├── .gitignore
├── ISSUE_TEMPLATE.md
├── LICENSE
├── README-cn.md
├── README.md
├── Vagrantfile
├── addon
    ├── dashboard
    │   └── kubernetes-dashboard.yaml
    ├── dns
    │   ├── coredns.yaml.sed
    │   └── dns-deploy.sh
    ├── efk
    │   ├── es-service.yaml
    │   ├── es-statefulset.yaml
    │   ├── fluentd-es-configmap.yaml
    │   ├── fluentd-es-ds.yaml
    │   ├── kibana-deployment.yaml
    │   └── kibana-service.yaml
    ├── heapster
    │   ├── grafana-service.yaml
    │   ├── heapster-controller.yaml
    │   ├── heapster-service.yaml
    │   ├── influxdb-grafana-controller.yaml
    │   └── influxdb-service.yaml
    ├── istio
    │   ├── istio-demo.yaml
    │   └── istio-ingress.yaml
    ├── jenkins
    │   └── Dockerfile
    ├── kiali
    │   ├── kiali-configmap.yaml
    │   ├── kiali-secret.yaml
    │   └── kiali.yaml
    ├── rook
    │   ├── mysql.yaml
    │   ├── rook-agent-clusterrolebinding.yaml
    │   ├── rook-cluster.yaml
    │   ├── rook-operator.yaml
    │   ├── rook-storageclass.yaml
    │   ├── rook-tools.yaml
    │   └── wordpress.yaml
    ├── traefik-ingress
    │   ├── ingress.yaml
    │   ├── traefik-rbac.yaml
    │   └── traefik.yaml
    ├── vistio
    │   └── vistio-mesh-only.yaml
    └── weave-scope
    │   └── scope.yaml
├── conf
    ├── admin.kubeconfig
    ├── apiserver
    ├── bootstrap.kubeconfig
    ├── config
    ├── controller-manager
    ├── kube-proxy.kubeconfig
    ├── kubelet.kubeconfig
    ├── scheduler
    ├── scheduler.conf
    └── token.csv
├── hack
    ├── deploy-base-services.sh
    ├── deploy-helm.sh
    ├── get-dashboard-token.sh
    └── k8s-init.sh
├── images
    ├── bookinfo-demo.gif
    ├── dashboard-animation.gif
    ├── grafana-animation.gif
    ├── kiali.gif
    ├── traefik-ingress.gif
    ├── vistio-animation.gif
    └── weave-scope-animation.gif
├── install.sh
├── node1
    ├── kubelet
    └── proxy
├── node2
    ├── kubelet
    └── proxy
├── node3
    ├── kubelet
    └── proxy
├── pki
    ├── admin-csr.json
    ├── admin-key.pem
    ├── admin.csr
    ├── admin.p12
    ├── admin.pem
    ├── ca-config.json
    ├── ca-csr.json
    ├── ca-key.pem
    ├── ca.csr
    ├── ca.pem
    ├── kube-proxy-csr.json
    ├── kube-proxy-key.pem
    ├── kube-proxy.csr
    ├── kube-proxy.pem
    ├── kubernetes-csr.json
    ├── kubernetes-key.pem
    ├── kubernetes.csr
    ├── kubernetes.pem
    ├── scheduler-csr.json
    ├── scheduler-key.pem
    ├── scheduler.csr
    └── scheduler.pem
├── systemd
    ├── etcd.service
    ├── kube-apiserver.service
    ├── kube-controller-manager.service
    ├── kube-proxy.service
    ├── kube-scheduler.service
    └── kubelet.service
├── yaml
    ├── admin-role.yaml
    ├── istio-bookinfo
    │   ├── bookinfo-gateway.yaml
    │   ├── bookinfo.yaml
    │   └── destination-rule-all.yaml
    └── nginx-deployment.yaml
└── yum
    └── CentOS7-Base-163.repo


/.gitignore:
--------------------------------------------------------------------------------
1 | .vagrant/*
2 | .DS_Store
3 | *.tar.gz
4 | kubernetes
5 | *.box
6 | .idea/*
7 | 


--------------------------------------------------------------------------------
/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | # Environment
 2 | 
 3 | - OS:
 4 | - Kubernetes version:
 5 | - VirtualBox version:
 6 | - Vagrant version:
 7 | 
 8 | ## What I did?
 9 | 
10 | Your operations on this repo.
11 | 
12 | ## Messages
13 | 
14 | Logs or error messages.
15 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README-cn.md:
--------------------------------------------------------------------------------
  1 | # 使用Vagrant和VirtualBox在本地搭建分布式的Kubernetes集群和Istio Service Mesh
  2 | 
  3 | [Setting up a Kubernetes cluster along with Istio service mesh locally with Vagrant and VirtualBox - English](README.md)
  4 | 
  5 | 当我们需要在本地开发时，更希望能够有一个开箱即用又可以方便定制的分布式开发环境，这样才能对Kubernetes本身和应用进行更好的测试。现在我们使用[Vagrant](https://www.vagrantup.com/)和[VirtualBox](https://www.virtualbox.org/wiki/Downloads)来创建一个这样的环境。
  6 | 
  7 | **注意**：因为使用虚拟机创建分布式Kubernetes集群比较耗费资源，所以我又仅使用Docker创建Standalone的Kubernetes的轻量级[Cloud Native Sandbox](https://github.com/rootsongjc/cloud-native-sandbox)。
  8 | 
  9 | ## Demo
 10 | 
 11 | 点击下面的图片观看视频。
 12 | 
 13 | [![观看视频](https://ae01.alicdn.com/kf/U4416321c10a0444a9f12dd7f5bf722c9p.jpg)](https://www.bilibili.com/video/av39514214/)
 14 | 
 15 | ## 准备环境
 16 | 
 17 | 需要准备以下软件和环境：
 18 | 
 19 | - 8G以上内存
 20 | - Vagrant 最新版本（推荐2.2.16）
 21 | - VirtualBox 5.2（不支持 5.2 以上的版本）
 22 | - 提前下载Kubernetes 1.16（本篇基于1.16.14）的release压缩包
 23 | - Mac/Linux，**Windows不完全支持，仅在windows10下通过**
 24 | 
 25 | ## 集群
 26 | 
 27 | 我们使用Vagrant和Virtualbox安装包含3个节点的kubernetes集群，其中master节点同时作为node节点。
 28 | 
 29 | | IP           | 主机名   | 组件                                       |
 30 | | ------------ | ----- | ---------------------------------------- |
 31 | | 172.17.8.101 | node1 | kube-apiserver、kube-controller-manager、kube-scheduler、etcd、kubelet、docker、flannel、dashboard |
 32 | | 172.17.8.102 | node2 | kubelet、docker、flannel、traefik           |
 33 | | 172.17.8.103 | node3 | kubelet、docker、flannel                   |
 34 | 
 35 | **注意**：以上的IP、主机名和组件都是固定在这些节点的，即使销毁后下次使用vagrant重建依然保持不变。
 36 | 
 37 | 容器IP范围：172.33.0.0/30
 38 | 
 39 | Kubernetes service IP范围：10.254.0.0/16
 40 | 
 41 | ## 安装的组件
 42 | 
 43 | 安装完成后的集群包含以下组件：
 44 | 
 45 | - flannel（`host-gw`模式）
 46 | - kubernetes dashboard
 47 | - etcd（单节点）
 48 | - kubectl
 49 | - CoreDNS
 50 | - kubernetes（版本根据下载的kubernetes安装包而定，支持Kubernetes1.9+）
 51 | 
 52 | **可选插件**
 53 | 
 54 | - Heapster + InfluxDB  + Grafana
 55 | - ElasticSearch + Fluentd + Kibana
 56 | - Istio service mesh
 57 | - Helm
 58 | - Vistio
 59 | - Kiali
 60 | 
 61 | ## 使用说明
 62 | 
 63 | 将该repo克隆到本地，下载Kubernetes的到项目的根目录。
 64 | 
 65 | ```bash
 66 | git clone https://github.com/rootsongjc/kubernetes-vagrant-centos-cluster.git
 67 | cd kubernetes-vagrant-centos-cluster
 68 | ```
 69 | 
 70 | **注意**：如果您是第一次运行该部署程序，那么可以直接执行下面的命令，它将自动帮你下载 Kubernetes 安装包，下一次你就不需要自己下载了，另外您也可以在[这里](https://kubernetes.io/docs/setup/release/notes/)找到Kubernetes的发行版下载地址，下载 Kubernetes发行版后重命名为`kubernetes-server-linux-amd64.tar.gz`，并移动到该项目的根目录下。
 71 | 
 72 | 因为该项目是使用 NFS 的方式挂载到虚拟机的 `/vagrant` 目录中的，所以在安装 NFS 的时候需要您输入密码授权。
 73 | 
 74 | 使用vagrant启动集群。
 75 | 
 76 | ```bash
 77 | vagrant up
 78 | ```
 79 | 
 80 | 如果是首次部署，会自动下载`centos/7`的box，这需要花费一些时间，另外每个节点还需要下载安装一系列软件包，整个过程大概需要10几分钟。
 81 | 
 82 | 如果您在运行`vagrant up`的过程中发现无法下载`centos/7`的box，可以手动下载后将其添加到vagrant中。
 83 | 
 84 | **手动添加centos/7 box**
 85 | 
 86 | ````bash
 87 | wget -c http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1801_02.VirtualBox.box
 88 | vagrant box add CentOS-7-x86_64-Vagrant-1804_02.VirtualBox.box --name centos/7
 89 | ````
 90 | 
 91 | 这样下次运行`vagrant up`的时候就会自动读取本地的`centos/7` box而不会再到网上下载。
 92 | 
 93 | #### Mac 安装说明
 94 | 
 95 | 在偏好设置 -> 安全性和隐私 -> 通用，点击被阻止的程序。
 96 | 然后在命令行终端中执行 `sudo "/Library/Application Support/VirtualBox/LaunchDaemons/VirtualBoxStartup.sh" restart `， 再执行 `vagrant up` 启动。
 97 | 
 98 | **Windows 安装特别说明**
 99 | 
100 | 执行`vagrant up`之后会有如下提示：
101 | ```
102 | G:\code\kubernetes-vagrant-centos-cluster>vagrant up
103 | Bringing machine 'node1' up with 'virtualbox' provider...
104 | Bringing machine 'node2' up with 'virtualbox' provider...
105 | Bringing machine 'node3' up with 'virtualbox' provider...
106 | ==> node1: Importing base box 'centos/7'...
107 | ==> node1: Matching MAC address for NAT networking...
108 | ==> node1: Setting the name of the VM: node1
109 | ==> node1: Clearing any previously set network interfaces...
110 | ==> node1: Specific bridge 'en0: Wi-Fi (AirPort)' not found. You may be asked to specify
111 | ==> node1: which network to bridge to.
112 | ==> node1: Available bridged network interfaces:
113 | 1) Realtek PCIe GBE Family Controller
114 | 2) TAP-Windows Adapter V9
115 | ==> node1: When choosing an interface, it is usually the one that is
116 | ==> node1: being used to connect to the internet.
117 |     node1: Which interface should the network bridge to?
118 |     node1: Which interface should the network bridge to?
119 |     
120 | ```
121 | 输入`1`之后按回车继续。（根据自己真实网卡选择，node2、node3同样需要）
122 | 
123 | 
124 | node3快要结束的时候可能会有如下错误：
125 | ```
126 | node3: Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
127 |     node3: Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
128 |     node3: deploy coredns
129 |     node3: /tmp/vagrant-shell: ./dns-deploy.sh: /bin/bash^M: bad interpreter: No such file or directory
130 |     node3: error: no objects passed to apply
131 |     node3: /home/vagrant
132 | ```
133 | 
134 | 解决方法：
135 | 
136 | ```bash
137 | vagrant ssh node3
138 | sudo -i
139 | cd /vagrant/addon/dns
140 | yum -y install dos2unix
141 | dos2unix dns-deploy.sh
142 | ./dns-deploy.sh -r 10.254.0.0/16 -i 10.254.0.2 |kubectl apply -f -
143 | ```
144 | 
145 | 
146 | ### 访问kubernetes集群
147 | 
148 | 访问Kubernetes集群的方式有三种：
149 | 
150 | - 本地访问
151 | - 在VM内部访问
152 | - Kubernetes dashboard
153 | 
154 | **通过本地访问**
155 | 
156 | 可以直接在你自己的本地环境中操作该kubernetes集群，而无需登录到虚拟机中。
157 | 
158 | 要想在本地直接操作Kubernetes集群，需要在你的电脑里安装`kubectl`命令行工具，对于Mac用户执行以下步骤：
159 | 
160 | ```bash
161 | wget https://storage.googleapis.com/kubernetes-release/release/v1.16.14/kubernetes-client-darwin-amd64.tar.gz
162 | tar xvf kubernetes-client-darwin-amd64.tar.gz && cp kubernetes/client/bin/kubectl /usr/local/bin
163 | ```
164 | 
165 | 将`conf/admin.kubeconfig`文件放到`~/.kube/config`目录下即可在本地使用`kubectl`命令操作集群。
166 | 
167 | ```bash
168 | mkdir -p ~/.kube
169 | cp conf/admin.kubeconfig ~/.kube/config
170 | ```
171 | 
172 | 我们推荐您使用这种方式。
173 | 
174 | **在虚拟机内部访问**
175 | 
176 | 如果有任何问题可以登录到虚拟机内部调试：
177 | 
178 | ```bash
179 | vagrant ssh node1
180 | sudo -i
181 | kubectl get nodes
182 | ```
183 | 
184 | **Kubernetes dashboard**
185 | 
186 | 还可以直接通过dashboard UI来访问：https://172.17.8.101:8443
187 | 
188 | 可以在本地执行以下命令获取token的值（需要提前安装kubectl）：
189 | 
190 | ```bash
191 | kubectl -n kube-system describe secret `kubectl -n kube-system get secret|grep admin-token|cut -d " " -f1`|grep "token:"|tr -s " "|cut -d " " -f2
192 | ```
193 | 
194 | **注意**：token的值也可以在`vagrant up`的日志的最后看到。
195 | 
196 | ![Kubernetes dashboard animation](images/dashboard-animation.gif)
197 | 
198 | 只有当你安装了下面的heapster组件后才能看到上图中的监控metrics。
199 | 
200 | 
201 | **Windows下Chrome/Firefox访问**
202 | 
203 | 如果提示`NET::ERR_CERT_INVALID`，则需要下面的步骤
204 | 
205 | 进入本项目目录
206 | 
207 | ```
208 | vagrant ssh node1
209 | sudo -i
210 | cd /vagrant/addon/dashboard/
211 | mkdir certs
212 | openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
213 | openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt
214 | kubectl delete secret kubernetes-dashboard-certs -n kube-system
215 | kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system
216 | kubectl delete pods $(kubectl get pods -n kube-system|grep kubernetes-dashboard|awk '{print $1}') -n kube-system #重新创建dashboard
217 | ```
218 | 刷新浏览器之后点击`高级`，选择跳过即可打开页面。
219 | 
220 | ### 组件
221 | 
222 | **Heapster监控**
223 | 
224 | 创建Heapster监控：
225 | 
226 | ```bash
227 | kubectl apply -f addon/heapster/
228 | ```
229 | 
230 | 访问Grafana
231 | 
232 | 使用Ingress方式暴露的服务，在本地`/etc/hosts`中增加一条配置：
233 | 
234 | ```ini
235 | 172.17.8.102 grafana.jimmysong.io
236 | ```
237 | 
238 | 访问Grafana：<http://grafana.jimmysong.io>
239 | 
240 | ![Grafana动画](images/grafana-animation.gif)
241 | 
242 | **Traefik**
243 | 
244 | 部署Traefik ingress controller和增加ingress配置：
245 | 
246 | ```bash
247 | kubectl apply -f addon/traefik-ingress
248 | ```
249 | 
250 | 在本地`/etc/hosts`中增加一条配置：
251 | 
252 | ```ini
253 | 172.17.8.102 traefik.jimmysong.io
254 | ```
255 | 
256 | 访问Traefik UI：<http://traefik.jimmysong.io>
257 | 
258 | ![Traefik Ingress controller](images/traefik-ingress.gif)
259 | 
260 | **EFK**
261 | 
262 | 使用EFK做日志收集。
263 | 
264 | ```bash
265 | kubectl apply -f addon/efk/
266 | ```
267 | 
268 | **注意**：运行EFK的每个节点需要消耗很大的CPU和内存，请保证每台虚拟机至少分配了4G内存。
269 | 
270 | **Helm**
271 | 
272 | 用来部署helm。
273 | 
274 | ```bash
275 | hack/deploy-helm.sh
276 | ```
277 | 
278 | ### Service Mesh
279 | 
280 | 我们使用 [istio](https://istio.io) 作为 service mesh。
281 | 
282 | **安装**
283 | 
284 | 到[Istio release](https://github.com/istio/istio/releases) 页面下载istio的安装包，安装istio命令行工具，将`istioctl`命令行工具放到你的`$PATH`目录下，对于Mac用户：
285 | 
286 | ```bash
287 | wget https://github.com/istio/istio/releases/download/1.0.0/istio-1.0.0-osx.tar.gz
288 | tar xvf istio-1.0.0-osx.tar.gz
289 | mv bin/istioctl /usr/local/bin/
290 | ```
291 | 
292 | 在Kubernetes中部署istio：
293 | 
294 | ```bash
295 | kubectl apply -f addon/istio/istio-demo.yaml
296 | kubectl apply -f addon/istio/istio-ingress.yaml
297 | ```
298 | 
299 | **运行示例**
300 | 
301 | 我们开启了Sidecar自动注入。
302 | 
303 | ```bash
304 | kubectl label namespace default istio-injection=enabled
305 | kubectl apply -n default -f yaml/istio-bookinfo/bookinfo.yaml
306 | kubectl apply -n default -f yaml/istio-bookinfo/bookinfo-gateway.yaml
307 | kubectl apply -n default -f yaml/istio-bookinfo/destination-rule-all.yaml
308 | ```
309 | 
310 | 在您自己的本地主机的`/etc/hosts`文件中增加如下配置项。
311 | 
312 | ```
313 | 172.17.8.102 grafana.istio.jimmysong.io
314 | 172.17.8.102 prometheus.istio.jimmysong.io
315 | 172.17.8.102 servicegraph.istio.jimmysong.io
316 | 172.17.8.102 jaeger-query.istio.jimmysong.io
317 | ```
318 | 
319 | 我们可以通过下面的URL地址访问以上的服务。
320 | 
321 | | Service      | URL                                                          |
322 | | ------------ | ------------------------------------------------------------ |
323 | | grafana      | http://grafana.istio.jimmysong.io                            |
324 | | servicegraph | <http://servicegraph.istio.jimmysong.io/dotviz>, <http://servicegraph.istio.jimmysong.io/graph>,<http://servicegraph.istio.jimmysong.io/force/forcegraph.html> |
325 | | tracing      | http://jaeger-query.istio.jimmysong.io                       |
326 | | productpage  | http://172.17.8.101:31380/productpage                        |
327 | 
328 | 详细信息请参阅：https://istio.io/zh/docs/examples/bookinfo/
329 | 
330 | ![Bookinfo Demo](images/bookinfo-demo.gif)
331 | 
332 | ### Vistio
333 | 
334 | [Vizceral](https://github.com/Netflix/vizceral)是Netflix发布的一个开源项目，用于近乎实时地监控应用程序和集群之间的网络流量。Vistio是使用Vizceral对Istio和网格监控的改进。它利用Istio Mixer生成的指标，然后将其输入Prometheus。Vistio查询Prometheus并将数据存储在本地以允许重播流量。
335 | 
336 | ```bash
337 | # Deploy vistio via kubectl
338 | kubectl -n default apply -f addon/vistio/
339 | 
340 | # Expose vistio-api
341 | kubectl -n default port-forward $(kubectl -n default get pod -l app=vistio-api -o jsonpath='{.items[0].metadata.name}') 9091:9091 &
342 | 
343 | # Expose vistio in another terminal window
344 | kubectl -n default port-forward $(kubectl -n default get pod -l app=vistio-web -o jsonpath='{.items[0].metadata.name}') 8080:8080 &
345 | ```
346 | 
347 | 如果一切都已经启动并准备就绪，您就可以访问Vistio UI，开始探索服务网格网络，访问[http://localhost:8080](http://localhost:8080/) 您将会看到类似下图的输出。
348 | 
349 | ![vistio animation](images/vistio-animation.gif)
350 | 
351 | 更多详细内容请参考[Vistio—使用Netflix的Vizceral可视化Istio service mesh](http://www.servicemesher.com/blog/vistio-visualize-your-istio-mesh-using-netflixs-vizceral/)。
352 | 
353 | ### Kiali
354 | 
355 | Kiali是一个用于提供Istio service mesh观察性的项目，更多信息请查看[https://kiali.io](https://kiali.io/)。
356 | 
357 | 在本地该项目的根路径下执行下面的命令：
358 | 
359 | ```bash
360 | kubectl apply -n istio-system -f addon/kiali
361 | ```
362 | 
363 | Kiali web地址：http://172.17.8.101:32439
364 | 
365 | 用户名/密码：admin/admin
366 | 
367 | ![kiali](./images/kiali.gif)
368 | 
369 | **注意**：Kilia使用Jaeger做追踪，请不用屏蔽kilia页面的弹出窗口。
370 | 
371 | ### Weave scope
372 | 
373 | [Weave scope](https://github.com/weaveworks/scope)可用于监控、可视化和管理Docker&Kubernetes集群，详情见<https://www.weave.works/oss/scope/> 
374 | 
375 | 在本地该项目的根路径下执行下面的命令：
376 | 
377 | ```bash
378 | kubectl apply -f addon/weave-scope
379 | ```
380 | 
381 | 在本地的`/etc/hosts`下增加一条记录。
382 | 
383 | ```
384 | 172.17.8.102 scope.weave.jimmysong.io
385 | ```
386 | 
387 | 现在打开浏览器，访问http://scope.weave.jimmysong.io/
388 | 
389 | ![Weave scope动画](images/weave-scope-animation.gif)
390 | 
391 | ## 管理
392 | 
393 | 除了特别说明，以下命令都在当前的repo目录下操作。
394 | 
395 | ### 挂起
396 | 
397 | 将当前的虚拟机挂起，以便下次恢复。
398 | 
399 | ```bash
400 | vagrant suspend
401 | ```
402 | 
403 | ### 恢复
404 | 
405 | 恢复虚拟机的上次状态。
406 | 
407 | ```bash
408 | vagrant resume
409 | ```
410 | 
411 | 注意：我们每次挂起虚拟机后再重新启动它们的时候，看到的虚拟机中的时间依然是挂载时候的时间，这样将导致监控查看起来比较麻烦。因此请考虑先停机再重新启动虚拟机。
412 | 
413 | ### 重启
414 | 
415 | 停机后重启启动。
416 | 
417 | ```bash
418 | vagrant halt
419 | vagrant up
420 | # login to node1
421 | vagrant ssh node1
422 | # run the prosivision scripts
423 | /vagrant/hack/k8s-init.sh
424 | exit
425 | # login to node2
426 | vagrant ssh node2
427 | # run the prosivision scripts
428 | /vagrant/hack/k8s-init.sh
429 | exit
430 | # login to node3
431 | vagrant ssh node3
432 | # run the prosivision scripts
433 | /vagrant/hack/k8s-init.sh
434 | sudo -i
435 | cd /vagrant/hack
436 | ./deploy-base-services.sh
437 | exit
438 | ```
439 | 
440 | 现在你已经拥有一个完整的基础的kubernetes运行环境，在该repo的根目录下执行下面的命令可以获取kubernetes dashboard的admin用户的token。
441 | 
442 | ```bash
443 | hack/get-dashboard-token.sh
444 | ```
445 | 
446 | 根据提示登录即可。
447 | 
448 | ### 清理
449 | 
450 | 清理虚拟机。
451 | 
452 | ```bash
453 | vagrant destroy
454 | rm -rf .vagrant
455 | ```
456 | 
457 | ### 注意
458 | 
459 | 仅做开发测试使用，不要在生产环境使用该项目。
460 | 
461 | ## 参考
462 | 
463 | - [Kubernetes Handbook——Kubernetes中文指南/云原生应用架构实践手册](https://jimmysong.io/kubernetes-handbook)
464 | - [duffqiu/centos-vagrant](https://github.com/duffqiu/centos-vagrant)
465 | - [coredns/deployment](https://github.com/coredns/deployment)
466 | - [Kubernetes 1.8 kube-proxy 开启 ipvs](https://mritd.me/2017/10/10/kube-proxy-use-ipvs-on-kubernetes-1.8/#%E4%B8%80%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87)
467 | - [Vistio—使用Netflix的Vizceral可视化Istio service mesh](http://www.servicemesher.com/blog/vistio-visualize-your-istio-mesh-using-netflixs-vizceral/)
468 | 
469 | **更多[Istio](https://istio.io/zh)和Service Mesh的资讯请访问[ServiceMesher社区](http://www.servicemesher.com)和关注社区的微信公众号。**
470 | 
471 | <p align="center">
472 |   <img src="https://ws1.sinaimg.cn/large/00704eQkgy1fshv989hhqj309k09k0t6.jpg" alt="ServiceMesher微信公众号二维码"/>
473 | </p>
474 | 
475 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Setting up a distributed Kubernetes cluster along with Istio service mesh locally with Vagrant and VirtualBox
  2 | 
  3 | [使用Vagrant和VirtualBox在本地搭建分布式Kubernetes集群和Istio Service Mesh - 中文](README-cn.md)
  4 | 
  5 | Setting up a Kubernetes cluster and Istio service mesh with `vagrantfile` which consists of 1 master(also as node) and 3 nodes. You don't have to create complicated CA files or configuration.
  6 | 
  7 | **Note**: Because of using virtual machines to setup distributed Kubernetes cluster will bring high load on your computer, so I created the lightweight [Cloud Native Sandbox](https://github.com/rootsongjc/cloud-native-sandbox) using Docker to setup a standalone Kubernetes.
  8 | 
  9 | ## Demo
 10 | 
 11 | Click the following image to watch the video.
 12 | 
 13 | [![Watch the video](https://img.youtube.com/vi/26kbaZxcB4A/maxresdefault.jpg)](https://youtu.be/26kbaZxcB4A)
 14 | 
 15 | ### Why not use kubeadm?
 16 | 
 17 | Because I want to setup the etcd, apiserver, controller and scheduler without docker container.
 18 | 
 19 | ### Architecture
 20 | 
 21 | We will create a Kubernetes 1.15.0 cluster with 3 nodes which contains the components below:
 22 | 
 23 | | IP           | Hostname | Componets                                |
 24 | | ------------ | -------- | ---------------------------------------- |
 25 | | 172.17.8.101 | node1    | kube-apiserver, kube-controller-manager, kube-scheduler, etcd, kubelet, docker, flannel, dashboard |
 26 | | 172.17.8.102 | node2    | kubelet, docker, flannel、traefik         |
 27 | | 172.17.8.103 | node3    | kubelet, docker, flannel                 |
 28 | 
 29 | The default setting will create the private network from 172.17.8.101 to 172.17.8.103 for nodes, and it will use the host's DHCP for the public IP.
 30 | 
 31 | The kubernetes service's VIP range is `10.254.0.0/16`.
 32 | 
 33 | The container network range is `170.33.0.0/16` owned by flanneld with `host-gw` backend.
 34 | 
 35 | `kube-proxy` will run as `ipvs` mode.
 36 | 
 37 | ## Usage
 38 | 
 39 | ### Prerequisite
 40 | 
 41 | * Host server with 8G+ mem(More is better), 60G disk, 8 core cpu at lease
 42 | * **Vagrant latest（2.2.16 recommended）**
 43 | * **VirtualBox 5.2 (5.2+ is not supported)**
 44 | * Kubernetes 1.16 (support the latest version 1.16.14)
 45 | * Across GFW to download the kubernetes files (For China users only)
 46 | * MacOS/Linux (**Windows is not supported completely**)
 47 | * NFS Server Package 
 48 | 
 49 | ### Support Add-ons
 50 | 
 51 | **Required**
 52 | 
 53 | - CoreDNS
 54 | - Dashboard
 55 | - Traefik
 56 | 
 57 | **Optional**
 58 | 
 59 | - Heapster + InfluxDB + Grafana
 60 | - ElasticSearch + Fluentd + Kibana
 61 | - Istio service mesh
 62 | - Helm
 63 | - Vistio
 64 | - Kiali
 65 | 
 66 | #### Setup
 67 | 
 68 | Clone this repo into your local machine and download kubernetes binary release first and move them into the root directory of this repo (GitBash for the Windows must be run as Administrator to install ```vagrant-winnfsd``` plugin).
 69 | 
 70 | ```bash
 71 | vagrant plugin install vagrant-winnfsd
 72 | git clone https://github.com/rootsongjc/kubernetes-vagrant-centos-cluster.git
 73 | cd kubernetes-vagrant-centos-cluster
 74 | ```
 75 | 
 76 | **Note**: If this your first time to setup Kubernetes cluster with vagrant, just skip the above step and run the following command, it will download Kubernetes release automatically for you and no need to download the release next time. You can find the download address the Kubernetes releases [here](https://kubernetes.io/docs/imported/release/notes/). Download the release of version you wanted, move it to the root of this repo, rename it to `kubernetes-server-linux-amd64.tar.gz` then the `install.sh` script will skip the download step.
 77 | 
 78 | As this repo folder is mounted to `/vagrant` with NFS in virtual machines, you may be required to enter a password to for administrator privileges during the installation.
 79 | 
 80 | Set up Kubernetes cluster with vagrant.
 81 | 
 82 | ```bash
 83 | vagrant up
 84 | ```
 85 | 
 86 | Wait about 10 minutes the kubernetes cluster will be setup automatically.
 87 | 
 88 | If you have difficult to vagrant up the cluster because of have no way to download the `centos/7` box, you can download the box and add it first.
 89 | 
 90 | **Add centos/7 box manually**
 91 | 
 92 | ```bash
 93 | wget -c http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1801_02.VirtualBox.box
 94 | vagrant box add CentOS-7-x86_64-Vagrant-1804_02.VirtualBox.box --name centos/7
 95 | ```
 96 | 
 97 | The next time you run `vagrant up`, vagrant will import the local box automatically.
 98 | 
 99 | #### Note for Mac
100 | 
101 | VirtualBox may be blocked by Mac's security limit.
102 | Go to `System Preferences` - `Security & Privacy` - `Gerneral` click the blocked app and unblock it.
103 | 
104 | Run  `sudo "/Library/Application Support/VirtualBox/LaunchDaemons/VirtualBoxStartup.sh" restart` in terminal and then `vagrant up`.
105 | 
106 | #### Note for Windows
107 | 
108 | - The project will run some bash script under the VirtualMachines. These scripts line ending need to be in LF. Git for windows set ```core.autocrlf``` true by default at the installation time. When you clone this project repository, this parameter (set to true) ask git to change all line ending to CRLF. This behavior need to be changed before cloning the repository (or after for each files by hand). We recommend to turn this off by running ```git config --global core.autocrlf false``` and ```git config --global core.eol lf``` before cloning. Then, after cloning, do not forget to turn the behavior back if you want to run other windows projects: ```git config --global core.autocrlf true``` and ```git config --global core.eol crlf```.
109 | 
110 | 
111 | If you have executed the previous git global configuration then, you will not see these output while node3 is going to be complete:
112 | 
113 | ```bash
114 |     node3: Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
115 |     node3: Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
116 |     node3: deploy coredns
117 |     node3: /tmp/vagrant-shell: ./dns-deploy.sh: /bin/bash^M: bad interpreter: No such file or directory
118 |     node3: error: no objects passed to apply
119 |     node3: /home/vagrant
120 | ```
121 | 
122 | Solution:
123 | 
124 | ```bash
125 | vagrant ssh node3
126 | sudo -i
127 | cd /vagrant/addon/dns
128 | yum -y install dos2unix
129 | dos2unix dns-deploy.sh
130 | ./dns-deploy.sh -r 10.254.0.0/16 -i 10.254.0.2 |kubectl apply -f -
131 | ```
132 | 
133 | #### Connect to kubernetes cluster
134 | 
135 | There are 3 ways to access the kubernetes cluster.
136 | 
137 | - on local
138 | - login to VM
139 | - Kubernetes dashboard
140 | 
141 | **local**
142 | 
143 | In order to manage the cluster on local you should Install `kubectl` command line tool first(But, you don't need to do it manually because of ```install.sh``` script itself does this).
144 | 
145 | Go to [Kubernetes release notes](https://kubernetes.io/docs/setup/release/notes/), download the client binaries, unzip it and then move `kubectl`  to your `$PATH` folder, for MacOS:
146 | 
147 | ```bash
148 | wget https://storage.googleapis.com/kubernetes-release/release/v1.16.14/kubernetes-client-darwin-amd64.tar.gz
149 | tar xvf kubernetes-client-darwin-amd64.tar.gz && cp kubernetes/client/bin/kubectl /usr/local/bin
150 | ```
151 | 
152 | Copy `conf/admin.kubeconfig` to `~/.kube/config`, using `kubectl` CLI to access the cluster.
153 | 
154 | ```bash
155 | mkdir -p ~/.kube
156 | cp conf/admin.kubeconfig ~/.kube/config
157 | ```
158 | 
159 | We recommend you follow this way.
160 | 
161 | **VM**
162 | 
163 | Login to the virtual machine for debuging. In most situations, you have no need to login the VMs.
164 | 
165 | ```bash
166 | vagrant ssh node1
167 | sudo -i
168 | kubectl get nodes
169 | kubectl get pods --namespace=kube-system
170 | ```
171 | 
172 | **Kubernetes dashboard**
173 | 
174 | Kubernetes dashboard URL: <https://172.17.8.101:8443>
175 | 
176 | Get the admin token:
177 | 
178 | ```bash
179 | kubectl -n kube-system describe secret `kubectl -n kube-system get secret|grep admin-token|cut -d " " -f1`|grep "token:"|tr -s " "|cut -d " " -f2
180 | ```
181 | 
182 | **Note**: You can see the token message on console when  `vagrant up` done.
183 | 
184 | ![Kubernetes dashboard animation](images/dashboard-animation.gif)
185 | 
186 | Only if you install the heapter addon bellow that you can see the metrics.
187 | 
188 | **Visit from Chrome/Firefox on Windows**
189 | 
190 | If you see the hint `NET::ERR_CERT_INVALID`, follow these steps:
191 | 
192 | ```bash
193 | vagrant ssh node1
194 | sudo -i
195 | cd /vagrant/addon/dashboard/
196 | mkdir certs
197 | openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
198 | openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt
199 | kubectl delete secret kubernetes-dashboard-certs -n kube-system
200 | kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system
201 | kubectl delete pods $(kubectl get pods -n kube-system|grep kubernetes-dashboard|awk '{print $1}') -n kube-system #re-install dashboard
202 | ```
203 | 
204 | Refresh the browser and click `Advance`, skip it. You will see the dashboard page there.
205 | 
206 | ## Components
207 | 
208 | **Heapster monitoring**
209 | 
210 | Run this command on your local machine.
211 | 
212 | ```bash
213 | kubectl apply -f /vagrant/addon/heapster/
214 | ```
215 | 
216 | Append the following item to your local `/etc/hosts` file.
217 | 
218 | ```ini
219 | 172.17.8.102 grafana.jimmysong.io
220 | ```
221 | 
222 | Open the URL in browser: <http://grafana.jimmysong.io>
223 | 
224 | ![Grafana animation](images/grafana-animation.gif)
225 | 
226 | **Traefik**
227 | 
228 | Run this command on your local machine.
229 | 
230 | ```bash
231 | kubectl apply -f /vagrant/addon/traefik-ingress
232 | ```
233 | 
234 | Append the following item to your  local file  `/etc/hosts`.
235 | 
236 | ```ini
237 | 172.17.8.102 traefik.jimmysong.io
238 | ```
239 | 
240 | Traefik UI URL: <http://traefik.jimmysong.io>
241 | 
242 | ![Traefik Ingress controller](images/traefik-ingress.gif)
243 | 
244 | **EFK**
245 | 
246 | Run this command on your local machine.
247 | 
248 | ```bash
249 | kubectl apply -f /vagrant/addon/efk/
250 | ```
251 | 
252 | **Note**: Powerful CPU and memory allocation required. At least 4G per virtual machine.
253 | 
254 | **Helm**
255 | 
256 | Run this command on your local machine.
257 | 
258 | ```bash
259 | /vagrant/hack/deploy-helm.sh
260 | ```
261 | 
262 | ### Service Mesh
263 | 
264 | We use [istio](https://istio.io) as the default service mesh.
265 | 
266 | **Installation**
267 | 
268 | Go to [Istio release](https://github.com/istio/istio/releases) to download the binary package, install istio command line tool on local and move `istioctl` to your `$PATH` folder, for Mac:
269 | 
270 | ```bash
271 | wget https://github.com/istio/istio/releases/download/1.0.0/istio-1.0.0-osx.tar.gz
272 | tar xvf istio-1.0.0-osx.tar.gz
273 | mv istio-1.0.0/bin/istioctl /usr/local/bin/
274 | ```
275 | 
276 | Deploy istio into Kubernetes:
277 | 
278 | ```bash
279 | kubectl apply -f /vagrant/addon/istio/istio-demo.yaml
280 | kubectl apply -f /vagrant/addon/istio/istio-ingress.yaml
281 | ```
282 | 
283 | **Run sample**
284 | 
285 | We will let the sidecars be auto injected.
286 | 
287 | ```bash
288 | kubectl label namespace default istio-injection=enabled
289 | kubectl apply -n default -f /vagrant/yaml/istio-bookinfo/bookinfo.yaml
290 | kubectl apply -n default -f /vagrant/yaml/istio-bookinfo/bookinfo-gateway.yaml
291 | kubectl apply -n default -f /vagrant/yaml/istio-bookinfo/destination-rule-all.yaml
292 | ```
293 | 
294 | Add the following items into the file  `/etc/hosts` of your local machine.
295 | 
296 | ```
297 | 172.17.8.102 grafana.istio.jimmysong.io
298 | 172.17.8.102 prometheus.istio.jimmysong.io
299 | 172.17.8.102 servicegraph.istio.jimmysong.io
300 | 172.17.8.102 jaeger-query.istio.jimmysong.io
301 | ```
302 | 
303 | We can see the services from the following URLs.
304 | 
305 | | Service      | URL                                                          |
306 | | ------------ | ------------------------------------------------------------ |
307 | | grafana      | http://grafana.istio.jimmysong.io                            |
308 | | servicegraph | <http://servicegraph.istio.jimmysong.io/dotviz>, <http://servicegraph.istio.jimmysong.io/graph>,<http://servicegraph.istio.jimmysong.io/force/forcegraph.html> |
309 | | tracing      | http://jaeger-query.istio.jimmysong.io                       |
310 | | productpage  | http://172.17.8.101:31380/productpage                        |
311 | 
312 | More detail see https://istio.io/docs/examples/bookinfo/
313 | 
314 | ![Bookinfo Demo](images/bookinfo-demo.gif)
315 | 
316 | ### Vistio
317 | 
318 | [Vizceral](https://github.com/Netflix/vizceral) is an open source project released by Netflix to monitor network traffic between applications and clusters in near real time. Vistio is an adaptation of Vizceral for Istio and mesh monitoring. It utilizes metrics generated by Istio Mixer which are then fed into Prometheus. Vistio queries Prometheus and stores that data locally to allow for the replaying of traffic.
319 | 
320 | Run the following commands in your local machine.
321 | 
322 | ```bash
323 | # Deploy vistio via kubectl
324 | kubectl -n default apply -f /vagrant/addon/vistio/
325 | 
326 | # Expose vistio-api
327 | kubectl -n default port-forward $(kubectl -n default get pod -l app=vistio-api -o jsonpath='{.items[0].metadata.name}') 9091:9091 &
328 | 
329 | # Expose vistio in another terminal window
330 | kubectl -n default port-forward $(kubectl -n default get pod -l app=vistio-web -o jsonpath='{.items[0].metadata.name}') 8080:8080 &
331 | ```
332 | 
333 | If everything up until now is working you should be able to load the Vistio UI  in your browser http://localhost:8080
334 | 
335 | ![vistio animation](images/vistio-animation.gif)
336 | 
337 | More details see [Vistio — Visualize your Istio Mesh Using Netflix’s Vizceral](https://itnext.io/vistio-visualize-your-istio-mesh-using-netflixs-vizceral-b075c402e18e).
338 | 
339 | ### Kiali
340 | 
341 | Kiali is a project to help observability for the Istio service mesh, see [https://kiali.io](https://kiali.io/).
342 | 
343 | Run the following commands in your local machine.
344 | 
345 | ```bash
346 | kubectl apply -n istio-system -f /vagrant/addon/kiali
347 | ```
348 | 
349 | Kiali web: http://172.17.8.101:32439
350 | 
351 | User/password: admin/admin
352 | 
353 | ![kiali](images/kiali.gif)
354 | 
355 | **Note**: Kiali use jaeger for tracing. Do not block the pop-up windows for kiali.
356 | 
357 | ### Weave scope
358 | 
359 | [Weave scope](https://github.com/weaveworks/scope) is a project for monitoring, visualisation & management for Docker & Kubernetes, see <https://www.weave.works/oss/scope/> 
360 | 
361 | Run the following commands in your local machine.
362 | 
363 | ```bash
364 | kubectl apply -f /vagrant/addon/weave-scope
365 | ```
366 | 
367 | Add a record on your local  `/etc/hosts`.
368 | 
369 | ```
370 | 172.17.8.102 scope.weave.jimmysong.io
371 | ```
372 | 
373 | Now open your browser on http://scope.weave.jimmysong.io/
374 | 
375 | ![Weave scope animation](images/weave-scope-animation.gif)
376 | 
377 | ## Operation
378 | 
379 | Except for special claim, execute the following commands under the current git repo's root directory.
380 | 
381 | ### Suspend
382 | 
383 | Suspend the current state of VMs.
384 | 
385 | ```bash
386 | vagrant suspend
387 | ```
388 | 
389 | ### Resume
390 | 
391 | Resume the last state of VMs.
392 | 
393 | ```bash
394 | vagrant resume
395 | ```
396 | 
397 | Note: every time you resume the VMs you will find that the machine time is still at you last time you suspended it. So consider to halt the VMs and restart them.
398 | 
399 | ### Restart
400 | 
401 | Halt the VMs and up them again.
402 | 
403 | ```bash
404 | vagrant halt
405 | vagrant up
406 | # login to node1
407 | vagrant ssh node1
408 | # run the prosivision scripts
409 | /vagrant/hack/k8s-init.sh
410 | exit
411 | # login to node2
412 | vagrant ssh node2
413 | # run the prosivision scripts
414 | /vagrant/hack/k8s-init.sh
415 | exit
416 | # login to node3
417 | vagrant ssh node3
418 | # run the prosivision scripts
419 | /vagrant/hack/k8s-init.sh
420 | sudo -i
421 | cd /vagrant/hack
422 | ./deploy-base-services.sh
423 | exit
424 | ```
425 | 
426 | Now you have provisioned the base kubernetes environments and you can login to kubernetes dashboard, run the following command at the root of this repo to get the admin token.
427 | 
428 | ```bash
429 | hack/get-dashboard-token.sh
430 | ```
431 | 
432 | Following the hint to login.
433 | 
434 | ### Clean
435 | 
436 | Clean up the VMs.
437 | 
438 | ```bash
439 | vagrant destroy
440 | rm -rf .vagrant
441 | ```
442 | 
443 | ### Note
444 | 
445 | Only use for development and test, don't use it in production environment.
446 | 
447 | ## Reference
448 | 
449 | * [Kubernetes Handbook - jimmysong.io](https://jimmysong.io/kubernetes-handbook/)
450 | * [duffqiu/centos-vagrant](https://github.com/duffqiu/centos-vagrant)
451 | * [coredns/deployment](https://github.com/coredns/deployment)
452 | * [kubernetes ipvs](https://github.com/kubernetes/kubernetes/tree/master/pkg/proxy/ipvs)
453 | * [Vistio — Visualize your Istio Mesh Using Netflix’s Vizceral](https://itnext.io/vistio-visualize-your-istio-mesh-using-netflixs-vizceral-b075c402e18e)
454 | 
455 | **Follow the [ServiceMesher community](http://www.servicemesher.com) on [twitter](https://twitter.com/servicemesher) to get more information about [Istio](https://istio.io) and service mesh.**
456 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | # on win10, you need `vagrant plugin install vagrant-vbguest --plugin-version 0.21` and change synced_folder.type="virtualbox"
 4 | # reference `https://www.dissmeyer.com/2020/02/11/issue-with-centos-7-vagrant-boxes-on-windows-10/`
 5 | 
 6 | 
 7 | Vagrant.configure("2") do |config|
 8 |   config.vm.box_check_update = false
 9 |   config.vm.provider 'virtualbox' do |vb|
10 |   vb.customize [ "guestproperty", "set", :id, "/VirtualBox/GuestAdd/VBoxService/--timesync-set-threshold", 1000 ]
11 |   end  
12 |   config.vm.synced_folder ".", "/vagrant", type: "virtualbox"
13 |   $num_instances = 3
14 |   # curl https://discovery.etcd.io/new?size=3
15 |   $etcd_cluster = "node1=http://172.17.8.101:2380"
16 |   (1..$num_instances).each do |i|
17 |     config.vm.define "node#{i}" do |node|
18 |       node.vm.box = "centos/7"
19 |       node.vbguest.installer_options = { allow_kernel_upgrade: true }
20 |       node.vm.box_version = "1804.02"
21 |       node.vm.hostname = "node#{i}"
22 |       ip = "172.17.8.#{i+100}"
23 |       node.vm.network "private_network", ip: ip
24 |       node.vm.provider "virtualbox" do |vb|
25 |         vb.memory = "3072"
26 |         vb.cpus = 1
27 |         vb.name = "node#{i}"
28 |       end
29 |       node.vm.provision "shell", path: "install.sh", args: [i, ip, $etcd_cluster]
30 |     end
31 |   end
32 | end
33 | 


