Created
May 3, 2020 21:51
-
-
Save kusw3/bb9dadef0754fcaa9b02f7ba1ad2faed to your computer and use it in GitHub Desktop.
Terraform file using kubernetes provider to deploy metrics-server and kubernetes-dashboard on AWS EKS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Based on steps for AWS EKS deployment | |
# https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html | |
# It needs a kubernetes provider to be available | |
# | |
#### | |
## Metrics | |
#### | |
resource "kubernetes_cluster_role" "aggregated-metrics-reader" { | |
metadata { | |
name = "system:aggregated-metrics-reader" | |
labels = { | |
"rbac.authorization.k8s.io/aggregate-to-view" = "true" | |
"rbac.authorization.k8s.io/aggregate-to-edit" = "true" | |
"rbac.authorization.k8s.io/aggregate-to-admin" = "true" | |
} | |
} | |
rule { | |
api_groups = ["metrics.k8s.io"] | |
resources = ["pods", "nodes"] | |
verbs = ["get", "list", "watch"] | |
} | |
} | |
resource "kubernetes_cluster_role_binding" "metrics_server_auth_delegator" { | |
metadata { | |
name = "metrics-server:system:auth-delegator" | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "ClusterRole" | |
name = "system:auth-delegator" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "metrics-server" | |
namespace = "kube-system" | |
} | |
} | |
resource "kubernetes_role_binding" "metrics_server_auth_reader" { | |
metadata { | |
name = "metrics-server-auth-reader" | |
namespace = "kube-system" | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "Role" | |
name = "extension-apiserver-authentication-reader" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "metrics-server" | |
namespace = "kube-system" | |
} | |
} | |
resource "kubernetes_api_service" "metrics-server" { | |
metadata { | |
name = "v1beta1.metrics.k8s.io" | |
} | |
spec { | |
service { | |
name = "metrics-server" | |
namespace = "kube-system" | |
} | |
group = "metrics.k8s.io" | |
version = "v1beta1" | |
insecure_skip_tls_verify = "true" | |
group_priority_minimum = 100 | |
version_priority = 100 | |
} | |
} | |
resource "kubernetes_service_account" "metrics_server" { | |
metadata { | |
name = "metrics-server" | |
namespace = "kube-system" | |
} | |
} | |
resource "kubernetes_deployment" "metrics_server" { | |
metadata { | |
name = "metrics-server" | |
namespace = "kube-system" | |
labels = { | |
"k8s-app" = "metrics-server" | |
} | |
} | |
spec { | |
selector { | |
match_labels = { | |
"k8s-app" = "metrics-server" | |
} | |
} | |
template { | |
metadata { | |
name = "metrics-server" | |
labels = { | |
"k8s-app" = "metrics-server" | |
} | |
} | |
spec { | |
service_account_name = "metrics-server" | |
automount_service_account_token = "true" | |
volume { | |
name = "tmp-dir" | |
empty_dir {} | |
} | |
container { | |
name = "metrics-server" | |
image = var.k8s_metrics_server_image | |
image_pull_policy = "IfNotPresent" | |
args = [ | |
"--cert-dir=/tmp", | |
"--secure-port=4443" | |
] | |
port { | |
name = "main-port" | |
container_port = 4443 | |
protocol = "TCP" | |
} | |
security_context { | |
read_only_root_filesystem = "true" | |
run_as_non_root = "true" | |
run_as_user = 1000 | |
} | |
volume_mount { | |
name = "tmp-dir" | |
mount_path = "/tmp" | |
} | |
} | |
node_selector = { | |
"kubernetes.io/os" = "linux" | |
"kubernetes.io/arch" = "amd64" | |
} | |
} | |
} | |
} | |
depends_on = [ | |
kubernetes_service_account.metrics_server, | |
] | |
} | |
resource "kubernetes_service" "metrics_server" { | |
metadata { | |
name = "metrics-server" | |
namespace = "kube-system" | |
labels = { | |
"kubernetes.io/name" = "Metrics-server", | |
"kubernetes.io/cluster-service" = "true" | |
} | |
} | |
spec { | |
selector = { | |
"k8s-app" = "metrics-server" | |
} | |
port { | |
port = 443 | |
protocol = "TCP" | |
target_port = "main-port" | |
} | |
} | |
depends_on = [ | |
kubernetes_cluster_role.metrics_server | |
] | |
} | |
resource "kubernetes_cluster_role" "metrics_server" { | |
metadata { | |
name = "system:metrics-server" | |
} | |
rule { | |
api_groups = [""] | |
resources = ["pods", "nodes", "nodes/stats", "namespaces", "configmaps"] | |
verbs = ["get", "list", "watch"] | |
} | |
} | |
resource "kubernetes_cluster_role_binding" "metrics_server" { | |
metadata { | |
name = "system:metrics-server" | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "ClusterRole" | |
name = "system:metrics-server" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "metrics-server" | |
