diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 6ad110274..8708e87b3 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -597,8 +597,10 @@ gcp_pd_csi_attacher_image_tag: "v2.1.1-gke.0" gcp_pd_csi_resizer_image_tag: "v0.4.0-gke.0" gcp_pd_csi_registrar_image_tag: "v1.2.0-gke.0" -dashboard_image_repo: "{{ gcr_image_repo }}/google_containers/kubernetes-dashboard-{{ image_arch }}" -dashboard_image_tag: "v1.10.1" +dashboard_image_repo: "{{ docker_image_repo }}/kubernetesui/dashboard-{{ image_arch }}" +dashboard_image_tag: "v2.0.0" +dashboard_metrics_scraper_repo: "{{ docker_image_repo }}/kubernetesui/metrics-scraper" +dashboard_metrics_scraper_tag: "v1.0.4" image_pull_command: "{{ docker_bin_dir }}/docker pull" image_save_command: "{{ docker_bin_dir }}/docker save {{ image_reponame }} | gzip -{{ download_compress }} > {{ image_path_final }}" @@ -1137,6 +1139,15 @@ downloads: groups: - kube-master + dashboard_metrics_scrapper: + enabled: "{{ dashboard_enabled }}" + container: true + repo: "{{ dashboard_metrics_scraper_repo }}" + tag: "{{ dashboard_metrics_scraper_tag }}" + sha256: "{{ dashboard_digest_checksum|default(None) }}" + groups: + - kube-master + download_defaults: container: false file: false diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 18d3e2bcd..a68ecec01 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -41,6 +41,9 @@ netchecker_server_group: 1000 dashboard_enabled: true dashboard_replicas: 1 +# Namespace for dashboad +dashboard_namespace: kube-system + # Limits for dashboard dashboard_cpu_limit: 100m dashboard_memory_limit: 256M diff --git a/roles/kubernetes-apps/ansible/tasks/dashboard.yml b/roles/kubernetes-apps/ansible/tasks/dashboard.yml index 067830446..ba6c13b2b 100644 --- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml 
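Review bot: `sha256: "{{ dashboard_digest_checksum|default(None) }}"` in the new `dashboard_metrics_scrapper` download entry reuses the dashboard image's digest variable for a different image, so an operator who pins `dashboard_digest_checksum` would have the metrics-scraper image verified against the wrong digest, and the scraper image cannot be pinned on its own. Give it a variable of its own, e.g. `sha256: "{{ dashboard_metrics_scraper_digest_checksum|default(None) }}"`, and document that optional variable next to `dashboard_metrics_scraper_tag` in the first hunk of this file. The entry key `dashboard_metrics_scrapper` also misspells "scraper", unlike the `dashboard_metrics_scraper_repo` and `dashboard_metrics_scraper_tag` variables it references; naming it `dashboard_metrics_scraper` keeps the two consistent and greppable.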
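Review bot: The comment above the new `dashboard_namespace` default reads `# Namespace for dashboad` and does not say what changing it implies; as far as this diff shows, no task or manifest creates the namespace, so a value other than kube-system presumably has to exist before the dashboard tasks run. Suggested replacement: `# Namespace the dashboard and metrics scraper are deployed into (must already exist if changed from kube-system)`.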
+++ b/roles/kubernetes-apps/ansible/tasks/dashboard.yml @@ -11,7 +11,7 @@ - name: Kubernetes Apps | Start dashboard kube: name: "{{ item.item.name }}" - namespace: "kube-system" + namespace: "{{ dashboard_namespace }}" kubectl: "{{ bin_dir }}/kubectl" resource: "{{ item.item.type }}" filename: "{{ kube_config_dir }}/{{ item.item.file }}" diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index 024f5adde..aafa87dcc 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -26,7 +26,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs - namespace: kube-system + namespace: {{ dashboard_namespace }} type: Opaque --- @@ -36,7 +36,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf - namespace: kube-system + namespace: {{ dashboard_namespace }} type: Opaque data: csrf: "" @@ -48,7 +48,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-key-holder - namespace: kube-system + namespace: {{ dashboard_namespace }} type: Opaque --- @@ -59,7 +59,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-settings - namespace: kube-system + namespace: {{ dashboard_namespace }} --- # ------------------- Dashboard Service Account ------------------- # 
@@ -70,79 +70,68 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: kube-system + namespace: {{ dashboard_namespace }} --- # ------------------- Dashboard Role & Role Binding ------------------- # - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: {{ dashboard_namespace }} rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. -- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. 
+ - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: {{ dashboard_namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: kubernetes-dashboard-minimal -subjects: -- kind: ServiceAccount name: kubernetes-dashboard - namespace: kube-system - ---- -# ------------------- Gross Hack For anonymous auth through api proxy ------------------- # -# Allows users to reach login page and other proxied dashboard URLs -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubernetes-dashboard-anonymous -rules: -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["https:kubernetes-dashboard:"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: {{ dashboard_namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubernetes-dashboard-anonymous + name: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kubernetes-dashboard-anonymous + name: kubernetes-dashboard subjects: -- kind: User - name: system:anonymous + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: {{ dashboard_namespace }} --- # ------------------- Dashboard Deployment ------------------- # 
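Review bot: The new `ClusterRoleBinding` `kubernetes-dashboard` binds the `kubernetes-dashboard` ServiceAccount to the cluster-wide `kubernetes-dashboard` ClusterRole (the metrics.k8s.io pods/nodes rules added in the @@ -229 hunk), and that same ServiceAccount is also what the metrics-scraper Deployment in that hunk runs as. The dashboard pod therefore holds cluster-wide metrics read access it presumably only needs indirectly (the Role in this hunk already lets it reach the scraper via `services/proxy`), and the scraper pod inherits the Role's get/update/delete rights on the dashboard's certs, csrf and key-holder Secrets. A dedicated ServiceAccount for the scraper, used as this ClusterRoleBinding's subject (`name: dashboard-metrics-scraper`) and as the scraper Deployment's `serviceAccountName`, keeps each workload to the permissions it actually uses. This note also covers the @@ -229 hunk.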
@@ -153,7 +142,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: kube-system + namespace: {{ dashboard_namespace }} spec: replicas: {{ dashboard_replicas }} revisionHistoryLimit: 10 
@@ -167,57 +156,60 @@ spec: spec: priorityClassName: system-cluster-critical containers: - - name: kubernetes-dashboard - image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} - imagePullPolicy: {{ k8s_image_pull_policy }} - resources: - limits: - cpu: {{ dashboard_cpu_limit }} - memory: {{ dashboard_memory_limit }} - requests: - cpu: {{ dashboard_cpu_requests }} - memory: {{ dashboard_memory_requests }} - ports: - - containerPort: 8443 - protocol: TCP - args: + - name: kubernetes-dashboard + image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} + imagePullPolicy: {{ k8s_image_pull_policy }} + resources: + limits: + cpu: {{ dashboard_cpu_limit }} + memory: {{ dashboard_memory_limit }} + requests: + cpu: {{ dashboard_cpu_requests }} + memory: {{ dashboard_memory_requests }} + ports: + - containerPort: 8443 + protocol: TCP + args: + - --namespace={{ dashboard_namespace }} {% if dashboard_use_custom_certs %} - - --tls-key-file={{ dashboard_tls_key_file }} - - --tls-cert-file={{ dashboard_tls_cert_file }} + - --tls-key-file={{ dashboard_tls_key_file }} + - --tls-cert-file={{ dashboard_tls_cert_file }} {% else %} - - --auto-generate-certificates + - --auto-generate-certificates {% endif %} {% if dashboard_skip_login %} - --enable-skip-login {% endif %} - - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. 
- # - --apiserver-host=http://my-address:port - - --token-ttl={{ dashboard_token_ttl }} - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 + - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + - --token-ttl={{ dashboard_token_ttl }} + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: {{ dashboard_certs_secret_name }} - - name: tmp-volume - emptyDir: {} + - name: kubernetes-dashboard-certs + secret: + secretName: {{ dashboard_certs_secret_name }} + - name: tmp-volume + emptyDir: {} serviceAccountName: kubernetes-dashboard {% if dashboard_master_toleration %} tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule {% endif %} --- 
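Review bot: `- --enable-skip-login` inside the `{% if dashboard_skip_login %}` block is the only `args` item left as an unchanged context line, while every sibling item (`--namespace`, `--tls-key-file`, `--auto-generate-certificates`, `--authentication-mode`, `--token-ttl`) was removed and re-added at a new indent. If the re-indentation moved the siblings' column, this line now renders at the old column and the Deployment manifest is invalid YAML whenever `dashboard_skip_login` is true; indent it to match the `- --auto-generate-certificates` line directly above it. The Deployment spec continues outside the hunk.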
@@ -229,10 +221,83 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: kube-system + namespace: {{ dashboard_namespace }} spec: ports: - port: 443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard + +--- +# ------------------- Metrics Scrapper Service Account ------------------- # + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + +--- + +# ------------------- Metrics Scrapper Service ------------------- # +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-metrics-scraper + name: dashboard-metrics-scraper + namespace: {{ dashboard_namespace }} +spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + k8s-app: kubernetes-metrics-scraper + +--- + +# ------------------- Metrics Scrapper Deployment ------------------- # +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-metrics-scraper + name: kubernetes-metrics-scraper + namespace: {{ dashboard_namespace }} +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-metrics-scraper + template: + metadata: + labels: + k8s-app: kubernetes-metrics-scraper + spec: + containers: + - name: kubernetes-metrics-scraper + image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }} + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + serviceAccountName: kubernetes-dashboard +{% if dashboard_master_toleration %} + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule +{% endif %}
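Review bot: The `kubernetes-metrics-scraper` container sets no `imagePullPolicy` and no `resources` limits or requests, whereas the dashboard container in the same template sets `imagePullPolicy: {{ k8s_image_pull_policy }}` and CPU/memory limits and requests; the scraper will run with the cluster's default pull policy and unbounded CPU and memory. The fence below mirrors the dashboard container's settings using four new scraper variables, which would need defaults next to `dashboard_cpu_limit` in roles/kubernetes-apps/ansible/defaults/main.yml. The header `# ------------------- Metrics Scrapper Service Account ------------------- #` labels a ClusterRole, not a ServiceAccount, and all three new headers spell it "Scrapper"; `# ------------------- Metrics Scraper Cluster Role ------------------- #` would be accurate.

```yaml
        - name: kubernetes-metrics-scraper
          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ dashboard_metrics_scraper_cpu_limit }}
              memory: {{ dashboard_metrics_scraper_memory_limit }}
            requests:
              cpu: {{ dashboard_metrics_scraper_cpu_requests }}
              memory: {{ dashboard_metrics_scraper_memory_requests }}
          # … unchanged: ports, livenessProbe …
```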