--------------------------------------------------------------------------------
/addon/dashboard/kubernetes-dashboard.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright 2017 The Kubernetes Authors.
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | # Configuration to deploy release version of the Dashboard UI compatible with
 16 | # Kubernetes 1.8.
 17 | #
 18 | # Example usage: kubectl create -f <this_file>
 19 | 
 20 | # ------------------- Dashboard Secret ------------------- #
 21 | 
 22 | apiVersion: v1
 23 | kind: Secret
 24 | metadata:
 25 |   labels:
 26 |     k8s-app: kubernetes-dashboard
 27 |   name: kubernetes-dashboard-certs
 28 |   namespace: kube-system
 29 | type: Opaque
 30 | 
 31 | ---
 32 | # ------------------- Dashboard Service Account ------------------- #
 33 | 
 34 | apiVersion: v1
 35 | kind: ServiceAccount
 36 | metadata:
 37 |   labels:
 38 |     k8s-app: kubernetes-dashboard
 39 |   name: kubernetes-dashboard
 40 |   namespace: kube-system
 41 | 
 42 | ---
 43 | # ------------------- Dashboard Role & Role Binding ------------------- #
 44 | 
 45 | kind: Role
 46 | apiVersion: rbac.authorization.k8s.io/v1
 47 | metadata:
 48 |   name: kubernetes-dashboard-minimal
 49 |   namespace: kube-system
 50 | rules:
 51 |   # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 52 | - apiGroups: [""]
 53 |   resources: ["secrets"]
 54 |   verbs: ["create"]
 55 |   # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
 56 | - apiGroups: [""]
 57 |   resources: ["configmaps"]
 58 |   verbs: ["create"]
 59 |   # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 60 | - apiGroups: [""]
 61 |   resources: ["secrets"]
 62 |   resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
 63 |   verbs: ["get", "update", "delete"]
 64 |   # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
 65 | - apiGroups: [""]
 66 |   resources: ["configmaps"]
 67 |   resourceNames: ["kubernetes-dashboard-settings"]
 68 |   verbs: ["get", "update"]
 69 |   # Allow Dashboard to get metrics from heapster.
 70 | - apiGroups: [""]
 71 |   resources: ["services"]
 72 |   resourceNames: ["heapster"]
 73 |   verbs: ["proxy"]
 74 | - apiGroups: [""]
 75 |   resources: ["services/proxy"]
 76 |   resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
 77 |   verbs: ["get"]
 78 | 
 79 | ---
 80 | apiVersion: rbac.authorization.k8s.io/v1
 81 | kind: RoleBinding
 82 | metadata:
 83 |   name: kubernetes-dashboard-minimal
 84 |   namespace: kube-system
 85 | roleRef:
 86 |   apiGroup: rbac.authorization.k8s.io
 87 |   kind: Role
 88 |   name: kubernetes-dashboard-minimal
 89 | subjects:
 90 | - kind: ServiceAccount
 91 |   name: kubernetes-dashboard
 92 |   namespace: kube-system
 93 | 
 94 | ---
 95 | # ------------------- Dashboard Deployment ------------------- #
 96 | 
 97 | kind: Deployment
 98 | apiVersion: apps/v1
 99 | metadata:
100 |   labels:
101 |     k8s-app: kubernetes-dashboard
102 |   name: kubernetes-dashboard
103 |   namespace: kube-system
104 | spec:
105 |   replicas: 1
106 |   revisionHistoryLimit: 10
107 |   selector:
108 |     matchLabels:
109 |       k8s-app: kubernetes-dashboard
110 |   template:
111 |     metadata:
112 |       labels:
113 |         k8s-app: kubernetes-dashboard
114 |     spec:
115 |       hostNetwork: true
116 |       nodeSelector:
117 |         kubernetes.io/hostname: "node1"
118 |       containers:
119 |       - name: kubernetes-dashboard
120 |         image: registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.8.3
121 |         ports:
122 |         - containerPort: 8443
123 |           protocol: TCP
124 |           hostPort: 8443
125 |         args:
126 |           - --auto-generate-certificates
127 |           # Uncomment the following line to manually specify Kubernetes API server Host
128 |           # If not specified, Dashboard will attempt to auto discover the API server and connect
129 |           # to it. Uncomment only if the default does not work.
130 |           # - --apiserver-host=http://my-address:port
131 |         volumeMounts:
132 |         - name: kubernetes-dashboard-certs
133 |           mountPath: /certs
134 |           # Create on-disk volume to store exec logs
135 |         - mountPath: /tmp
136 |           name: tmp-volume
137 |         livenessProbe:
138 |           httpGet:
139 |             scheme: HTTPS
140 |             path: /
141 |             port: 8443
142 |           initialDelaySeconds: 30
143 |           timeoutSeconds: 30
144 |       volumes:
145 |       - name: kubernetes-dashboard-certs
146 |         secret:
147 |           secretName: kubernetes-dashboard-certs
148 |       - name: tmp-volume
149 |         emptyDir: {}
150 |       serviceAccountName: kubernetes-dashboard
151 |       # Comment the following tolerations if Dashboard must not be deployed on master
152 |       tolerations:
153 |       - key: node-role.kubernetes.io/master
154 |         effect: NoSchedule
155 | 
156 | ---
157 | # ------------------- Dashboard Service ------------------- #
158 | 
159 | kind: Service
160 | apiVersion: v1
161 | metadata:
162 |   labels:
163 |     k8s-app: kubernetes-dashboard
164 |   name: kubernetes-dashboard
165 |   namespace: kube-system
166 | spec:
167 |   type: NodePort
168 |   ports:
169 |     - port: 8443
170 |       targetPort: 8443
171 |       nodePort: 30000
172 |   selector:
173 |     k8s-app: kubernetes-dashboard
174 | 


--------------------------------------------------------------------------------
/addon/dns/coredns.yaml.sed:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: coredns
  5 |   namespace: kube-system
  6 | ---
  7 | apiVersion: rbac.authorization.k8s.io/v1
  8 | kind: ClusterRole
  9 | metadata:
 10 |   labels:
 11 |     kubernetes.io/bootstrapping: rbac-defaults
 12 |   name: system:coredns
 13 | rules:
 14 | - apiGroups:
 15 |   - ""
 16 |   resources:
 17 |   - endpoints
 18 |   - services
 19 |   - pods
 20 |   - namespaces
 21 |   verbs:
 22 |   - list
 23 |   - watch
 24 | ---
 25 | apiVersion: rbac.authorization.k8s.io/v1
 26 | kind: ClusterRoleBinding
 27 | metadata:
 28 |   annotations:
 29 |     rbac.authorization.kubernetes.io/autoupdate: "true"
 30 |   labels:
 31 |     kubernetes.io/bootstrapping: rbac-defaults
 32 |   name: system:coredns
 33 | roleRef:
 34 |   apiGroup: rbac.authorization.k8s.io
 35 |   kind: ClusterRole
 36 |   name: system:coredns
 37 | subjects:
 38 | - kind: ServiceAccount
 39 |   name: coredns
 40 |   namespace: kube-system
 41 | ---
 42 | apiVersion: v1
 43 | kind: ConfigMap
 44 | metadata:
 45 |   name: coredns
 46 |   namespace: kube-system
 47 | data:
 48 |   Corefile: |
 49 |     .:53 {
 50 |         errors
 51 |         health
 52 |         kubernetes CLUSTER_DOMAIN REVERSE_CIDRS {
 53 |           pods insecure
 54 |           upstream
 55 |           fallthrough in-addr.arpa ip6.arpa
 56 |         }
 57 |         prometheus :9153
 58 |         proxy . /etc/resolv.conf
 59 |         cache 30
 60 |         reload
 61 |         loadbalance
 62 |     }
 63 | ---
 64 | apiVersion: apps/v1
 65 | kind: Deployment
 66 | metadata:
 67 |   name: coredns
 68 |   namespace: kube-system
 69 |   labels:
 70 |     k8s-app: kube-dns
 71 |     kubernetes.io/name: "CoreDNS"
 72 | spec:
 73 |   replicas: 2
 74 |   strategy:
 75 |     type: RollingUpdate
 76 |     rollingUpdate:
 77 |       maxUnavailable: 1
 78 |   selector:
 79 |     matchLabels:
 80 |       k8s-app: kube-dns
 81 |   template:
 82 |     metadata:
 83 |       labels:
 84 |         k8s-app: kube-dns
 85 |     spec:
 86 |       serviceAccountName: coredns
 87 |       tolerations:
 88 |         - key: "CriticalAddonsOnly"
 89 |           operator: "Exists"
 90 |       containers:
 91 |       - name: coredns
 92 |         image: coredns/coredns:1.2.0
 93 |         imagePullPolicy: IfNotPresent
 94 |         args: [ "-conf", "/etc/coredns/Corefile" ]
 95 |         volumeMounts:
 96 |         - name: config-volume
 97 |           mountPath: /etc/coredns
 98 |           readOnly: true
 99 |         ports:
100 |         - containerPort: 53
101 |           name: dns
102 |           protocol: UDP
103 |         - containerPort: 53
104 |           name: dns-tcp
105 |           protocol: TCP
106 |         - containerPort: 9153
107 |           name: metrics
108 |           protocol: TCP
109 |         livenessProbe:
110 |           httpGet:
111 |             path: /health
112 |             port: 8080
113 |             scheme: HTTP
114 |           initialDelaySeconds: 60
115 |           timeoutSeconds: 5
116 |           successThreshold: 1
117 |           failureThreshold: 5
118 |       dnsPolicy: Default
119 |       volumes:
120 |         - name: config-volume
121 |           configMap:
122 |             name: coredns
123 |             items:
124 |             - key: Corefile
125 |               path: Corefile
126 | ---
127 | apiVersion: v1
128 | kind: Service
129 | metadata:
130 |   name: kube-dns
131 |   namespace: kube-system
132 |   annotations:
133 |     prometheus.io/port: "9153"
134 |     prometheus.io/scrape: "true"
135 |   labels:
136 |     k8s-app: kube-dns
137 |     kubernetes.io/cluster-service: "true"
138 |     kubernetes.io/name: "CoreDNS"
139 | spec:
140 |   selector:
141 |     k8s-app: kube-dns
142 |   clusterIP: CLUSTER_DNS_IP
143 |   ports:
144 |   - name: dns
145 |     port: 53
146 |     protocol: UDP
147 |   - name: dns-tcp
148 |     port: 53
149 |     protocol: TCP
150 | 


--------------------------------------------------------------------------------
/addon/dns/dns-deploy.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Deploys CoreDNS to a cluster currently running Kube-DNS.
 4 | 
 5 | show_help () {
 6 | cat << USAGE
 7 | usage: $0 [ -r REVERSE-CIDR ] [ -i DNS-IP ] [ -d CLUSTER-DOMAIN ] [ -t YAML-TEMPLATE ]
 8 |     -r : Define a reverse zone for the given CIDR. You may specifcy this option more
 9 |          than once to add multiple reverse zones. If no reverse CIDRs are defined,
10 |          then the default is to handle all reverse zones (i.e. in-addr.arpa and ip6.arpa)
11 |     -i : Specify the cluster DNS IP address. If not specificed, the IP address of
12 |          the existing "kube-dns" service is used, if present.
13 | USAGE
14 | exit 0
15 | }
16 | 
17 | # Simple Defaults
18 | CLUSTER_DOMAIN=cluster.local
19 | YAML_TEMPLATE=`pwd`/coredns.yaml.sed
20 | 
21 | 
22 | # Get Opts
23 | while getopts "hr:i:d:t:" opt; do
24 |     case "$opt" in
25 |     h)  show_help
26 |         ;;
27 |     r)  REVERSE_CIDRS="$REVERSE_CIDRS $OPTARG"
28 |         ;;
29 |     i)  CLUSTER_DNS_IP=$OPTARG
30 |         ;;
31 |     d)  CLUSTER_DOMAIN=$OPTARG
32 |         ;;
33 |     t)  YAML_TEMPLATE=$OPTARG
34 |         ;;
35 |     esac
36 | done
37 | 
38 | # Conditional Defaults
39 | if [[ -z $REVERSE_CIDRS ]]; then
40 |   REVERSE_CIDRS="in-addr.arpa ip6.arpa"
41 | fi
42 | if [[ -z $CLUSTER_DNS_IP ]]; then
43 |   # Default IP to kube-dns IP
44 |   CLUSTER_DNS_IP=$(kubectl get service --namespace kube-system kube-dns -o jsonpath="{.spec.clusterIP}")
45 |   if [ $? -ne 0 ]; then
46 |       >&2 echo "Error! The IP address for DNS service couldn't be determined automatically. Please specify the DNS-IP with the '-i' option."
47 |       exit 2
48 |   fi
49 | fi
50 | 
51 | sed -e s/CLUSTER_DNS_IP/$CLUSTER_DNS_IP/g -e s/CLUSTER_DOMAIN/$CLUSTER_DOMAIN/g -e "s?REVERSE_CIDRS?$REVERSE_CIDRS?g" $YAML_TEMPLATE
52 | 


--------------------------------------------------------------------------------
/addon/efk/es-service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: elasticsearch-logging
 5 |   namespace: kube-system
 6 |   labels:
 7 |     k8s-app: elasticsearch-logging
 8 |     kubernetes.io/cluster-service: "true"
 9 |     addonmanager.kubernetes.io/mode: Reconcile
10 |     kubernetes.io/name: "Elasticsearch"
11 | spec:
12 |   ports:
13 |   - port: 9200
14 |     protocol: TCP
15 |     targetPort: db
16 |   selector:
17 |     k8s-app: elasticsearch-logging
18 | 


--------------------------------------------------------------------------------
/addon/efk/es-statefulset.yaml:
--------------------------------------------------------------------------------
  1 | # RBAC authn and authz
  2 | apiVersion: v1
  3 | kind: ServiceAccount
  4 | metadata:
  5 |   name: elasticsearch-logging
  6 |   namespace: kube-system
  7 |   labels:
  8 |     k8s-app: elasticsearch-logging
  9 |     kubernetes.io/cluster-service: "true"
 10 |     addonmanager.kubernetes.io/mode: Reconcile
 11 | ---
 12 | kind: ClusterRole
 13 | apiVersion: rbac.authorization.k8s.io/v1
 14 | metadata:
 15 |   name: elasticsearch-logging
 16 |   labels:
 17 |     k8s-app: elasticsearch-logging
 18 |     kubernetes.io/cluster-service: "true"
 19 |     addonmanager.kubernetes.io/mode: Reconcile
 20 | rules:
 21 | - apiGroups:
 22 |   - ""
 23 |   resources:
 24 |   - "services"
 25 |   - "namespaces"
 26 |   - "endpoints"
 27 |   verbs:
 28 |   - "get"
 29 | ---
 30 | kind: ClusterRoleBinding
 31 | apiVersion: rbac.authorization.k8s.io/v1
 32 | metadata:
 33 |   namespace: kube-system
 34 |   name: elasticsearch-logging
 35 |   labels:
 36 |     k8s-app: elasticsearch-logging
 37 |     kubernetes.io/cluster-service: "true"
 38 |     addonmanager.kubernetes.io/mode: Reconcile
 39 | subjects:
 40 | - kind: ServiceAccount
 41 |   name: elasticsearch-logging
 42 |   namespace: kube-system
 43 |   apiGroup: ""
 44 | roleRef:
 45 |   kind: ClusterRole
 46 |   name: elasticsearch-logging
 47 |   apiGroup: ""
 48 | ---
 49 | # Elasticsearch deployment itself
 50 | apiVersion: apps/v1
 51 | kind: StatefulSet
 52 | metadata:
 53 |   name: elasticsearch-logging
 54 |   namespace: kube-system
 55 |   labels:
 56 |     k8s-app: elasticsearch-logging
 57 |     version: v5.6.4
 58 |     kubernetes.io/cluster-service: "true"
 59 |     addonmanager.kubernetes.io/mode: Reconcile
 60 | spec:
 61 |   serviceName: elasticsearch-logging
 62 |   replicas: 2
 63 |   selector:
 64 |     matchLabels:
 65 |       k8s-app: elasticsearch-logging
 66 |       version: v5.6.4
 67 |   template:
 68 |     metadata:
 69 |       labels:
 70 |         k8s-app: elasticsearch-logging
 71 |         version: v5.6.4
 72 |         kubernetes.io/cluster-service: "true"
 73 |     spec:
 74 |       serviceAccountName: elasticsearch-logging
 75 |       containers:
 76 |       - image: jimmysong/elasticsearch:v5.6.4
 77 |         name: elasticsearch-logging
 78 |         resources:
 79 |           # need more cpu upon initialization, therefore burstable class
 80 |           limits:
 81 |             cpu: 1000m
 82 |           requests:
 83 |             cpu: 100m
 84 |         ports:
 85 |         - containerPort: 9200
 86 |           name: db
 87 |           protocol: TCP
 88 |         - containerPort: 9300
 89 |           name: transport
 90 |           protocol: TCP
 91 |         volumeMounts:
 92 |         - name: elasticsearch-logging
 93 |           mountPath: /data
 94 |         env:
 95 |         - name: "NAMESPACE"
 96 |           valueFrom:
 97 |             fieldRef:
 98 |               fieldPath: metadata.namespace
 99 |       volumes:
100 |       - name: elasticsearch-logging
101 |         emptyDir: {}
102 |       # Elasticsearch requires vm.max_map_count to be at least 262144.
103 |       # If your OS already sets up this number to a higher value, feel free
104 |       # to remove this init container.
105 |       initContainers:
106 |       - image: alpine:3.6
107 |         command: ["/sbin/sysctl", "-w", "vm.max_map_count=262144"]
108 |         name: elasticsearch-logging-init
109 |         securityContext:
110 |           privileged: true
111 | 


