From 0c3aa1a82beda607f7c5336940ceca892d38d8d4 Mon Sep 17 00:00:00 2001 From: Rayan Das Date: Thu, 13 Oct 2022 11:28:22 +0530 Subject: [PATCH 1/2] add a new template metrics_v0.5.2.go --- rke/k8s_rke_system_images.go | 2 +- rke/templates/metrics_v0.5.2.go | 237 ++++++++++++++++++++++++++++++++ rke/templates/templates.go | 11 +- 3 files changed, 245 insertions(+), 5 deletions(-) create mode 100644 rke/templates/metrics_v0.5.2.go diff --git a/rke/k8s_rke_system_images.go b/rke/k8s_rke_system_images.go index 7c731e808..7eb2c914e 100644 --- a/rke/k8s_rke_system_images.go +++ b/rke/k8s_rke_system_images.go @@ -7796,7 +7796,7 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages { Ingress: "rancher/nginx-ingress-controller:nginx-1.2.1-rancher1", IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1", IngressWebhook: "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v1.1.1", - MetricsServer: "rancher/mirrored-metrics-server:v0.5.1", + MetricsServer: "rancher/mirrored-metrics-server:v0.5.2", CoreDNS: "rancher/mirrored-coredns-coredns:1.8.6", CoreDNSAutoscaler: "rancher/mirrored-cluster-proportional-autoscaler:1.8.5", WindowsPodInfraContainer: "rancher/mirrored-pause:3.6", diff --git a/rke/templates/metrics_v0.5.2.go b/rke/templates/metrics_v0.5.2.go new file mode 100644 index 000000000..73c71f3b0 --- /dev/null +++ b/rke/templates/metrics_v0.5.2.go @@ -0,0 +1,237 @@ +package templates + +const MetricsServerTemplateV0_5_2 = ` +{{- if eq .RBACConfig "rbac"}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + k8s-app: metrics-server + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:aggregated-metrics-reader +rules: +- apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - nodes/stats + - namespaces + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: metrics-server + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + k8s-app: metrics-server + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + k8s-app: metrics-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metrics-server + namespace: kube-system + labels: + k8s-app: metrics-server +spec: +{{if .Replicas}} + replicas: {{.Replicas}} +{{end}} + selector: + matchLabels: + k8s-app: metrics-server +{{if .UpdateStrategy}} + strategy: +{{ toYaml .UpdateStrategy | indent 4}} +{{end}} + template: + metadata: + name: metrics-server + labels: + k8s-app: metrics-server + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/os + operator: NotIn + values: + - windows + - key: node-role.kubernetes.io/worker + operator: Exists +{{if .NodeSelector}} + nodeSelector: + {{ range $k, $v := .NodeSelector }} + {{ $k }}: "{{ $v }}" + {{ end }} +{{end}} + serviceAccountName: metrics-server +{{- if .Tolerations}} + tolerations: +{{ toYaml .Tolerations | indent 6}} +{{- else }} + tolerations: + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists +{{- end }} + volumes: + - emptyDir: {} + name: tmp-dir + # Rancher specific change + priorityClassName: {{ .MetricsServerPriorityClassName | default "system-cluster-critical" }} + containers: + - name: metrics-server + image: {{ .MetricsServerImage }} + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + args: + - --cert-dir=/tmp + - --secure-port=4443 + # Rancher specific: connecting to kubelet using insecure tls + - --kubelet-insecure-tls + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --metric-resolution=15s + - --logtostderr + {{ range $k,$v := .Options }} + - --{{ $k }}={{ $v }} + {{ end }} + ports: + - containerPort: 4443 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp + name: tmp-dir +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + k8s-app: metrics-server + name: v1beta1.metrics.k8s.io +spec: + group: metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: metrics-server + namespace: kube-system + version: v1beta1 + versionPriority: 100 +--- +` diff --git a/rke/templates/templates.go b/rke/templates/templates.go index 9bc479bd0..1d4f3a0f6 100644 --- a/rke/templates/templates.go +++ b/rke/templates/templates.go @@ -58,6 +58,7 @@ const ( metricsServerv18 = "metricsserver-v1.8" metricsServerv120 = "metricsserver-v1.20" metricsServerv050 = "metricsserver-v0.5.0" + metricsServerv052 = "metricsserver-v0.5.2" metricsServerv061 = "metricsserver-v0.6.1" weavev18 = "weave-v1.8" @@ -156,10 +157,11 @@ func LoadK8sVersionedTemplates() map[string]map[string]string { ">=1.8.0-rancher0 <1.16.0-alpha": kubeDnsv18, }, kdm.MetricsServer: { - ">=1.23.3-rancher1-1": metricsServerv061, - ">=1.20.14-rancher2-1 <1.23.3-rancher1-1": metricsServerv050, - ">=1.20.4-rancher1-1 <1.20.14-rancher2-1": metricsServerv120, - ">=1.8.0-rancher0 <1.20.4-rancher1-1": metricsServerv18, + ">=1.23.3-rancher1-1": metricsServerv061, + ">=1.22.15-rancher1-1 <1.23.3-rancher1-1": metricsServerv052, + ">=1.20.14-rancher2-1 <1.22.15-rancher1-1": metricsServerv050, + ">=1.20.4-rancher1-1 <1.20.14-rancher2-1": metricsServerv120, + ">=1.8.0-rancher0 <1.20.4-rancher1-1": metricsServerv18, }, kdm.Weave: { ">=1.22.0-rancher1-1": weavev122, @@ -270,6 +272,7 @@ func getTemplates() map[string]string { metricsServerv18: MetricsServerTemplate, metricsServerv120: MetricsServerTemplateV0_4_1, metricsServerv050: MetricsServerTemplateV0_5_0, + metricsServerv052: MetricsServerTemplateV0_5_2, metricsServerv061: MetricsServerTemplateV0_6_1, weavev18: WeaveTemplate, From d70b9dd4fe4c72941bc0c024af00759b11bd5389 Mon Sep 17 00:00:00 2001 From: Rayan Das Date: Fri, 14 Oct 2022 17:43:39 +0530 Subject: [PATCH 2/2] go generate --- data/data.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/data/data.json b/data/data.json index db04c98a3..48b8dfb36 100644 --- a/data/data.json +++ b/data/data.json @@ -10281,7 +10281,7 @@ "ingress": "rancher/nginx-ingress-controller:nginx-1.2.1-rancher1", "ingressBackend": "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1", "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v1.1.1", - "metricsServer": "rancher/mirrored-metrics-server:v0.5.1", + "metricsServer": "rancher/mirrored-metrics-server:v0.5.2", "windowsPodInfraContainer": "rancher/mirrored-pause:3.6", "aciCniDeployContainer": "noiro/cnideploy:5.2.3.2.1d150da", "aciHostContainer": "noiro/aci-containers-host:5.2.3.2.1d150da", @@ -11193,8 +11193,9 @@ "\u003e=1.8.0-rancher0 \u003c1.16.0-alpha": "kubedns-v1.8" }, "metricsServer": { - "\u003e=1.20.14-rancher2-1 \u003c1.23.3-rancher1-1": "metricsserver-v0.5.0", + "\u003e=1.20.14-rancher2-1 \u003c1.22.15-rancher1-1": "metricsserver-v0.5.0", "\u003e=1.20.4-rancher1-1 \u003c1.20.14-rancher2-1": "metricsserver-v1.20", + "\u003e=1.22.15-rancher1-1 \u003c1.23.3-rancher1-1": "metricsserver-v0.5.2", "\u003e=1.23.3-rancher1-1": "metricsserver-v0.6.1", "\u003e=1.8.0-rancher0 \u003c1.20.4-rancher1-1": "metricsserver-v1.8" }, @@ -11279,6 +11280,7 @@ "kubedns-v1.16": "\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: kube-dns-autoscaler\n namespace: kube-system\n labels:\n k8s-app: kube-dns-autoscaler\nspec:\n selector:\n matchLabels:\n k8s-app: kube-dns-autoscaler\n template:\n metadata:\n labels:\n k8s-app: kube-dns-autoscaler\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n serviceAccountName: kube-dns-autoscaler\n# Rancher specific change\n{{- if .KubeDNSAutoscalerPriorityClassName }}\n priorityClassName: {{ .KubeDNSAutoscalerPriorityClassName }}\n{{- end }}\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n containers:\n - name: autoscaler\n image: {{.KubeDNSAutoScalerImage}}\n resources:\n requests:\n cpu: \"20m\"\n memory: \"10Mi\"\n command:\n - /cluster-proportional-autoscaler\n - --namespace=kube-system\n - --configmap=kube-dns-autoscaler\n - --target=Deployment/kube-dns\n # When cluster is using large nodes(with more cores), \"coresPerReplica\" should dominate.\n # If using small nodes, \"nodesPerReplica\" should dominate.