apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: kubernetes-dashboard namespace: kubernetes-system spec: chart: spec: chart: kubernetes-dashboard sourceRef: kind: HelmRepository name: kubernetes-dashboard namespace: flux-system interval: 15m0s timeout: 5m releaseName: kubernetes-dashboard values: # Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for kubernetes-dashboard # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value image: ## Repository for container repository: kubernetesui/dashboard tag: "" # If not defined, uses appVersion of Chart.yaml pullPolicy: IfNotPresent pullSecrets: [] ## Number of replicas replicaCount: 1 ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} ## @param commonAnnotations Annotations to add to all deployed objects ## commonAnnotations: {} ## Here annotations can be added to the kubernetes dashboard deployment annotations: {} ## Here labels can be added to the kubernetes dashboard deployment labels: {} ## Additional container arguments ## extraArgs: - --enable-skip-login - --enable-insecure-login - --system-banner="Welcome to Kubernetes" ## Additional container environment variables ## extraEnv: [] # - name: SOME_VAR # value: 'some value' ## Additional volumes to be added to kubernetes dashboard pods ## extraVolumes: [] # - name: dashboard-kubeconfig # secret: # defaultMode: 420 # secretName: dashboard-kubeconfig ## Additional volumeMounts to be added to kubernetes dashboard container ## extraVolumeMounts: [] # - mountPath: /kubeconfig # name: dashboard-kubeconfig # readOnly: true ## Array of extra K8s manifests to deploy ## extraManifests: [] # - apiVersion: v1 # kind: ConfigMap # metadata: # name: additional-configmap # data: # mykey: myvalue ## Annotations to be added to kubernetes dashboard pods # podAnnotations: ## SecurityContext to be added to kubernetes dashboard pods ## To disable set the following configuration to null: # securityContext: null securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault ## SecurityContext defaults for the kubernetes dashboard container and metrics scraper container ## To disable set the following configuration to null: # containerSecurityContext: null containerSecurityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 capabilities: drop: ["ALL"] ## @param podLabels Extra labels for OAuth2 Proxy pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} ## @param podAnnotations Annotations for OAuth2 Proxy pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## List of node taints to tolerate (requires Kubernetes >= 1.6) tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute" ## Affinity for pod assignment ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} ## Name of Priority Class of pods # priorityClassName: "" ## Pod resource requests & limits resources: requests: cpu: 100m memory: 200Mi limits: cpu: 2 memory: 200Mi ## Serve application over HTTP without TLS ## ## Note: If set to true, you may want to add --enable-insecure-login to extraArgs protocolHttp: false service: type: LoadBalancer # Dashboard service port externalPort: 443 ## LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to ## set allowed inbound rules on the security group assigned to the master load balancer # loadBalancerSourceRanges: [] # clusterIP: "" ## A user-specified IP address for load balancer to use as External IP (if supported) # loadBalancerIP: ## Additional Kubernetes Dashboard Service annotations annotations: {} ## Here labels can be added to the Kubernetes Dashboard service labels: {} ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters >=1.15. ## Otherwise, the addon manager will presume ownership of the service and try to delete it. clusterServiceLabel: enabled: true key: "kubernetes.io/cluster-service" ingress: ## If true, Kubernetes Dashboard Ingress will be created. ## enabled: false ## Kubernetes Dashboard Ingress labels # labels: # key: value ## Kubernetes Dashboard Ingress annotations # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: 'true' ## If you plan to use TLS backend with enableInsecureLogin set to false ## (default), you need to uncomment the below. ## If you use ingress-nginx < 0.21.0 # nginx.ingress.kubernetes.io/secure-backends: "true" ## if you use ingress-nginx >= 0.21.0 # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" ## Kubernetes Dashboard Ingress Class # className: "example-lb" ## Kubernetes Dashboard Ingress paths ## Both `/` and `/*` are required to work on gce ingress. paths: - / # - /* ## Custom Kubernetes Dashboard Ingress paths. Will override default paths. ## customPaths: [] # - pathType: ImplementationSpecific # backend: # service: # name: ssl-redirect # port: # name: use-annotation # - pathType: ImplementationSpecific # backend: # service: # name: >- # {{ include "kubernetes-dashboard.fullname" . }} # port: # # Don't use string here, use only