
@krancour
Created December 17, 2015 16:51
kube-aws-with-insecure-registries
{
"AWSTemplateFormatVersion": "2010-09-09",
"Conditions": {
"EmptyAvailabilityZone": {
"Fn::Equals": [
{
"Ref": "AvailabilityZone"
},
""
]
}
},
"Description": "kube-aws Kubernetes cluster",
"Mappings": {
"RegionMap": {
"ap-northeast-1": {
"alpha": "ami-b3e3cbdd",
"beta": "ami-aab897c4"
},
"ap-southeast-1": {
"alpha": "ami-d9a86bba",
"beta": "ami-82e121e1"
},
"ap-southeast-2": {
"alpha": "ami-75edb516",
"beta": "ami-9b4c14f8"
},
"eu-central-1": {
"alpha": "ami-2a6d7146",
"beta": "ami-2ddcc141"
},
"eu-west-1": {
"alpha": "ami-7e8f2f0d",
"beta": "ami-51fb5d22"
},
"sa-east-1": {
"alpha": "ami-8057d3ec",
"beta": "ami-b422a7d8"
},
"us-east-1": {
"alpha": "ami-8dcd84e7",
"beta": "ami-a4eeacce"
},
"us-gov-west-1": {
"alpha": "ami-3b7cc15a",
"beta": "ami-47912c26"
},
"us-west-1": {
"alpha": "ami-cbff97ab",
"beta": "ami-2d2c444d"
},
"us-west-2": {
"alpha": "ami-13607c72",
"beta": "ami-1dddcf7c"
}
}
},
"Parameters": {
"APIServerCert": {
"Description": "PEM-formatted kube-apiserver certificate, base64-encoded",
"Type": "String"
},
"APIServerKey": {
"Description": "PEM-formatted kube-apiserver key, base64-encoded",
"Type": "String"
},
"ArtifactURL": {
"Default": "https://coreos-kubernetes.s3.amazonaws.com/v0.3.0",
"Description": "Public location of coreos-kubernetes deployment artifacts",
"Type": "String"
},
"AvailabilityZone": {
"Default": "",
"Description": "Specific availability zone (optional)",
"Type": "String"
},
"CACert": {
"Description": "PEM-formatted CA certificate, base64-encoded",
"Type": "String"
},
"ClusterName": {
"Default": "kubernetes",
"Description": "Name of Kubernetes cluster",
"Type": "String"
},
"ControllerInstanceType": {
"Default": "m3.medium",
"Description": "EC2 instance type used for each controller instance",
"Type": "String"
},
"ControllerRootVolumeSize": {
"Default": "30",
"Description": "Controller root volume size (GiB)",
"Type": "String"
},
"KeyName": {
"Description": "Name of SSH keypair to authorize on each instance",
"Type": "String"
},
"ReleaseChannel": {
"AllowedValues": [
"alpha",
"beta"
],
"Default": "alpha",
"Description": "CoreOS Linux release channel to use as instance operating system",
"Type": "String"
},
"WorkerCert": {
"Description": "PEM-formatted kubelet (worker) certificate, base64-encoded",
"Type": "String"
},
"WorkerCount": {
"Default": "1",
"Description": "Number of worker instances to create, may be modified later",
"Type": "String"
},
"WorkerInstanceType": {
"Default": "m3.medium",
"Description": "EC2 instance type used for each worker instance",
"Type": "String"
},
"WorkerKey": {
"Description": "PEM-formatted kubelet (worker) key, base64-encoded",
"Type": "String"
},
"WorkerRootVolumeSize": {
"Default": "30",
"Description": "Worker root volume size (GiB)",
"Type": "String"
}
},
"Resources": {
"AlarmControllerRecover": {
"Properties": {
"AlarmActions": [
{
"Fn::Join": [
"",
[
"arn:aws:automate:",
{
"Ref": "AWS::Region"
},
":ec2:recover"
]
]
}
],
"AlarmDescription": "Trigger a recovery when system check fails for 5 consecutive minutes.",
"ComparisonOperator": "GreaterThanThreshold",
"Dimensions": [
{
"Name": "InstanceId",
"Value": {
"Ref": "InstanceController"
}
}
],
"EvaluationPeriods": "5",
"MetricName": "StatusCheckFailed_System",
"Namespace": "AWS/EC2",
"Period": "60",
"Statistic": "Minimum",
"Threshold": "0"
},
"Type": "AWS::CloudWatch::Alarm"
},
"AutoScaleWorker": {
"Properties": {
"AvailabilityZones": [
{
"Fn::If": [
"EmptyAvailabilityZone",
{
"Fn::Select": [
"0",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
{
"Ref": "AvailabilityZone"
}
]
}
],
"DesiredCapacity": {
"Ref": "WorkerCount"
},
"HealthCheckGracePeriod": 600,
"HealthCheckType": "EC2",
"LaunchConfigurationName": {
"Ref": "LaunchConfigurationWorker"
},
"MaxSize": {
"Ref": "WorkerCount"
},
"MinSize": {
"Ref": "WorkerCount"
},
"Tags": [
{
"Key": "KubernetesCluster",
"PropagateAtLaunch": "true",
"Value": {
"Ref": "ClusterName"
}
},
{
"Key": "Name",
"PropagateAtLaunch": "true",
"Value": "kube-aws-worker"
}
],
"VPCZoneIdentifier": [
{
"Ref": "Subnet"
}
]
},
"Type": "AWS::AutoScaling::AutoScalingGroup"
},
"EIPController": {
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Ref": "InstanceController"
}
},
"Type": "AWS::EC2::EIP"
},
"IAMInstanceProfileController": {
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "IAMRoleController"
}
]
},
"Type": "AWS::IAM::InstanceProfile"
},
