apiVersion: v1 kind: Pod metadata: name: kube-controller-manager namespace: kube-system labels: k8s-app: kube-controller-manager annotations: kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" kubespray.controller-manager-cert/serial: "{{ controller_manager_cert_serial }}" spec: hostNetwork: true {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirst {% endif %} {% if kube_version|version_compare('v1.11.1', '>=') %} priorityClassName: system-node-critical {% endif %} containers: - name: kube-controller-manager image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ kube_controller_cpu_limit }} memory: {{ kube_controller_memory_limit }} requests: cpu: {{ kube_controller_cpu_requests }} memory: {{ kube_controller_memory_requests }} command: - /hyperkube - controller-manager - --kubeconfig={{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml - --leader-elect=true - --service-account-private-key-file={{ kube_cert_dir }}/service-account-key.pem - --root-ca-file={{ kube_cert_dir }}/ca.pem - --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem - --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem - --enable-hostpath-provisioner={{ kube_hostpath_dynamic_provisioner }} - --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }} - --node-monitor-period={{ kube_controller_node_monitor_period }} - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }} - --profiling={{ kube_profiling }} - --terminated-pod-gc-threshold={{ kube_controller_terminated_pod_gc_threshold }} - --v={{ kube_log_level }} {% if rbac_enabled %} - --use-service-account-credentials=true {% endif %} {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} - --cloud-provider={{cloud_provider}} - --cloud-config={{ kube_config_dir }}/cloud_config {% elif cloud_provider is defined and cloud_provider in ["external", "oci"] %} - --cloud-provider=external {% endif %} {% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %} - --configure-cloud-routes=true {% endif %} {% if kube_network_plugin is defined and kube_network_plugin in ["cloud", "flannel", "canal", "cilium"] %} - --allocate-node-cidrs=true - --cluster-cidr={{ kube_pods_subnet }} - --service-cluster-ip-range={{ kube_service_addresses }} - --node-cidr-mask-size={{ kube_network_node_prefix }} {% endif %} {% if kube_feature_gates %} - --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if controller_mgr_custom_flags is string %} - {{ controller_mgr_custom_flags }} {% else %} {% for flag in controller_mgr_custom_flags %} - {{ flag }} {% endfor %} {% endif %} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 10252 initialDelaySeconds: 30 timeoutSeconds: 10 volumeMounts: - mountPath: /etc/ssl name: ssl-certs-host readOnly: true {% for dir in ssl_ca_dirs %} - mountPath: {{ dir }} name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} readOnly: true {% endfor %} - mountPath: "{{kube_config_dir}}/ssl" name: etc-kube-ssl readOnly: true - mountPath: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" name: kubeconfig readOnly: true {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} - mountPath: "{{ kube_config_dir }}/cloud_config" name: cloudconfig readOnly: true {% endif %} {% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %} - mountPath: "{{ kube_config_dir }}/openstack-cacert.pem" name: openstackcacert readOnly: true {% endif %} volumes: - name: ssl-certs-host hostPath: path: /etc/ssl {% for dir in ssl_ca_dirs %} - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} hostPath: path: {{ dir }} {% endfor %} - name: etc-kube-ssl hostPath: path: "{{ kube_config_dir }}/ssl" - name: kubeconfig hostPath: path: "{{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml" {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} - hostPath: path: "{{ kube_config_dir }}/cloud_config" name: cloudconfig {% endif %} {% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %} - hostPath: path: "{{ kube_config_dir }}/openstack-cacert.pem" name: openstackcacert {% endif %}