From 5369235235cddfaa9d991adf7e3e1956c35def24 Mon Sep 17 00:00:00 2001 From: Solomon Jacobs Date: Sun, 10 Sep 2023 13:39:17 +0200 Subject: [PATCH] deploy: delete manifests The manifests are not up-to-date and using them for installation is not supported. Change-Id: Id5d616c53be9ea39a317300db10aa6c0230a7d38 --- deploy/kubernetes/00_namespace.yaml | 5 - deploy/kubernetes/README.rst | 20 -- deploy/kubernetes/checkmk-serviceaccount.yaml | 53 ---- deploy/kubernetes/cluster-collector.yaml | 140 --------- deploy/kubernetes/ingress.yaml | 19 -- deploy/kubernetes/network-policy.yaml | 95 ------ deploy/kubernetes/node-collector.yaml | 279 ------------------ deploy/kubernetes/pod-security-policy.yaml | 76 ----- deploy/kubernetes/secret.yaml | 14 - deploy/kubernetes/service.yaml | 36 --- 10 files changed, 737 deletions(-) delete mode 100644 deploy/kubernetes/00_namespace.yaml delete mode 100644 deploy/kubernetes/README.rst delete mode 100644 deploy/kubernetes/checkmk-serviceaccount.yaml delete mode 100644 deploy/kubernetes/cluster-collector.yaml delete mode 100644 deploy/kubernetes/ingress.yaml delete mode 100644 deploy/kubernetes/network-policy.yaml delete mode 100644 deploy/kubernetes/node-collector.yaml delete mode 100644 deploy/kubernetes/pod-security-policy.yaml delete mode 100644 deploy/kubernetes/secret.yaml delete mode 100644 deploy/kubernetes/service.yaml diff --git a/deploy/kubernetes/00_namespace.yaml b/deploy/kubernetes/00_namespace.yaml deleted file mode 100644 index e1244b0..0000000 --- a/deploy/kubernetes/00_namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: checkmk-monitoring diff --git a/deploy/kubernetes/README.rst b/deploy/kubernetes/README.rst deleted file mode 100644 index 32fc04a..0000000 --- a/deploy/kubernetes/README.rst +++ /dev/null 
@@ -1,20 +0,0 @@ -============================================== -Checkmk Kubernetes Cluster and Node Collectors -============================================== - -You can deploy the Checkmk Kubernetes Cluster and Node Collectors using the manifests here. -Note: We recommend using Helm charts as they are less error-prone. We do not provide support for installation via manifests. - -Installation --------- - -Detailed instructions can be found in our `official docs`_. - - -Support policy --------- - -Please read our `official docs`_ for information regarding supported Kubernetes versions -and supported Kubernetes distros. - -.. _official docs: https://docs.checkmk.com/latest/en/monitoring_kubernetes.html \ No newline at end of file diff --git a/deploy/kubernetes/checkmk-serviceaccount.yaml b/deploy/kubernetes/checkmk-serviceaccount.yaml deleted file mode 100644 index 2a61093..0000000 --- a/deploy/kubernetes/checkmk-serviceaccount.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: checkmk - namespace: checkmk-monitoring ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: checkmk-metrics-reader -rules: - - apiGroups: - - "" # core API group - - apps - - batch - - autoscaling - resources: - - nodes - - nodes/proxy - - pods - - deployments - - replicasets - - jobs - - daemonsets - - statefulsets - - cronjobs - - services - - endpoints - - ingresses - - persistentvolumes - - persistentvolumeclaims - - storageclasses - - horizontalpodautoscalers - - replicasets - - namespaces - - resourcequotas - verbs: - - "get" - - "list" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: checkmk-metrics-reader-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: checkmk-metrics-reader -subjects: - - kind: ServiceAccount - name: checkmk - namespace: checkmk-monitoring 
diff --git a/deploy/kubernetes/cluster-collector.yaml b/deploy/kubernetes/cluster-collector.yaml
deleted file mode 100644
index ed2e0e9..0000000
--- a/deploy/kubernetes/cluster-collector.yaml
+++ /dev/null
@@ -1,140 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: cluster-collector - name: cluster-collector - namespace: checkmk-monitoring ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: checkmk-cluster-collector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: checkmk-collectors-podsecurity -subjects: - - kind: ServiceAccount - name: cluster-collector - namespace: checkmk-monitoring ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: checkmk-token-review -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: cluster-collector - namespace: checkmk-monitoring ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/pod: runtime/default - name: cluster-collector - namespace: checkmk-monitoring - labels: - app: cluster-collector -spec: - replicas: 1 - selector: - matchLabels: - app: cluster-collector - template: - metadata: - labels: - app: cluster-collector - spec: - containers: - - name: cluster-collector - # You can find available images on - # https://hub.docker.com/r/checkmk/kubernetes-collector/tags - image: checkmk/kubernetes-collector:main_ - imagePullPolicy: Always - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # HTTPS: Uncomment volumeMounts for cluster-collector-key and - # cluster-collector-cert HTTPS - volumeMounts: - # - name: cluster-collector-key - # mountPath: /etc/ca-certificates/cluster-collector-key.pem - # subPath: cluster-collector-key.pem - # readOnly: true - # - name: cluster-collector-cert - # mountPath: /etc/ca-certificates/cluster-collector-cert.pem - # subPath: cluster-collector-cert.pem - # readOnly: true - # gunicorn needs a writeable /tmp and runs best with ram backed /tmp - # 
https://docs.gunicorn.org/en/latest/faq.html#blocking-os-fchmod - - name: tmp - mountPath: /tmp - livenessProbe: - httpGet: - path: /health - port: api - httpHeaders: - - name: status - value: available - # HTTP/HTTPS: Change scheme accordingly - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - command: - - "/usr/local/bin/checkmk-cluster-collector" - # HTTPS: Uncomment ssl-keyfile, ssl-certfile, secure-protocol in args - args: - - "--host=0.0.0.0" - - "--reader-whitelist=checkmk-monitoring:checkmk" - - "--writer-whitelist=checkmk-monitoring:node-collector-container-metrics,checkmk-monitoring:node-collector-machine-sections" - # - "--ssl-keyfile=/etc/ca-certificates/cluster-collector-key.pem" - # - "--ssl-certfile=/etc/ca-certificates/cluster-collector-cert.pem" - # - "--secure-protocol" - ports: - - containerPort: 10050 - name: api - protocol: TCP - resources: - limits: - cpu: 300m - memory: 2000Mi - requests: - cpu: 150m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - serviceAccountName: cluster-collector - # HTTPS: Uncomment volumes cluster-collector-key and -cert - volumes: - - name: tmp - emptyDir: - medium: Memory - # - name: cluster-collector-key - # secret: - # secretName: cluster-collector-secret - # items: - # - key: cluster-collector-key - # path: cluster-collector-key.pem - # - name: cluster-collector-cert - # secret: - # secretName: cluster-collector-secret - # items: - # - key: cluster-collector-cert - # path: cluster-collector-cert.pem diff --git a/deploy/kubernetes/ingress.yaml b/deploy/kubernetes/ingress.yaml deleted file mode 100644 index c38f008..0000000 --- a/deploy/kubernetes/ingress.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: checkmk-cluster-collector - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - host: checkmk-cluster-collector - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: cluster-collector - port: - number: 80
diff --git a/deploy/kubernetes/network-policy.yaml b/deploy/kubernetes/network-policy.yaml
deleted file mode 100644
index 678b00c..0000000
--- a/deploy/kubernetes/network-policy.yaml
+++ /dev/null
@@ -1,95 +0,0 @@ ---- -# Deny all incoming/outgoing traffic to/from cluster-collector -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: deny-ingress-egress-cluster-collector-policy - namespace: checkmk-monitoring -spec: - podSelector: - matchLabels: - app: cluster-collector - policyTypes: - - Ingress - - Egress - ingress: [] - egress: [] ---- -# Deny all incoming/outgoing traffic to/from node-collector -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: deny-ingress-egress-node-collector-policy - namespace: checkmk-monitoring -spec: - podSelector: - matchLabels: - app: node-collector - policyTypes: - - Ingress - - Egress - ingress: [] - egress: [] ---- -# Allow incoming traffic from node-collector to cluster-collector -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-cluster-collector - namespace: checkmk-monitoring -spec: - podSelector: - matchLabels: - app: cluster-collector - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - name: checkmk-monitoring - podSelector: - matchLabels: - app: node-collector ---- -# Allow outgoing traffic from node-collector to cluster-collector -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-egress-node-collector - namespace: checkmk-monitoring -spec: - podSelector: - matchLabels: - app: node-collector - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - name: checkmk-monitoring - podSelector: - matchLabels: - app: cluster-collector ---- -# Allow traffic from Checkmk monitoring server -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-from-checkmk-server - namespace: checkmk-monitoring -spec: - podSelector: - matchLabels: - app: cluster-collector - policyTypes: - - Ingress - ingress: - - from: - - ipBlock: - # Node IP of the cluster-colletor pod or the metallb pod - cidr: '127.0.0.1/24' - - ipBlock: - # Checkmk IP - 