\n{{if .LinearAutoscalerParams}}\n - --default-params={\"linear\":{{.LinearAutoscalerParams}}}\n{{else}}\n - --default-params={\"linear\":{\"coresPerReplica\":128,\"nodesPerReplica\":4,\"min\":1,\"preventSinglePointFailure\":true}}\n{{end}}\n - --logtostderr=true\n - --v=2\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: kube-dns-autoscaler\n namespace: kube-system\n labels:\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n{{- if eq .RBACConfig \"rbac\"}}\n---\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:kube-dns-autoscaler\nrules:\n - apiGroups: [\"\"]\n resources: [\"nodes\"]\n verbs: [\"list\", \"watch\"]\n - apiGroups: [\"\"]\n resources: [\"replicationcontrollers/scale\"]\n verbs: [\"get\", \"update\"]\n - apiGroups: [\"extensions\",\"apps\"]\n resources: [\"deployments/scale\", \"replicasets/scale\"]\n verbs: [\"get\", \"update\"]\n - apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"get\", \"create\"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:kube-dns-autoscaler\nsubjects:\n - kind: ServiceAccount\n name: kube-dns-autoscaler\n namespace: kube-system\nroleRef:\n kind: ClusterRole\n name: system:kube-dns-autoscaler\n apiGroup: rbac.authorization.k8s.io\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n k8s-app: kube-dns\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\nspec:\n # replicas: not specified here:\n # 1. In order to make Addon Manager do not reconcile this replicas parameter.\n # 2. Default is 1.\n # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.\n strategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n rollingUpdate:\n maxSurge: 10%\n maxUnavailable: 0\n{{end}}\n selector:\n matchLabels:\n k8s-app: kube-dns\n template:\n metadata:\n labels:\n k8s-app: kube-dns\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n# Rancher specific change\n{{- if .KubeDNSPriorityClassName }}\n priorityClassName: {{ .KubeDNSPriorityClassName }}\n{{- end }}\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 100\n podAffinityTerm:\n labelSelector:\n matchExpressions:\n - key: k8s-app\n operator: In\n values: [\"kube-dns\"]\n topologyKey: kubernetes.io/hostname\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n volumes:\n - name: kube-dns-config\n configMap:\n name: kube-dns\n optional: true\n containers:\n - name: kubedns\n image: {{.KubeDNSImage}}\n resources:\n # TODO: Set memory limits when we've profiled the container for large\n # clusters, then set request = limit to keep this container in\n # guaranteed class. Currently, this container falls into the\n # \"burstable\" category so the kubelet doesn't backoff from restarting it.\n limits:\n memory: 170Mi\n requests:\n cpu: 100m\n memory: 70Mi\n livenessProbe:\n httpGet:\n path: /healthcheck/kubedns\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n readinessProbe:\n httpGet:\n path: /readiness\n port: 8081\n scheme: HTTP\n # we poll on pod startup for the Kubernetes master service and\n # only setup the /readiness HTTP server once that's available.\n initialDelaySeconds: 3\n timeoutSeconds: 5\n args:\n - --domain={{.ClusterDomain}}.\n - --dns-port=10053\n - --config-dir=/kube-dns-config\n - --v=2\n env:\n - name: PROMETHEUS_PORT\n value: \"10055\"\n ports:\n - containerPort: 10053\n name: dns-local\n protocol: UDP\n - containerPort: 10053\n name: dns-tcp-local\n protocol: TCP\n - containerPort: 10055\n name: metrics\n protocol: TCP\n volumeMounts:\n - name: kube-dns-config\n mountPath: /kube-dns-config\n - name: dnsmasq\n image: {{.DNSMasqImage}}\n livenessProbe:\n httpGet:\n path: /healthcheck/dnsmasq\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n args:\n - -v=2\n - -logtostderr\n - -configDir=/etc/k8s/dns/dnsmasq-nanny\n - -restartDnsmasq=true\n - --\n - -k\n - --cache-size=1000\n - --log-facility=-\n - --server=/{{.ClusterDomain}}/127.0.0.1#10053\n\t{{- if .ReverseCIDRs }}\n\t{{- range .ReverseCIDRs }}\n - --server=/{{.}}/127.0.0.1#10053\n\t{{- end }}\n\t{{- else }}\n - --server=/in-addr.arpa/127.0.0.1#10053\n - --server=/ip6.arpa/127.0.0.1#10053\n\t{{- end }}\n ports:\n - containerPort: 53\n name: dns\n protocol: UDP\n - containerPort: 53\n name: dns-tcp\n protocol: TCP\n # see: https://github.com/kubernetes/kubernetes/issues/29055 for details\n resources:\n requests:\n cpu: 150m\n memory: 20Mi\n volumeMounts:\n - name: kube-dns-config\n mountPath: /etc/k8s/dns/dnsmasq-nanny\n - name: sidecar\n image: {{.KubeDNSSidecarImage}}\n livenessProbe:\n httpGet:\n path: /metrics\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n args:\n - --v=2\n - --logtostderr\n - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{.ClusterDomain}},5,A\n - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{.ClusterDomain}},5,A\n ports:\n - containerPort: 10054\n name: metrics\n protocol: TCP\n resources:\n requests:\n memory: 20Mi\n cpu: 10m\n dnsPolicy: Default # Don't use cluster DNS.