kubespray/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2

apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
{% if kubeadm_token is defined %}
bootstrapTokens:
- token: "{{ kubeadm_token }}"
  description: "kubespray kubeadm bootstrap token"
  ttl: "24h"
{% endif %}
localAPIEndpoint:
  advertiseAddress: {{ ip | default(fallback_ips[inventory_hostname]) }}
  bindPort: {{ kube_apiserver_port }}
{% if kubeadm_certificate_key is defined %}
certificateKey: {{ kubeadm_certificate_key }}
{% endif %}
nodeRegistration:
{% if kube_override_hostname|default('') %}
  name: {{ kube_override_hostname }}
{% endif %}
{% if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] %}
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
{% else %}
  taints: []
{% endif %}
  criSocket: {{ cri_socket }}
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
clusterName: {{ cluster_name }}
etcd:
{% if not etcd_kubeadm_enabled %}
  external:
      endpoints:
{% for endpoint in etcd_access_addresses.split(',') %}
      - {{ endpoint }}
{% endfor %}
      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
{% elif etcd_kubeadm_enabled %}
  local:
    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
    imageTag: "{{ etcd_image_tag }}"
    dataDir: "/var/lib/etcd"
    extraArgs:
      metrics: {{ etcd_metrics }}
      election-timeout: "{{ etcd_election_timeout }}"
      heartbeat-interval: "{{ etcd_heartbeat_interval }}"
      auto-compaction-retention: "{{ etcd_compaction_retention }}"
{% if etcd_snapshot_count is defined %}
      snapshot-count: "{{ etcd_snapshot_count }}"
{% endif %}
{% if etcd_quota_backend_bytes is defined %}
      quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
{% endif %}
{% if etcd_log_package_levels is defined %}
      log-package_levels: "{{ etcd_log_package_levels }}"
{% endif %}
{% for key, value in etcd_extra_vars.items() %}
      {{ key }}: "{{ value }}"
{% endfor %}
{% if host_architecture != "amd64" -%}
      etcd-unsupported-arch: {{host_architecture}}
{% endif %}
    serverCertSANs:
{% for san in etcd_cert_alt_names %}
      - {{ san }}
{% endfor %}
{% for san in etcd_cert_alt_ips %}
      - {{ san }}
{% endfor %}
    peerCertSANs:
{% for san in etcd_cert_alt_names %}
      - {{ san }}
{% endfor %}
{% for san in etcd_cert_alt_ips %}
      - {{ san }}
{% endfor %}
{% endif %}
dns:
  type: CoreDNS
  imageRepository: {{ coredns_image_repo | regex_replace('/coredns$','') }}
  imageTag: {{ coredns_image_tag }}
networking:
  dnsDomain: {{ dns_domain }}
  serviceSubnet: {{ kube_service_addresses }}
  podSubnet: {{ kube_pods_subnet }}
kubernetesVersion: {{ kube_version }}
{% if kubeadm_config_api_fqdn is defined %}
controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
{% else %}
controlPlaneEndpoint: {{ ip | default(fallback_ips[inventory_hostname]) }}:{{ kube_apiserver_port }}
{% endif %}
certificatesDir: {{ kube_cert_dir }}
imageRepository: {{ kube_image_repo }}
useHyperKubeImage: false
apiServer:
  extraArgs:
{% if kube_api_anonymous_auth is defined %}
    anonymous-auth: "{{ kube_api_anonymous_auth }}"
{% endif %}
    authorization-mode: {{ authorization_modes | join(',') }}
    bind-address: {{ kube_apiserver_bind_address }}
{% if kube_apiserver_insecure_port|string != "0" %}
    insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
{% endif %}
    insecure-port: "{{ kube_apiserver_insecure_port }}"
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}
{% if kube_apiserver_disable_admission_plugins|length > 0 %}
    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
{% endif %}
    apiserver-count: "{{ kube_apiserver_count }}"
    endpoint-reconciler-type: lease
{% if etcd_events_cluster_enabled %}
    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
{% endif %}
    service-node-port-range: {{ kube_apiserver_node_port_range }}
    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
    profiling: "{{ kube_profiling }}"
    request-timeout: "{{ kube_apiserver_request_timeout }}"
    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
{% if kube_basic_auth|default(true) %}
    basic-auth-file: {{ kube_users_dir }}/known_users.csv
{% endif %}
{% if kube_token_auth|default(true) %}
    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
    oidc-issuer-url: {{ kube_oidc_url }}
    oidc-client-id: {{ kube_oidc_client_id }}
{%   if kube_oidc_ca_file is defined %}
    oidc-ca-file: {{ kube_oidc_ca_file }}
{%   endif %}
{%   if kube_oidc_username_claim is defined %}
    oidc-username-claim: {{ kube_oidc_username_claim }}
{%   endif %}
{%   if kube_oidc_groups_claim is defined %}
    oidc-groups-claim: {{ kube_oidc_groups_claim }}
{%   endif %}
{%   if kube_oidc_username_prefix is defined %}
    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
{%   endif %}
{%   if kube_oidc_groups_prefix is defined %}
    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
{%   endif %}
{% endif %}
{% if kube_webhook_token_auth|default(false) %}
    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_encrypt_secret_data %}
    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
    storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
    runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %}
    allow-privileged: "true"
{% if kubernetes_audit %}
    audit-log-path: "{{ audit_log_path }}"
    audit-log-maxage: "{{ audit_log_maxage }}"
    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
