From 0771cd859980b4d7f8148101117fc38d62becde1 Mon Sep 17 00:00:00 2001
From: "rong.zhang"
Date: Wed, 13 Dec 2017 13:31:48 +0800
Subject: [PATCH] Remove dashboard_tls_key and dashboard_tls_cert

---
 .../kubernetes-apps/ansible/defaults/main.yml |  8 --
 .../ansible/templates/dashboard.yml.j2        | 74 ++++++------------
 2 files changed, 24 insertions(+), 58 deletions(-)

diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 2314f34f6..828052673 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -42,8 +42,6 @@ netchecker_server_memory_requests: 64M
 dashboard_enabled: true
 dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64
 dashboard_image_tag: v1.8.0
-dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64
-dashboard_init_image_tag: v1.0.1
 
 # Limits for dashboard
 dashboard_cpu_limit: 100m
@@ -54,12 +52,6 @@ dashboard_memory_requests: 64M
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
-# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
-# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
-dashboard_use_custom_certs: false
-dashboard_certs_secret_name: kubernetes-dashboard-certs
-dashboard_tls_key_file: dashboard.key
-dashboard_tls_cert_file: dashboard.crt
 
 rbac_resources:
   - sa
diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
index b16ddd467..90eee47ba 100644
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Configuration to deploy release version of the Dashboard UI compatible with
-# Kubernetes 1.7.
+# Kubernetes 1.8.
 #
 # Example usage: kubectl create -f 
@@ -43,28 +43,41 @@ metadata:
 # ------------------- Dashboard Role & Role Binding ------------------- #
 
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kubernetes-dashboard-minimal
   namespace: {{ system_namespace }}
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["create", "watch"]
+  verbs: ["create"]
+  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
   resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
   resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
   verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
   # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
   resources: ["services"]
   resourceNames: ["heapster"]
   verbs: ["proxy"]
+- apiGroups: [""]
+  resources: ["services/proxy"]
+  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+  verbs: ["get"]
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: kubernetes-dashboard-minimal
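Review bot: The unscoped `create` on `secrets` and `configmaps` in the two new "create" rules lets the dashboard service account create any secret or config map in `{{ system_namespace }}`, not only the named objects the comments describe; RBAC cannot apply `resourceNames` to `create`, so the grant is as tight as it can be, but the comments should state that rather than imply a per-name grant. Suggest `# NOTE: resourceNames cannot restrict 'create' — this allows creating any secret in the namespace.` above the first rule, and the equivalent above the configmaps rule. Separately, the retained `verbs: ["proxy"]` rule on `services` and the new `get` on `services/proxy` appear to cover the legacy and current proxy request paths respectively; if the Heapster integration only uses the `services/proxy` subresource, the older rule could be dropped to keep the role minimal.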
@@ -78,39 +91,11 @@ subjects:
   name: kubernetes-dashboard
   namespace: {{ system_namespace }}
 
----
-# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
-# Allows users to reach login page and other proxied dashboard URLs
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubernetes-dashboard-anonymous
-rules:
-- apiGroups: [""]
-  resources: ["services/proxy"]
-  resourceNames: ["https:kubernetes-dashboard:"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard-anonymous
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubernetes-dashboard-anonymous
-subjects:
-- kind: User
-  name: system:anonymous
-
 ---
 # ------------------- Dashboard Deployment ------------------- #
 
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1beta2
 metadata:
   labels:
     k8s-app: kubernetes-dashboard
@@ -127,18 +112,10 @@ spec:
       labels:
         k8s-app: kubernetes-dashboard
     spec:
-{% if not dashboard_use_custom_certs %}
-      initContainers:
-      - name: kubernetes-dashboard-init
-        image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
-        volumeMounts:
-        - name: kubernetes-dashboard-certs
-          mountPath: /certs
-{% endif %}
       containers:
       - name: kubernetes-dashboard
         image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
-        imagePullPolicy: Always
+        imagePullPolicy: {{ k8s_image_pull_policy }}
         resources:
           limits:
             cpu: {{ dashboard_cpu_limit }}
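Review bot: The move of the Deployment from `extensions/v1beta1` to `apps/v1beta2` changes a defaulting rule: `apps/v1beta2` no longer derives `spec.selector` from the pod template labels, so a Deployment without an explicit selector is rejected by the API server. The Deployment's `spec` lies outside this hunk, so I cannot see whether one is present; confirm the manifest carries `selector:` / `matchLabels:` / `k8s-app: kubernetes-dashboard` under `spec:`, matching the template label shown here. The selector is also immutable in `apps/v1beta2` as far as I recall, so a dashboard previously created under the old API with a different effective selector would need to be deleted and recreated rather than applied over — worth a line in the commit message if that is the case.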
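Review bot: `imagePullPolicy: {{ k8s_image_pull_policy }}` depends on a variable that this role's defaults do not define (the defaults hunk above only removes keys), so the render now fails with an undefined-variable error unless it is set elsewhere in the inventory. If it is a cluster-wide kubespray variable that is fine, but the previous value was the literal `Always`, so `imagePullPolicy: {{ k8s_image_pull_policy | default('Always') }}` would keep the old behaviour when it is unset. With the init container gone, nothing populates `/certs` before the main container starts; that is presumably intended given the `--auto-generate-certificates` flag added in a later hunk, but a one-line comment above `containers:` noting it would stop the next reader from re-adding a provisioning step.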
@@ -150,9 +127,7 @@ spec:
         - containerPort: 8443
           protocol: TCP
         args:
-          - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
-          - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
-          - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
+          - --auto-generate-certificates
           # Uncomment the following line to manually specify Kubernetes API server Host
           # If not specified, Dashboard will attempt to auto discover the API server and connect
           # to it. Uncomment only if the default does not work.
@@ -160,7 +135,6 @@ spec:
         volumeMounts:
         - name: kubernetes-dashboard-certs
           mountPath: /certs
-          readOnly: true
         # Create on-disk volume to store exec logs
         - mountPath: /tmp
           name: tmp-volume
@@ -174,7 +148,7 @@ spec:
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
-          secretName: {{ dashboard_certs_secret_name }}
+          secretName: kubernetes-dashboard-certs
       - name: tmp-volume
         emptyDir: {}
       serviceAccountName: kubernetes-dashboard
@@ -198,4 +172,4 @@ spec:
   - port: 443
     targetPort: 8443
   selector:
-    k8s-app: kubernetes-dashboard
\ No newline at end of file
+    k8s-app: kubernetes-dashboard
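Review bot: Replacing the `--tls-key-file`/`--tls-cert-file` arguments with `--auto-generate-certificates`, together with the removal of `dashboard_use_custom_certs` from the defaults, leaves no documented way to serve the dashboard with an operator-issued certificate: the pod now presents a self-signed certificate that browsers and API clients cannot validate, which trains users to click through warnings on the one UI where they paste a cluster bearer token. If the dashboard honours pre-existing `dashboard.crt`/`dashboard.key` files under `/certs` (I cannot confirm that from this diff), record it next to the flag so operators know they can pre-populate the `kubernetes-dashboard-certs` secret; otherwise keep a template switch for custom certs. Suggested comment above the flag: `# Serves a self-signed cert generated at startup; to use a CA-issued cert, pre-populate the kubernetes-dashboard-certs secret with dashboard.crt/dashboard.key (verify the dashboard picks them up).` The dropped `--authentication-mode=token{,basic}` argument also means `kube_basic_auth` no longer enables basic-auth login on the dashboard; a token-only dashboard is the safer default, but it is an unannounced behaviour change that deserves a sentence in the commit message.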
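Review bot: Dropping `readOnly: true` from the `kubernetes-dashboard-certs` mount is presumably needed so the auto-generated key and certificate can be written under `/certs`, but a write into a Secret volume only changes the pod's local tmpfs copy, not the `kubernetes-dashboard-certs` Secret object. Unless the dashboard also pushes the generated pair back through the API (the Role's `update` grant on that secret suggests it may; I cannot confirm from this diff), every pod restart produces a fresh self-signed certificate and breaks any client that pinned the previous one. Add a comment on the mount recording the intent so the read-only flag is not reinstated by a later hardening pass: `# writable: --auto-generate-certificates writes the generated key/cert here`.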