From f9dbcee502910dc08cb78fc9c5eb603b507c1efe Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 14 Apr 2021 16:05:16 +0200
Subject: [PATCH] feat: add runtimeclass for crio, reorg kubeadm for 1.20
---
 charts/kubeadm/.helmignore | 2 +
 charts/kubeadm/Chart.yaml | 2 +-
 charts/kubeadm/templates/README.md | 2 +
 .../templates/k8s-ecr-login-renew/README.md | 8 ++++
 .../k8s-ecr-login-renew/cronjob.yaml | 40 +++++++++++++++++++
 .../k8s-ecr-login-renew/service-account.yml | 31 ++++++++++++++
 .../00-aws-iam-authenticator-crds.yaml} | 0
 .../01-aws-iam-authenticator-deployment.yaml} | 0
 .../02-aws-iam-authenticator-mappings.yaml} | 0
 .../templates/resources/10-runtimeClass.yaml | 8 ++++
 charts/kubeadm/values.yaml | 1 -
 11 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 charts/kubeadm/.helmignore
 create mode 100644 charts/kubeadm/templates/README.md
 create mode 100644 charts/kubeadm/templates/k8s-ecr-login-renew/README.md
 create mode 100644 charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml
 create mode 100644 charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml
 rename charts/kubeadm/templates/{aws-iam-authenticator/crds.yaml => resources/00-aws-iam-authenticator-crds.yaml} (100%)
 rename charts/kubeadm/templates/{aws-iam-authenticator/deployment.yaml => resources/01-aws-iam-authenticator-deployment.yaml} (100%)
 rename charts/kubeadm/templates/{aws-iam-authenticator/mappings.yaml => resources/02-aws-iam-authenticator-mappings.yaml} (100%)
 create mode 100644 charts/kubeadm/templates/resources/10-runtimeClass.yaml
diff --git a/charts/kubeadm/.helmignore b/charts/kubeadm/.helmignore
new file mode 100644
index 00000000..0b1f83c1
--- /dev/null
+++ b/charts/kubeadm/.helmignore
@@ -0,0 +1,2 @@
+*.sh
+*.md
diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml
index 35623829..b46b7d0a 100644
--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.19.9
+version: 1.20.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubeadm/templates/README.md b/charts/kubeadm/templates/README.md
new file mode 100644
index 00000000..afb2413e
--- /dev/null
+++ b/charts/kubeadm/templates/README.md
@@ -0,0 +1,2 @@
+# aws-iam-authenticator
+- https://github.com/kubernetes-sigs/aws-iam-authenticator
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/README.md b/charts/kubeadm/templates/k8s-ecr-login-renew/README.md
new file mode 100644
index 00000000..41b8bfc4
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/README.md
@@ -0,0 +1,8 @@
+# Create IAM role for ECR read-only access
+- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
+
+# Create secret for IAM user for ecr-renew
+`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION= --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY=
+
+# Resources
+- https://github.com/nabsul/k8s-ecr-login-renew
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml b/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml
new file mode 100644
index 00000000..5d4d041e
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+ labels:
+ app: ecr-renew
+spec:
+ schedule: "0 */6 * * *"
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 5
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: ecr-renew
+ containers:
+ - name: ecr-renew
+ image: nabsul/k8s-ecr-login-renew:v1.4
+ env:
+ - name: DOCKER_SECRET_NAME
+ value: ecr-login
+ - name: TARGET_NAMESPACE
+ value: "*"
+ - name: AWS_REGION
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_REGION
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_SECRET_ACCESS_KEY
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml b/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml
new file mode 100644
index 00000000..0591ebc0
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ecr-renew
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "update", "get", "delete"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ecr-renew
+subjects:
+ - kind: ServiceAccount
+ name: ecr-renew
+ namespace: kube-system
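Review bot: The `ecr-renew` container spec in cronjob.yaml sets no `securityContext` and no `resources`, even though it runs in kube-system with the long-lived `AWS_SECRET_ACCESS_KEY` from `ecr-renew-cred` exposed as an environment variable. The image is referenced as `nabsul/k8s-ecr-login-renew:v1.4`, a mutable tag; pinning it by digest (`image: nabsul/k8s-ecr-login-renew:v1.4@sha256:<digest>`) keeps a re-tagged upstream image from reaching kube-system unnoticed. The README added in this commit already asks for an IAM role with `AmazonEC2ContainerRegistryReadOnly`; if that role is the worker nodes' instance role, the three `secretKeyRef` entries could be dropped in favour of it and the static IAM-user key retired, which I cannot confirm from the chart alone. A minimal hardening of the container block (resource figures are sample values, to be sized by the author):
```yaml
      containers:
        - name: ecr-renew
          image: nabsul/k8s-ecr-login-renew:v1.4  # pin by digest: @sha256:<digest>
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # runAsNonRoot: true -- enable once the image's user is confirmed
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 64Mi
          # … unchanged: env entries …
```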
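Review bot: The `ecr-renew` ClusterRole in service-account.yml grants `get`, `update` and `delete` on every Secret in every namespace, far more than the renewer needs for the single secret it manages (`DOCKER_SECRET_NAME` is `ecr-login` in cronjob.yaml). Because `TARGET_NAMESPACE` is `"*"` the role does have to be cluster-wide, but `get`/`update`/`delete` can be confined with `resourceNames` to that one name; only `create` cannot be name-restricted in RBAC and stays in its own rule. The ClusterRoleBinding also carries `namespace: kube-system` in its metadata, which is meaningless for a cluster-scoped object and is dropped by the API server, so it only misleads readers; and the file is the one template named `.yml` while the rest of the chart uses `.yaml`. Suggested rules block:
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecr-login"]
    verbs: ["get", "update", "delete"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
```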
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml b/charts/kubeadm/templates/resources/00-aws-iam-authenticator-crds.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
rename to charts/kubeadm/templates/resources/00-aws-iam-authenticator-crds.yaml
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml b/charts/kubeadm/templates/resources/01-aws-iam-authenticator-deployment.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
rename to charts/kubeadm/templates/resources/01-aws-iam-authenticator-deployment.yaml
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml b/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml
rename to charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
diff --git a/charts/kubeadm/templates/resources/10-runtimeClass.yaml b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
new file mode 100644
index 00000000..ed979d2c
--- /dev/null
+++ b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
@@ -0,0 +1,8 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+ name: crio
+handler: runc
+overhead:
+ podFixed:
+ memory: 16Mi
diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml
index 6798ff8b..6260a558 100644
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
@@ -13,5 +13,4 @@ systemd: true
 protectKernelDefaults: true
 WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
-WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode"
 KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
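Review bot: 10-runtimeClass.yaml defines a RuntimeClass named `crio` whose `handler` is `runc` and an `overhead.podFixed.memory` of `16Mi`, with nothing in the file or the commit message saying where either value comes from. Every pod that sets `runtimeClassName: crio` has that 16Mi added to its memory request for scheduling and quota, and `handler` must match a runtime handler name configured in CRI-O on every node, so both deserve a comment; e.g. above `handler`: `# Must match the runtime handler name in the nodes' CRI-O config; podFixed is charged to each pod's requests and quota`, with the author naming the measurement the 16Mi is based on, which I cannot tell from here. It is also worth stating that the class is opt-in per pod and not a node default, since the name suggests it describes the cluster's CRI rather than a handler choice.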