feat: add runtimeclass for crio, reorg kubeadm for 1.20

charts/kubeadm/.helmignore

@@ -0,0 +1,2 @@
+*.sh
+*.md

charts/kubeadm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.19.9
+version: 1.20.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubeadm/templates/README.md

@@ -0,0 +1,2 @@
+# aws-iam-authenticator
+- https://github.com/kubernetes-sigs/aws-iam-authenticator

charts/kubeadm/templates/k8s-ecr-login-renew/README.md

@@ -0,0 +1,8 @@
+# Create IAM role for ECR read-only access
+- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
+
+# Create secret for IAM user for ecr-renew
+`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>
+
+# Resources
+- https://github.com/nabsul/k8s-ecr-login-renew

charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  namespace: kube-system
+  name: ecr-renew
+  labels:
+    app: ecr-renew
+spec:
+  schedule: "0 */6 * * *"
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 5
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: ecr-renew
+          containers:
+            - name: ecr-renew
+              image: nabsul/k8s-ecr-login-renew:v1.4
+              env:
+                - name: DOCKER_SECRET_NAME
+                  value: ecr-login
+                - name: TARGET_NAMESPACE
+                  value: "*"
+                - name: AWS_REGION
+                  valueFrom:
+                    secretKeyRef:
+                      name: ecr-renew-cred
+                      key: AWS_REGION
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: ecr-renew-cred
+                      key: AWS_ACCESS_KEY_ID
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: ecr-renew-cred
+                      key: AWS_SECRET_ACCESS_KEY

charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: ecr-renew
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ecr-renew
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "update", "get", "delete"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  namespace: kube-system
+  name: ecr-renew
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ecr-renew
+subjects:
+  - kind: ServiceAccount
+    name: ecr-renew
+    namespace: kube-system

charts/kubeadm/templates/resources/10-runtimeClass.yaml

@@ -0,0 +1,8 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: crio
+handler: runc
+overhead:
+  podFixed:
+    memory: 16Mi

charts/kubeadm/values.yaml

@@ -13,5 +13,4 @@ systemd: true
 protectKernelDefaults: true
 
 WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
-WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode"
 KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"