
Change the specs to be in line with K8s 1.13

* removed labels for addon manager
* change image for metrics server
* promote some APIs from beta to stable

[#162541116]

Signed-off-by: Carlo Colombo <ccolombo@pivotal.io>
alex-slynko authored and carlo-colombo committed Jan 28, 2019
1 parent 3b20cd6 commit ec188538b569d66ab64f8c2a2ce84d8f20eac414
@@ -5,7 +5,7 @@ metadata:
name: coredns
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
@@ -22,8 +22,14 @@ rules:
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
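Review bot: The added rule granting `get` on `nodes` in the core API group widens the coredns ClusterRole cluster-wide, and neither the hunk nor the commit message says which CoreDNS feature needs it. A one-line comment above the rule, for example `# read-only access to Node objects, required by <CoreDNS feature>`, would let a later RBAC audit decide whether the grant is still needed. The rules list starts above the hunk, so the other grants on this role are not visible here.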
@@ -47,7 +53,7 @@ metadata:
namespace: kube-system
data:
Corefile: |
.:53 {
.:10053 {
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
@@ -57,9 +63,10 @@ data:
}
prometheus :9153
proxy . /etc/resolv.conf {
policy sequential
policy sequential # needed for workloads to be able to use BOSH-DNS
}
cache 30
loop
reload
loadbalance
}
@@ -77,8 +84,7 @@ spec:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 0
maxUnavailable: 1
selector:
matchLabels:
k8s-app: kube-dns
@@ -87,9 +93,9 @@ spec:
labels:
k8s-app: kube-dns
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
priorityClassName: system-cluster-critical
priorityClassName: system-cluster-critical # Added for Guaranteed Scheduling
serviceAccountName: coredns
tolerations:
- key: "CriticalAddonsOnly"
@@ -110,27 +116,27 @@ spec:
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
- containerPort: 10053
name: dns
protocol: UDP
- containerPort: 53
- containerPort: 10053
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
# NOTE: Security Context is denied unless privileged containers
# are enabled. Once security context can be separated from
# allow-privileged in the release, then this should become
# allow-privileged in the release, then this should become
# conditional.
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# add:
# - NET_BIND_SERVICE
# drop:
# - all
# readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /health
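Review bot: Commenting out the whole `securityContext` block removes `allowPrivilegeEscalation: false`, the capability drop and `readOnlyRootFilesystem: true` from the coredns container, so it now runs with the runtime's default capabilities and a writable root filesystem. The only setting that the move from port 53 to 10053 makes unnecessary is `NET_BIND_SERVICE`, so the block could stay with just the `add` list removed. If the release still rejects any securityContext when privileged containers are disabled, as the NOTE above it says, then making the block conditional now, as that NOTE already plans, would keep the hardening on clusters that allow it. As rendered, the page lists the active block first and the commented block second, which I read as old then new. The container spec continues past the end of the hunk.

```yaml
# … unchanged: ports (dns, dns-tcp, metrics) …
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - all
  readOnlyRootFilesystem: true
# … unchanged: livenessProbe …
```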
@@ -19,8 +19,6 @@ metadata:
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "KubeDNS"
spec:
selector:
@@ -39,17 +37,12 @@ kind: ServiceAccount
metadata:
name: kube-dns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-dns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
---
apiVersion: extensions/v1beta1
kind: Deployment
@@ -126,13 +119,19 @@ spec:
- --dns-port=10053
- --config-dir=/kube-dns-config
- --v=10
env:
- name: PROMETHEUS_PORT
value: "10055"
ports:
- containerPort: 10053
name: dns-local
protocol: UDP
- containerPort: 10053
name: dns-tcp-local
protocol: TCP
- containerPort: 10055
name: metrics
protocol: TCP
volumeMounts:
- name: kube-dns-config
mountPath: /kube-dns-config
@@ -25,7 +25,6 @@ kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard
namespace: kube-system

@@ -37,14 +36,9 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
@@ -64,7 +58,6 @@ metadata:
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -84,7 +77,6 @@ metadata:
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: EnsureExists
---
# ------------------- Dashboard Deployment ------------------- #

@@ -95,11 +87,7 @@ metadata:
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
@@ -169,8 +157,6 @@ metadata:
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: kubernetes-dashboard
@@ -1,5 +1,5 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-server:system:auth-delegator
@@ -1,5 +1,5 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metrics-server-auth-reader
@@ -12,6 +12,7 @@ metadata:
namespace: kube-system
labels:
k8s-app: metrics-server
version: v0.3.1
spec:
selector:
matchLabels:
@@ -32,7 +33,7 @@ spec:
secretName: metrics-server-certs
containers:
- name: metrics-server
image: gcr.io/google_containers/metrics-server-amd64:v0.3.1
image: k8s.gcr.io/metrics-server-amd64:v0.3.1
imagePullPolicy: IfNotPresent
command:
- /metrics-server
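Review bot: The new `image: k8s.gcr.io/metrics-server-amd64:v0.3.1` line still identifies the image by tag alone, and with `imagePullPolicy: IfNotPresent` each node keeps whatever it first pulled under that tag. Pinning the digest as well, `image: k8s.gcr.io/metrics-server-amd64:v0.3.1@sha256:<digest-of-verified-image>`, would tie the deployment to one image even if the tag is later re-pointed, which matters more when the registry host changes as it does here. The digest shown is a placeholder to be replaced with the one from the image you have verified.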
@@ -42,9 +43,15 @@ spec:
- --requestheader-client-ca-file=/var/run/kubernetes/requestheader-client-ca.crt
- --tls-cert-file=/var/run/kubernetes/client.crt
- --tls-private-key-file=/var/run/kubernetes/client.key
ports:
- containerPort: 443
name: https
protocol: TCP
volumeMounts:
- name: tmp-dir
mountPath: /tmp
- name: metrics-server-secrets
mountPath: /var/run/kubernetes

tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
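Review bot: The added `containerPort: 443` shows that metrics-server binds a privileged port, which normally requires running as root or holding NET_BIND_SERVICE. No securityContext is visible in this hunk, so that may be handled elsewhere in the spec. Because the Service in this commit now targets the named port `https`, the container could instead listen on a high port (`--secure-port=4443` with `containerPort: 4443`) without any Service change, which would allow a non-root user. The new `tmp-dir` mount at `/tmp` is also what `readOnlyRootFilesystem: true` would need, if that is the intent. The command list starts above the hunk.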
@@ -12,4 +12,4 @@ spec:
ports:
- port: 443
protocol: TCP
targetPort: 443
targetPort: https
@@ -14,13 +14,6 @@ rules:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes/stats
verbs:
- create
- get
- apiGroups:
- "extensions"
resources:
