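# kube-apiserver static Pod for control-plane ("master") hosts.
# This is a Go template: {{ ... }} expressions are rendered by the bootstrap
# tooling before the result is parsed as YAML (hosts_by_group, .vars, .cluster
# come from that renderer). The pod runs on the host network, mounts its
# certificates from the host, and does not receive a service-account token.
#
# Changes in this revision:
#   - NodeRestriction added to --enable-admission-plugins. The Node authorizer
#     (already in --authorization-mode) only decides *whether* a kubelet may
#     act; NodeRestriction is what limits a system:node:* credential to its own
#     Node and Pod objects. Running Node without NodeRestriction leaves any
#     compromised kubelet able to modify other nodes' objects.
#   - Certificate, CA and /etc/kubernetes mounts are readOnly. kube-apiserver
#     only reads these paths; a read-only mount keeps a compromised process
#     from rewriting keys or the static token file.
#
# Review notes (not changed here, confirm with the cluster owners):
#   - --token-auth-file: static bearer tokens never expire and can only be
#     rotated by editing the CSV and restarting the apiserver. Bootstrap tokens
#     are already enabled below; prefer them (or cert/OIDC auth) over static
#     tokens where possible, and keep the CSV 0600 on the host.
#   - --service-account-issuer=local-server is not a URL. Kubernetes recommends
#     an https:// issuer so projected service-account tokens are discoverable
#     via OIDC; a bare string works but disables issuer discovery.
#   - --service-account-key-file points at the private signing key. The flag
#     accepts it (public part is extracted), but a separate public-key file
#     would let the verifying key be distributed without the private one.
#   - --kubelet-certificate-authority is not set, so kubelet serving certs are
#     not verified on exec/logs/port-forward connections (possible MITM between
#     apiserver and kubelets). /tls-ca/cluster is mounted but no flag uses it;
#     it may be the right CA - verify before wiring it up.
#   - No --audit-policy-file/--audit-log-*, no --encryption-provider-config,
#     --profiling left at its default (enabled), --anonymous-auth left at its
#     default (true). Each needs host files or may affect health checks, so they
#     are only noted here.
apiVersion: v1
kind: Pod
metadata:
  namespace: kube-system
  name: k8s-apiserver
  annotations:
    novit.io/bootstrap-prio: "400"
  labels:
    component: k8s-apiserver
    tier: control-plane
spec:
  # Control-plane pod: shares the host's network namespace and resolver.
  hostNetwork: true
  dnsPolicy: Default
  priorityClassName: system-cluster-critical
  # The apiserver must not get a token signed by itself mounted in.
  automountServiceAccountToken: false
  tolerations:
  - key: node.kubernetes.io/not-ready
    effect: NoSchedule
  containers:
  - name: apiserver
    image: {{ .vars.k8s_registry}}/kube-apiserver:{{ .vars.kubernetes_version }}
    command:
    - kube-apiserver
    - --secure-port={{ .vars.control_plane.api_port }}
    # One https://<ip>:2379 entry per host in the "master" group, comma-joined.
    - --etcd-servers={{ range $i, $host := hosts_by_group "master" }}{{ if gt $i 0 }},{{end}}https://{{$host.ip}}:2379{{end}}
    # mTLS to etcd: client cert/key plus the etcd CA used to verify the peers.
    - --etcd-cafile=/tls/etcd-client/ca.crt
    - --etcd-keyfile=/tls/etcd-client/tls.key
    - --etcd-certfile=/tls/etcd-client/tls.crt
    # Ignored when --tls-cert-file/--tls-private-key-file are set (they are).
    - --cert-dir=/var/lib/kubelet/certs
    # Required for CNI/host-level workloads; restrict who may create
    # privileged pods through admission (PodSecurity or a webhook).
    - --allow-privileged=true
    - --service-cluster-ip-range={{.cluster.subnets.services}}
    # Client-cert auth for users/components and the apiserver's serving cert.
    - --client-ca-file=/tls/apiserver/ca.crt
    - --tls-cert-file=/tls/apiserver/tls.crt
    - --tls-private-key-file=/tls/apiserver/tls.key
    # Service-account token signing/verification (see issuer note above).
    - --service-account-issuer=local-server
    - --service-account-key-file=/tls-ca/service-accounts/ca.key
    - --service-account-signing-key-file=/tls-ca/service-accounts/ca.key
    # Aggregation layer: identity presented to extension apiservers, and the
    # CA + allowed CN used to trust X-Remote-* headers from the proxy.
    - --proxy-client-key-file=/tls/proxy-client/tls.key
    - --proxy-client-cert-file=/tls/proxy-client/tls.crt
    - --requestheader-client-ca-file=/tls/proxy-client/ca.crt
    - --requestheader-allowed-names=proxy-client
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    # apiserver -> kubelet connections (exec/logs/metrics). Client cert only;
    # no --kubelet-certificate-authority, so the kubelet side is unverified.
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS
    - --kubelet-client-certificate=/tls/kubelet-client/tls.crt
    - --kubelet-client-key=/tls/kubelet-client/tls.key
    # NodeRestriction pairs with the Node authorizer below: it confines
    # system:node:<name> credentials to their own Node/Pod objects.
    - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction
    # Static tokens: long-lived, rotation requires an apiserver restart.
    - --token-auth-file=/etc/kubernetes/token-auth.csv
    - --authorization-mode=RBAC,Node
    - --event-ttl=6h0m0s
    - --enable-bootstrap-token-auth
{{ if .vars.control_plane.reserve_resources }}
    resources:
      requests:
        cpu: 400m
        memory: 1.2Gi
{{ end }}
    # All key material is read-only from the apiserver's point of view.
    volumeMounts:
    - name: etc-certs
      mountPath: /etc/ssl/certs
      readOnly: true
    - name: tls-etcd-client
      mountPath: /tls/etcd-client
      readOnly: true
    - name: tls-apiserver
      mountPath: /tls/apiserver
      readOnly: true
    - name: tls-kubelet-client
      mountPath: /tls/kubelet-client
      readOnly: true
    - name: ca-cluster
      mountPath: /tls-ca/cluster
      readOnly: true
    - name: ca-service-accounts
      mountPath: /tls-ca/service-accounts
      readOnly: true
    - name: tls-proxy-client
      mountPath: /tls/proxy-client
      readOnly: true
    - name: etc-k8s
      mountPath: /etc/kubernetes
      readOnly: true
    # Left writable: --cert-dir target (unused while explicit TLS files are
    # given). Can be made readOnly once that is confirmed on a live cluster.
    - name: certs
      mountPath: /var/lib/kubelet/certs
    # Liveness probe kept disabled as in the original; note that /healthz on
    # the secure port relies on anonymous auth being enabled.
    #livenessProbe:
    #  httpGet:
    #    scheme: HTTPS
    #    host: 127.0.0.1
    #    port: {{ .vars.control_plane.api_port }}
    #    path: /healthz
    #  initialDelaySeconds: 15
    #  timeoutSeconds: 15
    #  failureThreshold: 8
  # Host directories laid down by the bootstrap tooling before the pod starts.
  volumes:
  - name: etc-certs
    hostPath:
      path: /etc/ssl/certs
  - name: etc-k8s
    hostPath:
      path: /etc/kubernetes
  - name: tls-etcd-client
    hostPath:
      path: /etc/tls/etcd-client
  - name: ca-cluster
    hostPath:
      path: /etc/tls-ca/cluster
  - name: ca-service-accounts
    hostPath:
      path: /etc/tls-ca/service-accounts
  - name: tls-apiserver
    hostPath:
      path: /etc/tls/apiserver
  - name: tls-kubelet-client
    hostPath:
      path: /etc/tls/kubelet-client
  - name: tls-proxy-client
    hostPath:
      path: /etc/tls/proxy-client
  - name: certs
    hostPath:
      path: /var/lib/kubelet/certs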