ea1f072c7e
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding or removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentication is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
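# Static pod manifest for kube-apiserver (Jinja2 template rendered by Ansible).
# Authentication methods wired in below: x509 client certificates are always
# enabled (--client-ca-file); basic auth and token auth are optional and
# default to enabled; OIDC is opt-in and only rendered when its issuer URL
# and client id are both set.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: {{ system_namespace }}
  labels:
    k8s-app: kube-apiserver
    kargo: v2
spec:
  # The apiserver listens directly on the host's network interfaces.
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
      imagePullPolicy: {{ k8s_image_pull_policy }}
      resources:
        limits:
          cpu: {{ kube_apiserver_cpu_limit }}
          memory: {{ kube_apiserver_memory_limit }}
        requests:
          cpu: {{ kube_apiserver_cpu_requests }}
          memory: {{ kube_apiserver_memory_requests }}
      command:
        - /hyperkube
        - apiserver
        - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
        - --etcd-servers={{ etcd_access_endpoint }}
        - --etcd-quorum-read=true
        # etcd is reached over mutual TLS with a per-node client certificate.
        - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
        - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem
        - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem
        # The insecure (plain HTTP) listener is not authenticated; it is
        # expected to stay on loopback. The liveness probe below depends on it.
        - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
        - --apiserver-count={{ kube_apiserver_count }}
        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
        - --service-cluster-ip-range={{ kube_service_addresses }}
        - --service-node-port-range={{ kube_apiserver_node_port_range }}
        # x509 client-certificate auth is always on: kubectl on the master
        # nodes relies on it, so it is deliberately not made optional.
        - --client-ca-file={{ kube_cert_dir }}/ca.pem
{% if kube_basic_auth|default(true) %}
        # Static password file; only rendered when basic auth is enabled, and
        # the matching file is only generated in that case.
        - --basic-auth-file={{ kube_users_dir }}/known_users.csv
{% endif %}
        - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
        - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_token_auth|default(true) %}
        # Static bearer-token file; only rendered when token auth is enabled,
        # and the matching file is only generated in that case.
        - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
{% endif %}
        # Service-account token verification reuses the apiserver TLS key.
        - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
        # OIDC auth: opt-in, and only when issuer URL and client id are set.
        - --oidc-issuer-url={{ kube_oidc_url }}
        - --oidc-client-id={{ kube_oidc_client_id }}
{% if kube_oidc_ca_file is defined %}
        - --oidc-ca-file={{ kube_oidc_ca_file }}
{% endif %}
{% if kube_oidc_username_claim is defined %}
        - --oidc-username-claim={{ kube_oidc_username_claim }}
{% endif %}
{% if kube_oidc_groups_claim is defined %}
        - --oidc-groups-claim={{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
        - --secure-port={{ kube_apiserver_port }}
        - --insecure-port={{ kube_apiserver_insecure_port }}
        - --storage-backend={{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
{% for conf in kube_api_runtime_config %}
        - --runtime-config={{ conf }}
{% endfor %}
{% endif %}
{% if enable_network_policy is defined and enable_network_policy == True %}
        - --runtime-config=extensions/v1beta1/networkpolicies=true
{% endif %}
        - --v={{ kube_log_level }}
        # Privileged containers are permitted cluster-wide.
        - --allow-privileged=true
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
        - --cloud-provider={{ cloud_provider }}
        - --cloud-config={{ kube_config_dir }}/cloud_config
{% elif cloud_provider is defined and cloud_provider == "aws" %}
        - --cloud-provider={{ cloud_provider }}
{% endif %}
{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
        # Only passed when set explicitly and the version supports the flag;
        # otherwise the apiserver's built-in default applies.
        - --anonymous-auth={{ kube_api_anonymous_auth }}
{% endif %}
      livenessProbe:
        httpGet:
          # NOTE(review): assumes the insecure listener answers on loopback;
          # confirm against kube_apiserver_insecure_bind_address.
          host: 127.0.0.1
          path: /healthz
          # Probe the insecure listener on its configured port rather than a
          # hard-coded 8080, so a non-default kube_apiserver_insecure_port
          # does not make the kubelet restart a healthy apiserver.
          port: {{ kube_apiserver_insecure_port }}
        initialDelaySeconds: 30
        timeoutSeconds: 10
      volumeMounts:
        - mountPath: {{ kube_config_dir }}
          name: kubernetes-config
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
        - mountPath: {{ etcd_cert_dir }}
          name: etcd-certs
          readOnly: true
  # All volumes are read-only host paths; no secrets are injected via the
  # Kubernetes Secret API.
  volumes:
    - hostPath:
        path: {{ kube_config_dir }}
      name: kubernetes-config
    - hostPath:
        path: /etc/ssl/certs/
      name: ssl-certs-host
    - hostPath:
        path: {{ etcd_cert_dir }}
      name: etcd-certs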