namespace = "kube-system" | |
} | |
depends_on = [ | |
kubernetes_cluster_role.metrics_server | |
] | |
} | |
#### | |
## Kubernetes Dashboard | |
#### | |
resource "kubernetes_namespace" "monitoring" { | |
metadata { | |
name = var.k8s_monitoring_ns_name | |
} | |
# Not explicitly required but everything else below depends on this NS | |
depends_on = [ | |
kubernetes_service.metrics_server | |
] | |
} | |
resource "kubernetes_service_account" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
} | |
resource "kubernetes_service" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
spec { | |
selector = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
port { | |
port = 443 | |
target_port = 8443 | |
} | |
} | |
} | |
resource "kubernetes_secret" "kubernetes_dashboard_certs" { | |
metadata { | |
name = "kubernetes-dashboard-certs" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
type = "Opaque" | |
} | |
resource "kubernetes_secret" "kubernetes_dashboard_csrf" { | |
metadata { | |
name = "kubernetes-dashboard-csrf" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
type = "Opaque" | |
data = { | |
csrf = "" | |
} | |
} | |
resource "kubernetes_secret" "kubernetes_dashboard_key_holder" { | |
metadata { | |
name = "kubernetes-dashboard-key-holder" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
type = "Opaque" | |
} | |
resource "kubernetes_config_map" "kubernetes_dashboard_settings" { | |
metadata { | |
name = "kubernetes-dashboard-settings" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
} | |
resource "kubernetes_role" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
# Allow Dashboard to get, update and delete Dashboard exclusive secrets. | |
rule { | |
api_groups = [""] | |
resources = ["secrets"] | |
resource_names = ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] | |
verbs = ["get", "update", "delete"] | |
} | |
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. | |
rule { | |
api_groups = [""] | |
resources = ["configmap"] | |
resource_names = ["kubernetes-dashboard-settings"] | |
verbs = ["get", "update"] | |
} | |
# Allow Dashboard to get metrics. | |
rule { | |
api_groups = [""] | |
resources = ["services"] | |
resource_names = ["heapster", "dashboard-metrics-scraper"] | |
verbs = ["proxy"] | |
} | |
rule { | |
api_groups = [""] | |
resources = ["services/proxy"] | |
resource_names = ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] | |
verbs = ["get"] | |
} | |
depends_on = [ | |
kubernetes_service.dashboard_metrics_scraper, | |
kubernetes_config_map.kubernetes_dashboard_settings, | |
kubernetes_secret.kubernetes_dashboard_certs, | |
kubernetes_secret.kubernetes_dashboard_csrf, | |
kubernetes_secret.kubernetes_dashboard_key_holder, | |
] | |
} | |
resource "kubernetes_cluster_role" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
rule { | |
api_groups = ["metrics.k8s.io"] | |
resources = ["pods", "nodes"] | |
verbs = ["get", "list", "watch"] | |
} | |
} | |
resource "kubernetes_role_binding" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "Role" | |
name = "kubernetes-dashboard" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
} | |
} | |
resource "kubernetes_cluster_role_binding" "kubernetes_dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "ClusterRole" | |
name = "kubernetes-dashboard" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
} | |
} | |
resource "kubernetes_deployment" "kubernetes-dashboard" { | |
metadata { | |
name = "kubernetes-dashboard" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
spec { | |
replicas = 1 | |
revision_history_limit = 10 | |
selector { | |
match_labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
template { | |
metadata { | |
labels = { | |
k8s-app = "kubernetes-dashboard" | |
} | |
} | |
spec { | |
container { | |
name = "kubernetes-dashboard" | |
image = var.k8s_dashboard_image | |
image_pull_policy = "Always" | |
port { | |
container_port = 8443 | |
protocol = "TCP" | |
} | |
args = [ | |
"--auto-generate-certificates", | |
"--namespace=${kubernetes_namespace.monitoring.metadata[0].name}" | |
] | |
volume_mount { | |
name = "kubernetes-dashboard-certs" | |
mount_path = "/certs" | |
} | |
volume_mount { | |
name = "tmp-volume" | |
mount_path = "/tmp" | |
} | |
liveness_probe { | |
http_get { | |
scheme = "HTTPS" | |
path = "/" | |
port = 8443 | |
} | |
initial_delay_seconds = 30 | |
