apiVersion: kubeadm.k8s.io/v1beta3 kind: ClusterConfiguration kubernetesVersion: {{ .Chart.Version }} clusterName: {{ .Values.global.clusterName }} #featureGates: # NonGracefulFailover: true controlPlaneEndpoint: {{ .Values.api.endpoint }} networking: podSubnet: 10.244.0.0/16 etcd: local: # imageTag: 3.5.5-0 extraArgs: ### DNS discovery #discovery-srv: {{ .Values.domain }} #discovery-srv-name: {{ .Values.global.clusterName }} advertise-client-urls: https://{{ .Values.etcd.nodeName }}:2379 initial-advertise-peer-urls: https://{{ .Values.etcd.nodeName }}:2380 initial-cluster: {{ include "kubeadm.etcd.initialCluster" .Values.etcd | quote }} initial-cluster-state: {{ .Values.etcd.state }} initial-cluster-token: etcd-{{ .Values.global.clusterName }} name: {{ .Values.etcd.nodeName }} listen-peer-urls: https://{{ .Values.listenAddress }}:2380 listen-client-urls: https://{{ .Values.listenAddress }}:2379 listen-metrics-urls: http://0.0.0.0:2381 logger: zap # log-level: "warn" {{- with .Values.etcd.extraArgs }} {{- toYaml . | nindent 6 }} {{- end }} serverCertSANs: - "{{ .Values.etcd.nodeName }}" - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}" - "{{ .Values.domain }}" peerCertSANs: - "{{ .Values.etcd.nodeName }}" - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}" - "{{ .Values.domain }}" controllerManager: extraArgs: profiling: "false" terminated-pod-gc-threshold: "300" leader-elect: {{ .Values.global.highAvailable | quote }} logging-format: json feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }} scheduler: extraArgs: profiling: "false" leader-elect: {{ .Values.global.highAvailable | quote }} logging-format: json feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }} apiServer: certSANs: - {{ regexSplit ":" .Values.api.endpoint -1 | first }} extraArgs: etcd-servers: {{ .Values.api.etcdServers }} profiling: "false" audit-log-path: "/var/log/kubernetes/audit.log" audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml audit-log-maxage: "7" audit-log-maxsize: "100" audit-log-maxbackup: "1" audit-log-compress: "true" {{- if .Values.api.falco.enabled }} audit-webhook-config-file: /etc/kubernetes/apiserver/audit-webhook.yaml {{- end }} tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml api-audiences: {{ .Values.api.apiAudiences }} {{- if .Values.api.serviceAccountIssuer }} service-account-issuer: "{{ .Values.api.serviceAccountIssuer }}" service-account-jwks-uri: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks" {{- end }} {{- if .Values.api.awsIamAuth.enabled }} authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml {{- end }} feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }} enable-admission-plugins: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration # {{- if .Values.global.highAvailable }} # goaway-chance: ".001" # {{- end }} logging-format: json {{- with .Values.api.extraArgs }} {{- toYaml . | nindent 4 }} {{- end }} extraVolumes: - name: kubezero-apiserver hostPath: /etc/kubernetes/apiserver mountPath: /etc/kubernetes/apiserver readOnly: true pathType: DirectoryOrCreate - name: audit-log hostPath: /var/log/kubernetes mountPath: /var/log/kubernetes pathType: DirectoryOrCreate