diff --git a/docs/ansible/ansible.md b/docs/ansible/ansible.md
index 040168bb1..6bcf9daab 100644
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -78,7 +78,6 @@ The following tags are defined in playbooks:
 | crio | Configuring crio container engine for hosts |
 | crun | Configuring crun runtime |
 | csi-driver | Configuring csi driver |
-| dashboard | Installing and configuring the Kubernetes Dashboard |
 | dns | Remove dns entries when resetting |
 | docker | Configuring docker engine runtime for hosts |
 | download | Fetching container images to a delegate host |
diff --git a/docs/getting_started/getting-started.md b/docs/getting_started/getting-started.md
index 18050dc4b..bdda25b20 100644
--- a/docs/getting_started/getting-started.md
+++ b/docs/getting_started/getting-started.md
@@ -83,32 +83,6 @@ authentication. One can get a kubeconfig from kube_control_plane hosts For more information on kubeconfig and accessing a Kubernetes cluster, refer to the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/). -## Accessing Kubernetes Dashboard - -Supported version is kubernetes-dashboard v2.0.x : - -- Login option : token/kubeconfig by default -- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory, -- Only serves over https - -Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard : - -- Proxy URL is -- kubectl commands must be run with "-n kube-system" - -Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy --address="x.x.x.x"` will not work) - -For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace. - -Access can also by achieved via ssh tunnel on a control plane : - -```bash -# localhost:8081 will be sent to control-plane-1's own localhost:8081 -ssh -L8001:localhost:8001 user@control-plane-1 -sudo -i -kubectl proxy -``` - ## Accessing Kubernetes API The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml index 29125191e..32520205f 100644 --- a/inventory/sample/group_vars/k8s_cluster/addons.yml +++ b/inventory/sample/group_vars/k8s_cluster/addons.yml 
@@ -1,8 +1,4 @@ --- -# Kubernetes dashboard -# RBAC required. see docs/getting-started.md for access details. -# dashboard_enabled: false - # Helm deployment helm_enabled: false diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index a53e71f72..5b9fc2024 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -119,29 +119,5 @@ netchecker_agent_log_level: 5 netchecker_server_log_level: 5 netchecker_etcd_log_level: info -# Dashboard -dashboard_replicas: 1 - -# Namespace for dashboard -dashboard_namespace: kube-system - -# Limits for dashboard -dashboard_cpu_limit: 100m -dashboard_memory_limit: 256M -dashboard_cpu_requests: 50m -dashboard_memory_requests: 64M - -# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that -# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs -dashboard_use_custom_certs: false -dashboard_certs_secret_name: kubernetes-dashboard-certs -dashboard_tls_key_file: dashboard.key -dashboard_tls_cert_file: dashboard.crt -dashboard_master_toleration: true - -# Override dashboard default settings -dashboard_token_ttl: 900 -dashboard_skip_login: false - # Policy Controllers # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}] diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index a7c434884..12684a18d 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml 
@@ -109,15 +109,3 @@ - netchecker-server-clusterrolebinding.yml.j2 - netchecker-server-deployment.yml.j2 - netchecker-server-svc.yml.j2 - -- name: Kubernetes Apps | Dashboard - command: - cmd: "{{ kubectl_apply_stdin }}" - stdin: "{{ lookup('template', 'dashboard.yml.j2') }}" - delegate_to: "{{ groups['kube_control_plane'][0] }}" - run_once: true - vars: - k8s_namespace: "{{ dashboard_namespace }}" - when: dashboard_enabled - tags: - - dashboard diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 deleted file mode 100644 index 0bfa3b173..000000000 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ /dev/null 
@@ -1,323 +0,0 @@ -# Copyright 2017 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Configuration to deploy release version of the Dashboard UI compatible with -# Kubernetes 1.8. -# -# Example usage: kubectl create -f - -{% if k8s_namespace != 'kube-system' %} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ k8s_namespace }} - labels: - name: {{ k8s_namespace }} -{% endif %} ---- -# ------------------- Dashboard Secrets ------------------- # -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-certs -type: Opaque - ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-csrf -type: Opaque -data: - csrf: "" - ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-key-holder -type: Opaque - ---- -# ------------------- Dashboard ConfigMap ------------------- # -kind: ConfigMap -apiVersion: v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard-settings - ---- -# ------------------- Dashboard Service Account ------------------- # - -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - ---- -# ------------------- Dashboard Role & Role Binding ------------------- # -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - k8s-app: 