    audit-log-maxsize: "{{ audit_log_maxsize }}"
    audit-policy-file: {{ audit_policy_file }}
{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %}
    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %}
{% if kube_feature_gates %}
    feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
    cloud-provider: {{ cloud_provider }}
    cloud-config: {{ kube_config_dir }}/cloud_config
{% elif cloud_provider is defined and cloud_provider in ["external"] %}
    cloud-config: {{ kube_config_dir }}/cloud_config
{% endif %}
{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
  extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
  - name: cloud-config
    hostPath: {{ kube_config_dir }}/cloud_config
    mountPath: {{ kube_config_dir }}/cloud_config
{% endif %}
{% if kube_basic_auth|default(true) %}
  - name: basic-auth-config
    hostPath: {{ kube_users_dir }}
    mountPath: {{ kube_users_dir }}
{% endif %}
{% if kube_token_auth|default(true) %}
  - name: token-auth-config
    hostPath: {{ kube_token_dir }}
    mountPath: {{ kube_token_dir }}
{% endif %}
{% if kube_webhook_token_auth|default(false) %}
  - name: webhook-token-auth-config
    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kubernetes_audit %}
  - name: {{ audit_policy_name }}
    hostPath: {{ audit_policy_hostpath }}
    mountPath: {{ audit_policy_mountpath }}
{% if audit_log_path != "-" %}
  - name: {{ audit_log_name }}
    hostPath: {{ audit_log_hostpath }}
    mountPath: {{ audit_log_mountpath }}
    readOnly: false
{% endif %}
{% endif %}
{% for volume in apiserver_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% if ssl_ca_dirs|length %}
{% for dir in ssl_ca_dirs %}
  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
    hostPath: {{ dir }}
    mountPath: {{ dir }}
    readOnly: true
{% endfor %}
{% endif %}
{% endif %}
  certSANs:
{% for san in apiserver_sans %}
  - {{ san }}
{% endfor %}
  timeoutForControlPlane: 5m0s
controllerManager:
  extraArgs:
    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
    node-monitor-period: {{ kube_controller_node_monitor_period }}
    pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
    node-cidr-mask-size: "{{ kube_network_node_prefix }}"
    profiling: "{{ kube_profiling }}"
    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
    bind-address: {{ kube_controller_manager_bind_address }}
{% if kube_feature_gates %}
    feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
{% for key in kube_kubeadm_controller_extra_args %}
    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
{% endfor %}
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
    cloud-provider: {{ cloud_provider }}
    cloud-config: {{ kube_config_dir }}/cloud_config
{% elif cloud_provider is defined and cloud_provider in ["external"] %}
    cloud-config: {{ kube_config_dir }}/cloud_config
{% endif %}
{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
    configure-cloud-routes: "false"
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] or controller_manager_extra_volumes %}
  extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
  - name: openstackcacert
    hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
    mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
  - name: cloud-config
    hostPath: {{ kube_config_dir }}/cloud_config
    mountPath: {{ kube_config_dir }}/cloud_config
{% endif %}
{% for volume in controller_manager_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% endif %}
scheduler:
  extraArgs:
    bind-address: {{ kube_scheduler_bind_address }}
{% if kube_feature_gates %}
    feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
{% for key in kube_kubeadm_scheduler_extra_args %}
    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
{% endif %}
  extraVolumes:
{% if scheduler_extra_volumes %}
  extraVolumes:
{% for volume in scheduler_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% endif %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: {{ kube_proxy_bind_address }}
clientConnection:
 acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
 burst: {{ kube_proxy_client_burst }}
 contentType: {{ kube_proxy_client_content_type }}
 kubeconfig: {{ kube_proxy_client_kubeconfig }}
 qps: {{ kube_proxy_client_qps }}
clusterCIDR: {{ kube_pods_subnet }}
configSyncPeriod: {{ kube_proxy_config_sync_period }}
conntrack:
 maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
 min: {{ kube_proxy_conntrack_min }}
 tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
 tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
enableProfiling: {{ kube_proxy_enable_profiling }}
healthzBindAddress: {{ kube_proxy_healthz_bind_address }}
hostnameOverride: {{ kube_override_hostname }}
iptables:
 masqueradeAll: {{ kube_proxy_masquerade_all }}
 masqueradeBit: {{ kube_proxy_masquerade_bit }}
 minSyncPeriod: {{ kube_proxy_min_sync_period }}
 syncPeriod: {{ kube_proxy_sync_period }}
ipvs:
 excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
 minSyncPeriod: {{ kube_proxy_min_sync_period }}
 scheduler: {{ kube_proxy_scheduler }}
 syncPeriod: {{ kube_proxy_sync_period }}
metricsBindAddress: {{ kube_proxy_metrics_bind_address }}
mode: {{ kube_proxy_mode }}
nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
oomScoreAdj: {{ kube_proxy_oom_score_adj }}
portRange: {{ kube_proxy_port_range }}
udpIdleTimeout: {{ kube_proxy_udp_idle_timeout }}