dsk-dev kubespray 이동

2023-12-19 14:31:22 +09:00
parent a35325e16b
commit 5671a92148
2568 changed files with 0 additions and 0 deletions
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/auth-delegator.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/auth-delegator.yaml.j2
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-server:system:auth-delegator
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/auth-reader.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/auth-reader.yaml.j2
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: metrics-server-auth-reader
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2
@@ -0,0 +1,15 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1beta1.metrics.k8s.io
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  service:
+    name: metrics-server
+    namespace: kube-system
+  group: metrics.k8s.io
+  version: v1beta1
+  insecureSkipTLSVerify: {{ metrics_server_kubelet_insecure_tls }}
+  groupPriorityMinimum: 100
+  versionPriority: 100
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
@@ -0,0 +1,107 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: metrics-server
+    addonmanager.kubernetes.io/mode: Reconcile
+    version: {{ metrics_server_version }}
+spec:
+  replicas: {{ metrics_server_replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: metrics-server
+      version: {{ metrics_server_version }}
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      name: metrics-server
+      labels:
+        app.kubernetes.io/name: metrics-server
+        version: {{ metrics_server_version }}
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      hostNetwork: {{ metrics_server_host_network | default(false) }}
+      containers:
+      - name: metrics-server
+        image: {{ metrics_server_image_repo }}:{{ metrics_server_image_tag }}
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        args:
+        - --logtostderr
+        - --cert-dir=/tmp
+        - --secure-port={{ metrics_server_container_port }}
+{% if metrics_server_kubelet_preferred_address_types %}
+        - --kubelet-preferred-address-types={{ metrics_server_kubelet_preferred_address_types }}
+{% endif %}
+        - --kubelet-use-node-status-port
+{% if metrics_server_kubelet_insecure_tls %}
+        - --kubelet-insecure-tls
+{% endif %}
+        - --metric-resolution={{ metrics_server_metric_resolution }}
+        ports:
+        - containerPort: {{ metrics_server_container_port }}
+          name: https
+          protocol: TCP
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+        livenessProbe:
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+          failureThreshold: 3
+          initialDelaySeconds: 40
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+          failureThreshold: 3
+          initialDelaySeconds: 40
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsNonRoot: true
+          runAsUser: 10001
+          allowPrivilegeEscalation: false
+        resources:
+          limits:
+            cpu: {{ metrics_server_limits_cpu }}
+            memory: {{ metrics_server_limits_memory }}
+          requests:
+            cpu: {{ metrics_server_requests_cpu }}
+            memory: {{ metrics_server_requests_memory }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
+{% if not masters_are_not_tainted %}
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+{% endif %}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - metrics-server
+              topologyKey: kubernetes.io/hostname
+              namespaces:
+              - kube-system
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-sa.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-sa.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-service.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/metrics-server-service.yaml.j2
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics-server
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    app.kubernetes.io/name: "metrics-server"
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: metrics-server
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/resource-reader-clusterrolebinding.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/resource-reader-clusterrolebinding.yaml.j2
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metrics-server
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
--- a/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/resource-reader.yaml.j2
+++ b/ansible/kubespray/roles/kubernetes-apps/metrics_server/templates/resource-reader.yaml.j2
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metrics-server
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+      - nodes/metrics
+    verbs:
+      - get
+      - list
+      - watch