update components

2024-05-18 15:06:04 +08:00 · 2024-05-18 15:06:04 +08:00 · a9bd7f4163
parent 1cc6b8c878
commit a9bd7f4163
3 changed files with 58 additions and 24 deletions
--- a/16
+++ b/16
@ -13,14 +13,14 @@ set -o pipefail
 #set -o xtrace

 # default settings, can be overridden by cmd line options, see usage
-DOCKER_VER=25.0.3
+DOCKER_VER=26.1.3
 KUBEASZ_VER=3.6.3
-K8S_BIN_VER=v1.29.2
+K8S_BIN_VER=v1.30.1
 # https://github.com/easzlab/dockerfile-kubeasz-ext-bin
-EXT_BIN_VER=1.10.0
+EXT_BIN_VER=1.10.1
 # https://github.com/easzlab/dockerfile-kubeasz-sys-pkg
-SYS_PKG_VER=1.0.0
-HARBOR_VER=v2.8.4
+SYS_PKG_VER=1.0.1
+HARBOR_VER=v2.10.2
 REGISTRY_MIRROR=CN

 # images downloaded by default(with 'ezdown -D')
@ -29,11 +29,11 @@ calicoVer=v3.26.4
 # https://github.com/coredns/coredns
 corednsVer=1.11.1
 # https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/
-dnsNodeCacheVer=1.22.23
+dnsNodeCacheVer=1.22.28
 dashboardVer=v2.7.0
 dashboardMetricsScraperVer=v1.0.8
 # https://github.com/kubernetes-sigs/metrics-server
-metricsVer=v0.6.4
+metricsVer=v0.7.1
 pauseVer=3.9

 # images not downloaded by default(only download  with 'ezdown -X ***')
@ -46,7 +46,7 @@ kubeRouterVer=v1.5.4
 # https://github.com/kubeovn/kube-ovn
 kubeOvnVer=v1.11.5
 # https://github.com/rancher/local-path-provisioner
-localpathProvisionerVer=v0.0.24
+localpathProvisionerVer=v0.0.26
 # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
 nfsProvisionerVer=v4.0.2
 #https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
--- a/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2
+++ b/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2
@ -5,24 +5,50 @@ metadata:
  name: local-path-provisioner-service-account
  namespace: kube-system

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: local-path-provisioner-role
 rules:
-  - apiGroups: [ "" ]
-    resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
-    verbs: [ "get", "list", "watch" ]
-  - apiGroups: [ "" ]
-    resources: [ "endpoints", "persistentvolumes", "pods" ]
-    verbs: [ "*" ]
-  - apiGroups: [ "" ]
-    resources: [ "events" ]
-    verbs: [ "create", "patch" ]
-  - apiGroups: [ "storage.k8s.io" ]
-    resources: [ "storageclasses" ]
-    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [""]
+    resources: ["nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: kube-system

 ---
 apiVersion: rbac.authorization.k8s.io/v1
@ -117,9 +143,12 @@ data:
    metadata:
      name: helper-pod
    spec:
+      priorityClassName: system-node-critical
+      tolerations:
+        - key: node.kubernetes.io/disk-pressure
+          operator: Exists
+          effect: NoSchedule
      containers:
      - name: helper-pod
        image: easzlab.io.local:5000/rancher/local-path-provisioner:{{ local_path_provisioner_ver }}
        imagePullPolicy: IfNotPresent
-
-
--- a/roles/cluster-addon/templates/metrics-server/components.yaml.j2
+++ b/roles/cluster-addon/templates/metrics-server/components.yaml.j2
@ -133,7 +133,7 @@ spec:
      containers:
      - args:
        - --cert-dir=/tmp
-        - --secure-port=4443
+        - --secure-port=10250
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
@ -150,7 +150,7 @@ spec:
          periodSeconds: 10
        name: metrics-server
        ports:
-        - containerPort: 4443
+        - containerPort: 10250
          name: https
          protocol: TCP
        readinessProbe:
@ -167,9 +167,14 @@ spec:
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir