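# Namespace every namespaced object in this file is intended to live in.
# The RoleBinding/ClusterRoleBinding subjects and the Deployment's
# --namespace flag refer to it by this exact name.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
# Document separator was missing here, which fused the Namespace and the
# following ServiceAccount into one document with duplicate top-level keys.
---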
# Identity the dashboard pod runs as (see serviceAccountName in the
# Deployment). NOTE(review): no metadata.namespace is set on this or the
# other namespaced objects below; they must be applied into
# kubernetes-dashboard for the binding subjects and the --namespace flag
# to line up.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
---
# Created empty; mounted at /certs by the Deployment, and the Role below
# grants the dashboard get/update/delete on it by name.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-certs
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
type: Opaque
---
# kubernetes-dashboard-csrf
# Created empty; the Role below grants the dashboard get/update/delete on
# it by name. Only ever readable through that Role, so keep it out of any
# broader secrets grant.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-csrf
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
type: Opaque
---
# kubernetes-dashboard-key-holder
# Created empty; the Role below grants the dashboard get/update/delete on
# it by name.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-key-holder
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
type: Opaque
---
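# Settings store the dashboard may get/update (granted by name in the Role
# below). Written as an explicit empty map: a bare `data:` parses as null.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-dashboard-settings
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
data: {}
---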
# Read access to the metrics API for a metrics scraper.
# NOTE(review): the Deployment in this file runs with --metrics-provider=none
# and no scraper is defined here, so this role looks unused — confirm and
# drop it together with its binding if so.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "kubernetes-dashboard-metrics"
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
# Binds the metrics ClusterRole to the dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "kubernetes-dashboard-metrics"
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard-metrics
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
# Namespace-scoped rights the dashboard needs on its own objects. Every rule
# is pinned with resourceNames, so this Role cannot be used to read other
# secrets or config maps in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - kubernetes-dashboard-key-holder
      - kubernetes-dashboard-certs
      - kubernetes-dashboard-csrf
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  # NOTE(review): the Deployment passes --metrics-provider=none and neither a
  # heapster nor a dashboard-metrics-scraper Service is defined in this file,
  # so the two proxy rules below appear to be dead grants — verify and remove.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames:
      - heapster
      - "http:heapster:"
      - "https:heapster:"
      - dashboard-metrics-scraper
      - "http:dashboard-metrics-scraper"
    verbs: ["get"]
---
# Binds the namespace-scoped Role above to the dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
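# Cluster-wide read-only view for the dashboard.
# NOTE(review): the Deployment runs with --enable-skip-login, so a user who
# skips login acts with the dashboard's own ServiceAccount — i.e. everything
# granted here (configmaps and pods/log in every namespace included) is
# available to anyone the Ingress SSO middleware lets through. "secrets" is
# deliberately not listed; keep it that way and prune what the UI does not use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
rules:
  # Other resources
  # (duplicate "persistentvolumeclaims" entry removed; order otherwise kept)
  - apiGroups: [""]
    resources:
      - nodes
      - namespaces
      - pods
      - serviceaccounts
      - services
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - persistentvolumes
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs: ["get", "list", "watch"]

  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs: ["get", "list", "watch"]

  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["get", "list", "watch"]

  # The extensions/v1beta1 workload and networkpolicy APIs were removed in
  # Kubernetes 1.16; on current clusters this rule grants nothing. Harmless,
  # but can go once the cluster version is confirmed.
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs: ["get", "list", "watch"]

  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch"]

  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "volumeattachments"]
    verbs: ["get", "list", "watch"]

  # Read access to RBAC objects lets any UI user enumerate who holds what
  # rights; acceptable for a read-only view but worth knowing.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]
    verbs: ["get", "list", "watch"]
---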
# Grants the cluster-wide read ClusterRole to the dashboard ServiceAccount.
# Because login can be skipped, this binding is effectively the permission
# set of every SSO user of the UI.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
# ClusterIP-only: the dashboard is reachable solely through the Ingress
# below, which is where TLS and SSO are enforced. Port 80 maps to the
# container's plain-HTTP "http" port (9090).
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/component: kubernetes-dashboard
    # Legacy addon-manager label; kept for compatibility.
    kubernetes.io/cluster-service: "true"
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/component: kubernetes-dashboard
  ports:
    - name: http
      port: 80
      targetPort: http
---
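# Dashboard pod. Authentication is delegated entirely to the Ingress SSO
# middleware: login is skipped, login over plain HTTP is allowed, and TLS
# terminates at Traefik (no --tls-* flags are passed, the probe uses HTTP).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/component: kubernetes-dashboard
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # One replica with maxSurge 0: the old pod stops before the new one
      # starts, so a rollout is a short outage by design.
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kubernetes-dashboard
      app.kubernetes.io/component: kubernetes-dashboard
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kubernetes-dashboard
        app.kubernetes.io/component: kubernetes-dashboard
    spec:
      serviceAccountName: kubernetes-dashboard
      containers:
        - name: kubernetes-dashboard
          image: "kubernetesui/dashboard:v2.4.0"
          imagePullPolicy: IfNotPresent
          args:
            - --namespace=kubernetes-dashboard
            - --metrics-provider=none
            # Skipping login makes the UI act with this pod's ServiceAccount,
            # so the ClusterRole bound to it is what every SSO user gets.
            - --enable-skip-login
            - --disable-settings-authorizer
            # Login form is served over HTTP; TLS is terminated by Traefik.
            - --enable-insecure-login
            # Quoted at the YAML level: as a plain scalar the double quotes
            # were part of the argument and ended up in the displayed banner.
            - '--system-banner=Just hit skip!'
          ports:
            - name: http
              containerPort: 9090
              protocol: TCP
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          resources:
            limits:
              cpu: 2
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # Added: the kubelet then refuses to start the container if the
            # image ever defaults to UID 0. Safe here since runAsUser is set.
            runAsNonRoot: true
            runAsGroup: 2001
            runAsUser: 1001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
---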
# Public entry point. TLS via cert-manager, DNS via external-dns, and the
# traefik-sso middleware in front of a dashboard that otherwise lets anyone
# skip login — that middleware is the only authentication step in this setup.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  labels:
    certManager: "true"
    rewriteTarget: "true"
  annotations:
    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # Legacy annotation; networking.k8s.io/v1 also supports spec.ingressClassName.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Do not remove: with --enable-skip-login on the Deployment, nothing else
    # stands between a browser and the dashboard ServiceAccount's permissions.
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - dashboard.k-space.ee
      secretName: dashboard-tls
  rules:
    - host: dashboard.k-space.ee
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80