diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 5951086e9507e486b5e80bcf19f29ed16b0635be..2e9defcce0dad183564dfd8ff39830dfed83285c 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -39,9 +39,9 @@ netchecker_server_cpu_requests: 50m netchecker_server_memory_requests: 64M # Dashboard -dashboard_enabled: false +dashboard_enabled: true dashboard_image_repo: gcr.io/google_containers/kubernetes-dashboard-amd64 -dashboard_image_tag: v1.7.1 +dashboard_image_tag: v1.8.1 dashboard_init_image_repo: gcr.io/google_containers/kubernetes-dashboard-init-amd64 dashboard_init_image_tag: v1.0.1 @@ -51,9 +51,6 @@ dashboard_memory_limit: 256M dashboard_cpu_requests: 50m dashboard_memory_requests: 64M -# SSL -etcd_cert_dir: "/etc/ssl/etcd/ssl" -canal_cert_dir: "/etc/canal/certs" # Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that # contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs dashboard_use_custom_certs: false @@ -61,6 +58,10 @@ dashboard_certs_secret_name: kubernetes-dashboard-certs dashboard_tls_key_file: dashboard.key dashboard_tls_cert_file: dashboard.crt +# SSL +etcd_cert_dir: "/etc/ssl/etcd/ssl" +canal_cert_dir: "/etc/canal/certs" + rbac_resources: - sa - clusterrole diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index b16ddd467af0f00ce87676d9573ca9b4332b895f..b1ba1481de20b95ebd54575cf1767f207e5a25d4 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 @@ -13,7 +13,7 @@ # limitations under the License. # Configuration to deploy release version of the Dashboard UI compatible with -# Kubernetes 1.7. +# Kubernetes 1.8. # # Example usage: kubectl create -f <this_file> 
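Review bot: Flipping `dashboard_enabled` to `true` in the @@ -39,9 +39,9 hunk turns the dashboard from opt-in into something every inventory that does not override the default will deploy on its next run, and nothing in the defaults file says so. A comment above the variable would make that explicit, for example `# Deployed by default; set dashboard_enabled: false on clusters that should not run the web UI`. The `dashboard_init_image_repo` and `dashboard_init_image_tag` defaults are kept as context here although the same commit removes the initContainer from dashboard.yml.j2, so they look unused unless something outside this diff still reads them.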
@@ -43,28 +43,41 @@ metadata: # ------------------- Dashboard Role & Role Binding ------------------- # kind: Role -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kubernetes-dashboard-minimal namespace: {{ system_namespace }} rules: - # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret. + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. - apiGroups: [""] resources: ["secrets"] - verbs: ["create", "watch"] + verbs: ["create"] + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] - # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret. resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] # Allow Dashboard to get metrics from heapster. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster"] verbs: ["proxy"] +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:"] + verbs: ["get"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubernetes-dashboard-minimal @@ -110,7 +123,7 @@ subjects: # ------------------- Dashboard Deployment ------------------- # kind: Deployment -apiVersion: extensions/v1beta1 +apiVersion: apps/v1beta2 metadata: labels: k8s-app: kubernetes-dashboard 
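Review bot: The comments on the two `create` rules in the @@ -43,28 +43,41 hunk each name a single object ('kubernetes-dashboard-key-holder', 'kubernetes-dashboard-settings'), but neither rule carries `resourceNames`, so as written the Role permits creating any Secret and any ConfigMap in `{{ system_namespace }}`. Kubernetes RBAC cannot restrict `create` by resource name, so the rule itself may be unavoidable, but the comment should state what is actually granted, e.g. `# Allow Dashboard to create secrets in this namespace (create cannot be limited by resourceNames); needed for 'kubernetes-dashboard-key-holder'.` The new `services/proxy` rule at the end has no comment and sits beside the older `services` / `proxy` rule for heapster; a line such as `# Allow Dashboard to reach heapster through the API server proxy subresource.` would explain why both are present.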
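Review bot: Moving the Deployment to `apps/v1beta2` in the @@ -110,7 +123,7 hunk makes `spec.selector` mandatory, whereas `extensions/v1beta1` defaulted it from the pod template labels. The selector lies outside this hunk, so confirm the template sets `selector.matchLabels` to `k8s-app: kubernetes-dashboard`; without it the API server rejects the manifest. Together with the `rbac.authorization.k8s.io/v1` bump above, the template now needs an API server that serves both versions, so a comment such as `# Requires Kubernetes >= 1.8 (apps/v1beta2, rbac.authorization.k8s.io/v1)` near the top of the file would help operators of older clusters.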
@@ -127,18 +140,10 @@ spec: labels: k8s-app: kubernetes-dashboard spec: -{% if not dashboard_use_custom_certs %} - initContainers: - - name: kubernetes-dashboard-init - image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }} - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs -{% endif %} containers: - name: kubernetes-dashboard image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} - imagePullPolicy: Always + imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ dashboard_cpu_limit }} @@ -150,8 +155,12 @@ spec: - containerPort: 8443 protocol: TCP args: - - --tls-key-file=/certs/{{ dashboard_tls_key_file }} - - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }} +{% if dashboard_use_custom_certs %} + - --tls-key-file={{ dashboard_tls_key_file }} + - --tls-cert-file={{ dashboard_tls_cert_file }} +{% else %} + - --auto-generate-certificates +{% endif %} - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect @@ -160,7 +169,6 @@ spec: volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs - readOnly: true # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume @@ -198,4 +206,4 @@ spec: - port: 443 targetPort: 8443 selector: - k8s-app: kubernetes-dashboard \ No newline at end of file + k8s-app: kubernetes-dashboard
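Review bot: `imagePullPolicy: {{ k8s_image_pull_policy }}` in the @@ -127,18 +140,10 hunk depends on a variable that this diff does not add to the role defaults, so rendering presumably relies on it being defined elsewhere in the playbook. If that value is `IfNotPresent`, a node that already holds an image under the `dashboard_image_tag` tag keeps using it and never re-resolves the tag, which the previous hard-coded `Always` did. Consider `imagePullPolicy: {{ k8s_image_pull_policy | default('Always') }}` to keep the old behaviour when the variable is unset, or reference the image by digest.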
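Review bot: The `{% else %}` branch in the @@ -150,8 +155,12 hunk is the default path (`dashboard_use_custom_certs: false`), so a default install serves a self-signed certificate generated at start-up that clients cannot validate against a trusted CA. Say so where the flag is set, e.g. `# Self-signed certificate generated at start-up; set dashboard_use_custom_certs to serve a certificate clients can verify.` In the custom-certs branch the flags now take bare file names instead of `/certs/...`, which presumably relies on the dashboard resolving them against its certificate directory; a short comment stating that would stop someone from re-adding the prefix. The following @@ -160,7 +169,6 hunk drops `readOnly: true` from the `/certs` mount unconditionally; if write access is only needed for auto-generation, the custom-certs case could keep the mount read-only.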