--------------------------------------------------------------------------------
/addon/efk/fluentd-es-configmap.yaml:
--------------------------------------------------------------------------------
  1 | kind: ConfigMap
  2 | apiVersion: v1
  3 | metadata:
  4 |   name: fluentd-es-config-v0.1.3
  5 |   namespace: kube-system
  6 |   labels:
  7 |     addonmanager.kubernetes.io/mode: Reconcile
  8 | data:
  9 |   system.conf: |-
 10 |     <system>
 11 |       root_dir /tmp/fluentd-buffers/
 12 |     </system>
 13 | 
 14 |   containers.input.conf: |-
 15 |     # This configuration file for Fluentd / td-agent is used
 16 |     # to watch changes to Docker log files. The kubelet creates symlinks that
 17 |     # capture the pod name, namespace, container name & Docker container ID
 18 |     # to the docker logs for pods in the /var/log/containers directory on the host.
 19 |     # If running this fluentd configuration in a Docker container, the /var/log
 20 |     # directory should be mounted in the container.
 21 |     #
 22 |     # These logs are then submitted to Elasticsearch which assumes the
 23 |     # installation of the fluent-plugin-elasticsearch & the
 24 |     # fluent-plugin-kubernetes_metadata_filter plugins.
 25 |     # See https://github.com/uken/fluent-plugin-elasticsearch &
 26 |     # https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter for
 27 |     # more information about the plugins.
 28 |     #
 29 |     # Example
 30 |     # =======
 31 |     # A line in the Docker log file might look like this JSON:
 32 |     #
 33 |     # {"log":"2014/09/25 21:15:03 Got request with path wombat\n",
 34 |     #  "stream":"stderr",
 35 |     #   "time":"2014-09-25T21:15:03.499185026Z"}
 36 |     #
 37 |     # The time_format specification below makes sure we properly
 38 |     # parse the time format produced by Docker. This will be
 39 |     # submitted to Elasticsearch and should appear like:
 40 |     # $ curl 'http://elasticsearch-logging:9200/_search?pretty'
 41 |     # ...
 42 |     # {
 43 |     #      "_index" : "logstash-2014.09.25",
 44 |     #      "_type" : "fluentd",
 45 |     #      "_id" : "VBrbor2QTuGpsQyTCdfzqA",
 46 |     #      "_score" : 1.0,
 47 |     #      "_source":{"log":"2014/09/25 22:45:50 Got request with path wombat\n",
 48 |     #                 "stream":"stderr","tag":"docker.container.all",
 49 |     #                 "@timestamp":"2014-09-25T22:45:50+00:00"}
 50 |     #    },
 51 |     # ...
 52 |     #
 53 |     # The Kubernetes fluentd plugin is used to write the Kubernetes metadata to the log
 54 |     # record & add labels to the log record if properly configured. This enables users
 55 |     # to filter & search logs on any metadata.
 56 |     # For example a Docker container's logs might be in the directory:
 57 |     #
 58 |     #  /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b
 59 |     #
 60 |     # and in the file:
 61 |     #
 62 |     #  997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
 63 |     #
 64 |     # where 997599971ee6... is the Docker ID of the running container.
 65 |     # The Kubernetes kubelet makes a symbolic link to this file on the host machine
 66 |     # in the /var/log/containers directory which includes the pod name and the Kubernetes
 67 |     # container name:
 68 |     #
 69 |     #    synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
 70 |     #    ->
 71 |     #    /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
 72 |     #
 73 |     # The /var/log directory on the host is mapped to the /var/log directory in the container
 74 |     # running this instance of Fluentd and we end up collecting the file:
 75 |     #
 76 |     #   /var/log/containers/synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
 77 |     #
 78 |     # This results in the tag:
 79 |     #
 80 |     #  var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
 81 |     #
 82 |     # The Kubernetes fluentd plugin is used to extract the namespace, pod name & container name
 83 |     # which are added to the log message as a kubernetes field object & the Docker container ID
 84 |     # is also added under the docker field object.
 85 |     # The final tag is:
 86 |     #
 87 |     #   kubernetes.var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
 88 |     #
 89 |     # And the final log record look like:
 90 |     #
 91 |     # {
 92 |     #   "log":"2014/09/25 21:15:03 Got request with path wombat\n",
 93 |     #   "stream":"stderr",
 94 |     #   "time":"2014-09-25T21:15:03.499185026Z",
 95 |     #   "kubernetes": {
 96 |     #     "namespace": "default",
 97 |     #     "pod_name": "synthetic-logger-0.25lps-pod",
 98 |     #     "container_name": "synth-lgr"
 99 |     #   },
100 |     #   "docker": {
101 |     #     "container_id": "997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b"
102 |     #   }
103 |     # }
104 |     #
105 |     # This makes it easier for users to search for logs by pod name or by
106 |     # the name of the Kubernetes container regardless of how many times the
107 |     # Kubernetes pod has been restarted (resulting in a several Docker container IDs).
108 | 
109 |     # Json Log Example:
110 |     # {"log":"[info:2016-02-16T16:04:05.930-08:00] Some log text here\n","stream":"stdout","time":"2016-02-17T00:04:05.931087621Z"}
111 |     # CRI Log Example:
112 |     # 2016-02-17T00:04:05.931087621Z stdout F [info:2016-02-16T16:04:05.930-08:00] Some log text here
113 |     <source>
114 |       @id fluentd-containers.log
115 |       @type tail
116 |       path /var/log/containers/*.log
117 |       pos_file /var/log/es-containers.log.pos
118 |       time_format %Y-%m-%dT%H:%M:%S.%NZ
119 |       tag raw.kubernetes.*
120 |       format json
121 |       read_from_head true
122 |     </source>
123 | 
124 |     # Detect exceptions in the log output and forward them as one log entry.
125 |     <match raw.kubernetes.**>
126 |       @id raw.kubernetes
127 |       @type detect_exceptions
128 |       remove_tag_prefix raw
129 |       message log
130 |       stream stream
131 |       multiline_flush_interval 5
132 |       max_bytes 500000
133 |       max_lines 1000
134 |     </match>
135 | 
136 |   system.input.conf: |-
137 |     # Example:
138 |     # 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
139 |     <source>
140 |       @id minion
141 |       @type tail
142 |       format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
143 |       time_format %Y-%m-%d %H:%M:%S
144 |       path /var/log/salt/minion
145 |       pos_file /var/log/salt.pos
146 |       tag salt
147 |     </source>
148 | 
149 |     # Example:
150 |     # Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
151 |     <source>
152 |       @id startupscript.log
153 |       @type tail
154 |       format syslog
155 |       path /var/log/startupscript.log
156 |       pos_file /var/log/es-startupscript.log.pos
157 |       tag startupscript
158 |     </source>
159 | 
160 |     # Examples:
161 |     # time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
162 |     # time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
163 |     <source>
164 |       @id docker.log
165 |       @type tail
166 |       format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
167 |       path /var/log/docker.log
168 |       pos_file /var/log/es-docker.log.pos
169 |       tag docker
170 |     </source>
171 | 
172 |     # Example:
173 |     # 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
174 |     <source>
175 |       @id etcd.log
176 |       @type tail
177 |       # Not parsing this, because it doesn't have anything particularly useful to
178 |       # parse out of it (like severities).
179 |       format none
180 |       path /var/log/etcd.log
181 |       pos_file /var/log/es-etcd.log.pos
182 |       tag etcd
183 |     </source>
184 | 
185 |     # Multi-line parsing is required for all the kube logs because very large log
186 |     # statements, such as those that include entire object bodies, get split into
187 |     # multiple lines by glog.
188 | 
189 |     # Example:
190 |     # I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
191 |     <source>
192 |       @id kubelet.log
193 |       @type tail
194 |       format multiline
195 |       multiline_flush_interval 5s
196 |       format_firstline /^\w\d{4}/
197 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
198 |       time_format %m%d %H:%M:%S.%N
199 |       path /var/log/kubelet.log
200 |       pos_file /var/log/es-kubelet.log.pos
201 |       tag kubelet
202 |     </source>
203 | 
204 |     # Example:
205 |     # I1118 21:26:53.975789       6 proxier.go:1096] Port "nodePort for kube-system/default-http-backend:http" (:31429/tcp) was open before and is still needed
206 |     <source>
207 |       @id kube-proxy.log
208 |       @type tail
209 |       format multiline
210 |       multiline_flush_interval 5s
211 |       format_firstline /^\w\d{4}/
212 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
213 |       time_format %m%d %H:%M:%S.%N
214 |       path /var/log/kube-proxy.log
215 |       pos_file /var/log/es-kube-proxy.log.pos
216 |       tag kube-proxy
217 |     </source>
218 | 
219 |     # Example:
220 |     # I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
221 |     <source>
222 |       @id kube-apiserver.log
223 |       @type tail
224 |       format multiline
225 |       multiline_flush_interval 5s
226 |       format_firstline /^\w\d{4}/
227 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
228 |       time_format %m%d %H:%M:%S.%N
229 |       path /var/log/kube-apiserver.log
230 |       pos_file /var/log/es-kube-apiserver.log.pos
231 |       tag kube-apiserver
232 |     </source>
233 | 
234 |     # Example:
235 |     # I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
236 |     <source>
237 |       @id kube-controller-manager.log
238 |       @type tail
239 |       format multiline
240 |       multiline_flush_interval 5s
241 |       format_firstline /^\w\d{4}/
242 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
243 |       time_format %m%d %H:%M:%S.%N
244 |       path /var/log/kube-controller-manager.log
245 |       pos_file /var/log/es-kube-controller-manager.log.pos
246 |       tag kube-controller-manager
247 |     </source>
248 | 
249 |     # Example:
250 |     # W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
251 |     <source>
252 |       @id kube-scheduler.log
253 |       @type tail
254 |       format multiline
255 |       multiline_flush_interval 5s
256 |       format_firstline /^\w\d{4}/
257 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
258 |       time_format %m%d %H:%M:%S.%N
259 |       path /var/log/kube-scheduler.log
260 |       pos_file /var/log/es-kube-scheduler.log.pos
261 |       tag kube-scheduler
262 |     </source>
263 | 
264 |     # Example:
265 |     # I1104 10:36:20.242766       5 rescheduler.go:73] Running Rescheduler
266 |     <source>
267 |       @id rescheduler.log
268 |       @type tail
269 |       format multiline
270 |       multiline_flush_interval 5s
271 |       format_firstline /^\w\d{4}/
272 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
273 |       time_format %m%d %H:%M:%S.%N
274 |       path /var/log/rescheduler.log
275 |       pos_file /var/log/es-rescheduler.log.pos
276 |       tag rescheduler
277 |     </source>
278 | 
279 |     # Example:
280 |     # I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
281 |     <source>
282 |       @id glbc.log
283 |       @type tail
284 |       format multiline
285 |       multiline_flush_interval 5s
286 |       format_firstline /^\w\d{4}/
287 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
288 |       time_format %m%d %H:%M:%S.%N
289 |       path /var/log/glbc.log
290 |       pos_file /var/log/es-glbc.log.pos
291 |       tag glbc
292 |     </source>
293 | 
294 |     # Example:
295 |     # I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
296 |     <source>
297 |       @id cluster-autoscaler.log
298 |       @type tail
299 |       format multiline
300 |       multiline_flush_interval 5s
301 |       format_firstline /^\w\d{4}/
302 |       format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
303 |       time_format %m%d %H:%M:%S.%N
304 |       path /var/log/cluster-autoscaler.log
305 |       pos_file /var/log/es-cluster-autoscaler.log.pos
306 |       tag cluster-autoscaler
307 |     </source>
308 | 
309 |     # Logs from systemd-journal for interesting services.
310 |     <source>
311 |       @id journald-docker
312 |       @type systemd
313 |       filters [{ "_SYSTEMD_UNIT": "docker.service" }]
314 |       <storage>
315 |         @type local
316 |         persistent true
317 |       </storage>
318 |       read_from_head true
319 |       tag docker
320 |     </source>
321 | 
322 |     <source>
323 |       @id journald-kubelet
324 |       @type systemd
325 |       filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
326 |       <storage>
327 |         @type local
328 |         persistent true
329 |       </storage>
330 |       read_from_head true
331 |       tag kubelet
332 |     </source>
333 | 
334 |     <source>
335 |       @id journald-node-problem-detector
336 |       @type systemd
337 |       filters [{ "_SYSTEMD_UNIT": "node-problem-detector.service" }]
338 |       <storage>
339 |         @type local
340 |         persistent true
341 |       </storage>
342 |       read_from_head true
343 |       tag node-problem-detector
344 |     </source>
345 | 
346 |   forward.input.conf: |-
347 |     # Takes the messages sent over TCP
348 |     <source>
349 |       @type forward
350 |     </source>
351 | 
352 |   monitoring.conf: |-
353 |     # Prometheus Exporter Plugin
354 |     # input plugin that exports metrics
355 |     <source>
356 |       @type prometheus
357 |     </source>
358 | 
359 |     <source>
360 |       @type monitor_agent
361 |     </source>
362 | 
363 |     # input plugin that collects metrics from MonitorAgent
364 |     <source>
365 |       @type prometheus_monitor
366 |       <labels>
367 |         host ${hostname}
368 |       </labels>
369 |     </source>
370 | 
371 |     # input plugin that collects metrics for output plugin
372 |     <source>
373 |       @type prometheus_output_monitor
374 |       <labels>
375 |         host ${hostname}
376 |       </labels>
377 |     </source>
378 | 
379 |     # input plugin that collects metrics for in_tail plugin
380 |     <source>
381 |       @type prometheus_tail_monitor
382 |       <labels>
383 |         host ${hostname}
384 |       </labels>
385 |     </source>
386 | 
387 |   output.conf: |-
388 |     # Enriches records with Kubernetes metadata
389 |     <filter kubernetes.**>
390 |       @type kubernetes_metadata
391 |     </filter>
392 | 
393 |     <match **>
394 |       @id elasticsearch
395 |       @type elasticsearch
396 |       @log_level info
397 |       include_tag_key true
398 |       host elasticsearch-logging
399 |       port 9200
400 |       logstash_format true
401 |       <buffer>
402 |         @type file
403 |         path /var/log/fluentd-buffers/kubernetes.system.buffer
404 |         flush_mode interval
405 |         retry_type exponential_backoff
406 |         flush_thread_count 2
407 |         flush_interval 5s
408 |         retry_forever
409 |         retry_max_interval 30
410 |         chunk_limit_size 2M
411 |         queue_limit_length 8
412 |         overflow_action block
413 |       </buffer>
414 |     </match>
415 | 


--------------------------------------------------------------------------------
/addon/efk/fluentd-es-ds.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: fluentd-es
  5 |   namespace: kube-system
  6 |   labels:
  7 |     k8s-app: fluentd-es
  8 |     kubernetes.io/cluster-service: "true"
  9 |     addonmanager.kubernetes.io/mode: Reconcile
 10 | ---
 11 | kind: ClusterRole
 12 | apiVersion: rbac.authorization.k8s.io/v1
 13 | metadata:
 14 |   name: fluentd-es
 15 |   labels:
 16 |     k8s-app: fluentd-es
 17 |     kubernetes.io/cluster-service: "true"
 18 |     addonmanager.kubernetes.io/mode: Reconcile
 19 | rules:
 20 | - apiGroups:
 21 |   - ""
 22 |   resources:
 23 |   - "namespaces"
 24 |   - "pods"
 25 |   verbs:
 26 |   - "get"
 27 |   - "watch"
 28 |   - "list"
 29 | ---
 30 | kind: ClusterRoleBinding
 31 | apiVersion: rbac.authorization.k8s.io/v1
 32 | metadata:
 33 |   name: fluentd-es
 34 |   labels:
 35 |     k8s-app: fluentd-es
 36 |     kubernetes.io/cluster-service: "true"
 37 |     addonmanager.kubernetes.io/mode: Reconcile
 38 | subjects:
 39 | - kind: ServiceAccount
 40 |   name: fluentd-es
 41 |   namespace: kube-system
 42 |   apiGroup: ""
 43 | roleRef:
 44 |   kind: ClusterRole
 45 |   name: fluentd-es
 46 |   apiGroup: ""
 47 | ---
 48 | apiVersion: apps/v1
 49 | kind: DaemonSet
 50 | metadata:
 51 |   name: fluentd-es-v2.0.4
 52 |   namespace: kube-system
 53 |   labels:
 54 |     k8s-app: fluentd-es
 55 |     version: v2.0.4
 56 |     kubernetes.io/cluster-service: "true"
 57 |     addonmanager.kubernetes.io/mode: Reconcile
 58 | spec:
 59 |   selector:
 60 |     matchLabels:
 61 |       k8s-app: fluentd-es
 62 |       version: v2.0.4
 63 |   template:
 64 |     metadata:
 65 |       labels:
 66 |         k8s-app: fluentd-es
 67 |         kubernetes.io/cluster-service: "true"
 68 |         version: v2.0.4
 69 |       # This annotation ensures that fluentd does not get evicted if the node
 70 |       # supports critical pod annotation based priority scheme.
 71 |       # Note that this does not guarantee admission on the nodes (#40573).
 72 |       annotations:
 73 |         scheduler.alpha.kubernetes.io/critical-pod: ''
 74 |     spec:
 75 |       serviceAccountName: fluentd-es
 76 |       containers:
 77 |       - name: fluentd-es
 78 |         image: jimmysong/fluentd-elasticsearch:v2.0.3
 79 |         env:
 80 |         - name: FLUENTD_ARGS
 81 |           value: --no-supervisor -q
 82 |         resources:
 83 |           limits:
 84 |             memory: 500Mi
 85 |           requests:
 86 |             cpu: 100m
 87 |             memory: 200Mi
 88 |         volumeMounts:
 89 |         - name: varlog
 90 |           mountPath: /var/log
 91 |         - name: varlibdockercontainers
 92 |           mountPath: /var/lib/docker/containers
 93 |           readOnly: true
 94 |         - name: libsystemddir
 95 |           mountPath: /host/lib
 96 |           readOnly: true
 97 |         - name: config-volume
 98 |           mountPath: /etc/fluent/config.d
 99 |       nodeSelector:
100 |         beta.kubernetes.io/fluentd-ds-ready: "true"
101 |       terminationGracePeriodSeconds: 30
102 |       volumes:
103 |       - name: varlog
104 |         hostPath:
105 |           path: /var/log
106 |       - name: varlibdockercontainers
107 |         hostPath:
108 |           path: /var/lib/docker/containers
109 |       # It is needed to copy systemd library to decompress journals
110 |       - name: libsystemddir
111 |         hostPath:
112 |           path: /usr/lib64
113 |       - name: config-volume
114 |         configMap:
115 |           name: fluentd-es-config-v0.1.3
116 | 


--------------------------------------------------------------------------------
/addon/efk/kibana-deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: kibana-logging
 5 |   namespace: kube-system
 6 |   labels:
 7 |     k8s-app: kibana-logging
 8 |     kubernetes.io/cluster-service: "true"
 9 |     addonmanager.kubernetes.io/mode: Reconcile
10 | spec:
11 |   replicas: 1
12 |   selector:
13 |     matchLabels:
14 |       k8s-app: kibana-logging
15 |   template:
16 |     metadata:
17 |       labels:
18 |         k8s-app: kibana-logging
19 |     spec:
20 |       containers:
21 |       - name: kibana-logging
22 |         #image: jimmysong/kibana:5.6.4
23 |         image: trojany/kibana:5.6.4
24 |         resources:
25 |           # need more cpu upon initialization, therefore burstable class
26 |           limits:
27 |             cpu: 1000m
28 |           requests:
29 |             cpu: 100m
30 |         env:
31 |           - name: ELASTICSEARCH_URL
32 |             value: http://elasticsearch-logging:9200
33 |           - name: SERVER_BASEPATH
34 |             value: /api/v1/proxy/namespaces/kube-system/services/kibana-logging
35 |           - name: XPACK_MONITORING_ENABLED
36 |             value: "false"
37 |           - name: XPACK_SECURITY_ENABLED
38 |             value: "false"
39 |         ports:
40 |         - containerPort: 5601
41 |           name: ui
42 |           protocol: TCP
43 | 


--------------------------------------------------------------------------------
/addon/efk/kibana-service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: kibana-logging
 5 |   namespace: kube-system
 6 |   labels:
 7 |     k8s-app: kibana-logging
 8 |     kubernetes.io/cluster-service: "true"
 9 |     addonmanager.kubernetes.io/mode: Reconcile
10 |     kubernetes.io/name: "Kibana"
11 | spec:
12 |   ports:
13 |   - port: 5601
14 |     protocol: TCP
15 |     targetPort: ui
16 |   selector:
17 |     k8s-app: kibana-logging
18 |   type: NodePort
19 | 


--------------------------------------------------------------------------------
/addon/heapster/grafana-service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: monitoring-grafana
 5 |   namespace: kube-system
 6 |   labels:
 7 |     kubernetes.io/cluster-service: "true"
 8 |     addonmanager.kubernetes.io/mode: Reconcile
 9 |     kubernetes.io/name: "Grafana"
10 | spec:
11 |   # On production clusters, consider setting up auth for grafana, and
12 |   # exposing Grafana either using a LoadBalancer or a public IP.
13 |   # type: LoadBalancer
14 |   ports:
15 |     - port: 3000
16 |       protocol: TCP
17 |       targetPort: ui
18 |       nodePort: 30001
19 |   selector:
20 |     k8s-app: influxGrafana
21 |   type: NodePort
22 | 


--------------------------------------------------------------------------------
/addon/heapster/heapster-controller.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: heapster
  5 |   namespace: kube-system
  6 |   labels:
  7 |     kubernetes.io/cluster-service: "true"
  8 |     addonmanager.kubernetes.io/mode: Reconcile
  9 | ---
 10 | kind: ClusterRoleBinding
 11 | apiVersion: rbac.authorization.k8s.io/v1beta1
 12 | metadata:
 13 |   name: heapster
 14 | subjects:
 15 |   - kind: ServiceAccount
 16 |     name: heapster
 17 |     namespace: kube-system
 18 | roleRef:
 19 |   kind: ClusterRole
 20 |   name: cluster-admin
 21 |   apiGroup: rbac.authorization.k8s.io
 22 | ---
 23 | apiVersion: v1
 24 | kind: ConfigMap
 25 | metadata:
 26 |   name: heapster-config
 27 |   namespace: kube-system
 28 |   labels:
 29 |     kubernetes.io/cluster-service: "true"
 30 |     addonmanager.kubernetes.io/mode: EnsureExists
 31 | data:
 32 |   NannyConfiguration: |-
 33 |     apiVersion: nannyconfig/v1alpha1
 34 |     kind: NannyConfiguration
 35 | ---
 36 | apiVersion: v1
 37 | kind: ConfigMap
 38 | metadata:
 39 |   name: eventer-config
 40 |   namespace: kube-system
 41 |   labels:
 42 |     kubernetes.io/cluster-service: "true"
 43 |     addonmanager.kubernetes.io/mode: EnsureExists
 44 | data:
 45 |   NannyConfiguration: |-
 46 |     apiVersion: nannyconfig/v1alpha1
 47 |     kind: NannyConfiguration
 48 | ---
 49 | apiVersion: apps/v1
 50 | kind: Deployment
 51 | metadata:
 52 |   name: heapster-v1.5.0
 53 |   namespace: kube-system
 54 |   labels:
 55 |     k8s-app: heapster
 56 |     kubernetes.io/cluster-service: "true"
 57 |     addonmanager.kubernetes.io/mode: Reconcile
 58 |     version: v1.5.0
 59 | spec:
 60 |   replicas: 1
 61 |   selector:
 62 |     matchLabels:
 63 |       k8s-app: heapster
 64 |       version: v1.5.0
 65 |   template:
 66 |     metadata:
 67 |       labels:
 68 |         k8s-app: heapster
 69 |         version: v1.5.0
 70 |       annotations:
 71 |         scheduler.alpha.kubernetes.io/critical-pod: ''
 72 |     spec:
 73 |       containers:
 74 |         - image: jimmysong/heapster-amd64:v1.5.3
 75 |           name: heapster
 76 |           livenessProbe:
 77 |             httpGet:
 78 |               path: /healthz
 79 |               port: 8082
 80 |               scheme: HTTP
 81 |             initialDelaySeconds: 180
 82 |             timeoutSeconds: 5
 83 |           command:
 84 |             - /heapster
 85 |             - --source=kubernetes.summary_api:''
 86 |             - --sink=influxdb:http://monitoring-influxdb:8086
 87 |         - image: jimmysong/heapster-amd64:v1.5.3
 88 |           name: eventer
 89 |           command:
 90 |             - /eventer
 91 |             - --source=kubernetes:''
 92 |             - --sink=influxdb:http://monitoring-influxdb:8086
 93 |         - image: jimmysong/addon-resizer:1.8.2
 94 |           name: heapster-nanny
 95 |           resources:
 96 |             limits:
 97 |               cpu: 50m
 98 |               memory: 90Mi
 99 |             requests:
100 |               cpu: 50m
101 |               memory: 90Mi
102 |           env:
103 |             - name: MY_POD_NAME
104 |               valueFrom:
105 |                 fieldRef:
106 |                   fieldPath: metadata.name
107 |             - name: MY_POD_NAMESPACE
108 |               valueFrom:
109 |                 fieldRef:
110 |                   fieldPath: metadata.namespace
111 |           volumeMounts:
112 |           - name: heapster-config-volume
113 |             mountPath: /etc/config
114 |           command:
115 |             - /pod_nanny
116 |             - --config-dir=/etc/config
117 |             - --cpu=80m
118 |             - --extra-cpu=0.5m
119 |             - --memory=140Mi
120 |             - --extra-memory=4Mi
121 |             - --threshold=5
122 |             - --deployment=heapster-v1.5.0
123 |             - --container=heapster
124 |             - --poll-period=300000
125 |             - --estimator=exponential
126 |         - image: jimmysong/addon-resizer:1.8.2
127 |           name: eventer-nanny
128 |           resources:
129 |             limits:
130 |               cpu: 50m
131 |               memory: 90Mi
132 |             requests:
133 |               cpu: 50m
134 |               memory: 90Mi
135 |           env:
136 |             - name: MY_POD_NAME
137 |               valueFrom:
138 |                 fieldRef:
139 |                   fieldPath: metadata.name
140 |             - name: MY_POD_NAMESPACE
141 |               valueFrom:
142 |                 fieldRef:
143 |                   fieldPath: metadata.namespace
144 |           volumeMounts:
145 |           - name: eventer-config-volume
146 |             mountPath: /etc/config
147 |           command:
148 |             - /pod_nanny
149 |             - --config-dir=/etc/config
150 |             - --cpu=100m
151 |             - --extra-cpu=0m
152 |             - --memory=190Mi
153 |             - --extra-memory=500Ki
154 |             - --threshold=5
155 |             - --deployment=heapster-v1.5.0
156 |             - --container=eventer
157 |             - --poll-period=300000
158 |             - --estimator=exponential
159 |       volumes:
160 |         - name: heapster-config-volume
161 |           configMap:
162 |             name: heapster-config
163 |         - name: eventer-config-volume
164 |           configMap:
165 |             name: eventer-config
166 |       serviceAccountName: heapster
167 |       tolerations:
168 |         - key: "CriticalAddonsOnly"
169 |           operator: "Exists"
170 | 


--------------------------------------------------------------------------------
/addon/heapster/heapster-service.yaml:
--------------------------------------------------------------------------------
 1 | kind: Service
 2 | apiVersion: v1
 3 | metadata:
 4 |   name: heapster
 5 |   namespace: kube-system
 6 |   labels:
 7 |     kubernetes.io/cluster-service: "true"
 8 |     addonmanager.kubernetes.io/mode: Reconcile
 9 |     kubernetes.io/name: "Heapster"
10 | spec: 
11 |   ports: 
12 |     - port: 80
13 |       targetPort: 8082
14 |   selector: 
15 |     k8s-app: heapster
16 | 


--------------------------------------------------------------------------------
/addon/heapster/influxdb-grafana-controller.yaml:
--------------------------------------------------------------------------------
 1 | kind: Deployment
 2 | apiVersion: apps/v1
 3 | metadata:
 4 |   name: monitoring-influxdb-grafana-v4
 5 |   namespace: kube-system
 6 |   labels:
 7 |     k8s-app: influxGrafana
 8 |     version: v4
 9 |     kubernetes.io/cluster-service: "true"
10 |     addonmanager.kubernetes.io/mode: Reconcile
11 | spec:
12 |   replicas: 1
13 |   selector:
14 |     matchLabels:
15 |       k8s-app: influxGrafana
16 |       version: v4
17 |   template:
18 |     metadata:
19 |       labels:
20 |         k8s-app: influxGrafana
21 |         version: v4
22 |       annotations:
23 |         scheduler.alpha.kubernetes.io/critical-pod: ''
24 |     spec:
25 |       tolerations:
26 |       - key: node-role.kubernetes.io/master
27 |         effect: NoSchedule
28 |       - key: "CriticalAddonsOnly"
29 |         operator: "Exists"
30 |       containers:
31 |         - name: influxdb
32 |           #image: jimmysong/heapster-influxdb-amd64:v1.3.3
33 |           image: pupudaye/heapster-influxdb-amd64:v1.3.3
34 |           resources:
35 |             limits:
36 |               cpu: 100m
37 |               memory: 500Mi
38 |             requests:
39 |               cpu: 100m
40 |               memory: 500Mi
41 |           ports:
42 |             - name: http
43 |               containerPort: 8083
44 |             - name: api
45 |               containerPort: 8086
46 |           volumeMounts:
47 |           - name: influxdb-persistent-storage
48 |             mountPath: /data
49 |         - name: grafana
50 |           image: jimmysong/heapster-grafana-amd64:v4.4.3
51 |           env:
52 |           resources:
53 |             # keep request = limit to keep this container in guaranteed class
54 |             limits:
55 |               cpu: 100m
56 |               memory: 100Mi
57 |             requests:
58 |               cpu: 100m
59 |               memory: 100Mi
60 |           env:
61 |             # This variable is required to setup templates in Grafana.
62 |             - name: INFLUXDB_SERVICE_URL
63 |               value: http://localhost:8086
64 |               # The following env variables are required to make Grafana accessible via
65 |               # the kubernetes api-server proxy. On production clusters, we recommend
66 |               # removing these env variables, setup auth for grafana, and expose the grafana
67 |               # service using a LoadBalancer or a public IP.
68 |             - name: GF_AUTH_BASIC_ENABLED
69 |               value: "false"
70 |             - name: GF_AUTH_ANONYMOUS_ENABLED
71 |               value: "true"
72 |             - name: GF_AUTH_ANONYMOUS_ORG_ROLE
73 |               value: Admin
74 |               #- name: GF_SERVER_ROOT_URL
75 |               #  value: /api/v1/proxy/namespaces/kube-system/services/monitoring-grafana/
76 |           ports:
77 |           - name: ui
78 |             containerPort: 3000
79 |           volumeMounts:
80 |           - name: grafana-persistent-storage
81 |             mountPath: /var
82 |       volumes:
83 |       - name: influxdb-persistent-storage
84 |         emptyDir: {}
85 |       - name: grafana-persistent-storage
86 |         emptyDir: {}
87 | 


--------------------------------------------------------------------------------
/addon/heapster/influxdb-service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: monitoring-influxdb
 5 |   namespace: kube-system
 6 |   labels:
 7 |     kubernetes.io/cluster-service: "true"
 8 |     addonmanager.kubernetes.io/mode: Reconcile
 9 |     kubernetes.io/name: "InfluxDB"
10 | spec:
11 |   ports:
12 |     - name: http
13 |       port: 8083
14 |       targetPort: 8083
15 |     - name: api
16 |       port: 8086
17 |       targetPort: 8086
18 |   selector:
19 |     k8s-app: influxGrafana
20 | 


--------------------------------------------------------------------------------
/addon/istio/istio-ingress.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Ingress
 3 | metadata:
 4 |   name: istio-ingress
 5 |   namespace: istio-system
 6 | spec:
 7 |   rules:
 8 |   - host: grafana.istio.jimmysong.io
 9 |     http:
10 |       paths:
11 |       - path: /
12 |         backend:
13 |           serviceName: grafana
14 |           servicePort: 3000
15 |   - host: servicegraph.istio.jimmysong.io
16 |     http:
17 |       paths:
18 |       - path: /
19 |         backend:
20 |           serviceName: servicegraph
21 |           servicePort: 8088
22 |   - host: prometheus.istio.jimmysong.io
23 |     http:
24 |       paths:
25 |       - path: /
26 |         backend:
27 |           serviceName: prometheus
28 |           servicePort: 9090
29 |   - host: jaeger-query.istio.jimmysong.io
30 |     http:
31 |       paths:
32 |       - path: /
33 |         backend:
34 |           serviceName: jaeger-query
35 |           servicePort: 16686
36 | 


--------------------------------------------------------------------------------
/addon/jenkins/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM jenkins/jenkins:lts
 2 | MAINTAINER Jimmy Song <rootsongjc@gmail.com>
 3 | EXPOSE 8080 50000
 4 | USER root
 5 | # Install prerequisites for Docker
 6 | RUN apt-get update && apt-get install -y sudo maven iptables libsystemd-journal0 init-system-helpers libapparmor1 libltdl7 libseccomp2 libdevmapper1.02.1 && rm -rf /var/lib/apt/lists/*
 7 | ENV DOCKER_VERSION=docker-ce_17.03.0~ce-0~ubuntu-trusty_amd64.deb
 8 | ENV KUBERNETES_VERSION=v1.9.1
 9 | # Set up Docker
10 | RUN wget https://download.docker.com/linux/ubuntu/dists/trusty/pool/stable/amd64/$DOCKER_VERSION
11 | RUN dpkg -i $DOCKER_VERSION
12 | # Set up Kubernetes
13 | RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBERNETES_VERSION/bin/linux/amd64/kubectl
14 | RUN chmod +x ./kubectl
15 | RUN mv ./kubectl /usr/local/bin/kubectl
16 | # Configure access to the Kubernetes Cluster
17 | ADD ../../conf/config ~/.kube
18 | ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
19 | 


--------------------------------------------------------------------------------
/addon/kiali/kiali-configmap.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: kiali
 5 |   labels:
 6 |     app: kiali
 7 |     version: master
 8 | data:
 9 |   config.yaml: |
10 |     server:
11 |       port: 20001
12 |       web_root: /
13 |     external_services:
14 |       jaeger:
15 |         url: "http://172.17.8.101:31888"
16 |       grafana:
17 |         url: "http://grafana.istio.jimmysong.io"
18 | 


--------------------------------------------------------------------------------
/addon/kiali/kiali-secret.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Secret
 3 | metadata:
 4 |   name: kiali
 5 |   labels:
 6 |     app: kiali
 7 |     version: master
 8 | type: Opaque
 9 | data:
10 |   username: YWRtaW4=    # admin
11 |   password: YWRtaW4=    # admin
12 | 


