From cbb245af2053a3a8634d51e34820dfd173d2cc8b Mon Sep 17 00:00:00 2001 From: Thomas Schweizer-Bolzonello Date: Tue, 18 Dec 2018 22:42:21 +0200 Subject: [PATCH 1/2] kubernetes-dashboard v1.10.1 deployment to kops addons --- addons/kubernetes-dashboard/addon.yaml | 5 + addons/kubernetes-dashboard/v1.10.1.yaml | 167 +++++++++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 addons/kubernetes-dashboard/v1.10.1.yaml diff --git a/addons/kubernetes-dashboard/addon.yaml b/addons/kubernetes-dashboard/addon.yaml index e3a40e48f5b24..0fb3502e83d28 100644 --- a/addons/kubernetes-dashboard/addon.yaml +++ b/addons/kubernetes-dashboard/addon.yaml @@ -51,3 +51,8 @@ spec: selector: k8s-addon: kubernetes-dashboard.addons.k8s.io manifest: v1.10.0.yaml + - version: 1.10.1 + kubernetesVersion: ">=1.10.0" + selector: + k8s-addon: kubernetes-dashboard.addons.k8s.io + manifest: v1.10.1.yaml diff --git a/addons/kubernetes-dashboard/v1.10.1.yaml b/addons/kubernetes-dashboard/v1.10.1.yaml new file mode 100644 index 0000000000000..9751d55aa4b6c --- /dev/null +++ b/addons/kubernetes-dashboard/v1.10.1.yaml @@ -0,0 +1,167 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Configuration to deploy release version of the Dashboard UI compatible with +# Kubernetes 1.10. +# +# Example usage: kubectl create -f + +# ------------------- Dashboard Secret ------------------- # + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kube-system +type: Opaque + +--- +# ------------------- Dashboard Service Account ------------------- # + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Role & Role Binding ------------------- # + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +rules: + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics from heapster. +- apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster"] + verbs: ["proxy"] +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard-minimal +subjects: +- kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Deployment ------------------- # + +kind: Deployment +apiVersion: apps/v1beta2 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- +# ------------------- Dashboard Service ------------------- # + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard From 5210708ef8d8ee14920b83c5c1d120bf6d35cf8c Mon Sep 17 00:00:00 2001 From: Thomas Schweizer-Bolzonello Date: Wed, 19 Dec 2018 00:50:11 +0200 Subject: [PATCH 2/2] Remove kubernetes-dashboard 1.10.0 (CVE-2018-18264) --- addons/kubernetes-dashboard/addon.yaml | 5 - addons/kubernetes-dashboard/v1.10.0.yaml | 167 ----------------------- 2 files changed, 172 deletions(-) delete mode 100644 addons/kubernetes-dashboard/v1.10.0.yaml diff --git a/addons/kubernetes-dashboard/addon.yaml b/addons/kubernetes-dashboard/addon.yaml index 0fb3502e83d28..36dbdedbbe298 100644 --- a/addons/kubernetes-dashboard/addon.yaml +++ b/addons/kubernetes-dashboard/addon.yaml @@ -46,11 +46,6 @@ spec: selector: k8s-addon: kubernetes-dashboard.addons.k8s.io manifest: v1.8.3.yaml - - version: 1.10.0 - kubernetesVersion: ">=1.10.0" - selector: - k8s-addon: kubernetes-dashboard.addons.k8s.io - manifest: v1.10.0.yaml - version: 1.10.1 kubernetesVersion: ">=1.10.0" selector: diff --git a/addons/kubernetes-dashboard/v1.10.0.yaml b/addons/kubernetes-dashboard/v1.10.0.yaml deleted file mode 100644 index f79097b85572e..0000000000000 --- a/addons/kubernetes-dashboard/v1.10.0.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Configuration to deploy release version of the Dashboard UI compatible with -# Kubernetes 1.10. -# -# Example usage: kubectl create -f - -# ------------------- Dashboard Secret ------------------- # - -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-certs - namespace: kube-system -type: Opaque - ---- -# ------------------- Dashboard Service Account ------------------- # - -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system - ---- -# ------------------- Dashboard Role & Role Binding ------------------- # - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system -rules: - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. -- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubernetes-dashboard-minimal -subjects: -- kind: ServiceAccount - name: kubernetes-dashboard - namespace: kube-system - ---- -# ------------------- Dashboard Deployment ------------------- # - -kind: Deployment -apiVersion: apps/v1beta2 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - k8s-app: kubernetes-dashboard - template: - metadata: - labels: - k8s-app: kubernetes-dashboard - spec: - containers: - - name: kubernetes-dashboard - image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0 - ports: - - containerPort: 8443 - protocol: TCP - args: - - --auto-generate-certificates - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. - # - --apiserver-host=http://my-address:port - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 - volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} - serviceAccountName: kubernetes-dashboard - # Comment the following tolerations if Dashboard must not be deployed on master - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - ---- -# ------------------- Dashboard Service ------------------- # - -kind: Service -apiVersion: v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system -spec: - ports: - - port: 443 - targetPort: 8443 - selector: - k8s-app: kubernetes-dashboard