392 lines
12 KiB
YAML
392 lines
12 KiB
YAML
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
release_group: null
|
|
|
|
# NOTE(mark-burnett): These values are not really configurable -- they live
|
|
# here to keep the templates cleaner.
|
|
const:
|
|
encryption_annotation: "airshipit.org/encryption_key"
|
|
command_prefix:
|
|
- kube-apiserver
|
|
- --advertise-address=$(POD_IP)
|
|
- --allow-privileged=true
|
|
- --anonymous-auth=true
|
|
- --bind-address=0.0.0.0
|
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
|
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
|
- --etcd-servers=$(ETCD_ENDPOINTS)
|
|
- --insecure-port=0
|
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
|
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
|
|
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
|
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
|
- --secure-port=$(APISERVER_PORT)
|
|
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
|
- --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
|
|
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
|
|
|
files_to_copy:
|
|
# NOTE(mark-burnett): These are (host dest): (container source) pairs
|
|
/etc/kubernetes/apiserver/kubeconfig.yaml: /tmp/etc/kubeconfig.yaml
|
|
/etc/kubernetes/apiserver/pki/apiserver-key.pem: /keys/apiserver-key.pem
|
|
/etc/kubernetes/apiserver/pki/apiserver.pem: /certs/apiserver.pem
|
|
/etc/kubernetes/apiserver/pki/cluster-ca.pem: /certs/cluster-ca.pem
|
|
/etc/kubernetes/apiserver/pki/etcd-client-ca.pem: /certs/etcd-client-ca.pem
|
|
/etc/kubernetes/apiserver/pki/etcd-client-key.pem: /keys/etcd-client-key.pem
|
|
/etc/kubernetes/apiserver/pki/etcd-client.pem: /certs/etcd-client.pem
|
|
/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem: /certs/kubelet-client-ca.pem
|
|
/etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
|
|
/etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
|
|
/etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
|
|
/etc/kubernetes/apiserver/pki/service-account.key: /keys/service-account.key
|
|
/etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml
|
|
|
|
images:
|
|
tags:
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
|
anchor: cwedgwood/kubectl:v1.19.7-1
|
|
apiserver: k8s.gcr.io/kube-apiserver-amd64:v1.19.7
|
|
key_rotate: cwedgwood/kubectl:v1.19.7-1
|
|
pull_policy: "IfNotPresent"
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
labels:
|
|
kubernetes_apiserver:
|
|
node_selector_key: kubernetes-apiserver
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: kubernetes-apiserver
|
|
node_selector_value: enabled
|
|
|
|
anchor:
|
|
dns_policy: Default
|
|
enable_cleanup: true
|
|
kubelet:
|
|
manifest_path: /etc/kubernetes/manifests
|
|
period: 15
|
|
|
|
# TODO(sh8121att): Add dynamic rendering of the admission controller list allowing a base list
|
|
# and each conf entry to enable additional AC plugins
|
|
conf:
|
|
# Uncomment any of the below to enable the file placement and associated apiserver
|
|
# command line options
|
|
#
|
|
acconfig:
|
|
file: acconfig.yaml
|
|
command_options:
|
|
- '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
|
|
- '--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
|
|
content:
|
|
kind: AdmissionConfiguration
|
|
apiVersion: apiserver.k8s.io/v1alpha1
|
|
plugins:
|
|
- name: EventRateLimit
|
|
path: eventconfig.yaml
|
|
eventconfig:
|
|
file: eventconfig.yaml
|
|
content:
|
|
kind: Configuration
|
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
|
limits:
