---
# Static Pod manifest template (Go template syntax) for the kube-apiserver
# control-plane component. Rendered values come from .vars / .cluster and
# from the hosts_by_group helper; the rendered output is what the kubelet
# actually loads, so review the rendered manifest as well as this template.
apiVersion: v1
kind: Pod
metadata:
  namespace: kube-system
  name: k8s-apiserver
  annotations:
    # Bootstrap ordering hint consumed by the deployment tooling; quoted so
    # it stays a string rather than being read as an integer.
    novit.io/bootstrap-prio: "400"
  labels:
    component: k8s-apiserver
    tier: control-plane
spec:
  # Binds directly on the host network namespace: the secure port below is
  # exposed on the node's own addresses, not through a Service.
  hostNetwork: true
  dnsPolicy: Default
  priorityClassName: system-cluster-critical
  # The apiserver authenticates with its own TLS material; no in-cluster
  # service-account token is mounted into this pod.
  automountServiceAccountToken: false
  tolerations:
    # Allows scheduling while the node is still reporting not-ready, which is
    # the normal state during control-plane bootstrap.
    - key: node.kubernetes.io/not-ready
      effect: NoSchedule
  containers:
    - name: apiserver
      image: {{ .vars.k8s_registry}}/kube-apiserver:{{ .vars.kubernetes_version }}
      command:
        - kube-apiserver
        - --secure-port={{ .vars.control_plane.api_port }}
        # One https endpoint per "master" host, comma-separated, on etcd's
        # client port. Client auth to etcd uses the dedicated etcd-client
        # cert/key below, so the apiserver never presents its serving cert
        # to etcd.
        - --etcd-servers={{ range $i, $host := hosts_by_group "master" }}{{ if gt $i 0 }},{{end}}https://{{$host.ip}}:2379{{end}}
        - --etcd-cafile=/tls/etcd-client/ca.crt
        - --etcd-keyfile=/tls/etcd-client/tls.key
        - --etcd-certfile=/tls/etcd-client/tls.crt
        # Explicit serving cert/key are given below, so this directory is
        # not expected to receive generated self-signed material.
        - --cert-dir=/var/lib/kubelet/certs
        # Privileged containers are permitted cluster-wide by the apiserver;
        # any restriction has to come from admission (PodSecurity is not in
        # the admission-plugin list below).
        - --allow-privileged=true
        - --service-cluster-ip-range={{.cluster.subnets.services}}
        # Client-certificate authentication: any cert chaining to this CA is
        # accepted, with CN/O mapped to user/groups.
        - --client-ca-file=/tls/apiserver/ca.crt
        - --tls-cert-file=/tls/apiserver/tls.crt
        - --tls-private-key-file=/tls/apiserver/tls.key
        # Issuer identifier stamped into the "iss" claim of service-account
        # tokens; it is a bare name here, not a URL.
        - --service-account-issuer=local-server
        # The same private key is used both to sign SA tokens and (via its
        # public half) to verify them. Rotating it requires the previous key
        # to stay listed for verification until old tokens expire.
        - --service-account-key-file=/tls-ca/service-accounts/ca.key
        - --service-account-signing-key-file=/tls-ca/service-accounts/ca.key
        # Front-proxy / aggregation-layer identity: the apiserver presents
        # proxy-client cert when calling extension apiservers, and trusts
        # X-Remote-* headers only from clients whose cert chains to the
        # requestheader CA and whose CN is in the allowed-names list.
        - --proxy-client-key-file=/tls/proxy-client/tls.key
        - --proxy-client-cert-file=/tls/proxy-client/tls.crt
        - --requestheader-client-ca-file=/tls/proxy-client/ca.crt
        - --requestheader-allowed-names=proxy-client
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --requestheader-group-headers=X-Remote-Group
        - --requestheader-username-headers=X-Remote-User
        # Address preference order for apiserver -> kubelet connections
        # (logs, exec, port-forward), plus the client cert used for them.
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS
        - --kubelet-client-certificate=/tls/kubelet-client/tls.crt
        - --kubelet-client-key=/tls/kubelet-client/tls.key
        # NOTE(review): NodeRestriction is not enabled although the Node
        # authorizer is; NodeRestriction is what limits a kubelet credential
        # to modifying its own Node/Pod objects. Confirm this is intended.
        - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
        # Static bearer tokens read from a CSV on the host. These are
        # long-lived, cannot be revoked or rotated without an apiserver
        # restart, and the file is mounted from the host's /etc/kubernetes,
        # so its on-disk permissions are the only thing protecting them.
        - --token-auth-file=/etc/kubernetes/token-auth.csv
        - --authorization-mode=RBAC,Node
        - --event-ttl=6h0m0s
        # Bootstrap tokens (kube-system secrets) are accepted for kubelet
        # TLS bootstrapping.
        - --enable-bootstrap-token-auth
        # --anonymous-auth and --profiling are left at their defaults here.
      {{ if .vars.control_plane.reserve_resources }}
      resources:
        requests:
          cpu: 400m
          memory: 1.2Gi
      {{ end }}
      # NOTE(review): every mount below is read-only from the apiserver's
      # point of view (TLS material, CAs, the token CSV); none carries
      # readOnly: true. Consider adding it, at least on the key/cert mounts.
      volumeMounts:
        - name: etc-certs
          mountPath: /etc/ssl/certs
        - name: tls-etcd-client
          mountPath: /tls/etcd-client
        - name: tls-apiserver
          mountPath: /tls/apiserver
        - name: tls-kubelet-client
          mountPath: /tls/kubelet-client
        - name: ca-cluster
          mountPath: /tls-ca/cluster
        - name: ca-service-accounts
          mountPath: /tls-ca/service-accounts
        - name: tls-proxy-client
          mountPath: /tls/proxy-client
        - name: etc-k8s
          mountPath: /etc/kubernetes
        - name: certs
          mountPath: /var/lib/kubelet/certs
      # No liveness probe is active: a hung apiserver will not be restarted
      # by the kubelet. The disabled probe below targeted /healthz over
      # HTTPS on the configured API port.
      # livenessProbe:
      #   httpGet:
      #     scheme: HTTPS
      #     host: 127.0.0.1
      #     port: {{ .vars.control_plane.api_port }}
      #     path: /healthz
      #   initialDelaySeconds: 15
      #   timeoutSeconds: 15
      #   failureThreshold: 8
  # All volumes are hostPath mounts of material laid down on the node by the
  # bootstrap tooling. hostPath has no "type" set, so a missing directory is
  # created empty rather than failing the pod.
  volumes:
    - name: etc-certs
      hostPath:
        path: /etc/ssl/certs
    - name: etc-k8s
      hostPath:
        path: /etc/kubernetes
    - name: tls-etcd-client
      hostPath:
        path: /etc/tls/etcd-client
    - name: ca-cluster
      hostPath:
        path: /etc/tls-ca/cluster
    - name: ca-service-accounts
      hostPath:
        path: /etc/tls-ca/service-accounts
    - name: tls-apiserver
      hostPath:
        path: /etc/tls/apiserver
    - name: tls-kubelet-client
      hostPath:
        path: /etc/tls/kubelet-client
    - name: tls-proxy-client
      hostPath:
        path: /etc/tls/proxy-client
    - name: certs
      hostPath:
        path: /var/lib/kubelet/certs