--------------------------------------------------------------------------------
/addon/kiali/kiali.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: kiali
  5 |   labels:
  6 |     app: kiali
  7 |     version: master
  8 | ---
  9 | apiVersion: v1
 10 | kind: Service
 11 | metadata:
 12 |   name: kiali
 13 |   labels:
 14 |     app: kiali
 15 |     version: master
 16 | spec:
 17 |   type: NodePort
 18 |   ports:
 19 |   - name: tcp
 20 |     protocol: TCP
 21 |     port: 20001
 22 |     nodePort: 32439
 23 |   selector:
 24 |     app: kiali
 25 |     version: master
 26 | ---
 27 | apiVersion: extensions/v1beta1
 28 | kind: Ingress
 29 | metadata:
 30 |   name: kiali
 31 |   labels:
 32 |     app: kiali
 33 |     version: master
 34 | spec:
 35 |   backend:
 36 |     serviceName: kiali
 37 |     servicePort: 20001
 38 | ---
 39 | apiVersion: extensions/v1beta1
 40 | kind: Deployment
 41 | metadata:
 42 |   name: kiali
 43 |   labels:
 44 |     app: kiali
 45 |     version: master
 46 | spec:
 47 |   replicas: 1
 48 |   selector:
 49 |     matchLabels:
 50 |       app: kiali
 51 |       version: master
 52 |   strategy:
 53 |     rollingUpdate:
 54 |       maxSurge: 1
 55 |       maxUnavailable: 1
 56 |     type: RollingUpdate
 57 |   template:
 58 |     metadata:
 59 |       name: kiali
 60 |       labels:
 61 |         app: kiali
 62 |         version: master
 63 |     spec:
 64 |       serviceAccount: kiali
 65 |       containers:
 66 |       - image: kiali/kiali:latest
 67 |         name: kiali
 68 |         command:
 69 |         - "/opt/kiali/kiali"
 70 |         - "-config"
 71 |         - "/kiali-configuration/config.yaml"
 72 |         - "-v"
 73 |         - "4"
 74 |         env:
 75 |         - name: ACTIVE_NAMESPACE
 76 |           valueFrom:
 77 |             fieldRef:
 78 |               fieldPath: metadata.namespace
 79 |         - name: SERVER_CREDENTIALS_USERNAME
 80 |           valueFrom:
 81 |             secretKeyRef:
 82 |               name: kiali
 83 |               key: username
 84 |         - name: SERVER_CREDENTIALS_PASSWORD
 85 |           valueFrom:
 86 |             secretKeyRef:
 87 |               name: kiali
 88 |               key: password
 89 |         volumeMounts:
 90 |         - name: kiali-configuration
 91 |           mountPath: "/kiali-configuration"
 92 |       volumes:
 93 |       - name: kiali-configuration
 94 |         configMap:
 95 |           name: kiali
 96 | ---
 97 | apiVersion: rbac.authorization.k8s.io/v1
 98 | kind: ClusterRole
 99 | metadata:
100 |   name: kiali
101 |   labels:
102 |     app: kiali
103 |     version: master
104 | rules:
105 | - apiGroups: ["batch"]
106 |   resources:
107 |   - cronjobs
108 |   - jobs
109 |   verbs:
110 |   - get
111 |   - list
112 |   - watch
113 | - apiGroups: ["", "apps", "autoscaling"]
114 |   resources:
115 |   - configmaps
116 |   - namespaces
117 |   - nodes
118 |   - pods
119 |   - projects
120 |   - replicasets
121 |   - replicationcontrollers
122 |   - services
123 |   - statefulsets
124 |   - endpoints
125 |   - deployments
126 |   - horizontalpodautoscalers
127 |   verbs:
128 |   - get
129 |   - list
130 |   - watch
131 | - apiGroups: ["config.istio.io"]
132 |   resources:
133 |   - rules
134 |   - circonuses
135 |   - deniers
136 |   - fluentds
137 |   - kubernetesenvs
138 |   - listcheckers
139 |   - memquotas
140 |   - opas
141 |   - prometheuses
142 |   - rbacs
143 |   - servicecontrols
144 |   - solarwindses
145 |   - stackdrivers
146 |   - statsds
147 |   - stdios
148 |   - apikeys
149 |   - authorizations
150 |   - checknothings
151 |   - kuberneteses
152 |   - listentries
153 |   - logentries
154 |   - metrics
155 |   - quotas
156 |   - reportnothings
157 |   - servicecontrolreports
158 |   - quotaspecs
159 |   - quotaspecbindings
160 |   verbs:
161 |   - get
162 |   - list
163 |   - watch
164 | - apiGroups: ["networking.istio.io"]
165 |   resources:
166 |   - virtualservices
167 |   - destinationrules
168 |   - serviceentries
169 |   - gateways
170 |   verbs:
171 |   - get
172 |   - list
173 |   - watch
174 | ---
175 | apiVersion: rbac.authorization.k8s.io/v1
176 | kind: ClusterRoleBinding
177 | metadata:
178 |   name: kiali
179 |   labels:
180 |     app: kiali
181 |     version: master
182 | roleRef:
183 |   kind: ClusterRole
184 |   name: kiali
185 |   apiGroup: rbac.authorization.k8s.io
186 | subjects:
187 | - kind: ServiceAccount
188 |   name: kiali
189 |   namespace: istio-system
190 | 


--------------------------------------------------------------------------------
/addon/rook/mysql.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: wordpress-mysql
 5 |   labels:
 6 |     app: wordpress
 7 | spec:
 8 |   ports:
 9 |     - port: 3306
10 |   selector:
11 |     app: wordpress
12 |     tier: mysql
13 |   clusterIP: None
14 | ---
15 | apiVersion: v1
16 | kind: PersistentVolumeClaim
17 | metadata:
18 |   name: mysql-pv-claim
19 |   labels:
20 |     app: wordpress
21 | spec:
22 |   storageClassName: rook-block
23 |   accessModes:
24 |   - ReadWriteOnce
25 |   resources:
26 |     requests:
27 |       storage: 2Gi
28 | ---
29 | apiVersion: apps/v1beta1
30 | kind: Deployment
31 | metadata:
32 |   name: wordpress-mysql
33 |   labels:
34 |     app: wordpress
35 | spec:
36 |   strategy:
37 |     type: Recreate
38 |   template:
39 |     metadata:
40 |       labels:
41 |         app: wordpress
42 |         tier: mysql
43 |     spec:
44 |       containers:
45 |       - image: mysql:5.6
46 |         name: mysql
47 |         env:
48 |         - name: MYSQL_ROOT_PASSWORD
49 |           value: changeme
50 |         ports:
51 |         - containerPort: 3306
52 |           name: mysql
53 |         volumeMounts:
54 |         - name: mysql-persistent-storage
55 |           mountPath: /var/lib/mysql
56 |       volumes:
57 |       - name: mysql-persistent-storage
58 |         persistentVolumeClaim:
59 |           claimName: mysql-pv-claim
60 | 


--------------------------------------------------------------------------------
/addon/rook/rook-agent-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1beta1
 3 | metadata:
 4 |     name: rookagent-clusterrolebinding
 5 | subjects:
 6 |   - kind: ServiceAccount
 7 |     name: rook-agent
 8 |     namespace: rook-system
 9 | roleRef:
10 |     kind: ClusterRole
11 |     name: cluster-admin
12 |     apiGroup: ""
13 | 


--------------------------------------------------------------------------------
/addon/rook/rook-cluster.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Namespace
 3 | metadata:
 4 |   name: rook
 5 | ---
 6 | apiVersion: rook.io/v1alpha1
 7 | kind: Cluster
 8 | metadata:
 9 |   name: rook
10 |   namespace: rook
11 | spec:
12 |   versionTag: v0.6.2
13 |   dataDirHostPath: /var/lib/rook
14 |   storage:
15 |     useAllNodes: true
16 |     useAllDevices: false
17 |     storeConfig:
18 |       storeType: bluestore
19 |       databaseSizeMB: 512
20 |       journalSizeMB: 512
21 | 


--------------------------------------------------------------------------------
/addon/rook/rook-operator.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: Namespace
  3 | metadata:
  4 |   name: rook-system
  5 | ---
  6 | kind: ClusterRole
  7 | apiVersion: rbac.authorization.k8s.io/v1beta1
  8 | metadata:
  9 |   name: rook-operator
 10 | rules:
 11 | - apiGroups:
 12 |   - ""
 13 |   resources:
 14 |   - namespaces
 15 |   - serviceaccounts
 16 |   - secrets
 17 |   - pods
 18 |   - services
 19 |   - nodes
 20 |   - nodes/proxy
 21 |   - configmaps
 22 |   - events
 23 |   - persistentvolumes
 24 |   - persistentvolumeclaims
 25 |   verbs:
 26 |   - get
 27 |   - list
 28 |   - watch
 29 |   - patch
 30 |   - create
 31 |   - update
 32 |   - delete
 33 | - apiGroups:
 34 |   - extensions
 35 |   resources:
 36 |   - thirdpartyresources
 37 |   - deployments
 38 |   - daemonsets
 39 |   - replicasets
 40 |   verbs:
 41 |   - get
 42 |   - list
 43 |   - watch
 44 |   - create
 45 |   - update
 46 |   - delete
 47 | - apiGroups:
 48 |   - apiextensions.k8s.io
 49 |   resources:
 50 |   - customresourcedefinitions
 51 |   verbs:
 52 |   - get
 53 |   - list
 54 |   - watch
 55 |   - create
 56 |   - delete
 57 | - apiGroups:
 58 |   - rbac.authorization.k8s.io
 59 |   resources:
 60 |   - clusterroles
 61 |   - clusterrolebindings
 62 |   - roles
 63 |   - rolebindings
 64 |   verbs:
 65 |   - get
 66 |   - list
 67 |   - watch
 68 |   - create
 69 |   - update
 70 |   - delete
 71 | - apiGroups:
 72 |   - storage.k8s.io
 73 |   resources:
 74 |   - storageclasses
 75 |   verbs:
 76 |   - get
 77 |   - list
 78 |   - watch
 79 |   - delete
 80 | - apiGroups:
 81 |   - rook.io
 82 |   resources:
 83 |   - "*"
 84 |   verbs:
 85 |   - "*"
 86 | ---
 87 | apiVersion: v1
 88 | kind: ServiceAccount
 89 | metadata:
 90 |   name: rook-operator
 91 |   namespace: rook-system
 92 | ---
 93 | kind: ClusterRoleBinding
 94 | apiVersion: rbac.authorization.k8s.io/v1beta1
 95 | metadata:
 96 |   name: rook-operator
 97 |   namespace: rook-system
 98 | roleRef:
 99 |   apiGroup: rbac.authorization.k8s.io
100 |   kind: ClusterRole
101 |   name: rook-operator
102 | subjects:
103 | - kind: ServiceAccount
104 |   name: rook-operator
105 |   namespace: rook-system
106 | ---
107 | apiVersion: apps/v1beta1
108 | kind: Deployment
109 | metadata:
110 |   name: rook-operator
111 |   namespace: rook-system
112 | spec:
113 |   replicas: 1
114 |   template:
115 |     metadata:
116 |       labels:
117 |         app: rook-operator
118 |     spec:
119 |       serviceAccountName: rook-operator
120 |       containers:
121 |       - name: rook-operator
122 |         image: rook/rook:master
123 |         args: ["operator"]
124 |         env:
125 |         # To disable RBAC, uncomment the following:
126 |         # - name: RBAC_ENABLED
127 |         #  value: "false"
128 |         # Rook Agent toleration. Will tolerate all taints with all keys.
129 |         # Choose between NoSchedule, PreferNoSchedule and NoExecute:
130 |         # - name: AGENT_TOLERATION
131 |         #  value: "NoSchedule"
132 |         # (Optional) Rook Agent toleration key. Set this to the key of the taint you want to tolerate
133 |         # - name: AGENT_TOLERATION_KEY
134 |         #  value: "<KeyOfTheTaintToTolerate>"
135 |         # Set the path where the Rook agent can find the flex volumes
136 |         # - name: FLEXVOLUME_DIR_PATH
137 |         #  value: "<PathToFlexVolumes>"
138 |         # The interval to check if every mon is in the quorum.
139 |         - name: ROOK_MON_HEALTHCHECK_INTERVAL
140 |           value: "45s"
141 |         - name: FLEXVOLUME_DIR_PATH
142 |           value: "/var/lib/kubelet/volumeplugins"
143 |         # The duration to wait before trying to failover or remove/replace the
144 |         # current mon with a new mon (useful for compensating flapping network).
145 |         - name: ROOK_MON_OUT_TIMEOUT
146 |           value: "300s"
147 |         - name: NODE_NAME
148 |           valueFrom:
149 |             fieldRef:
150 |               fieldPath: spec.nodeName
151 |         - name: POD_NAME
152 |           valueFrom:
153 |             fieldRef:
154 |               fieldPath: metadata.name
155 |         - name: POD_NAMESPACE
156 |           valueFrom:
157 |             fieldRef:
158 |               fieldPath: metadata.namespace
159 | 


--------------------------------------------------------------------------------
/addon/rook/rook-storageclass.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rook.io/v1alpha1
 2 | kind: Pool
 3 | metadata:
 4 |   name: replicapool
 5 |   namespace: rook
 6 | spec:
 7 |   replicated:
 8 |     size: 1
 9 |   # For an erasure-coded pool, comment out the replication size above and uncomment the following settings.
10 |   # Make sure you have enough OSDs to support the replica size or erasure code chunks.
11 |   #erasureCoded:
12 |   #  dataChunks: 2
13 |   #  codingChunks: 1
14 | ---
15 | apiVersion: storage.k8s.io/v1
16 | kind: StorageClass
17 | metadata:
18 |    name: rook-block
19 | provisioner: rook.io/block
20 | parameters:
21 |   pool: replicapool
22 |   # Specify the Rook cluster from which to create volumes.
23 |   # If not specified, it will use `rook` as the name of the cluster.
24 |   # This is also the namespace where the cluster will be
25 |   clusterName: rook
26 |   # Specify the filesystem type of the volume. If not specified, it will use `ext4`.
27 |   # fstype: ext4
28 | 


--------------------------------------------------------------------------------
/addon/rook/rook-tools.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: rook-tools
 5 |   namespace: rook
 6 | spec:
 7 |   dnsPolicy: ClusterFirstWithHostNet
 8 |   containers:
 9 |   - name: rook-tools
10 |     image: rook/toolbox:master
11 |     imagePullPolicy: IfNotPresent
12 |     env:
13 |       - name: ROOK_ADMIN_SECRET
14 |         valueFrom:
15 |           secretKeyRef:
16 |             name: rook-ceph-mon
17 |             key: admin-secret
18 |     securityContext:
19 |       privileged: true
20 |     volumeMounts:
21 |       - mountPath: /dev
22 |         name: dev
23 |       - mountPath: /sys/bus
24 |         name: sysbus
25 |       - mountPath: /lib/modules
26 |         name: libmodules
27 |       - name: mon-endpoint-volume
28 |         mountPath: /etc/rook
29 |   hostNetwork: false
30 |   volumes:
31 |     - name: dev
32 |       hostPath:
33 |         path: /dev
34 |     - name: sysbus
35 |       hostPath:
36 |         path: /sys/bus
37 |     - name: libmodules
38 |       hostPath:
39 |         path: /lib/modules
40 |     - name: mon-endpoint-volume
41 |       configMap:
42 |         name: rook-ceph-mon-endpoints
43 |         items:
44 |         - key: data
45 |           path: mon-endpoints
46 | 


--------------------------------------------------------------------------------
/addon/rook/wordpress.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: wordpress
 5 |   labels:
 6 |     app: wordpress
 7 | spec:
 8 |   ports:
 9 |   - port: 80
10 |   selector:
11 |     app: wordpress
12 |     tier: frontend
13 | ---
14 | apiVersion: v1
15 | kind: PersistentVolumeClaim
16 | metadata:
17 |   name: wp-pv-claim
18 |   labels:
19 |     app: wordpress
20 | spec:
21 |   storageClassName: rook-block
22 |   accessModes:
23 |   - ReadWriteOnce
24 |   resources:
25 |     requests:
26 |       storage: 2Gi
27 | ---
28 | apiVersion: extensions/v1beta1
29 | kind: Deployment
30 | metadata:
31 |   name: wordpress
32 |   labels:
33 |     app: wordpress
34 | spec:
35 |   strategy:
36 |     type: Recreate
37 |   template:
38 |     metadata:
39 |       labels:
40 |         app: wordpress
41 |         tier: frontend
42 |     spec:
43 |       containers:
44 |       - image: wordpress:4.6.1-apache
45 |         name: wordpress
46 |         env:
47 |         - name: WORDPRESS_DB_HOST
48 |           value: wordpress-mysql
49 |         - name: WORDPRESS_DB_PASSWORD
50 |           value: changeme
51 |         ports:
52 |         - containerPort: 80
53 |           name: wordpress
54 |         volumeMounts:
55 |         - name: wordpress-persistent-storage
56 |           mountPath: /var/www/html
57 |       volumes:
58 |       - name: wordpress-persistent-storage
59 |         persistentVolumeClaim:
60 |           claimName: wp-pv-claim
61 | ---
62 | apiVersion: extensions/v1beta1
63 | kind: Ingress
64 | metadata:
65 |   name: wordpress-ingress
66 | spec:
67 |   rules:
68 |   - host: wp.jimmysong.io
69 |     http:
70 |       paths:
71 |       - path: /
72 |         backend:
73 |           serviceName: wordpress
74 |           servicePort: 80
75 | 


--------------------------------------------------------------------------------
/addon/traefik-ingress/ingress.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Ingress
 3 | metadata:
 4 |   name: traefik-ingress
 5 |   namespace: kube-system
 6 | spec:
 7 |   rules:
 8 |   - host: traefik.jimmysong.io
 9 |     http:
10 |       paths:
11 |       - path: /
12 |         backend:
13 |           serviceName: traefik-ingress-service
14 |           servicePort: 8080
15 |   - host: grafana.jimmysong.io
16 |     http:
17 |       paths:
18 |       - path: /
19 |         backend:
20 |           serviceName: monitoring-grafana
21 |           servicePort: 3000
22 | 


--------------------------------------------------------------------------------
/addon/traefik-ingress/traefik-rbac.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1beta1
 3 | metadata:
 4 |   name: traefik-ingress-controller
 5 | subjects:
 6 |   - kind: ServiceAccount
 7 |     name: traefik-ingress-controller
 8 |     namespace: kube-system
 9 | roleRef:
10 |   kind: ClusterRole
11 |   name: cluster-admin
12 |   apiGroup: rbac.authorization.k8s.io
13 | 


--------------------------------------------------------------------------------
/addon/traefik-ingress/traefik.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: traefik-ingress-controller
 6 |   namespace: kube-system
 7 | ---
 8 | kind: DaemonSet
 9 | apiVersion: apps/v1
10 | metadata:
11 |   name: traefik-ingress-controller
12 |   namespace: kube-system
13 |   labels:
14 |     k8s-app: traefik-ingress-lb
15 | spec:
16 |   selector:
17 |     matchLabels:
18 |       name: traefik-ingress-lb
19 |   template:
20 |     metadata:
21 |       labels:
22 |         k8s-app: traefik-ingress-lb
23 |         name: traefik-ingress-lb
24 |     spec:
25 |       serviceAccountName: traefik-ingress-controller
26 |       terminationGracePeriodSeconds: 60
27 |       hostNetwork: true
28 |       containers:
29 |       - image: traefik:1.7
30 |         name: traefik-ingress-lb
31 |         ports:
32 |         - name: http
33 |           containerPort: 80
34 |           hostPort: 80
35 |         - name: admin
36 |           containerPort: 8080
37 |           hostPort: 8080
38 |         securityContext:
39 |           privileged: true
40 |         args:
41 |         - -d
42 |         - --api
43 |         - --kubernetes
44 |       nodeSelector:
45 |         kubernetes.io/hostname: "node2"
46 | ---
47 | kind: Service
48 | apiVersion: v1
49 | metadata:
50 |   name: traefik-ingress-service
51 |   namespace: kube-system
52 | spec:
53 |   selector:
54 |     k8s-app: traefik-ingress-lb
55 |   ports:
56 |     - protocol: TCP
57 |       port: 80
58 |       name: web
59 |     - protocol: TCP
60 |       # avoid to conflict with kube-apiserver insecure port
61 |       port: 8080
62 |       name: admin
63 | 


--------------------------------------------------------------------------------
/addon/vistio/vistio-mesh-only.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | # Source: vistio/templates/configmap.yaml
  3 | apiVersion: v1
  4 | kind: ConfigMap
  5 | metadata:
  6 |   name: vistio-api-config
  7 |   labels:
  8 |     heritage: Tiller
  9 |     chart: "vistio-0.1.0"
 10 |     app: vistio
 11 |     release: vistio
 12 | data:
 13 |   vistio.yaml: |-
 14 |     clusterLevel:
 15 |     - cluster: istio-mesh
 16 |       maxVolume: 100
 17 |       serviceConnections:
 18 |       - notices:
 19 |         - name: HighErrorRate
 20 |           severityThreshold:
 21 |             error: 0.05
 22 |             warning: 0.01
 23 |           statusType: danger
 24 |           title: '[{{ .value }}] High Error Rate'
 25 |         prometheusURL: http://prometheus.istio-system:9090
 26 |         query: sum(rate(istio_requests_total[1m])) by (source_app,destination_service,response_code)
 27 |         source:
 28 |           label: source_app
 29 |         status:
 30 |           dangerRegex: ^5..$
 31 |           label: response_code
 32 |           warningRegex: ^4..$
 33 |         target:
 34 |           label: destination_service
 35 |     globalLevel:
 36 |       clusterConnections:
 37 |       - prometheusURL: http://prometheus.istio-system:9090
 38 |         # TODO support istio 1.0
 39 |         # with istio-ingressgateway
 40 |         query: sum(rate(istio_requests_total{reporter="source", source_workload="istio-ingressgateway"}[1m])) by (response_code)
 41 |         # no istio-ingressgateway
 42 |         # query: sum(rate(istio_requests_total[1m])) by (response_code)
 43 |         source:
 44 |           replacement: Total Mesh Requests
 45 |         status:
 46 |           dangerRegex: ^5..$
 47 |           label: response_code
 48 |           warningRegex: ^4..$
 49 |         target:
 50 |           replacement: istio-mesh
 51 |       maxVolume: 100
 52 |     graphName: Vistio
 53 |     
 54 | ---
 55 | # Source: vistio/templates/service.yaml
 56 | apiVersion: v1
 57 | kind: Service
 58 | metadata:
 59 |   name: vistio-api
 60 |   labels:
 61 |     heritage: Tiller
 62 |     chart: "vistio-0.1.0"
 63 |     app: vistio-api
 64 |     release: vistio
 65 | spec:
 66 |   type: ClusterIP
 67 |   selector:
 68 |     app: vistio-api
 69 |     release: vistio
 70 |   ports:
 71 |     - name: http
 72 |       port: 9091
 73 |       targetPort: 9091
 74 |       protocol: TCP
 75 | ---
 76 | apiVersion: v1
 77 | kind: Service
 78 | metadata:
 79 |   name: vistio-web
 80 |   labels:
 81 |     heritage: Tiller
 82 |     chart: "vistio-0.1.0"
 83 |     app: vistio-web
 84 |     release: vistio
 85 | spec:
 86 |   type: ClusterIP
 87 |   selector:
 88 |     app: vistio-web
 89 |     release: vistio
 90 |   ports:
 91 |     - name: http
 92 |       port: 8080
 93 |       targetPort: 8080
 94 |       protocol: TCP
 95 | 
 96 | ---
 97 | # Source: vistio/templates/deployment.yaml
 98 | apiVersion: extensions/v1beta1
 99 | kind: Deployment
100 | metadata:
101 |   name: vistio-web
102 |   labels:
103 |     heritage: Tiller
104 |     chart: "vistio-0.1.0"
105 |     app: vistio-web
106 |     release: vistio
107 | spec:
108 |   replicas: 1
109 |   template:
110 |     metadata:
111 |       labels:
112 |         app: vistio-web
113 |         release: vistio
114 |     spec:
115 |       containers:
116 |         - name: vistio
117 |           image: "nmnellis/vistio-web:v0.1.0"
118 |           imagePullPolicy: Always
119 |           ports:
120 |             - containerPort: 8080
121 |           env:
122 |             - name: UPDATE_URL
123 |               value: http://localhost:9091/graph
124 |             - name: INTERVAL
125 |               value: "1000"
126 |             - name: MAX_REPLAY_OFFSET
127 |               value: "43200"
128 |           resources:
129 |             {}
130 |             
131 | 
132 | ---
133 | # Source: vistio/templates/statefulset.yaml
134 | apiVersion: apps/v1beta1
135 | kind: StatefulSet
136 | metadata:
137 |   name: vistio-api
138 |   labels:
139 |     heritage: Tiller
140 |     chart: "vistio-0.1.0"
141 |     app: vistio-api
142 |     release: vistio
143 | spec:
144 |   replicas: 1
145 |   serviceName: vistio
146 |   template:
147 |     metadata:
148 |       labels:
149 |         app: vistio-api
150 |         release: vistio
151 |     spec:
152 |       containers:
153 |         - name: vistio-api
154 |           image: nmnellis/vistio-api:v0.1.0
155 |           imagePullPolicy: IfNotPresent
156 |           args:
157 |             - --config.file=/etc/vistio/vistio.yaml
158 |             - --log.level=info
159 |             - --storage.path=/var/vistio/data
160 |             - --storage.retention=24h
161 |             - --cache.size=100
162 |             - --retrieval.scrape-interval=10s
163 |             - --retrieval.scrape-timeout=8s
164 |             - --api.port=9091
165 |           ports:
166 |             - containerPort: 9091
167 |           livenessProbe:
168 |             httpGet:
169 |               path: /
170 |               port: 9091
171 |             initialDelaySeconds: 30
172 |             timeoutSeconds: 30
173 |           readinessProbe:
174 |             httpGet:
175 |               path: /
176 |               port: 9091
177 |             initialDelaySeconds: 30
178 |             timeoutSeconds: 30
179 |           resources:
180 |             {}
181 |             
182 |           volumeMounts:
183 |             - name: config
184 |               mountPath: /etc/vistio
185 |             - name: vistio-db
186 |               mountPath: /var/vistio/data
187 |               subPath: vistio-db
188 |         - name: reloader
189 |           image: nghialv2607/k8s-config-reloader:v0.1.0
190 |           imagePullPolicy: IfNotPresent
191 |           args:
192 |             - --config.promviz-reload-url=http://localhost:9091/reload
193 |             - --config.promviz-config-dir=/etc/vistio
194 |             - --config.log-level=info
195 |           resources:
196 |             limits:
197 |               cpu: 50m
198 |               memory: 64Mi
199 |             requests:
200 |               cpu: 20m
201 |               memory: 32Mi
202 |             
203 |           volumeMounts:
204 |             - name: config
205 |               mountPath: /etc/vistio
206 |       volumes:
207 |         - name: config
208 |           configMap:
209 |             name: vistio-api-config
210 |         - name: vistio-db
211 |           emptyDir: {}
212 | 
213 | 


--------------------------------------------------------------------------------
/addon/weave-scope/scope.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: List
  3 | items:
  4 |   - apiVersion: v1
  5 |     kind: Namespace
  6 |     metadata:
  7 |       name: weave
  8 |       annotations:
  9 |         cloud.weave.works/version: unknown
 10 |   - apiVersion: v1
 11 |     kind: ServiceAccount
 12 |     metadata:
 13 |       name: weave-scope
 14 |       annotations:
 15 |         cloud.weave.works/launcher-info: |-
 16 |           {
 17 |             "original-request": {
 18 |               "url": "/k8s/v1.8/scope.yaml",
 19 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
 20 |             },
 21 |             "email-address": "support@weave.works"
 22 |           }
 23 |       labels:
 24 |         name: weave-scope
 25 |       namespace: weave
 26 |   - apiVersion: rbac.authorization.k8s.io/v1beta1
 27 |     kind: ClusterRole
 28 |     metadata:
 29 |       name: weave-scope
 30 |       annotations:
 31 |         cloud.weave.works/launcher-info: |-
 32 |           {
 33 |             "original-request": {
 34 |               "url": "/k8s/v1.8/scope.yaml",
 35 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
 36 |             },
 37 |             "email-address": "support@weave.works"
 38 |           }
 39 |       labels:
 40 |         name: weave-scope
 41 |     rules:
 42 |       - apiGroups:
 43 |           - ''
 44 |         resources:
 45 |           - pods
 46 |         verbs:
 47 |           - get
 48 |           - list
 49 |           - watch
 50 |           - delete
 51 |       - apiGroups:
 52 |           - ''
 53 |         resources:
 54 |           - pods/log
 55 |           - services
 56 |           - nodes
 57 |           - namespaces
 58 |           - persistentvolumes
 59 |           - persistentvolumeclaims
 60 |         verbs:
 61 |           - get
 62 |           - list
 63 |           - watch
 64 |       - apiGroups:
 65 |           - apps
 66 |         resources:
 67 |           - statefulsets
 68 |         verbs:
 69 |           - get
 70 |           - list
 71 |           - watch
 72 |       - apiGroups:
 73 |           - batch
 74 |         resources:
 75 |           - cronjobs
 76 |           - jobs
 77 |         verbs:
 78 |           - get
 79 |           - list
 80 |           - watch
 81 |       - apiGroups:
 82 |           - extensions
 83 |         resources:
 84 |           - deployments
 85 |           - daemonsets
 86 |         verbs:
 87 |           - get
 88 |           - list
 89 |           - watch
 90 |       - apiGroups:
 91 |           - extensions
 92 |         resources:
 93 |           - deployments/scale
 94 |         verbs:
 95 |           - get
 96 |           - update
 97 |       - apiGroups:
 98 |           - storage.k8s.io
 99 |         resources:
100 |           - storageclasses
101 |         verbs:
102 |           - get
103 |           - list
104 |           - watch
105 |   - apiVersion: rbac.authorization.k8s.io/v1beta1
106 |     kind: ClusterRoleBinding
107 |     metadata:
108 |       name: weave-scope
109 |       annotations:
110 |         cloud.weave.works/launcher-info: |-
111 |           {
112 |             "original-request": {
113 |               "url": "/k8s/v1.8/scope.yaml",
114 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
115 |             },
116 |             "email-address": "support@weave.works"
117 |           }
118 |       labels:
119 |         name: weave-scope
120 |     roleRef:
121 |       kind: ClusterRole
122 |       name: weave-scope
123 |       apiGroup: rbac.authorization.k8s.io
124 |     subjects:
125 |       - kind: ServiceAccount
126 |         name: weave-scope
127 |         namespace: weave
128 |   - apiVersion: apps/v1beta1
129 |     kind: Deployment
130 |     metadata:
131 |       name: weave-scope-app
132 |       annotations:
133 |         cloud.weave.works/launcher-info: |-
134 |           {
135 |             "original-request": {
136 |               "url": "/k8s/v1.8/scope.yaml",
137 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
138 |             },
139 |             "email-address": "support@weave.works"
140 |           }
141 |       labels:
142 |         name: weave-scope-app
143 |         app: weave-scope
144 |         weave-cloud-component: scope
145 |         weave-scope-component: app
146 |       namespace: weave
147 |     spec:
148 |       replicas: 1
149 |       revisionHistoryLimit: 2
150 |       template:
151 |         metadata:
152 |           labels:
153 |             name: weave-scope-app
154 |             app: weave-scope
155 |             weave-cloud-component: scope
156 |             weave-scope-component: app
157 |         spec:
158 |           containers:
159 |             - name: app
160 |               args:
161 |                 - '--mode=app'
162 |               command:
163 |                 - /home/weave/scope
164 |               env: []
165 |               image: 'docker.io/weaveworks/scope:1.9.1'
166 |               imagePullPolicy: IfNotPresent
167 |               ports:
168 |                 - containerPort: 4040
169 |                   protocol: TCP
170 |   - apiVersion: v1
171 |     kind: Service
172 |     metadata:
173 |       name: weave-scope-app
174 |       annotations:
175 |         cloud.weave.works/launcher-info: |-
176 |           {
177 |             "original-request": {
178 |               "url": "/k8s/v1.8/scope.yaml",
179 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
180 |             },
181 |             "email-address": "support@weave.works"
182 |           }
183 |       labels:
184 |         name: weave-scope-app
185 |         app: weave-scope
186 |         weave-cloud-component: scope
187 |         weave-scope-component: app
188 |       namespace: weave
189 |     spec:
190 |       ports:
191 |         - name: app
192 |           port: 80
193 |           protocol: TCP
194 |           targetPort: 4040
195 |       selector:
196 |         name: weave-scope-app
197 |         app: weave-scope
198 |         weave-cloud-component: scope
199 |         weave-scope-component: app
200 |   - apiVersion: extensions/v1beta1
201 |     kind: DaemonSet
202 |     metadata:
203 |       name: weave-scope-agent
204 |       annotations:
205 |         cloud.weave.works/launcher-info: |-
206 |           {
207 |             "original-request": {
208 |               "url": "/k8s/v1.8/scope.yaml",
209 |               "date": "Fri Aug 17 2018 13:08:44 GMT+0000 (UTC)"
210 |             },
211 |             "email-address": "support@weave.works"
212 |           }
213 |       labels:
214 |         name: weave-scope-agent
215 |         app: weave-scope
216 |         weave-cloud-component: scope
217 |         weave-scope-component: agent
218 |       namespace: weave
219 |     spec:
220 |       minReadySeconds: 5
221 |       template:
222 |         metadata:
223 |           labels:
224 |             name: weave-scope-agent
225 |             app: weave-scope
226 |             weave-cloud-component: scope
227 |             weave-scope-component: agent
228 |         spec:
229 |           containers:
230 |             - name: scope-agent
231 |               args:
232 |                 - '--mode=probe'
233 |                 - '--probe-only'
234 |                 - '--probe.kubernetes=true'
235 |                 - '--probe.docker.bridge=docker0'
236 |                 - '--probe.docker=true'
237 |                 - 'weave-scope-app.weave.svc.cluster.local:80'
238 |               command:
239 |                 - /home/weave/scope
240 |               env:
241 |                 - name: KUBERNETES_NODENAME
242 |                   valueFrom:
243 |                     fieldRef:
244 |                       apiVersion: v1
245 |                       fieldPath: spec.nodeName
246 |               image: 'docker.io/weaveworks/scope:1.9.1'
247 |               imagePullPolicy: IfNotPresent
248 |               securityContext:
249 |                 privileged: true
250 |               volumeMounts:
251 |                 - name: scope-plugins
252 |                   mountPath: /var/run/scope/plugins
253 |                 - name: sys-kernel-debug
254 |                   mountPath: /sys/kernel/debug
255 |                 - name: docker-socket
256 |                   mountPath: /var/run/docker.sock
257 |           dnsPolicy: ClusterFirstWithHostNet
258 |           hostNetwork: true
259 |           hostPID: true
260 |           serviceAccountName: weave-scope
261 |           tolerations:
262 |             - effect: NoSchedule
263 |               operator: Exists
264 |           volumes:
265 |             - name: scope-plugins
266 |               hostPath:
267 |                 path: /var/run/scope/plugins
268 |             - name: sys-kernel-debug
269 |               hostPath:
270 |                 path: /sys/kernel/debug
271 |             - name: docker-socket
272 |               hostPath:
273 |                 path: /var/run/docker.sock
274 |       updateStrategy:
275 |         type: RollingUpdate
276 | ---
277 | apiVersion: extensions/v1beta1
278 | kind: Ingress
279 | metadata:
280 |   name: weave-ingress
281 |   namespace: weave
282 | spec:
283 |   rules:
284 |   - host: scope.weave.jimmysong.io
285 |     http:
286 |       paths:
287 |       - path: /
288 |         backend:
289 |           serviceName: weave-scope-app
290 |           servicePort: 80
291 | 


