# sourced from https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.7.1/components.yaml --- apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: k8s-app: metrics-server rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" name: system:aggregated-metrics-reader rules: - apiGroups: - metrics.k8s.io resources: - pods - nodes verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: k8s-app: metrics-server name: system:metrics-server rules: - apiGroups: - "" resources: - nodes/metrics verbs: - get - apiGroups: - "" resources: - pods - nodes verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: k8s-app: metrics-server name: metrics-server-auth-reader namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: k8s-app: metrics-server name: metrics-server:system:auth-delegator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: k8s-app: metrics-server name: system:metrics-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:metrics-server subjects: - kind: ServiceAccount name: metrics-server namespace: kube-system --- apiVersion: v1 kind: Service metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system spec: ports: - name: https port: 443 protocol: TCP targetPort: https selector: k8s-app: metrics-server --- apiVersion: apps/v1 kind: Deployment metadata: labels: k8s-app: metrics-server name: metrics-server namespace: kube-system spec: replicas: 2 selector: matchLabels: k8s-app: metrics-server template: metadata: labels: k8s-app: metrics-server spec: containers: - args: - --secure-port=4443 - --kubelet-use-node-status-port - --metric-resolution=15s - --kubelet-preferred-address-types={{ if or IsIPv6Only (not (eq GetCloudProvider "aws"))}}InternalIP{{ else }}Hostname{{ end }} {{ if not (WithDefaultBool .MetricsServer.Insecure true) }} - --tls-cert-file=/srv/tls.crt - --tls-private-key-file=/srv/tls.key {{ else }} - --cert-dir=/tmp {{ end }} {{ if WithDefaultBool .MetricsServer.Insecure true }} - --kubelet-insecure-tls {{ end }} image: {{ or .MetricsServer.Image "registry.k8s.io/metrics-server/metrics-server:v0.7.2" }} imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /livez port: https scheme: HTTPS periodSeconds: 10 name: metrics-server ports: - containerPort: 4443 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: https scheme: HTTPS initialDelaySeconds: 20 periodSeconds: 10 resources: requests: cpu: 100m memory: 200Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault volumeMounts: {{ if not (WithDefaultBool .MetricsServer.Insecure true) }} - name: certs mountPath: /srv {{ end }} - mountPath: /tmp name: tmp-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical serviceAccountName: metrics-server topologySpreadConstraints: - maxSkew: 1 topologyKey: "topology.kubernetes.io/zone" whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: k8s-app: metrics-server - maxSkew: 1 topologyKey: "kubernetes.io/hostname" whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: k8s-app: metrics-server volumes: {{ if not (WithDefaultBool .MetricsServer.Insecure true) }} - name: certs secret: secretName: metrics-server-tls {{ end }} - emptyDir: {} name: tmp-dir --- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: {{ if not (WithDefaultBool .MetricsServer.Insecure true) }} annotations: cert-manager.io/inject-ca-from: kube-system/metrics-server {{ end }} labels: k8s-app: metrics-server name: v1beta1.metrics.k8s.io spec: group: metrics.k8s.io groupPriorityMinimum: 100 {{ if WithDefaultBool .MetricsServer.Insecure true }} insecureSkipTLSVerify: true {{ end }} service: name: metrics-server namespace: kube-system version: v1beta1 versionPriority: 100 --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: metrics-server namespace: kube-system labels: k8s-app: metrics-server spec: minAvailable: 1 selector: matchLabels: k8s-app: metrics-server {{ if not (WithDefaultBool .MetricsServer.Insecure true) }} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: metrics-server namespace: kube-system spec: secretName: metrics-server-tls duration: 2160h renewBefore: 360h usages: - server auth dnsNames: - metrics-server.kube-system.svc issuerRef: name: metrics-server.addons.k8s.io kind: Issuer {{ end }}