feat: add runtimeclass for crio, reorg kubeadm for 1.20

Stefan Reimer 2021-04-14 16:05:16 +02:00
parent f2d7d7821f
commit f9dbcee502
11 changed files with 92 additions and 2 deletions


@ -0,0 +1,2 @@
*.sh
*.md


@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm name: kubeadm
description: KubeZero Kubeadm golden config description: KubeZero Kubeadm golden config
type: application type: application
version: 1.19.9 version: 1.20.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -0,0 +1,2 @@
# aws-iam-authenticator
- https://github.com/kubernetes-sigs/aws-iam-authenticator


@ -0,0 +1,8 @@
# Create IAM role for ECR read-only access
- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
# Create secret for IAM user for ecr-renew
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>
# Resources
- https://github.com/nabsul/k8s-ecr-login-renew


@ -0,0 +1,40 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
namespace: kube-system
name: ecr-renew
labels:
app: ecr-renew
spec:
schedule: "0 */6 * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 5
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: ecr-renew
containers:
- name: ecr-renew
image: nabsul/k8s-ecr-login-renew:v1.4
env:
- name: DOCKER_SECRET_NAME
value: ecr-login
- name: TARGET_NAMESPACE
value: "*"
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_SECRET_ACCESS_KEY
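Review bot: The container runs with no `securityContext` at all, while it holds long-lived IAM user credentials (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from `ecr-renew-cred`) and a service-account token that can write secrets in every namespace, so a container escape or a bug in the image has nothing standing in its way. Add a restrictive pod/container security context and pin the image by digest rather than the mutable `v1.4` tag; `concurrencyPolicy: Forbid` would also stop overlapping runs from racing on the same secrets. Longer term, the values file already carries an IAM role for worker nodes, so the static access key could presumably be replaced by a node/pod IAM role (IRSA or similar) — worth confirming whether the upstream image supports the default credential chain before relying on that.
```yaml
    spec:
      restartPolicy: OnFailure
      serviceAccountName: ecr-renew
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: ecr-renew
          image: nabsul/k8s-ecr-login-renew:v1.4   # TODO: pin by @sha256 digest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env (DOCKER_SECRET_NAME, TARGET_NAMESPACE, AWS_* from secretKeyRef) …
```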


@ -0,0 +1,31 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: ecr-renew
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ecr-renew
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "update", "get", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
namespace: kube-system
name: ecr-renew
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ecr-renew
subjects:
- kind: ServiceAccount
name: ecr-renew
namespace: kube-system
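Review bot: The `ecr-renew` ClusterRole grants `get`, `update` and `delete` on every Secret in every namespace, which is far more than the job needs: anyone who obtains this service account's token can read any secret in the cluster by name. Since the CronJob only ever manages the secret named in `DOCKER_SECRET_NAME` (`ecr-login`), the read/write/delete verbs can be scoped with `resourceNames`; only `create` has to stay unscoped because Kubernetes cannot restrict `create` by resource name. `list` and `watch` are correctly absent, so a bulk dump is already prevented, but per-name `get` across all namespaces is still a cluster-wide secret read. Minor: `metadata.namespace` on a ClusterRoleBinding is meaningless for a cluster-scoped object and is better dropped.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecr-login"]   # must match DOCKER_SECRET_NAME in the CronJob
    verbs: ["get", "update", "delete"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
# … unchanged: ClusterRoleBinding (without metadata.namespace) …
```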


@ -0,0 +1,8 @@
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: crio
handler: runc
overhead:
podFixed:
memory: 16Mi
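Review bot: The RuntimeClass is named `crio` but its `handler` is `runc`, and nothing here documents that `runc` must correspond to a runtime handler configured on the node's CRI-O (presumably a `[crio.runtime.runtimes.runc]` entry) — a pod selecting `runtimeClassName: crio` on a node without that handler fails at sandbox creation rather than at admission. A short comment above `handler:` such as `# must match a configured CRI-O runtime handler name; pods using this class fail to start on nodes without it` would save the next maintainer a debugging session, and if the cluster mixes node runtimes a `scheduling.nodeSelector` would keep such pods off the wrong nodes. The `overhead.podFixed` entry accounts for memory only; if that is deliberate (no CPU overhead charged), say so in a comment, otherwise add a `cpu` value too.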


@ -13,5 +13,4 @@ systemd: true
protectKernelDefaults: true protectKernelDefaults: true
WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode" WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode"
KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode" KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"