\n serviceAccountName: kube-dns\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n k8s-app: kube-dns\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n kubernetes.io/name: \"KubeDNS\"\nspec:\n selector:\n k8s-app: kube-dns\n clusterIP: {{.ClusterDNSServer}}\n ports:\n - name: dns\n port: 53\n protocol: UDP\n - name: dns-tcp\n port: 53\n protocol: TCP\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: kube-dns\n namespace: kube-system\ndata:\n{{- if .UpstreamNameservers }}\n upstreamNameservers: |\n [{{range $i, $v := .UpstreamNameservers}}{{if $i}}, {{end}}{{printf \"%q\" .}}{{end}}]\n{{- end }}\n{{- if .StubDomains }}\n stubDomains: |\n {{ GetKubednsStubDomains .StubDomains }}\n{{- end }}", "kubedns-v1.8": "\n---\napiVersion: apps/v1beta1\nkind: Deployment\nmetadata:\n name: kube-dns-autoscaler\n namespace: kube-system\n labels:\n k8s-app: kube-dns-autoscaler\nspec:\n template:\n metadata:\n labels:\n k8s-app: kube-dns-autoscaler\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n serviceAccountName: kube-dns-autoscaler\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n containers:\n - name: autoscaler\n image: {{.KubeDNSAutoScalerImage}}\n resources:\n requests:\n cpu: \"20m\"\n memory: \"10Mi\"\n command:\n - /cluster-proportional-autoscaler\n - --namespace=kube-system\n - --configmap=kube-dns-autoscaler\n - --target=Deployment/kube-dns\n # When cluster is using large nodes(with more cores), \"coresPerReplica\" should dominate.\n # If using small nodes, \"nodesPerReplica\" should dominate.\n{{if .LinearAutoscalerParams}}\n - --default-params={\"linear\":{{.LinearAutoscalerParams}}}\n{{else}}\n - --default-params={\"linear\":{\"coresPerReplica\":128,\"nodesPerReplica\":4,\"min\":1}}\n{{end}}\n - --logtostderr=true\n - --v=2\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: kube-dns-autoscaler\n namespace: kube-system\n labels:\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n{{- if eq .RBACConfig \"rbac\"}}\n---\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:kube-dns-autoscaler\nrules:\n - apiGroups: [\"\"]\n resources: [\"nodes\"]\n verbs: [\"list\", \"watch\"]\n - apiGroups: [\"\"]\n resources: [\"replicationcontrollers/scale\"]\n verbs: [\"get\", \"update\"]\n - apiGroups: [\"extensions\"]\n resources: [\"deployments/scale\", \"replicasets/scale\"]\n verbs: [\"get\", \"update\"]\n - apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"get\", \"create\"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:kube-dns-autoscaler\nsubjects:\n - kind: ServiceAccount\n name: kube-dns-autoscaler\n namespace: kube-system\nroleRef:\n kind: ClusterRole\n name: system:kube-dns-autoscaler\n apiGroup: rbac.authorization.k8s.io\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n---\napiVersion: extensions/v1beta1\nkind: Deployment\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n k8s-app: kube-dns\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\nspec:\n # replicas: not specified here:\n # 1. In order to make Addon Manager do not reconcile this replicas parameter.\n # 2. Default is 1.\n # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.\n strategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n rollingUpdate:\n maxSurge: 10%\n maxUnavailable: 0\n{{end}}\n selector:\n matchLabels:\n k8s-app: kube-dns\n template:\n metadata:\n labels:\n k8s-app: kube-dns\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n affinity:\n podAntiAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - weight: 100\n podAffinityTerm:\n labelSelector:\n matchExpressions:\n - key: k8s-app\n operator: In\n values: [\"kube-dns\"]\n topologyKey: kubernetes.io/hostname\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n tolerations:\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n volumes:\n - name: kube-dns-config\n configMap:\n name: kube-dns\n optional: true\n containers:\n - name: kubedns\n image: {{.KubeDNSImage}}\n resources:\n # TODO: Set memory limits when we've profiled the container for large\n # clusters, then set request = limit to keep this container in\n # guaranteed class. Currently, this container falls into the\n # \"burstable\" category so the kubelet doesn't backoff from restarting it.