kubernetes-dashboard - name: kubernetes-dashboard -rules: - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics. - - apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster", "dashboard-metrics-scraper"] - verbs: ["proxy"] - - apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] - verbs: ["get"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubernetes-dashboard -subjects: - - kind: ServiceAccount - name: kubernetes-dashboard - namespace: {{ k8s_namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubernetes-dashboard -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubernetes-dashboard -subjects: - - kind: ServiceAccount - name: kubernetes-dashboard - namespace: {{ k8s_namespace }} - ---- -# ------------------- Dashboard Deployment ------------------- # - -kind: Deployment -apiVersion: apps/v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard -spec: - replicas: {{ dashboard_replicas }} - revisionHistoryLimit: 10 - selector: - matchLabels: - k8s-app: kubernetes-dashboard - template: - metadata: - labels: - k8s-app: kubernetes-dashboard - spec: - securityContext: - seccompProfile: - type: 
RuntimeDefault - priorityClassName: system-cluster-critical - containers: - - name: kubernetes-dashboard - image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }} - imagePullPolicy: {{ k8s_image_pull_policy }} - resources: - limits: - cpu: {{ dashboard_cpu_limit }} - memory: {{ dashboard_memory_limit }} - requests: - cpu: {{ dashboard_cpu_requests }} - memory: {{ dashboard_memory_requests }} - ports: - - containerPort: 8443 - protocol: TCP - args: - - --namespace={{ k8s_namespace }} -{% if dashboard_use_custom_certs %} - - --tls-key-file={{ dashboard_tls_key_file }} - - --tls-cert-file={{ dashboard_tls_cert_file }} -{% else %} - - --auto-generate-certificates -{% endif %} -{% if dashboard_skip_login %} - - --enable-skip-login -{% endif %} - - --authentication-mode=token - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. 
- # - --apiserver-host=http://my-address:port - - --token-ttl={{ dashboard_token_ttl }} - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1001 - runAsGroup: 2001 - volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: {{ dashboard_certs_secret_name }} - - name: tmp-volume - emptyDir: {} - serviceAccountName: kubernetes-dashboard -{% if dashboard_master_toleration %} - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule -{% endif %} - ---- -# ------------------- Dashboard Service ------------------- # - -kind: Service -apiVersion: v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard -spec: - ports: - - port: 443 - targetPort: 8443 - selector: - k8s-app: kubernetes-dashboard - ---- -# ------------------- Metrics Scraper Service Account ------------------- # - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard -rules: - # Allow Metrics Scraper to get metrics from the Metrics server - - apiGroups: ["metrics.k8s.io"] - resources: ["pods", "nodes"] - verbs: ["get", "list", "watch"] - ---- - -# ------------------- Metrics Scraper Service ------------------- # -kind: Service -apiVersion: v1 -metadata: - labels: - k8s-app: kubernetes-metrics-scraper - name: dashboard-metrics-scraper -spec: - ports: - - port: 8000 - targetPort: 8000 - selector: - k8s-app: kubernetes-metrics-scraper - ---- - -# ------------------- Metrics Scraper Deployment ------------------- # -kind: Deployment -apiVersion: apps/v1 -metadata: - labels: - k8s-app: kubernetes-metrics-scraper - name: kubernetes-metrics-scraper 
-spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - k8s-app: kubernetes-metrics-scraper - template: - metadata: - labels: - k8s-app: kubernetes-metrics-scraper - spec: - securityContext: - seccompProfile: - type: RuntimeDefault - priorityClassName: system-cluster-critical - containers: - - name: kubernetes-metrics-scraper - image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }} - ports: - - containerPort: 8000 - protocol: TCP - livenessProbe: - httpGet: - scheme: HTTP - path: / - port: 8000 - initialDelaySeconds: 30 - timeoutSeconds: 30 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1001 - runAsGroup: 2001 - volumeMounts: - - mountPath: /tmp - name: tmp-volume - serviceAccountName: kubernetes-dashboard - volumes: - - name: tmp-volume - emptyDir: {} -{% if dashboard_master_toleration %} - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule -{% endif %} diff --git a/roles/kubespray_defaults/defaults/main/download.yml b/roles/kubespray_defaults/defaults/main/download.yml index 512d225bf..86eab7823 100644 --- a/roles/kubespray_defaults/defaults/main/download.yml +++ b/roles/kubespray_defaults/defaults/main/download.yml @@ -376,11 +376,6 @@ gcp_pd_csi_attacher_image_tag: "v2.1.1-gke.0" gcp_pd_csi_resizer_image_tag: "v0.4.0-gke.0" gcp_pd_csi_registrar_image_tag: "v1.2.0-gke.0" -dashboard_image_repo: "{{ docker_image_repo }}/kubernetesui/dashboard" -dashboard_image_tag: "v2.7.0" -dashboard_metrics_scraper_repo: "{{ docker_image_repo }}/kubernetesui/metrics-scraper" -dashboard_metrics_scraper_tag: "v1.0.8" - metallb_speaker_image_repo: "{{ quay_image_repo }}/metallb/speaker" metallb_controller_image_repo: "{{ quay_image_repo }}/metallb/controller" metallb_version: 0.13.9 
@@ -1074,24 +1069,6 @@ downloads: groups: - kube_node - dashboard: - enabled: "{{ dashboard_enabled }}" - container: true - repo: "{{ dashboard_image_repo }}" - tag: "{{ dashboard_image_tag }}" - checksum: "{{ dashboard_digest_checksum | default(None) }}" - groups: - - kube_control_plane - - dashboard_metrics_scrapper: - enabled: "{{ dashboard_enabled }}" - container: true - repo: "{{ dashboard_metrics_scraper_repo }}" - tag: "{{ dashboard_metrics_scraper_tag }}" - checksum: "{{ dashboard_digest_checksum | default(None) }}" - groups: - - kube_control_plane - metallb_speaker: enabled: "{{ metallb_speaker_enabled }}" container: true diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml index 2f006fcb2..7625d3788 100644 --- a/roles/kubespray_defaults/defaults/main/main.yml +++ b/roles/kubespray_defaults/defaults/main/main.yml @@ -436,10 +436,6 @@ credentials_dir: "{{ inventory_dir }}/credentials" # K8s image pull policy (imagePullPolicy) k8s_image_pull_policy: IfNotPresent -# Kubernetes dashboard -# RBAC required. see docs/getting-started.md for access details. -dashboard_enabled: false - # Addons which can be enabled helm_enabled: false registry_enabled: false diff --git a/roles/validate_inventory/tasks/main.yml b/roles/validate_inventory/tasks/main.yml index 1bdb38108..e8a818be5 100644 --- a/roles/validate_inventory/tasks/main.yml +++ b/roles/validate_inventory/tasks/main.yml @@ -76,13 +76,6 @@ - kube_network_plugin not in ['calico', 'none'] - ipv4_stack | bool -- name: Stop if RBAC is not enabled when dashboard is enabled - assert: - that: rbac_enabled - when: - - dashboard_enabled - - not ignore_assert_errors - - name: Check cloud_provider value assert: that: cloud_provider == 'external' diff --git a/tests/files/almalinux9-calico.yml b/tests/files/almalinux9-calico.yml index 3ef929696..e878d100a 100644 --- a/tests/files/almalinux9-calico.yml +++ b/tests/files/almalinux9-calico.yml 
@@ -5,8 +5,6 @@ vm_memory: 3072 # Kubespray settings metrics_server_enabled: true -dashboard_namespace: "kube-dashboard" -dashboard_enabled: true loadbalancer_apiserver_type: haproxy local_path_provisioner_enabled: true diff --git a/tests/files/flatcar4081-calico.yml b/tests/files/flatcar4081-calico.yml index 1c0a790d9..80a0dd2d5 100644 --- a/tests/files/flatcar4081-calico.yml +++ b/tests/files/flatcar4081-calico.yml @@ -6,6 +6,4 @@ vm_memory: 3072 # Kubespray settings metrics_server_enabled: true -dashboard_namespace: "kube-dashboard" -dashboard_enabled: true loadbalancer_apiserver_type: haproxy diff --git a/tests/files/rockylinux10-calico.yml b/tests/files/rockylinux10-calico.yml index 781e5d0fe..0a0678225 100644 --- a/tests/files/rockylinux10-calico.yml +++ b/tests/files/rockylinux10-calico.yml @@ -5,6 +5,4 @@ vm_memory: 3072 # Kubespray settings metrics_server_enabled: true -dashboard_namespace: "kube-dashboard" -dashboard_enabled: true loadbalancer_apiserver_type: haproxy diff --git a/tests/files/rockylinux9-calico.yml b/tests/files/rockylinux9-calico.yml index 2d223b790..4cf0db94c 100644 --- a/tests/files/rockylinux9-calico.yml +++ b/tests/files/rockylinux9-calico.yml @@ -5,6 +5,4 @@ vm_memory: 3072 # Kubespray settings metrics_server_enabled: true -dashboard_namespace: "kube-dashboard" -dashboard_enabled: true loadbalancer_apiserver_type: haproxy