apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system labels: k8s-app: kube-apiserver kubespray: v2 annotations: kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}" spec: hostNetwork: true {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirst {% endif %} {% if kube_version|version_compare('v1.11.1', '>=') %} priorityClassName: system-node-critical {% endif %} containers: - name: kube-apiserver image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ kube_apiserver_cpu_limit }} memory: {{ kube_apiserver_memory_limit }} requests: cpu: {{ kube_apiserver_cpu_requests }} memory: {{ kube_apiserver_memory_requests }} command: - /hyperkube - apiserver {% if kubernetes_audit %} - --audit-log-path={{ audit_log_path }} - --audit-log-maxage={{ audit_log_maxage }} - --audit-log-maxbackup={{ audit_log_maxbackups }} - --audit-log-maxsize={{ audit_log_maxsize }} - --audit-policy-file={{ audit_policy_file }} {% endif %} - --advertise-address={{ ip | default(ansible_default_ipv4.address) }} - --etcd-servers={{ etcd_access_addresses }} {% if etcd_events_cluster_enabled %} - --etcd-servers-overrides=/events#{{ etcd_events_access_addresses }} {% endif %} {% if kube_version | version_compare('v1.9', '<') %} - --etcd-quorum-read=true {% endif %} - --etcd-cafile={{ etcd_cert_dir }}/ca.pem - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem {% if kube_apiserver_insecure_port|string != "0" %} - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }} {% endif %} - --bind-address={{ kube_apiserver_bind_address }} - --apiserver-count={{ kube_apiserver_count }} {% if kube_version | version_compare('v1.9', '>=') %} - --endpoint-reconciler-type=lease {% endif %} {% if kube_version | version_compare('v1.10', '<') %} - --admission-control={{ kube_apiserver_admission_control | join(',') }} {% else %} {% if kube_apiserver_enable_admission_plugins|length > 0 %} - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }} {% endif %} {% if kube_apiserver_disable_admission_plugins|length > 0 %} - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }} {% endif %} {% endif %} - --service-cluster-ip-range={{ kube_service_addresses }} - --service-node-port-range={{ kube_apiserver_node_port_range }} - --client-ca-file={{ kube_cert_dir }}/ca.pem - --profiling={{ kube_profiling }} - --repair-malformed-updates=false - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem - --service-account-lookup=true - --kubelet-preferred-address-types={{ kubelet_preferred_address_types }} - --request-timeout={{ kube_apiserver_request_timeout }} {% if kube_basic_auth|default(true) %} - --basic-auth-file={{ kube_users_dir }}/known_users.csv {% endif %} - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem {% if kube_token_auth|default(true) %} - --token-auth-file={{ kube_token_dir }}/known_tokens.csv {% endif %} - --service-account-key-file={{ kube_cert_dir }}/service-account-key.pem {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} - --oidc-issuer-url={{ kube_oidc_url }} - --oidc-client-id={{ kube_oidc_client_id }} {% if kube_oidc_ca_file is defined %} - --oidc-ca-file={{ kube_oidc_ca_file }} {% endif %} {% if kube_oidc_username_claim is defined %} - --oidc-username-claim={{ kube_oidc_username_claim }} {% endif %} {% if kube_oidc_username_prefix is defined %} - "--oidc-username-prefix={{ kube_oidc_username_prefix }}" {% endif %} {% if kube_oidc_groups_claim is defined %} - --oidc-groups-claim={{ kube_oidc_groups_claim }} {% endif %} {% if kube_oidc_groups_prefix is defined %} - "--oidc-groups-prefix={{ kube_oidc_groups_prefix }}" {% endif %} {% endif %} - --secure-port={{ kube_apiserver_port }} - --insecure-port={{ kube_apiserver_insecure_port }} - --storage-backend={{ kube_apiserver_storage_backend }} {% if kube_api_runtime_config is defined %} {% for conf in kube_api_runtime_config %} - --runtime-config={{ conf }} {% endfor %} {% endif %} {% if enable_network_policy %} {% if kube_version | version_compare('v1.8', '<') %} - --runtime-config=extensions/v1beta1/networkpolicies=true {% endif %} {% endif %} - --v={{ kube_log_level }} - --allow-privileged=true {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} - --cloud-provider={{ cloud_provider }} - --cloud-config={{ kube_config_dir }}/cloud_config {% endif %} {% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %} - --anonymous-auth={{ kube_api_anonymous_auth }} {% endif %} {% if authorization_modes %} - --authorization-mode={{ authorization_modes|join(',') }} {% endif %} {% if kube_encrypt_secret_data %} - --experimental-encryption-provider-config={{ kube_config_dir }}/ssl/secrets_encryption.yaml {% endif %} {% if kube_feature_gates %} - --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if kube_version | version_compare('v1.9', '>=') %} - --requestheader-client-ca-file={{ kube_cert_dir }}/{{ kube_front_proxy_ca }} {# FIXME(mattymo): Vault certs do not work with front-proxy-client #} {% if cert_management == "vault" %} - --requestheader-allowed-names= {% else %} - --requestheader-allowed-names=front-proxy-client {% endif %} - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --enable-aggregator-routing={{ kube_api_aggregator_routing }} - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem {% else %} - --proxy-client-cert-file={{ kube_cert_dir }}/apiserver.pem - --proxy-client-key-file={{ kube_cert_dir }}/apiserver-key.pem {% endif %} {% if apiserver_custom_flags is string %} - {{ apiserver_custom_flags }} {% else %} {% for flag in apiserver_custom_flags %} - {{ flag }} {% endfor %} {% endif %} livenessProbe: httpGet: host: 127.0.0.1 path: /healthz {% if kube_apiserver_insecure_port|int == 0 %} port: {{ kube_apiserver_port }} scheme: HTTPS {% else %} port: {{ kube_apiserver_insecure_port }} {% endif %} failureThreshold: 8 initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 15 volumeMounts: - mountPath: {{ kube_config_dir }} name: kubernetes-config readOnly: true - mountPath: /etc/ssl name: ssl-certs-host readOnly: true {% for dir in ssl_ca_dirs %} - mountPath: {{ dir }} name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} readOnly: true {% endfor %} - mountPath: {{ etcd_cert_dir }} name: etcd-certs readOnly: true {% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} - mountPath: /etc/ssl/certs/ca-bundle.crt name: rhel-ca-bundle readOnly: true {% endif %} {% if kubernetes_audit %} {% if audit_log_path != "-" %} - mountPath: {{ audit_log_mountpath }} name: {{ audit_log_name }} Writable: true {% endif %} - mountPath: {{ audit_policy_mountpath }} name: {{ audit_policy_name }} {% endif %} volumes: - hostPath: path: {{ kube_config_dir }} name: kubernetes-config - name: ssl-certs-host hostPath: path: /etc/ssl {% for dir in ssl_ca_dirs %} - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }} hostPath: path: {{ dir }} {% endfor %} - hostPath: path: {{ etcd_cert_dir }} name: etcd-certs {% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %} - hostPath: path: /etc/ssl/certs/ca-bundle.crt name: rhel-ca-bundle {% endif %} {% if kubernetes_audit %} {% if audit_log_path != "-" %} - hostPath: path: {{ audit_log_hostpath }} name: {{ audit_log_name }} {% endif %} - hostPath: path: {{ audit_policy_hostpath }} name: {{ audit_policy_name }} {% endif %}