|
|
apiVersion: v1kind: Podmetadata: name: kube-apiserver namespace: {{system_namespace}} labels: k8s-app: kube-apiserver kargo: v2spec: hostNetwork: true containers: - name: kube-apiserver image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ kube_apiserver_cpu_limit }} memory: {{ kube_apiserver_memory_limit }} requests: cpu: {{ kube_apiserver_cpu_requests }} memory: {{ kube_apiserver_memory_requests }} command: - /hyperkube - apiserver - --advertise-address={{ ip | default(ansible_default_ipv4.address) }} - --etcd-servers={{ etcd_access_endpoint }} - --etcd-quorum-read=true - --etcd-cafile={{ etcd_cert_dir }}/ca.pem - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }} - --apiserver-count={{ kube_apiserver_count }} - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota - --service-cluster-ip-range={{ kube_service_addresses }} - --service-node-port-range={{ kube_apiserver_node_port_range }} - --client-ca-file={{ kube_cert_dir }}/ca.pem{% if kube_basic_auth|default(true) %} - --basic-auth-file={{ kube_users_dir }}/known_users.csv{% endif %} - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem{% if kube_token_auth|default(true) %} - --token-auth-file={{ kube_token_dir }}/known_tokens.csv{% endif %} - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} - --oidc-issuer-url={{ kube_oidc_url }} - --oidc-client-id={{ kube_oidc_client_id }}{% if kube_oidc_ca_file is defined %} - --oidc-ca-file={{ kube_oidc_ca_file }}{% endif %}{% if kube_oidc_username_claim is defined %} - --oidc-username-claim={{ kube_oidc_username_claim }}{% endif %}{% if kube_oidc_groups_claim is defined %} - --oidc-groups-claim={{ kube_oidc_groups_claim }}{% endif %}{% endif %} - --secure-port={{ kube_apiserver_port }} - --insecure-port={{ kube_apiserver_insecure_port }} - --storage-backend={{ kube_apiserver_storage_backend }}{% if kube_api_runtime_config is defined %}{% for conf in kube_api_runtime_config %} - --runtime-config={{ conf }}{% endfor %}{% endif %}{% if enable_network_policy %} - --runtime-config=extensions/v1beta1/networkpolicies=true{% endif %} - --v={{ kube_log_level }} - --allow-privileged=true{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %} - --cloud-provider={{ cloud_provider }} - --cloud-config={{ kube_config_dir }}/cloud_config{% elif cloud_provider is defined and cloud_provider == "aws" %} - --cloud-provider={{ cloud_provider }}{% endif %}{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %} - --anonymous-auth={{ kube_api_anonymous_auth }}{% endif %} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 8080 initialDelaySeconds: 30 timeoutSeconds: 10 volumeMounts: - mountPath: {{ kube_config_dir }} name: kubernetes-config readOnly: true - mountPath: /etc/ssl/certs name: ssl-certs-host readOnly: true - mountPath: {{ etcd_cert_dir }} name: etcd-certs readOnly: true volumes: - hostPath: path: {{ kube_config_dir }} name: kubernetes-config - hostPath: path: /etc/ssl/certs/ name: ssl-certs-host - hostPath: path: {{ etcd_cert_dir }} name: etcd-certs
|
