# kubeadm ClusterConfiguration, rendered by Helm. Everything in {{ ... }} is
# substituted from chart values before kubeadm ever parses this file, so review
# the rendered output (helm template) rather than this source when debugging.
apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
# The control-plane version is pinned to the chart version, so a chart upgrade
# is also a Kubernetes upgrade.
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.global.clusterName }}
#featureGates:
#  NonGracefulFailover: true
# Expected as host:port; the host part is reused below as an API server cert SAN.
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
  # Hard-coded pod CIDR; must agree with whatever the CNI is configured with.
  podSubnet: 10.244.0.0/16
etcd:
  local:
    # imageTag: 3.5.12-0
    extraArgs:
      # Client and peer URLs are advertised by node name, so nodeName must be
      # resolvable by every other member and by the API servers.
      - name: advertise-client-urls
        value: https://{{ .Values.etcd.nodeName }}:2379
      - name: initial-advertise-peer-urls
        value: https://{{ .Values.etcd.nodeName }}:2380
      - name: initial-cluster
        value: {{ include "kubeadm.etcd.initialCluster" .Values.etcd | quote }}
      # "new" for bootstrap, "existing" when joining a running cluster.
      - name: initial-cluster-state
        value: {{ .Values.etcd.state }}
      # Derived from the cluster name, so it is predictable: it only protects
      # against accidental cross-cluster joins, it is not a credential. Member
      # authentication rests on the peer certificates below.
      - name: initial-cluster-token
        value: etcd-{{ .Values.global.clusterName }}
      - name: name
        value: {{ .Values.etcd.nodeName }}
      # Peer and client traffic is TLS only (https scheme); the cert/key files
      # themselves are supplied by kubeadm, not by this block.
      - name: listen-peer-urls
        value: https://{{ .Values.listenAddress }}:2380
      - name: listen-client-urls
        value: https://{{ .Values.listenAddress }}:2379
      # NOTE(review): the metrics/health listener is plain HTTP, unauthenticated,
      # and bound to every interface rather than to listenAddress. It does not
      # expose key/value data, but it does reveal etcd version and operational
      # state to anyone who can reach :2381 — make sure host firewall / security
      # groups restrict it to the scraper, or bind it to a specific address.
      - name: listen-metrics-urls
        value: http://0.0.0.0:2381
      - name: logger
        value: zap
      - name: log-level
        value: warn
      ### DNS discovery
      #- name: discovery-srv
      #  value: {{ .Values.domain }}
      #- name: discovery-srv-name
      #  value: {{ .Values.global.clusterName }}
      # Operator-supplied etcd args are appended after the defaults above; an
      # override that re-specifies one of them should be reviewed deliberately.
      {{- with .Values.etcd.extraArgs }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    # Every member's server AND peer certificate carries the bare domain as a
    # SAN (presumably for the commented-out SRV discovery). Consequence: any
    # single member can present a certificate valid for the whole domain, so
    # all members are trusted equally — do not reuse this domain for anything
    # that is not an etcd member.
    serverCertSANs:
      - "{{ .Values.etcd.nodeName }}"
      - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
      - "{{ .Values.domain }}"
    peerCertSANs:
      - "{{ .Values.etcd.nodeName }}"
      - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
      - "{{ .Values.domain }}"
controllerManager:
  extraArgs:
    # Disables the pprof debug endpoint.
    - name: profiling
      value: "false"
    - name: terminated-pod-gc-threshold
      value: "300"
    # Leader election is only turned on for HA deployments.
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    # Shared feature-gate list; the helper is defined elsewhere in the chart.
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
scheduler:
  extraArgs:
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    # Disables the pprof debug endpoint.
