ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 24 Packages Projects Releases Wiki Activity

feat: add runtimeclass for crio, reorg kubeadm for 1.20

Browse Source
This commit is contained in:
Stefan Reimer 2021-04-14 16:05:16 +02:00
parent f2d7d7821f
commit f9dbcee502
11 changed files with 92 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/kubeadm/.helmignore Normal file
View File

@ -0,0 +1,2 @@
*.sh
*.md

2
charts/kubeadm/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.19.9
version: 1.20.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:

2
charts/kubeadm/templates/README.md Normal file
View File

@ -0,0 +1,2 @@
# aws-iam-authenticator
- https://github.com/kubernetes-sigs/aws-iam-authenticator

8
charts/kubeadm/templates/k8s-ecr-login-renew/README.md Normal file
View File

@ -0,0 +1,8 @@
# Create IAM role for ECR read-only access
- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
# Create secret for IAM user for ecr-renew
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>
# Resources
- https://github.com/nabsul/k8s-ecr-login-renew

40
charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml Normal file
View File

@ -0,0 +1,40 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
namespace: kube-system
name: ecr-renew
labels:
app: ecr-renew
spec:
schedule: "0 */6 * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 5
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: ecr-renew
containers:
- name: ecr-renew
image: nabsul/k8s-ecr-login-renew:v1.4
env:
- name: DOCKER_SECRET_NAME
value: ecr-login
- name: TARGET_NAMESPACE
value: "*"
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_SECRET_ACCESS_KEY

31
charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml Normal file
View File

@ -0,0 +1,31 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: ecr-renew
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ecr-renew
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "update", "get", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
namespace: kube-system
name: ecr-renew
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ecr-renew
subjects:
- kind: ServiceAccount
name: ecr-renew
namespace: kube-system

0
charts/kubeadm/templates/aws-iam-authenticator/crds.yaml → charts/kubeadm/templates/resources/00-aws-iam-authenticator-crds.yaml
View File

0
charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml → charts/kubeadm/templates/resources/01-aws-iam-authenticator-deployment.yaml
View File

0
charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml → charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
View File

8
charts/kubeadm/templates/resources/10-runtimeClass.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: crio
handler: runc
overhead:
podFixed:
memory: 16Mi

1
charts/kubeadm/values.yaml
View File

@ -13,5 +13,4 @@ systemd: true
protectKernelDefaults: true
WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode"
KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"