fix: JWT aud for istio, cleanup

This commit is contained in:
Stefan Reimer 2021-06-29 17:39:44 +02:00
parent 23912192ad
commit 61add69904
6 changed files with 33 additions and 14 deletions

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.20.1
version: 1.20.8
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:

View File

@ -10,17 +10,10 @@ networking:
etcd:
local:
extraArgs:
#name: {{ .Values.etcd.nodeName }}
### DNS discovery
#discovery-srv: {{ .Values.domain }}
#discovery-srv-name: {{ .Values.clusterName }}
#initial-cluster:
### Regular
#{{- if .Values.etcd.initialCluster }}
#initial-cluster: {{ .Values.etcd.initialCluster }}
#{{- end }}
#initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
#advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
initial-cluster-token: etcd-{{ .Values.clusterName }}
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
logger: "zap"
@ -42,21 +35,21 @@ controllerManager:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.highAvailable | quote }}
# leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
scheduler:
extraArgs:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.highAvailable | quote }}
# leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
apiServer:
certSANs:
- {{ regexSplit ":" .Values.api.endpoint -1 | first }}
extraArgs:
etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
etcd-servers: {{ .Values.api.allEtcdEndpoints }}
profiling: "false"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
@ -67,13 +60,18 @@ apiServer:
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }}
service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
api-audiences: "istio-ca,sts.amazonaws.com"
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
{{- else }}
api-audiences: "istio-ca"
{{- end }}
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.highAvailable }}
goaway-chance: ".001"
{{- end }}
# {{- if .Values.highAvailable }}
# goaway-chance: ".001"
# {{- end }}
logging-format: json
{{- with .Values.api.extraArgs }}
{{- toYaml . | nindent 4 }}

View File

@ -11,3 +11,6 @@ nodeRegistration:
- KubeletVersion
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}
{{- with .Values.providerID }}
provider-id: {{ . }}
{{- end }}

View File

@ -15,3 +15,6 @@ nodeRegistration:
- KubeletVersion
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}
{{- with .Values.providerID }}
provider-id: {{ . }}
{{- end }}

View File

@ -1,3 +1,4 @@
{{- if .Values.disabledfor120 }}
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
@ -6,3 +7,4 @@ handler: runc
overhead:
podFixed:
memory: 16Mi
{{- end }}

View File

@ -0,0 +1,13 @@
{{- if eq .Values.platform "aws" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-public
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:service-account-issuer-discovery
subjects:
- kind: Group
name: system:unauthenticated
{{- end }}