Fix broken metrics-server deployment not starting (#4651)

* Fix metrics-server deployment

* Make metrics server work

* Fix sample inventory

roles/download/defaults/main.yml

@@ -246,8 +246,8 @@ registry_image_repo: "docker.io/registry"
 registry_image_tag: "2.6"
 registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
 registry_proxy_image_tag: "0.4"
-metrics_server_version: "v0.3.1"
+metrics_server_version: "v0.3.2"
-metrics_server_image_repo: "k8s.gcr.io/metrics-server-amd64"
+metrics_server_image_repo: "gcr.io/google_containers/metrics-server-amd64"
 metrics_server_image_tag: "{{ metrics_server_version }}"
 local_volume_provisioner_image_repo: "quay.io/external_storage/local-volume-provisioner"
 local_volume_provisioner_image_tag: "v2.1.0"

roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2

@@ -32,6 +32,9 @@ spec:
         image: {{ metrics_server_image_repo }}:{{ metrics_server_image_tag }}
         command:
         - /metrics-server
+        - --logtostderr
+        - --cert-dir=/tmp
+        - --secure-port=8443
 {% if metrics_server_kubelet_preferred_address_types %}
         - --kubelet-preferred-address-types={{ metrics_server_kubelet_preferred_address_types }}
 {% endif %}
@@ -40,9 +43,12 @@ spec:
 {% endif %}
         - --metric-resolution={{ metrics_server_metric_resolution }}
         ports:
-        - containerPort: 443
+        - containerPort: 8443
           name: https
           protocol: TCP
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         livenessProbe:
           httpGet:
             path: /healthz
@@ -55,23 +61,20 @@ spec:
         readinessProbe:
           httpGet:
             path: /healthz
-            port: 443
+            port: https
             scheme: HTTPS
           successThreshold: 1
           initialDelaySeconds: 20
           failureThreshold: 3
           timeoutSeconds: 10
         securityContext:
-          # Currently non root is not supported:
+          allowPrivilegeEscalation: false
-          #   https://github.com/kubernetes-incubator/metrics-server/issues/37
-          #
-          # runAsNonRoot: true
-          # runAsUser: 65534
           capabilities:
-            drop:
+            drop: ["all"]
-            - ALL
+          readOnlyRootFilesystem: true
-            add:
+          runAsGroup: 10001
-            - NET_BIND_SERVICE
+          runAsNonRoot: true
+          runAsUser: 10001
       - name: metrics-server-nanny
         image: {{ addon_resizer_image_repo }}:{{ addon_resizer_image_tag }}
         resources:
@@ -112,6 +115,8 @@ spec:
         - name: metrics-server-config-volume
           configMap:
             name: metrics-server-config
+        - name: tmp
+          emptyDir: {}
 {% if not masters_are_not_tainted %}
       tolerations:
         - key: node-role.kubernetes.io/master

tests/files/packet_centos7-flannel-addons.yml

@@ -17,8 +17,7 @@ dns_min_replicas: 1
 kube_encrypt_secret_data: true
 ingress_nginx_enabled: true
 cert_manager_enabled: true
-# Disabled temporarily
+metrics_server_enabled: true
-metrics_server_enabled: false
 metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
 kube_basic_auth: true