--------------------------------------------------------------------------------
/conf/admin.kubeconfig:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXBPZ0F3SUJBZ0lVTWVuVHNleWtMcGQreWdPZGhzZkZCa3R0UTlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UTTBNREJhRncweU16QXhNRGt3T1RNME1EQmEKTUd3eEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwTGRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WCkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkKM09HOE91d0h2ZVIvY3RSZE1naUJRMGc2cXozYmFnNTlDRG1yMURaU2R3bm9TTzZVR0QyanpjQllWVFJOTFFwWQpuc2FBY1pLa3FONmJDdHRiVGdCVkd4ZGltNGQzdXdveS9kcnpTeU9zclVnWUVsZGQwV0p2Nk5xZVUrUGVOd01pCmg1WGxTcFlYbTF1eTBDejFSdFlLbUZxZUFoMTN2c1hwMGptcEQ0NCtQMStIN0dvaWlXSTNMakVCOFNlcVM2LzIKUzVvNXlWdC92VzlUTlRzZ1FRL2o1Q2tNYnRkMGdDVzdGdk14ckpabXZFNi9Ocm9vU3o0WDZVb3M1TkxZVFYwdwpyVDhJbDZ2N3l4d2xHcEZ3dE0wSy9yMGRQN1U0eGRjUVFjQzlkOFRqaE5SMWczNEVaeXBNZ2FybFBVWDYzK1AxCjhWMXExanBScXdGZG9uS1lNSWExQWdNQkFBR2pSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUIKQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUklROENvNnl4NEh1RXZ3anZlR0NQZXBDUGVpekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQXZxaGFvUjUzdEZSMmlDdllaWFc0Zmc5Zlh2Y25mUEFxY3pwTEtIbVNjUDdZCjdZWWxJOVF2Vkg1YXVZanU0WjRjVWVsMFErcytUZXp6dGFkRDYvMHJ2K1pVRlB5a0NxQld4NDh1NjRmZ2JlNnIKN25USnJjRXY3Sm54eENSN04vem5YQ25rYStDOE5vMEE2UzJCU1ZHS29rSkZzNmNmMy85OEZLazQyU0ZqM2NsNwpLMytobUtJU0hQMGxWQ2ZwNWVhTHVTcEYzakwvYUdmVk4wb1dLaWJFYWN2QWFhUE5DR29zMkRFV0NsNjNMY2wxCnhoTktsWjlBdDgvN2M0ejRSemJwUDJVaE9FYkRGQlYyRXhhLy9ya0NEdnhDUWtudmtva004TnN0Q1loc2MyWVkKNjNIang0K3hNZjZJNUhlUVBUS2Y3dy9LZVZwbFdLdkVBQVV4MFhYUTVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 5 |     server: https://172.17.8.101:6443
 6 |   name: kubernetes
 7 | contexts:
 8 | - context:
 9 |     cluster: kubernetes
10 |     user: admin
11 |   name: kubernetes
12 | current-context: kubernetes
13 | kind: Config
14 | preferences: {}
15 | users:
16 | - name: admin
17 |   user:
18 |     as-user-extra: {}
19 |     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1RENDQXN5Z0F3SUJBZ0lVY3pFMWdybEpuMGVJUGM1eFlkRkd2VEFXYjZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UVXdNREJhRncweU9EQXhNRGd3T1RVd01EQmEKTUdzeEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJjd0ZRWURWUVFLRXc1emVYTjBaVzA2YldGemRHVnljekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUTR3CkRBWURWUVFERXdWaFpHMXBiakNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLY0oKb2N6U1N4QnhjdTNIL01hWUhFdU81Z0c1dG50Rm9iYWYvQWVwWm1oZnZSQVVBTURnbUVtalNKcUJzQk1YTmwrSgoxRHRkZERJZjU2WkZuaWxUbFZXcVd3MTNpaVJ6QkFmaXVMVW44by9sV3ZBOVVPRzAwRkhMdENMbmZITjNlNTZlCmhuSnhRbFBrTm1oTXlyNUZZeDBuRldzckZSTkNZaTRDS2tHVU1JUlJEWjVLMzZWRWNBM0lEUXA1M3dTZ3R2MUUKbDdQbXoxRW1sNURVelplOWZSQlhVUjJTalZnSWZwK0xpL0NMS1ZBYThjQ1BvWW5PL0RNeGFKemd2NWZ1VGRzZwpaNndRaGcwanM3cE1wMzRsZEhUa2lQcHU3V0RRU2N5dklWQmxPNDVXWXBiTkNMNVV1T0RDZFhPZkFMRVN0bGxxCldrODUzd3dmWnNlMC9PT0ZGYnNDQXdFQUFhTi9NSDB3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVcKTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJRbApLMkhmRmI1akk0VHhXMFcrVDRxNm83TkxwekFmQmdOVkhTTUVHREFXZ0JSSVE4Q282eXg0SHVFdndqdmVHQ1BlCnBDUGVpekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBVzJWODJzbFQvcmdSRVJOTHNGNDZtNktMYU9NMitSQ1YKU2NGbXVDSWNMMXhWaWNxcFlyMzlkeEVYeGVVZ056SE1oWnhsaUorOTMrL2RCWkJrcHZTZUYvUjNMS213c0NlMwpnT2ZTOGFNUU9yWFQ2aGJuNVYwUURMZFNTemdLQUZuS3AwT3JCNEt1dWVGby9kQXF2dGlKQW51dCs5cTVCYXdVCkE5cUk2aENCM1o2cEFMbEdVc3BaZi9aLzl1U3h3R08zd1htOG5mMUVnWEVxRmNkWlhrNisyZ1F2Q21NV0hPNS8KSVQxeWlpZ3FOR2VDZUdOa0d0ZjFBMWJKMldTV3p2anJOYVNtN3gwcUVQWms2SkhxNkxDRzJtQnU4b3N6QXRQbAo3ZGhJbVdoV2xza21PM25laE1wbVBHUnhqaHJjVlRZd0lQVld2MXNnb3hKTlR2RkhERFVCcmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
20 |     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcHdtaHpOSkxFSEZ5N2NmOHhwZ2NTNDdtQWJtMmUwV2h0cC84QjZsbWFGKzlFQlFBCndPQ1lTYU5JbW9Hd0V4YzJYNG5VTzExME1oL25wa1dlS1ZPVlZhcGJEWGVLSkhNRUIrSzR0U2Z5aitWYThEMVEKNGJUUVVjdTBJdWQ4YzNkN25wNkdjbkZDVStRMmFFekt2a1ZqSFNjVmF5c1ZFMEppTGdJcVFaUXdoRkVObmtyZgpwVVJ3RGNnTkNubmZCS0MyL1VTWHMrYlBVU2FYa05UTmw3MTlFRmRSSFpLTldBaCtuNHVMOElzcFVCcnh3SStoCmljNzhNekZvbk9DL2wrNU4yeUJuckJDR0RTT3p1a3luZmlWMGRPU0krbTd0WU5CSnpLOGhVR1U3amxaaWxzMEkKdmxTNDRNSjFjNThBc1JLMldXcGFUem5mREI5bXg3VDg0NFVWdXdJREFRQUJBb0lCQUFtUmFhMDcxb1RvbXJhNApIK2lZU2ZhaUJ0Yk9kbjkxSzZBMFpkRmlpTFV0MXJ5WENMd0RvWFdHWHVCSzBYVW1mVHpYdmtwd1BmbXBEakhlCkJ3TkRBR2paeTBGb09ZZUE5eGdraW9RRjk4VDZWRTB5bGZGMzAvNzdkaVFSc25WQ3dOZ0RLSnhobEhVTnUzZ1oKL2ZzTUtuTS9DK0VKcExsbnNnd0VuN3NGN0FtSUswd05aMjVoWmcvMmJPeVBHUUdFQkkwRExrS05lK0RySzZPbwphWFFRVlM4d1RIQmdGdStXZkhZSWpTY0E4Q0cycWdlMEs3Yk1TNEJBYXlad2RyMDMyNXlkWUV5MytEUmxVNlhZCkpyZjUrKzFIMEFNanZ3L3JzZGpvbnkrZGc4N0R1UFRDTHJwSit3RGg3a05Xckx1NFhFNEpYU0YyWUREeWlrVDUKWTVkQ3lDRUNnWUVBM0tPVEVEV0V1ZlgxdTl3bm5ZL2k2ZGpySGowQmg4VmlLV2Q2WXExSXFUdTJkZkIvRHhYUQpQMkhzbVBWRE1aeDZkWWcxVmR5aXZCZ055UTNRcTdNMlhIMnlWakc4TmJ3N3F2QlF0Zk83Mk9JeGJzeXZkSUtoClhwaEE1Q0ZVVkMvQ3NCZVB4VjdOLzFqVmZhdEx1YlVYSEFiQ1JxcFZBeHN6MGY3Um00aUU2QU1DZ1lFQXdjN2oKd3kwaWovS3cxM1N5S29CRHVzdTNPUGllTVNhaDR0cGhrZ2JXOFF6YSs1Y21YSmZHT1RSSENOVisycjQxKzlxagovQmlsVjZueFZrS1RWcjdERWUzdkIyRHhYcHlpTTJZR2l4ck1vY0s1MVYvUm1SUUJQcUlOOFZZR2NQYzZIQWRHCjJHbTFBaXExaEN6cVk5OGhZV3dNR3hiUHZoNUpteGQ0ak5HaCtla0NnWUFOdnZjamxHSC9mKzVlVk5uMi9BYmsKRU1xZEtLbld2cHBkLy85azlHekpkbG5vd1NINVc1K013MW9OTVlLTkxiV0hhd1AvcEc1VEQ2Q1VQUk1hRDJFOApvK3dmYUp2VU1UVDZjbHhrNlpsemFxd3Z2ZnJVWkdzUFRLY0dUM2xFZ1hFOHJVc2N2Y3BSdFVRZnZ6TkpqNW12CitrL1NQVHhzcEI0M1lBdkpCOWxYNXdLQmdBN0NjY2dJWk94dmdCWTRkZVVVdFpQQk5lZnB6eXBSRmQwUDRvUmIKYnYwV2pJckNmUkpxSUpkMHFzQTZlaG13aUszd2ZiS1NNZTFXTE9IejJnS3VMbTdzSHRzQi8vL0RqL3E0RjJGNgpuZ0Ruc24xVWVjTGRxaWFaOHRQaFNFWk1IYW5LeUJOdElYTFR5OVVRRXAyZWZZMU16RE0zN29ROURELzZicHpTCnpqSVpBb0dCQUtic0p6Z1JqbmJadFFCWVNlY2tqT2tLR09tY1I5OW5tT0l2Qkxyc1U2RDdBYkFUTzRjcC9zaHQKc1ZDNEpoQTBZYkMvL2MxM2JVbkpXaVdhWjcwbmVDa212bFVoQnB0U3h2Vmh0ek0rM2o5TThDWGRoZTAvbEVpdAprT0Vma29TUHBHVjBSQmlrU2tVUllWcWs3OEtSczA1Sk9GSGRCU3ZXNENSLy81NWcrZWlkCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
21 | 


--------------------------------------------------------------------------------
/conf/apiserver:
--------------------------------------------------------------------------------
 1 | ###
 2 | ## kubernetes system config
 3 | ##
 4 | ## The following values are used to configure the kube-apiserver
 5 | ##
 6 | #
 7 | ## The address on the local server to listen to.
 8 | KUBE_API_ADDRESS="--advertise-address=172.17.8.101 --bind-address=172.17.8.101 --insecure-bind-address=172.17.8.101"
 9 | #
10 | ## The port on the local server to listen on.
11 | #KUBE_API_PORT="--port=8080"
12 | #
13 | ## Port minions listen on
14 | #KUBELET_PORT="--kubelet-port=10250"
15 | #
16 | ## Comma separated list of nodes in the etcd cluster
17 | KUBE_ETCD_SERVERS="--etcd-servers=http://172.17.8.101:2379"
18 | #
19 | ## Address range to use for services
20 | KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
21 | #
22 | ## default admission control policies
23 | KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
24 | #
25 | ## Add your own!
26 | KUBE_API_ARGS="--authorization-mode=Node,RBAC --runtime-config=rbac.authorization.k8s.io/v1beta1 --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-32767 --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --enable-swagger-ui=true --apiserver-count=3 --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/lib/audit.log --event-ttl=1h --allow-privileged=true"
27 | 


--------------------------------------------------------------------------------
/conf/bootstrap.kubeconfig:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXBPZ0F3SUJBZ0lVTWVuVHNleWtMcGQreWdPZGhzZkZCa3R0UTlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UTTBNREJhRncweU16QXhNRGt3T1RNME1EQmEKTUd3eEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwTGRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WCkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkKM09HOE91d0h2ZVIvY3RSZE1naUJRMGc2cXozYmFnNTlDRG1yMURaU2R3bm9TTzZVR0QyanpjQllWVFJOTFFwWQpuc2FBY1pLa3FONmJDdHRiVGdCVkd4ZGltNGQzdXdveS9kcnpTeU9zclVnWUVsZGQwV0p2Nk5xZVUrUGVOd01pCmg1WGxTcFlYbTF1eTBDejFSdFlLbUZxZUFoMTN2c1hwMGptcEQ0NCtQMStIN0dvaWlXSTNMakVCOFNlcVM2LzIKUzVvNXlWdC92VzlUTlRzZ1FRL2o1Q2tNYnRkMGdDVzdGdk14ckpabXZFNi9Ocm9vU3o0WDZVb3M1TkxZVFYwdwpyVDhJbDZ2N3l4d2xHcEZ3dE0wSy9yMGRQN1U0eGRjUVFjQzlkOFRqaE5SMWczNEVaeXBNZ2FybFBVWDYzK1AxCjhWMXExanBScXdGZG9uS1lNSWExQWdNQkFBR2pSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUIKQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUklROENvNnl4NEh1RXZ3anZlR0NQZXBDUGVpekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQXZxaGFvUjUzdEZSMmlDdllaWFc0Zmc5Zlh2Y25mUEFxY3pwTEtIbVNjUDdZCjdZWWxJOVF2Vkg1YXVZanU0WjRjVWVsMFErcytUZXp6dGFkRDYvMHJ2K1pVRlB5a0NxQld4NDh1NjRmZ2JlNnIKN25USnJjRXY3Sm54eENSN04vem5YQ25rYStDOE5vMEE2UzJCU1ZHS29rSkZzNmNmMy85OEZLazQyU0ZqM2NsNwpLMytobUtJU0hQMGxWQ2ZwNWVhTHVTcEYzakwvYUdmVk4wb1dLaWJFYWN2QWFhUE5DR29zMkRFV0NsNjNMY2wxCnhoTktsWjlBdDgvN2M0ejRSemJwUDJVaE9FYkRGQlYyRXhhLy9ya0NEdnhDUWtudmtva004TnN0Q1loc2MyWVkKNjNIang0K3hNZjZJNUhlUVBUS2Y3dy9LZVZwbFdLdkVBQVV4MFhYUTVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 5 |     server: https://172.17.8.101:6443
 6 |   name: kubernetes
 7 | contexts:
 8 | - context:
 9 |     cluster: kubernetes
10 |     user: kubelet-bootstrap
11 |   name: default
12 | current-context: default
13 | kind: Config
14 | preferences: {}
15 | users:
16 | - name: kubelet-bootstrap
17 |   user:
18 |     as-user-extra: {}
19 |     token: 9c64d78dbd5afd42316e32d922e2da47
20 | 


--------------------------------------------------------------------------------
/conf/config:
--------------------------------------------------------------------------------
 1 | ###
 2 | # kubernetes system config
 3 | #
 4 | # The following values are used to configure various aspects of all
 5 | # kubernetes services, including
 6 | #
 7 | #   kube-apiserver.service
 8 | #   kube-controller-manager.service
 9 | #   kube-scheduler.service
10 | #   kubelet.service
11 | #   kube-proxy.service
12 | # logging to stderr means we get it in the systemd journal
13 | KUBE_LOGTOSTDERR="--logtostderr=true"
14 | 
15 | # journal message level, 0 is debug
16 | KUBE_LOG_LEVEL="--v=0"
17 | 
18 | # Should this cluster be allowed to run privileged docker containers
19 | # This flog is not compatible with Kubernetes v1.15
20 | #KUBE_ALLOW_PRIV="--allow-privileged=true"
21 | 
22 | # How the controller-manager, scheduler, and proxy find the apiserver
23 | KUBE_MASTER="--master=http://172.17.8.101:8080"
24 | 


--------------------------------------------------------------------------------
/conf/controller-manager:
--------------------------------------------------------------------------------
1 | ###
2 | # The following values are used to configure the kubernetes controller-manager
3 | 
4 | # defaults from config and apiserver should be adequate
5 | 
6 | # Add your own!
7 | KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --service-cluster-ip-range=10.254.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem --root-ca-file=/etc/kubernetes/ssl/ca.pem --leader-elect=true"


--------------------------------------------------------------------------------
/conf/kube-proxy.kubeconfig:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXBPZ0F3SUJBZ0lVTWVuVHNleWtMcGQreWdPZGhzZkZCa3R0UTlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UTTBNREJhRncweU16QXhNRGt3T1RNME1EQmEKTUd3eEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwTGRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WCkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkKM09HOE91d0h2ZVIvY3RSZE1naUJRMGc2cXozYmFnNTlDRG1yMURaU2R3bm9TTzZVR0QyanpjQllWVFJOTFFwWQpuc2FBY1pLa3FONmJDdHRiVGdCVkd4ZGltNGQzdXdveS9kcnpTeU9zclVnWUVsZGQwV0p2Nk5xZVUrUGVOd01pCmg1WGxTcFlYbTF1eTBDejFSdFlLbUZxZUFoMTN2c1hwMGptcEQ0NCtQMStIN0dvaWlXSTNMakVCOFNlcVM2LzIKUzVvNXlWdC92VzlUTlRzZ1FRL2o1Q2tNYnRkMGdDVzdGdk14ckpabXZFNi9Ocm9vU3o0WDZVb3M1TkxZVFYwdwpyVDhJbDZ2N3l4d2xHcEZ3dE0wSy9yMGRQN1U0eGRjUVFjQzlkOFRqaE5SMWczNEVaeXBNZ2FybFBVWDYzK1AxCjhWMXExanBScXdGZG9uS1lNSWExQWdNQkFBR2pSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUIKQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUklROENvNnl4NEh1RXZ3anZlR0NQZXBDUGVpekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQXZxaGFvUjUzdEZSMmlDdllaWFc0Zmc5Zlh2Y25mUEFxY3pwTEtIbVNjUDdZCjdZWWxJOVF2Vkg1YXVZanU0WjRjVWVsMFErcytUZXp6dGFkRDYvMHJ2K1pVRlB5a0NxQld4NDh1NjRmZ2JlNnIKN25USnJjRXY3Sm54eENSN04vem5YQ25rYStDOE5vMEE2UzJCU1ZHS29rSkZzNmNmMy85OEZLazQyU0ZqM2NsNwpLMytobUtJU0hQMGxWQ2ZwNWVhTHVTcEYzakwvYUdmVk4wb1dLaWJFYWN2QWFhUE5DR29zMkRFV0NsNjNMY2wxCnhoTktsWjlBdDgvN2M0ejRSemJwUDJVaE9FYkRGQlYyRXhhLy9ya0NEdnhDUWtudmtva004TnN0Q1loc2MyWVkKNjNIang0K3hNZjZJNUhlUVBUS2Y3dy9LZVZwbFdLdkVBQVV4MFhYUTVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 5 |     server: https://172.17.8.101:6443
 6 |   name: kubernetes
 7 | contexts:
 8 | - context:
 9 |     cluster: kubernetes
10 |     user: kube-proxy
11 |   name: default
12 | current-context: default
13 | kind: Config
14 | preferences: {}
15 | users:
16 | - name: kube-proxy
17 |   user:
18 |     as-user-extra: {}
19 |     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ3RENDQXRTZ0F3SUJBZ0lVREZGNzY0cVRUeGJsbWpEWEdqZGp0M0RYWnFvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UVXhNREJhRncweU9EQXhNRGd3T1RVeE1EQmEKTUhNeEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwcmRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEdqQVlCZ05WCkJBTVRFWE41YzNSbGJUcHJkV0psTFhCeWIzaDVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUIKQ2dLQ0FRRUFwMXpVd1Q3VzNucnlIZEJoS0lvMkYxTXpwWGxYMndXbUZQTlViMUMvQytqMTZxT0pjZlpZLzRxbApqdHl1TjBrWjZWUmN3U3hXZk5rZm04ejd3emJvNW1jd1lEUUgzR0JWdG43aXY5dFhjSG16OHJkVGhKOGdHWERzClVsQVRCc1Y5YWExa21jbHhZbjBCMEh5T1oycnNEdC80TW8vYm1hUWIzT2JyR1pqbUNyVnVnY0xjeGFpSk9ycWEKRDZRT1I4S1FxQ2ZNbThRbzRmeDdjVFY0NlZ0aHVTbklUc001RmRmdUxkU1JQbWxCcE5aeElHU2kwZ0JhK0xOUgpacmlRYnBRSHY5b1NhOTRaVlY4RnVudVdrZUEzOThvWDloZTlwR1dVL0hDeEZNRHlONnRybTlNSlNTeEtQSExaCkF4dllsOHFGL2JRS2FLK3hreFdNSmloN2xUOFprd0lEQVFBQm8zOHdmVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SFFZRApWUjBPQkJZRUZBUG9sQUVPVElBWllzbHdrTzFXTTBYNjgvWE5NQjhHQTFVZEl3UVlNQmFBRkVoRHdLanJMSGdlCjRTL0NPOTRZSTk2a0k5NkxNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUI4cUlCdFF0UWdMT3MyVW5LRHNIMlMKUCtYaW5STlFLSGRFdllhd2w3L0FwZ0RkcHVFV09KZmFENnVZQ3NvSFNaMDQwQzg5ckJWOVJ2MXlzT0lsbXVCRApVOTFrZU5hTkkwQlM5dm95VWZlbzJ0VVF6bk85NGpmVWphY1pCSkdIY0g2TTVtZ2ZKTG9JR3NYR0grazc3QkduCnZWQmVMUENUMGtPa3pla0JhZlEwYzA2WElTdGFtKzhpcFJaUDZaZ3E0eXZOc3JPSm9QcTBxSlcvd0FtMjdQM1IKNWdpMUVWM09iL1M3N3IvSGZjTW81RTdiRUR3eWhSVHZtVDFSWmJkNURMeXZwODRvNS9KMXRzVExvL25pZ0VnbgpTdmhSNWVleDIwNXBwZWlWYXEyUCtXTlFweFg3VXlMS3VaSFhqVFNXNzQvc05tcU5Na08wcHdEYTZoQU1XR2ZRCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
20 |     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcDF6VXdUN1czbnJ5SGRCaEtJbzJGMU16cFhsWDJ3V21GUE5VYjFDL0MrajE2cU9KCmNmWlkvNHFsanR5dU4wa1o2VlJjd1N4V2ZOa2ZtOHo3d3pibzVtY3dZRFFIM0dCVnRuN2l2OXRYY0htejhyZFQKaEo4Z0dYRHNVbEFUQnNWOWFhMWttY2x4WW4wQjBIeU9aMnJzRHQvNE1vL2JtYVFiM09ickdaam1DclZ1Z2NMYwp4YWlKT3JxYUQ2UU9SOEtRcUNmTW04UW80Zng3Y1RWNDZWdGh1U25JVHNNNUZkZnVMZFNSUG1sQnBOWnhJR1NpCjBnQmErTE5SWnJpUWJwUUh2OW9TYTk0WlZWOEZ1bnVXa2VBMzk4b1g5aGU5cEdXVS9IQ3hGTUR5TjZ0cm05TUoKU1N4S1BITFpBeHZZbDhxRi9iUUthSyt4a3hXTUppaDdsVDhaa3dJREFRQUJBb0lCQUZOVWhsNDlvcENkMktWOQpscEt2MW1UZ3VXdGZzcDNML3ppWk8yWTlaeEpRQ1BtdU9ZWXpxWFo3R3htNXlVaWZyalllR2h6WXJhdDJGQ1huCjkwYm90U2ZiSXh3VGJBS1BPTDRvQ1ZDTHJzckMzaFV3c0hYdElQZHA0VkRPcTlxSVJIeDBxQTFtWG4weVRzLzIKNUpTYmlUT1MwcXFpTkM0WXB3TGpPeFhBcW5HVHZDQmd6OEhWMFJwSEgvaGtBVXJkTWlnNTJLeXNQTGtMSlBzUwozLzlpMGpGTnloU0RQVHFZajg3dVkwOS9ROEtLaHRiUm1tUXgzU1hZTUF6SVQyVllxc0hldXBaZzlRSjlRbkhzCngyQXVpdVVFNURTN25IN2pndFhGQlNzMy9qWml2TWtnQzI0SHk5Yi9OdlU4S0lZQlh0WEwvT1pEUXMyNnJ2VloKZUxMT1NKa0NnWUVBdzVZU1lnZDZjcmRKM1gyQnE3V2dveGMwQWpvbXc5aEVnamVzL2lUbEZpb1NFRXlNbGFFbwo5UFJwUzY5MU53YUxBZzRvcmNCdnZLQm9vRTVldERxaXFNQTc3OUF4ZEVlckVJSXJxQlJDUGRXZ29zVTVKdkNsClkxV2QyMTJabmhEc3ptTU4wbjFTS2h0aldjb0o1SU5WN2Q5Q3pya1R1MW1ETTBMdSsweUswMzhDZ1lFQTJ3NzgKWWJZWVNVMmNxeGhtSTdrZ3NESnNtK1RTQUkyYlpwZ29DMmpBZjlMSU5DSjJoRmUyWWxqeW4vSHMwbUI4dFF4dwozMGluRWJCVVA0amRrTS93Tll3dG0wQ1dFQnRrRWRpVkJkYXZlTFNDaGhHdmsrM0lTdDlCaGsrd1E5cUxKODFlCm1kdTZxcmZPdS84M3pSSmdsUVRLSVhFRXBpUGdKc21KSlc3cE0rMENnWUFtUUNaT042b3gzemk1OFg2M3B5akkKWEpSV1R5c2ZxQjhWM0crZnNIV0JGUzg5TXN0WHhCSHZmaEZOdFAzV2loZ0xpZHRZeDhiU2ZBaWFPVmw2SS9HRgowVHFubHU3bEQ5TWJ3bWxwVUxUM3hOekttSW1wM094cmRlWU9iY3JLU0FNWUJmVkJFak5NZXRpK1NhNFBtOFBsClpvRjVUbWJXZ0JZUm8yaDdpeWVuWHdLQmdRQ3FHY2JzOFFPRzJGZVJuRTZqNnJ0eFZwWnpyNGxLbUt0VlRVMjcKSGtwc2QzYXkxUmdHeUQxOXZPZ2FQemZRWE5BNW5rRi9nT0VLb1V1cVVsTUtnZzFhNTFENnYzcEhZNTJmSmZrQwpJYVQ4Szk4MjBFRHdzN0hXUWVxVnF3ZUtpUWVKanJXbzc3RFJwQTFLZW5JUU1mY0JnRWlkRXkreSt5U3h1Y2xmCllmS0FPUUtCZ1FDU05EK1g5SjVOaVBGOTRyWG1CaE9KTVNkelB6eUV2Y1NwTjJ6ZkY5WFEzcUtJVWlaQUdtdmUKelVSUzNlTUt6TmJhaUt5cXZvMEE0c3hlb2czcldPNEN1a0pmRW01NWViNXl3VlRSOXZYeWt3YmdMR08xOHU3TwpYOEJKNzB5QmJYUHN6c2NpWDR5ak9hbWF4eGFDVkxCU2ZDWkhiaGZNVDVnR0FJZTNTV2duQVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
21 | 


