{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
  "name":"kube-apiserver",
  "namespace": "kube-system",
  "annotations": {
    "scheduler.alpha.kubernetes.io/critical-pod": "",
    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
  },
  "labels": {
    "tier": "control-plane",
    "component": "kube-apiserver"
  }
},
"spec":{
"hostNetwork": true,
"containers":[
    {
    "name": "kube-apiserver",
    "image": "{{pillar['kube_docker_registry']}}/kube-apiserver:{{pillar['kube-apiserver_docker_tag']}}",
    "resources": {
      "requests": {
        "cpu": "250m"
      }
    },
    "command": [
                 "/bin/sh",
                 "-c",
                 "exec /usr/local/bin/kube-apiserver {{params}} --allow-privileged={{pillar['allow_privileged']}} 1>>/var/log/kube-apiserver.log 2>&1"
               ],
    {{container_env}}
    "livenessProbe": {
      "httpGet": {
        "host": "127.0.0.1",
        "port": 8080,
        "path": "/healthz?exclude=etcd"
      },
      "initialDelaySeconds": {{liveness_probe_initial_delay}},
      "timeoutSeconds": 15
    },
    "readinessProbe": {
      "httpGet": {
        "host": "127.0.0.1",
        "port": 8080,
        "path": "/healthz"
      },
      "timeoutSeconds": 15
    },
    "ports":[
      { "name": "https",
        "containerPort": {{secure_port}},
        "hostPort": {{secure_port}}},{
       "name": "local",
        "containerPort": 8080,
        "hostPort": 8080}
        ],
    "volumeMounts": [
        {{kms_socket_mount}}
        {{encryption_provider_mount}}
        {{cloud_config_mount}}
        {{additional_cloud_config_mount}}
        {{webhook_config_mount}}
        {{webhook_authn_config_mount}}
        {{audit_policy_config_mount}}
        {{audit_webhook_config_mount}}
        {{admission_controller_config_mount}}
        {{image_policy_webhook_config_mount}}
        { "name": "srvkube",
        "mountPath": "/etc/srv/kubernetes",
        "readOnly": true},
        { "name": "logfile",
        "mountPath": "/var/log/kube-apiserver.log",
        "readOnly": false},
        { "name": "auditlogfile",
        "mountPath": "/var/log/kube-apiserver-audit.log",
        "readOnly": false},
        { "name": "etcssl",
        "mountPath": "/etc/ssl",
        "readOnly": true},
        { "name": "usrsharecacerts",
        "mountPath": "/usr/share/ca-certificates",
        "readOnly": true},
        { "name": "varssl",
        "mountPath": "/var/ssl",
        "readOnly": true},
        { "name": "etcopenssl",
        "mountPath": "/etc/openssl",
        "readOnly": true},
        { "name": "etcpki",
        "mountPath": "/etc/srv/pki",
        "readOnly": true},
        { "name": "srvsshproxy",
        "mountPath": "{{srv_sshproxy_path}}",
        "readOnly": false}
      ]
    }
],
"volumes":[
  {{kms_socket_volume}}
  {{encryption_provider_volume}}
  {{cloud_config_volume}}
  {{additional_cloud_config_volume}}
  {{webhook_config_volume}}
  {{webhook_authn_config_volume}}
  {{audit_policy_config_volume}}
  {{audit_webhook_config_volume}}
  {{admission_controller_config_volume}}
  {{image_policy_webhook_config_volume}}
  { "name": "srvkube",
    "hostPath": {
        "path": "/etc/srv/kubernetes"}
  },
  { "name": "logfile",
    "hostPath": {
        "path": "/var/log/kube-apiserver.log",
        "type": "FileOrCreate"}
  },
  { "name": "auditlogfile",
    "hostPath": {
        "path": "/var/log/kube-apiserver-audit.log",
        "type": "FileOrCreate"}
  },
  { "name": "etcssl",
    "hostPath": {
        "path": "/etc/ssl"}
  },
  { "name": "usrsharecacerts",
    "hostPath": {
        "path": "/usr/share/ca-certificates"}
  },
  { "name": "varssl",
    "hostPath": {
        "path": "/var/ssl"}
  },
  { "name": "etcopenssl",
    "hostPath": {
        "path": "/etc/openssl"}
  },
  { "name": "etcpki",
    "hostPath": {
        "path": "/etc/srv/pki"}
  },
  { "name": "srvsshproxy",
    "hostPath": {
        "path": "{{srv_sshproxy_path}}"}
  }
]
}}