Commit f7260c5d authored by Danny's avatar Danny

duplicate volume statement for serviceaccount

parent 091bc8e5
resource "kubernetes_cluster_role" "cluster_autoscaler_clusterrole" { resource "kubernetes_cluster_role" "cluster_autoscaler_clusterrole" {
metadata { metadata {
name = "autoscaler-svc-acc" name = "cluster-autoscaler-svc-acc"
} }
rule { rule {
api_groups = [""] api_groups = [""]
resources = ["events", "endpoints"] resources = ["events", "endpoints"]
verbs = ["create", "patch"] verbs = ["create", "patch"]
}
rule {
api_groups = [""] api_groups = [""]
resources = ["pods/eviction"] resources = ["pods/eviction"]
verbs = ["create"] verbs = ["create"]
}
rule {
api_groups = [""] api_groups = [""]
resources = ["pods/status"] resources = ["pods/status"]
verbs = ["update"] verbs = ["update"]
}
rule {
api_groups = [""] api_groups = [""]
resources = ["endpoints"] resources = ["endpoints"]
resource_names = ["cluster-autoscaler"]
verbs = ["get", "update"] verbs = ["get", "update"]
}
rule {
api_groups = [""] api_groups = [""]
resources = ["nodes"] resources = ["nodes"]
verbs = ["watch", "list", "get", "update"] verbs = ["watch", "list", "get", "update"]
}
rule {
api_groups = [""] api_groups = [""]
resources = ["pods", "services", "replicationControllers", "persistentvolumeclaims", "persistentvolumes"] resources = ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"]
verbs = ["watch", "list", "get"] verbs = ["watch", "list", "get"]
}
rule {
api_groups = ["batch"] api_groups = ["batch"]
resources = ["jobs", "cronjobs"] resources = ["jobs", "cronjobs"]
verbs = ["watch", "list", "get"] verbs = ["watch", "list", "get"]
}
rule {
api_groups = ["extensions"] api_groups = ["extensions"]
resources = ["replicasets", "daemonsets"] resources = ["replicasets", "daemonsets"]
verbs = ["watch", "list", "get"] verbs = ["watch", "list", "get"]
}
rule {
api_groups = ["policy"] api_groups = ["policy"]
resources = ["poddistruptionpolicy"] resources = ["poddisruptionbudgets"]
verbs = ["watch", "list"] verbs = ["watch", "list"]
}
rule {
api_groups = ["apps"] api_groups = ["apps"]
resources = ["replicasets", "statefulsets"] resources = ["replicasets", "statefulsets", "daemonsets"]
verbs = ["watch", "list", "get"] verbs = ["watch", "list", "get"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
resource_names = ["cluster-autoscaler-status"]
verbs = ["get", "delete", "update"]
}
api_groups = ["storage"] rule {
resources = ["storageclass"] api_groups = [""]
resources = ["configmaps"]
verbs = ["create"]
}
rule {
api_groups = ["storage.k8s.io"]
resources = ["storageclasses"]
verbs = ["watch", "list", "get"] verbs = ["watch", "list", "get"]
} }
} }
resource "kubernetes_cluster_role_binding" "external_dns_role_bind" { resource "kubernetes_role" "autoscaler_role" {
metadata { metadata {
name = "autoscaler-svc-acc" name = "cluster-autoscaler-svc-acc"
labels {
"k8s-addon" = "cluster-autoscaler.addons.k8s.io"
"k8s-app" = "cluster-autoscaler"
}
}
rule {
api_groups = [""]
resources = ["configmaps"]
resource_names = ["cluster-autoscaler-status"]
verbs = ["get", "delete", "update"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
verbs = ["create"]
}
}
resource "kubernetes_role_binding" "cluster_autoscaler_role_bind" {
metadata {
name = "cluster-autoscaler-svc-acc"
} }
role_ref { role_ref {
api_group = "rbac.authorization.k8s.io" api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole" kind = "Role"
name = "cluster-autoscaler" name = "cluster-autoscaler-svc-acc"
} }
subject { subject {
kind = "ServiceAccount" kind = "ServiceAccount"
name = "autoscaler-svc-acc" name = "cluster-autoscaler-svc-acc"
namespace = "kube-system" namespace = "kube-system"
api_group = "" api_group = ""
} }
}
subject { resource "kubernetes_cluster_role_binding" "cluster_autoscaler_clusterrole_bind" {
kind = "Group" metadata {
name = "system:serviceaccount" name = "cluster-autoscaler-svc-acc"
}
role_ref {
api_group = "rbac.authorization.k8s.io" api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "cluster-autoscaler-svc-acc"
}
subject {
kind = "ServiceAccount"
name = "cluster-autoscaler-svc-acc"
namespace = "kube-system"
api_group = ""
} }
} }
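Review bot: The new `kubernetes_role` and `kubernetes_role_binding` (`cluster-autoscaler-svc-acc`) set no `namespace` in their `metadata`, so the provider places them in `default`, while the bound subject is the ServiceAccount in `kube-system`; the namespaced configmap grant therefore lands in the wrong namespace and only "works" because the same configmap rules also appear to have been added to the ClusterRole (the `rule` blocks that read `resources = ["configmaps"]` with `resource_names = ["cluster-autoscaler-status"]` and the bare `verbs = ["create"]`), which grants them cluster-wide and defeats the point of having a Role. Add `namespace = "kube-system"` to both `metadata` blocks, and drop the two configmap rules from the ClusterRole so that unrestricted `create` on configmaps is limited to `kube-system` as upstream intends. Which side of the side-by-side view those ClusterRole configmap rules sit on is inferred from layout, so please confirm against the new file. The ClusterRoleBinding and RoleBinding subjects are otherwise fine (the old `system:serviceaccount` Group subject is gone), but it is worth a comment on the Role stating that it scopes status-configmap writes to `kube-system` only.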
...@@ -36,15 +36,18 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" { ...@@ -36,15 +36,18 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
volume { volume {
name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}" name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
name = "autoscaler-ssl-volume"
secret { secret {
secret_name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}" secret_name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
} }
} }
volume {
name = "autoscaler-ssl-volume"
}
container { container {
image = "k8s.gcr.io/cluster-autoscaler:v1.13.1" image = "k8s.gcr.io/cluster-autoscaler:v1.3.6"
name = "cluster-autoscaler-container" name = "cluster-autoscaler-container"
image_pull_policy = "IfNotPresent" image_pull_policy = "IfNotPresent"
args = ["./cluster-autoscaler", "--cloud-provider=aws", "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled", "--skip-nodes-with-local-storage=false", "--stderrthreshold=info", "--expander=least-waste", "--v=4"] args = ["./cluster-autoscaler", "--cloud-provider=aws", "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled", "--skip-nodes-with-local-storage=false", "--stderrthreshold=info", "--expander=least-waste", "--v=4"]
...@@ -53,8 +56,10 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" { ...@@ -53,8 +56,10 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
mount_path = "/var/run/secrets/kubernetes.io/serviceaccount" mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}" name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
read_only = true read_only = true
}
mount_path = "/etc/ssl/certs/" volume_mount {
mount_path = "/etc/ssl/certs/ca-bundle.crt"
name = "autoscaler-ssl-volume" name = "autoscaler-ssl-volume"
read_only = true read_only = true
} }
...@@ -69,6 +74,11 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" { ...@@ -69,6 +74,11 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
port { port {
container_port = 8085 container_port = 8085
} }
env {
name = "AWS_REGION"
value = "us-east-1"
}
} }
} }
} }
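Review bot: The new `volume { name = "autoscaler-ssl-volume" }` block declares no source (no `host_path`, `secret` or `config_map`), so the `volume_mount` at `/etc/ssl/certs/ca-bundle.crt` does not actually deliver the node's CA bundle into the container, and the autoscaler's TLS trust will depend on whatever the image ships rather than the host bundle the mount suggests. If the intent matches the upstream AWS manifest, add `host_path { path = "/etc/ssl/certs/ca-bundle.crt" }` inside that volume and keep `read_only = true` on the mount; please also confirm the in-container path is one the Go TLS stack reads on this image. Separately, `image = "k8s.gcr.io/cluster-autoscaler:v1.3.6"` is pinned by a mutable tag and `AWS_REGION` is hard-coded to `us-east-1`; pinning by digest and sourcing the region from a variable would make this reproducible. The enclosing `kubernetes_deployment` resource starts before this hunk.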