From 16e5b73622d0018ef7acf7554029515624a8bf45 Mon Sep 17 00:00:00 2001 
From: Teck Meng Date: Mon, 15 Jul 2024 19:25:57 +0800 Subject: [PATCH] Refactor Kubernetes configuration to use Traefik for dashboard routing --- kubernetes/ccm.yaml | 80 +++++++ kubernetes/config/kubeconfig.yaml | 19 ++ kubernetes/coredns.yaml | 191 +++++++++++++++ kubernetes/k3s.yml | 86 ++++--- kubernetes/local-storage.yaml | 100 ++++++++ kubernetes/manifests/ccm.yaml | 118 ++++++++++ kubernetes/manifests/coredns.yaml | 219 ++++++++++++++++++ kubernetes/manifests/local-storage.yaml | 134 +++++++++++ .../aggregated-metrics-reader.yaml | 12 + .../metrics-server/auth-delegator.yaml | 13 ++ .../manifests/metrics-server/auth-reader.yaml | 14 ++ .../metrics-server/metrics-apiservice.yaml | 14 ++ .../metrics-server-deployment.yaml | 90 +++++++ .../metrics-server-service.yaml | 18 ++ .../metrics-server/resource-reader.yaml | 34 +++ kubernetes/manifests/rolebindings.yaml | 91 ++++++++ kubernetes/manifests/runtimes.yaml | 59 +++++ .../aggregated-metrics-reader.yaml | 12 + kubernetes/metrics-server/auth-delegator.yaml | 13 ++ kubernetes/metrics-server/auth-reader.yaml | 14 ++ .../metrics-server/metrics-apiservice.yaml | 14 ++ .../metrics-server-deployment.yaml | 36 +++ .../metrics-server-service.yaml | 16 ++ .../metrics-server/resource-reader.yaml | 30 +++ kubernetes/rolebindings.yaml | 62 +++++ 25 files changed, 1460 insertions(+), 29 deletions(-) create mode 100644 kubernetes/ccm.yaml create mode 100644 kubernetes/config/kubeconfig.yaml create mode 100644 kubernetes/coredns.yaml create mode 100644 kubernetes/local-storage.yaml create mode 100644 kubernetes/manifests/ccm.yaml create mode 100644 kubernetes/manifests/coredns.yaml create mode 100644 kubernetes/manifests/local-storage.yaml create mode 100644 kubernetes/manifests/metrics-server/aggregated-metrics-reader.yaml create mode 100644 kubernetes/manifests/metrics-server/auth-delegator.yaml create mode 100644 kubernetes/manifests/metrics-server/auth-reader.yaml create mode 100644 
kubernetes/manifests/metrics-server/metrics-apiservice.yaml create mode 100644 kubernetes/manifests/metrics-server/metrics-server-deployment.yaml create mode 100644 kubernetes/manifests/metrics-server/metrics-server-service.yaml create mode 100644 kubernetes/manifests/metrics-server/resource-reader.yaml create mode 100644 kubernetes/manifests/rolebindings.yaml create mode 100644 kubernetes/manifests/runtimes.yaml create mode 100644 kubernetes/metrics-server/aggregated-metrics-reader.yaml create mode 100644 kubernetes/metrics-server/auth-delegator.yaml create mode 100644 kubernetes/metrics-server/auth-reader.yaml create mode 100644 kubernetes/metrics-server/metrics-apiservice.yaml create mode 100644 kubernetes/metrics-server/metrics-server-deployment.yaml create mode 100644 kubernetes/metrics-server/metrics-server-service.yaml create mode 100644 kubernetes/metrics-server/resource-reader.yaml create mode 100644 kubernetes/rolebindings.yaml diff --git a/kubernetes/ccm.yaml b/kubernetes/ccm.yaml new file mode 100644 index 0000000..b0e9049 --- /dev/null +++ b/kubernetes/ccm.yaml 
@@ -0,0 +1,80 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cloud-controller-manager +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - services + verbs: + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cloud-controller-manager +subjects: +- kind: User + name: cloud-controller-manager + namespace: kube-system diff --git a/kubernetes/config/kubeconfig.yaml b/kubernetes/config/kubeconfig.yaml new file mode 100644 index 0000000..5eeac03 --- /dev/null +++ b/kubernetes/config/kubeconfig.yaml 
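Review bot: This ClusterRole/ClusterRoleBinding pair duplicates the `k3s-cloud-controller-manager` objects added in `kubernetes/manifests/ccm.yaml` by the same commit, under a different name and with a narrower rule set, so two copies of one component's RBAC now live in the tree and will drift; the same two-directory duplication applies to `kubernetes/coredns.yaml`, `kubernetes/local-storage.yaml` and `kubernetes/metrics-server/*` versus their `kubernetes/manifests/` counterparts. These look like the manifests k3s itself writes into its server manifests directory, and since this commit also replaces the `./:/var/lib/rancher/k3s/server/manifests` bind mount with a named volume, as far as the diff shows neither copy is applied automatically any more. The intended apply path should be stated at the top of the file, e.g. `# Bundled k3s manifest kept for reference; the applied copy is kubernetes/manifests/ccm.yaml`. Minor: `namespace: kube-system` on a `kind: User` subject carries no meaning for RBAC (namespace only identifies ServiceAccount subjects), and this file quotes the wildcard as `'*'` while the manifests copy uses `"*"`.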
@@ -0,0 +1,19 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: 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 + server: https://127.0.0.1:6443 + name: default +contexts: +- context: + cluster: default + user: default + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: default + user: + client-certificate-data: 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 + client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU55ZFM4ckZGYTR5L1pXKzNkL3R4cmZXbnNuakVLSnBZdGFSeFA0d0p3NlFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcE1wOWxEeEwvYUxqenZSUUZ5dG9xTWZ2K0dvK3lVMTVoeXZ1eHhIUE14ZGJNZXVBRDk4OApUUkU0eld3WkdSWElySnJ1WEUrSDR5Vk42aGhNMHpzWlVBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= diff --git a/kubernetes/coredns.yaml b/kubernetes/coredns.yaml new file mode 100644 index 0000000..6d09684 --- /dev/null +++ b/kubernetes/coredns.yaml 
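Review bot: This file commits a live client credential: `client-key-data` is a base64 EC private key (the value decodes to a `-----BEGIN EC PRIVATE KEY-----` block) paired with `client-certificate-data` for the `default` user against `https://127.0.0.1:6443`, presumably the kubeconfig k3s writes into `./config` via `K3S_KUBECONFIG_OUTPUT`. Anyone with read access to the repository history can use it to authenticate to that cluster, and deleting the file in a later commit does not remove it from history. The file should be dropped from this commit, `kubernetes/config/` added to `.gitignore` (the compose file already mounts that directory as the kubeconfig output), and the cluster's client certificates regenerated, e.g. by recreating the cluster so k3s issues a new key. If a sample is wanted in the repo, keep a redacted copy under a different name with placeholder values such as `client-key-data: <REDACTED>`.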
@@ -0,0 +1,191 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: coredns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:coredns +subjects: +- kind: ServiceAccount + name: coredns + namespace: kube-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +data: + Corefile: | + .:53 { + errors + health + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + upstream + fallthrough in-addr.arpa ip6.arpa + } + hosts /etc/coredns/NodeHosts { + reload 1s + fallthrough + } + prometheus :9153 + forward . 
/etc/resolv.conf + cache 30 + loop + reload + loadbalance + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coredns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/name: "CoreDNS" +spec: + #replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + spec: + serviceAccountName: coredns + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - name: coredns + image: coredns/coredns:1.6.3 + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /ready + port: 8181 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns + items: + - key: Corefile + path: Corefile + - key: NodeHosts + path: NodeHosts +--- +apiVersion: v1 +kind: Service +metadata: + name: kube-dns + namespace: kube-system + annotations: + prometheus.io/port: "9153" + prometheus.io/scrape: "true" + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "CoreDNS" +spec: + selector: + k8s-app: kube-dns + clusterIP: 10.43.0.10 + 
ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP diff --git a/kubernetes/k3s.yml b/kubernetes/k3s.yml index 29ea4f4..ed4129a 100644 --- a/kubernetes/k3s.yml +++ b/kubernetes/k3s.yml 
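Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the `system:coredns` ClusterRole and ClusterRoleBinding was removed from Kubernetes in v1.22, so this file cannot be applied to the `rancher/k3s:${K3S_VERSION:-latest}` image that `k3s.yml` now defaults to; the same removed API version appears in `kubernetes/local-storage.yaml`, `kubernetes/metrics-server/auth-delegator.yaml` and `kubernetes/metrics-server/auth-reader.yaml`, and `kubernetes/metrics-server/metrics-apiservice.yaml` uses `apiregistration.k8s.io/v1beta1`, which went away in the same release. The `kubernetes/manifests/` copies added in this commit already carry the `v1` versions, `rancher/mirrored-coredns-coredns:1.10.1` instead of `coredns/coredns:1.6.3`, and drop the `upstream` directive from the `kubernetes` plugin block, so the older copy here is both stale and shadowed. Either delete these pre-1.22 files or mark them clearly, e.g. `# Legacy k3s manifest (uses APIs removed in Kubernetes 1.22); see kubernetes/manifests/coredns.yaml`. Separately, `nodeSelector: beta.kubernetes.io/os: linux` is the deprecated form of `kubernetes.io/os`, which the newer copy already uses.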
@@ -1,30 +1,58 @@ -server: - image: rancher/k3s:v1.17.2-k3s1 - command: server --disable-agent --no-deploy traefik - environment: - - K3S_CLUSTER_SECRET=somethingtotallyrandom - - K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml - - K3S_KUBECONFIG_MODE=666 - volumes: - # k3s will generate a kubeconfig.yaml in this directory. This volume is mounted - # on your host, so you can then 'export KUBECONFIG=/somewhere/on/your/host/out/kubeconfig.yaml', - # in order for your kubectl commands to work. - - ./config:/output - # This directory is where you put all the (yaml) configuration files of - # the Kubernetes resources. - - ./:/var/lib/rancher/k3s/server/manifests - ports: - - 6443:6443 +# to run define K3S_TOKEN, K3S_VERSION is optional, eg: +# K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM} docker compose -f k3s.yml up -d +services: + server: + image: "rancher/k3s:${K3S_VERSION:-latest}" + command: server --disable-agent --disable traefik + tmpfs: + - /run + - /var/run + ulimits: + nproc: 65535 + nofile: + soft: 65535 + hard: 65535 + privileged: true + restart: always + environment: + - K3S_TOKEN=${K3S_TOKEN:?err} + - K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml + - K3S_KUBECONFIG_MODE=666 + volumes: + # k3s will generate a kubeconfig.yaml in this directory. This volume is mounted + # on your host, so you can then 'export KUBECONFIG=/somewhere/on/your/host/out/kubeconfig.yaml', + # in order for your kubectl commands to work. + - ./config:/output + # This directory is where you put all the (yaml) configuration files of + # the Kubernetes resources. 
+ - k3s-server:/var/lib/rancher/k3s + ports: + - 6443:6443 + - 80:80 # Ingress controller port 80 + - 443:443 # Ingress controller port 443 -node: - image: rancher/k3s:v1.17.2-k3s1 - privileged: true - links: - - server - environment: - - K3S_URL=https://server:6443 - - K3S_CLUSTER_SECRET=somethingtotallyrandom - volumes: - # this is where you would place a alternative traefik image (saved as a .tar file with - # 'docker save'), if you want to use it, instead of the traefik:v3.0 image. - - ~/custom-image:/var/lib/rancher/k3s/agent/images \ No newline at end of file + node: + image: "rancher/k3s:${K3S_VERSION:-latest}" + tmpfs: + - /run + - /var/run + ulimits: + nproc: 65535 + nofile: + soft: 65535 + hard: 65535 + privileged: true + restart: always + links: + - server + environment: + - K3S_TOKEN=${K3S_TOKEN:?err} + - K3S_URL=https://server:6443 + volumes: + # this is where you would place a alternative traefik image (saved as a .tar file with + # 'docker save'), if you want to use it, instead of the traefik:v3.0 image. + - k3s-agent:/var/lib/rancher/k3s + +volumes: + k3s-server: {} + k3s-agent: {} \ No newline at end of file diff --git a/kubernetes/local-storage.yaml b/kubernetes/local-storage.yaml new file mode 100644 index 0000000..d9c1f90 --- /dev/null +++ b/kubernetes/local-storage.yaml 
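Review bot: `K3S_KUBECONFIG_MODE=666` makes the kubeconfig that k3s writes into `./config` world-readable and world-writable on the host, and that is the file this same commit checks in as `kubernetes/config/kubeconfig.yaml`; `K3S_KUBECONFIG_MODE=600` is enough for the `export KUBECONFIG=...` flow the comment describes. The suggested token in the header comment, `K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM}`, is three 15-bit shell values rather than a cryptographic secret; the comment should point at something like `K3S_TOKEN=$(openssl rand -hex 32)`. The `command` still passes `--disable traefik` while the commit title says Traefik now routes the dashboard and ports 80/443 are newly published for an ingress controller, so if Traefik is meant to run that flag has to go — please confirm. Smaller points: `image: "rancher/k3s:${K3S_VERSION:-latest}"` defaults to a floating tag, so server and agent can pick up different versions across restarts, and the comment above `- k3s-agent:/var/lib/rancher/k3s` still describes the removed `~/custom-image` bind mount. The port mappings should be quoted for consistency with the quoted image string, e.g. `- "80:80"` and `- "443:443"`.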
@@ -0,0 +1,100 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: local-path-provisioner-role +rules: +- apiGroups: [""] + resources: ["nodes", "persistentvolumeclaims"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "persistentvolumes", "pods"] + verbs: ["*"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: local-path-provisioner-bind +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: local-path-provisioner-role +subjects: +- kind: ServiceAccount + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: local-path-provisioner + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app: local-path-provisioner + template: + metadata: + labels: + app: local-path-provisioner + spec: + serviceAccountName: local-path-provisioner-service-account + containers: + - name: local-path-provisioner + image: rancher/local-path-provisioner:v0.0.11 + imagePullPolicy: IfNotPresent + command: + - local-path-provisioner + - start + - --config + - /etc/config/config.json + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: config-volume + configMap: + name: local-path-config +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-path + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: rancher.io/local-path +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: Delete +--- +kind: 
ConfigMap +apiVersion: v1 +metadata: + name: local-path-config + namespace: kube-system +data: + config.json: |- + { + "nodePathMap":[ + { + "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", + "paths":["/var/lib/rancher/k3s/storage"] + } + ] + } diff --git a/kubernetes/manifests/ccm.yaml b/kubernetes/manifests/ccm.yaml new file mode 100644 index 0000000..e8f5403 --- /dev/null +++ b/kubernetes/manifests/ccm.yaml 
@@ -0,0 +1,118 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: k3s-cloud-controller-manager +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - "*" +- apiGroups: + - "" + resources: + - nodes/status + - services/status + verbs: + - patch +- apiGroups: + - "" + resources: + - services + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - get +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - "*" +- apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k3s-cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: k3s-cloud-controller-manager +subjects: +- kind: User + name: k3s-cloud-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k3s-cloud-controller-manager-auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: User + name: k3s-cloud-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k3s-cloud-controller-manager-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: User + name: k3s-cloud-controller-manager + namespace: kube-system 
diff --git a/kubernetes/manifests/coredns.yaml b/kubernetes/manifests/coredns.yaml new file mode 100644 index 0000000..5820232 --- /dev/null +++ b/kubernetes/manifests/coredns.yaml 
@@ -0,0 +1,219 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: coredns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:coredns +subjects: +- kind: ServiceAccount + name: coredns + namespace: kube-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +data: + Corefile: | + .:53 { + errors + health + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + } + hosts /etc/coredns/NodeHosts { + ttl 60 + reload 15s + fallthrough + } + prometheus :9153 + forward . 
/etc/resolv.conf + cache 30 + loop + reload + loadbalance + import /etc/coredns/custom/*.override + } + import /etc/coredns/custom/*.server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coredns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/name: "CoreDNS" +spec: + revisionHistoryLimit: 0 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + spec: + priorityClassName: "system-cluster-critical" + serviceAccountName: coredns + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: linux + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + k8s-app: kube-dns + containers: + - name: coredns + image: "rancher/mirrored-coredns-coredns:1.10.1" + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + - name: custom-config-volume + mountPath: /etc/coredns/custom + readOnly: true + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /ready + port: 8181 + 
scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 2 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns + items: + - key: Corefile + path: Corefile + - key: NodeHosts + path: NodeHosts + - name: custom-config-volume + configMap: + name: coredns-custom + optional: true +--- +apiVersion: v1 +kind: Service +metadata: + name: kube-dns + namespace: kube-system + annotations: + prometheus.io/port: "9153" + prometheus.io/scrape: "true" + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "CoreDNS" +spec: + selector: + k8s-app: kube-dns + clusterIP: 10.43.0.10 + clusterIPs: [10.43.0.10] + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP + ipFamilyPolicy: SingleStack diff --git a/kubernetes/manifests/local-storage.yaml b/kubernetes/manifests/local-storage.yaml new file mode 100644 index 0000000..c3ffb5d --- /dev/null +++ b/kubernetes/manifests/local-storage.yaml 
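Review bot: This is a verbatim copy of the CoreDNS manifest that k3s deploys as a packaged component, and k3s regenerates its packaged component manifests in the server manifests directory on start, so any local edit to this file would be overwritten unless the component is disabled (`--disable coredns` on the server command) and the file is applied from elsewhere — worth confirming against the k3s version in use; as far as this diff shows nothing mounts `kubernetes/manifests/` into the container now that the `./:/var/lib/rancher/k3s/server/manifests` bind mount has been removed from `k3s.yml`. A header comment stating which copy is authoritative would prevent silent drift, e.g. `# Copy of the k3s packaged CoreDNS manifest; k3s rewrites the in-cluster one on start, so customise via the coredns-custom ConfigMap instead`. The Corefile already supports that path through `import /etc/coredns/custom/*.override` backed by the `optional: true` `coredns-custom` volume.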
@@ -0,0 +1,134 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: local-path-provisioner-role +rules: +- apiGroups: [""] + resources: ["nodes", "persistentvolumeclaims", "configmaps", "pods/log"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "persistentvolumes", "pods"] + verbs: ["*"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: local-path-provisioner-bind +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: local-path-provisioner-role +subjects: +- kind: ServiceAccount + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: local-path-provisioner + namespace: kube-system +spec: + revisionHistoryLimit: 0 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app: local-path-provisioner + template: + metadata: + labels: + app: local-path-provisioner + spec: + priorityClassName: "system-node-critical" + serviceAccountName: local-path-provisioner-service-account + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: local-path-provisioner + image: "rancher/local-path-provisioner:v0.0.27" + imagePullPolicy: IfNotPresent + command: + - local-path-provisioner + - start + - --config + - /etc/config/config.json + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: config-volume + configMap: + name: local-path-config +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-path + annotations: + defaultVolumeType: "local" + storageclass.kubernetes.io/is-default-class: "true" +provisioner: rancher.io/local-path +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: Delete +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: local-path-config + namespace: kube-system +data: + config.json: |- + { + "nodePathMap":[ + { + "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", + "paths":["/var/lib/rancher/k3s/storage"] + } + ] + } + setup: |- + #!/bin/sh + set -eu + mkdir -m 0777 -p "${VOL_DIR}" + chmod 700 "${VOL_DIR}/.." + teardown: |- + #!/bin/sh + set -eu + rm -rf "${VOL_DIR}" + helperPod.yaml: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: "rancher/mirrored-library-busybox:1.36.1" + imagePullPolicy: IfNotPresent diff --git a/kubernetes/manifests/metrics-server/aggregated-metrics-reader.yaml b/kubernetes/manifests/metrics-server/aggregated-metrics-reader.yaml new file mode 100644 index 0000000..5fbc87c --- /dev/null +++ b/kubernetes/manifests/metrics-server/aggregated-metrics-reader.yaml @@ -0,0 +1,12 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:aggregated-metrics-reader + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] diff --git a/kubernetes/manifests/metrics-server/auth-delegator.yaml b/kubernetes/manifests/metrics-server/auth-delegator.yaml new file mode 100644 index 0000000..87909da --- /dev/null +++ b/kubernetes/manifests/metrics-server/auth-delegator.yaml 
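Review bot: The `setup` script in the `local-path-config` ConfigMap creates every volume directory world-writable (`mkdir -m 0777 -p "${VOL_DIR}"`) and relies on `chmod 700 "${VOL_DIR}/.."` to keep other local users on the node out of it, which is not obvious to a reader and deserves a comment on the `setup:` key, e.g. `# 0777 lets non-root pods write; the 700 on the parent is what isolates volumes from other local users`. The `teardown` script runs `rm -rf "${VOL_DIR}"` with only `set -eu` protecting it; a guard such as `case "${VOL_DIR}" in /var/lib/rancher/k3s/storage/*) ;; *) exit 1;; esac` before the `rm` would stop a mis-set path from deleting outside the storage root. Both scripts are inherited from the upstream local-path-provisioner manifest, so if they are kept as-is the file header should say so.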
@@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system diff --git a/kubernetes/manifests/metrics-server/auth-reader.yaml b/kubernetes/manifests/metrics-server/auth-reader.yaml new file mode 100644 index 0000000..062afa8 --- /dev/null +++ b/kubernetes/manifests/metrics-server/auth-reader.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system diff --git a/kubernetes/manifests/metrics-server/metrics-apiservice.yaml b/kubernetes/manifests/metrics-server/metrics-apiservice.yaml new file mode 100644 index 0000000..40e7bd8 --- /dev/null +++ b/kubernetes/manifests/metrics-server/metrics-apiservice.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta1.metrics.k8s.io +spec: + service: + name: metrics-server + namespace: kube-system + group: metrics.k8s.io + version: v1beta1 + insecureSkipTLSVerify: true + groupPriorityMinimum: 100 + versionPriority: 100 diff --git a/kubernetes/manifests/metrics-server/metrics-server-deployment.yaml b/kubernetes/manifests/metrics-server/metrics-server-deployment.yaml new file mode 100644 index 0000000..971a08a --- /dev/null +++ b/kubernetes/manifests/metrics-server/metrics-server-deployment.yaml 
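Review bot: `insecureSkipTLSVerify: true` on the `v1beta1.metrics.k8s.io` APIService means the kube-aggregator accepts whatever serving certificate the `metrics-server` Service endpoint presents, so the API server has no way to tell a genuine metrics-server from anything else answering on that Service; the same setting is in `kubernetes/metrics-server/metrics-apiservice.yaml`. This matches the upstream k3s manifest, where metrics-server self-signs under `--cert-dir=/tmp`, so the options are to supply `caBundle` with the CA that signs the serving certificate and set `insecureSkipTLSVerify: false`, or to document the trade-off inline, e.g. `# metrics-server self-signs its serving cert (see --cert-dir=/tmp); the aggregator cannot verify it`. Either way the choice should be visible next to the field rather than implicit.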
@@ -0,0 +1,90 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: metrics-server + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metrics-server + namespace: kube-system + labels: + k8s-app: metrics-server +spec: + revisionHistoryLimit: 0 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: metrics-server + template: + metadata: + name: metrics-server + labels: + k8s-app: metrics-server + spec: + priorityClassName: "system-node-critical" + serviceAccountName: metrics-server + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + volumes: + # mount in tmp so we can safely use from-scratch images and/or read-only containers + - name: tmp-dir + emptyDir: {} + containers: + - name: metrics-server + image: "rancher/mirrored-metrics-server:v0.7.0" + args: + - --cert-dir=/tmp + - --secure-port=10250 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + resources: + requests: + cpu: 100m + memory: 70Mi + ports: + - name: https + containerPort: 10250 + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 0 + periodSeconds: 2 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + livenessProbe: + httpGet: + path: /livez + port: https + scheme: HTTPS + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + securityContext: + 
readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + volumeMounts: + - name: tmp-dir + mountPath: /tmp diff --git a/kubernetes/manifests/metrics-server/metrics-server-service.yaml b/kubernetes/manifests/metrics-server/metrics-server-service.yaml new file mode 100644 index 0000000..ec24e64 --- /dev/null +++ b/kubernetes/manifests/metrics-server/metrics-server-service.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: metrics-server + namespace: kube-system + labels: + kubernetes.io/name: "Metrics-server" + kubernetes.io/cluster-service: "true" +spec: + selector: + k8s-app: metrics-server + ports: + - port: 443 + name: https + protocol: TCP + targetPort: https + ipFamilyPolicy: PreferDualStack diff --git a/kubernetes/manifests/metrics-server/resource-reader.yaml b/kubernetes/manifests/metrics-server/resource-reader.yaml new file mode 100644 index 0000000..f378745 --- /dev/null +++ b/kubernetes/manifests/metrics-server/resource-reader.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:metrics-server +rules: +- apiGroups: + - "" + resources: + - nodes/metrics + verbs: + - get +- apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system diff --git a/kubernetes/manifests/rolebindings.yaml b/kubernetes/manifests/rolebindings.yaml new file mode 100644 index 0000000..9a4d1f6 --- /dev/null +++ b/kubernetes/manifests/rolebindings.yaml 
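Review bot: The container `securityContext` at the end of the hunk sets `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser: 1000` and `allowPrivilegeEscalation: false` but neither drops capabilities nor sets a seccomp profile, both of which the restricted Pod Security Standard requires and the CoreDNS deployment in this same commit already does for capabilities. Adding `capabilities:` / `drop: ["ALL"]` and `seccompProfile:` / `type: RuntimeDefault` under the existing `securityContext:` completes the hardening without changing behaviour, since metrics-server binds the unprivileged `--secure-port=10250`. The explicit `--tls-cipher-suites` list and `--kubelet-use-node-status-port` are good, and `--kubelet-insecure-tls` is correctly absent, which means kubelet serving certificates must be valid in the cluster — worth stating in a comment next to the args.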
@@ -0,0 +1,91 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-apiserver-kubelet-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kubelet-api-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: kube-apiserver + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:k3s-controller +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - watch +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + - clustercidrs + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - endpoints + - pods + verbs: + - list + - get + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:k3s-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:k3s-controller +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:k3s-controller + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: clustercidrs-node +rules: +- apiGroups: + - networking.k8s.io + resources: + - clustercidrs + verbs: + - list + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clustercidrs-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: clustercidrs-node +subjects: + - kind: Group + name: system:nodes + apiGroup: rbac.authorization.k8s.io diff --git a/kubernetes/manifests/runtimes.yaml b/kubernetes/manifests/runtimes.yaml new file mode 100644 index 0000000..fdbc951 --- /dev/null +++ b/kubernetes/manifests/runtimes.yaml 
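Review bot: From what survives of the hunk's whitespace, sequence indentation is inconsistent inside this file: the first `subjects:` list is flush (`- apiGroup: ...`) while the `system:k3s-controller` and `clustercidrs-node` bindings indent their `subjects:` entries, so yamllint's `indentation` rule will flag one form or the other; pick one file-wide. The `kube-apiserver-kubelet-admin` binding grants `system:kubelet-api-admin` (full kubelet API access on every node) to the `kube-apiserver` user, which is the standard binding the API server needs, but a one-line comment saying so, e.g. `# lets the API server proxy exec/logs/port-forward to kubelets`, would stop a later reviewer from treating it as over-broad. `clustercidrs` under `networking.k8s.io` refers to an alpha API that was removed in Kubernetes 1.29; RBAC rules on unknown resources are harmless, but the rule is dead on a current `latest` image and could carry a note to that effect.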
@@ -0,0 +1,59 @@ +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: nvidia +handler: nvidia +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: nvidia-experimental +handler: nvidia-experimental +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: crun +handler: crun +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: lunatic +handler: lunatic +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: slight +handler: slight +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: spin +handler: spin +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: wws +handler: wws +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: wasmedge +handler: wasmedge +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: wasmer +handler: wasmer +--- +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: wasmtime +handler: wasmtime \ No newline at end of file diff --git a/kubernetes/metrics-server/aggregated-metrics-reader.yaml b/kubernetes/metrics-server/aggregated-metrics-reader.yaml new file mode 100644 index 0000000..5fbc87c --- /dev/null +++ b/kubernetes/metrics-server/aggregated-metrics-reader.yaml @@ -0,0 +1,12 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:aggregated-metrics-reader + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] diff --git a/kubernetes/metrics-server/auth-delegator.yaml b/kubernetes/metrics-server/auth-delegator.yaml new file mode 100644 index 0000000..e3442c5 --- /dev/null +++ b/kubernetes/metrics-server/auth-delegator.yaml 
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/kubernetes/metrics-server/auth-reader.yaml b/kubernetes/metrics-server/auth-reader.yaml
new file mode 100644
index 0000000..f0616e1
--- /dev/null
+++ b/kubernetes/metrics-server/auth-reader.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/kubernetes/metrics-server/metrics-apiservice.yaml b/kubernetes/metrics-server/metrics-apiservice.yaml
new file mode 100644
index 0000000..08b0530
--- /dev/null
+++ b/kubernetes/metrics-server/metrics-apiservice.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
diff --git a/kubernetes/metrics-server/metrics-server-deployment.yaml b/kubernetes/metrics-server/metrics-server-deployment.yaml
new file mode 100644
index 0000000..1ef9457
--- /dev/null
+++ b/kubernetes/metrics-server/metrics-server-deployment.yaml
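Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on this ClusterRoleBinding (and on the RoleBinding in the `auth-reader.yaml` hunk on the same line) was removed from the API server in Kubernetes 1.22, so these two manifests will be rejected on any current k3s release and the metrics-server will have no delegated authn/authz. The v1 schema is identical for these objects, so the fix is the single line `apiVersion: rbac.authorization.k8s.io/v1` in each file. The `resource-reader.yaml` hunk later in this patch already uses v1, so the metrics-server directory is internally inconsistent.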
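Review bot: `insecureSkipTLSVerify: true` makes the kube-apiserver proxy every `metrics.k8s.io` request, together with the front-proxy client certificate and the `X-Remote-User`/`X-Remote-Group` headers identifying the calling user, to whatever answers at the `metrics-server` Service without verifying its serving certificate; anything that can hijack that Service's endpoints inside `kube-system` can impersonate the metrics API, observe those identity headers, and feed forged metrics to HPA. Prefer pinning the metrics-server serving CA with `caBundle: <base64 PEM of the serving CA>` and `insecureSkipTLSVerify: false`, or at minimum a comment above the field recording why verification is skipped and what compensates for it. `apiregistration.k8s.io/v1beta1` was also removed in Kubernetes 1.22; `apiregistration.k8s.io/v1` carries the same fields.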
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ k8s-app: metrics-server
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ template:
+ metadata:
+ name: metrics-server
+ labels:
+ k8s-app: metrics-server
+ spec:
+ serviceAccountName: metrics-server
+ volumes:
+ # mount in tmp so we can safely use from-scratch images and/or read-only containers
+ - name: tmp-dir
+ emptyDir: {}
+ containers:
+ - name: metrics-server
+ image: rancher/metrics-server:v0.3.6
+ volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+
diff --git a/kubernetes/metrics-server/metrics-server-service.yaml b/kubernetes/metrics-server/metrics-server-service.yaml
new file mode 100644
index 0000000..ddf6f4a
--- /dev/null
+++ b/kubernetes/metrics-server/metrics-server-service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+ kubernetes.io/cluster-service: "true"
+spec:
+ selector:
+ k8s-app: metrics-server
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
diff --git a/kubernetes/metrics-server/resource-reader.yaml b/kubernetes/metrics-server/resource-reader.yaml
new file mode 100644
index 0000000..ecafc80
--- /dev/null
+++ b/kubernetes/metrics-server/resource-reader.yaml
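Review bot: The `# mount in tmp so we can safely use ... read-only containers` comment assumes a read-only container, but the `metrics-server` container declares no `securityContext`, so it runs with a writable root filesystem, the image's default user, and the default capability set; the hardening the comment relies on has to be stated explicitly, as below. The image is pinned by tag (`rancher/metrics-server:v0.3.6`) rather than digest and no `resources` are set, so a `kube-system` workload holding a cluster-wide read role is neither supply-chain-pinned nor resource-bounded. The Service hunk on this same line targets port 443, so if the container is made non-root you must either keep `NET_BIND_SERVICE` or move `--secure-port` above 1024 and change `targetPort` to match; the container args are not visible here, so confirm which applies, and set `runAsUser` if the image's default user is root (otherwise `runAsNonRoot` will refuse to start it).
```yaml
      containers:
      - name: metrics-server
        image: rancher/metrics-server:v0.3.6
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: volumeMounts …
```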
@@ -0,0 +1,30 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - nodes/stats
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
diff --git a/kubernetes/rolebindings.yaml b/kubernetes/rolebindings.yaml
new file mode 100644
index 0000000..36bc949
--- /dev/null
+++ b/kubernetes/rolebindings.yaml
@@ -0,0 +1,62 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-apiserver-kubelet-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:kubelet-api-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: kube-apiserver
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:k3s-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - pods
+ verbs:
+ - list
+ - get
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:k3s-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:k3s-controller
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:k3s-controller
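Review bot: `kubernetes/rolebindings.yaml` is a second copy of `kubernetes/manifests/rolebindings.yaml` from earlier in this patch, and the two already diverge: the `system:k3s-controller` ClusterRole here omits the `clustercidrs` resource and the `clustercidrs-node` role and binding are absent. Two RBAC definitions for the same subject that drift end up either over-granting or breaking the controller depending on which copy is applied last, so keep one, or if both are intentional add a header comment such as `# Mirror of manifests/rolebindings.yaml for <purpose>; keep in sync` naming the authoritative copy. The diffstat shows the same duplication for ccm, coredns, local-storage and the metrics-server files, so the decision should be taken once for the whole tree.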