|
|
- type: Server
|
|
qps: 1000
|
|
burst: 10000
|
|
# agg_api_ca:
|
|
# file: agg-api-ca.pem
|
|
# command_options:
|
|
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
|
|
# - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
|
|
# - '--requestheader-group-headers=X-Remote-Group'
|
|
# - '--requestheader-username-headers=X-Remote-User'
|
|
# - '--requestheader-allowed-names="aggregator"'
|
|
# content: |
|
|
# -----SOME CA-----
|
|
# apiserver_proxy_cert:
|
|
# file: 'apiserver-proxy-cert.pem'
|
|
# command_options:
|
|
# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
|
|
# content: |
|
|
# ------SOME CERT-----
|
|
# apiserver_proxy_key:
|
|
# file: 'apiserver-proxy-key.pem'
|
|
# command_options:
|
|
# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
|
|
# content: |
|
|
# -----SOME KEY-----
|
|
# Uncomment any of the below to enable enhanced Audit Logging command line options.
|
|
# Note: To use the Log backend, ensure that the hostPath of the log file is mounted.
|
|
# (Refer to .pod.mounts.apiserver.apiserver)
|
|
#
|
|
# auditpolicy:
|
|
# file: audit_policy.yaml
|
|
# command_options:
|
|
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
|
|
# - '--audit-log-maxsize=10'
|
|
# - '--audit-log-maxbackup=3'
|
|
# - '--audit-log-path=/var/log/audit/audit.log'
|
|
# content:
|
|
# kind: Policy
|
|
# apiVersion: apiserver.k8s.io/v1
|
|
# rules:
|
|
# - level: Metadata
|
|
#
|
|
encryption_provider:
|
|
file: encryption_provider.yaml
|
|
command_options:
|
|
- '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
|
|
content:
|
|
kind: EncryptionConfiguration
|
|
apiVersion: apiserver.config.k8s.io/v1
|
|
resources:
|
|
- resources:
|
|
- 'secrets'
|
|
providers:
|
|
- secretbox:
|
|
keys:
|
|
- name: key1
|
|
secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
|
|
- identity: {}
|
|
service_account_issuer:
|
|
command_options:
|
|
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
|
|
|
|
apiserver:
|
|
arguments:
|
|
- --authorization-mode=Node,RBAC
|
|
- --service-cluster-ip-range=10.96.0.0/16
|
|
- --endpoint-reconciler-type=lease
|
|
- --v=3
|
|
etcd:
|
|
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
|
|
host_etc_path: /etc/kubernetes/apiserver
|
|
logging:
|
|
# Which messages to log.
|
|
# Valid values include any number from 0 to 9.
|
|
# Default 5(Trace level verbosity).
|
|
log_level: 5
|
|
#XXX another possible configuration
|
|
# tls:
|
|
# tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
|
|
# # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
|
|
# #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
|
|
# tls-min-version: 'VersionTLS12'
|
|
|
|
network:
|
|
kubernetes_apiserver:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx-cluster"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
nginx.ingress.kubernetes.io/secure-backends: "true"
|
|
name: kubernetes-apiserver
|
|
port: 6443
|
|
node_port:
|
|
enabled: false
|
|
port: 31943
|
|
|
|
service:
|
|
name: kubernetes-apiserver
|
|
ip: null
|
|
|
|
secrets:
|
|
tls:
|
|
ca: placeholder
|
|
cert: placeholder
|
|
key: placeholder
|
|
service_account:
|
|
public_key: placeholder
|
|
private_key: placeholder
|
|
etcd:
|
|
tls:
|
|
ca: placeholder
|
|
cert: placeholder
|
|
key: placeholder
|
|
kubelet:
|
|
tls:
|
|
ca: null
|
|
cert: null
|
|
key: null
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- apiserver-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
key_rotate: {}
|
|
|
|
# typically overriden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
kubernetes_apiserver:
|
|
name: kubernetes-apiserver
|
|
hosts:
|
|
default: kubernetes-apiserver
|
|
port:
|
|
https:
|
|
default: 6443
|
|
public: 443
|
|
path:
|
|
default: /
|
|
scheme:
|
|
default: https
|
|
public: https
|
|
host_fqdn_override:
|
|
default: null
|
|
# NOTE: this chart supports TLS for fqdn over-ridden public
|
|
# endpoints using the following format:
|
|
# public:
|
|
# host: null
|
|
# tls:
|
|
# crt: null
|
|
# key: null
|
|
|
|
pod:
|
|
mandatory_access_control:
|
|
type: apparmor
|
|
kubernetes_apiserver_anchor:
|
|
anchor: runtime/default
|
|
kube-apiserver:
|
|
init: runtime/default
|
|
apiserver-key-rotate: runtime/default
|
|
apiserver:
|
|
apiserver: runtime/default
|
|
security_context:
|
|
kubernetes_apiserver_anchor:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
anchor:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: false
|
|
key_rotate:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
apiserver_key_rotate:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: false
|
|
apiserver:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
apiserver:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: false
|
|
mounts:
|
|
# .pod.mounts.kubernetes_apiserver is for the anchor daemonset
|
|
kubernetes_apiserver:
|
|
init_container: null
|
|
kubernetes_apiserver:
|
|
# .pod.mounts.apiserver is for the apiserver static pod
|
|
apiserver:
|
|
apiserver:
|
|
# Example mounts for audit logging, refer to .conf.auditpolicy above.
|
|
# volumeMounts:
|
|
# - name: audit-logs
|
|
# mountPath: /var/log/audit
|
|
# mountPropagation: HostToContainer
|
|
# readOnly: false
|
|
# volumes:
|
|
# - name: audit-logs
|
|
# hostPath:
|
|
# path: /var/log/audit
|
|
# type: DirectoryOrCreate
|
|
replicas:
|
|
apiserver: 3
|
|
lifecycle:
|
|
upgrades:
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
kubernetes-apiserver-anchor:
|
|
enabled: false
|
|
min_ready_seconds: 0
|
|
max_unavailable: 1
|
|
termination_grace_period:
|
|
kubernetes_apiserver:
|
|
timeout: 3600
|
|
resources:
|
|
enabled: false
|
|
anchor_pod:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
key_rotate:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
kubernetes_apiserver:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
probes:
|
|
apiserver:
|
|
apiserver:
|
|
liveness:
|
|
enabled: true
|
|
params:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 10
|
|
readiness:
|
|
enabled: true
|
|
params:
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 5
|
|
timeoutSeconds: 5
|
|
env:
|
|
apiserver:
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_certs: true
|
|
configmap_etc: true
|
|
ingress_api: false
|
|
kubernetes_apiserver: true
|
|
secret: true
|
|
secret_ingress_tls: false
|
|
service: true
|
|
service_ingress: false
|
|
job_key_rotate: true
|