diff --git a/k8s/core/kubernetes-dashboard/app.yaml b/k8s/core/kubernetes-dashboard/app.yaml
new file mode 100644
index 0000000..0163382
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/app.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubernetes-dashboard
+ namespace: argocd
+spec:
+ project: core
+ destination:
+ namespace: kubernetes-dashboard
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/kubernetes-dashboard
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
+
diff --git a/k8s/core/kubernetes-dashboard/configmap.yaml b/k8s/core/kubernetes-dashboard/configmap.yaml
new file mode 100644
index 0000000..ad102f0
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/configmap.yaml
@@ -0,0 +1,10 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-settings
+ namespace: kubernetes-dashboard
+
+
diff --git a/k8s/core/kubernetes-dashboard/deployments.yaml b/k8s/core/kubernetes-dashboard/deployments.yaml
new file mode 100644
index 0000000..3c8bff5
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/deployments.yaml
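Review bot: `targetRevision: HEAD` in the Application spec tracks whatever the remote's default branch happens to be, and combined with `automated.prune: true` and `selfHeal: true` every push to that branch is applied without review and any resource under `path` that is no longer in Git is deleted. Pin the revision to a named branch, `targetRevision: <branch>` (placeholder, use the repo's real branch), so the deployed revision is stated in the manifest rather than resolved at sync time. A one-line comment above `syncPolicy` such as `# prune+selfHeal: Git is authoritative, manual edits in the namespace are reverted` would also help the next reader understand why runtime changes to these objects disappear.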
@@ -0,0 +1,120 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: kubernetesui/dashboard:v2.7.0
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ - containerPort: 9090
+ protocol: TCP
+ args:
+ - --namespace=kubernetes-dashboard
+ - --enable-skip-login
+ - --disable-settings-authorizer
+ - --enable-insecure-login
+ - --insecure-bind-address=0.0.0.0
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
+ volumes:
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: kubernetes-dashboard-certs
+ - name: tmp-volume
+ emptyDir: {}
+ serviceAccountName: kubernetes-dashboard
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: dashboard-metrics-scraper
+ name: dashboard-metrics-scraper
+ namespace: kubernetes-dashboard
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: dashboard-metrics-scraper
+ template:
+ metadata:
+ labels:
+ k8s-app: dashboard-metrics-scraper
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: dashboard-metrics-scraper
+ image: kubernetesui/metrics-scraper:v1.0.6
+ ports:
+ - containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: 8000
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-volume
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
+ serviceAccountName: kubernetes-dashboard
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ kubernetes.io/os: linux
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ volumes:
+ - name: tmp-volume
+ emptyDir: {}
+
diff --git a/k8s/core/kubernetes-dashboard/kustomization.yaml b/k8s/core/kubernetes-dashboard/kustomization.yaml
index 137e412..fabf9da 100644
--- a/k8s/core/kubernetes-dashboard/kustomization.yaml
+++ b/k8s/core/kubernetes-dashboard/kustomization.yaml
@@ -4,13 +4,8 @@ kind: Kustomization resources: - app.yaml - service-account.yaml - -helmCharts: - - name: kubernetes-dashboard - repo: https://kubernetes.github.io/dashboard - version: 7.11.1 - releaseName: authentik - namespace: authentik - valuesFile: values.yaml - includeCRDs: true
+ - configmap.yaml
+ - secrets.yaml
+ - service.yaml
+ - deployments.yaml
diff --git a/k8s/core/kubernetes-dashboard/secrets.yaml b/k8s/core/kubernetes-dashboard/secrets.yaml
new file mode 100644
index 0000000..cfe71ea
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/secrets.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-certs
+ namespace: kubernetes-dashboard
+type: Opaque
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-csrf
+ namespace: kubernetes-dashboard
+type: Opaque
+data:
+ csrf: ""
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-key-holder
+ namespace: kubernetes-dashboard
+type: Opaque
+
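Review bot: The dashboard container's args combine `--enable-skip-login` with `--enable-insecure-login` and `--insecure-bind-address=0.0.0.0`, so any client that reaches port 9090 (published as the `http` port of the Service in service.yaml) can open a session without authenticating, and because the pod runs as `serviceAccountName: kubernetes-dashboard`, which the `kubernetes-dashboard-admin` ClusterRoleBinding in service-account.yaml binds to `cluster-admin`, a skipped login appears to hand that client the dashboard's own cluster-admin credentials for every API call. Drop `--enable-skip-login` (and `--disable-settings-authorizer`) unless an authenticating proxy is guaranteed to sit in front, and if the plain-HTTP listener must stay, do not bind it to all interfaces without a network restriction. Separately, the first Deployment's pod spec lacks the pod-level `securityContext` with `seccompProfile: type: RuntimeDefault` that the metrics-scraper pod sets; add the same block for consistency. The container mounts the `kubernetes-dashboard-certs` Secret at `/certs` but no `--auto-generate-certificates` flag is passed and that Secret is committed empty, so it is unclear the 8443 port will serve anything; a comment above `args` stating where the certificate is expected to come from would avoid the guesswork.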
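Review bot: `kubernetes-dashboard-csrf` is committed with `data: csrf: ""`, yet the dashboard rewrites that key at runtime (the Role added in service-account.yaml grants it `update` on exactly these three Secrets), and with `selfHeal: true` in app.yaml Argo CD will presumably treat the live value as drift from the empty string in Git and revert it, repeatedly invalidating the running CSRF key. Remove the `data` block so the key is controller-owned like `kubernetes-dashboard-key-holder`, or add an `ignoreDifferences` entry for that Secret's `/data` path in the Application. The `kubernetes-dashboard-certs` Secret is mounted at `/certs` by the Deployment but nothing in this commit populates it; a comment above it such as `# intentionally empty in Git; certificate is provided out of band` (or a note that it is unused) would make the intent explicit.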
diff --git a/k8s/core/kubernetes-dashboard/service-account.yaml b/k8s/core/kubernetes-dashboard/service-account.yaml
index 45d2be0..1f23445 100644
--- a/k8s/core/kubernetes-dashboard/service-account.yaml
+++ b/k8s/core/kubernetes-dashboard/service-account.yaml
@@ -2,19 +2,94 @@ apiVersion: v1 kind: ServiceAccount metadata: + labels: + k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: + labels: + k8s-app: kubernetes-dashboard name: kubernetes-dashboard + namespace: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin + kind: Role + name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +rules: + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics.
+ - apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster", "dashboard-metrics-scraper"]
+ verbs: ["proxy"]
+ - apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+ verbs: ["get"]
+
diff --git a/k8s/core/kubernetes-dashboard/service.yaml b/k8s/core/kubernetes-dashboard/service.yaml
new file mode 100644
index 0000000..5cdb981
--- /dev/null
+++ b/k8s/core/kubernetes-dashboard/service.yaml
@@ -0,0 +1,33 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+spec:
+ ports:
+ - name: https
+ port: 443
+ targetPort: 8443
+ - name: http
+ port: 80
+ targetPort: 9090
+ selector:
+ k8s-app: kubernetes-dashboard
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: dashboard-metrics-scraper
+ name: dashboard-metrics-scraper
+ namespace: kubernetes-dashboard
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ selector:
+ k8s-app: dashboard-metrics-scraper
diff --git a/k8s/core/kubernetes-dashboard/values.yaml b/k8s/core/kubernetes-dashboard/values.yaml
deleted file mode 100644
index d6118e0..0000000
--- a/k8s/core/kubernetes-dashboard/values.yaml
+++ /dev/null
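Review bot: The `kubernetes-dashboard-admin` ClusterRoleBinding grants `cluster-admin` to the same `kubernetes-dashboard` ServiceAccount that the rest of this hunk carefully scopes down to a namespaced Role plus a metrics-only ClusterRole, so those narrower rules have no practical effect and the commit effectively replaces the removed cluster-admin binding with an identical one under a new name. Either drop that binding, or if the dashboard is meant to operate with full rights, state it above the binding with `# Intentional: dashboard SA is cluster-admin; every user who reaches the UI inherits these rights` and make sure deployments.yaml does not also enable skip-login. The `kubernetes-dashboard` ClusterRoleBinding carries `namespace: kubernetes-dashboard` in its metadata, which has no meaning on a cluster-scoped kind and is at best ignored; remove it so the stored object matches Git. The `subjects` sequence under the admin binding is written flush-left while every other sequence in this file is indented one level; pick one style for the file.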
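Review bot: The `kubernetes-dashboard` Service publishes the plain-HTTP listener (`port: 80` → `targetPort: 9090`) as a ClusterIP reachable from every pod in the cluster, and since deployments.yaml starts the dashboard with insecure login and skip-login enabled, that port is an unauthenticated entry point for any workload, not only the ingress that presumably fronts it. If the HTTP port exists only for an authenticating ingress or proxy, either restrict it with a NetworkPolicy that allows ingress to 9090 from that namespace alone, or drop the `http` port and keep `https`. The `https` port forwards to 8443, but nothing in this commit supplies a certificate for that listener, so confirm it actually serves before relying on it.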
@@ -1,22 +0,0 @@
-kong:
- proxy:
- http:
- enabled: true
-ingress:
- enabled: true
- ingressClassName: traefik
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- acme.cert-manager.io/http01-edit-in-place: "true"
- traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
- hosts:
- - host: master.hexor.cy
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls:
- - secretName: dashboard-tls
- hosts:
- - master.hexor.cy
-service:
- externalPort: 80