\n limits:\n memory: 170Mi\n requests:\n cpu: 100m\n memory: 70Mi\n livenessProbe:\n httpGet:\n path: /healthcheck/kubedns\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n readinessProbe:\n httpGet:\n path: /readiness\n port: 8081\n scheme: HTTP\n # we poll on pod startup for the Kubernetes master service and\n # only setup the /readiness HTTP server once that's available.\n initialDelaySeconds: 3\n timeoutSeconds: 5\n args:\n - --domain={{.ClusterDomain}}.\n - --dns-port=10053\n - --config-dir=/kube-dns-config\n - --v=2\n env:\n - name: PROMETHEUS_PORT\n value: \"10055\"\n ports:\n - containerPort: 10053\n name: dns-local\n protocol: UDP\n - containerPort: 10053\n name: dns-tcp-local\n protocol: TCP\n - containerPort: 10055\n name: metrics\n protocol: TCP\n volumeMounts:\n - name: kube-dns-config\n mountPath: /kube-dns-config\n - name: dnsmasq\n image: {{.DNSMasqImage}}\n livenessProbe:\n httpGet:\n path: /healthcheck/dnsmasq\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n args:\n - -v=2\n - -logtostderr\n - -configDir=/etc/k8s/dns/dnsmasq-nanny\n - -restartDnsmasq=true\n - --\n - -k\n - --cache-size=1000\n - --log-facility=-\n - --server=/{{.ClusterDomain}}/127.0.0.1#10053\n\t{{- if .ReverseCIDRs }}\n\t{{- range .ReverseCIDRs }}\n - --server=/{{.}}/127.0.0.1#10053\n\t{{- end }}\n\t{{- else }}\n - --server=/in-addr.arpa/127.0.0.1#10053\n - --server=/ip6.arpa/127.0.0.1#10053\n\t{{- end }}\n ports:\n - containerPort: 53\n name: dns\n protocol: UDP\n - containerPort: 53\n name: dns-tcp\n protocol: TCP\n # see: https://github.com/kubernetes/kubernetes/issues/29055 for details\n resources:\n requests:\n cpu: 150m\n memory: 20Mi\n volumeMounts:\n - name: kube-dns-config\n mountPath: /etc/k8s/dns/dnsmasq-nanny\n - name: sidecar\n image: {{.KubeDNSSidecarImage}}\n livenessProbe:\n httpGet:\n path: /metrics\n port: 10054\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n args:\n - --v=2\n - --logtostderr\n - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{.ClusterDomain}},5,A\n - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{.ClusterDomain}},5,A\n ports:\n - containerPort: 10054\n name: metrics\n protocol: TCP\n resources:\n requests:\n memory: 20Mi\n cpu: 10m\n dnsPolicy: Default # Don't use cluster DNS.\n serviceAccountName: kube-dns\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: kube-dns\n namespace: kube-system\n labels:\n k8s-app: kube-dns\n kubernetes.io/cluster-service: \"true\"\n addonmanager.kubernetes.io/mode: Reconcile\n kubernetes.io/name: \"KubeDNS\"\nspec:\n selector:\n k8s-app: kube-dns\n clusterIP: {{.ClusterDNSServer}}\n ports:\n - name: dns\n port: 53\n protocol: UDP\n - name: dns-tcp\n port: 53\n protocol: TCP\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: kube-dns\n namespace: kube-system\ndata:\n{{- if .UpstreamNameservers }}\n upstreamNameservers: |\n [{{range $i, $v := .UpstreamNameservers}}{{if $i}}, {{end}}{{printf \"%q\" .}}{{end}}]\n{{- end }}\n{{- if .StubDomains }}\n stubDomains: |\n {{ GetKubednsStubDomains .StubDomains }}\n{{- end }}", "metricsserver-v0.5.0": "\n{{- if eq .RBACConfig \"rbac\"}}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: system:aggregated-metrics-reader\nrules:\n- apiGroups:\n - metrics.k8s.io\n resources:\n - pods\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n - nodes/stats\n - namespaces\n - configmaps\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server-auth-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server:system:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:metrics-server\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\nspec:\n ports:\n - name: https\n port: 443\n protocol: TCP\n targetPort: https\n selector:\n k8s-app: metrics-server\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: metrics-server\n namespace: kube-system\n labels:\n k8s-app: metrics-server\nspec:\n{{if .Replicas}}\n replicas: {{.Replicas}}\n{{end}}\n selector:\n matchLabels:\n k8s-app: metrics-server\n{{if .UpdateStrategy}}\n strategy:\n{{ toYaml .UpdateStrategy | indent 4}}\n{{end}}\n template:\n metadata:\n name: metrics-server\n labels:\n k8s-app: metrics-server\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n serviceAccountName: metrics-server\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n volumes:\n - emptyDir: {}\n name: tmp-dir\n # Rancher specific change\n priorityClassName: {{ .MetricsServerPriorityClassName | default \"system-cluster-critical\" }}\n containers:\n - name: metrics-server\n image: {{ .MetricsServerImage }}\n imagePullPolicy: IfNotPresent\n livenessProbe:\n failureThreshold: 3\n httpGet:\n path: /livez\n port: https\n scheme: HTTPS\n periodSeconds: 10\n args:\n - --cert-dir=/tmp\n - --secure-port=443\n # Rancher specific: connecting to kubelet using insecure tls\n - --kubelet-insecure-tls\n - --kubelet-preferred-address-types=InternalIP\n - --metric-resolution=15s\n - --logtostderr\n {{ range $k,$v := .Options }}\n - --{{ $k }}={{ $v }}\n {{ end }}\n ports:\n - containerPort: 443\n name: https\n protocol: TCP\n readinessProbe:\n failureThreshold: 3\n httpGet:\n path: /readyz\n port: https\n scheme: HTTPS\n initialDelaySeconds: 20\n periodSeconds: 10\n resources:\n requests:\n cpu: 100m\n memory: 200Mi\n securityContext:\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 1000\n volumeMounts:\n - mountPath: /tmp\n name: tmp-dir\n---\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n labels:\n k8s-app: metrics-server\n name: v1beta1.metrics.k8s.io\nspec:\n group: metrics.k8s.io\n groupPriorityMinimum: 100\n insecureSkipTLSVerify: true\n service:\n name: metrics-server\n namespace: kube-system\n version: v1beta1\n versionPriority: 100\n---\n", + "metricsserver-v0.5.2": "\n{{- if eq .RBACConfig \"rbac\"}}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: system:aggregated-metrics-reader\nrules:\n- apiGroups:\n - metrics.k8s.io\n resources:\n - pods\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n - nodes/stats\n - namespaces\n - configmaps\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server-auth-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server:system:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:metrics-server\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\nspec:\n ports:\n - name: https\n port: 443\n protocol: TCP\n targetPort: https\n selector:\n k8s-app: metrics-server\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: metrics-server\n namespace: kube-system\n labels:\n k8s-app: metrics-server\nspec:\n{{if .Replicas}}\n replicas: {{.Replicas}}\n{{end}}\n selector:\n matchLabels:\n k8s-app: metrics-server\n{{if .UpdateStrategy}}\n strategy:\n{{ toYaml .UpdateStrategy | indent 4}}\n{{end}}\n template:\n metadata:\n name: metrics-server\n labels:\n k8s-app: metrics-server\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n serviceAccountName: metrics-server\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n volumes:\n - emptyDir: {}\n name: tmp-dir\n # Rancher specific change\n priorityClassName: {{ .MetricsServerPriorityClassName | default \"system-cluster-critical\" }}\n containers:\n - name: metrics-server\n image: {{ .MetricsServerImage }}\n imagePullPolicy: IfNotPresent\n livenessProbe:\n failureThreshold: 3\n httpGet:\n path: /livez\n port: https\n scheme: HTTPS\n periodSeconds: 10\n args:\n - --cert-dir=/tmp\n - --secure-port=4443\n # Rancher specific: connecting to kubelet using insecure tls\n - --kubelet-insecure-tls\n - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname\n - --metric-resolution=15s\n - --logtostderr\n {{ range $k,$v := .Options }}\n - --{{ $k }}={{ $v }}\n {{ end }}\n ports:\n - containerPort: 4443\n name: https\n protocol: TCP\n readinessProbe:\n failureThreshold: 3\n httpGet:\n path: /readyz\n port: https\n scheme: HTTPS\n initialDelaySeconds: 20\n periodSeconds: 10\n resources:\n requests:\n cpu: 100m\n memory: 200Mi\n securityContext:\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 1000\n allowPrivilegeEscalation: false\n volumeMounts:\n - mountPath: /tmp\n name: tmp-dir\n---\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n labels:\n k8s-app: metrics-server\n name: v1beta1.metrics.k8s.io\nspec:\n