From 98a6cd5bce4f97caca2c8c78809ea77a75261bc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Mon, 26 Jun 2017 22:18:29 +0300 Subject: [PATCH] Add RBAC and API Aggregation rules to example manifest --- deploy/README.md | 8 +- deploy/example-deployment.yaml | 149 +++++++++++++++++++++++++++++---- 2 files changed, 134 insertions(+), 23 deletions(-) diff --git a/deploy/README.md b/deploy/README.md index d36e9328..bf58cf6e 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -1,17 +1,13 @@ Example Deployment ================== -1. Make sure you've built the included Dockerfile with `make - docker-build`. The image should be tagged as `cm-adapter:latest`. +1. Make sure you've built the included Dockerfile with `make docker-build`. The image should be tagged as `directxman12/k8s-prometheus-adapter:latest`. 2. Create a secret called `cm-adapter-serving-certs` with two values: - `serving.crt` and `serving.key`. For more information on how to + `serving.crt` and `serving.key`. For more information on how to generate these certificates, see the [auth concepts documentation](https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts/auth.md) in the apiserver-builder repository. 3. `kubectl create -f example-deployment.yaml`, modifying as necessary to point to your prometheus server. - - - diff --git a/deploy/example-deployment.yaml b/deploy/example-deployment.yaml index a21f62a4..69c7a248 100644 --- a/deploy/example-deployment.yaml +++ b/deploy/example-deployment.yaml 
@@ -1,34 +1,100 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: custom-metrics +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: custom-metrics-apiserver + namespace: custom-metrics +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: custom-metrics:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: custom-metrics +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: custom-metrics-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: custom-metrics +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: custom-metrics-resource-reader +rules: +- apiGroups: + - "" + resources: + - namespaces + - pods + - services + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: custom-metrics-resource-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-resource-reader +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: custom-metrics +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: - app: cm-adapter - name: cm-adapter + app: custom-metrics-apiserver + name: custom-metrics-apiserver spec: replicas: 1 selector: matchLabels: - app: cm-adapter + app: custom-metrics-apiserver template: metadata: labels: - app: cm-adapter - name: cm-adapter + app: custom-metrics-apiserver + name: custom-metrics-apiserver spec: + serviceAccountName: custom-metrics-apiserver containers: - - name: cm-adapter - image: cm-adapter - imagePullPolicy: Never + - name: custom-metrics-apiserver + 
image: directxman12/k8s-prometheus-adapter args: - - "/cm-adapter" - - "--secure-port=6443" - - "--tls-cert-file=/var/run/serving-cert/serving.crt" - - "--tls-private-key-file=/var/run/serving-cert/serving.key" - - "--logtostderr=true" - - "--prometheus-url=http://prometheus.prom.svc:9090/" - - "--metrics-relist-interval=30s" - - "--rate-interval=30s" - - "--v=10" + - /adapter + - --secure-port=6443 + - --tls-cert-file=/var/run/serving-cert/serving.crt + - --tls-private-key-file=/var/run/serving-cert/serving.key + - --logtostderr=true + - --prometheus-url=http://prometheus.prom.svc:9090/ + - --metrics-relist-interval=30s + - --rate-interval=30s + - --v=10 ports: - containerPort: 6443 volumeMounts: @@ -39,3 +105,52 @@ spec: - name: volume-serving-cert secret: secretName: cm-adapter-serving-certs +--- +apiVersion: v1 +kind: Service +metadata: + name: api + namespace: custom-metrics +spec: + ports: + - port: 443 + targetPort: 6443 + selector: + app: custom-metrics-apiserver +--- +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.custom-metrics.metrics.k8s.io +spec: + insecureSkipTLSVerify: true + group: custom-metrics.metrics.k8s.io + priority: 150 + service: + name: api + namespace: custom-metrics + version: v1alpha1 +--- +# Make a ClusterRole so that the HPA controller is able to read the custom metrics this adapter provides +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: custom-metrics-server-resources +rules: +- apiGroups: + - custom-metrics.metrics.k8s.io + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: hpa-controller-custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-server-resources +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system \ No newline at end of file
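Review bot: The new container line `image: directxman12/k8s-prometheus-adapter` carries no tag or digest and the commit drops `imagePullPolicy: Never`, so by Kubernetes defaults the pod pulls `:latest` on each start while running as the service account that this same hunk binds to `system:auth-delegator`. Pin what gets deployed, for example `image: directxman12/k8s-prometheus-adapter:<release-tag>` or an `@sha256:<digest>` reference (both placeholders; the page names no release). Separately, the Deployment's `metadata` gains no `namespace: custom-metrics`, although the ServiceAccount named by `serviceAccountName` is created in that namespace, so the README's plain `kubectl create -f example-deployment.yaml` would presumably put the pod in a namespace where that account is missing; adding `namespace: custom-metrics` under the Deployment's `metadata` would fix this. The Deployment document continues past the end of this hunk, so the volume and secret wiring is not covered by this note.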
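Review bot: `insecureSkipTLSVerify: true` on the new APIService means the aggregation layer does not verify the serving certificate of the `api` Service it proxies to, so the `serving.crt` that the README asks the user to create does nothing to authenticate the backend. Because a CA is already needed to issue that certificate, the manifest could drop the line and carry `caBundle: <base64-encoded CA certificate>` instead (placeholder value). In the same hunk the ClusterRole `custom-metrics-server-resources` grants `verbs: ["*"]` although its own comment says the HPA controller only needs to read the metrics; `verbs: ["get", "list"]` is presumably sufficient and should be confirmed against the controller's requests.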