Make kubeadm config work on bare-metal, minor tuning

This commit is contained in:
Stefan Reimer 2021-02-22 14:41:32 +01:00
parent 8e8f747686
commit d969e53d40
9 changed files with 32 additions and 7 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.19.7
version: 1.19.8
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:


@ -10,7 +10,7 @@ networking:
etcd:
local:
extraArgs:
listen-metrics-urls: "http://0.0.0.0:2381"
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
unsafe-no-fsync: "true"
logger: "zap"
{{- with .Values.etcdExtraArgs }}
@ -19,14 +19,14 @@ etcd:
controllerManager:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
bind-address: {{ .Values.listenAddress }}
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json
scheduler:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json
apiServer:
@ -35,7 +35,6 @@ apiServer:
extraArgs:
etcd-servers: {{ .Values.allEtcdEndpoints }}
profiling: "false"
feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
audit-log-maxage: "7"
@ -43,7 +42,12 @@ apiServer:
audit-log-maxbackup: "3"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }}
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
{{- else }}
feature-gates: "DefaultPodTopologySpread=true"
{{- end }}
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }}
goaway-chance: ".001"
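Review bot: The new `bind-address: {{ .Values.listenAddress }}` lines in the controllerManager and scheduler hunks render the value unquoted, so an empty or null `listenAddress` becomes a YAML null inside `extraArgs`, which kubeadm expects to be a string-to-string map, and this commit already quotes the same value for the etcd metrics URL and the kube-proxy metrics address. Suggest `bind-address: {{ .Values.listenAddress | quote }}` on both lines, matching the `leader-elect: {{ .Values.clusterHighAvailable | quote }}` line directly below each of them. The `extraArgs` mappings continue outside these hunks.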


@ -2,5 +2,5 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
metadata:
name: kubezero-kubeproxyconfiguration
metricsBindAddress: "0.0.0.0:10249"
metricsBindAddress: "{{ .Values.listenAddress }}:10249"
mode: ""


@ -7,13 +7,20 @@ cgroupDriver: cgroupfs
logging:
format: json
hairpinMode: hairpin-veth
{{- if .Values.systemd }}
resolvConf: /run/systemd/resolve/resolv.conf
protectKernelDefaults: true
{{- end }}
protectKernelDefaults: {{ .Values.protectKernelDefaults }}
eventRecordQPS: 0
# Breaks kubelet at boot time
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
{{- if eq .Values.platform "aws" }}
featureGates:
CSIMigrationAWS: true
CSIMigrationAWSComplete: true
{{- end }}
kubeReserved:
cpu=50m
memory=128m
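Review bot: `protectKernelDefaults: {{ .Values.protectKernelDefaults }}` replaces a hard-coded `true` with an unguarded value, so an override that sets the key to null (which Helm treats as deleting it) renders an empty value and, as far as I can tell, decodes to the bool zero value false, silently dropping the kernel-tunable protection this chart previously enforced. Consider `protectKernelDefaults: {{ required "protectKernelDefaults must be set" .Values.protectKernelDefaults }}` so rendering fails instead of weakening the node. Unrelated to this change but visible in context, the `tlsCipherSuites` list on this file still includes the two non-forward-secret `TLS_RSA_*` suites that the apiserver's `tls-cipher-suites` list in this same commit leaves out; aligning the two lists would be worth a follow-up.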


@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
apiVersion: v1
kind: Config
clusters:
@ -23,3 +24,4 @@ users:
- "{{ .Values.clusterName }}"
- "-r"
- "{{ .Values.kubeAdminRole }}"
{{- end }}
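Review bot: The `{{- if eq .Values.platform "aws" }}` guard added here, and repeated in the CustomResourceDefinition, ClusterRole/DaemonSet and IAMIdentityMapping sections and in the apiserver `authentication-token-webhook-config-file` block, is an exact string comparison, so a typo or different casing in `platform` (say `AWS` or `baremetal`) renders none of the IAM authenticator manifests and drops the webhook flag without any error. Since the values file documents only `aws` and `bare-metal` as supported, a single validation such as `{{- if not (has .Values.platform (list "aws" "bare-metal")) }}{{ fail "platform must be aws or bare-metal" }}{{- end }}` placed once (e.g. at the top of the kubeadm config template or in a helper template) would turn that silent misconfiguration into a rendering failure.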


@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
@ -30,3 +31,4 @@ spec:
type: array
items:
type: string
{{- end }}


@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -151,3 +152,4 @@ spec:
- name: state
hostPath:
path: /var/aws-iam-authenticator/
{{- end }}


@ -1,3 +1,4 @@
{{- if eq .Values.platform "aws" }}
# Controller role which is more or less cluster-admin once enrolled
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
@ -32,3 +33,4 @@ spec:
username: kubernetes-admin
groups:
- system:masters
{{- end }}


@ -1,7 +1,13 @@
clusterVersion: 1.19.0
listenAddress: 0.0.0.0
clusterName: pleasechangeme
apiEndpoint: kube-api.changeme.org:6443
etcdExtraArgs: {}
apiExtraArgs: {}
clusterHighAvailable: false
allEtcdEndpoints: ""
# supported values aws,bare-metal
platform: "aws"
# Set to false for openrc, eg. on Gentoo or Alpine
systemd: true
protectKernelDefaults: true
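Review bot: `listenAddress: 0.0.0.0` is added without a comment, unlike `platform` and `systemd` below it, yet in this commit it now drives the etcd metrics URL, the controller-manager and scheduler `bind-address`, and the kube-proxy `metricsBindAddress`, so a reader of this file cannot tell that the default exposes all of those ports on every interface. Suggest placing `# Address used for etcd metrics, controller-manager/scheduler bind-address and kube-proxy metrics; 0.0.0.0 listens on all interfaces, use the node IP or 127.0.0.1 where these ports must stay local` above it. A similar one-line comment on `protectKernelDefaults` noting that it feeds the kubelet config directly would help, since its previous hard-coded value is no longer visible here.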