343705c676a9d095ab30c38cb26b6c9 Mon Sep 17 00:00:00 2001 From: "rong.zhang" Date: Wed, 10 Jan 2018 10:05:46 +0800 Subject: [PATCH 6/6] Remove initContainer --- roles/kubernetes-apps/ansible/defaults/main.yml | 8 ++++---- .../kubernetes-apps/ansible/templates/dashboard.yml.j2 | 10 +--------- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index f6f5cce63..2e9defcce 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml 
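Review bot: `--tls-key-file={{ dashboard_tls_key_file }}` and `--tls-cert-file={{ dashboard_tls_cert_file }}` now pass bare file names, so they only resolve because the dashboard looks them up under its default certificate directory (`/certs`), which happens to equal the `mountPath: /certs` further down this hunk; that coupling is invisible to whoever next edits either line. Add a comment above the `{% if dashboard_use_custom_certs %}` line, e.g. `# file names are resolved under the dashboard's default cert dir, which must match the /certs mountPath below`, or pass `--default-cert-dir=/certs` explicitly next to them so the dependency is stated in the manifest.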
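Review bot: Restoring `secretName: {{ dashboard_certs_secret_name }}` lets an operator point the volume at any secret, but the Role earlier in this template (outside the hunk) grants `get`/`update`/`delete` only on the literal `kubernetes-dashboard-certs`; in the default `--auto-generate-certificates` branch a renamed secret would be mounted yet not writable by the dashboard, so the generated certificate could not be stored there. Either render the variable into that Role's `resourceNames` as well, or document next to `dashboard_certs_secret_name` in the defaults that it is only honoured together with `dashboard_use_custom_certs: true`.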
@@ -51,10 +51,6 @@ dashboard_memory_limit: 256M dashboard_cpu_requests: 50m dashboard_memory_requests: 64M -# SSL -etcd_cert_dir: "/etc/ssl/etcd/ssl" -canal_cert_dir: "/etc/canal/certs" - # Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that # contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs dashboard_use_custom_certs: false @@ -62,6 +58,10 @@ dashboard_certs_secret_name: kubernetes-dashboard-certs dashboard_tls_key_file: dashboard.key dashboard_tls_cert_file: dashboard.crt +# SSL +etcd_cert_dir: "/etc/ssl/etcd/ssl" +canal_cert_dir: "/etc/canal/certs" + rbac_resources: - sa - clusterrole diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index ca6feea1a..b1ba1481d 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -140,14 +140,6 @@ spec: labels: k8s-app: kubernetes-dashboard spec: -{% if dashboard_use_custom_certs %} - initContainers: - - name: kubernetes-dashboard-init - image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }} - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs -{% endif %} containers: - name: kubernetes-dashboard image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} 
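Review bot: The context line `# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs` is stale after this commit, because the same patch removes the init container from `dashboard.yml.j2`; the alternative in the new code is the dashboard's own `--auto-generate-certificates`. Suggest `# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of letting the dashboard auto-generate a self-signed certificate`. The `dashboard_init_image_repo` / `dashboard_init_image_tag` defaults (above this hunk, not shown) also appear unused once the init container is gone and could be dropped in the same change.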
@@ -166,10 +158,10 @@ spec: {% if dashboard_use_custom_certs %} - --tls-key-file={{ dashboard_tls_key_file }} - --tls-cert-file={{ dashboard_tls_cert_file }} - - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} {% else %} - --auto-generate-certificates {% endif %} + - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work.
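Review bot: Moving `- --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}` out of the certificate branch means `basic` login is now enabled on the dashboard whenever `kube_basic_auth` is set, regardless of how certificates are provided — a behaviour change that the subject "Remove initContainer" does not cover. Because basic mode has users enter apiserver credentials into the dashboard's login page, call this out in the commit message and in the role documentation for `kube_basic_auth`, so operators enabling basic auth for the apiserver know it is also exposed here. The unconditional `token` part is the dashboard's documented default mode and changes nothing on its own.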