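---
# Static Pod manifest for kube-controller-manager. This is a Go-template source
# ({{ ... }} actions) that is rendered before the kubelet reads it, so it is not
# loadable as plain YAML until rendered.
apiVersion: v1
kind: Pod
metadata:
  namespace: kube-system
  name: k8s-controller-manager
  annotations:
    # Quoted so the priority stays a string rather than being parsed as an int.
    novit.io/bootstrap-prio: "500"
  labels:
    component: k8s-controller-manager
    tier: control-plane
spec:
  hostNetwork: true
  dnsPolicy: Default
  priorityClassName: system-cluster-critical
  # Authentication happens via the kubeconfig mounted below, so no projected
  # service-account token is needed inside the pod.
  automountServiceAccountToken: false
  tolerations:
    - key: node.kubernetes.io/not-ready
      effect: NoSchedule
  containers:
    - name: controller-manager
      image: {{ .vars.k8s_registry}}/kube-controller-manager:{{ .vars.kubernetes_version }}
      command:
        - kube-controller-manager
        # Cluster CA used to sign CSRs; the private key is only ever read from
        # the read-only hostPath mounted at /tls-ca/cluster.
        - --cluster-signing-cert-file=/tls-ca/cluster/ca.crt
        - --cluster-signing-key-file=/tls-ca/cluster/ca.key
        - --root-ca-file=/tls-ca/cluster/ca.crt
        # Key used to mint service-account tokens.
        - --service-account-private-key-file=/tls-ca/service-accounts/ca.key
        - --kubeconfig=/run/k8s/kubeconfig
        - --allocate-node-cidrs
        - --cluster-cidr={{ .cluster.subnets.pods }}
        - --node-cidr-mask-size=24
        # bootstrapsigner/tokencleaner are not in the default controller set;
        # they are enabled here explicitly.
        - --controllers=*,bootstrapsigner,tokencleaner
        - --authentication-kubeconfig=/run/k8s/kubeconfig
        - --authorization-kubeconfig=/run/k8s/kubeconfig
        # NOTE(review): hardening flags worth evaluating, not enabled here
        # because they depend on the cluster's RBAC and metrics setup — confirm
        # before adding: --use-service-account-credentials=true,
        # --profiling=false, --bind-address=127.0.0.1 (the probe below already
        # targets loopback).
      {{ if .vars.control_plane.reserve_resources }}
      resources:
        requests:
          cpu: 100m
          memory: 320Mi
      {{ end }}
      volumeMounts:
        # Every flag above only reads from these paths (kubeconfig, CA
        # certificates and keys, trust store), so all host paths are mounted
        # read-only to keep the container from modifying host key material.
        - name: config
          mountPath: /run/k8s
          readOnly: true
        - name: etc-k8s
          mountPath: /etc/kubernetes
          readOnly: true
        - name: certs
          mountPath: /etc/ssl/certs
          readOnly: true
        - name: ca-cluster
          mountPath: /tls-ca/cluster
          readOnly: true
        - name: ca-service-accounts
          mountPath: /tls-ca/service-accounts
          readOnly: true
        - name: tls-cluster-client
          mountPath: /etc/tls/cluster-client
          readOnly: true
      livenessProbe:
        httpGet:
          scheme: HTTPS
          host: 127.0.0.1
          port: 10257
          path: /healthz
        initialDelaySeconds: 15
        timeoutSeconds: 15
        failureThreshold: 8
  volumes:
    # NOTE(review): a hostPath without `type:` silently creates a missing path
    # as an empty root-owned directory; `type: Directory` would fail fast
    # instead — confirm each path exists at bootstrap time before adding it.
    - name: config
      hostPath:
        path: /etc/kubernetes/control-plane
    - name: etc-k8s
      hostPath:
        path: /etc/kubernetes
    - name: ca-cluster
      hostPath:
        path: /etc/tls-ca/cluster
    - name: ca-service-accounts
      hostPath:
        path: /etc/tls-ca/service-accounts
    - name: certs
      hostPath:
        path: /var/lib/kubelet/certs
    - name: tls-cluster-client
      hostPath:
        path: /etc/tls/cluster-client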