---
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
  labels:
    tier: control-plane
    component: kube-apiserver
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: gcr.io/google_containers/hyperkube-amd64:v1.6.2
      command:
        - /hyperkube
        - apiserver
        - --advertise-address={{ current_node.ip }}
        - --authorization-mode=RBAC
        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
        - --anonymous-auth=false
        - --client-ca-file=/etc/kubernetes/pki/cluster-ca.pem
        - --insecure-port=0
        - --bind-address=0.0.0.0
        - --secure-port=443
        - --allow-privileged=true
        - --etcd-servers=https://kubernetes:2379
        - --etcd-cafile=/etc/kubernetes/pki/cluster-ca.pem
        - --etcd-certfile=/etc/kubernetes/pki/apiserver.pem
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-key.pem
        - --service-cluster-ip-range={{ network.service_ip_cidr }}
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --service-account-key-file=/etc/kubernetes/pki/sa.pem
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.pem
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem
        - --v=5
      volumeMounts:
        - name: config
          mountPath: /etc/kubernetes
          readOnly: true
  volumes:
    - name: config
      hostPath:
        path: /etc/kubernetes/apiserver