apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: hostNetwork: true containers: - name: kube-apiserver image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} command: - /hyperkube - apiserver - --insecure-bind-address=0.0.0.0 - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %} - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota - --service-cluster-ip-range={{ kube_service_addresses }} - --client-ca-file={{ kube_cert_dir }}/ca.pem - --basic-auth-file={{ kube_users_dir }}/known_users.csv - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem - --secure-port={{ kube_apiserver_port }} {% if kube_api_runtime_config is defined %} {% for conf in kube_api_runtime_config %} - --runtime-config={{ conf }} {% endfor %} {% endif %} - --token-auth-file={{ kube_token_dir }}/known_tokens.csv - --v={{ kube_log_level | default('2') }} - --allow-privileged=true ports: - containerPort: {{ kube_apiserver_port }} hostPort: {{ kube_apiserver_port }} name: https - containerPort: {{ kube_apiserver_insecure_port }} hostPort: {{ kube_apiserver_insecure_port }} name: local volumeMounts: - mountPath: {{ kube_config_dir }} name: kubernetes-config readOnly: true - mountPath: /etc/ssl/certs name: ssl-certs-host readOnly: true volumes: - hostPath: path: {{ kube_config_dir }} name: kubernetes-config - hostPath: path: /usr/share/ca-certificates name: ssl-certs-host