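---
# ServiceAccount the metrics-server pod runs as. Its token is what the
# server uses to authenticate to the API server and to kubelets; the RBAC
# objects and the v1beta1.metrics.k8s.io APIService that go with it are not
# part of this document set (NOTE(review): confirm they are defined elsewhere).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  revisionHistoryLimit: 0
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      priorityClassName: "system-node-critical"
      serviceAccountName: metrics-server
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
        - key: "node-role.kubernetes.io/control-plane"
          operator: "Exists"
          effect: "NoSchedule"
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
          effect: "NoSchedule"
      volumes:
        # mount in tmp so we can safely use from-scratch images and/or read-only containers
        - name: tmp-dir
          emptyDir: {}
      containers:
        - name: metrics-server
          # %{...}% tokens are substituted by the distribution's manifest templating
          # before this document is applied; the registry prefix must end with "/"
          # (or be empty) for the image reference to resolve.
          image: "%{SYSTEM_DEFAULT_REGISTRY}%rancher/mirrored-metrics-server:v0.7.2"
          args:
            # Self-signed serving cert is generated under the emptyDir at start-up;
            # it is ephemeral, which is why it lives in /tmp and not in the image.
            - --cert-dir=/tmp
            - --secure-port=10250
            - --kubelet-preferred-address-types=%{PREFERRED_ADDRESS_TYPES}%
            - --kubelet-use-node-status-port
            - --metric-resolution=15s
            # --kubelet-insecure-tls is deliberately NOT set: kubelet serving
            # certificates are verified against the cluster CA. Do not add it to
            # work around certificate errors; fix kubelet serving certs instead.
            # Cipher list is restricted to ECDHE + AEAD suites (forward secrecy,
            # no CBC). NOTE(review): this flag only governs TLS 1.2 suites; TLS 1.3
            # suites are not configurable here and stay enabled.
            - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
          resources:
            requests:
              cpu: 100m
              memory: 70Mi
          ports:
            - name: https
              containerPort: 10250
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: https
              scheme: HTTPS
            initialDelaySeconds: 0
            periodSeconds: 2
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /livez
              port: https
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # Container hardening: the original set a read-only rootfs, non-root
          # UID and no privilege escalation, but left the default Linux
          # capability set and the default (unconfined) seccomp profile.
          # Dropping all capabilities and using the runtime's default seccomp
          # profile makes the pod admissible under the "restricted" Pod Security
          # Standard; metrics-server needs neither capabilities nor extra
          # syscalls (it only serves HTTPS and scrapes kubelets).
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp-dir
              mountPath: /tmp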