salt-formula-kubernetes/kubernetes/files/manifest/kube-apiserver.manifest


{%- from "kubernetes/map.jinja" import master with context %}
{%- from "kubernetes/map.jinja" import common with context %}
# Pod manifest for the Kubernetes API server. It is a Jinja template: the
# `master` and `common` mappings are imported from kubernetes/map.jinja at the
# top of the file and substituted before the result is parsed as YAML.
# NOTE(review): presumably dropped into the kubelet manifest directory as a
# static pod - confirm against the state that installs it.
# Keep Jinja delimiters out of YAML comments in this file; the template engine
# would try to render them.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  dnsPolicy: ClusterFirst
  # The pod shares the node's network namespace, so every bind address and
  # port below is opened directly on the node.
  hostNetwork: true
  restartPolicy: Always
  terminationGracePeriodSeconds: 30
  containers:
  - name: kube-apiserver
    image: {{ common.hyperkube.image }}
    # Layout: the second list item is ONE multi-line plain scalar. YAML folds
    # the continuation lines into a single space-separated string, so comments
    # cannot be placed between the flag lines; the notes are collected here.
    #
    # Security review notes on the flags below:
    # * --insecure-bind-address: the insecure port serves the API over plain
    #   HTTP with no authentication or authorization. Its listen address comes
    #   from the pillar value master.apiserver.insecure_address; because of
    #   hostNetwork, any non-loopback value exposes full API access to the
    #   network. Keep it on 127.0.0.1 and firewall port 8080.
    # * --etcd-servers: every member is addressed as http:// on port 4001, so
    #   API objects (Secrets included) travel to etcd unencrypted, and no
    #   --etcd-cafile / --etcd-certfile / --etcd-keyfile is passed for TLS or
    #   client authentication.
    # * --basic-auth-file / --token-auth-file: static, long-lived credentials
    #   read from CSV files under /srv/kubernetes. Restrict the file
    #   permissions on the host and rotate the entries; client certificates
    #   (--client-ca-file is already set) are the stronger option.
    # * No --authorization-mode is set. NOTE(review): releases of this era
    #   defaulted to AlwaysAllow, which would let any authenticated user do
    #   anything - confirm the default for the deployed version and set the
    #   mode explicitly.
    # * --allow-privileged=True lets pods request privileged mode; make sure
    #   pod creation is limited to trusted identities.
    # * --secure-port falls back to 443 when the pillar sets no secure_port.
    # NOTE(review): the trailing `1>>/var/log/kube-apiserver.log 2>&1` is shell
    # redirection syntax, but no shell appears in this command list - confirm
    # how the entrypoint handles it and that the log file is really written.
    command:
    - /hyperkube
    - apiserver
      --insecure-bind-address={{ master.apiserver.insecure_address }}
      --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
      --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
      --service-cluster-ip-range={{ master.service_addresses }}
      --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
      --basic-auth-file=/srv/kubernetes/basic_auth.csv
      --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
      --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
      --secure-port={{ master.apiserver.get('secure_port', '443') }}
      --bind-address={{ master.apiserver.address }}
      --token-auth-file=/srv/kubernetes/known_tokens.csv
      --etcd-quorum-read=true
      --v=2
      --allow-privileged=True
      1>>/var/log/kube-apiserver.log 2>&1
    imagePullPolicy: IfNotPresent
    # Health check goes to the plain-HTTP port on loopback. No --insecure-port
    # flag is passed, so 8080 is presumably the apiserver default - confirm.
    # NOTE(review): the probe only succeeds if the insecure bind address
    # includes 127.0.0.1.
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    # TLS endpoint; same pillar lookup (default 443) as --secure-port above.
    - containerPort: {{ master.apiserver.get('secure_port', '443') }}
      hostPort: {{ master.apiserver.get('secure_port', '443') }}
      name: https
      protocol: TCP
    # Unauthenticated plain-HTTP endpoint; see the note on
    # --insecure-bind-address above.
    - containerPort: 8080
      hostPort: 8080
      name: local
      protocol: TCP
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    # Holds basic_auth.csv and known_tokens.csv (see the auth-file flags).
    - mountPath: /srv/kubernetes
      name: srvkube
      readOnly: true
    # Single log file from the host, mounted writable; it is the target of the
    # redirection at the end of the command.
    - mountPath: /var/log/kube-apiserver.log
      name: logfile
    # CA certificate plus the server certificate and private key.
    - mountPath: /etc/kubernetes/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usrsharecacerts
      readOnly: true
    # NOTE(review): mounted without readOnly, unlike the other host
    # directories - confirm the apiserver needs write access here.
    - mountPath: /srv/sshproxy
      name: srvsshproxy
  # Every volume is a hostPath, so the container reads (and for the two
  # writable mounts, modifies) files that live on the node itself.
  volumes:
  - hostPath:
      path: /srv/kubernetes
    name: srvkube
  - hostPath:
      path: /var/log/kube-apiserver.log
    name: logfile
  - hostPath:
      path: /etc/kubernetes/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ca-certificates
    name: usrsharecacerts
  - hostPath:
      path: /srv/sshproxy
    name: srvsshproxy