group: metrics.k8s.io\n groupPriorityMinimum: 100\n insecureSkipTLSVerify: true\n service:\n name: metrics-server\n namespace: kube-system\n version: v1beta1\n versionPriority: 100\n---\n", "metricsserver-v0.6.1": "\n{{- if eq .RBACConfig \"rbac\"}}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: system:aggregated-metrics-reader\nrules:\n- apiGroups:\n - metrics.k8s.io\n resources:\n - pods\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes/metrics\n verbs:\n - get\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server-auth-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server:system:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:metrics-server\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n{{- end }}\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\nspec:\n ports:\n - name: https\n port: 443\n protocol: TCP\n targetPort: https\n selector:\n k8s-app: metrics-server\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n k8s-app: metrics-server \n name: metrics-server\n namespace: kube-system\nspec:\n{{if .Replicas}}\n replicas: {{.Replicas}}\n{{end}}\n selector:\n matchLabels:\n k8s-app: metrics-server\n{{if .UpdateStrategy}}\n strategy:\n{{ toYaml .UpdateStrategy | indent 4}}\n{{end}}\n template:\n metadata:\n name: metrics-server\n labels:\n k8s-app: metrics-server\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n serviceAccountName: metrics-server\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n volumes:\n - emptyDir: {}\n name: tmp-dir\n # Rancher specific change\n priorityClassName: {{ .MetricsServerPriorityClassName | default \"system-cluster-critical\" }}\n containers:\n - name: metrics-server\n image: {{ .MetricsServerImage }}\n imagePullPolicy: IfNotPresent\n livenessProbe:\n failureThreshold: 3\n httpGet:\n path: /livez\n port: https\n scheme: HTTPS\n periodSeconds: 10\n args:\n - --cert-dir=/tmp\n - --secure-port=4443\n # Rancher specific: connecting to kubelet using insecure tls\n - --kubelet-insecure-tls\n - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname\n - --metric-resolution=15s\n {{ range $k,$v := .Options }}\n - --{{ $k }}={{ $v }}\n {{ end }}\n ports:\n - containerPort: 4443\n name: https\n protocol: TCP\n readinessProbe:\n failureThreshold: 3\n httpGet:\n path: /readyz\n port: https\n scheme: HTTPS\n initialDelaySeconds: 20\n periodSeconds: 10\n resources:\n requests:\n cpu: 100m\n memory: 200Mi\n securityContext:\n allowPrivilegeEscalation: false \n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 1000\n volumeMounts:\n - mountPath: /tmp\n name: tmp-dir\n---\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n labels:\n k8s-app: metrics-server\n name: v1beta1.metrics.k8s.io\nspec:\n group: metrics.k8s.io\n groupPriorityMinimum: 100\n insecureSkipTLSVerify: true\n service:\n name: metrics-server\n namespace: kube-system\n version: v1beta1\n versionPriority: 100\n---\n", "metricsserver-v1.20": "\n{{- if eq .RBACConfig \"rbac\"}}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: system:aggregated-metrics-reader\nrules:\n- apiGroups:\n - metrics.k8s.io\n resources:\n - pods\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n - nodes/stats\n - namespaces\n - configmaps\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server-auth-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server:system:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n k8s-app: metrics-server\n name: system:metrics-server\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:metrics-server\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n k8s-app: metrics-server\n name: metrics-server\n namespace: kube-system\nspec:\n ports:\n - name: https\n port: 443\n protocol: TCP\n targetPort: https\n selector:\n k8s-app: metrics-server\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: metrics-server\n namespace: kube-system\n labels:\n k8s-app: metrics-server\nspec:\n{{if .Replicas}}\n replicas: {{.Replicas}}\n{{end}}\n selector:\n matchLabels:\n k8s-app: metrics-server\n{{if .UpdateStrategy}}\n strategy:\n{{ toYaml .UpdateStrategy | indent 4}}\n{{end}}\n template:\n metadata:\n name: metrics-server\n labels:\n k8s-app: