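---
# Installs the Mesosphere Kubernetes Engine (MKE) on DC/OS and then one
# Kubernetes cluster managed by it. Each package gets its own IAM group,
# service account and secret path; the group permissions are the grants the
# package needs to register and run as a Mesos framework.
#
# The play runs on the control host only (localhost, no privilege
# escalation); the dcos_* modules presumably act through the DC/OS API with
# the session set up by connection.yml.
- name: Install Kubernetes as a Service
  hosts: localhost
  serial: 1
  become: false
  tasks:
    # `include` has been deprecated since Ansible 2.4 in favour of
    # include_tasks / import_tasks and is removed in recent ansible-core
    # releases. Kept as-is because the Ansible version this repository
    # targets is not visible here; switch when the pin allows it.
    - name: Connect to the cluster
      include: connection.yml

    - name: Install Edge-LB
      include: edgelb.yml

    # IAM group for the MKE framework itself: reserve resources and register
    # under kubernetes-role, and launch its tasks as the unprivileged
    # `nobody` user.
    - name: Create a group for Mesosphere Kubernetes Engine
      dcos_iam_group:
        gid: kubernetes-group
        description: Permissions for Mesosphere Kubernetes Engine
        state: present
        permissions:
          - rid: dcos:mesos:master:reservation:role:kubernetes-role
            action: create
          - rid: dcos:mesos:master:framework:role:kubernetes-role
            action: create
          - rid: dcos:mesos:master:task:user:nobody
            action: create

    # Service account for MKE. The credential is kept in the DC/OS secret
    # store at secret_path and referenced by the package options below, so
    # no key material lives in this playbook. (Task was named identically to
    # the kubernetes-cluster one below; renamed so run logs are unambiguous.)
    - name: Create service account for Mesosphere Kubernetes Engine
      dcos_iam_serviceaccount:
        sid: kubernetes
        description: 'Kubernetes Cluster Service Account'
        secret_path: kubernetes/secret
        groups:
          - kubernetes-group
        state: present

    # Pinned package version; keep it equal to the kubernetes-cluster
    # version below so engine and cluster stay on the same release.
    - name: Ensure Mesosphere Kubernetes Engine is installed
      dcos_package:
        name: kubernetes
        app_id: kubernetes
        version: "2.4.4-1.15.4"
        state: present
        options:
          service:
            name: kubernetes
            service_account: kubernetes
            service_account_secret: kubernetes/secret

    # IAM group for the Kubernetes cluster framework. These grants are broad:
    # tasks may run as root on masters and agents, the Admin Router CA is
    # both readable and writable, every secret under /kubernetes-cluster/ is
    # fully accessible, and any Marathon service can be created or deleted.
    # They are presumably what the kubernetes-cluster package requires;
    # confirm against the package's documented permission list and drop any
    # this deployment does not need.
    - name: Create a group for Kubernetes Cluster
      dcos_iam_group:
        gid: kubernetes-cluster-group
        description: Permissions for Kubernetes
        state: present
        permissions:
          - rid: dcos:mesos:master:framework:role:*
            action: read
          - rid: dcos:mesos:master:framework:role:kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:task:user:root
            action: create
          - rid: dcos:mesos:agent:task:user:root
            action: create
          - rid: dcos:mesos:master:reservation:role:kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:reservation:principal:kubernetes-cluster
            action: delete
          - rid: dcos:mesos:master:volume:role:kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:volume:principal:kubernetes-cluster
            action: delete
          - rid: dcos:service:marathon:marathon:services:/
            action: create
          - rid: dcos:service:marathon:marathon:services:/
            action: delete
          - rid: dcos:secrets:default:/kubernetes-cluster/*
            action: full
          - rid: dcos:secrets:list:default:/kubernetes-cluster
            action: read
          - rid: dcos:adminrouter:ops:ca:rw
            action: full
          - rid: dcos:adminrouter:ops:ca:ro
            action: full
          - rid: dcos:mesos:master:framework:role:slave_public/kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:framework:role:slave_public/kubernetes-cluster-role
            action: read
          - rid: dcos:mesos:master:reservation:role:slave_public/kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:volume:role:slave_public/kubernetes-cluster-role
            action: create
          - rid: dcos:mesos:master:framework:role:slave_public
            action: read
          - rid: dcos:mesos:agent:framework:role:slave_public
            action: read

    # Service account for the cluster framework; same pattern as above with
    # its own secret path.
    - name: Create service account for Kubernetes Cluster
      dcos_iam_serviceaccount:
        sid: kubernetes-cluster
        description: 'Kubernetes Cluster Service Account'
        secret_path: kubernetes-cluster/secret
        groups:
          - kubernetes-cluster-group
        state: present

    # Package options written as block YAML rather than embedded JSON; the
    # resulting mapping is identical.
    - name: Ensure Kubernetes Cluster is installed
      dcos_package:
        name: kubernetes-cluster
        app_id: kubernetes-cluster
        version: "2.4.4-1.15.4"
        state: present
        options:
          service:
            name: kubernetes-cluster
            service_account: kubernetes-cluster
            service_account_secret: kubernetes-cluster/secret
            virtual_network_name: dcos
            use_agent_docker_certs: true
          kubernetes:
            # AlwaysAllow or RBAC. RBAC is the safe choice: AlwaysAllow
            # disables API server authorization entirely.
            authorization_mode: RBAC
            dcos_token_authentication: true
            # Control plane is not highly available with this setting.
            high_availability: false
            private_node_count: 3
            public_node_count: 0
            private_reserved_resources:
              kube_cpus: 2
              kube_mem: 5120
            metrics_exporter:
              enabled: true
            # Exposes the API server through Edge-LB (installed above).
            # "$AUTOCERT" is passed through verbatim; presumably the
            # Edge-LB auto-generated certificate — confirm against the
            # package docs before relying on it.
            apiserver_edgelb:
              expose: true
              template: default
              certificate: "$AUTOCERT"
              port: 8181
              path: ""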