diff --git a/charts/kubeadm/README.md b/charts/kubeadm/README.md
index e69de29..bd22975 100644
--- a/charts/kubeadm/README.md
+++ b/charts/kubeadm/README.md
@@ -0,0 +1,54 @@ +# kubeadm + +![Version: 1.20.11](https://img.shields.io/badge/Version-1.20.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +KubeZero Kubeadm golden config + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.18.0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| api.allEtcdEndpoints | string | `""` | | +| api.apiAudiences | string | `"istio-ca"` | | +| api.endpoint | string | `"kube-api.changeme.org:6443"` | | +| api.extraArgs | object | `{}` | | +| api.listenPort | int | `6443` | | +| api.serviceAccountIssuer | string | `""` | | +| clusterName | string | `"pleasechangeme"` | | +| domain | string | `"changeme.org"` | | +| etcd.extraArgs | object | `{}` | | +| etcd.nodeName | string | `"set_via_cmdline"` | | +| highAvailable | bool | `false` | | +| kubeAdminRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` | | +| listenAddress | string | `"0.0.0.0"` | | +| platform | string | `"aws"` | | +| protectKernelDefaults | bool | `true` | | +| systemd | bool | `true` | | +| workerNodeRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` | | + +## Resources + +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ +- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 +- https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3 +- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/ +- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration + +- https://github.com/awslabs/amazon-eks-ami + +### Etcd +- 
https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d + diff --git a/charts/kubeadm/README.md.gotmpl b/charts/kubeadm/README.md.gotmpl index e8bc176..59239ae 100644 --- a/charts/kubeadm/README.md.gotmpl +++ b/charts/kubeadm/README.md.gotmpl @@ -15,14 +15,6 @@ {{ template "chart.valuesSection" . }} -## Changes for 1.19 - -### Logging to json of control plane components -- https://github.com/kubernetes/website/blob/dev-1.19/content/en/docs/concepts/cluster-administration/system-logs.md - -### PodTopologySpread -- https://kubernetes.io/blog/2020/05/introducing-podtopologyspread/#podtopologyspread-defaults - ## Resources - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml index dc08cab..e3b9a6c 100644 --- a/charts/kubeadm/templates/ClusterConfiguration.yaml +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml 
@@ -62,13 +62,13 @@ apiServer: bind-address: {{ .Values.listenAddress }} tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml + api-audiences: {{ .Values.api.apiAudiences }} + {{- if .Values.api.serviceAccountIssuer }} + service-account-issuer: "{{ .Values.api.serviceAccountIssuer }}" + service-account-jwks-uri: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks" + {{- end }} {{- if eq .Values.platform "aws" }} - service-account-issuer: "{{ .Values.serviceAccountIssuer }}" - service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks" - api-audiences: "istio-ca,sts.amazonaws.com" authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml - {{- else }} - api-audiences: "istio-ca" {{- end }} feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }} # for 1.21 diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml index d2c9073..7582409 100644 --- a/charts/kubeadm/templates/JoinConfiguration.yaml +++ b/charts/kubeadm/templates/JoinConfiguration.yaml @@ -1,3 +1,4 @@ +# This is for controllers only, workers dont use kubeadm apiVersion: kubeadm.k8s.io/v1beta2 kind: JoinConfiguration discovery: @@ -5,7 +6,7 @@ discovery: kubeConfigPath: /root/.kube/config controlPlane: localAPIEndpoint: - advertiseAddress: {{ .Values.serviceIp }} + advertiseAddress: {{ .Values.listenAddress }} bindPort: {{ .Values.api.listenPort }} nodeRegistration: ignorePreflightErrors: diff --git a/charts/kubeadm/templates/KubeProxyConfiguration.yaml b/charts/kubeadm/templates/KubeProxyConfiguration.yaml index 6ca5945..1c50cf9 100644 
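Review bot: `api-audiences: {{ .Values.api.apiAudiences }}` renders the templated value unquoted, unlike the quoted `service-account-issuer` lines added next to it and the quoted literal it replaces; an empty override renders as `api-audiences:` (null) and a value that happens to look like a YAML special is retyped, so `api-audiences: "{{ .Values.api.apiAudiences }}"` is the safer form. The AWS default also changes: the removed branch set `istio-ca,sts.amazonaws.com`, while values.yaml in this commit defaults `api.apiAudiences` to `istio-ca` on every platform, so service account tokens bound to the `sts.amazonaws.com` audience are no longer accepted as API credentials unless the operator adds that audience back — presumably intended, but it deserves a comment on the value. The `apiServer:` extraArgs mapping starts and ends outside the hunk.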
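Review bot: `advertiseAddress: {{ .Values.listenAddress }}` now reads a key whose shipped default is `0.0.0.0` (values.yaml in this commit, annotated "Needs to be set to primary node IP"), so a control-plane join that misses the override advertises an unspecified address and depends on whatever fallback kubeadm applies, if any; a comment on that line would put the requirement where it bites: `# must be the node's routable IP; the 0.0.0.0 default is only a placeholder`. The same key feeds the API server `bind-address` in ClusterConfiguration.yaml, so setting it to the node IP also narrows the interfaces the API server listens on — if that coupling is deliberate, say so in values.yaml. The new header comment should read `don't`, not `dont`. The `nodeRegistration:` mapping continues outside the hunk.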
--- a/charts/kubeadm/templates/KubeProxyConfiguration.yaml +++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml @@ -2,5 +2,6 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration metadata: name: kubezero-kubeproxyconfiguration +# kube-proxy doesnt really support setting dynamic bind-address via config, replaced by cilium long-term anyways metricsBindAddress: "0.0.0.0:10249" mode: "" diff --git a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml index 927881b..abaf9a6 100644 --- a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml +++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml @@ -1,4 +1,4 @@ -{{- if eq .Values.platform "aws" }} +{{- if .Values.api.serviceAccountIssuer }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml index a861fdd..415f1fa 100644 --- a/charts/kubeadm/values.yaml +++ b/charts/kubeadm/values.yaml @@ -1,20 +1,22 @@ clusterName: pleasechangeme domain: changeme.org -serviceIp: set_via_cmdline +# Needs to be set to primary node IP +listenAddress: 0.0.0.0 api: endpoint: kube-api.changeme.org:6443 listenPort: 6443 allEtcdEndpoints: "" extraArgs: {} + serviceAccountIssuer: "" + apiAudiences: "istio-ca" etcd: nodeName: set_via_cmdline extraArgs: {} highAvailable: false -listenAddress: 0.0.0.0 # supported values aws,bare-metal platform: "aws"
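Review bot: The added comment explains why `metricsBindAddress` cannot follow `listenAddress` but not what that leaves exposed: with `metricsBindAddress: "0.0.0.0:10249"` the kube-proxy metrics listener is reachable on every node interface, so the comment should state that port 10249 is expected to be closed off by the host firewall or cloud security group rather than by this config, e.g. `# kube-proxy doesn't support a dynamic bind-address via config (replaced by cilium long-term); metrics stay on 0.0.0.0:10249, restrict the port at host/network level`. That wording also fixes the `doesnt` typo.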
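Review bot: Switching the guard to `{{- if .Values.api.serviceAccountIssuer }}` makes this ClusterRoleBinding render on every platform as soon as an issuer URL is configured, where before it was limited to AWS; the file name marks it as the public OIDC discovery binding (its subjects lie outside the hunk, so I cannot confirm they include `system:unauthenticated`), and exposing the issuer discovery documents should be an explicit opt-in rather than a side effect of setting an issuer. A dedicated value — e.g. a proposed `api.publicIssuerDiscovery` defaulting to `false` — would keep the two decisions separate: `{{- if and .Values.api.serviceAccountIssuer .Values.api.publicIssuerDiscovery }}`. The remainder of the ClusterRoleBinding is outside the hunk.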