3919d666c1
The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
64 lines
2.3 KiB
Django/Jinja
64 lines
2.3 KiB
Django/Jinja
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: kube-apiserver
|
|
namespace: kube-system
|
|
spec:
|
|
hostNetwork: true
|
|
containers:
|
|
- name: kube-apiserver
|
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
|
command:
|
|
- /hyperkube
|
|
- apiserver
|
|
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
|
|
- --etcd-servers={{ etcd_access_endpoint }}
|
|
- --etcd-quorum-read=true
|
|
- --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
|
|
- --apiserver-count={{ kube_apiserver_count }}
|
|
- --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota
|
|
- --service-cluster-ip-range={{ kube_service_addresses }}
|
|
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
|
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
|
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
|
|
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
|
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --secure-port={{ kube_apiserver_port }}
|
|
- --insecure-port={{ kube_apiserver_insecure_port }}
|
|
{% if kube_api_runtime_config is defined %}
|
|
{% for conf in kube_api_runtime_config %}
|
|
- --runtime-config={{ conf }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if enable_network_policy is defined and enable_network_policy == True %}
|
|
- --runtime-config=extensions/v1beta1/networkpolicies=true
|
|
{% endif %}
|
|
- --v={{ kube_log_level | default('2') }}
|
|
- --allow-privileged=true
|
|
{% if cloud_provider is defined and cloud_provider == "openstack" %}
|
|
- --cloud-provider={{ cloud_provider }}
|
|
- --cloud-config={{ kube_config_dir }}/cloud_config
|
|
{% elif cloud_provider is defined and cloud_provider == "aws" %}
|
|
- --cloud-provider={{ cloud_provider }}
|
|
{% endif %}
|
|
- 2>&1 >> {{ kube_log_dir }}/kube-apiserver.log
|
|
volumeMounts:
|
|
- mountPath: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
readOnly: true
|
|
- mountPath: /etc/ssl/certs
|
|
name: ssl-certs-host
|
|
readOnly: true
|
|
- mountPath: /var/log/
|
|
name: logfile
|
|
volumes:
|
|
- hostPath:
|
|
path: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
- hostPath:
|
|
path: /etc/ssl/certs/
|
|
name: ssl-certs-host
|
|
- hostPath:
|
|
path: /var/log/
|
|
name: logfile
|