Make kubeadm config work on bare-metal, minor tuning

This commit is contained in:
Stefan Reimer 2021-02-22 14:41:32 +01:00
parent 8e8f747686
commit d969e53d40
9 changed files with 32 additions and 7 deletions

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm name: kubeadm
description: KubeZero Kubeadm golden config description: KubeZero Kubeadm golden config
type: application type: application
version: 1.19.7 version: 1.19.8
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

View File

@ -10,7 +10,7 @@ networking:
etcd: etcd:
local: local:
extraArgs: extraArgs:
listen-metrics-urls: "http://0.0.0.0:2381" listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
unsafe-no-fsync: "true" unsafe-no-fsync: "true"
logger: "zap" logger: "zap"
{{- with .Values.etcdExtraArgs }} {{- with .Values.etcdExtraArgs }}
@ -19,14 +19,14 @@ etcd:
controllerManager: controllerManager:
extraArgs: extraArgs:
profiling: "false" profiling: "false"
bind-address: 0.0.0.0 bind-address: {{ .Values.listenAddress }}
terminated-pod-gc-threshold: "300" terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }} leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json logging-format: json
scheduler: scheduler:
extraArgs: extraArgs:
profiling: "false" profiling: "false"
bind-address: 0.0.0.0 bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.clusterHighAvailable | quote }} leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json logging-format: json
apiServer: apiServer:
@ -35,7 +35,6 @@ apiServer:
extraArgs: extraArgs:
etcd-servers: {{ .Values.allEtcdEndpoints }} etcd-servers: {{ .Values.allEtcdEndpoints }}
profiling: "false" profiling: "false"
feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
audit-log-path: "/var/log/kubernetes/audit.log" audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
audit-log-maxage: "7" audit-log-maxage: "7"
@ -43,7 +42,12 @@ apiServer:
audit-log-maxbackup: "3" audit-log-maxbackup: "3"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }}
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
{{- else }}
feature-gates: "DefaultPodTopologySpread=true"
{{- end }}
enable-admission-plugins: NodeRestriction,EventRateLimit enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }} {{- if .Values.clusterHighAvailable }}
goaway-chance: ".001" goaway-chance: ".001"

View File

@ -2,5 +2,5 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration kind: KubeProxyConfiguration
metadata: metadata:
name: kubezero-kubeproxyconfiguration name: kubezero-kubeproxyconfiguration
metricsBindAddress: "0.0.0.0:10249" metricsBindAddress: "{{ .Values.listenAddress }}:10249"
mode: "" mode: ""

View File

@ -7,13 +7,20 @@ cgroupDriver: cgroupfs
logging: logging:
format: json format: json
hairpinMode: hairpin-veth hairpinMode: hairpin-veth
{{- if .Values.systemd }}
resolvConf: /run/systemd/resolve/resolv.conf resolvConf: /run/systemd/resolve/resolv.conf
protectKernelDefaults: true {{- end }}
protectKernelDefaults: {{ .Values.protectKernelDefaults }}
eventRecordQPS: 0 eventRecordQPS: 0
# Breaks kubelet at boot time # Breaks kubelet at boot time
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt # tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key # tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256] tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
{{- if eq .Values.platform "aws" }}
featureGates: featureGates:
CSIMigrationAWS: true CSIMigrationAWS: true
CSIMigrationAWSComplete: true CSIMigrationAWSComplete: true
{{- end }}
kubeReserved:
cpu=50m
memory=128m

View File

@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
clusters: clusters:
@ -23,3 +24,4 @@ users:
- "{{ .Values.clusterName }}" - "{{ .Values.clusterName }}"
- "-r" - "-r"
- "{{ .Values.kubeAdminRole }}" - "{{ .Values.kubeAdminRole }}"
{{- end }}

View File

@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
@ -30,3 +31,4 @@ spec:
type: array type: array
items: items:
type: string type: string
{{- end }}

View File

@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
@ -151,3 +152,4 @@ spec:
- name: state - name: state
hostPath: hostPath:
path: /var/aws-iam-authenticator/ path: /var/aws-iam-authenticator/
{{- end }}

View File

@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
# Controller role which is more or less cluster-admin once enrolled # Controller role which is more or less cluster-admin once enrolled
apiVersion: iamauthenticator.k8s.aws/v1alpha1 apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping kind: IAMIdentityMapping
@ -32,3 +33,4 @@ spec:
username: kubernetes-admin username: kubernetes-admin
groups: groups:
- system:masters - system:masters
{{- end }}

View File

@ -1,7 +1,13 @@
clusterVersion: 1.19.0 clusterVersion: 1.19.0
listenAddress: 0.0.0.0
clusterName: pleasechangeme clusterName: pleasechangeme
apiEndpoint: kube-api.changeme.org:6443 apiEndpoint: kube-api.changeme.org:6443
etcdExtraArgs: {} etcdExtraArgs: {}
apiExtraArgs: {} apiExtraArgs: {}
clusterHighAvailable: false clusterHighAvailable: false
allEtcdEndpoints: "" allEtcdEndpoints: ""
# supported values aws,bare-metal
platform: "aws"
# Set to false for openrc, eg. on Gentoo or Alpine
systemd: true
protectKernelDefaults: true