# Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################ ### Namespaces ################################ apiVersion: v1 kind: Namespace metadata: name: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard --- ################################ ### cert-manager ################################ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: selfsigned namespace: kubernetes-dashboard labels: app.kubernetes.io/name: certmanager app.kubernetes.io/part-of: kubernetes-dashboard spec: selfSigned: {} --- ################################ ### Service Accounts ################################ apiVersion: v1 kind: ServiceAccount metadata: name: kubernetes-dashboard namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard --- ################################ ### Secrets & Config Maps ################################ apiVersion: v1 kind: Secret metadata: name: kubernetes-dashboard-csrf namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard type: Opaque data: csrf: "" --- apiVersion: v1 kind: Secret metadata: name: kubernetes-dashboard-key-holder namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard type: Opaque --- kind: ConfigMap apiVersion: v1 metadata: name: kubernetes-dashboard-settings namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard --- ################################ ### Roles & Bindings ################################ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kubernetes-dashboard namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [ "" ] resources: [ "secrets" ] resourceNames: [ "kubernetes-dashboard-key-holder", "kubernetes-dashboard-csrf" ] verbs: [ "get", "update", "delete" ] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - apiGroups: [ "" ] resources: [ "configmaps" ] resourceNames: [ "kubernetes-dashboard-settings" ] verbs: [ "get", "update" ] # Allow Dashboard to get metrics. - apiGroups: [ "" ] resources: [ "services/proxy" ] resourceNames: [ "kubernetes-dashboard-metrics-scraper", "http:kubernetes-dashboard-metrics-scraper" ] verbs: [ "get" ] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard rules: # Allow Metrics Scraper to get metrics from the Metrics server - apiGroups: [ "metrics.k8s.io" ] resources: [ "pods", "nodes" ] verbs: [ "get", "list", "watch" ] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubernetes-dashboard namespace: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard labels: app.kubernetes.io/part-of: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- ################################ ### Services & Ingresses ################################ kind: Service apiVersion: v1 metadata: name: kubernetes-dashboard-web namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-web app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: web app.kubernetes.io/version: "v1.0.0" spec: ports: - name: web port: 8000 selector: app.kubernetes.io/name: kubernetes-dashboard-web app.kubernetes.io/part-of: kubernetes-dashboard --- kind: Service apiVersion: v1 metadata: name: kubernetes-dashboard-api namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-api app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: api app.kubernetes.io/version: "v1.0.0" spec: ports: - name: api port: 9000 selector: app.kubernetes.io/name: kubernetes-dashboard-api app.kubernetes.io/part-of: kubernetes-dashboard --- kind: Service apiVersion: v1 metadata: name: kubernetes-dashboard-metrics-scraper namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-metrics-scraper app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: metrics app.kubernetes.io/version: "v1.0.9" spec: ports: - port: 8000 targetPort: 8000 selector: app.kubernetes.io/name: kubernetes-dashboard-metrics-scraper app.kubernetes.io/part-of: kubernetes-dashboard --- kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: kubernetes-dashboard namespace: kubernetes-dashboard labels: app.kubernetes.io/name: nginx-ingress app.kubernetes.io/part-of: kubernetes-dashboard annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" cert-manager.io/issuer: selfsigned spec: ingressClassName: nginx tls: - hosts: - localhost secretName: kubernetes-dashboard-certs rules: - host: localhost http: paths: - path: / pathType: Prefix backend: service: name: kubernetes-dashboard-web port: name: web - path: /api pathType: Prefix backend: service: name: kubernetes-dashboard-api port: name: api --- ################################ ### Deployments ################################ kind: Deployment apiVersion: apps/v1 metadata: name: kubernetes-dashboard-api namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-api app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: api app.kubernetes.io/version: "v1.0.0" spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/name: kubernetes-dashboard-api app.kubernetes.io/part-of: kubernetes-dashboard template: metadata: labels: app.kubernetes.io/name: kubernetes-dashboard-api app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: api app.kubernetes.io/version: "v1.0.0" spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubernetes-dashboard-api image: docker.io/kubernetesui/dashboard-api:v1.0.0 imagePullPolicy: IfNotPresent ports: - containerPort: 9000 name: api protocol: TCP args: - --enable-insecure-login - --namespace=kubernetes-dashboard volumeMounts: # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard --- kind: Deployment apiVersion: apps/v1 metadata: name: kubernetes-dashboard-web namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-web app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: web app.kubernetes.io/version: "v1.0.0" spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/name: kubernetes-dashboard-web app.kubernetes.io/part-of: kubernetes-dashboard template: metadata: labels: app.kubernetes.io/name: kubernetes-dashboard-web app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: web app.kubernetes.io/version: "v1.0.0" spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubernetes-dashboard-web image: docker.io/kubernetesui/dashboard-web:v1.0.0 imagePullPolicy: IfNotPresent ports: - containerPort: 8000 name: web protocol: TCP volumeMounts: # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard --- kind: Deployment apiVersion: apps/v1 metadata: name: kubernetes-dashboard-metrics-scraper namespace: kubernetes-dashboard labels: app.kubernetes.io/name: kubernetes-dashboard-metrics-scraper app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: metrics app.kubernetes.io/version: "v1.0.9" spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/name: kubernetes-dashboard-metrics-scraper app.kubernetes.io/part-of: kubernetes-dashboard template: metadata: labels: app.kubernetes.io/name: kubernetes-dashboard-metrics-scraper app.kubernetes.io/part-of: kubernetes-dashboard app.kubernetes.io/component: metrics app.kubernetes.io/version: "v1.0.9" spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubernetes-dashboard-metrics-scraper image: docker.io/kubernetesui/metrics-scraper:v1.0.9 imagePullPolicy: IfNotPresent ports: - containerPort: 8000 protocol: TCP livenessProbe: httpGet: scheme: HTTP path: / port: 8000 initialDelaySeconds: 30 timeoutSeconds: 30 volumeMounts: - mountPath: /tmp name: tmp-volume securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard