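# Source: github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/ansible/roles/kube-dashboard/templates/kubernetes-dashboard.yaml
#
# Ansible (Jinja2) template for the Kubernetes Dashboard add-on. It is rendered
# first and parsed as YAML afterwards, so the {{ ... }} expressions below are
# replaced by text before any YAML parser sees them.
#
# Two identities are defined here:
#   * kubernetes-dashboard        - the ServiceAccount the pod runs as, bound to
#                                   the namespaced Role kubernetes-dashboard-minimal.
#   * kubernetes-dashboard-admin  - a separate ServiceAccount bound to the
#                                   cluster-admin ClusterRole, with a token Secret.
#                                   It is not mounted into the Dashboard pod.

# ------------------- Dashboard Secret ------------------- #

# Holds the Dashboard's TLS material and is mounted at /certs. It is created
# without data here; the container is started with --auto-generate-certificates.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  # RBAC cannot restrict `create` by resourceNames, so this rule permits
  # creating any Secret in kube-system, not only the key-holder.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  # As above, `create` applies to every ConfigMap name in kube-system.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

---
# ------------------- Dashboard Admin User ------------------- #

# Grants the kubernetes-dashboard-admin ServiceAccount the built-in
# cluster-admin ClusterRole across the whole cluster. Any holder of that
# account's token has unrestricted API access, so the token Secret defined
# further down should be handled as a cluster-admin credential: limit who can
# read Secrets in kube-system and audit reads of it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
    kismatic/dashboard: kubernetes-dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard-admin
    namespace: kube-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    kismatic/dashboard: kubernetes-dashboard-admin
  name: kubernetes-dashboard-admin
  namespace: kube-system

---
# Token Secret for the kubernetes-dashboard-admin ServiceAccount. A token of
# type kubernetes.io/service-account-token does not expire; it stays valid
# until this Secret or the ServiceAccount is deleted.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-admin-secret
  # Set explicitly to match the ServiceAccount above. The token is only
  # populated when the Secret lives in the ServiceAccount's namespace; without
  # this key the Secret lands in whatever namespace is in effect at apply time.
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
    kismatic/dashboard: kubernetes-dashboard-admin
type: kubernetes.io/service-account-token

---
# ------------------- Dashboard Deployment ------------------- #

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  # min(2, number of hosts in the 'worker' inventory group): two replicas,
  # or fewer when there are fewer than two worker nodes.
  replicas: {{ [2, groups['worker'] | length] | min }}
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Prefer (not require) placing replicas on different nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: k8s-app
                      operator: In
                      values:
                        - kubernetes-dashboard
                topologyKey: kubernetes.io/hostname
      containers:
        # NOTE(review): no securityContext is set on this container or pod;
        # confirm whether the image in use supports running as non-root with
        # a read-only root filesystem before adding one.
        - name: kubernetes-dashboard
          image: {{ images.kubernetes_dashboard }}
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 100m
              memory: 300Mi
            requests:
              cpu: 100m
              memory: 100Mi
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Dashboard generates a self-signed certificate at startup, which
            # clients cannot validate against a trusted CA. Supplying a
            # certificate through the kubernetes-dashboard-certs Secret is the
            # alternative.
            - --auto-generate-certificates
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            - name: tmp-volume
              mountPath: /tmp
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      # The pod runs as the minimal account, not kubernetes-dashboard-admin.
      serviceAccountName: kubernetes-dashboard
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"

---
# ------------------- Dashboard Service ------------------- #

# How far the Dashboard is reachable depends on dashboard.options.service_type,
# which is defined outside this template. With NodePort the listener is opened
# on every node at dashboard.options.node_port, so access to that port should
# be limited at the network layer.
# NOTE(review): nodePort is rendered unconditionally; confirm the configured
# service_type always accepts a nodePort value.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: {{ dashboard.options.node_port }}
  selector:
    k8s-app: kubernetes-dashboard
  type: {{ dashboard.options.service_type }}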