1bd3d3a080
According to http://kubernetes.io/docs/user-guide/images/ : By default, the kubelet will try to pull each image from the specified registry. However, if the imagePullPolicy property of the container is set to IfNotPresent or Never, then a local image is used (preferentially or exclusively, respectively). Use the IfNotPresent value so that images prepared by the download role dependencies are actually used by the kubelet, instead of pull errors leaving apps blocked in the PullBackOff/Error state even when the images already exist on the local host. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
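# Pod manifest template for kube-apiserver (hyperkube image), rendered from
# Jinja variables before the kubelet reads it. Jinja block tags are kept at
# column 0 so that rendering does not disturb the YAML indentation.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
  labels:
    k8s-app: kube-apiserver
spec:
  # The pod shares the host network namespace, so every listener configured
  # below binds directly on the node's own interfaces.
  hostNetwork: true
  containers:
  - name: kube-apiserver
    # Quoted so an empty or odd-looking repo/tag value cannot change how the
    # rendered line parses as YAML.
    image: "{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}"
    # With IfNotPresent or Never the kubelet runs whatever image is already in
    # the node's local store under this name; the tag is then only as
    # trustworthy as the process that pre-loaded the image.
    imagePullPolicy: "{{ k8s_image_pull_policy }}"
    command:
    - /hyperkube
    - apiserver
    # NOTE(review): no --authorization-mode flag is passed anywhere in this
    # template, so the apiserver's built-in default applies. Upstream that
    # default is AlwaysAllow (every authenticated request is permitted);
    # confirm this is intended and prefer setting an explicit mode.
    - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
    # etcd is reached over TLS with the node client certificate and key.
    - --etcd-servers={{ etcd_access_endpoint }}
    - --etcd-quorum-read=true
    - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
    - --etcd-certfile={{ etcd_cert_dir }}/node.pem
    - --etcd-keyfile={{ etcd_cert_dir }}/node-key.pem
    # The insecure listener serves the API over plain HTTP without
    # authentication or authorization. Its bind address comes from a variable
    # whose value is not visible here; keep it on loopback, since with
    # hostNetwork any other address exposes the port on the node itself.
    - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
    - --apiserver-count={{ kube_apiserver_count }}
    # This plugin list contains no admission plugin that restricts pod
    # security settings; see --allow-privileged below.
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
    - --service-cluster-ip-range={{ kube_service_addresses }}
    - --service-node-port-range={{ kube_apiserver_node_port_range }}
    - --client-ca-file={{ kube_cert_dir }}/ca.pem
    # Static password file: credentials sit in a CSV on the host. Restrict the
    # file's ownership and mode, and treat its contents as long-lived secrets.
    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
    # Static bearer-token file: same handling concerns as the password file.
    - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
    # NOTE(review): this is the same file as --tls-private-key-file, so
    # service-account token verification and the TLS serving identity share
    # one key and can only be rotated together. Consider a dedicated key.
    - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
    - --secure-port={{ kube_apiserver_port }}
    - --insecure-port={{ kube_apiserver_insecure_port }}
    # Each entry of the optional list becomes its own --runtime-config flag.
{% if kube_api_runtime_config is defined %}
{% for conf in kube_api_runtime_config %}
    - --runtime-config={{ conf }}
{% endfor %}
{% endif %}
{% if enable_network_policy is defined and enable_network_policy == True %}
    - --runtime-config=extensions/v1beta1/networkpolicies=true
{% endif %}
    - --v={{ kube_log_level | default('2') }}
    # Allows privileged containers cluster-wide. Nothing in the admission list
    # above narrows this, so any identity able to create pods can request one.
    - --allow-privileged=true
{% if cloud_provider is defined and cloud_provider == "openstack" %}
    - --cloud-provider={{ cloud_provider }}
    - --cloud-config={{ kube_config_dir }}/cloud_config
{% elif cloud_provider is defined and cloud_provider == "aws" %}
    - --cloud-provider={{ cloud_provider }}
{% endif %}
    livenessProbe:
      httpGet:
        # The probe goes to the insecure listener on loopback, so it only
        # succeeds while --insecure-bind-address covers 127.0.0.1.
        host: 127.0.0.1
        path: /healthz
        # Follows --insecure-port rather than a hard-coded 8080, so changing
        # the variable no longer leaves the probe failing against a closed
        # port. Left unquoted: a quoted value would be read as a port name.
        port: {{ kube_apiserver_insecure_port }}
      initialDelaySeconds: 30
      timeoutSeconds: 10
    # All host directories are mounted read-only into the container.
    volumeMounts:
    - mountPath: "{{ kube_config_dir }}"
      name: kubernetes-config
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
    - mountPath: "{{ etcd_cert_dir }}"
      name: etcd-certs
      readOnly: true
  volumes:
  - hostPath:
      path: "{{ kube_config_dir }}"
    name: kubernetes-config
  - hostPath:
      path: /etc/ssl/certs/
    name: ssl-certs-host
  - hostPath:
      path: "{{ etcd_cert_dir }}"
    name: etcd-certs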