--------------------------------------------------------------------------------
/conf/kubelet.kubeconfig:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXBPZ0F3SUJBZ0lVTWVuVHNleWtMcGQreWdPZGhzZkZCa3R0UTlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UTTBNREJhRncweU16QXhNRGt3T1RNME1EQmEKTUd3eEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwTGRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WCkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkKM09HOE91d0h2ZVIvY3RSZE1naUJRMGc2cXozYmFnNTlDRG1yMURaU2R3bm9TTzZVR0QyanpjQllWVFJOTFFwWQpuc2FBY1pLa3FONmJDdHRiVGdCVkd4ZGltNGQzdXdveS9kcnpTeU9zclVnWUVsZGQwV0p2Nk5xZVUrUGVOd01pCmg1WGxTcFlYbTF1eTBDejFSdFlLbUZxZUFoMTN2c1hwMGptcEQ0NCtQMStIN0dvaWlXSTNMakVCOFNlcVM2LzIKUzVvNXlWdC92VzlUTlRzZ1FRL2o1Q2tNYnRkMGdDVzdGdk14ckpabXZFNi9Ocm9vU3o0WDZVb3M1TkxZVFYwdwpyVDhJbDZ2N3l4d2xHcEZ3dE0wSy9yMGRQN1U0eGRjUVFjQzlkOFRqaE5SMWczNEVaeXBNZ2FybFBVWDYzK1AxCjhWMXExanBScXdGZG9uS1lNSWExQWdNQkFBR2pSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUIKQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUklROENvNnl4NEh1RXZ3anZlR0NQZXBDUGVpekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQXZxaGFvUjUzdEZSMmlDdllaWFc0Zmc5Zlh2Y25mUEFxY3pwTEtIbVNjUDdZCjdZWWxJOVF2Vkg1YXVZanU0WjRjVWVsMFErcytUZXp6dGFkRDYvMHJ2K1pVRlB5a0NxQld4NDh1NjRmZ2JlNnIKN25USnJjRXY3Sm54eENSN04vem5YQ25rYStDOE5vMEE2UzJCU1ZHS29rSkZzNmNmMy85OEZLazQyU0ZqM2NsNwpLMytobUtJU0hQMGxWQ2ZwNWVhTHVTcEYzakwvYUdmVk4wb1dLaWJFYWN2QWFhUE5DR29zMkRFV0NsNjNMY2wxCnhoTktsWjlBdDgvN2M0ejRSemJwUDJVaE9FYkRGQlYyRXhhLy9ya0NEdnhDUWtudmtva004TnN0Q1loc2MyWVkKNjNIang0K3hNZjZJNUhlUVBUS2Y3dy9LZVZwbFdLdkVBQVV4MFhYUTVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 5 |     server: https://172.17.8.101:6443
 6 |   name: kubernetes
 7 | contexts:
 8 | - context:
 9 |     cluster: kubernetes
10 |     user: admin
11 |   name: kubernetes
12 | current-context: kubernetes
13 | kind: Config
14 | preferences: {}
15 | users:
16 | - name: admin
17 |   user:
18 |     as-user-extra: {}
19 |     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1RENDQXN5Z0F3SUJBZ0lVY3pFMWdybEpuMGVJUGM1eFlkRkd2VEFXYjZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UVXdNREJhRncweU9EQXhNRGd3T1RVd01EQmEKTUdzeEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJjd0ZRWURWUVFLRXc1emVYTjBaVzA2YldGemRHVnljekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUTR3CkRBWURWUVFERXdWaFpHMXBiakNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLY0oKb2N6U1N4QnhjdTNIL01hWUhFdU81Z0c1dG50Rm9iYWYvQWVwWm1oZnZSQVVBTURnbUVtalNKcUJzQk1YTmwrSgoxRHRkZERJZjU2WkZuaWxUbFZXcVd3MTNpaVJ6QkFmaXVMVW44by9sV3ZBOVVPRzAwRkhMdENMbmZITjNlNTZlCmhuSnhRbFBrTm1oTXlyNUZZeDBuRldzckZSTkNZaTRDS2tHVU1JUlJEWjVLMzZWRWNBM0lEUXA1M3dTZ3R2MUUKbDdQbXoxRW1sNURVelplOWZSQlhVUjJTalZnSWZwK0xpL0NMS1ZBYThjQ1BvWW5PL0RNeGFKemd2NWZ1VGRzZwpaNndRaGcwanM3cE1wMzRsZEhUa2lQcHU3V0RRU2N5dklWQmxPNDVXWXBiTkNMNVV1T0RDZFhPZkFMRVN0bGxxCldrODUzd3dmWnNlMC9PT0ZGYnNDQXdFQUFhTi9NSDB3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVcKTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJRbApLMkhmRmI1akk0VHhXMFcrVDRxNm83TkxwekFmQmdOVkhTTUVHREFXZ0JSSVE4Q282eXg0SHVFdndqdmVHQ1BlCnBDUGVpekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBVzJWODJzbFQvcmdSRVJOTHNGNDZtNktMYU9NMitSQ1YKU2NGbXVDSWNMMXhWaWNxcFlyMzlkeEVYeGVVZ056SE1oWnhsaUorOTMrL2RCWkJrcHZTZUYvUjNMS213c0NlMwpnT2ZTOGFNUU9yWFQ2aGJuNVYwUURMZFNTemdLQUZuS3AwT3JCNEt1dWVGby9kQXF2dGlKQW51dCs5cTVCYXdVCkE5cUk2aENCM1o2cEFMbEdVc3BaZi9aLzl1U3h3R08zd1htOG5mMUVnWEVxRmNkWlhrNisyZ1F2Q21NV0hPNS8KSVQxeWlpZ3FOR2VDZUdOa0d0ZjFBMWJKMldTV3p2anJOYVNtN3gwcUVQWms2SkhxNkxDRzJtQnU4b3N6QXRQbAo3ZGhJbVdoV2xza21PM25laE1wbVBHUnhqaHJjVlRZd0lQVld2MXNnb3hKTlR2RkhERFVCcmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
20 |     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcHdtaHpOSkxFSEZ5N2NmOHhwZ2NTNDdtQWJtMmUwV2h0cC84QjZsbWFGKzlFQlFBCndPQ1lTYU5JbW9Hd0V4YzJYNG5VTzExME1oL25wa1dlS1ZPVlZhcGJEWGVLSkhNRUIrSzR0U2Z5aitWYThEMVEKNGJUUVVjdTBJdWQ4YzNkN25wNkdjbkZDVStRMmFFekt2a1ZqSFNjVmF5c1ZFMEppTGdJcVFaUXdoRkVObmtyZgpwVVJ3RGNnTkNubmZCS0MyL1VTWHMrYlBVU2FYa05UTmw3MTlFRmRSSFpLTldBaCtuNHVMOElzcFVCcnh3SStoCmljNzhNekZvbk9DL2wrNU4yeUJuckJDR0RTT3p1a3luZmlWMGRPU0krbTd0WU5CSnpLOGhVR1U3amxaaWxzMEkKdmxTNDRNSjFjNThBc1JLMldXcGFUem5mREI5bXg3VDg0NFVWdXdJREFRQUJBb0lCQUFtUmFhMDcxb1RvbXJhNApIK2lZU2ZhaUJ0Yk9kbjkxSzZBMFpkRmlpTFV0MXJ5WENMd0RvWFdHWHVCSzBYVW1mVHpYdmtwd1BmbXBEakhlCkJ3TkRBR2paeTBGb09ZZUE5eGdraW9RRjk4VDZWRTB5bGZGMzAvNzdkaVFSc25WQ3dOZ0RLSnhobEhVTnUzZ1oKL2ZzTUtuTS9DK0VKcExsbnNnd0VuN3NGN0FtSUswd05aMjVoWmcvMmJPeVBHUUdFQkkwRExrS05lK0RySzZPbwphWFFRVlM4d1RIQmdGdStXZkhZSWpTY0E4Q0cycWdlMEs3Yk1TNEJBYXlad2RyMDMyNXlkWUV5MytEUmxVNlhZCkpyZjUrKzFIMEFNanZ3L3JzZGpvbnkrZGc4N0R1UFRDTHJwSit3RGg3a05Xckx1NFhFNEpYU0YyWUREeWlrVDUKWTVkQ3lDRUNnWUVBM0tPVEVEV0V1ZlgxdTl3bm5ZL2k2ZGpySGowQmg4VmlLV2Q2WXExSXFUdTJkZkIvRHhYUQpQMkhzbVBWRE1aeDZkWWcxVmR5aXZCZ055UTNRcTdNMlhIMnlWakc4TmJ3N3F2QlF0Zk83Mk9JeGJzeXZkSUtoClhwaEE1Q0ZVVkMvQ3NCZVB4VjdOLzFqVmZhdEx1YlVYSEFiQ1JxcFZBeHN6MGY3Um00aUU2QU1DZ1lFQXdjN2oKd3kwaWovS3cxM1N5S29CRHVzdTNPUGllTVNhaDR0cGhrZ2JXOFF6YSs1Y21YSmZHT1RSSENOVisycjQxKzlxagovQmlsVjZueFZrS1RWcjdERWUzdkIyRHhYcHlpTTJZR2l4ck1vY0s1MVYvUm1SUUJQcUlOOFZZR2NQYzZIQWRHCjJHbTFBaXExaEN6cVk5OGhZV3dNR3hiUHZoNUpteGQ0ak5HaCtla0NnWUFOdnZjamxHSC9mKzVlVk5uMi9BYmsKRU1xZEtLbld2cHBkLy85azlHekpkbG5vd1NINVc1K013MW9OTVlLTkxiV0hhd1AvcEc1VEQ2Q1VQUk1hRDJFOApvK3dmYUp2VU1UVDZjbHhrNlpsemFxd3Z2ZnJVWkdzUFRLY0dUM2xFZ1hFOHJVc2N2Y3BSdFVRZnZ6TkpqNW12CitrL1NQVHhzcEI0M1lBdkpCOWxYNXdLQmdBN0NjY2dJWk94dmdCWTRkZVVVdFpQQk5lZnB6eXBSRmQwUDRvUmIKYnYwV2pJckNmUkpxSUpkMHFzQTZlaG13aUszd2ZiS1NNZTFXTE9IejJnS3VMbTdzSHRzQi8vL0RqL3E0RjJGNgpuZ0Ruc24xVWVjTGRxaWFaOHRQaFNFWk1IYW5LeUJOdElYTFR5OVVRRXAyZWZZMU16RE0zN29ROURELzZicHpTCnpqSVpBb0dCQUtic0p6Z1JqbmJadFFCWVNlY2tqT2tLR09tY1I5OW5tT0l2Qkxyc1U2RDdBYkFUTzRjcC9zaHQKc1ZDNEpoQTBZYkMvL2MxM2JVbkpXaVdhWjcwbmVDa212bFVoQnB0U3h2Vmh0ek0rM2o5TThDWGRoZTAvbEVpdAprT0Vma29TUHBHVjBSQmlrU2tVUllWcWs3OEtSczA1Sk9GSGRCU3ZXNENSLy81NWcrZWlkCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
21 | 


--------------------------------------------------------------------------------
/conf/scheduler:
--------------------------------------------------------------------------------
1 | ###
2 | # kubernetes scheduler config
3 | 
4 | # default config should be adequate
5 | 
6 | # Add your own!
7 | KUBE_SCHEDULER_ARGS="--leader-elect=true --address=127.0.0.1"
8 | KUBE_SCHEDULER_CONF="--kubeconfig=/etc/kubernetes/scheduler.conf"


--------------------------------------------------------------------------------
/conf/scheduler.conf:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXBPZ0F3SUJBZ0lVTWVuVHNleWtMcGQreWdPZGhzZkZCa3R0UTlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRBd09UTTBNREJhRncweU16QXhNRGt3T1RNME1EQmEKTUd3eEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlFd2RDWldsS2FXNW5NUkF3RGdZRFZRUUhFd2RDWldsSwphVzVuTVJNd0VRWURWUVFLRXdwTGRXSmxjbTVsZEdWek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WCkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkKM09HOE91d0h2ZVIvY3RSZE1naUJRMGc2cXozYmFnNTlDRG1yMURaU2R3bm9TTzZVR0QyanpjQllWVFJOTFFwWQpuc2FBY1pLa3FONmJDdHRiVGdCVkd4ZGltNGQzdXdveS9kcnpTeU9zclVnWUVsZGQwV0p2Nk5xZVUrUGVOd01pCmg1WGxTcFlYbTF1eTBDejFSdFlLbUZxZUFoMTN2c1hwMGptcEQ0NCtQMStIN0dvaWlXSTNMakVCOFNlcVM2LzIKUzVvNXlWdC92VzlUTlRzZ1FRL2o1Q2tNYnRkMGdDVzdGdk14ckpabXZFNi9Ocm9vU3o0WDZVb3M1TkxZVFYwdwpyVDhJbDZ2N3l4d2xHcEZ3dE0wSy9yMGRQN1U0eGRjUVFjQzlkOFRqaE5SMWczNEVaeXBNZ2FybFBVWDYzK1AxCjhWMXExanBScXdGZG9uS1lNSWExQWdNQkFBR2pSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUIKQWY4RUNEQUdBUUgvQWdFQ01CMEdBMVVkRGdRV0JCUklROENvNnl4NEh1RXZ3anZlR0NQZXBDUGVpekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQXZxaGFvUjUzdEZSMmlDdllaWFc0Zmc5Zlh2Y25mUEFxY3pwTEtIbVNjUDdZCjdZWWxJOVF2Vkg1YXVZanU0WjRjVWVsMFErcytUZXp6dGFkRDYvMHJ2K1pVRlB5a0NxQld4NDh1NjRmZ2JlNnIKN25USnJjRXY3Sm54eENSN04vem5YQ25rYStDOE5vMEE2UzJCU1ZHS29rSkZzNmNmMy85OEZLazQyU0ZqM2NsNwpLMytobUtJU0hQMGxWQ2ZwNWVhTHVTcEYzakwvYUdmVk4wb1dLaWJFYWN2QWFhUE5DR29zMkRFV0NsNjNMY2wxCnhoTktsWjlBdDgvN2M0ejRSemJwUDJVaE9FYkRGQlYyRXhhLy9ya0NEdnhDUWtudmtva004TnN0Q1loc2MyWVkKNjNIang0K3hNZjZJNUhlUVBUS2Y3dy9LZVZwbFdLdkVBQVV4MFhYUTVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 5 |     server: https://172.17.8.101:6443
 6 |   name: kubernetes
 7 | contexts:
 8 | - context:
 9 |     cluster: kubernetes
10 |     user: system:kube-scheduler
11 |   name: system:kube-scheduler@kubernetes
12 | current-context: system:kube-scheduler@kubernetes
13 | kind: Config
14 | preferences: {}
15 | users:
16 | - name: system:kube-scheduler
17 |   user:
18 |     as-user-extra: {}
19 |     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvRENDQXVTZ0F3SUJBZ0lVSThPSWVVTzlOUjVTLzdLVVdnZlNJaDB6TmRVd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JERUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhEekFOQmdOVkJBc1RCbE41YzNSbGJURVRNQkVHCkExVUVBeE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHhPREF4TVRFeE5ESTNNREJhRncweU9EQXhNRGt4TkRJM01EQmEKTUlHQ01Rc3dDUVlEVlFRR0V3SkRUakVRTUE0R0ExVUVDQk1IUW1WcFNtbHVaekVRTUE0R0ExVUVCeE1IUW1WcApTbWx1WnpFZU1Cd0dBMVVFQ2hNVmMzbHpkR1Z0T210MVltVXRjMk5vWldSMWJHVnlNUTh3RFFZRFZRUUxFd1pUCmVYTjBaVzB4SGpBY0JnTlZCQU1URlhONWMzUmxiVHByZFdKbExYTmphR1ZrZFd4bGNqQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKc3dQeHhLQ3FlZjFaRmV6S1Zkam9jZmUrWFVBR1NjL2hILwppSU0ycFZ1cENnRnhZWWR2L0d5SERPZldyWTRmUnZwYzAxbG9jNzQ1aEoyWlpaTWVpTWU3ZmY3QWdORVVOZXByClAwbDZWb04zY0oyeWFmYjVUaWhLL01pcTJBZ2RuaFp4MVU4RDNrZ2NpUDFjdG1uQ1hTZnFmSUVhbEpUTmIyVnQKa1p2YlgxYUtTRlFhZnZUYUFaa25uOGJ0d0lrTEU4a0p2TWIzZnhHRkZRN1AvMFJnYVBzUFRhQy9lTGZEZFdmSgplM2VBNHhLWEZsemdHWkJ3SmJBZElQZFp3bjFsWlVHZnpkYXl2ZTgvRWJOM2MzNDhDN2pXMUtHcHcycUdIUUlBClplcUpIWFh5TTA4cE83NEZzbzlYVVYwTlVIVHdLbUF4ZXgzaFUvNG1SSEo4a1FzWDN3RUNBd0VBQWFOL01IMHcKRGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTQpCZ05WSFJNQkFmOEVBakFBTUIwR0ExVWREZ1FXQkJRNzhwRTAreExPRWZFVXNjNEg1ekJOSHVKMXNUQWZCZ05WCkhTTUVHREFXZ0JSSVE4Q282eXg0SHVFdndqdmVHQ1BlcENQZWl6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUEKU1VmMUpUd0VwclQ1d3lZRmU3SmJuZ1psQ0hjd1NlTDduRjFFN2dweTdxN0s0VUNpZ2hBRjZ3ZWp0Mm1HSzNEYQo0RlpZSDA4a2Z5b1k3MTBkVVMzLzRqZ28yWVJiaUxDVTE4NEVPSmR6TnhNWkhQV0l5YlhnaUtoMGxReWVra01XCjZSQldJYWEvRlZuSk1ldEJCN2tBcjBCWFY4QzVDNjAvRTNLTWV2MVhibklZbFdXWmdoeTExOUZOMk0vWHJYVkEKV0ZDU2YzNFVDTCs1OWlVQklLeTNCeW1EWE93aDNaRkpJUWJ5L0R3M2RJSWNmNnRxUUNGWk5QR1FSL1V3SUw2cgo5YU1xTUJIUWlXTmdLV0x2bVlzTnorVmwzKzVmQlUwVk1YK3pSMDRLNDltNzI3dkxLY0lPNXZheDJYWGtJTkpyCmVCZlZFQ2JNL1c3TFd5dVNnaURaRWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
20 |     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbXpBL0hFb0twNS9Wa1Y3TXBWMk9oeDk3NWRRQVpKeitFZitJZ3phbFc2a0tBWEZoCmgyLzhiSWNNNTlhdGpoOUcrbHpUV1doenZqbUVuWmxsa3g2SXg3dDkvc0NBMFJRMTZtcy9TWHBXZzNkd25iSnAKOXZsT0tFcjh5S3JZQ0IyZUZuSFZUd1BlU0J5SS9WeTJhY0pkSitwOGdScVVsTTF2WlcyUm05dGZWb3BJVkJwKwo5Tm9CbVNlZnh1M0FpUXNUeVFtOHh2ZC9FWVVWRHMvL1JHQm8rdzlOb0w5NHQ4TjFaOGw3ZDREakVwY1dYT0FaCmtIQWxzQjBnOTFuQ2ZXVmxRWi9OMXJLOTd6OFJzM2R6Zmp3THVOYlVvYW5EYW9ZZEFnQmw2b2tkZGZJelR5azcKdmdXeWoxZFJYUTFRZFBBcVlERjdIZUZUL2laRWNueVJDeGZmQVFJREFRQUJBb0lCQUMyWVRFS01nbnJqWEFVYwovRFZ0dW0xNjA1VWY1NG1vRW9ISk9SdU1GNk5Kay9YK2tQQVE5L0lPNzd6Qjl6WDFmSTRjYmNBc0R5MkppcXdmCklKZkw5ZFh4QVVDeTRHWU5jUlhSc3NOczNUUTlDR3BjdkFOakZoS0NqYWlMZ1hOSStHU1J4MkV5dXNFbkdSeVAKZTh5dzNWdlg2Z0tvZzVVQWtzVVRIeC9Tb1QwMGFIN25JdHZIVTZ2ZS9wU0pkbWR0cGZUNW8rUVBwbDhlc3VmTQpMUG8wMjI2aEcwY09iZmg5YnA3RnZVek0zdkN2Wlo1MjlJOUU4dkpwL0lJWFpVS0NmeTFGOCtyMVp6cWd4bGpHCnV1aG53QVNPM0pTMWhTczUxUmhxbkpocVBQSkJJRDZDcExGcjZ1a2Z4cFVPK21ZYWtJRGIwN3pTRDB5TktLY2YKSlFSZ1VBRUNnWUVBd0V0VzlnZEVpRUt2UG9Lb3oyUFJCd1NOWFpTcUR1bFNxZEp1dDNpc1ZpeU9uNTJ6SVZvUgpqZDd3dU02bkQrWDFNaUQvbm9vR3p2VXozc0FLTHNNbUt1WlcrMFVjZzdoTjdzbWhqenFzTXlhOW11UlVVSzVtCjBtaXRlenBTV0VraFJmT1NOM1FHOGU0bnFpNFc1eFJmbzFPYUdrQURLeld4b2UwdmIwbUhzVUVDZ1lFQXpwbnQKSEw3cVE5eVZkc1YxYXMvS2NjYktrQ0NCbWxpTkF5clhyWGtDV082LzhKUThlRDhIM3JyNmN4ZjRaT1ZySnFVLwpWQnRicDdUbkVPUEFZZkFtTHhKc3ZtYW05ckFJOWppRUNYbTdOWjY3Q2tnQWV0a3NIZmFscW8wOGdrc2RjcS8yCmlsZ2JSNWJSN090U2VhTGVVc0RiY1M5RGxsQi84a1p4cmJ3ZS9jRUNnWUVBdXZPRVpFWEVsMFZkNDBSY291VEUKZ0RJb3ptYU92MWlRaVpLUkdjYzBwY05FRm1MWG1RRmNON1ljQzFDK2szSmE1Slc0YjRaNkFCUGNqaC9leG4vcwpSNkVSeDlEMVhBcC9tanhsMmo2TTFGNUIwS2xVWCt4dkF2bktVQmZ2bnUzYWI0dlRDQjdCOGN3OHUvTjdTTVpDCkJTUnVtajdKMWVTcUFtZjZ5aE9PM1FFQ2dZQUdSZnBETXpEZDJxYlhNbXU4VUk3dklZQXBIRE9UUWprVjdZa2IKQlYraTM2MElXeGZ5OXNjQVptRVFlWnZiUkhRYWVrNFArYnl3dlBkL05jc3pyaDBhdE02RWdZMTBWQ2dSZ2VuUQpkOWZOYXdKMjczVEVSaS9td1FTS3h6c2RJYmJGTXI2anVNVXJTVk1haEpLK2lzbUJiY1c4REJsYlNScDVldFljCjFtZUNnUUtCZ0NySC85ZnVLenJYVzNHNVhaS0dyRzYrT2JoMUJiRHB5NU16N2QwNEtXbE1PSnZyUjVSdTdyVEkKdEM0M0YxUDMvT3FjSnBXa2liV1pzNkFIZ29MYU0rd2Z3NUUrbmF4c0RCcTVrWVdGWVRFbWhobkFWVXdqZU1JcwpiTGVQekRQRGRpZjRMUEFuNys0RXV2c0Z6SnA2cXJMTWtiSDJFZ01rdVJ1T2ljb0grMUJpCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
21 | 


--------------------------------------------------------------------------------
/conf/token.csv:
--------------------------------------------------------------------------------
1 | 9c64d78dbd5afd42316e32d922e2da47,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
2 | 


--------------------------------------------------------------------------------
/hack/deploy-base-services.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Deploy the basement service to kubernetes
 3 | # Include coredns, dashboard and traefik ingress
 4 | echo "deploy coredns"
 5 | cd ../addon/dns
 6 | ./dns-deploy.sh -r 10.254.0.0/16 -i 10.254.0.2 |kubectl apply -f -
 7 | cd ../..
 8 | echo "deploy kubernetes dashboard"
 9 | kubectl apply -f addon/dashboard/kubernetes-dashboard.yaml
10 | echo "create admin role token"
11 | kubectl apply -f yaml/admin-role.yaml
12 | echo "the admin role token is:"
13 | kubectl -n kube-system describe secret `kubectl -n kube-system get secret|grep admin-token|cut -d " " -f1`|grep "token:"|tr -s " "|cut -d " " -f2
14 | echo "login to dashboard with the above token"
15 | echo https://172.17.8.101:`kubectl -n kube-system get svc kubernetes-dashboard -o=jsonpath='{.spec.ports[0].port}'`
16 | echo "install traefik ingress controller"
17 | kubectl apply -f addon/traefik-ingress/
18 | 


--------------------------------------------------------------------------------
/hack/deploy-helm.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Install helm CLI
 3 | if command -v helm>/dev/null 2>&1; then
 4 |   echo 'Helm has been installed already'
 5 | else
 6 |   echo 'Install helm on your local machine...'
 7 |   curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > get_helm.sh
 8 |   chmod 700 get_helm.sh
 9 |   ./get_helm.sh
10 | fi
11 | kubectl create serviceaccount --namespace kube-system tiller
12 | kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
13 | helm init -i jimmysong/kubernetes-helm-tiller:v2.8.2
14 | kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
15 | 


--------------------------------------------------------------------------------
/hack/get-dashboard-token.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Get the dashboard token for admin user
3 | echo "Login to kubernetes dashboard at https://172.17.8.101:8443 with the following token"
4 | kubectl -n kube-system describe secret `kubectl -n kube-system get secret|grep admin-token|cut -d " " -f1`|grep "token:"|tr -s " "|cut -d " " -f2
5 | 


--------------------------------------------------------------------------------
/hack/k8s-init.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # start the following service in node1
 3 | if [ `hostname` == "node1" ];then
 4 |     echo "Create network config in etcd..."
 5 |     etcdctl mkdir /kube-centos/network
 6 |     etcdctl mk /kube-centos/network/config '{"Network":"172.33.0.0/16","SubnetLen":24,"Backend":{"Type":"host-gw"}}'
 7 | fi
 8 | # Start the following services in all nodes
 9 | services=(flanneld docker kubelet)
10 | for svc in ${services[@]}
11 | do
12 |     echo "Start $svc"
13 |     sudo systemctl start $svc
14 | done
15 | 


--------------------------------------------------------------------------------
/images/bookinfo-demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/bookinfo-demo.gif


--------------------------------------------------------------------------------
/images/dashboard-animation.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/dashboard-animation.gif


--------------------------------------------------------------------------------
/images/grafana-animation.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/grafana-animation.gif


--------------------------------------------------------------------------------
/images/kiali.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/kiali.gif


--------------------------------------------------------------------------------
/images/traefik-ingress.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/traefik-ingress.gif


--------------------------------------------------------------------------------
/images/vistio-animation.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/vistio-animation.gif


--------------------------------------------------------------------------------
/images/weave-scope-animation.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/images/weave-scope-animation.gif


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # change time zone
  3 | cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  4 | timedatectl set-timezone Asia/Shanghai
  5 | rm /etc/yum.repos.d/CentOS-Base.repo
  6 | cp /vagrant/yum/*.* /etc/yum.repos.d/
  7 | mv /etc/yum.repos.d/CentOS7-Base-163.repo /etc/yum.repos.d/CentOS-Base.repo
  8 | # using socat to port forward in helm tiller
  9 | # install  kmod and ceph-common for rook
 10 | yum install -y wget curl conntrack-tools vim net-tools telnet tcpdump bind-utils socat ntp kmod ceph-common dos2unix
 11 | kubernetes_release="/vagrant/kubernetes-server-linux-amd64.tar.gz"
 12 | # Download Kubernetes
 13 | if [[ $(hostname) == "node1" ]] && [[ ! -f "$kubernetes_release" ]]; then
 14 |     wget https://storage.googleapis.com/kubernetes-release/release/v1.16.14/kubernetes-server-linux-amd64.tar.gz -P /vagrant/
 15 | fi
 16 | 
 17 | # enable ntp to sync time
 18 | echo 'sync time'
 19 | systemctl start ntpd
 20 | systemctl enable ntpd
 21 | echo 'disable selinux'
 22 | setenforce 0
 23 | sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
 24 | 
 25 | echo 'enable iptable kernel parameter'
 26 | cat >> /etc/sysctl.conf <<EOF
 27 | net.ipv4.ip_forward=1
 28 | EOF
 29 | sysctl -p
 30 | 
 31 | echo 'set host name resolution'
 32 | cat >> /etc/hosts <<EOF
 33 | 172.17.8.101 node1
 34 | 172.17.8.102 node2
 35 | 172.17.8.103 node3
 36 | EOF
 37 | 
 38 | cat /etc/hosts
 39 | 
 40 | echo 'set nameserver'
 41 | echo "nameserver 8.8.8.8">/etc/resolv.conf
 42 | cat /etc/resolv.conf
 43 | 
 44 | echo 'disable swap'
 45 | swapoff -a
 46 | sed -i '/swap/s/^/#/' /etc/fstab
 47 | 
 48 | #create group if not exists
 49 | egrep "^docker" /etc/group >& /dev/null
 50 | if [ $? -ne 0 ]
 51 | then
 52 |   groupadd docker
 53 | fi
 54 | 
 55 | usermod -aG docker vagrant
 56 | rm -rf ~/.docker/
 57 | yum install -y docker.x86_64
 58 | # To fix docker exec error, downgrade docker version, see https://github.com/openshift/origin/issues/21590
 59 | yum downgrade -y docker-1.13.1-75.git8633870.el7.centos.x86_64 docker-client-1.13.1-75.git8633870.el7.centos.x86_64 docker-common-1.13.1-75.git8633870.el7.centos.x86_64
 60 | 
 61 | cat > /etc/docker/daemon.json <<EOF
 62 | {
 63 |   "registry-mirrors" : [
 64 | 	"https://reg-mirror.qiniu.com",
 65 | 	"https://hub-mirror.c.163.com",
 66 | 	"https://mirror.ccs.tencentyun.com",
 67 | 	"https://docker.mirrors.ustc.edu.cn",
 68 | 	"https://dockerhub.azk8s.cn",
 69 | 	"https://registry.docker-cn.com"
 70 |   ]
 71 | }
 72 | EOF
 73 | 
 74 | if [[ $1 -eq 1 ]]
 75 | then
 76 |     yum install -y etcd
 77 |     #cp /vagrant/systemd/etcd.service /usr/lib/systemd/system/
 78 | cat > /etc/etcd/etcd.conf <<EOF
 79 | #[Member]
 80 | ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
 81 | ETCD_LISTEN_PEER_URLS="http://$2:2380"
 82 | ETCD_LISTEN_CLIENT_URLS="http://$2:2379,http://localhost:2379"
 83 | ETCD_NAME="node$1"
 84 | 
 85 | #[Clustering]
 86 | ETCD_INITIAL_ADVERTISE_PEER_URLS="http://$2:2380"
 87 | ETCD_ADVERTISE_CLIENT_URLS="http://$2:2379"
 88 | ETCD_INITIAL_CLUSTER="$3"
 89 | ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
 90 | ETCD_INITIAL_CLUSTER_STATE="new"
 91 | EOF
 92 |     cat /etc/etcd/etcd.conf
 93 |     echo 'create network config in etcd'
 94 | cat > /etc/etcd/etcd-init.sh<<EOF
 95 | #!/bin/bash
 96 | etcdctl mkdir /kube-centos/network
 97 | etcdctl mk /kube-centos/network/config '{"Network":"172.33.0.0/16","SubnetLen":24,"Backend":{"Type":"host-gw"}}'
 98 | EOF
 99 |     chmod +x /etc/etcd/etcd-init.sh
100 |     echo 'start etcd...'
101 |     systemctl daemon-reload
102 |     systemctl enable etcd
103 |     systemctl start etcd
104 | 
105 |     echo 'create kubernetes ip range for flannel on 172.33.0.0/16'
106 |     /etc/etcd/etcd-init.sh
107 |     etcdctl cluster-health
108 |     etcdctl ls /
109 | fi
110 | 
111 | echo 'install flannel...'
112 | yum install -y flannel
113 | 
114 | echo 'create flannel config file...'
115 | 
116 | cat > /etc/sysconfig/flanneld <<EOF
117 | # Flanneld configuration options
118 | FLANNEL_ETCD_ENDPOINTS="http://172.17.8.101:2379"
119 | FLANNEL_ETCD_PREFIX="/kube-centos/network"
120 | FLANNEL_OPTIONS="-iface=eth1"
121 | EOF
122 | 
123 | echo 'enable flannel with host-gw backend'
124 | rm -rf /run/flannel/
125 | systemctl daemon-reload
126 | systemctl enable flanneld
127 | systemctl start flanneld
128 | 
129 | echo 'enable docker'
130 | systemctl daemon-reload
131 | systemctl enable docker
132 | systemctl start docker
133 | 
134 | echo "copy pem, token files"
135 | mkdir -p /etc/kubernetes/ssl
136 | cp /vagrant/pki/* /etc/kubernetes/ssl/
137 | cp /vagrant/conf/token.csv /etc/kubernetes/
138 | cp /vagrant/conf/bootstrap.kubeconfig /etc/kubernetes/
139 | cp /vagrant/conf/kube-proxy.kubeconfig /etc/kubernetes/
140 | cp /vagrant/conf/kubelet.kubeconfig /etc/kubernetes/
141 | 
142 | tar -xzvf /vagrant/kubernetes-server-linux-amd64.tar.gz --no-same-owner -C /vagrant
143 | cp /vagrant/kubernetes/server/bin/* /usr/bin
144 | 
145 | dos2unix -q /vagrant/systemd/*.service
146 | cp /vagrant/systemd/*.service /usr/lib/systemd/system/
147 | mkdir -p /var/lib/kubelet
148 | mkdir -p ~/.kube
149 | cp /vagrant/conf/admin.kubeconfig ~/.kube/config
150 | 
151 | if [[ $1 -eq 1 ]]
152 | then
153 |     echo "configure master and node1"
154 | 
155 |     cp /vagrant/conf/apiserver /etc/kubernetes/
156 |     cp /vagrant/conf/config /etc/kubernetes/
157 |     cp /vagrant/conf/controller-manager /etc/kubernetes/
158 |     cp /vagrant/conf/scheduler /etc/kubernetes/
159 |     cp /vagrant/conf/scheduler.conf /etc/kubernetes/
160 |     cp /vagrant/node1/* /etc/kubernetes/
161 | 
162 |     systemctl daemon-reload
163 |     systemctl enable kube-apiserver
164 |     systemctl start kube-apiserver
165 | 
166 |     systemctl enable kube-controller-manager
167 |     systemctl start kube-controller-manager
168 | 
169 |     systemctl enable kube-scheduler
170 |     systemctl start kube-scheduler
171 | 
172 |     systemctl enable kubelet
173 |     systemctl start kubelet
174 | 
175 |     systemctl enable kube-proxy
176 |     systemctl start kube-proxy
177 | fi
178 | 
179 | if [[ $1 -eq 2 ]]
180 | then
181 |     echo "configure node2"
182 |     cp /vagrant/node2/* /etc/kubernetes/
183 | 
184 |     systemctl daemon-reload
185 |     systemctl enable kubelet
186 |     systemctl start kubelet
187 |     systemctl enable kube-proxy
188 |     systemctl start kube-proxy
189 | fi
190 | 
191 | if [[ $1 -eq 3 ]]
192 | then
193 |     echo "configure node3"
194 |     cp /vagrant/node3/* /etc/kubernetes/
195 | 
196 |     systemctl daemon-reload
197 | 
198 |     systemctl enable kubelet
199 |     systemctl start kubelet
200 |     systemctl enable kube-proxy
201 |     systemctl start kube-proxy
202 | 
203 |     echo "deploy coredns"
204 |     cd /vagrant/addon/dns/
205 |     ./dns-deploy.sh -r 10.254.0.0/16 -i 10.254.0.2 |kubectl apply -f -
206 |     cd -
207 | 
208 |     echo "deploy kubernetes dashboard"
209 |     kubectl apply -f /vagrant/addon/dashboard/kubernetes-dashboard.yaml
210 |     echo "create admin role token"
211 |     kubectl apply -f /vagrant/yaml/admin-role.yaml
212 |     echo "the admin role token is:"
213 |     kubectl -n kube-system describe secret `kubectl -n kube-system get secret|grep admin-token|cut -d " " -f1`|grep "token:"|tr -s " "|cut -d " " -f2
214 |     echo "login to dashboard with the above token"
215 |     echo https://172.17.8.101:`kubectl -n kube-system get svc kubernetes-dashboard -o=jsonpath='{.spec.ports[0].port}'`
216 |     echo "install traefik ingress controller"
217 |     kubectl apply -f /vagrant/addon/traefik-ingress/
218 | fi
219 | 
220 | echo "Configure Kubectl to autocomplete"
221 | source <(kubectl completion bash) # setup autocomplete in bash into the current shell, bash-completion package should be installed first.
222 | echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.
223 | 
224 | 


--------------------------------------------------------------------------------
/node1/kubelet:
--------------------------------------------------------------------------------
 1 | ###
 2 | ## kubernetes kubelet (minion) config
 3 | #
 4 | ## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
 5 | KUBELET_ADDRESS="--address=172.17.8.101"
 6 | #
 7 | ## The port for the info server to serve on
 8 | #KUBELET_PORT="--port=10250"
 9 | #
10 | ## You may leave this blank to use the actual hostname
11 | KUBELET_HOSTNAME="--hostname-override=node1"
12 | #
13 | ## location of the api-server
14 | ## COMMENT THIS ON KUBERNETES 1.8+
15 | # KUBELET_API_SERVER="--api-servers=http://172.20.0.113:8080"
16 | #
17 | ## pod infrastructure container
18 | KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.1"
19 | #
20 | ## Add your own!
21 | KUBELET_ARGS="--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cgroup-driver=systemd --cluster-dns=10.254.0.2 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"
22 | 


