kubespray/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2

apiVersion: kubeadm.k8s.io/v1alpha3
kind: InitConfiguration
apiEndpoint:
  advertiseAddress: {{ ip | default(ansible_default_ipv4.address) }}
  bindPort: {{ kube_apiserver_port }}
nodeRegistration:
{% if kube_override_hostname|default('') %}
  name: {{ kube_override_hostname }}
{% endif %}
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
{% if container_manager == 'crio' %}
  criSocket: /var/run/crio/crio.sock
{% else %}
  criSocket: /var/run/dockershim.sock
{% endif %}
---
apiVersion: kubeadm.k8s.io/v1alpha3
kind: ClusterConfiguration
clusterName: {{ cluster_name }}
etcd:
  external:
      endpoints:
{% for endpoint in etcd_access_addresses.split(',') %}
      - {{ endpoint }}
{% endfor %}
      caFile: {{ kube_config_dir }}/ssl/etcd/ca.pem
      certFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}.pem
      keyFile: {{ kube_config_dir }}/ssl/etcd/node-{{ inventory_hostname }}-key.pem
networking:
  dnsDomain: {{ dns_domain }}
  serviceSubnet: {{ kube_service_addresses }}
  podSubnet: {{ kube_pods_subnet }}
kubernetesVersion: {{ kube_version }}
{% if groups['kube-master'] | length > 1 and kubeadm_config_api_fqdn is defined %}
controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
{% else %}
controlPlaneEndpoint: {{ ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}
{% endif %}
apiServerExtraArgs:
  authorization-mode: {{ authorization_modes | join(',') }}
  bind-address: {{ kube_apiserver_bind_address }}
{% if kube_apiserver_insecure_port|string != "0" %}
  insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
{% endif %}
  insecure-port: "{{ kube_apiserver_insecure_port }}"
{% if kube_version is version('v1.10', '<') %}
  admission-control: {{ kube_apiserver_admission_control | join(',') }}
{% else %}
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
  enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}
{% if kube_apiserver_disable_admission_plugins|length > 0 %}
  disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
{% endif %}
{% endif %}
  apiserver-count: "{{ kube_apiserver_count }}"
{% if kube_version is version('v1.9', '>=') %}
  endpoint-reconciler-type: lease
{% endif %}
{% if etcd_events_cluster_enabled %}
  etcd-servers-overrides: "/events#{{ etcd_events_access_addresses }}"
{% endif %}
  service-node-port-range: {{ kube_apiserver_node_port_range }}
  kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
{% if kube_basic_auth|default(true) %}
  basic-auth-file: {{ kube_users_dir }}/known_users.csv
{% endif %}
{% if kube_token_auth|default(true) %}
  token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
  oidc-issuer-url: {{ kube_oidc_url }}
  oidc-client-id: {{ kube_oidc_client_id }}
{%   if kube_oidc_ca_file is defined %}
  oidc-ca-file: {{ kube_oidc_ca_file }}
{%   endif %}
{%   if kube_oidc_username_claim is defined %}
  oidc-username-claim: {{ kube_oidc_username_claim }}
{%   endif %}
{%   if kube_oidc_groups_claim is defined %}
  oidc-groups-claim: {{ kube_oidc_groups_claim }}
{%   endif %}
{% endif %}
{% if kube_encrypt_secret_data %}
  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
{% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
  runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %}
  allow-privileged: "true"
{% if kubernetes_audit %}
  audit-log-path: "{{ audit_log_path }}"
  audit-log-maxage: "{{ audit_log_maxage }}"
  audit-log-maxbackup: "{{ audit_log_maxbackups }}"
  audit-log-maxsize: "{{ audit_log_maxsize }}"
  audit-policy-file: {{ audit_policy_file }}
{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %}
  {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %}
{% if kube_feature_gates %}
  feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
controllerManagerExtraArgs:
  node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
  node-monitor-period: {{ kube_controller_node_monitor_period }}
  pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
{% if kube_feature_gates %}
  feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
controllerManagerExtraVolumes:
- name: openstackcacert
  hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
  mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
{% endif %}
{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) %}
apiServerExtraVolumes:
{% if kube_basic_auth|default(true) %}
- name: basic-auth-config
  hostPath: {{ kube_users_dir }}
  mountPath: {{ kube_users_dir }}
{% endif %}
{% if kube_token_auth|default(true) %}
- name: token-auth-config
  hostPath: {{ kube_token_dir }}
  mountPath: {{ kube_token_dir }}
{% endif %}
{% if kubernetes_audit %}
- name: {{ audit_policy_name }}
  hostPath: {{ audit_policy_hostpath }}
  mountPath: {{ audit_policy_mountpath }}
{% if audit_log_path != "-" %}
- name: {{ audit_log_name }}
  hostPath: {{ audit_log_hostpath }}
  mountPath: {{ audit_log_mountpath }}
  writable: true
{% endif %}
{% endif %}
{% endif %}
{% for key in kube_kubeadm_controller_extra_args %}
  {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
{% endfor %}
schedulerExtraArgs:
{% if kube_feature_gates %}
  feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
{% for key in kube_kubeadm_scheduler_extra_args %}
  {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
{% endif %}
apiServerCertSANs:
{% for san in  apiserver_sans.split(' ') | unique %}
  - {{ san }}
{% endfor %}
certificatesDir: {{ kube_config_dir }}/ssl
imageRepository: {{ kube_image_repo }}
unifiedControlPlaneImage: ""
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: 0.0.0.0
clientConnection:
 acceptContentTypes: ""
 burst: 10
 contentType: application/vnd.kubernetes.protobuf
 kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
 qps: 5
clusterCIDR: ""
configSyncPeriod: 15m0s
conntrack:
 max: null
 maxPerCore: 32768
 min: 131072
 tcpCloseWaitTimeout: 1h0m0s
 tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
iptables:
 masqueradeAll: false
 masqueradeBit: 14
 minSyncPeriod: 0s
 syncPeriod: 30s
ipvs:
 excludeCIDRs: null
 minSyncPeriod: 0s
 scheduler: ""
 syncPeriod: 30s
metricsBindAddress: 127.0.0.1:10249
mode: {{ kube_proxy_mode }}
{% if kube_proxy_nodeport_addresses %}
nodePortAddresses: [{{ kube_proxy_nodeport_addresses_cidr }}]
{% endif %}
oomScoreAdj: -999
portRange: ""
resourceContainer: /kube-proxy
udpIdleTimeout: 250ms