c12s-kubespray/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
  labels:
    k8s-app: kube-apiserver
    kubespray: v2
  annotations:
    kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
    kubespray.apiserver-cert/serial: "{{ apiserver_cert_serial }}"
spec:
  hostNetwork: true
{% if kube_version | version_compare('v1.6', '>=')  %}
  dnsPolicy: ClusterFirst
{% endif %}
  containers:
  - name: kube-apiserver
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
    resources:
      limits:
        cpu: {{ kube_apiserver_cpu_limit }}
        memory: {{ kube_apiserver_memory_limit }}
      requests:
        cpu: {{ kube_apiserver_cpu_requests }}
        memory: {{ kube_apiserver_memory_requests }}
    command:
    - /hyperkube
    - apiserver
{% if kubernetes_audit %}
    - --audit-log-path={{ audit_log_path }}
    - --audit-log-maxage={{ audit_log_maxage }}
    - --audit-log-maxbackup={{ audit_log_maxbackups }}
    - --audit-log-maxsize={{ audit_log_maxsize }}
    - --audit-policy-file={{ audit_policy_file }}
{% endif %}
    - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
    - --etcd-servers={{ etcd_access_addresses }}
{%   if etcd_events_cluster_enabled %}
    - --etcd-servers-overrides=/events#{{ etcd_events_access_addresses }}
{% endif %}
{%   if kube_version | version_compare('v1.9', '<')  %}
    - --etcd-quorum-read=true
{% endif %}
    - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
    - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem
    - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem
{% if kube_apiserver_insecure_port|string != "0" %}
    - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
{% endif %}
    - --bind-address={{ kube_apiserver_bind_address }}
    - --apiserver-count={{ kube_apiserver_count }}
{% if kube_version | version_compare('v1.9', '>=') %}
    - --endpoint-reconciler-type=lease
{% endif %}
{% if kube_version | version_compare('v1.10', '<') %}
    - --admission-control={{ kube_apiserver_admission_control | join(',') }}
{% else %}
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
    - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}
{% if kube_apiserver_disable_admission_plugins|length > 0 %}
    - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
{% endif %}
{% endif %}
    - --service-cluster-ip-range={{ kube_service_addresses }}
    - --service-node-port-range={{ kube_apiserver_node_port_range }}
    - --client-ca-file={{ kube_cert_dir }}/ca.pem
    - --profiling={{ kube_profiling }}
    - --repair-malformed-updates=false
    - --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
    - --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
    - --service-account-lookup=true
    - --kubelet-preferred-address-types={{ kubelet_preferred_address_types }}
{% if kube_basic_auth|default(true) %}
    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
{% endif %}
    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_token_auth|default(true) %}
    - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
{% endif %}
    - --service-account-key-file={{ kube_cert_dir }}/service-account-key.pem
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
    - --oidc-issuer-url={{ kube_oidc_url }}
    - --oidc-client-id={{ kube_oidc_client_id }}
{%   if kube_oidc_ca_file is defined %}
    - --oidc-ca-file={{ kube_oidc_ca_file }}
{%   endif %}
{%   if kube_oidc_username_claim is defined %}
    - --oidc-username-claim={{ kube_oidc_username_claim }}
{%   endif %}
{%   if kube_oidc_username_prefix is defined %}
    - "--oidc-username-prefix={{ kube_oidc_username_prefix }}"
{%   endif %}
{%   if kube_oidc_groups_claim is defined %}
    - --oidc-groups-claim={{ kube_oidc_groups_claim }}
{%   endif %}
{%   if kube_oidc_groups_prefix is defined %}
    - "--oidc-groups-prefix={{ kube_oidc_groups_prefix }}"
{%   endif %}
{% endif %}
    - --secure-port={{ kube_apiserver_port }}