timeout_seconds = 30 | |
} | |
security_context { | |
allow_privilege_escalation = "false" | |
read_only_root_filesystem = "true" | |
run_as_user = 1001 | |
run_as_group = 2001 | |
} | |
} | |
volume { | |
name = "kubernetes-dashboard-certs" | |
secret { | |
secret_name = "kubernetes-dashboard-certs" | |
} | |
} | |
volume { | |
name = "tmp-volume" | |
empty_dir {} | |
} | |
service_account_name = "kubernetes-dashboard" | |
automount_service_account_token = "true" | |
node_selector = { | |
"beta.kubernetes.io/os" = "linux" | |
} | |
toleration { | |
key = "node-role.kubernetes.io/master" | |
effect = "NoSchedule" | |
} | |
} | |
} | |
} | |
depends_on = [ | |
kubernetes_namespace.monitoring, | |
kubernetes_service_account.kubernetes_dashboard, | |
kubernetes_secret.kubernetes_dashboard_certs, | |
kubernetes_secret.kubernetes_dashboard_csrf, | |
kubernetes_secret.kubernetes_dashboard_key_holder, | |
kubernetes_config_map.kubernetes_dashboard_settings, | |
kubernetes_role.kubernetes_dashboard, | |
kubernetes_cluster_role.kubernetes_dashboard, | |
kubernetes_role_binding.kubernetes_dashboard, | |
kubernetes_cluster_role_binding.kubernetes_dashboard, | |
] | |
} | |
resource "kubernetes_service" "dashboard_metrics_scraper" { | |
metadata { | |
name = "dashboard-metrics-scraper" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "dashboard-metrics-scraper" | |
} | |
} | |
spec { | |
port { | |
port = 8000 | |
target_port = 8000 | |
} | |
selector = { | |
k8s-app = "dashboard-metrics-scraper" | |
} | |
} | |
} | |
resource "kubernetes_deployment" "dashboard-metrics-scraper" { | |
metadata { | |
name = "dashboard-metrics-scraper" | |
namespace = kubernetes_namespace.monitoring.metadata[0].name | |
labels = { | |
k8s-app = "dashboard-metrics-scraper" | |
} | |
} | |
spec { | |
replicas = 1 | |
revision_history_limit = 10 | |
selector { | |
match_labels = { | |
k8s-app = "dashboard-metrics-scraper" | |
} | |
} | |
template { | |
metadata { | |
labels = { | |
k8s-app = "dashboard-metrics-scraper" | |
} | |
annotations = { | |
"seccomp.security.alpha.kubernetes.io/pod" = "runtime/default" | |
} | |
} | |
spec { | |
container { | |
name = "dashboard-metrics-scraper" | |
image = var.k8s_metrics_scraper_image | |
port { | |
container_port = 8000 | |
protocol = "TCP" | |
} | |
volume_mount { | |
name = "tmp-volume" | |
mount_path = "/tmp" | |
} | |
liveness_probe { | |
http_get { | |
scheme = "HTTP" | |
path = "/" | |
port = 8000 | |
} | |
initial_delay_seconds = 30 | |
timeout_seconds = 30 | |
} | |
security_context { | |
allow_privilege_escalation = "false" | |
read_only_root_filesystem = "true" | |
run_as_user = 1001 | |
run_as_group = 2001 | |
} | |
} | |
service_account_name = "kubernetes-dashboard" | |
automount_service_account_token = "true" | |
node_selector = { | |
"beta.kubernetes.io/os" = "linux" | |
} | |
toleration { | |
key = "node-role.kubernetes.io/master" | |
effect = "NoSchedule" | |
} | |
volume { | |
name = "tmp-volume" | |
empty_dir {} | |
} | |
} | |
} | |
} | |
depends_on = [ | |
kubernetes_deployment.kubernetes-dashboard | |
] | |
} | |
### | |
# Create eks-admin user | |
### | |
resource "kubernetes_service_account" "eks_admin" { | |
metadata { | |
name = "eks-admin" | |
namespace = "kube-system" | |
} | |
} | |
resource "kubernetes_cluster_role_binding" "eks_admin" { | |
metadata { | |
name = "eks-admin" | |
} | |
role_ref { | |
api_group = "rbac.authorization.k8s.io" | |
kind = "ClusterRole" | |
name = "cluster-admin" | |
} | |
subject { | |
kind = "ServiceAccount" | |
name = "eks-admin" | |
namespace = "kube-system" | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
variable "k8s_monitoring_ns_name" { | |
description = "Name given to the monitoring Namespace within the Kubernetes Cluster" | |
type = string | |
default = "monitoring" | |
} | |
variable "k8s_dashboard_image" { | |
description = "Kubernetes Dashboard container image" | |
type = string | |
default = "kubernetesui/dashboard:v2.0.0-rc6" | |
} | |
variable "k8s_metrics_scraper_image" { | |
description = "Kubernetes Dashboard metrics scrapper container image" | |
type = string | |
default = "kubernetesui/metrics-scraper:v1.0.3" | |
} | |
variable "k8s_metrics_server_image" { | |
description = "Kubernetes metrics server image name" | |
type = string | |
default = "k8s.gcr.io/metrics-server-amd64:v0.3.6" | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment