|
|
apiVersion: v1kind: Podmetadata: name: kube-apiserver namespace: {{system_namespace}} labels: k8s-app: kube-apiserver kubespray: v2 annotations: kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}"spec: hostNetwork: true{% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirst{% endif %} containers: - name: kube-apiserver image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ kube_apiserver_cpu_limit }} memory: {{ kube_apiserver_memory_limit }} requests: cpu: {{ kube_apiserver_cpu_requests }} memory: {{ kube_apiserver_memory_requests }} command: - /hyperkube - apiserver - --advertise-address={{ ip | default(ansible_default_ipv4.address) }} - --etcd-servers={{ etcd_access_addresses }}{% if etcd_events_cluster_setup %} - --etcd-servers-overrides=/events#{{ etcd_events_access_addresses }}{% endif %}{% if kube_version | version_compare('v1.9', '<') %} - --etcd-quorum-read=true{% endif %} - --etcd-cafile={{ etcd_cert_dir }}/ca.pem - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }} - --bind-address={{ kube_apiserver_bind_address }} - --apiserver-count={{ kube_apiserver_count }} - --admission-control={{ kube_apiserver_admission_control | join(',') }} - --service-cluster-ip-range={{ kube_service_addresses }} - --service-node-port-range={{ kube_apiserver_node_port_range }} - --client-ca-file={{ kube_cert_dir }}/ca.pem - --profiling=false - --repair-malformed-updates=false - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem - --service-account-lookup=true{% if kube_basic_auth|default(true) %} - --basic-auth-file={{ kube_users_dir }}/known_users.csv{% endif %} - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --proxy-client-cert-file={{ kube_cert_dir }}/apiserver.pem - --proxy-client-key-file={{ kube_cert_dir }}/apiserver-key.pem{% if kube_token_auth|default(true) %} - --token-auth-file={{ kube_token_dir }}/known_tokens.csv{% endif %} - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} - --oidc-issuer-url={{ kube_oidc_url }} - --oidc-client-id={{ kube_oidc_client_id }}{% if kube_oidc_ca_file is defined %} - --oidc-ca-file={{ kube_oidc_ca_file }}{% endif %}{% if kube_oidc_username_claim is defined %} - --oidc-username-claim={{ kube_oidc_username_claim }}{% endif %}{% if kube_oidc_groups_claim is defined %} - --oidc-groups-claim={{ kube_oidc_groups_claim }}{% endif %}{% endif %} - --secure-port={{ kube_apiserver_port }} - --insecure-port={{ kube_apiserver_insecure_port }} - --storage-backend={{ kube_apiserver_storage_backend }}{% if kube_api_runtime_config is defined %}{% for conf in kube_api_runtime_config %} - --runtime-config={{ conf }}{% endfor %}{% endif %}{% if enable_network_policy %}{% if kube_version | version_compare('v1.8', '<') %} - --runtime-config=extensions/v1beta1/networkpolicies=true{% endif %}{% endif %} - --v={{ kube_log_level }} - --allow-privileged=true{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %} - --cloud-provider={{ cloud_provider }} - --cloud-config={{ kube_config_dir }}/cloud_config{% elif cloud_provider is defined and cloud_provider == "aws" %} - --cloud-provider={{ cloud_provider }}{% endif %}{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %} - --anonymous-auth={{ kube_api_anonymous_auth }}{% endif %}{% if authorization_modes %} - --authorization-mode={{ authorization_modes|join(',') }}{% endif %}{% if kube_feature_gates %} - --feature-gates={{ kube_feature_gates|join(',') }}{% endif %}{% if kube_version | version_compare('v1.9', '>=') %} - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem - --requestheader-allowed-names=front-proxy-client - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --enable-aggregator-routing={{ kube_api_aggregator_routing }} - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem{% endif %}{% if apiserver_custom_flags is string %} - {{ apiserver_custom_flags }}{% else %}{% for flag in apiserver_custom_flags %} - {{ flag }}{% endfor %}{% endif %} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz{% if kube_apiserver_insecure_port|int == 0 %} port: {{ kube_apiserver_port }} scheme: HTTPS{% else %} port: {{ kube_apiserver_insecure_port }}{% endif %} failureThreshold: 8 initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 15 volumeMounts: - mountPath: {{ kube_config_dir }} name: kubernetes-config readOnly: true - mountPath: /etc/ssl name: ssl-certs-host readOnly: true{% for dir in ssl_ca_dirs %} - mountPath: {{ dir }} name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} readOnly: true{% endfor %} - mountPath: {{ etcd_cert_dir }} name: etcd-certs readOnly: true{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} - mountPath: /etc/ssl/certs/ca-bundle.crt name: rhel-ca-bundle readOnly: true{% endif %} volumes: - hostPath: path: {{ kube_config_dir }} name: kubernetes-config - name: ssl-certs-host hostPath: path: /etc/ssl{% for dir in ssl_ca_dirs %} - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} hostPath: path: {{ dir }}{% endfor %} - hostPath: path: {{ etcd_cert_dir }} name: etcd-certs{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} - hostPath: path: /etc/ssl/certs/ca-bundle.crt name: rhel-ca-bundle{% endif %}
|