    - --insecure-port={{ kube_apiserver_insecure_port }}
    - --storage-backend={{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
{%   for conf in kube_api_runtime_config %}
    - --runtime-config={{ conf }}
{%   endfor %}
{% endif %}
{% if enable_network_policy %}
{%   if kube_version | version_compare('v1.8', '<')  %}
    - --runtime-config=extensions/v1beta1/networkpolicies=true
{%   endif %}
{% endif %}
    - --v={{ kube_log_level }}
    - --allow-privileged=true
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
    - --cloud-provider={{ cloud_provider }}
    - --cloud-config={{ kube_config_dir }}/cloud_config
{% endif %}
{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=')  %}
    - --anonymous-auth={{ kube_api_anonymous_auth }}
{% endif %}
{% if authorization_modes %}
    - --authorization-mode={{ authorization_modes|join(',') }}
{% endif %}
{% if kube_encrypt_secret_data %}
    - --experimental-encryption-provider-config={{ kube_config_dir }}/ssl/secrets_encryption.yaml
{% endif %}
{% if kube_feature_gates %}
    - --feature-gates={{ kube_feature_gates|join(',') }}
{% endif %}
{% if kube_version | version_compare('v1.9', '>=') %}
    - --requestheader-client-ca-file={{ kube_cert_dir }}/{{ kube_front_proxy_ca }}
{# FIXME(mattymo): Vault certs do not work with front-proxy-client #}
{% if cert_management == "vault" %}
    - --requestheader-allowed-names=
{% else %}
    - --requestheader-allowed-names=front-proxy-client
{% endif %}
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
    - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
    - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
{% else %}
    - --proxy-client-cert-file={{ kube_cert_dir }}/apiserver.pem
    - --proxy-client-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% endif %}
{% if apiserver_custom_flags is string %}
    - {{ apiserver_custom_flags }}
{% else %}
{% for flag in apiserver_custom_flags %}
    - {{ flag }}
{% endfor %}
{% endif %}
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
{% if kube_apiserver_insecure_port|int == 0 %}
        port: {{ kube_apiserver_port }}
        scheme: HTTPS
{% else %}
        port: {{ kube_apiserver_insecure_port }}
{% endif %}
      failureThreshold: 8
      initialDelaySeconds: 15
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: {{ kube_config_dir }}
      name: kubernetes-config
      readOnly: true
    - mountPath: /etc/ssl
      name: ssl-certs-host
      readOnly: true
{% for dir in ssl_ca_dirs %}
    - mountPath: {{ dir }}
      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
      readOnly: true
{% endfor %}
    - mountPath: {{ etcd_cert_dir }}
      name: etcd-certs
      readOnly: true
{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %}
    - mountPath: /etc/ssl/certs/ca-bundle.crt
      name: rhel-ca-bundle
      readOnly: true
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
    - mountPath: {{ audit_log_mountpath }}
      name: {{ audit_log_name }}
      Writable: true
{% endif %}
    - mountPath: {{ audit_policy_mountpath }}
      name: {{ audit_policy_name }}
{% endif %}
  volumes:
  - hostPath:
      path: {{ kube_config_dir }}
    name: kubernetes-config
  - name: ssl-certs-host
    hostPath:
      path: /etc/ssl
{% for dir in ssl_ca_dirs %}
  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
    hostPath:
      path: {{ dir }}
{% endfor %}
  - hostPath:
      path: {{ etcd_cert_dir }}
    name: etcd-certs
{% if cloud_provider is defined and cloud_provider == 'aws' and ansible_os_family == 'RedHat' %}
  - hostPath:
      path: /etc/ssl/certs/ca-bundle.crt
    name: rhel-ca-bundle
{% endif %}
{% if kubernetes_audit %}
{% if audit_log_path != "-" %}
  - hostPath:
      path: {{ audit_log_hostpath }}
    name: {{ audit_log_name }}
{% endif %}
  - hostPath:
      path: {{ audit_policy_hostpath }}
    name: {{ audit_policy_name }}
{% endif %}