metric server集成配置

2018-06-17 10:46:25 +08:00 · 2018-06-17 10:46:25 +08:00 · 1b4864b669
parent 93f72599a9
commit 1b4864b669
9 changed files with 144 additions and 1 deletions
--- a/manifests/metric-server/auth-delegator.yaml
+++ b/manifests/metric-server/auth-delegator.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/manifests/metric-server/auth-reader.yaml
+++ b/manifests/metric-server/auth-reader.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/manifests/metric-server/metrics-apiservice.yaml
+++ b/manifests/metric-server/metrics-apiservice.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1beta1.metrics.k8s.io
+spec:
+  service:
+    name: metrics-server
+    namespace: kube-system
+  group: metrics.k8s.io
+  version: v1beta1
+  insecureSkipTLSVerify: true
+  groupPriorityMinimum: 100
+  versionPriority: 100
--- a/manifests/metric-server/metrics-server-deployment.yaml
+++ b/manifests/metric-server/metrics-server-deployment.yaml
@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    k8s-app: metrics-server
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  template:
+    metadata:
+      name: metrics-server
+      labels:
+        k8s-app: metrics-server
+    spec:
+      serviceAccountName: metrics-server
+      containers:
+      - name: metrics-server
+        #image: gcr.io/google_containers/metrics-server-amd64:v0.2.1
+        image: mirrorgooglecontainers/metrics-server-amd64:v0.2.1
+        imagePullPolicy: Always
+        command:
+        - /metrics-server
+        - --source=kubernetes.summary_api:''
--- a/manifests/metric-server/metrics-server-service.yaml
+++ b/manifests/metric-server/metrics-server-service.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    kubernetes.io/name: "Metrics-server"
+spec:
+  selector:
+    k8s-app: metrics-server
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 443
--- a/manifests/metric-server/resource-reader.yaml
+++ b/manifests/metric-server/resource-reader.yaml
@ -0,0 +1,38 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
+++ b/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
@ -34,6 +34,14 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/lib/audit.log \
  --event-ttl=1h \
+  --requestheader-client-ca-file={{ ca_dir }}/ca.pem \
+  --requestheader-allowed-names=aggregator \
+  --requestheader-extra-headers-prefix=X-Remote-Extra- \
+  --requestheader-group-headers=X-Remote-Group \
+  --requestheader-username-headers=X-Remote-User \
+  --proxy-client-cert-file={{ ca_dir }}/admin.pem \
+  --proxy-client-key-file={{ ca_dir }}/admin-key.pem \
+  --enable-aggregator-routing=true \
  --v=2
 Restart=on-failure
 RestartSec=5
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -34,6 +34,14 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/lib/audit.log \
  --event-ttl=1h \
+  --requestheader-client-ca-file={{ ca_dir }}/ca.pem \
+  --requestheader-allowed-names=aggregator \
+  --requestheader-extra-headers-prefix=X-Remote-Extra- \
+  --requestheader-group-headers=X-Remote-Group \
+  --requestheader-username-headers=X-Remote-User \
+  --proxy-client-cert-file={{ ca_dir }}/admin.pem \
+  --proxy-client-key-file={{ ca_dir }}/admin-key.pem \
+  --enable-aggregator-routing=true \
  --v=2
 Restart=on-failure
 RestartSec=5
--- a/roles/kube-master/templates/kube-controller-manager.service.j2
+++ b/roles/kube-master/templates/kube-controller-manager.service.j2
@ -14,7 +14,7 @@ ExecStart={{ bin_dir }}/kube-controller-manager \
  --cluster-signing-key-file={{ ca_dir }}/ca-key.pem \
  --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
  --root-ca-file={{ ca_dir }}/ca.pem \
-  --horizontal-pod-autoscaler-use-rest-clients=false \
+  --horizontal-pod-autoscaler-use-rest-clients=true \
  --leader-elect=true \
  --v=2
 Restart=on-failure