--------------------------------------------------------------------------------
/node1/proxy:
--------------------------------------------------------------------------------
1 | ###
2 | # kubernetes proxy config
3 | 
4 | # default config should be adequate
5 | 
6 | # Add your own!
7 | KUBE_PROXY_ARGS="--bind-address=172.17.8.101 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.254.0.0/16 --hostname-override=node2"
8 | 


--------------------------------------------------------------------------------
/node2/kubelet:
--------------------------------------------------------------------------------
 1 | ###
 2 | ## kubernetes kubelet (minion) config
 3 | #
 4 | ## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
 5 | KUBELET_ADDRESS="--address=172.17.8.102"
 6 | #
 7 | ## The port for the info server to serve on
 8 | #KUBELET_PORT="--port=10250"
 9 | #
10 | ## You may leave this blank to use the actual hostname
11 | KUBELET_HOSTNAME="--hostname-override=node2"
12 | #
13 | ## location of the api-server
14 | ## COMMENT THIS ON KUBERNETES 1.8+
15 | # KUBELET_API_SERVER="--api-servers=http://172.20.0.113:8080"
16 | #
17 | ## pod infrastructure container
18 | #KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=sz-pg-oam-docker-hub-001.tenxcloud.com/library/pod-infrastructure:rhel7"
19 | #KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=jimmysong/pause-amd64:3.0"
20 | KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.1"
21 | #
22 | ## Add your own!
23 | KUBELET_ARGS="--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cgroup-driver=systemd --cluster-dns=10.254.0.2 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"
24 | 


--------------------------------------------------------------------------------
/node2/proxy:
--------------------------------------------------------------------------------
1 | ###
2 | # kubernetes proxy config
3 | 
4 | # default config should be adequate
5 | 
6 | # Add your own!
7 | KUBE_PROXY_ARGS="--bind-address=172.17.8.102 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.254.0.0/16 --hostname-override=node2"
8 | 


--------------------------------------------------------------------------------
/node3/kubelet:
--------------------------------------------------------------------------------
 1 | ###
 2 | ## kubernetes kubelet (minion) config
 3 | #
 4 | ## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
 5 | KUBELET_ADDRESS="--address=172.17.8.103"
 6 | #
 7 | ## The port for the info server to serve on
 8 | #KUBELET_PORT="--port=10250"
 9 | #
10 | ## You may leave this blank to use the actual hostname
11 | KUBELET_HOSTNAME="--hostname-override=node3"
12 | #
13 | ## location of the api-server
14 | ## COMMENT THIS ON KUBERNETES 1.8+
15 | # KUBELET_API_SERVER="--api-servers=http://172.20.0.113:8080"
16 | #
17 | ## pod infrastructure container
18 | #KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=jimmysong/pause-amd64:3.0"
19 | KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.1"
20 | #
21 | ## Add your own!
22 | KUBELET_ARGS="--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cgroup-driver=systemd --cluster-dns=10.254.0.2 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"
23 | 


--------------------------------------------------------------------------------
/node3/proxy:
--------------------------------------------------------------------------------
1 | ###
2 | # kubernetes proxy config
3 | 
4 | # default config should be adequate
5 | 
6 | # Add your own!
7 | KUBE_PROXY_ARGS="--bind-address=172.17.8.103 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.254.0.0/16 --hostname-override=node3"
8 | 


--------------------------------------------------------------------------------
/pki/admin-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "admin",
 3 |   "hosts": [],
 4 |   "key": {
 5 |     "algo": "rsa",
 6 |     "size": 2048
 7 |   },
 8 |   "names": [
 9 |     {
10 |       "C": "CN",
11 |       "ST": "BeiJing",
12 |       "L": "BeiJing",
13 |       "O": "system:masters",
14 |       "OU": "System"
15 |     }
16 |   ]
17 | }
18 | 


--------------------------------------------------------------------------------
/pki/admin-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEowIBAAKCAQEApwmhzNJLEHFy7cf8xpgcS47mAbm2e0Whtp/8B6lmaF+9EBQA
 3 | wOCYSaNImoGwExc2X4nUO110Mh/npkWeKVOVVapbDXeKJHMEB+K4tSfyj+Va8D1Q
 4 | 4bTQUcu0Iud8c3d7np6GcnFCU+Q2aEzKvkVjHScVaysVE0JiLgIqQZQwhFENnkrf
 5 | pURwDcgNCnnfBKC2/USXs+bPUSaXkNTNl719EFdRHZKNWAh+n4uL8IspUBrxwI+h
 6 | ic78MzFonOC/l+5N2yBnrBCGDSOzukynfiV0dOSI+m7tYNBJzK8hUGU7jlZils0I
 7 | vlS44MJ1c58AsRK2WWpaTznfDB9mx7T844UVuwIDAQABAoIBAAmRaa071oTomra4
 8 | H+iYSfaiBtbOdn91K6A0ZdFiiLUt1ryXCLwDoXWGXuBK0XUmfTzXvkpwPfmpDjHe
 9 | BwNDAGjZy0FoOYeA9xgkioQF98T6VE0ylfF30/77diQRsnVCwNgDKJxhlHUNu3gZ
10 | /fsMKnM/C+EJpLlnsgwEn7sF7AmIK0wNZ25hZg/2bOyPGQGEBI0DLkKNe+DrK6Oo
11 | aXQQVS8wTHBgFu+WfHYIjScA8CG2qge0K7bMS4BAayZwdr0325ydYEy3+DRlU6XY
12 | Jrf5++1H0AMjvw/rsdjony+dg87DuPTCLrpJ+wDh7kNWrLu4XE4JXSF2YDDyikT5
13 | Y5dCyCECgYEA3KOTEDWEufX1u9wnnY/i6djrHj0Bh8ViKWd6Yq1IqTu2dfB/DxXQ
14 | P2HsmPVDMZx6dYg1VdyivBgNyQ3Qq7M2XH2yVjG8Nbw7qvBQtfO72OIxbsyvdIKh
15 | XphA5CFUVC/CsBePxV7N/1jVfatLubUXHAbCRqpVAxsz0f7Rm4iE6AMCgYEAwc7j
16 | wy0ij/Kw13SyKoBDusu3OPieMSah4tphkgbW8Qza+5cmXJfGOTRHCNV+2r41+9qj
17 | /BilV6nxVkKTVr7DEe3vB2DxXpyiM2YGixrMocK51V/RmRQBPqIN8VYGcPc6HAdG
18 | 2Gm1Aiq1hCzqY98hYWwMGxbPvh5Jmxd4jNGh+ekCgYANvvcjlGH/f+5eVNn2/Abk
19 | EMqdKKnWvppd//9k9GzJdlnowSH5W5+Mw1oNMYKNLbWHawP/pG5TD6CUPRMaD2E8
20 | o+wfaJvUMTT6clxk6ZlzaqwvvfrUZGsPTKcGT3lEgXE8rUscvcpRtUQfvzNJj5mv
21 | +k/SPTxspB43YAvJB9lX5wKBgA7CccgIZOxvgBY4deUUtZPBNefpzypRFd0P4oRb
22 | bv0WjIrCfRJqIJd0qsA6ehmwiK3wfbKSMe1WLOHz2gKuLm7sHtsB///Dj/q4F2F6
23 | ngDnsn1UecLdqiaZ8tPhSEZMHanKyBNtIXLTy9UQEp2efY1MzDM37oQ9DD/6bpzS
24 | zjIZAoGBAKbsJzgRjnbZtQBYSeckjOkKGOmcR99nmOIvBLrsU6D7AbATO4cp/sht
25 | sVC4JhA0YbC//c13bUnJWiWaZ70neCkmvlUhBptSxvVhtzM+3j9M8CXdhe0/lEit
26 | kOEfkoSPpGV0RBikSkURYVqk78KRs05JOFHdBSvW4CR//55g+eid
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/pki/admin.csr:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE REQUEST-----
 2 | MIICsDCCAZgCAQAwazELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAO
 3 | BgNVBAcTB0JlaUppbmcxFzAVBgNVBAoTDnN5c3RlbTptYXN0ZXJzMQ8wDQYDVQQL
 4 | EwZTeXN0ZW0xDjAMBgNVBAMTBWFkbWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
 5 | MIIBCgKCAQEApwmhzNJLEHFy7cf8xpgcS47mAbm2e0Whtp/8B6lmaF+9EBQAwOCY
 6 | SaNImoGwExc2X4nUO110Mh/npkWeKVOVVapbDXeKJHMEB+K4tSfyj+Va8D1Q4bTQ
 7 | Ucu0Iud8c3d7np6GcnFCU+Q2aEzKvkVjHScVaysVE0JiLgIqQZQwhFENnkrfpURw
 8 | DcgNCnnfBKC2/USXs+bPUSaXkNTNl719EFdRHZKNWAh+n4uL8IspUBrxwI+hic78
 9 | MzFonOC/l+5N2yBnrBCGDSOzukynfiV0dOSI+m7tYNBJzK8hUGU7jlZils0IvlS4
10 | 4MJ1c58AsRK2WWpaTznfDB9mx7T844UVuwIDAQABoAAwDQYJKoZIhvcNAQELBQAD
11 | ggEBAJgo5ERzue4Eq8Bxqqln6AdzaGp3MPD/a1NP8evO9umZqmuG7ZgdzXTqFGkW
12 | Ry9KGWjAzzFZai42Hl/+Zsr3VVdQuOFGLx6RqlTMagp+0HUTJti27gd5HLYNtJei
13 | i+nHir0V1YhXC2+gmf5Md7kGZpseSx/t3B2zHkkmuAiERs+CgEGWd7vgiJ75EAjn
14 | EOW0ec6RMtZp2N9Qj5ifiRUuz+ThGrPH9fEcBecooYkVAQfgDaPhe1JgJldr/1BH
15 | WdvzQZoZR1mQkELjlUuVcKZek7m1593ux7U/UPlFaVyk4nEcwhgH5CmLRYcMJshc
16 | SXJO3GjnHHOJ2+VtdRStvirgSKk=
17 | -----END CERTIFICATE REQUEST-----
18 | 


--------------------------------------------------------------------------------
/pki/admin.p12:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rootsongjc/kubernetes-vagrant-centos-cluster/73d8324d194647291d8780f3a267439dea211382/pki/admin.p12


--------------------------------------------------------------------------------
/pki/admin.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIID5DCCAsygAwIBAgIUczE1grlJn0eIPc5xYdFGvTAWb6AwDQYJKoZIhvcNAQEL
 3 | BQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
 4 | aUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5c3RlbTETMBEG
 5 | A1UEAxMKa3ViZXJuZXRlczAeFw0xODAxMTAwOTUwMDBaFw0yODAxMDgwOTUwMDBa
 6 | MGsxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlK
 7 | aW5nMRcwFQYDVQQKEw5zeXN0ZW06bWFzdGVyczEPMA0GA1UECxMGU3lzdGVtMQ4w
 8 | DAYDVQQDEwVhZG1pbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKcJ
 9 | oczSSxBxcu3H/MaYHEuO5gG5tntFobaf/AepZmhfvRAUAMDgmEmjSJqBsBMXNl+J
10 | 1DtddDIf56ZFnilTlVWqWw13iiRzBAfiuLUn8o/lWvA9UOG00FHLtCLnfHN3e56e
11 | hnJxQlPkNmhMyr5FYx0nFWsrFRNCYi4CKkGUMIRRDZ5K36VEcA3IDQp53wSgtv1E
12 | l7Pmz1Eml5DUzZe9fRBXUR2SjVgIfp+Li/CLKVAa8cCPoYnO/DMxaJzgv5fuTdsg
13 | Z6wQhg0js7pMp34ldHTkiPpu7WDQScyvIVBlO45WYpbNCL5UuODCdXOfALEStllq
14 | Wk853wwfZse0/OOFFbsCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
15 | MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQl
16 | K2HfFb5jI4TxW0W+T4q6o7NLpzAfBgNVHSMEGDAWgBRIQ8Co6yx4HuEvwjveGCPe
17 | pCPeizANBgkqhkiG9w0BAQsFAAOCAQEAW2V82slT/rgRERNLsF46m6KLaOM2+RCV
18 | ScFmuCIcL1xVicqpYr39dxEXxeUgNzHMhZxliJ+93+/dBZBkpvSeF/R3LKmwsCe3
19 | gOfS8aMQOrXT6hbn5V0QDLdSSzgKAFnKp0OrB4KuueFo/dAqvtiJAnut+9q5BawU
20 | A9qI6hCB3Z6pALlGUspZf/Z/9uSxwGO3wXm8nf1EgXEqFcdZXk6+2gQvCmMWHO5/
21 | IT1yiigqNGeCeGNkGtf1A1bJ2WSWzvjrNaSm7x0qEPZk6JHq6LCG2mBu8oszAtPl
22 | 7dhImWhWlskmO3nehMpmPGRxjhrcVTYwIPVWv1sgoxJNTvFHDDUBrg==
23 | -----END CERTIFICATE-----
24 | 


--------------------------------------------------------------------------------
/pki/ca-config.json:
--------------------------------------------------------------------------------
1 | {"signing":{"default":{"expiry":"87600h"},"profiles":{"kubernetes":{"usages":["signing","key encipherment","server auth","client auth"],"expiry":"87600h"}}}}


--------------------------------------------------------------------------------
/pki/ca-csr.json:
--------------------------------------------------------------------------------
1 | {"CN":"kubernetes","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"BeiJing","L":"BeiJing","O":"Kubernetes","OU":"System"}]}
2 | 


--------------------------------------------------------------------------------
/pki/ca-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEowIBAAKCAQEAyNzhvDrsB73kf3LUXTIIgUNIOqs922oOfQg5q9Q2UncJ6Eju
 3 | lBg9o83AWFU0TS0KWJ7GgHGSpKjemwrbW04AVRsXYpuHd7sKMv3a80sjrK1IGBJX
 4 | XdFib+janlPj3jcDIoeV5UqWF5tbstAs9UbWCphangIdd77F6dI5qQ+OPj9fh+xq
 5 | IoliNy4xAfEnqkuv9kuaOclbf71vUzU7IEEP4+QpDG7XdIAluxbzMayWZrxOvza6
 6 | KEs+F+lKLOTS2E1dMK0/CJer+8scJRqRcLTNCv69HT+1OMXXEEHAvXfE44TUdYN+
 7 | BGcqTIGq5T1F+t/j9fFdatY6UasBXaJymDCGtQIDAQABAoIBAGluh46l3v6xTh8X
 8 | xyCkApLXHjKtb+qb4L8AckUfPuRKV4j1v0U89B3nAe9byfg4jBW4Qblp4+9KNI5t
 9 | RHbImqQRdFTuDk1qgBAD78mEx1T8H7uC5Rj5rxHOx/ITVqhtd9fIE4YngGEjyx4w
10 | 52hXpkIpdmc59P3FxVzWXC3BXIiPDAkUmjPdH6Tb3uDsMObfrNR7r5nVaKXkc7B9
11 | z5l0iQwbAPwQVszvEK/3JnnbMo3rRY7rMFTwyJgV13+n73fkbgrdFqpGnEjYe72E
12 | VICMnL8vOoY1Oa79+BKpPAbSvf7kdjx/OMQMREKk54bWi9x/+pPyfimUTbtgwbcT
13 | ejRn+AECgYEAzc8wmiyzmj+I96hIjmngvEDvGoDV3N9cYlUGXlvbSlA7gygxaDDb
14 | pyV4h8nIewCuARpCgdlVYu2hcCbPW1jE9E7Wo9EnM87J8Me7moDw8sslElpYS0QO
15 | 7n6VPoOfeZqNCSUuiXksWcYng/POYwvy1cPm7E3IRCc55Zk0BC08u6UCgYEA+djg
16 | sxUYjZvBxeBc+cteLxfjQWhsNoFSz2WkvaLKAokmhsMCeUlQcuw+SEXTG1SwF944
17 | klMAHU1Mf5vgubPGhRtinvjUM3oB2YTmzuSQbzyqUvdqZDWM8X6c65oudviyVp5I
18 | LPVnC/LgJiQr1IDRQnAZElz6BcQsEdODvDsR8dECgYEAlrcIt47Ow8GNUxeocqo0
19 | iofe0YDRnJrxc40iSc1ozIXu3wB7FfrZkBDPsFjjeLgptOL/G0oFzpmIpLG3HgTm
20 | zqZBZtvOopDnr20FBIMycAq2Djec+xlO+fY24v3OtmWorK7O4pubD+8dlvLfDAd/
21 | AG4i2J+pbcdwDaRgxEJAfIUCgYAE6Axpl+V2inOAtko9IZBE7nwpAar2Ww3MQtu8
22 | WaEL8bOO++9lgFoTF66VbsGZjM00esmzneunp6fz7ZS5MN2aKZKDOrG4HRJCOkjq
23 | ETUA6jkSDgfJ1f9hkrH0Mn/tGC8wYkValKskYe2i8hzmPG1fl6H2aVsDl/mhk/zH
24 | SoWssQKBgBnImR5xyLYLDK2b2mM/l9K49GE0PTEK4kHs7R3Ghn4GewV6DUjOUz4T
25 | nBII7yZdQpF3M0KKOUP8kRFBm1HYU0Efi3t1eYrJwmY3vzcOHTVqVLmi0buNKZYM
26 | pwrSZUAXYjKIJHkbQB84k4txUj9tEEsPLhFIyopDBN5tfpDlsXBI
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/pki/ca.csr:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE REQUEST-----
 2 | MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAO
 3 | BgNVBAcTB0JlaUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5
 4 | c3RlbTETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
 5 | ADCCAQoCggEBAMjc4bw67Ae95H9y1F0yCIFDSDqrPdtqDn0IOavUNlJ3CehI7pQY
 6 | PaPNwFhVNE0tCliexoBxkqSo3psK21tOAFUbF2Kbh3e7CjL92vNLI6ytSBgSV13R
 7 | Ym/o2p5T4943AyKHleVKlhebW7LQLPVG1gqYWp4CHXe+xenSOakPjj4/X4fsaiKJ
 8 | YjcuMQHxJ6pLr/ZLmjnJW3+9b1M1OyBBD+PkKQxu13SAJbsW8zGslma8Tr82uihL
 9 | PhfpSizk0thNXTCtPwiXq/vLHCUakXC0zQr+vR0/tTjF1xBBwL13xOOE1HWDfgRn
10 | KkyBquU9Rfrf4/XxXWrWOlGrAV2icpgwhrUCAwEAAaAAMA0GCSqGSIb3DQEBCwUA
11 | A4IBAQCUP2pixOTRj6TgGG6NAV/bsvUaPAgthvZEgQzEoX21QOp6hm3wZQGzpY5+
12 | IU2SLQgwkT3w9lrGnpbhJEWkZYqXG1GIVk4drBmQ9UnEBAhE2yx3rrtCZ03hlOpq
13 | 6V7XulwxImA7Mdl9eXNWnkD+qNIT7sVBKX082vZqfYlLlXmhlf93LtLoxDaosCuV
14 | bIVH5tg9XU7TSxkD+G5ggYbcXeAB9UeJa3alVcEyJn7TixmxzY7w1NR6TxCcoa5u
15 | RMyK0IGzBai5kuMxu0Uy1/zP9+z/M0qVa40AC4MTnHRe4Ft5ge9pCrO5Nx0SvOOV
16 | ZFeDS9Znln//8afBKotnPdRHmtQ/
17 | -----END CERTIFICATE REQUEST-----
18 | 


--------------------------------------------------------------------------------
/pki/ca.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIDqzCCApOgAwIBAgIUMenTseykLpd+ygOdhsfFBkttQ9MwDQYJKoZIhvcNAQEL
 3 | BQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
 4 | aUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5c3RlbTETMBEG
 5 | A1UEAxMKa3ViZXJuZXRlczAeFw0xODAxMTAwOTM0MDBaFw0yMzAxMDkwOTM0MDBa
 6 | MGwxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlK
 7 | aW5nMRMwEQYDVQQKEwpLdWJlcm5ldGVzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNV
 8 | BAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI
 9 | 3OG8OuwHveR/ctRdMgiBQ0g6qz3bag59CDmr1DZSdwnoSO6UGD2jzcBYVTRNLQpY
10 | nsaAcZKkqN6bCttbTgBVGxdim4d3uwoy/drzSyOsrUgYEldd0WJv6NqeU+PeNwMi
11 | h5XlSpYXm1uy0Cz1RtYKmFqeAh13vsXp0jmpD44+P1+H7GoiiWI3LjEB8SeqS6/2
12 | S5o5yVt/vW9TNTsgQQ/j5CkMbtd0gCW7FvMxrJZmvE6/NrooSz4X6Uos5NLYTV0w
13 | rT8Il6v7yxwlGpFwtM0K/r0dP7U4xdcQQcC9d8TjhNR1g34EZypMgarlPUX63+P1
14 | 8V1q1jpRqwFdonKYMIa1AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB
15 | Af8ECDAGAQH/AgECMB0GA1UdDgQWBBRIQ8Co6yx4HuEvwjveGCPepCPeizANBgkq
16 | hkiG9w0BAQsFAAOCAQEAvqhaoR53tFR2iCvYZXW4fg9fXvcnfPAqczpLKHmScP7Y
17 | 7YYlI9QvVH5auYju4Z4cUel0Q+s+TezztadD6/0rv+ZUFPykCqBWx48u64fgbe6r
18 | 7nTJrcEv7JnxxCR7N/znXCnka+C8No0A6S2BSVGKokJFs6cf3/98FKk42SFj3cl7
19 | K3+hmKISHP0lVCfp5eaLuSpF3jL/aGfVN0oWKibEacvAaaPNCGos2DEWCl63Lcl1
20 | xhNKlZ9At8/7c4z4RzbpP2UhOEbDFBV2Exa//rkCDvxCQknvkokM8NstCYhsc2YY
21 | 63Hjx4+xMf6I5HeQPTKf7w/KeVplWKvEAAUx0XXQ5Q==
22 | -----END CERTIFICATE-----
23 | 


--------------------------------------------------------------------------------
/pki/kube-proxy-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "system:kube-proxy",
 3 |   "hosts": [],
 4 |   "key": {
 5 |     "algo": "rsa",
 6 |     "size": 2048
 7 |   },
 8 |   "names": [
 9 |     {
10 |       "C": "CN",
11 |       "ST": "BeiJing",
12 |       "L": "BeiJing",
13 |       "O": "kubernetes",
14 |       "OU": "System"
15 |     }
16 |   ]
17 | }
18 | 


--------------------------------------------------------------------------------
/pki/kube-proxy-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEpAIBAAKCAQEAp1zUwT7W3nryHdBhKIo2F1MzpXlX2wWmFPNUb1C/C+j16qOJ
 3 | cfZY/4qljtyuN0kZ6VRcwSxWfNkfm8z7wzbo5mcwYDQH3GBVtn7iv9tXcHmz8rdT
 4 | hJ8gGXDsUlATBsV9aa1kmclxYn0B0HyOZ2rsDt/4Mo/bmaQb3ObrGZjmCrVugcLc
 5 | xaiJOrqaD6QOR8KQqCfMm8Qo4fx7cTV46VthuSnITsM5FdfuLdSRPmlBpNZxIGSi
 6 | 0gBa+LNRZriQbpQHv9oSa94ZVV8FunuWkeA398oX9he9pGWU/HCxFMDyN6trm9MJ
 7 | SSxKPHLZAxvYl8qF/bQKaK+xkxWMJih7lT8ZkwIDAQABAoIBAFNUhl49opCd2KV9
 8 | lpKv1mTguWtfsp3L/ziZO2Y9ZxJQCPmuOYYzqXZ7Gxm5yUifrjYeGhzYrat2FCXn
 9 | 90botSfbIxwTbAKPOL4oCVCLrsrC3hUwsHXtIPdp4VDOq9qIRHx0qA1mXn0yTs/2
10 | 5JSbiTOS0qqiNC4YpwLjOxXAqnGTvCBgz8HV0RpHH/hkAUrdMig52KysPLkLJPsS
11 | 3/9i0jFNyhSDPTqYj87uY09/Q8KKhtbRmmQx3SXYMAzIT2VYqsHeupZg9QJ9QnHs
12 | x2AuiuUE5DS7nH7jgtXFBSs3/jZivMkgC24Hy9b/NvU8KIYBXtXL/OZDQs26rvVZ
13 | eLLOSJkCgYEAw5YSYgd6crdJ3X2Bq7Wgoxc0Ajomw9hEgjes/iTlFioSEEyMlaEo
14 | 9PRpS691NwaLAg4orcBvvKBooE5etDqiqMA779AxdEerEIIrqBRCPdWgosU5JvCl
15 | Y1Wd212ZnhDszmMN0n1SKhtjWcoJ5INV7d9CzrkTu1mDM0Lu+0yK038CgYEA2w78
16 | YbYYSU2cqxhmI7kgsDJsm+TSAI2bZpgoC2jAf9LINCJ2hFe2Yljyn/Hs0mB8tQxw
17 | 30inEbBUP4jdkM/wNYwtm0CWEBtkEdiVBdaveLSChhGvk+3ISt9Bhk+wQ9qLJ81e
18 | mdu6qrfOu/83zRJglQTKIXEEpiPgJsmJJW7pM+0CgYAmQCZON6ox3zi58X63pyjI
19 | XJRWTysfqB8V3G+fsHWBFS89MstXxBHvfhFNtP3WihgLidtYx8bSfAiaOVl6I/GF
20 | 0Tqnlu7lD9MbwmlpULT3xNzKmImp3OxrdeYObcrKSAMYBfVBEjNMeti+Sa4Pm8Pl
21 | ZoF5TmbWgBYRo2h7iyenXwKBgQCqGcbs8QOG2FeRnE6j6rtxVpZzr4lKmKtVTU27
22 | Hkpsd3ay1RgGyD19vOgaPzfQXNA5nkF/gOEKoUuqUlMKgg1a51D6v3pHY52fJfkC
23 | IaT8K9820EDws7HWQeqVqweKiQeJjrWo77DRpA1KenIQMfcBgEidEy+y+ySxuclf
24 | YfKAOQKBgQCSND+X9J5NiPF94rXmBhOJMSdzPzyEvcSpN2zfF9XQ3qKIUiZAGmve
25 | zURS3eMKzNbaiKyqvo0A4sxeog3rWO4CukJfEm55eb5ywVTR9vXykwbgLGO18u7O
26 | X8BJ70yBbXPszsciX4yjOamaxxaCVLBSfCZHbhfMT5gGAIe3SWgnAQ==
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/pki/kube-proxy.csr:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE REQUEST-----
 2 | MIICuDCCAaACAQAwczELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAO
 3 | BgNVBAcTB0JlaUppbmcxEzARBgNVBAoTCmt1YmVybmV0ZXMxDzANBgNVBAsTBlN5
 4 | c3RlbTEaMBgGA1UEAxMRc3lzdGVtOmt1YmUtcHJveHkwggEiMA0GCSqGSIb3DQEB
 5 | AQUAA4IBDwAwggEKAoIBAQCnXNTBPtbeevId0GEoijYXUzOleVfbBaYU81RvUL8L
 6 | 6PXqo4lx9lj/iqWO3K43SRnpVFzBLFZ82R+bzPvDNujmZzBgNAfcYFW2fuK/21dw
 7 | ebPyt1OEnyAZcOxSUBMGxX1prWSZyXFifQHQfI5nauwO3/gyj9uZpBvc5usZmOYK
 8 | tW6BwtzFqIk6upoPpA5HwpCoJ8ybxCjh/HtxNXjpW2G5KchOwzkV1+4t1JE+aUGk
 9 | 1nEgZKLSAFr4s1FmuJBulAe/2hJr3hlVXwW6e5aR4Df3yhf2F72kZZT8cLEUwPI3
10 | q2ub0wlJLEo8ctkDG9iXyoX9tApor7GTFYwmKHuVPxmTAgMBAAGgADANBgkqhkiG
11 | 9w0BAQsFAAOCAQEARIg0LEf4hi0hF4qjUBYdYJGdukZVgBlja6Xgz80ZRElP5U9/
12 | 58flClNqvdwT99JVrHMMH/Etk+9MJQMyK+x5DIWrf28RAZhwTVWHEhTO0QZqdwXR
13 | 39qEFsTABOjEL+3rLfaXYmeBR+sgUqC246v2qOxOS14tJjVUBm7Q9dNpU0YG124Y
14 | NG7l2+ABis2p3HnC5zLE0dp+Al/XD5xmVXyKYxJctlwJxeGHjrX56UkhWOPKTiSE
15 | 4e3oRZ0QA+1S9Vm7rHhEbGd0ZyeaEUnelvYkJscHhyLk0Kjrq5DozM+/NQhEchOe
16 | B/QthioQ+N4TabOAllchwFBxtXtJ7MV3Y+Z5bw==
17 | -----END CERTIFICATE REQUEST-----
18 | 


--------------------------------------------------------------------------------
/pki/kube-proxy.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIID7DCCAtSgAwIBAgIUDFF764qTTxblmjDXGjdjt3DXZqowDQYJKoZIhvcNAQEL
 3 | BQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
 4 | aUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5c3RlbTETMBEG
 5 | A1UEAxMKa3ViZXJuZXRlczAeFw0xODAxMTAwOTUxMDBaFw0yODAxMDgwOTUxMDBa
 6 | MHMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlK
 7 | aW5nMRMwEQYDVQQKEwprdWJlcm5ldGVzMQ8wDQYDVQQLEwZTeXN0ZW0xGjAYBgNV
 8 | BAMTEXN5c3RlbTprdWJlLXByb3h5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
 9 | CgKCAQEAp1zUwT7W3nryHdBhKIo2F1MzpXlX2wWmFPNUb1C/C+j16qOJcfZY/4ql
10 | jtyuN0kZ6VRcwSxWfNkfm8z7wzbo5mcwYDQH3GBVtn7iv9tXcHmz8rdThJ8gGXDs
11 | UlATBsV9aa1kmclxYn0B0HyOZ2rsDt/4Mo/bmaQb3ObrGZjmCrVugcLcxaiJOrqa
12 | D6QOR8KQqCfMm8Qo4fx7cTV46VthuSnITsM5FdfuLdSRPmlBpNZxIGSi0gBa+LNR
13 | ZriQbpQHv9oSa94ZVV8FunuWkeA398oX9he9pGWU/HCxFMDyN6trm9MJSSxKPHLZ
14 | AxvYl8qF/bQKaK+xkxWMJih7lT8ZkwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAw
15 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
16 | VR0OBBYEFAPolAEOTIAZYslwkO1WM0X68/XNMB8GA1UdIwQYMBaAFEhDwKjrLHge
17 | 4S/CO94YI96kI96LMA0GCSqGSIb3DQEBCwUAA4IBAQB8qIBtQtQgLOs2UnKDsH2S
18 | P+XinRNQKHdEvYawl7/ApgDdpuEWOJfaD6uYCsoHSZ040C89rBV9Rv1ysOIlmuBD
19 | U91keNaNI0BS9voyUfeo2tUQznO94jfUjacZBJGHcH6M5mgfJLoIGsXGH+k77BGn
20 | vVBeLPCT0kOkzekBafQ0c06XIStam+8ipRZP6Zgq4yvNsrOJoPq0qJW/wAm27P3R
21 | 5gi1EV3Ob/S77r/HfcMo5E7bEDwyhRTvmT1RZbd5DLyvp84o5/J1tsTLo/nigEgn
22 | SvhR5eex205ppeiVaq2P+WNQpxX7UyLKuZHXjTSW74/sNmqNMkO0pwDa6hAMWGfQ
23 | -----END CERTIFICATE-----
24 | 


--------------------------------------------------------------------------------
/pki/kubernetes-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "CN": "kubernetes",
 3 |     "hosts": [
 4 |       "127.0.0.1",
 5 |       "172.17.8.101",
 6 |       "172.17.8.102",
 7 |       "172.17.8.103",
 8 |       "192.168.31.1",
 9 |       "10.254.0.1",
10 |       "kubernetes",
11 |       "kubernetes.default",
12 |       "kubernetes.default.svc",
13 |       "kubernetes.default.svc.cluster",
14 |       "kubernetes.default.svc.cluster.local"
15 |     ],
16 |     "key": {
17 |         "algo": "rsa",
18 |         "size": 2048
19 |     },
20 |     "names": [
21 |         {
22 |             "C": "CN",
23 |             "ST": "BeiJing",
24 |             "L": "BeiJing",
25 |             "O": "kubernetes",
26 |             "OU": "System"
27 |         }
28 |     ]
29 | }
30 | 


