295103adc0
Kubernetes project is about to set etcdv3 as default storage engine in 1.6. This patch allows to specify particular backend for kube-apiserver. User may force the option to etcdv3 for new environment. At the same time if the environment uses v2 it will continue uses it until user decides to upgrade to v3. Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
90 lines
3.2 KiB
Django/Jinja
90 lines
3.2 KiB
Django/Jinja
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: kube-apiserver
|
|
namespace: {{system_namespace}}
|
|
labels:
|
|
k8s-app: kube-apiserver
|
|
kargo: v2
|
|
spec:
|
|
hostNetwork: true
|
|
containers:
|
|
- name: kube-apiserver
|
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
resources:
|
|
limits:
|
|
cpu: {{ kube_apiserver_cpu_limit }}
|
|
memory: {{ kube_apiserver_memory_limit }}
|
|
requests:
|
|
cpu: {{ kube_apiserver_cpu_requests }}
|
|
memory: {{ kube_apiserver_memory_requests }}
|
|
command:
|
|
- /hyperkube
|
|
- apiserver
|
|
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
|
|
- --etcd-servers={{ etcd_access_endpoint }}
|
|
- --etcd-quorum-read=true
|
|
- --etcd-cafile={{ etcd_cert_dir }}/ca.pem
|
|
- --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem
|
|
- --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem
|
|
- --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
|
|
- --apiserver-count={{ kube_apiserver_count }}
|
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
|
|
- --service-cluster-ip-range={{ kube_service_addresses }}
|
|
- --service-node-port-range={{ kube_apiserver_node_port_range }}
|
|
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
|
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
|
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
|
|
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
|
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --secure-port={{ kube_apiserver_port }}
|
|
- --insecure-port={{ kube_apiserver_insecure_port }}
|
|
- --storage-backend={{ kube_apiserver_storage_backend }}
|
|
{% if kube_api_runtime_config is defined %}
|
|
{% for conf in kube_api_runtime_config %}
|
|
- --runtime-config={{ conf }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if enable_network_policy is defined and enable_network_policy == True %}
|
|
- --runtime-config=extensions/v1beta1/networkpolicies=true
|
|
{% endif %}
|
|
- --v={{ kube_log_level }}
|
|
- --allow-privileged=true
|
|
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure"] %}
|
|
- --cloud-provider={{ cloud_provider }}
|
|
- --cloud-config={{ kube_config_dir }}/cloud_config
|
|
{% elif cloud_provider is defined and cloud_provider == "aws" %}
|
|
- --cloud-provider={{ cloud_provider }}
|
|
{% endif %}
|
|
{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
|
|
- --anonymous-auth={{ kube_api_anonymous_auth }}
|
|
{% endif %}
|
|
livenessProbe:
|
|
httpGet:
|
|
host: 127.0.0.1
|
|
path: /healthz
|
|
port: 8080
|
|
initialDelaySeconds: 30
|
|
timeoutSeconds: 10
|
|
volumeMounts:
|
|
- mountPath: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
readOnly: true
|
|
- mountPath: /etc/ssl/certs
|
|
name: ssl-certs-host
|
|
readOnly: true
|
|
- mountPath: {{ etcd_cert_dir }}
|
|
name: etcd-certs
|
|
readOnly: true
|
|
volumes:
|
|
- hostPath:
|
|
path: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
- hostPath:
|
|
path: /etc/ssl/certs/
|
|
name: ssl-certs-host
|
|
- hostPath:
|
|
path: {{ etcd_cert_dir }}
|
|
name: etcd-certs
|