cidr: '127.0.0.1/32'
diff --git a/deploy/kubernetes/node-collector.yaml b/deploy/kubernetes/node-collector.yaml
deleted file mode 100644
index 5e3e1ba..0000000
--- a/deploy/kubernetes/node-collector.yaml
+++ /dev/null
@@ -1,279 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: node-collector-machine-sections - name: node-collector-machine-sections - namespace: checkmk-monitoring ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: node-collector-container-metrics - name: node-collector-container-metrics - namespace: checkmk-monitoring ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: node-collector-container-metrics-clusterrole -rules: - - apiGroups: - - policy - resourceNames: - - node-collector-container-metrics-podsecuritypolicy - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - labels: - app: node-collector-container-metrics - name: node-collector-container-metrics-podsecuritypolicy -spec: - allowedHostPaths: - - pathPrefix: /var/run - readOnly: false - - pathPrefix: /sys - readOnly: true - - pathPrefix: /var/lib/docker - readOnly: true - - pathPrefix: /etc/ca-certificates/ - readOnly: true - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - "hostPath" - - "secret" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: node-collector-container-metrics - name: node-collector-container-metrics-cluterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: node-collector-container-metrics-clusterrole -subjects: - - kind: ServiceAccount - name: node-collector-container-metrics - namespace: checkmk-monitoring ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/pod: runtime/default - labels: - app: node-collector-container-metrics - # This label allows checkmk to identify the node-collector. Removing or modifying this label - # is supported, but will remove features related to this label. 
- node-collector: "container-metrics" - name: node-collector-container-metrics - namespace: checkmk-monitoring -spec: - selector: - matchLabels: - app: node-collector-container-metrics - name: node-collector-container-metrics - minReadySeconds: 15 - template: - metadata: - labels: - app: node-collector-container-metrics - name: node-collector-container-metrics - spec: - containers: - # You can find available images on - # https://hub.docker.com/r/checkmk/kubernetes-collector/tags - - image: checkmk/kubernetes-collector:main_ - imagePullPolicy: Always - name: container-metrics-collector - # HTTPS: Uncomment volumeMounts checkmk-ca-cert for HTTPS - # volumeMounts: - # - name: checkmk-ca-cert - # mountPath: /etc/ca-certificates/checkmk-ca-cert.pem - # subPath: checkmk-ca-cert.pem - # readOnly: true - command: - - "/usr/local/bin/checkmk-container-metrics-collector" - # HTTPS: Uncomment secure-protocl and verify-ssl args for HTTP - args: - # - "--secure-protocol" - # - "--verify-ssl" - # host DNS can be determined as: - # . 
- - "--host=cluster-collector.checkmk-monitoring" - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - resources: - limits: - cpu: 300m - memory: 200Mi - requests: - cpu: 150m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - # You can find available images on - # https://hub.docker.com/r/checkmk/cadvisor-patched/tags - - image: checkmk/cadvisor-patched:main_ - imagePullPolicy: Always - name: cadvisor - command: - - "/usr/bin/cadvisor" - args: - - "--housekeeping_interval=30s" - - "--max_housekeeping_interval=35s" - - "--event_storage_event_limit=default=0" - - "--event_storage_age_limit=default=0" - - "--store_container_labels=false" - - "--whitelisted_container_labels=io.kubernetes.container.name,io.kubernetes.pod.name,io.kubernetes.pod.namespace,io.kubernetes.pod.uid" - - "--global_housekeeping_interval=30s" - - "--event_storage_event_limit=default=0" - - "--event_storage_age_limit=default=0" - - "--disable_metrics=percpu,process,sched,tcp,udp,diskIO,disk,network" - - "--allow_dynamic_housekeeping=true" - - "--storage_duration=1m0s" - resources: - limits: - cpu: 300m - memory: 200Mi - requests: - cpu: 150m - memory: 200Mi - volumeMounts: - - name: var-run - mountPath: /var/run - # TODO: - # readOnly: true - - name: sys - mountPath: /sys - readOnly: true - - name: docker - mountPath: /var/lib/docker - readOnly: true - serviceAccountName: node-collector-container-metrics - # automountServiceAccountToken: false - # TODO: - # https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - terminationGracePeriodSeconds: 30 - # HTTPS: Uncomment volume checkmk-ca-cert for HTTPS - volumes: - # - name: checkmk-ca-cert - # secret: - # secretName: cluster-collector-secret - # items: - # - key: checkmk-ca-cert - # path: 