integer value! # number: 443 ## Kubernetes Dashboard Ingress hostnames ## Must be provided if Ingress is enabled ## # hosts: # - kubernetes-dashboard.domain.com ## Kubernetes Dashboard Ingress TLS configuration ## Secrets must be manually created in the namespace ## # tls: # - secretName: kubernetes-dashboard-tls # hosts: # - kubernetes-dashboard.domain.com # Global dashboard settings settings: {} ## Cluster name that appears in the browser window title if it is set # clusterName: "" ## Max number of items that can be displayed on each list page # itemsPerPage: 10 ## Number of seconds between every auto-refresh of logs # logsAutoRefreshTimeInterval: 5 ## Number of seconds between every auto-refresh of every resource. Set 0 to disable # resourceAutoRefreshTimeInterval: 5 ## Hide all access denied warnings in the notification panel # disableAccessDeniedNotifications: false ## Pinned CRDs that will be displayed in dashboard's menu pinnedCRDs: [] # - kind: customresourcedefinition ## Fully qualified name of a CRD # name: prometheuses.monitoring.coreos.com ## Display name # displayName: Prometheus ## Is this CRD namespaced? # namespaced: true ## Metrics Scraper ## Container to scrape, store, and retrieve a window of time from the Metrics Server. ## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper metricsScraper: ## Wether to enable dashboard-metrics-scraper enabled: false image: repository: kubernetesui/metrics-scraper tag: v1.0.9 resources: {} ## SecurityContext especially for the kubernetes dashboard metrics scraper container ## If not set, the global containterSecurityContext values will define these values # containerSecurityContext: # allowPrivilegeEscalation: false # readOnlyRootFilesystem: true # runAsUser: 1001 # runAsGroup: 2001 # args: # - --log-level=info # - --logtostderr=true ## Optional Metrics Server sub-chart ## Enable this if you don't already have metrics-server enabled on your cluster and ## want to use it with dashboard metrics-scraper ## refs: ## - https://github.com/kubernetes-sigs/metrics-server ## - https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server metrics-server: enabled: false ## Example for additional args # args: # - --kubelet-preferred-address-types=InternalIP # - --kubelet-insecure-tls rbac: # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created create: true # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created # Independent from rbac.create parameter. clusterRoleMetrics: true # Start in ReadOnly mode. # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created # Only dashboard-related Secrets and ConfigMaps will still be available for writing. # # The basic idea of the clusterReadOnlyRole # is not to hide all the secrets and sensitive data but more # to avoid accidental changes in the cluster outside the standard CI/CD. # # It is NOT RECOMMENDED to use this version in production. # Instead you should review the role and remove all potentially sensitive parts such as # access to persistentvolumes, pods/log etc. # # Independent from rbac.create parameter. clusterReadOnlyRole: false # It is possible to add additional rules if read only role is enabled. # This can be useful, for example, to show CRD resources. # clusterReadOnlyRoleAdditionalRules: [] # If the default role permissions are not enough, it is possible to add additional permissions. # roleAdditionalRules: [] serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: livenessProbe: # Number of seconds to wait before sending first probe initialDelaySeconds: 30 # Number of seconds to wait for probe response timeoutSeconds: 30 ## podDisruptionBudget ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ podDisruptionBudget: enabled: false ## Minimum available instances; ignored if there is no PodDisruptionBudget minAvailable: ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget maxUnavailable: ## PodSecurityContext for pod level securityContext # securityContext: # runAsUser: 1001 # runAsGroup: 2001 networkPolicy: # Whether to create a network policy that allows/restricts access to the service enabled: false # Whether to set network policy to deny all ingress traffic for the kubernetes-dashboard ingressDenyAll: false ## podSecurityPolicy for fine-grained authorization of pod creation and updates ## Note that PSP is deprecated and has been removed from kubernetes 1.25 onwards. ## For 1.25+ consider enabling PodSecurityAdmission, refer to chart README.md. podSecurityPolicy: # Specifies whether a pod security policy should be created enabled: false serviceMonitor: # Whether or not to create a Prometheus Operator service monitor. enabled: false ## Here labels can be added to the serviceMonitor labels: {} ## Here annotations can be added to the serviceMonitor annotations: {} ## Optional containers, i.e. for auth addons. optionalContainers: enabled: false containers: []