diff --git a/bin/run_tests b/bin/run_tests
index c804a423..e21c84c3 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -132,7 +132,7 @@ main() { echo echo -e "${LIGHT_GREEN} ***** Begin affirmative readme operations tests ***** ${NOCOLOR}" local ops_files; - ops_files=$(ls ${home}/manifests/ops-files/*.yml ${home}/manifests/ops-files/iaas/{aws,azure,gcp,openstack,vsphere,virtualbox}/*.yml ${home}/manifests/ops-files/addons-spec/*.yml) + ops_files=$(ls ${home}/manifests/ops-files/*.yml ${home}/manifests/ops-files/iaas/{aws,azure,gcp,openstack,vsphere,virtualbox}/*.yml) ensure_opsfiles_in_readme "$home/manifests/README.md" "$ops_files" echo
diff --git a/bin/test-standard-ops.sh b/bin/test-standard-ops.sh
index cbf9e326..6808e19d 100755
--- a/bin/test-standard-ops.sh
+++ b/bin/test-standard-ops.sh
@@ -58,6 +58,7 @@ test_standard_ops() {
 check_interpolation "add-hostname-to-master-certificate.yml" "-v api-hostname=example.com"
 check_interpolation "add-oidc-endpoint.yml" "-l example-vars-files/misc/oidc.yml"
 check_interpolation "change-audit-log-flags.yml" "-l example-vars-files/change-audit-log-flags.yml"
+ check_interpolation "addons-spec.yml" "-v addons-spec={}"
 check_interpolation "allow-privileged-containers.yml"
 check_interpolation "change-cidrs.yml" "-l example-vars-files/new-cidrs.yml"
 check_interpolation "disable-anonymous-auth.yml"
@@ -69,12 +70,6 @@ test_standard_ops() { check_interpolation "use-hostgw.yml" check_interpolation "set-fs-inotify-limit.yml" "-l example-vars-files/fs-inotify-limit.yml" - ## Addons - check_interpolation "addons-spec/addons.yml" "-v addons-spec={}" - check_interpolation "addons-spec/coredns.yml" "-v kubedns_service_ip=192.168.20.50" - check_interpolation "addons-spec/kubernetes-dashboard.yml" - check_interpolation "addons-spec/metrics-server.yml" - # Etcd check_interpolation "change-etcd-metrics-url.yml" "-v etcd_metrics_protocol=http -v etcd_metrics_port=2378"
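Review bot: The rewritten `ops_files=$(ls …)` line still expands `${home}` unquoted and captures `ls` output into a single scalar, so a `home` containing whitespace or glob characters would word-split into bogus paths that the downstream readme check then operates on. Quoting the variable is the minimal fix and keeps the brace expansion intact: `ops_files=$(ls "${home}"/manifests/ops-files/*.yml "${home}"/manifests/ops-files/iaas/{aws,azure,gcp,openstack,vsphere,virtualbox}/*.yml)`. Building an array from the globs and dropping `ls` would be cleaner, but that changes the string contract of `ensure_opsfiles_in_readme`, whose definition is outside this hunk. The enclosing `main()` also begins before and ends after this hunk.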
diff --git a/manifests/README.md b/manifests/README.md index 5c3a9378..2b7d2e4d 100644 --- a/manifests/README.md +++ b/manifests/README.md @@ -83,6 +83,7 @@ For deeper documentation to deploy CFCR go [here](https://github.com/cloudfoundr | Name | Purpose | Notes | |:--- |:--- |:--- | +| [`ops-files/addons-spec.yml`](ops-files/addons-spec.yml) | Addons to be deployed into the Kubernetes cluster | - | | [`ops-files/allow-privileged-containers.yml`](ops-files/allow-privileged-containers.yml) | Allows privileged containers for the Kubernetes cluster. | It is not recommended to use privileged containers however some workloads require it. Container privileges can be limited with the SecurityContextDeny admission plugin (set by default in CFCR). See kubernetes documentation for more information | | [`ops-files/disable-anonymous-auth.yml`](ops-files/disable-anonymous-auth.yml) | Disable `anonymous-auth` on the API server | - | | [`ops-files/add-oidc-endpoint.yml`](ops-files/add-oidc-endpoint.yml) | Enable OIDC authentication for the Kubernetes cluster | - | @@ -97,15 +98,6 @@ For deeper documentation to deploy CFCR go [here](https://github.com/cloudfoundr | [`ops-files/use-hostgw.yml`](ops-files/use-hostgw.yml) | Sets the cluster to use host-gw backend in flannel. Necessary for Windows workers. | - | | [`ops-files/set-fs-inotify-limit.yml`](ops-files/set-fs-inotify-limit.yml) | Configure fs.inotify.max_user_watches.| Extra Vars Required:
- **fs_inotify_max_user_watches:** Required for configuring the max inotify user watches. | -### Addons - -| Name | Purpose | Notes | -|:--- |:--- |:--- | -| [`ops-files/addons-spec/addons.yml`](ops-files/addons-spec/addons.yml) | Addons to be deployed into the Kubernetes cluster | - | -| [`ops-files/addons-spec/coredns.yml`](ops-files/addons-spec/coredns.yml) | Coredns to be deployed into the Kubernetes cluster | `kubedns_service_ip` variable is needed, for example: `10.100.200.10` | -| [`ops-files/addons-spec/kubernetes-dashboard.yml`](ops-files/addons-spec/kubernetes-dashboard.yml) | Kubernetes dashboard to be deployed into the Kubernetes cluster | - | -| [`ops-files/addons-spec/metrics-server.yml`](ops-files/addons-spec/metrics-server.yml) | Metrics server to be deployed into the Kubernetes cluster | - | - ### Etcd | Name | Purpose | Notes| diff --git a/manifests/cfcr.yml b/manifests/cfcr.yml index 46e8f4a2..504e68cd 100644 --- a/manifests/cfcr.yml +++ b/manifests/cfcr.yml 
@@ -26,6 +26,541 @@ instance_groups: kubernetes: ((tls-kubernetes)) kubernetes-dashboard: ((tls-kubernetes-dashboard)) metrics-server: ((tls-metrics-server)) + specs: + coredns: + - name: service-account + value: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: coredns + namespace: kube-system + - name: cluster-role + value: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns + rules: + - apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - name: cluster-role-binding + value: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:coredns + subjects: + - kind: ServiceAccount + name: coredns + namespace: kube-system + - name: config-map + value: + apiVersion: v1 + kind: ConfigMap + metadata: + name: coredns + namespace: kube-system + data: + Corefile: | + .:53 { + errors + health + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + upstream + fallthrough in-addr.arpa ip6.arpa + } + prometheus :9153 + proxy . 
/etc/resolv.conf { + policy sequential # needed for workloads to be able to use BOSH-DNS + } + cache 30 + loop + reload + loadbalance + } + - name: deployment + value: + apiVersion: extensions/v1beta1 + kind: Deployment + metadata: + name: coredns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/name: "CoreDNS" + spec: + replicas: 3 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'docker/default' + spec: + priorityClassName: system-cluster-critical # Added for Guaranteed Scheduling + serviceAccountName: coredns + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + - name: coredns + image: coredns/coredns:1.3.1 + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + # NOTE: Security Context is denied unless privileged containers + # are enabled. Once security context can be separated from + # allow-privileged in the release, then this should become + # conditional. 
+ # securityContext: + # allowPrivilegeEscalation: false + # capabilities: + # add: + # - NET_BIND_SERVICE + # drop: + # - all + # readOnlyRootFilesystem: true + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns + items: + - key: Corefile + path: Corefile + - name: service + value: + apiVersion: v1 + kind: Service + metadata: + name: kube-dns + namespace: kube-system + annotations: + prometheus.io/port: "9153" + prometheus.io/scrape: "true" + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "CoreDNS" + spec: + selector: + k8s-app: kube-dns + clusterIP: 10.100.200.10 + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + kubernetes-dashboard: | + # Copyright 2017 The Kubernetes Authors. + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + # Configuration to deploy release version of the Dashboard UI compatible with + # Kubernetes 1.8. 
+ # + # Example usage: kubectl create -f + + --- + # ------------------- Dashboard Service Account ------------------- # + + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system + + --- + # ------------------- Dashboard Role & Role Binding ------------------- # + + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-minimal + namespace: kube-system + rules: + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. Added separately from Addons Spec + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] + + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 
+ - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard-minimal + subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system + + --- + # ------------------- Dashboard Config ------------------- # + + apiVersion: v1 + kind: ConfigMap + metadata: + name: kubernetes-dashboard-settings + namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + --- + # ------------------- Dashboard Deployment ------------------- # + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: kubernetes-dashboard + namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + spec: + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + seccomp.security.alpha.kubernetes.io/pod: 'docker/default' + spec: + priorityClassName: system-cluster-critical + containers: + - name: kubernetes-dashboard + image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 50m + memory: 100Mi + ports: + - containerPort: 8443 + protocol: TCP + args: + - --default-cert-dir=/certs + - --tls-cert-file=kubernetes-dashboard-cert + - --tls-key-file=kubernetes-dashboard-key + # Uncomment the following line + # Create on-disk volume to store exec logs + volumeMounts: + - mountPath: /tmp + name: tmp-volume + - mountPath: /certs + name: kubernetes-dashboard-certs + readOnly: true + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs 
+ secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + # Comment the following tolerations if Dashboard must not be deployed on master + # tolerations: + # - key: node-role.kubernetes.io/master + # effect: NoSchedule + + --- + # ------------------- Dashboard Service ------------------- # + + apiVersion: v1 + kind: Service + metadata: + name: kubernetes-dashboard + namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + spec: + selector: + k8s-app: kubernetes-dashboard + ports: + - port: 443 + targetPort: 8443 + type: NodePort + metrics-server: | + --- + # ------------------- Auth Delegator ------------------- # + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: metrics-server:system:auth-delegator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system + + --- + # ------------------- Auth Reader ------------------- # + + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: metrics-server-auth-reader + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader + subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system + + --- + # ------------------- Metrics APIService ------------------- # + + apiVersion: apiregistration.k8s.io/v1beta1 + kind: APIService + metadata: + name: v1beta1.metrics.k8s.io + spec: + service: + name: metrics-server + namespace: kube-system + group: metrics.k8s.io + version: v1beta1 + insecureSkipTLSVerify: true + groupPriorityMinimum: 100 + versionPriority: 100 + + --- + # ------------------- Metrics Server Deployment ------------------- # + + apiVersion: v1 + kind: ServiceAccount + metadata: + 
name: metrics-server + namespace: kube-system + --- + apiVersion: extensions/v1beta1 + kind: Deployment + metadata: + name: metrics-server + namespace: kube-system + labels: + k8s-app: metrics-server + version: v0.3.1 + spec: + selector: + matchLabels: + k8s-app: metrics-server + template: + metadata: + name: metrics-server + labels: + k8s-app: metrics-server + spec: + serviceAccountName: metrics-server + volumes: + # mount in tmp so we can safely use from-scratch images and/or read-only containers + - name: tmp-dir + emptyDir: {} + - name: metrics-server-secrets + secret: + secretName: metrics-server-certs + containers: + - name: metrics-server + image: k8s.gcr.io/metrics-server-amd64:v0.3.2 + imagePullPolicy: IfNotPresent + command: + - /metrics-server + - --kubelet-preferred-address-types=InternalIP + - --kubelet-insecure-tls + - --client-ca-file=/var/run/kubernetes/client-ca.crt + - --requestheader-client-ca-file=/var/run/kubernetes/requestheader-client-ca.crt + - --tls-cert-file=/var/run/kubernetes/client.crt + - --tls-private-key-file=/var/run/kubernetes/client.key + ports: + - containerPort: 443 + name: https + protocol: TCP + volumeMounts: + - name: tmp-dir + mountPath: /tmp + - name: metrics-server-secrets + mountPath: /var/run/kubernetes + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + + --- + # ------------------- Metrics Server Service ------------------- # + + apiVersion: v1 + kind: Service + metadata: + name: metrics-server + namespace: kube-system + labels: + kubernetes.io/name: "Metrics-server" + spec: + selector: + k8s-app: metrics-server + ports: + - port: 443 + protocol: TCP + targetPort: https + + --- + # ------------------- Resource Reader ------------------- # + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: system:metrics-server + rules: + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - create + - get + - apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + 
verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - deployments + verbs: + - get + - list + - watch + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: system:metrics-server + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server + subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system release: kubo - name: kubernetes-dependencies release: kubernetes diff --git a/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml b/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml index 3ba17ad9..1d7d3a78 100644 --- a/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml +++ b/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml @@ -1,7 +1,8 @@ vm_extensions: - cloud_properties: + backend_service: ((cfcr_backend_service)) service_account: ((cfcr_master_service_account_address)) name: ((deployment_name))-master-cloud-properties - cloud_properties: - service_account: ((cfcr_worker_service_account_address)) + service_accoqunt: ((cfcr_worker_service_account_address)) name: ((deployment_name))-worker-cloud-properties diff --git a/manifests/ops-files/addons-spec/addons.yml b/manifests/ops-files/addons-spec.yml similarity index 100% rename from manifests/ops-files/addons-spec/addons.yml rename to manifests/ops-files/addons-spec.yml diff --git a/manifests/ops-files/addons-spec/coredns.yml b/manifests/ops-files/addons-spec/coredns.yml deleted file mode 100644 index 49122ea8..00000000 --- a/manifests/ops-files/addons-spec/coredns.yml +++ /dev/null 
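Review bot: Moving the addon specs into the base manifest makes `insecureSkipTLSVerify: true` on the `v1beta1.metrics.k8s.io` APIService, `--kubelet-insecure-tls` on the metrics-server container, and `type: NodePort` on the `kubernetes-dashboard` Service the default for every deployment, whereas before an operator had to opt in through the `addons-spec/` ops-files. If that is intended, the two TLS-bypass settings deserve an inline comment stating why the API server cannot verify the metrics-server serving certificate (presumably the certificate in `metrics-server-certs` is not issued by a CA the API server trusts — confirm), e.g. `# insecureSkipTLSVerify: metrics-server cert is not chained to a CA the API server knows — TODO(review): confirm and drop once it is`. Two smaller inconsistencies sit in the same hunk: the metrics-server Deployment is labelled `version: v0.3.1` but runs `k8s.gcr.io/metrics-server-amd64:v0.3.2`, and the coredns and metrics-server Deployments use `apiVersion: extensions/v1beta1` while the dashboard Deployment already uses `apps/v1`. The `specs:` block lies inside a job properties map whose start is before this hunk.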
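Review bot: `service_accoqunt:` on the worker `cloud_properties` entry is a typo introduced by this hunk; the key would presumably be ignored by the CPI, leaving worker VMs without `((cfcr_worker_service_account_address))` and failing silently rather than at interpolation time. The line should read `service_account: ((cfcr_worker_service_account_address))`. The new `backend_service: ((cfcr_backend_service))` also introduces a variable every GCP deployment must now supply; if it is not documented next to the other GCP variables, a short comment or README entry naming it would help.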
@@ -1,183 +0,0 @@ -- type: replace - path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/specs?/coredns? - value: | - --- - apiVersion: v1 - kind: ServiceAccount - metadata: - name: coredns - namespace: kube-system - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns - subjects: - - kind: ServiceAccount - name: coredns - namespace: kube-system - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: coredns - namespace: kube-system - data: - Corefile: | - .:53 { - errors - health - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - upstream - fallthrough in-addr.arpa ip6.arpa - } - prometheus :9153 - proxy . 
/etc/resolv.conf { - policy sequential # needed for workloads to be able to use BOSH-DNS - } - cache 30 - loop - reload - loadbalance - } - --- - apiVersion: extensions/v1beta1 - kind: Deployment - metadata: - name: coredns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/name: "CoreDNS" - spec: - replicas: 3 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' - spec: - priorityClassName: system-cluster-critical # Added for Guaranteed Scheduling - serviceAccountName: coredns - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - containers: - - name: coredns - image: coredns/coredns:1.3.1 - imagePullPolicy: IfNotPresent - resources: - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - # NOTE: Security Context is denied unless privileged containers - # are enabled. Once security context can be separated from - # allow-privileged in the release, then this should become - # conditional. 
- # securityContext: - # allowPrivilegeEscalation: false - # capabilities: - # add: - # - NET_BIND_SERVICE - # drop: - # - all - # readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile - --- - apiVersion: v1 - kind: Service - metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - spec: - selector: - k8s-app: kube-dns - clusterIP: ((kubedns_service_ip)) - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP diff --git a/manifests/ops-files/addons-spec/kubernetes-dashboard.yml b/manifests/ops-files/addons-spec/kubernetes-dashboard.yml deleted file mode 100644 index c6f7b9ce..00000000 --- a/manifests/ops-files/addons-spec/kubernetes-dashboard.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- type: replace - path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/specs?/kubernetes-dashboard? - value: | - # Copyright 2017 The Kubernetes Authors. - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - - # Configuration to deploy release version of the Dashboard UI compatible with - # Kubernetes 1.8. - # - # Example usage: kubectl create -f - - --- - # ------------------- Dashboard Service Account ------------------- # - - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system - - --- - # ------------------- Dashboard Role & Role Binding ------------------- # - - kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-minimal - namespace: kube-system - rules: - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. Added separately from Addons Spec - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 
- - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubernetes-dashboard-minimal - subjects: - - kind: ServiceAccount - name: kubernetes-dashboard - namespace: kube-system - - --- - # ------------------- Dashboard Config ------------------- # - - apiVersion: v1 - kind: ConfigMap - metadata: - name: kubernetes-dashboard-settings - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - --- - # ------------------- Dashboard Deployment ------------------- # - - apiVersion: apps/v1 - kind: Deployment - metadata: - name: kubernetes-dashboard - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - spec: - selector: - matchLabels: - k8s-app: kubernetes-dashboard - template: - metadata: - labels: - k8s-app: kubernetes-dashboard - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' - spec: - priorityClassName: system-cluster-critical - containers: - - name: kubernetes-dashboard - image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 50m - memory: 100Mi - ports: - - containerPort: 8443 - protocol: TCP - args: - - --default-cert-dir=/certs - - --tls-cert-file=kubernetes-dashboard-cert - - --tls-key-file=kubernetes-dashboard-key - # Uncomment the following line - # Create on-disk volume to store exec logs - volumeMounts: - - mountPath: /tmp - name: tmp-volume - - mountPath: /certs - name: kubernetes-dashboard-certs - readOnly: true - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 - volumes: - - name: kubernetes-dashboard-certs 
- secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} - serviceAccountName: kubernetes-dashboard - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - # Comment the following tolerations if Dashboard must not be deployed on master - # tolerations: - # - key: node-role.kubernetes.io/master - # effect: NoSchedule - - --- - # ------------------- Dashboard Service ------------------- # - - apiVersion: v1 - kind: Service - metadata: - name: kubernetes-dashboard - namespace: kube-system - labels: - k8s-app: kubernetes-dashboard - spec: - selector: - k8s-app: kubernetes-dashboard - ports: - - port: 443 - targetPort: 8443 - type: NodePort diff --git a/manifests/ops-files/addons-spec/metrics-server.yml b/manifests/ops-files/addons-spec/metrics-server.yml deleted file mode 100644 index f4789cb1..00000000 --- a/manifests/ops-files/addons-spec/metrics-server.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- type: replace - path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/specs?/metrics-server? - value: | - --- - # ------------------- Auth Delegator ------------------- # - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: metrics-server:system:auth-delegator - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator - subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system - - --- - # ------------------- Auth Reader ------------------- # - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: metrics-server-auth-reader - namespace: kube-system - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader - subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system - - --- - # ------------------- Metrics APIService ------------------- # - - apiVersion: apiregistration.k8s.io/v1beta1 - kind: APIService - metadata: - name: v1beta1.metrics.k8s.io - spec: - service: - name: metrics-server - namespace: kube-system - group: metrics.k8s.io - version: v1beta1 - insecureSkipTLSVerify: true - groupPriorityMinimum: 100 - versionPriority: 100 - - --- - # ------------------- Metrics Server Deployment ------------------- # - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: metrics-server - namespace: kube-system - --- - apiVersion: extensions/v1beta1 - kind: Deployment - metadata: - name: metrics-server - namespace: kube-system - labels: - k8s-app: metrics-server - version: v0.3.1 - spec: - selector: - matchLabels: - k8s-app: metrics-server - template: - metadata: - name: metrics-server - labels: - k8s-app: metrics-server - spec: - serviceAccountName: metrics-server - volumes: - # mount in tmp so we can safely use from-scratch images and/or read-only containers - - name: tmp-dir - emptyDir: {} - - name: 
metrics-server-secrets - secret: - secretName: metrics-server-certs - containers: - - name: metrics-server - image: k8s.gcr.io/metrics-server-amd64:v0.3.2 - imagePullPolicy: IfNotPresent - command: - - /metrics-server - - --kubelet-preferred-address-types=InternalIP - - --kubelet-insecure-tls - - --client-ca-file=/var/run/kubernetes/client-ca.crt - - --requestheader-client-ca-file=/var/run/kubernetes/requestheader-client-ca.crt - - --tls-cert-file=/var/run/kubernetes/client.crt - - --tls-private-key-file=/var/run/kubernetes/client.key - ports: - - containerPort: 443 - name: https - protocol: TCP - volumeMounts: - - name: tmp-dir - mountPath: /tmp - - name: metrics-server-secrets - mountPath: /var/run/kubernetes - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - --- - # ------------------- Metrics Server Service ------------------- # - - apiVersion: v1 - kind: Service - metadata: - name: metrics-server - namespace: kube-system - labels: - kubernetes.io/name: "Metrics-server" - spec: - selector: - k8s-app: metrics-server - ports: - - port: 443 - protocol: TCP - targetPort: https - - --- - # ------------------- Resource Reader ------------------- # - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: system:metrics-server - rules: - - apiGroups: - - "" - resources: - - nodes/stats - verbs: - - create - - get - - apiGroups: - - "" - resources: - - pods - - nodes - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - deployments - verbs: - - get - - list - - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: system:metrics-server - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-server - subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system 
diff --git a/manifests/ops-files/change-cidrs.yml b/manifests/ops-files/change-cidrs.yml index cf431c81..422695a8 100644 --- a/manifests/ops-files/change-cidrs.yml +++ b/manifests/ops-files/change-cidrs.yml @@ -7,6 +7,10 @@ path: /instance_groups/name=worker/jobs/name=kubelet/properties/kubelet-configuration/clusterDNS? value: [((kubedns_service_ip))] +- type: replace + path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/specs/coredns/name=service/value/spec/clusterIP + value: ((kubedns_service_ip)) + - type: replace path: /instance_groups/name=worker/jobs/name=flanneld/properties?/pod-network-cidr? value: ((pod_network_cidr)) diff --git a/manifests/ops-files/kubo-local-release.yml b/manifests/ops-files/kubo-local-release.yml index 4983a8dc..f0cd2d61 100644 --- a/manifests/ops-files/kubo-local-release.yml +++ b/manifests/ops-files/kubo-local-release.yml @@ -2,4 +2,5 @@ path: /releases/name=kubo value: name: kubo - version: latest + version: create + url: file://../kubo-release diff --git a/manifests/ops-files/misc/scale-to-one-az.yml b/manifests/ops-files/misc/scale-to-one-az.yml index 5308efa7..9a3faef5 100644 --- a/manifests/ops-files/misc/scale-to-one-az.yml +++ b/manifests/ops-files/misc/scale-to-one-az.yml @@ -4,10 +4,10 @@ # in a single Availability Zone. - type: replace path: /instance_groups/name=master/instances - value: ((master_instance)) + value: 1 - type: replace path: /instance_groups/name=worker/instances - value: ((worker_instance)) + value: 1 - type: replace path: /instance_groups/name=apply-addons/instances value: 1
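Review bot: The new replace op targets `…/specs/coredns/name=service/value/spec/clusterIP` without a `?`, so it fails outright unless the structured coredns spec from the base manifest is still present at that path when this file is applied. That makes its success order-dependent relative to any ops-file that replaces the `specs` property (the renamed `addons-spec.yml` appears to do so given the `-v addons-spec={}` test argument, though its body is not in this diff). A one-line comment above the op such as `# Requires the default coredns spec; apply before any ops-file that replaces apply-specs/properties/specs` would make the ordering constraint explicit.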
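Review bot: `url: file://../kubo-release` is a relative path, which is presumably resolved against the working directory of the `bosh` invocation rather than against this ops-file — confirm, since the two differ when the `bin/` scripts are run from another directory. A comment stating the expected layout, `# expects ../kubo-release relative to the directory bosh is invoked from — TODO(review): confirm`, would save the next person a failed deploy.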