--------------------------------------------------------------------------------
/pki/kubernetes-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEpAIBAAKCAQEA9FfjHGp2E1VJkD7zw6St/CFkpV84eudIWR717erf6C8FBerR
 3 | NVzJwtydfknNLNrJpyNcQMPMgL/LV4WR1Y+JGEPWKq6VYd4Xg98EXvf1HP+dZfP1
 4 | +TfBzNaL88mi0/s72sc2Ul/xTq//BZBrZwhUdJQKbJ26m686pQrE+EzT5I3SGuw5
 5 | ekKnb2IdWjvxFZhFNgC43eTULgjpz+eHDX8o4mlSykvFh4/nXhhGgq49jdkBfe3E
 6 | ux0MT2OIU7aKESugGu9cY/uPhGZcWVA/H2oWCAy63aYT9KMtRb0KlGvZd06SSWg9
 7 | 0AJq72rBzBzcG6ap2DAstjmP2Xe/1unF2e3hEQIDAQABAoIBABh2J/1zRwjec/Pl
 8 | 6X9/oA9qxGmt47iiKOMLL3G3Ht1ev7D89h7SgDxq27WF6+1+pct+xcCSGYoWKWRE
 9 | sfngWcg9GlbBjaDznAUOsaBUUIyrpnVLfCeMBnHcVLx+RjfUogRgBzct9bl78xr6
10 | f1YcRmA5ZeXD0Ke/Xi6hqmB1SI1L11NLHeb1wZyx/2BJE8ujkhICFTBH6X8wkuWl
11 | YCs3tUhajXWIP7sWtLb54uNxbACoMeJXlEszQ5MLpjM8kxK25BGaZ4ubrsGaYcFz
12 | T863clp0+EHfPukEixi359jvhUDnsw4A4AZUM6gccQFsOPTJJ2Fu56L4XS2viwvk
13 | P3kPEAECgYEA9OBevT/cB+PWXLd0CWUgm/5Y7J7ZkyY4f737qlgnp/xRx/pCxbAn
14 | WYmbRkxlfgb64jnQQvLNzCfqxHF6Of7u9hdqgTWjdpjte8lAnDbHVjiDGkk8L+mu
15 | aNaM4YHJONE4UIujooB/6/I8s5hTjT2e5LWeVY+PMSd1MmaAiv0kYQECgYEA/3FR
16 | O7BJ9hwB5cU3aqVzL2sTZyyfkmFH2K3AFzZ/Zl0kxtvUgmJMCgnDlylbYa80fOOu
17 | v3CxACbgs2Ill4qwNMh3MaU5dCI/qYOmjLTFMycpEVll6140Kvbu5keHqI2L0ij+
18 | UFkjcpuhRbsX6lsAi49Xi03XCkvo2YwQSu0TcBECgYEAwCLkcx2OKWqtoaYYF98P
19 | TRau80pYcUsF/cU1mBz/UKF8EardhXuIBIsiGHCNGeukIqk2LbGRpGSVonlfa+4J
20 | 1XHeEW/iyIWJoRzx4yBgG9jPlWptHTL/tCbT94T8O+Z9h0VpqXGl7Z3t3wTgWexF
21 | pjKS/5NayTiqjlc6+NNTHgECgYBn6ox2cMgV49ztwWZC713Fi5TQIzojTYnx3vVH
22 | PDdlyDye3W09QYnXh5NXGk7/lUwQBnvfi5OmESrWLvZGCPiX8Hl069dMpGYrqtAF
23 | a8DRh3vQgALTVnZ4iA42BiFs83BPJbgXrbua8y8PdAZNo4m8PKsLk7YIjUsDvVQf
24 | dwSyUQKBgQDbjLS/KPbDrwYYIEofOa/vSxO+Anpgsq+FvD+bwFEbehgt25wCfymd
25 | 79jgTBDcl9D2i0EwZMvX3g8qHdrnxTPn8qQ3W+vBSAzOp/Wi/UsNuiT0sux+AZZY
26 | tsZaSg3YxvoCE3rXB6TwBHCGGLd0h1UO3GO9Ns+87UpJkFgbZIm1nw==
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/pki/kubernetes.csr:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE REQUEST-----
 2 | MIIDdjCCAl4CAQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAO
 3 | BgNVBAcTB0JlaUppbmcxEzARBgNVBAoTCmt1YmVybmV0ZXMxDzANBgNVBAsTBlN5
 4 | c3RlbTETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
 5 | ADCCAQoCggEBAPRX4xxqdhNVSZA+88OkrfwhZKVfOHrnSFke9e3q3+gvBQXq0TVc
 6 | ycLcnX5JzSzayacjXEDDzIC/y1eFkdWPiRhD1iqulWHeF4PfBF739Rz/nWXz9fk3
 7 | wczWi/PJotP7O9rHNlJf8U6v/wWQa2cIVHSUCmydupuvOqUKxPhM0+SN0hrsOXpC
 8 | p29iHVo78RWYRTYAuN3k1C4I6c/nhw1/KOJpUspLxYeP514YRoKuPY3ZAX3txLsd
 9 | DE9jiFO2ihEroBrvXGP7j4RmXFlQPx9qFggMut2mE/SjLUW9CpRr2XdOkkloPdAC
10 | au9qwcwc3BumqdgwLLY5j9l3v9bpxdnt4RECAwEAAaCBxDCBwQYJKoZIhvcNAQkO
11 | MYGzMIGwMIGtBgNVHREEgaUwgaKCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVm
12 | YXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0
13 | LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9j
14 | YWyHBH8AAAGHBKwRCGWHBKwRCGaHBKwRCGeHBMCoHwGHBAr+AAEwDQYJKoZIhvcN
15 | AQELBQADggEBAHDJQkrl/VzwCd3BD3efksIpJhmQKyzk6z+8R0QlofsF/wRh39vU
16 | FChRQXFOW32F8oeEY4rpUCc0Cw6KU+j3tCWC553GHRgycNKpf4tmN+UjXkjoMJ++
17 | d6I/oOg7fUYmlaosVvI+FdU6vFGx53HS0mHLkJP2ca3i3R+iSpBMHxLJZs0ZRr/3
18 | Q6PbFp785OBJgNWh8y/ySGdc1FDoFfnjiVd28Tef5UVT/mnAYfEVVdFzNn2CrcES
19 | y2oyZypqiD7qKUdT5zIZIvQnblTurpDl/yHEGeETKk40ZREbbIIYZ8QG+wlT7ofy
20 | i62UwkT4efRaZNAoXaYCD+gOBFsHCQ/T8r0=
21 | -----END CERTIFICATE REQUEST-----
22 | 


--------------------------------------------------------------------------------
/pki/kubernetes.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIEmTCCA4GgAwIBAgIUF9UbtsUax1KvtXtE1w5UQP9f6AUwDQYJKoZIhvcNAQEL
 3 | BQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
 4 | aUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5c3RlbTETMBEG
 5 | A1UEAxMKa3ViZXJuZXRlczAeFw0xODAxMTExMzIwMDBaFw0yODAxMDkxMzIwMDBa
 6 | MGwxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlK
 7 | aW5nMRMwEQYDVQQKEwprdWJlcm5ldGVzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNV
 8 | BAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0
 9 | V+McanYTVUmQPvPDpK38IWSlXzh650hZHvXt6t/oLwUF6tE1XMnC3J1+Sc0s2smn
10 | I1xAw8yAv8tXhZHVj4kYQ9YqrpVh3heD3wRe9/Uc/51l8/X5N8HM1ovzyaLT+zva
11 | xzZSX/FOr/8FkGtnCFR0lApsnbqbrzqlCsT4TNPkjdIa7Dl6QqdvYh1aO/EVmEU2
12 | ALjd5NQuCOnP54cNfyjiaVLKS8WHj+deGEaCrj2N2QF97cS7HQxPY4hTtooRK6Aa
13 | 71xj+4+EZlxZUD8fahYIDLrdphP0oy1FvQqUa9l3TpJJaD3QAmrvasHMHNwbpqnY
14 | MCy2OY/Zd7/W6cXZ7eERAgMBAAGjggExMIIBLTAOBgNVHQ8BAf8EBAMCBaAwHQYD
15 | VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
16 | BBYEFBAnbm8KdSzzqT8frZryn4eM/4MsMB8GA1UdIwQYMBaAFEhDwKjrLHge4S/C
17 | O94YI96kI96LMIGtBgNVHREEgaUwgaKCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMu
18 | ZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZh
19 | dWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIu
20 | bG9jYWyHBH8AAAGHBKwRCGWHBKwRCGaHBKwRCGeHBMCoHwGHBAr+AAEwDQYJKoZI
21 | hvcNAQELBQADggEBALr/jUnQNmlln2NoH+SOCnYzlo4y09c4EgsCE0roNzwYHx8K
22 | fnTDaJigZ/JpQxLzv/KKRRNBQCbDEM5vh2cyctxYSpIEXbIZTGQli6W0qQQonRza
23 | 2d9Dtu4aa0waHhEgciWKpj7/pW8j9kr5FZ3YynxV4H5Z9X/A2vClIXVsImk1AyyY
24 | 62C1l0JtB/zkmBfNTvhe8mavWkL/VOogNiw1kDsu1aA5B66lEQ62a4VEwONGhrTe
25 | MZEfdeKv9LIOvzi5vKoK9wpBAplFsl/bqDft+uB08Qtmlrkvton3QGrCjQC6qLm9
26 | jKXh+v9H/SQyBI6YFfEfMODsGFTesvay5A40KLM=
27 | -----END CERTIFICATE-----
28 | 


--------------------------------------------------------------------------------
/pki/scheduler-csr.json:
--------------------------------------------------------------------------------
1 | {"CN":"system:kube-scheduler","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"BeiJing","L":"BeiJing","O":"system:kube-scheduler","OU":"System"}]}


--------------------------------------------------------------------------------
/pki/scheduler-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEowIBAAKCAQEAmzA/HEoKp5/VkV7MpV2Ohx975dQAZJz+Ef+IgzalW6kKAXFh
 3 | h2/8bIcM59atjh9G+lzTWWhzvjmEnZllkx6Ix7t9/sCA0RQ16ms/SXpWg3dwnbJp
 4 | 9vlOKEr8yKrYCB2eFnHVTwPeSByI/Vy2acJdJ+p8gRqUlM1vZW2Rm9tfVopIVBp+
 5 | 9NoBmSefxu3AiQsTyQm8xvd/EYUVDs//RGBo+w9NoL94t8N1Z8l7d4DjEpcWXOAZ
 6 | kHAlsB0g91nCfWVlQZ/N1rK97z8Rs3dzfjwLuNbUoanDaoYdAgBl6okddfIzTyk7
 7 | vgWyj1dRXQ1QdPAqYDF7HeFT/iZEcnyRCxffAQIDAQABAoIBAC2YTEKMgnrjXAUc
 8 | /DVtum1605Uf54moEoHJORuMF6NJk/X+kPAQ9/IO77zB9zX1fI4cbcAsDy2Jiqwf
 9 | IJfL9dXxAUCy4GYNcRXRssNs3TQ9CGpcvANjFhKCjaiLgXNI+GSRx2EyusEnGRyP
10 | e8yw3VvX6gKog5UAksUTHx/SoT00aH7nItvHU6ve/pSJdmdtpfT5o+QPpl8esufM
11 | LPo0226hG0cObfh9bp7FvUzM3vCvZZ529I9E8vJp/IIXZUKCfy1F8+r1ZzqgxljG
12 | uuhnwASO3JS1hSs51RhqnJhqPPJBID6CpLFr6ukfxpUO+mYakIDb07zSD0yNKKcf
13 | JQRgUAECgYEAwEtW9gdEiEKvPoKoz2PRBwSNXZSqDulSqdJut3isViyOn52zIVoR
14 | jd7wuM6nD+X1MiD/nooGzvUz3sAKLsMmKuZW+0Ucg7hN7smhjzqsMya9muRUUK5m
15 | 0mitezpSWEkhRfOSN3QG8e4nqi4W5xRfo1OaGkADKzWxoe0vb0mHsUECgYEAzpnt
16 | HL7qQ9yVdsV1as/KccbKkCCBmliNAyrXrXkCWO6/8JQ8eD8H3rr6cxf4ZOVrJqU/
17 | VBtbp7TnEOPAYfAmLxJsvmam9rAI9jiECXm7NZ67CkgAetksHfalqo08gksdcq/2
18 | ilgbR5bR7OtSeaLeUsDbcS9DllB/8kZxrbwe/cECgYEAuvOEZEXEl0Vd40RcouTE
19 | gDIozmaOv1iQiZKRGcc0pcNEFmLXmQFcN7YcC1C+k3Ja5JW4b4Z6ABPcjh/exn/s
20 | R6ERx9D1XAp/mjxl2j6M1F5B0KlUX+xvAvnKUBfvnu3ab4vTCB7B8cw8u/N7SMZC
21 | BSRumj7J1eSqAmf6yhOO3QECgYAGRfpDMzDd2qbXMmu8UI7vIYApHDOTQjkV7Ykb
22 | BV+i360IWxfy9scAZmEQeZvbRHQaek4P+bywvPd/Ncszrh0atM6EgY10VCgRgenQ
23 | d9fNawJ273TERi/mwQSKxzsdIbbFMr6juMUrSVMahJK+ismBbcW8DBlbSRp5etYc
24 | 1meCgQKBgCrH/9fuKzrXW3G5XZKGrG6+Obh1BbDpy5Mz7d04KWlMOJvrR5Ru7rTI
25 | tC43F1P3/OqcJpWkibWZs6AHgoLaM+wfw5E+naxsDBq5kYWFYTEmhhnAVUwjeMIs
26 | bLePzDPDdif4LPAn7+4EuvsFzJp6qrLMkbH2EgMkuRuOicoH+1Bi
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/pki/scheduler.csr:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE REQUEST-----
 2 | MIICyDCCAbACAQAwgYIxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAw
 3 | DgYDVQQHEwdCZWlKaW5nMR4wHAYDVQQKExVzeXN0ZW06a3ViZS1zY2hlZHVsZXIx
 4 | DzANBgNVBAsTBlN5c3RlbTEeMBwGA1UEAxMVc3lzdGVtOmt1YmUtc2NoZWR1bGVy
 5 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmzA/HEoKp5/VkV7MpV2O
 6 | hx975dQAZJz+Ef+IgzalW6kKAXFhh2/8bIcM59atjh9G+lzTWWhzvjmEnZllkx6I
 7 | x7t9/sCA0RQ16ms/SXpWg3dwnbJp9vlOKEr8yKrYCB2eFnHVTwPeSByI/Vy2acJd
 8 | J+p8gRqUlM1vZW2Rm9tfVopIVBp+9NoBmSefxu3AiQsTyQm8xvd/EYUVDs//RGBo
 9 | +w9NoL94t8N1Z8l7d4DjEpcWXOAZkHAlsB0g91nCfWVlQZ/N1rK97z8Rs3dzfjwL
10 | uNbUoanDaoYdAgBl6okddfIzTyk7vgWyj1dRXQ1QdPAqYDF7HeFT/iZEcnyRCxff
11 | AQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBACNsxd/BJYWJZXjUbRB1z9SObcYC
12 | HlpPcKCyxq4Vyx4AKts0iHP4yi1tSuxR0O0Jxm6N/sXiOjcf/gi1d/vB0Sa1yobH
13 | ajdi4GkCMD6hjrDp1ch5OiOhRf6wjKLDL0afclesu6P/LmsNgH2/H1mRo/R1wgzz
14 | 1vptMr/N+id7wyQaJzXyb+ZBAqWO4p/8z5VcEL1HGlhdSRWl4g6fdQkHVCOhcJ+U
15 | oGeFVGPDmA68Y32/32AHSmu/eZyKm0feDR/OQwEME9UlVRJV6yhwaKx14xH/CQV9
16 | 1NWvEzsrPhYmi38VT5izzjL92feWHNSjhLJC+FtlooPOwTXLlaFGw+k4HZU=
17 | -----END CERTIFICATE REQUEST-----
18 | 


--------------------------------------------------------------------------------
/pki/scheduler.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIID/DCCAuSgAwIBAgIUI8OIeUO9NR5S/7KUWgfSIh0zNdUwDQYJKoZIhvcNAQEL
 3 | BQAwbDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl
 4 | aUppbmcxEzARBgNVBAoTCkt1YmVybmV0ZXMxDzANBgNVBAsTBlN5c3RlbTETMBEG
 5 | A1UEAxMKa3ViZXJuZXRlczAeFw0xODAxMTExNDI3MDBaFw0yODAxMDkxNDI3MDBa
 6 | MIGCMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpSmluZzEQMA4GA1UEBxMHQmVp
 7 | SmluZzEeMBwGA1UEChMVc3lzdGVtOmt1YmUtc2NoZWR1bGVyMQ8wDQYDVQQLEwZT
 8 | eXN0ZW0xHjAcBgNVBAMTFXN5c3RlbTprdWJlLXNjaGVkdWxlcjCCASIwDQYJKoZI
 9 | hvcNAQEBBQADggEPADCCAQoCggEBAJswPxxKCqef1ZFezKVdjocfe+XUAGSc/hH/
10 | iIM2pVupCgFxYYdv/GyHDOfWrY4fRvpc01loc745hJ2ZZZMeiMe7ff7AgNEUNepr
11 | P0l6VoN3cJ2yafb5TihK/Miq2AgdnhZx1U8D3kgciP1ctmnCXSfqfIEalJTNb2Vt
12 | kZvbX1aKSFQafvTaAZknn8btwIkLE8kJvMb3fxGFFQ7P/0RgaPsPTaC/eLfDdWfJ
13 | e3eA4xKXFlzgGZBwJbAdIPdZwn1lZUGfzdayve8/EbN3c348C7jW1KGpw2qGHQIA
14 | ZeqJHXXyM08pO74Fso9XUV0NUHTwKmAxex3hU/4mRHJ8kQsX3wECAwEAAaN/MH0w
15 | DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAM
16 | BgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ78pE0+xLOEfEUsc4H5zBNHuJ1sTAfBgNV
17 | HSMEGDAWgBRIQ8Co6yx4HuEvwjveGCPepCPeizANBgkqhkiG9w0BAQsFAAOCAQEA
18 | SUf1JTwEprT5wyYFe7JbngZlCHcwSeL7nF1E7gpy7q7K4UCighAF6wejt2mGK3Da
19 | 4FZYH08kfyoY710dUS3/4jgo2YRbiLCU184EOJdzNxMZHPWIybXgiKh0lQyekkMW
20 | 6RBWIaa/FVnJMetBB7kAr0BXV8C5C60/E3KMev1XbnIYlWWZghy119FN2M/XrXVA
21 | WFCSf34UCL+59iUBIKy3BymDXOwh3ZFJIQby/Dw3dIIcf6tqQCFZNPGQR/UwIL6r
22 | 9aMqMBHQiWNgKWLvmYsNz+Vl3+5fBU0VMX+zR04K49m727vLKcIO5vax2XXkINJr
23 | eBfVECbM/W7LWyuSgiDZEg==
24 | -----END CERTIFICATE-----
25 | 


--------------------------------------------------------------------------------
/systemd/etcd.service:
--------------------------------------------------------------------------------
 1 | # DO NOT USE THIS FILE
 2 | [Unit]
 3 | Description=Etcd Server
 4 | After=network.target
 5 | After=network-online.target
 6 | Wants=network-online.target
 7 | 
 8 | [Service]
 9 | Type=notify
10 | WorkingDirectory=/var/lib/etcd/
11 | EnvironmentFile=-/etc/etcd/etcd.conf
12 | User=etcd
13 | ExecStart=/usr/bin/etcd --name $ETCD_NAME --data-dir=$ETCD_DATA_DIR --listen-client-urls $ETCD_LISTEN_CLIENT_URLS --advertise-client-urls $ETCD_ADVERTISE_CLIENT_URLS
14 | #ExecStartPost=/etc/etcd/etcd-init.sh
15 | Restart=on-failure
16 | LimitNOFILE=65536
17 | 
18 | [Install]
19 | WantedBy=multi-user.target
20 | 


--------------------------------------------------------------------------------
/systemd/kube-apiserver.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes API Service
 3 | Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 4 | After=network.target
 5 | After=etcd.service
 6 | 
 7 | [Service]
 8 | EnvironmentFile=-/etc/kubernetes/config
 9 | EnvironmentFile=-/etc/kubernetes/apiserver
10 | ExecStart=/usr/bin/kube-apiserver $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_ALLOW_PRIV $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS
11 | Restart=on-failure
12 | Type=notify
13 | LimitNOFILE=65536
14 | 
15 | [Install]
16 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/systemd/kube-controller-manager.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Controller Manager
 3 | Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 4 | 
 5 | [Service]
 6 | EnvironmentFile=-/etc/kubernetes/config
 7 | EnvironmentFile=-/etc/kubernetes/controller-manager
 8 | ExecStart=/usr/bin/kube-controller-manager $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_CONTROLLER_MANAGER_ARGS
 9 | Restart=on-failure
10 | LimitNOFILE=65536
11 | 
12 | [Install]
13 | WantedBy=multi-user.target
14 | 


--------------------------------------------------------------------------------
/systemd/kube-proxy.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Kube-Proxy Server
 3 | Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 4 | After=network.target
 5 | 
 6 | [Service]
 7 | EnvironmentFile=-/etc/kubernetes/config
 8 | EnvironmentFile=-/etc/kubernetes/proxy
 9 | ExecStart=/usr/bin/kube-proxy $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_PROXY_ARGS
10 | Restart=on-failure
11 | LimitNOFILE=65536
12 | 
13 | [Install]
14 | WantedBy=multi-user.target
15 | 


--------------------------------------------------------------------------------
/systemd/kube-scheduler.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Scheduler Plugin
 3 | Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 4 | 
 5 | [Service]
 6 | EnvironmentFile=-/etc/kubernetes/config
 7 | EnvironmentFile=-/etc/kubernetes/scheduler
 8 | ExecStart=/usr/bin/kube-scheduler $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_SCHEDULER_CONF $KUBE_SCHEDULER_ARGS
 9 | Restart=on-failure
10 | LimitNOFILE=65536
11 | 
12 | [Install]
13 | WantedBy=multi-user.target
14 | 


--------------------------------------------------------------------------------
/systemd/kubelet.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Kubelet Server
 3 | Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 4 | After=docker.service
 5 | Requires=docker.service
 6 | 
 7 | [Service]
 8 | WorkingDirectory=/var/lib/kubelet
 9 | EnvironmentFile=-/etc/kubernetes/config
10 | EnvironmentFile=-/etc/kubernetes/kubelet
11 | ExecStart=/usr/bin/kubelet $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBELET_API_SERVER $KUBELET_ADDRESS $KUBELET_PORT $KUBELET_HOSTNAME $KUBE_ALLOW_PRIV $KUBELET_POD_INFRA_CONTAINER $KUBELET_ARGS
12 | Restart=on-failure
13 | 
14 | [Install]
15 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/yaml/admin-role.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1beta1
 3 | metadata:
 4 |   name: admin
 5 |   annotations:
 6 |     rbac.authorization.kubernetes.io/autoupdate: "true"
 7 | roleRef:
 8 |   kind: ClusterRole
 9 |   name: cluster-admin
10 |   apiGroup: rbac.authorization.k8s.io
11 | subjects:
12 | - kind: ServiceAccount
13 |   name: admin
14 |   namespace: kube-system
15 | ---
16 | apiVersion: v1
17 | kind: ServiceAccount
18 | metadata:
19 |   name: admin
20 |   namespace: kube-system
21 |   labels:
22 |     kubernetes.io/cluster-service: "true"
23 |     addonmanager.kubernetes.io/mode: Reconcile
24 | 


--------------------------------------------------------------------------------
/yaml/istio-bookinfo/bookinfo-gateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: Gateway
 3 | metadata:
 4 |   name: bookinfo-gateway
 5 | spec:
 6 |   selector:
 7 |     istio: ingressgateway # use istio default controller
 8 |   servers:
 9 |   - port:
10 |       number: 80
11 |       name: http
12 |       protocol: HTTP
13 |     hosts:
14 |     - "*"
15 | ---
16 | apiVersion: networking.istio.io/v1alpha3
17 | kind: VirtualService
18 | metadata:
19 |   name: bookinfo
20 | spec:
21 |   hosts:
22 |   - "*"
23 |   gateways:
24 |   - bookinfo-gateway
25 |   http:
26 |   - match:
27 |     - uri:
28 |         exact: /productpage
29 |     - uri:
30 |         exact: /login
31 |     - uri:
32 |         exact: /logout
33 |     - uri:
34 |         prefix: /api/v1/products
35 |     route:
36 |     - destination:
37 |         host: productpage
38 |         port:
39 |           number: 9080
40 | 


--------------------------------------------------------------------------------
/yaml/istio-bookinfo/bookinfo.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright 2017 Istio Authors
  2 | #
  3 | #   Licensed under the Apache License, Version 2.0 (the "License");
  4 | #   you may not use this file except in compliance with the License.
  5 | #   You may obtain a copy of the License at
  6 | #
  7 | #       http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | #   Unless required by applicable law or agreed to in writing, software
 10 | #   distributed under the License is distributed on an "AS IS" BASIS,
 11 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | #   See the License for the specific language governing permissions and
 13 | #   limitations under the License.
 14 | 
 15 | ##################################################################################################
 16 | # Details service
 17 | ##################################################################################################
 18 | apiVersion: v1
 19 | kind: Service
 20 | metadata:
 21 |   name: details
 22 |   labels:
 23 |     app: details
 24 | spec:
 25 |   ports:
 26 |   - port: 9080
 27 |     name: http
 28 |   selector:
 29 |     app: details
 30 | ---
 31 | apiVersion: extensions/v1beta1
 32 | kind: Deployment
 33 | metadata:
 34 |   name: details-v1
 35 | spec:
 36 |   replicas: 1
 37 |   template:
 38 |     metadata:
 39 |       labels:
 40 |         app: details
 41 |         version: v1
 42 |     spec:
 43 |       containers:
 44 |       - name: details
 45 |         image: istio/examples-bookinfo-details-v1:1.8.0
 46 |         imagePullPolicy: IfNotPresent
 47 |         ports:
 48 |         - containerPort: 9080
 49 | ---
 50 | ##################################################################################################
 51 | # Ratings service
 52 | ##################################################################################################
 53 | apiVersion: v1
 54 | kind: Service
 55 | metadata:
 56 |   name: ratings
 57 |   labels:
 58 |     app: ratings
 59 | spec:
 60 |   ports:
 61 |   - port: 9080
 62 |     name: http
 63 |   selector:
 64 |     app: ratings
 65 | ---
 66 | apiVersion: extensions/v1beta1
 67 | kind: Deployment
 68 | metadata:
 69 |   name: ratings-v1
 70 | spec:
 71 |   replicas: 1
 72 |   template:
 73 |     metadata:
 74 |       labels:
 75 |         app: ratings
 76 |         version: v1
 77 |     spec:
 78 |       containers:
 79 |       - name: ratings
 80 |         image: istio/examples-bookinfo-ratings-v1:1.8.0
 81 |         imagePullPolicy: IfNotPresent
 82 |         ports:
 83 |         - containerPort: 9080
 84 | ---
 85 | ##################################################################################################
 86 | # Reviews service
 87 | ##################################################################################################
 88 | apiVersion: v1
 89 | kind: Service
 90 | metadata:
 91 |   name: reviews
 92 |   labels:
 93 |     app: reviews
 94 | spec:
 95 |   ports:
 96 |   - port: 9080
 97 |     name: http
 98 |   selector:
 99 |     app: reviews
100 | ---
101 | apiVersion: extensions/v1beta1
102 | kind: Deployment
103 | metadata:
104 |   name: reviews-v1
105 | spec:
106 |   replicas: 1
107 |   template:
108 |     metadata:
109 |       labels:
110 |         app: reviews
111 |         version: v1
112 |     spec:
113 |       containers:
114 |       - name: reviews
115 |         image: istio/examples-bookinfo-reviews-v1:1.8.0
116 |         imagePullPolicy: IfNotPresent
117 |         ports:
118 |         - containerPort: 9080
119 | ---
120 | apiVersion: extensions/v1beta1
121 | kind: Deployment
122 | metadata:
123 |   name: reviews-v2
124 | spec:
125 |   replicas: 1
126 |   template:
127 |     metadata:
128 |       labels:
129 |         app: reviews
130 |         version: v2
131 |     spec:
132 |       containers:
133 |       - name: reviews
134 |         image: istio/examples-bookinfo-reviews-v2:1.8.0
135 |         imagePullPolicy: IfNotPresent
136 |         ports:
137 |         - containerPort: 9080
138 | ---
139 | apiVersion: extensions/v1beta1
140 | kind: Deployment
141 | metadata:
142 |   name: reviews-v3
143 | spec:
144 |   replicas: 1
145 |   template:
146 |     metadata:
147 |       labels:
148 |         app: reviews
149 |         version: v3
150 |     spec:
151 |       containers:
152 |       - name: reviews
153 |         image: istio/examples-bookinfo-reviews-v3:1.8.0
154 |         imagePullPolicy: IfNotPresent
155 |         ports:
156 |         - containerPort: 9080
157 | ---
158 | ##################################################################################################
159 | # Productpage services
160 | ##################################################################################################
161 | apiVersion: v1
162 | kind: Service
163 | metadata:
164 |   name: productpage
165 |   labels:
166 |     app: productpage
167 | spec:
168 |   ports:
169 |   - port: 9080
170 |     name: http
171 |   selector:
172 |     app: productpage
173 | ---
174 | apiVersion: extensions/v1beta1
175 | kind: Deployment
176 | metadata:
177 |   name: productpage-v1
178 | spec:
179 |   replicas: 1
180 |   template:
181 |     metadata:
182 |       labels:
183 |         app: productpage
184 |         version: v1
185 |     spec:
186 |       containers:
187 |       - name: productpage
188 |         image: istio/examples-bookinfo-productpage-v1:1.8.0
189 |         imagePullPolicy: IfNotPresent
190 |         ports:
191 |         - containerPort: 9080
192 | ---
193 | 


--------------------------------------------------------------------------------
/yaml/istio-bookinfo/destination-rule-all.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: DestinationRule
 3 | metadata:
 4 |   name: productpage
 5 | spec:
 6 |   host: productpage
 7 |   subsets:
 8 |   - name: v1
 9 |     labels:
10 |       version: v1
11 | ---
12 | apiVersion: networking.istio.io/v1alpha3
13 | kind: DestinationRule
14 | metadata:
15 |   name: reviews
16 | spec:
17 |   host: reviews
18 |   subsets:
19 |   - name: v1
20 |     labels:
21 |       version: v1
22 |   - name: v2
23 |     labels:
24 |       version: v2
25 |   - name: v3
26 |     labels:
27 |       version: v3
28 | ---
29 | apiVersion: networking.istio.io/v1alpha3
30 | kind: DestinationRule
31 | metadata:
32 |   name: ratings
33 | spec:
34 |   host: ratings
35 |   subsets:
36 |   - name: v1
37 |     labels:
38 |       version: v1
39 |   - name: v2
40 |     labels:
41 |       version: v2
42 |   - name: v2-mysql
43 |     labels:
44 |       version: v2-mysql
45 |   - name: v2-mysql-vm
46 |     labels:
47 |       version: v2-mysql-vm
48 | ---
49 | apiVersion: networking.istio.io/v1alpha3
50 | kind: DestinationRule
51 | metadata:
52 |   name: details
53 | spec:
54 |   host: details
55 |   subsets:
56 |   - name: v1
57 |     labels:
58 |       version: v1
59 |   - name: v2
60 |     labels:
61 |       version: v2
62 | ---
63 | 


--------------------------------------------------------------------------------
/yaml/nginx-deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: my-nginx
 5 | spec:
 6 |   replicas: 2
 7 |   template:
 8 |     metadata:
 9 |       labels:
10 |         run: my-nginx
11 |     spec:
12 |       containers:
13 |       - name: my-nginx
14 |         image: nginx:1.9
15 |         ports:
16 |         - containerPort: 80
17 | ---
18 | apiVersion: v1
19 | kind: Service
20 | metadata:
21 |   name: my-nginx
22 |   labels:
23 |     app: my-nginx
24 | spec:
25 |   ports:
26 |   - port: 80
27 |     protocol: TCP
28 |     name: http
29 |   selector:
30 |     run: my-nginx
31 | 


--------------------------------------------------------------------------------
/yum/CentOS7-Base-163.repo:
--------------------------------------------------------------------------------
 1 | # CentOS-Base.repo
 2 | #
 3 | # The mirror system uses the connecting IP address of the client and the
 4 | # update status of each mirror to pick mirrors that are updated to and
 5 | # geographically close to the client.  You should use this for CentOS updates
 6 | # unless you are manually picking other mirrors.
 7 | #
 8 | # If the mirrorlist= does not work for you, as a fall back you can try the 
 9 | # remarked out baseurl= line instead.
10 | #
11 | #
12 | [base]
13 | name=CentOS-$releasever - Base - 163.com
14 | #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
15 | baseurl=http://mirrors.163.com/centos/$releasever/os/$basearch/
16 | gpgcheck=1
17 | gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
18 | 
19 | #released updates
20 | [updates]
21 | name=CentOS-$releasever - Updates - 163.com
22 | #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
23 | baseurl=http://mirrors.163.com/centos/$releasever/updates/$basearch/
24 | gpgcheck=1
25 | gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
26 | 
27 | #additional packages that may be useful
28 | [extras]
29 | name=CentOS-$releasever - Extras - 163.com
30 | #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
31 | baseurl=http://mirrors.163.com/centos/$releasever/extras/$basearch/
32 | gpgcheck=1
33 | gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
34 | 
35 | #additional packages that extend functionality of existing packages
36 | [centosplus]
37 | name=CentOS-$releasever - Plus - 163.com
38 | baseurl=http://mirrors.163.com/centos/$releasever/centosplus/$basearch/
39 | gpgcheck=1
40 | enabled=0
41 | gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
42 | 


--------------------------------------------------------------------------------