"IAMInstanceProfileWorker": {
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "IAMRoleWorker"
}
]
},
"Type": "AWS::IAM::InstanceProfile"
},
"IAMRoleController": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "elasticloadbalancing:*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "root"
}
]
},
"Type": "AWS::IAM::Role"
},
"IAMRoleWorker": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": "ec2:Describe*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:AttachVolume",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DetachVolume",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "root"
}
]
},
"Type": "AWS::IAM::Role"
},
"InstanceController": {
"Properties": {
"AvailabilityZone": {
"Fn::If": [
"EmptyAvailabilityZone",
{
"Fn::Select": [
"0",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
{
"Ref": "AvailabilityZone"
}
]
},
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"VolumeSize": {
"Ref": "ControllerRootVolumeSize"
}
}
}
],
"IamInstanceProfile": {
"Ref": "IAMInstanceProfileController"
},
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
{
"Ref": "ReleaseChannel"
}
]
},
"InstanceType": {
"Ref": "ControllerInstanceType"
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"AssociatePublicIpAddress": false,
"DeleteOnTermination": true,
"DeviceIndex": "0",
"GroupSet": [
{
"Ref": "SecurityGroupController"
}
],
"PrivateIpAddress": "10.0.0.50",
"SubnetId": {
"Ref": "Subnet"
}
}
],
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
},
{
"Key": "Name",
"Value": "kube-aws-controller"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#cloud-config\ncoreos:\n update:\n reboot-strategy: \"off\"\n\n flannel:\n interface: $private_ipv4\n\n etcd2:\n name: controller\n advertise-client-urls: http://$private_ipv4:2379\n initial-advertise-peer-urls: http://$private_ipv4:2380\n listen-client-urls: http://0.0.0.0:2379\n listen-peer-urls: http://0.0.0.0:2380\n initial-cluster: controller=http://$private_ipv4:2380\n\n units:\n - name: etcd2.service\n command: start\n\n - name: install-controller.service\n command: start\n content: |\n [Service]\n ExecStart=/bin/bash /tmp/install-controller.sh\n Type=oneshot\n\nwrite_files:\n- path: /run/coreos-kubernetes/options.env\n content: |\n ETCD_ENDPOINTS=http://127.0.0.1:2379\n ARTIFACT_URL=",
{
"Ref": "ArtifactURL"
},
"\n\n- path: /tmp/install-controller.sh\n content: |\n #!/bin/bash\n\n exec bash -c \"$(curl --fail --silent --show-error --location '",
{
"Ref": "ArtifactURL"
},
"/scripts/install-controller.sh')\"\n\n- path: /etc/kubernetes/ssl/ca.pem\n encoding: base64\n content: ",
{
"Ref": "CACert"
},
"\n\n- path: /etc/kubernetes/ssl/apiserver.pem\n encoding: base64\n content: ",
{
"Ref": "APIServerCert"
},
"\n\n- path: /etc/kubernetes/ssl/apiserver-key.pem\n encoding: base64\n content: ",
{
"Ref": "APIServerKey"
},
"\n"
]
]
}
}
},
"Type": "AWS::EC2::Instance"
},
"InternetGateway": {
"Properties": {
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
}
]
},
"Type": "AWS::EC2::InternetGateway"
},
"LaunchConfigurationWorker": {
"Properties": {
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"VolumeSize": {
"Ref": "WorkerRootVolumeSize"
}
}
}
],
"IamInstanceProfile": {
"Ref": "IAMInstanceProfileWorker"
},
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
{
"Ref": "ReleaseChannel"
}
]
},
"InstanceType": {
"Ref": "WorkerInstanceType"
},
"KeyName": {
"Ref": "KeyName"
},
"SecurityGroups": [
{
"Ref": "SecurityGroupWorker"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#cloud-config\ncoreos:\n update:\n reboot-strategy: \"off\"\n\n flannel:\n interface: $private_ipv4\n etcd_endpoints: http://10.0.0.50:2379\n\n units:\n - name: install-worker.service\n command: start\n content: |\n [Service]\n ExecStart=/bin/bash /tmp/install-worker.sh\n Type=oneshot\n\n - name: docker.service\n drop-ins:\n - name: 50-insecure-registry.conf\n content: |\n [Service]\n Environment=\"DOCKER_OPTS=--insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16 --insecure-registry 100.64.0.0/10\"\n\nwrite_files:\n- path: /run/coreos-kubernetes/options.env\n content: |\n ETCD_ENDPOINTS=http://10.0.0.50:2379\n CONTROLLER_ENDPOINT=https://10.0.0.50\n ARTIFACT_URL=",
{
"Ref": "ArtifactURL"
},
"\n\n- path: /tmp/install-worker.sh\n content: |\n #!/bin/bash\n\n exec bash -c \"$(curl --fail --silent --show-error --location '",
{
"Ref": "ArtifactURL"
},
"/scripts/install-worker.sh')\"\n\n- path: /etc/kubernetes/ssl/ca.pem\n encoding: base64\n content: ",
