# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secrets ------------------- #

# TLS material for the Dashboard HTTPS listener. The Secret is created with no
# `data`; the Deployment in this file mounts it at /certs and starts the
# container with --auto-generate-certificates.
# NOTE(review): if a CA-issued certificate is used instead, load it into this
# Secret out of band; do not commit private keys into this template.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kubernetes-dashboard-certs
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
---

# Holder for the Dashboard CSRF key. `csrf` is shipped empty; the Role in this
# file lets the Dashboard ServiceAccount get/update/delete this Secret by name.
# NOTE(review): presumably Dashboard fills in the value at startup - confirm.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kubernetes-dashboard-csrf
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
data:
  csrf: ""
---
# ------------------- Dashboard Service Account ------------------- #

# Identity the Dashboard pod runs as (see serviceAccountName in the Deployment).
# The only binding in this file that names it is the namespaced
# kubernetes-dashboard-minimal RoleBinding.
# NOTE(review): keep it that way - binding this account to a cluster-wide role
# hands those rights to anyone who can reach the Dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
---
# ------------------- Dashboard Role & Role Binding ------------------- #

# Namespaced (kube-system) permissions for the Dashboard ServiceAccount.
# NOTE(review): RBAC cannot restrict `create` by resourceName, so the two
# create rules below permit creating *any* Secret / ConfigMap in kube-system,
# not only the objects named in their comments. Read/update/delete access is
# limited to the listed resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - kubernetes-dashboard-key-holder
      - kubernetes-dashboard-certs
      - kubernetes-dashboard-csrf
    verbs:
      - get
      - update
      - delete
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - kubernetes-dashboard-settings
    verbs:
      - get
      - update
  # Allow Dashboard to get metrics from heapster.
  - apiGroups:
      - ""
    resources:
      - services
    resourceNames:
      - heapster
    verbs:
      - proxy
  # Same heapster access, expressed on the services/proxy subresource.
  # The names ending in ':' must stay quoted or YAML reads them as mapping keys.
  - apiGroups:
      - ""
    resources:
      - services/proxy
    resourceNames:
      - heapster
      - "http:heapster:"
      - "https:heapster:"
    verbs:
      - get
---
# Grants the kubernetes-dashboard-minimal Role to exactly one subject: the
# kubernetes-dashboard ServiceAccount in kube-system. Being a RoleBinding (not
# a ClusterRoleBinding), it confers nothing outside that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
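---
# ------------------- Dashboard Deployment ------------------- #

# Runs a single Dashboard replica in kube-system under the kubernetes-dashboard
# ServiceAccount, serving HTTPS on container port 8443.
# NOTE(review): no resource requests/limits are set, and runAsNonRoot /
# readOnlyRootFilesystem are not enabled; validate them against this image
# before turning them on.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # NOTE(review): referenced by tag only. Pinning by digest
          # (image@sha256:<digest>) stops a re-pushed tag from silently
          # changing what runs in kube-system.
          image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Dashboard generates its own (self-signed) serving certificate, so
            # clients cannot verify the server's identity unless a real
            # certificate is supplied through the kubernetes-dashboard-certs Secret.
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # NOTE(review): the example below is plain http://; use an https://
            # endpoint so requests to the API server are not sent in cleartext.
            # - --apiserver-host=http://my-address:port
          # The process has no need to gain privileges after start; block
          # setuid-style escalation inside the container.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      # NOTE(review): with this toleration the UI pod may be scheduled onto
      # control-plane nodes, next to the cluster's most sensitive components.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule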
---
# ------------------- Dashboard Service ------------------- #

# Fronts the Dashboard pods: Service port 443 -> container port 8443.
# With rke_dashboard_exposed unset/false no `type` is rendered, so the Service
# stays at the default ClusterIP and is reachable only from inside the cluster.
# NOTE(review): when rke_dashboard_exposed is true the Service becomes a
# NodePort and the Dashboard login page is reachable on every node's address.
# Enable it only where node ports are firewalled to trusted networks.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443
{% if rke_dashboard_exposed %}
  type: NodePort
{% endif %}