    - name: profiling
      value: "false"
apiServer:
  # Host part of api.endpoint (everything before the first ":"). This assumes an
  # unbracketed hostname or IPv4 literal; a bracketed IPv6 endpoint would yield
  # a wrong SAN because the split happens at the first colon.
  certSANs:
    - {{ regexSplit ":" .Values.api.endpoint -1 | first }}
  extraArgs:
    # Disables the pprof debug endpoint.
    - name: profiling
      value: "false"
    - name: etcd-servers
      value: {{ .Values.api.etcdServers }}
    # Local audit trail. Policy file lives on the read-only config mount below;
    # the log itself goes to the writable /var/log/kubernetes mount.
    - name: audit-log-path
      value: /var/log/kubernetes/audit.log
    - name: audit-policy-file
      value: /etc/kubernetes/apiserver/audit-policy.yaml
    # Retention: 7 days, 100 MiB per file, and only ONE rotated backup kept.
    # On a busy API server that is a short on-disk window, so treat the local
    # file as a buffer and ship audit events off-host (the webhook below is
    # only enabled together with Falco) if you need them for forensics.
    - name: audit-log-maxage
      value: "7"
    - name: audit-log-maxsize
      value: "100"
    - name: audit-log-maxbackup
      value: "1"
    - name: audit-log-compress
      value: "true"
    {{- if .Values.api.falco.enabled }}
    - name: audit-webhook-config-file
      value: /etc/kubernetes/apiserver/audit-webhook.yaml
    {{- end }}
    # ECDHE-only AEAD suites (forward secrecy, no CBC, no RSA key exchange).
    # tls-min-version is not set here, so the apiserver's default minimum applies.
    - name: tls-cipher-suites
      value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    # Presumably carries the EventRateLimit configuration that the plugin
    # enabled further down requires.
    - name: admission-control-config-file
      value: /etc/kubernetes/apiserver/admission-configuration.yaml
    - name: api-audiences
      value: {{ .Values.api.apiAudiences }}
    {{- if .Values.api.serviceAccountIssuer }}
    # Custom SA token issuer plus its JWKS discovery URL. The issuer URL must be
    # reachable by whatever external party verifies projected SA tokens.
    - name: service-account-issuer
      value: "{{ .Values.api.serviceAccountIssuer }}"
    - name: service-account-jwks-uri
      value: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
    {{- end }}
    {{- if .Values.api.awsIamAuth }}
    - name: authentication-token-webhook-config-file
      value: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
    # NOTE(review): a successful webhook authentication is cached for one hour.
    # Revoking an IAM principal, or changing its mapping, can therefore take up
    # to 3600s to be enforced for a token that was already accepted. Lower this
    # if revocation latency matters more than webhook load.
    - name: authentication-token-webhook-cache-ttl
      value: 3600s
    - name: authentication-token-webhook-version
      value: v1
    {{- end }}
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    # Structured authorization config (authorizer chain) instead of
    # --authorization-mode; file is on the read-only config mount.
    - name: authorization-config
      value: /etc/kubernetes/apiserver/authz-config.yaml
    # DenyServiceExternalIPs: rejects Service externalIPs (traffic-hijack vector).
    # NodeRestriction: a kubelet may only modify its own Node and its own Pods.
    # EventRateLimit: needs its limits from admission-control-config-file above.
    # ExtendedResourceToleration: convenience, no security effect.
    - name: enable-admission-plugins
      value: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration
    {{- if .Values.global.highAvailable }}
    # Occasionally sends HTTP/2 GOAWAY so long-lived client connections
    # re-balance across API server replicas; only meaningful with >1 replica.
    - name: goaway-chance
      value: ".001"
    {{- end }}
    - name: logging-format
      value: json
    # Operator-supplied API server args are appended after the hardening flags
    # above; an override that re-specifies one of them should be reviewed.
    {{- with .Values.api.extraArgs }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  extraVolumes:
    # Config dir (audit policy, admission config, authz config, webhook configs)
    # is mounted read-only so a compromised apiserver pod cannot rewrite it.
    - name: kubezero-apiserver
      hostPath: /etc/kubernetes/apiserver
      mountPath: /etc/kubernetes/apiserver
      readOnly: true
      pathType: DirectoryOrCreate
    # Audit log dir is intentionally writable (no readOnly) — the apiserver
    # writes audit.log here.
    - name: audit-log
      hostPath: /var/log/kubernetes
      mountPath: /var/log/kubernetes
      pathType: DirectoryOrCreate