
Commit db35c0a

authored
Merge pull request #12 from commitdev/add-dashboard-to-k8s
#9: Added kubernetes dashboard and metrics scraper, plus some documen…
2 parents 2803a14 + 9a1a851 commit db35c0a

2 files changed

Lines changed: 330 additions & 0 deletions


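--- a/kubernetes/terraform/modules/kubernetes/README.md
+++ b/kubernetes/terraform/modules/kubernetes/README.md
@@ -20,6 +20,13 @@ Alongside external-dns, this allows you to make sure your new domains are always
 [Cloudwatch Agent/Fluentd](https://github.com/fluent/fluentd)
 A unified logging layer, Fluentd handles capturing all log output from your cluster and routing it to various sources like Cloudwatch, Elasticsearch, etc.
 
+[Metrics Server](https://github.com/kubernetes-sigs/metrics-server)
+A collector of cluster-wide resource metrics.
+Used by things like HorizontalPodAutoscaler to determine the current usage of pods. Also allows the `kubectl top` command
+
+[Kubernetes Dashboard](https://github.com/kubernetes/dashboard)
+A web-based GUI for viewing and modifying resources in a Kubernetes cluster. Usage instructions below.
+
 
 ## AWS IAM / Kubernetes RBAC integration
 
@@ -69,3 +76,17 @@ Any pods that come up in that deployment will automatically have env vars inject
 ingress/ - Provision nginx-ingress-controller.
 monitoring/ - Provision cluster monitoring (cloudwatch agent and fluentd).
 ```
+
+
+## Dashboard
+
+Kubernetes dashboard will be installed and can be reached by running the following:
+(MacOS specific - requires `kubectl`, `jq`)
+
+```
+kubectl get secret -o json -n kubernetes-dashboard $(kubectl get secret -n kubernetes-dashboard | grep dashboard-user-token | awk '{print $1}') | jq -r .data.token | base64 -D | pbcopy && \
+open "http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login" && kubectl proxy
+```
+
+This will get the token from k8s secrets, copy it to your clipboard, open a browser to the dashboard, and forward the appropriate port.
+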
Lines changed: 309 additions & 0 deletions
@@ -0,0 +1,309 @@
1+
resource "kubernetes_service_account" "kubernetes_dashboard_user" {
2+
metadata {
3+
name = "dashboard-user"
4+
namespace = "kubernetes-dashboard"
5+
}
6+
}
7+
8+
resource "kubernetes_cluster_role_binding" "kubernetes_dashboard_user" {
9+
metadata {
10+
name = "dashboard-user"
11+
}
12+
subject {
13+
kind = "ServiceAccount"
14+
name = "dashboard-user"
15+
namespace = "kubernetes-dashboard"
16+
}
17+
role_ref {
18+
api_group = "rbac.authorization.k8s.io"
19+
kind = "ClusterRole"
20+
name = "cluster-admin"
21+
}
22+
}
23+
24+
resource "kubernetes_namespace" "kubernetes_dashboard" {
25+
metadata {
26+
name = "kubernetes-dashboard"
27+
}
28+
}
29+
30+
resource "kubernetes_service_account" "kubernetes_dashboard" {
31+
metadata {
32+
name = "kubernetes-dashboard"
33+
namespace = "kubernetes-dashboard"
34+
labels = { k8s-app = "kubernetes-dashboard" }
35+
}
36+
}
37+
38+
resource "kubernetes_service" "kubernetes_dashboard" {
39+
metadata {
40+
name = "kubernetes-dashboard"
41+
namespace = "kubernetes-dashboard"
42+
labels = { k8s-app = "kubernetes-dashboard" }
43+
}
44+
spec {
45+
port {
46+
port = 443
47+
target_port = "8443"
48+
}
49+
selector = { k8s-app = "kubernetes-dashboard" }
50+
}
51+
}
52+
53+
resource "kubernetes_secret" "kubernetes_dashboard_certs" {
54+
metadata {
55+
name = "kubernetes-dashboard-certs"
56+
namespace = "kubernetes-dashboard"
57+
labels = { k8s-app = "kubernetes-dashboard" }
58+
}
59+
type = "Opaque"
60+
}
61+
62+
resource "kubernetes_secret" "kubernetes_dashboard_csrf" {
63+
metadata {
64+
name = "kubernetes-dashboard-csrf"
65+
namespace = "kubernetes-dashboard"
66+
labels = { k8s-app = "kubernetes-dashboard" }
67+
}
68+
type = "Opaque"
69+
}
70+
71+
resource "kubernetes_secret" "kubernetes_dashboard_key_holder" {
72+
metadata {
73+
name = "kubernetes-dashboard-key-holder"
74+
namespace = "kubernetes-dashboard"
75+
labels = { k8s-app = "kubernetes-dashboard" }
76+
}
77+
type = "Opaque"
78+
}
79+
80+
resource "kubernetes_config_map" "kubernetes_dashboard_settings" {
81+
metadata {
82+
name = "kubernetes-dashboard-settings"
83+
namespace = "kubernetes-dashboard"
84+
labels = { k8s-app = "kubernetes-dashboard" }
85+
}
86+
}
87+
88+
resource "kubernetes_role" "kubernetes_dashboard" {
89+
metadata {
90+
name = "kubernetes-dashboard"
91+
namespace = "kubernetes-dashboard"
92+
labels = { k8s-app = "kubernetes-dashboard" }
93+
}
94+
rule {
95+
verbs = ["get", "update", "delete"]
96+
api_groups = [""]
97+
resources = ["secrets"]
98+
resource_names = ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
99+
}
100+
rule {
101+
verbs = ["get", "update"]
102+
api_groups = [""]
103+
resources = ["configmaps"]
104+
resource_names = ["kubernetes-dashboard-settings"]
105+
}
106+
rule {
107+
verbs = ["proxy"]
108+
api_groups = [""]
109+
resources = ["services"]
110+
resource_names = ["heapster", "dashboard-metrics-scraper"]
111+
}
112+
rule {
113+
verbs = ["get"]
114+
api_groups = [""]
115+
resources = ["services/proxy"]
116+
resource_names = ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
117+
}
118+
}
119+
120+
resource "kubernetes_cluster_role" "kubernetes_dashboard" {
121+
metadata {
122+
name = "kubernetes-dashboard"
123+
labels = { k8s-app = "kubernetes-dashboard" }
124+
}
125+
rule {
126+
verbs = ["get", "list", "watch"]
127+
api_groups = ["metrics.k8s.io"]
128+
resources = ["pods", "nodes"]
129+
}
130+
}
131+
132+
resource "kubernetes_role_binding" "kubernetes_dashboard" {
133+
metadata {
134+
name = "kubernetes-dashboard"
135+
namespace = "kubernetes-dashboard"
136+
labels = { k8s-app = "kubernetes-dashboard" }
137+
}
138+
subject {
139+
kind = "ServiceAccount"
140+
name = "kubernetes-dashboard"
141+
namespace = "kubernetes-dashboard"
142+
}
143+
role_ref {
144+
api_group = "rbac.authorization.k8s.io"
145+
kind = "Role"
146+
name = "kubernetes-dashboard"
147+
}
148+
}
149+
150+
resource "kubernetes_cluster_role_binding" "kubernetes_dashboard" {
151+
metadata {
152+
name = "kubernetes-dashboard"
153+
}
154+
subject {
155+
kind = "ServiceAccount"
156+
name = "kubernetes-dashboard"
157+
namespace = "kubernetes-dashboard"
158+
}
159+
role_ref {
160+
api_group = "rbac.authorization.k8s.io"
161+
kind = "ClusterRole"
162+
name = "kubernetes-dashboard"
163+
}
164+
}
165+
166+
resource "kubernetes_deployment" "kubernetes_dashboard" {
167+
metadata {
168+
name = "kubernetes-dashboard"
169+
namespace = "kubernetes-dashboard"
170+
labels = { k8s-app = "kubernetes-dashboard" }
171+
}
172+
spec {
173+
replicas = 1
174+
selector {
175+
match_labels = { k8s-app = "kubernetes-dashboard" }
176+
}
177+
template {
178+
metadata {
179+
labels = { k8s-app = "kubernetes-dashboard" }
180+
}
181+
spec {
182+
volume {
183+
name = "kubernetes-dashboard-certs"
184+
secret {
185+
secret_name = "kubernetes-dashboard-certs"
186+
}
187+
}
188+
volume {
189+
name = "tmp-volume"
190+
}
191+
container {
192+
name = "kubernetes-dashboard"
193+
image = "kubernetesui/dashboard:v2.0.0-rc7"
194+
args = ["--auto-generate-certificates", "--namespace=kubernetes-dashboard"]
195+
port {
196+
container_port = 8443
197+
protocol = "TCP"
198+
}
199+
volume_mount {
200+
name = "kubernetes-dashboard-certs"
201+
mount_path = "/certs"
202+
}
203+
volume_mount {
204+
name = "tmp-volume"
205+
mount_path = "/tmp"
206+
}
207+
liveness_probe {
208+
http_get {
209+
path = "/"
210+
port = "8443"
211+
scheme = "HTTPS"
212+
}
213+
initial_delay_seconds = 30
214+
timeout_seconds = 30
215+
}
216+
image_pull_policy = "IfNotPresent"
217+
security_context {
218+
run_as_user = 1001
219+
run_as_group = 2001
220+
read_only_root_filesystem = true
221+
}
222+
}
223+
node_selector = { "beta.kubernetes.io/os" = "linux" }
224+
service_account_name = "kubernetes-dashboard"
225+
automount_service_account_token = true
226+
toleration {
227+
key = "node-role.kubernetes.io/master"
228+
effect = "NoSchedule"
229+
}
230+
}
231+
}
232+
revision_history_limit = 10
233+
}
234+
}
235+
236+
resource "kubernetes_service" "dashboard_metrics_scraper" {
237+
metadata {
238+
name = "dashboard-metrics-scraper"
239+
namespace = "kubernetes-dashboard"
240+
labels = { k8s-app = "dashboard-metrics-scraper" }
241+
}
242+
spec {
243+
port {
244+
port = 8000
245+
target_port = "8000"
246+
}
247+
selector = { k8s-app = "dashboard-metrics-scraper" }
248+
}
249+
}
250+
251+
resource "kubernetes_deployment" "dashboard_metrics_scraper" {
252+
metadata {
253+
name = "dashboard-metrics-scraper"
254+
namespace = "kubernetes-dashboard"
255+
labels = { k8s-app = "dashboard-metrics-scraper" }
256+
}
257+
spec {
258+
replicas = 1
259+
selector {
260+
match_labels = { k8s-app = "dashboard-metrics-scraper" }
261+
}
262+
template {
263+
metadata {
264+
labels = { k8s-app = "dashboard-metrics-scraper" }
265+
annotations = { "seccomp.security.alpha.kubernetes.io/pod" = "runtime/default" }
266+
}
267+
spec {
268+
volume {
269+
name = "tmp-volume"
270+
}
271+
container {
272+
name = "dashboard-metrics-scraper"
273+
image = "kubernetesui/metrics-scraper:v1.0.4"
274+
port {
275+
container_port = 8000
276+
protocol = "TCP"
277+
}
278+
volume_mount {
279+
name = "tmp-volume"
280+
mount_path = "/tmp"
281+
}
282+
liveness_probe {
283+
http_get {
284+
path = "/"
285+
port = "8000"
286+
scheme = "HTTP"
287+
}
288+
initial_delay_seconds = 30
289+
timeout_seconds = 30
290+
}
291+
security_context {
292+
run_as_user = 1001
293+
run_as_group = 2001
294+
read_only_root_filesystem = true
295+
}
296+
}
297+
node_selector = { "beta.kubernetes.io/os" = "linux" }
298+
service_account_name = "kubernetes-dashboard"
299+
automount_service_account_token = true
300+
toleration {
301+
key = "node-role.kubernetes.io/master"
302+
effect = "NoSchedule"
303+
}
304+
}
305+
}
306+
revision_history_limit = 10
307+
}
308+
}
309+
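Review bot: The `kubernetes_cluster_role_binding` named `kubernetes_dashboard_user` near the top of this file binds the `dashboard-user` service account to `cluster-admin`, so the token the README tells operators to copy out of the secret is a standing credential with full control of the cluster. Anyone who can read secrets in the `kubernetes-dashboard` namespace, or who obtains that token from a clipboard or browser session, holds cluster-admin. Binding to a narrower built-in role, for example `name = "view"` in that `role_ref`, or exposing the role name as a module variable with a read-only default, would bound the exposure. Separately, both container `security_context` blocks set `read_only_root_filesystem` but omit `allow_privilege_escalation = false`. The namespaced resources also use the literal `"kubernetes-dashboard"` instead of `kubernetes_namespace.kubernetes_dashboard.metadata.0.name`, so nothing visible here makes Terraform create the namespace before the objects placed in it.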