{
"Ref": "CACert"
},
"\n\n- path: /etc/kubernetes/ssl/worker.pem\n encoding: base64\n content: ",
{
"Ref": "WorkerCert"
},
"\n\n- path: /etc/kubernetes/ssl/worker-key.pem\n encoding: base64\n content: ",
{
"Ref": "WorkerKey"
},
"\n"
]
]
}
}
},
"Type": "AWS::AutoScaling::LaunchConfiguration"
},
"RouteTable": {
"Properties": {
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
}
],
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::RouteTable"
},
"RouteToInternet": {
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
},
"Type": "AWS::EC2::Route"
},
"SecurityGroupController": {
"Properties": {
"GroupDescription": {
"Ref": "AWS::StackName"
},
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 0,
"IpProtocol": "tcp",
"ToPort": 65535
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": 0,
"IpProtocol": "udp",
"ToPort": 65535
}
],
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 3,
"IpProtocol": "icmp",
"ToPort": -1
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": 443,
"IpProtocol": "tcp",
"ToPort": 443
}
],
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
}
],
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::SecurityGroup"
},
"SecurityGroupControllerIngressFromWorkerToEtcd": {
"Properties": {
"FromPort": 2379,
"GroupId": {
"Ref": "SecurityGroupController"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupWorker"
},
"ToPort": 2379
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"SecurityGroupWorker": {
"Properties": {
"GroupDescription": {
"Ref": "AWS::StackName"
},
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 0,
"IpProtocol": "tcp",
"ToPort": 65535
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": 0,
"IpProtocol": "udp",
"ToPort": 65535
}
],
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 3,
"IpProtocol": "icmp",
"ToPort": -1
},
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
}
],
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
}
],
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::SecurityGroup"
},
"SecurityGroupWorkerIngressFromControllerToFlannel": {
"Properties": {
"FromPort": 8285,
"GroupId": {
"Ref": "SecurityGroupWorker"
},
"IpProtocol": "udp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupController"
},
"ToPort": 8285
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"SecurityGroupWorkerIngressFromControllerToKubelet": {
"Properties": {
"FromPort": 10250,
"GroupId": {
"Ref": "SecurityGroupWorker"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupController"
},
"ToPort": 10250
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"SecurityGroupWorkerIngressFromControllerTocAdvisor": {
"Properties": {
"FromPort": 4194,
"GroupId": {
"Ref": "SecurityGroupWorker"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupController"
},
"ToPort": 4194
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"SecurityGroupWorkerIngressFromWorkerToFlannel": {
"Properties": {
"FromPort": 8285,
"GroupId": {
"Ref": "SecurityGroupWorker"
},
"IpProtocol": "udp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupWorker"
},
"ToPort": 8285
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"SecurityGroupWorkerIngressFromWorkerToKubeletReadOnly": {
"Properties": {
"FromPort": 10255,
"GroupId": {
"Ref": "SecurityGroupWorker"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "SecurityGroupWorker"
},
"ToPort": 10255
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"Subnet": {
"Properties": {
"AvailabilityZone": {
"Fn::If": [
"EmptyAvailabilityZone",
{
"Fn::Select": [
"0",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
{
"Ref": "AvailabilityZone"
}
]
},
"CidrBlock": "10.0.0.0/24",
"MapPublicIpOnLaunch": true,
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
}
],
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::Subnet"
},
"SubnetRouteTableAssociation": {
"Properties": {
"RouteTableId": {
"Ref": "RouteTable"
},
"SubnetId": {
"Ref": "Subnet"
}
},
"Type": "AWS::EC2::SubnetRouteTableAssociation"
},
"VPC": {
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsHostnames": true,
"EnableDnsSupport": true,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "KubernetesCluster",
"Value": {
"Ref": "ClusterName"
}
},
{
"Key": "Name",
"Value": "kubernetes-vpc"
}
]
},
"Type": "AWS::EC2::VPC"
},
"VPCGatewayAttachment": {
"Properties": {
"InternetGatewayId": {
"Ref": "InternetGateway"
},
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::VPCGatewayAttachment"
}
}
}