# Copyright 2017 AT&T Intellectual Property. All other rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. release_group: null # NOTE(mark-burnett): These values are not really configurable -- they live # here to keep the templates cleaner. const: encryption_annotation: "airshipit.org/encryption_key" command_prefix: - kube-apiserver - --advertise-address=$(POD_IP) - --allow-privileged=true - --anonymous-auth=true - --bind-address=0.0.0.0 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem - --etcd-servers=$(ETCD_ENDPOINTS) - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --secure-port=$(APISERVER_PORT) - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub - --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem files_to_copy: # NOTE(mark-burnett): These are (host dest): (container source) pairs /etc/kubernetes/apiserver/kubeconfig.yaml: /tmp/etc/kubeconfig.yaml /etc/kubernetes/apiserver/pki/apiserver-key.pem: /keys/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem: /certs/apiserver.pem /etc/kubernetes/apiserver/pki/cluster-ca.pem: /certs/cluster-ca.pem /etc/kubernetes/apiserver/pki/etcd-client-ca.pem: /certs/etcd-client-ca.pem /etc/kubernetes/apiserver/pki/etcd-client-key.pem: /keys/etcd-client-key.pem /etc/kubernetes/apiserver/pki/etcd-client.pem: /certs/etcd-client.pem /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem: /certs/kubelet-client-ca.pem /etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem /etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem /etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub /etc/kubernetes/apiserver/pki/service-account.key: /keys/service-account.key /etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml images: tags: dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 anchor: quay.io/airshipit/porthole-compute-utility:latest-ubuntu_focal apiserver: registry.k8s.io/kube-apiserver-amd64:v1.27.4 key_rotate: quay.io/airshipit/porthole-compute-utility:latest-ubuntu_focal pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync labels: kubernetes_apiserver: node_selector_key: kubernetes-apiserver node_selector_value: enabled job: node_selector_key: kubernetes-apiserver node_selector_value: enabled anchor: dns_policy: Default enable_cleanup: true kubelet: manifest_path: /etc/kubernetes/manifests period: 15 # TODO(sh8121att): Add dynamic rendering of the admission controller list allowing a base list # and each conf entry to enable additional AC plugins conf: # Uncomment any of the below to enable the file placement and associated apiserver # command line options # acconfig: file: acconfig.yaml command_options: - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml' - '--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit' content: kind: AdmissionConfiguration apiVersion: apiserver.k8s.io/v1alpha1 plugins: - name: EventRateLimit path: eventconfig.yaml eventconfig: file: eventconfig.yaml content: kind: Configuration apiVersion: eventratelimit.admission.k8s.io/v1alpha1 limits: - type: Server qps: 1000 burst: 10000 # agg_api_ca: # file: agg-api-ca.pem # command_options: # - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem' # - '--requestheader-extra-headers-prefix=X-Remote-Extra-' # - '--requestheader-group-headers=X-Remote-Group' # - '--requestheader-username-headers=X-Remote-User' # - '--requestheader-allowed-names="aggregator"' # content: | # -----SOME CA----- # apiserver_proxy_cert: # file: 'apiserver-proxy-cert.pem' # command_options: # - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem' # content: | # ------SOME CERT----- # apiserver_proxy_key: # file: 'apiserver-proxy-key.pem' # command_options: # - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem' # content: | # -----SOME KEY----- # Uncomment any of the below to enable enhanced Audit Logging command line options. # Note: To use the Log backend, ensure that the hostPath of the log file is mounted. # (Refer to .pod.mounts.apiserver.apiserver) # # auditpolicy: # file: audit_policy.yaml # command_options: # - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml' # - '--audit-log-maxsize=10' # - '--audit-log-maxbackup=3' # - '--audit-log-path=/var/log/audit/audit.log' # content: # kind: Policy # apiVersion: apiserver.k8s.io/v1 # rules: # - level: Metadata # encryption_provider: file: encryption_provider.yaml command_options: - '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml' content: kind: EncryptionConfiguration apiVersion: apiserver.config.k8s.io/v1 resources: - resources: - 'secrets' providers: - secretbox: keys: - name: key1 secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk= - identity: {} service_account_issuer: command_options: - --service-account-issuer=https://kubernetes.default.svc.cluster.local apiserver: arguments: - --authorization-mode=Node,RBAC - --service-cluster-ip-range=10.96.0.0/16 - --endpoint-reconciler-type=lease - --v=3 etcd: endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local host_etc_path: /etc/kubernetes/apiserver logging: # Which messages to log. # Valid values include any number from 0 to 9. # Default 5(Trace level verbosity). log_level: 5 #XXX another possible configuration # tls: # tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" # # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ # #Possible values: VersionTLS10, VersionTLS11, VersionTLS12 # tls-min-version: 'VersionTLS12' network: kubernetes_apiserver: ingress: public: true classes: namespace: "nginx-cluster" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/proxy-read-timeout: "120" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/secure-backends: "true" name: kubernetes-apiserver port: 6443 node_port: enabled: false port: 31943 service: name: kubernetes-apiserver ip: null secrets: tls: ca: placeholder cert: placeholder key: placeholder service_account: public_key: placeholder private_key: placeholder etcd: tls: ca: placeholder cert: placeholder key: placeholder kubelet: tls: ca: null cert: null key: null dependencies: dynamic: common: local_image_registry: jobs: - apiserver-image-repo-sync services: - endpoint: node service: local_image_registry static: key_rotate: {} # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local kubernetes_apiserver: name: kubernetes-apiserver hosts: default: kubernetes-apiserver port: https: default: 6443 public: 443 path: default: / scheme: default: https public: https host_fqdn_override: default: null # NOTE: this chart supports TLS for fqdn over-ridden public # endpoints using the following format: # public: # host: null # tls: # crt: null # key: null pod: mandatory_access_control: type: apparmor kubernetes_apiserver_anchor: anchor: runtime/default kube-apiserver: init: runtime/default apiserver-key-rotate: runtime/default apiserver: apiserver: runtime/default security_context: kubernetes_apiserver_anchor: pod: runAsUser: 65534 container: anchor: runAsUser: 0 readOnlyRootFilesystem: false key_rotate: pod: runAsUser: 65534 container: apiserver_key_rotate: runAsUser: 0 readOnlyRootFilesystem: false apiserver: pod: runAsUser: 65534 container: apiserver: runAsUser: 0 readOnlyRootFilesystem: false mounts: # .pod.mounts.kubernetes_apiserver is for the anchor daemonset kubernetes_apiserver: init_container: null kubernetes_apiserver: # .pod.mounts.apiserver is for the apiserver static pod apiserver: apiserver: # Example mounts for audit logging, refer to .conf.auditpolicy above. # volumeMounts: # - name: audit-logs # mountPath: /var/log/audit # mountPropagation: HostToContainer # readOnly: false # volumes: # - name: audit-logs # hostPath: # path: /var/log/audit # type: DirectoryOrCreate replicas: apiserver: 3 lifecycle: upgrades: daemonsets: pod_replacement_strategy: RollingUpdate kubernetes-apiserver-anchor: enabled: false min_ready_seconds: 0 max_unavailable: 1 termination_grace_period: kubernetes_apiserver: timeout: 3600 resources: enabled: false anchor_pod: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" key_rotate: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" kubernetes_apiserver: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" probes: apiserver: apiserver: liveness: enabled: true params: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 readiness: enabled: true params: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 5 env: apiserver: manifests: configmap_bin: true configmap_certs: true configmap_etc: true ingress_api: false kubernetes_apiserver: true secret: true secret_ingress_tls: false service: true service_ingress: false job_key_rotate: true