checkmk-ca-cert.pem - - name: var-run - hostPath: - path: /var/run - - name: sys - hostPath: - path: /sys - - name: docker - hostPath: - path: /var/lib/docker ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/pod: runtime/default - labels: - app: node-collector-machine-sections - # This label allows checkmk to identify the node-collector. Removing or modifying this label - # is supported, but will remove features related to this label. - node-collector: "machine-sections" - name: node-collector-machine-sections - namespace: checkmk-monitoring -spec: - selector: - matchLabels: - app: node-collector-machine-sections - name: node-collector-machine-sections - minReadySeconds: 15 - template: - metadata: - labels: - app: node-collector-machine-sections - name: node-collector-machine-sections - spec: - containers: - # You can find available images on - # https://hub.docker.com/r/checkmk/kubernetes-collector/tags - - image: checkmk/kubernetes-collector:main_ - imagePullPolicy: Always - name: machine-sections-collector - # HTTPS: Uncomment volumeMounts checkmk-ca-cert for HTTPS - # volumeMounts: - # - name: checkmk-ca-cert - # mountPath: /etc/ca-certificates/checkmk-ca-cert.pem - # subPath: checkmk-ca-cert.pem - # readOnly: true - command: - - "/usr/local/bin/checkmk-machine-sections-collector" - # HTTPS: Uncomment secure-protocl and verify-ssl args for HTTP - args: - # - "--secure-protocol" - # - "--verify-ssl" - # host DNS can be determined as: - # . 
- - "--host=cluster-collector.checkmk-monitoring" - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - resources: - limits: - cpu: 300m - memory: 200Mi - requests: - cpu: 150m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - serviceAccountName: node-collector-machine-sections - terminationGracePeriodSeconds: 30 - # HTTPS: Uncomment volume checkmk-ca-cert for HTTPS - # volumes: - # - name: checkmk-ca-cert - # secret: - # secretName: cluster-collector-secret - # items: - # - key: checkmk-ca-cert - # path: checkmk-ca-cert.pem diff --git a/deploy/kubernetes/pod-security-policy.yaml b/deploy/kubernetes/pod-security-policy.yaml deleted file mode 100644 index 87b1fcc..0000000 --- a/deploy/kubernetes/pod-security-policy.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: checkmk-monitoring - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: >- - docker/default,runtime/default - apparmor.security.beta.kubernetes.io/allowedProfileNames: >- - runtime/default - apparmor.security.beta.kubernetes.io/defaultProfileName: >- - runtime/default -spec: - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - runAsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - defaultAllowPrivilegeEscalation: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - requiredDropCapabilities: [ALL] - allowedCapabilities: [] - privileged: false - hostIPC: false - hostPID: false - hostNetwork: false - hostPorts: - - min: 0 - max: 65535 - volumes: - - secret - - emptyDir ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: checkmk-collectors-podsecurity -rules: - - apiGroups: - - policy - resourceNames: - - checkmk-monitoring - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: node-collector-machine-sections - name: node-collector-machine-sections-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: checkmk-collectors-podsecurity -subjects: - - kind: ServiceAccount - name: node-collector-machine-sections - namespace: checkmk-monitoring diff --git a/deploy/kubernetes/secret.yaml b/deploy/kubernetes/secret.yaml deleted file mode 100644 index 1137f9c..0000000 --- a/deploy/kubernetes/secret.yaml +++ /dev/null 
@@ -1,14 +0,0 @@
---- -apiVersion: v1 -kind: Secret -metadata: - name: cluster-collector-secret - namespace: checkmk-monitoring -data: - # Secret must be a base64 encoded string. Use 'echo -n "STRING" | base64' - cluster-collector-key: | - ABC - cluster-collector-cert: | - ABC - checkmk-ca-cert: | - ABC
diff --git a/deploy/kubernetes/service.yaml b/deploy/kubernetes/service.yaml
deleted file mode 100644
index a6207a9..0000000
--- a/deploy/kubernetes/service.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
---- -apiVersion: v1 -kind: Service -metadata: - name: cluster-collector - namespace: checkmk-monitoring - labels: - app: cluster-collector -spec: - ports: - - name: api - port: 80 - targetPort: 10050 - protocol: TCP - # If ingress is used: - # type: LoadBalancer - selector: - app: cluster-collector ---- -apiVersion: v1 -kind: Service -metadata: - name: cluster-collector-nodeport - namespace: checkmk-monitoring - labels: - app: cluster-collector -spec: - type: NodePort - ports: - - name: cluster-collector - port: 30035 - nodePort: 30035 - targetPort: 10050 - protocol: TCP - selector: - app: cluster-collector