metrics-server\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n serviceAccountName: metrics-server\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n volumes:\n - emptyDir: {}\n name: tmp-dir\n # Rancher specific change\n priorityClassName: {{ .MetricsServerPriorityClassName | default \"system-cluster-critical\" }}\n containers:\n - name: metrics-server\n image: {{ .MetricsServerImage }}\n imagePullPolicy: IfNotPresent\n livenessProbe:\n failureThreshold: 3\n httpGet:\n path: /livez\n port: https\n scheme: HTTPS\n periodSeconds: 10\n args:\n - --cert-dir=/tmp\n - --secure-port=4443\n # Rancher specific: connecting to kubelet using insecure tls\n - --kubelet-insecure-tls\n - --kubelet-preferred-address-types=InternalIP\n - --logtostderr\n {{ range $k,$v := .Options }}\n - --{{ $k }}={{ $v }}\n {{ end }}\n ports:\n - containerPort: 4443\n name: https\n protocol: TCP\n readinessProbe:\n failureThreshold: 3\n httpGet:\n path: /readyz\n port: https\n scheme: HTTPS\n periodSeconds: 10\n securityContext:\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 1000\n volumeMounts:\n - mountPath: /tmp\n name: tmp-dir\n---\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n labels:\n k8s-app: metrics-server\n name: v1beta1.metrics.k8s.io\nspec:\n group: metrics.k8s.io\n groupPriorityMinimum: 100\n insecureSkipTLSVerify: true\n service:\n name: metrics-server\n namespace: kube-system\n version: v1beta1\n versionPriority: 100\n---\n", "metricsserver-v1.8": "\n{{- if eq .RBACConfig \"rbac\"}}\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: metrics-server:system:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: RoleBinding\nmetadata:\n name: metrics-server-auth-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: system:metrics-server\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n - nodes/stats\n - namespaces\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"extensions\"\n resources:\n - deployments\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system:metrics-server\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:metrics-server\nsubjects:\n- kind: ServiceAccount\n name: metrics-server\n namespace: kube-system\n{{- end }}\n---\napiVersion: apiregistration.k8s.io/v1beta1\nkind: APIService\nmetadata:\n name: v1beta1.metrics.k8s.io\nspec:\n service:\n name: metrics-server\n namespace: kube-system\n group: metrics.k8s.io\n version: v1beta1\n insecureSkipTLSVerify: true\n groupPriorityMinimum: 100\n versionPriority: 100\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: metrics-server\n namespace: kube-system\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: metrics-server\n namespace: kube-system\n labels:\n k8s-app: metrics-server\nspec:\n{{if .Replicas}}\n replicas: {{.Replicas}}\n{{end}}\n selector:\n matchLabels:\n k8s-app: metrics-server\n{{if .UpdateStrategy}}\n strategy:\n{{ toYaml .UpdateStrategy | indent 4}}\n{{end}}\n template:\n metadata:\n name: metrics-server\n labels:\n k8s-app: metrics-server\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n - key: node-role.kubernetes.io/worker\n operator: Exists\n# Rancher specific change\n{{ if .MetricsServerPriorityClassName }}\n priorityClassName: {{ .MetricsServerPriorityClassName }}\n{{ end }}\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n serviceAccountName: metrics-server\n{{- if .Tolerations}}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n{{- end }}\n containers:\n - name: metrics-server\n image: {{ .MetricsServerImage }}\n imagePullPolicy: Always\n command:\n - /metrics-server\n {{- if eq .Version \"v0.3\" }}\n - --kubelet-insecure-tls\n - --kubelet-preferred-address-types=InternalIP\n - --logtostderr\n {{- else }}\n - --source=kubernetes.summary_api:https://kubernetes.default.svc?kubeletHttps=true\u0026kubeletPort=10250\u0026useServiceAccount=true\u0026insecure=true\n {{- end }}\n {{ range $k,$v := .Options }}\n - --{{ $k }}={{ $v }}\n {{ end }}\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: metrics-server\n namespace: kube-system\n labels:\n kubernetes.io/name: \"Metrics-server\"\nspec:\n selector:\n k8s-app: metrics-server\n ports:\n - port: 443\n protocol: TCP\n targetPort: 443\n",