# Top level cluster configuration.
local kube = import "../../kube/kube.libsonnet";
local coredns = import "lib/coredns.libsonnet";
local metrics = import "lib/metrics.libsonnet";
local calico = import "lib/calico.libsonnet";
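// Cluster builds the cluster-wide objects for one Kubernetes cluster.
//
// Parameters:
//   fqdn: fully qualified domain name of the cluster. It is used as the RBAC
//         User name that the API Server is bound under, so it must match the
//         CN of the API Server's client certificate.
//
// Result: an object holding the API Server -> kubelet RBAC objects and the
// Calico, CoreDNS and Metrics Server environments.
local Cluster(fqdn) = {
    local cluster = self,

    // These are required to let the API Server contact kubelets.
    crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
        metadata+: {
            annotations+: {
                "rbac.authorization.kubernetes.io/autoupdate": "true",
            },
            labels+: {
                // Key spelled "kubernetes.io", matching the label Kubernetes
                // puts on its own bootstrap RBAC objects.
                "kubernetes.io/bootstrapping": "rbac-defaults",
            },
        },
        rules: [
            {
                // Core API group, node subresources only.
                apiGroups: [""],
                resources: ["nodes/%s" % r for r in [ "proxy", "stats", "log", "spec", "metrics" ]],
                // NOTE(review): every verb is granted on each subresource.
                // nodes/proxy in particular gives broad access to the kubelet
                // API, so this role should stay bound to the API Server
                // identity only.
                verbs: ["*"],
            },
        ],
    },

    // Binds the role above to the API Server's user identity.
    crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") {
        roleRef: {
            apiGroup: "rbac.authorization.k8s.io",
            kind: "ClusterRole",
            // Taken from the role object so the two cannot drift apart.
            name: cluster.crAPIServerToKubelet.metadata.name,
        },
        subjects: [
            {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "User",
                // A cluster API Server authenticates with a certificate whose
                // CN is equal to the FQDN of the cluster.
                // NOTE(review): any client certificate carrying this CN gets
                // the role, so confirm the cluster CA issues that CN to the
                // API Server only.
                name: fqdn,
            },
        ],
    },

    // Calico network fabric
    calico: calico.Environment {},

    // CoreDNS for this cluster.
    dns: coredns.Environment {},

    // Metrics Server
    metrics: metrics.Environment {},
};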
// Output of this file: one entry per cluster, keyed by its short name.
{
    // FQDN of k0; also the RBAC User name its API Server is bound under.
    local k0Fqdn = "k0.hswaw.net",

    k0: Cluster(k0Fqdn),
}