85 lines
2.6 KiB
Plaintext
85 lines
2.6 KiB
Plaintext
{%- from "kubernetes/map.jinja" import master with context %}
|
|
{%- from "kubernetes/map.jinja" import common with context %}
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: kube-apiserver
|
|
namespace: kube-system
|
|
spec:
|
|
dnsPolicy: ClusterFirst
|
|
hostNetwork: true
|
|
restartPolicy: Always
|
|
terminationGracePeriodSeconds: 30
|
|
containers:
|
|
- name: kube-apiserver
|
|
image: {{ common.hyperkube.image }}
|
|
command:
|
|
- /hyperkube
|
|
- apiserver
|
|
--insecure-bind-address={{ master.apiserver.insecure_address }}
|
|
--etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
|
|
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
|
|
--service-cluster-ip-range={{ master.service_addresses }}
|
|
--client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
|
|
--basic-auth-file=/srv/kubernetes/basic_auth.csv
|
|
--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
|
|
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
|
|
--secure-port={{ master.apiserver.get('secure_port', '443') }}
|
|
--bind-address={{ master.apiserver.address }}
|
|
--token-auth-file=/srv/kubernetes/known_tokens.csv
|
|
--etcd-quorum-read=true
|
|
--v=2
|
|
--allow-privileged=True
|
|
1>>/var/log/kube-apiserver.log 2>&1
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
httpGet:
|
|
host: 127.0.0.1
|
|
path: /healthz
|
|
port: 8080
|
|
scheme: HTTP
|
|
initialDelaySeconds: 15
|
|
timeoutSeconds: 15
|
|
ports:
|
|
- containerPort: {{ master.apiserver.get('secure_port', '443') }}
|
|
hostPort: {{ master.apiserver.get('secure_port', '443') }}
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 8080
|
|
hostPort: 8080
|
|
name: local
|
|
protocol: TCP
|
|
resources:
|
|
requests:
|
|
cpu: 250m
|
|
volumeMounts:
|
|
- mountPath: /srv/kubernetes
|
|
name: srvkube
|
|
readOnly: true
|
|
- mountPath: /var/log/kube-apiserver.log
|
|
name: logfile
|
|
- mountPath: /etc/kubernetes/ssl
|
|
name: etcssl
|
|
readOnly: true
|
|
- mountPath: /usr/share/ca-certificates
|
|
name: usrsharecacerts
|
|
readOnly: true
|
|
- mountPath: /srv/sshproxy
|
|
name: srvsshproxy
|
|
volumes:
|
|
- hostPath:
|
|
path: /srv/kubernetes
|
|
name: srvkube
|
|
- hostPath:
|
|
path: /var/log/kube-apiserver.log
|
|
name: logfile
|
|
- hostPath:
|
|
path: /etc/kubernetes/ssl
|
|
name: etcssl
|
|
- hostPath:
|
|
path: /usr/share/ca-certificates
|
|
name: usrsharecacerts
|
|
- hostPath:
|
|
path: /srv/sshproxy
|
|
name: srvsshproxy
|