Last active
June 18, 2018 17:49
OpenShift 3.6 Development Environment w/RBAC
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: datadog
rules:
- nonResourceURLs:
  - "/version"  # Used to get apiserver version metadata
  - "/healthz"  # Healthcheck
  verbs: ["get"]
- apiGroups: [""]
  resources:
  - "nodes"
  - "namespaces"
  - "events"    # Cluster events + kube_service cache invalidation
  - "services"  # kube_service tag
  verbs: ["get", "list"]
- apiGroups: [""]
  resources:
  - "configmaps"
  resourceNames: ["datadog-leader-elector"]
  verbs: ["get", "delete", "update"]
- apiGroups: [""]
  resources:
  - "configmaps"
  verbs: ["create"]
```
```yaml
# Your admin user needs the same permissions to be able to grant them
# Easiest way is to bind your user to the cluster-admin role
# See https://cloud.google.com/container-engine/docs/role-based-access-control#setting_up_role-based_access_control
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: datadog
subjects:
- kind: ServiceAccount
  name: datadog
  namespace: default
roleRef:
  kind: ClusterRole
  name: datadog
  apiGroup: rbac.authorization.k8s.io
```
```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: datadog-agent
spec:
  selector:
    matchLabels:
      name: datadog-agent
  template:
    metadata:
      labels:
        app: datadog-agent
        name: datadog-agent
      name: datadog-agent
    spec:
      # nodeSelector sits in the same pod spec as the containers; a second
      # "spec:" key here would be a duplicate mapping key.
      nodeSelector:
        label: local
      serviceAccountName: datadog
      containers:
      - image: datadog/agent:latest
        imagePullPolicy: Always
        name: datadog-agent
        ports:
        - containerPort: 8125
          name: dogstatsdport
          protocol: UDP
        - containerPort: 8126
          name: traceport
          protocol: TCP
        env:
        - name: DD_API_KEY
          value: <YOUR_API_KEY>
        - name: DD_COLLECT_KUBERNETES_EVENTS
          value: "true"
        - name: DD_LEADER_ELECTION
          value: "true"
        - name: KUBERNETES
          value: "yes"
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "512Mi"
            cpu: "250m"
        volumeMounts:
        - name: dockersocket
          mountPath: /var/run/docker.sock
        - name: procdir
          mountPath: /host/proc
          readOnly: true
        - name: cgroups
          mountPath: /host/sys/fs/cgroup
          readOnly: true
        livenessProbe:
          exec:
            command:
            - ./probe.sh
          initialDelaySeconds: 15
          periodSeconds: 5
      volumes:
      - hostPath:
          path: /var/run/docker.sock
        name: dockersocket
      - hostPath:
          path: /proc
        name: procdir
      - hostPath:
          path: /sys/fs/cgroup
        name: cgroups
```
```yaml
# You need to use that account for your dd-agent DaemonSet
apiVersion: v1
kind: ServiceAccount
metadata:
  name: datadog
automountServiceAccountToken: true
```
Minishift specific instructions

Start minishift with the --metrics flag

```sh
minishift start --vm-driver=virtualbox --metrics
```

Label the default node with local

```sh
oc label node localhost label=local
```

Installing the Container via DaemonSet

Ensure that the current namespace is 'default'

```sh
oc project default
```

Create the Datadog ServiceAccount

```sh
oc create -f service-account.yaml
```

Apply the privileged scc to the Datadog ServiceAccount

```sh
oc adm policy add-scc-to-user privileged -n default -z datadog
```

Create the Datadog ClusterRole which provides access to the various objects required to gather metrics

```sh
oc create -f cluster-role.yaml
```

Create the ClusterRoleBinding to map the ClusterRole to the ServiceAccount

```sh
oc create -f clusterrole-binding.yaml
```

Create the DaemonSet which instructs the scheduler to run 1 instance of the Datadog Agent container on each kubelet

```sh
oc create -f dd-agent.yaml
```
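To see what the `datadog` ClusterRole above actually grants, the following added example (not part of the original gist or of Datadog's code) evaluates sample requests against its rules offline. It shows that `get`, `delete` and `update` on configmaps are pinned to `datadog-leader-elector`, while `create` applies to any configmap name, because RBAC cannot restrict `create` by `resourceNames`. The rule list is transcribed from the page; the function names and sample requests are assumptions, and matching is simplified to exact values plus the `*` wildcard.

```python
# Rules transcribed from the ClusterRole on this page.
DATADOG_RULES = [
    {"nonResourceURLs": ["/version", "/healthz"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes", "namespaces", "events", "services"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["datadog-leader-elector"], "verbs": ["get", "delete", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
]

def _has(values, wanted):
    """True if the rule field lists the wanted value or the '*' wildcard."""
    return "*" in values or wanted in values

def rule_allows(rule, verb, group=None, resource=None, name=None, url=None):
    """Check one RBAC rule against one request (hypothetical helper)."""
    if not _has(rule.get("verbs", []), verb):
        return False
    if url is not None:  # non-resource request such as /healthz
        return _has(rule.get("nonResourceURLs", []), url)
    if not (_has(rule.get("apiGroups", []), group)
            and _has(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list matches every object; a non-empty one
    # only matches requests that carry one of the listed names.
    return not names or name in names

def allowed(rules, verb, group=None, resource=None, name=None, url=None):
    """RBAC is additive: a request is allowed if any rule matches it."""
    return any(rule_allows(r, verb, group, resource, name, url) for r in rules)

# Constructed sample requests for the audit.
SAMPLE_REQUESTS = [
    {"verb": "list", "group": "", "resource": "nodes"},
    {"verb": "get", "group": "", "resource": "secrets", "name": "any"},
    {"verb": "update", "group": "", "resource": "configmaps", "name": "datadog-leader-elector"},
    {"verb": "update", "group": "", "resource": "configmaps", "name": "other-config"},
    {"verb": "create", "group": "", "resource": "configmaps"},
    {"verb": "get", "url": "/metrics"},
]

def audit(rules, requests):
    """Return (request, decision) pairs for a list of request dicts."""
    return [(req, allowed(rules, **req)) for req in requests]

if __name__ == "__main__":
    for req, ok in audit(DATADOG_RULES, SAMPLE_REQUESTS):
        print("ALLOW" if ok else "DENY ", req)
```

This models only the ClusterRole; the privileged SCC and the `/var/run/docker.sock` mount from the steps above are granted separately and are not covered by RBAC rules.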