airship/promenade
Code Issues Proposed changes
7070ade848
promenade/charts/apiserver/values.yaml
KHIYANI, RAHUL (rk0850) 154e0b5464 Apiserver: Add pod/container security context 
This updates the apiserver chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to false

Change-Id: I76d80c4cbf40d1e3e518a3d2969c86f4d5c8c3f4
2019-11-04 22:11:35 +00:00

328 lines
10 KiB
YAML
Raw Blame History

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_group: null
# NOTE(mark-burnett): These values are not really configurable -- they live
# here to keep the templates cleaner.
const:
encryption_annotation: "airshipit.org/encryption_key"
command_prefix:
- /hyperkube
- kube-apiserver
- --advertise-address=$(POD_IP)
- --allow-privileged=true
- --anonymous-auth=false
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --etcd-servers=$(ETCD_ENDPOINTS)
- --insecure-port=0
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --secure-port=$(APISERVER_PORT)
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
files_to_copy:
# NOTE(mark-burnett): These are (host dest): (container source) pairs
/etc/kubernetes/apiserver/kubeconfig.yaml: /tmp/etc/kubeconfig.yaml
/etc/kubernetes/apiserver/pki/apiserver-key.pem: /keys/apiserver-key.pem
/etc/kubernetes/apiserver/pki/apiserver.pem: /certs/apiserver.pem
/etc/kubernetes/apiserver/pki/cluster-ca.pem: /certs/cluster-ca.pem
/etc/kubernetes/apiserver/pki/etcd-client-ca.pem: /certs/etcd-client-ca.pem
/etc/kubernetes/apiserver/pki/etcd-client-key.pem: /keys/etcd-client-key.pem
/etc/kubernetes/apiserver/pki/etcd-client.pem: /certs/etcd-client.pem
/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem: /certs/kubelet-client-ca.pem
/etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
/etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
/etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
/etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml
images:
tags:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
anchor: gcr.io/google_containers/hyperkube-amd64:v1.11.6
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.11.6
key_rotate: gcr.io/google_containers/hyperkube-amd64:v1.11.6
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
kubernetes_apiserver:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
job:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
anchor:
dns_policy: Default
enable_cleanup: true
kubelet:
manifest_path: /etc/kubernetes/manifests
period: 15
# TODO(sh8121att): Add dynamic rendering of the admission controller list allowing a base list
# and each conf entry to enable additional AC plugins
conf:
# Uncomment any of the below to enable the file placement and associated apiserver
# command line options
#
acconfig:
file: acconfig.yaml
command_options:
- '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
- '--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
content:
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: EventRateLimit
path: eventconfig.yaml
eventconfig:
file: eventconfig.yaml
content:
kind: Configuration
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
limits:
- type: Server
qps: 1000
burst: 10000
# agg_api_ca:
# file: agg-api-ca.pem
# command_options:
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
# - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
# - '--requestheader-group-headers=X-Remote-Group'
# - '--requestheader-username-headers=X-Remote-User'
# - '--requestheader-allowed-names="aggregator"'
# content: |
# -----SOME CA-----
# apiserver_proxy_cert:
# file: 'apiserver-proxy-cert.pem'
# command_options:
# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
# content: |
# ------SOME CERT-----
# apiserver_proxy_key:
# file: 'apiserver-proxy-key.pem'
# command_options:
# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
# content: |
# -----SOME KEY-----
# Uncomment any of the below to enable enhanced Audit Logging command line options.
#
# auditpolicy:
# file: audit_policy.yaml
# command_options:
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
# content:
# kind: Policy
# apiVersion: apiserver.k8s.io/v1
# rules:
# - level: Metadata
#
encryption_provider:
file: encryption_provider.yaml
command_options:
- '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
content:
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- 'secrets'
providers:
- secretbox:
keys:
- name: key1
secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
- identity: {}
apiserver:
arguments:
- --authorization-mode=Node,RBAC
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
- --feature-gates=PodShareProcessNamespace=true
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
- --v=3
etcd:
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
host_etc_path: /etc/kubernetes/apiserver
logging:
# Which messages to log.
# Valid values include any number from 0 to 9.
# Default 5(Trace level verbosity).
log_level: 5
#XXX another possible configuration
# tls:
# tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
# # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
# #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
# tls-min-version: 'VersionTLS12'
network:
kubernetes_apiserver:
ingress:
public: true
classes:
namespace: "nginx-cluster"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
name: kubernetes-apiserver
port: 6443
node_port:
enabled: false
port: 31943
service:
name: kubernetes-apiserver
ip: null
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
service_account:
public_key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
kubelet:
tls:
ca: null
cert: null
key: null
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- apiserver-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
key_rotate: {}
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
kubernetes_apiserver:
name: kubernetes-apiserver
hosts:
default: kubernetes-apiserver
port:
https:
default: 6443
public: 443
path:
default: /
scheme:
default: https
public: https
host_fqdn_override:
default: null
# NOTE: this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
pod:
security_context:
kubernetes_apiserver_anchor:
pod:
runAsUser: 65534
container:
anchor:
runAsUser: 0
readOnlyRootFilesystem: false
mounts:
kubernetes_apiserver:
init_container: null
kubernetes_apiserver:
replicas:
apiserver: 3
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
kubernetes-apiserver-anchor:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
kubernetes_apiserver:
timeout: 3600
resources:
enabled: false
anchor_pod:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
key_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
kubernetes_apiserver:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
ingress_api: false
kubernetes_apiserver: true
secret: true
secret_ingress_tls: false
service: true
service_ingress: false
job_key_rotate: true
View Git Blame Copy Permalink