apiserver(-webhook): Allow volume overrides
The existing apiserver chart supports volume overrides for the anchor daemonset, but not for the apiserver static pod itself. The feature to allow volume overrides in the apiserver-webhook chart was never fully implemented. This changes allows volume overrides via values.yaml for both charts, and provides a more complete audit example that includes mounting the audit log destination as a host path volume. Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
This commit is contained in:
Phil Sphicas
parent
27f181a9d3
commit
c6b62ff414
|
|
@ -96,6 +96,8 @@ tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- if .Values.manifests.deployment }}
|
{{- if .Values.manifests.deployment }}
|
||||||
|
{{- $mounts_apiserver := .Values.pod.mounts.apiserver_webhook.apiserver }}
|
||||||
|
{{- $mounts_webhook := .Values.pod.mounts.apiserver_webhook.webhook }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
|
|
@ -212,6 +214,7 @@ spec:
|
||||||
{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ if $mounts_apiserver.volumeMounts }}{{ toYaml $mounts_apiserver.volumeMounts | indent 12 }}{{ end }}
|
||||||
- name: webhook
|
- name: webhook
|
||||||
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
|
@ -248,6 +251,7 @@ spec:
|
||||||
subPath: webhook_start.sh
|
subPath: webhook_start.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ if $mounts_webhook.volumeMounts }}{{ toYaml $mounts_webhook.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
{{- if hasKey .Values.certificates "keystone" }}
|
{{- if hasKey .Values.certificates "keystone" }}
|
||||||
{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
|
@ -277,4 +281,6 @@ spec:
|
||||||
secret:
|
secret:
|
||||||
defaultMode: 292
|
defaultMode: 292
|
||||||
secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
|
secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
|
||||||
|
{{ if $mounts_apiserver.volumes }}{{ toYaml $mounts_apiserver.volumes | indent 8 }}{{ end }}
|
||||||
|
{{ if $mounts_webhook.volumes }}{{ toYaml $mounts_webhook.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
||||||
|
|
@ -214,13 +214,26 @@ pod:
|
||||||
apiserver:
|
apiserver:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
# explicitly setting the runAsUser may be required to write audit logs to the host
|
||||||
|
# runAsUser: 0
|
||||||
webhook:
|
webhook:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
mounts:
|
mounts:
|
||||||
kubernetes_apiserver:
|
apiserver_webhook:
|
||||||
init_container: null
|
apiserver:
|
||||||
kubernetes_apiserver:
|
# Example mounts for audit logging, refer to .conf.apiserver.auditpolicy below.
|
||||||
|
# volumeMounts:
|
||||||
|
# - name: audit-logs
|
||||||
|
# mountPath: /var/log/audit
|
||||||
|
# mountPropagation: HostToContainer
|
||||||
|
# readOnly: false
|
||||||
|
# volumes:
|
||||||
|
# - name: audit-logs
|
||||||
|
# hostPath:
|
||||||
|
# path: /var/log/audit
|
||||||
|
# type: DirectoryOrCreate
|
||||||
|
webhook: null
|
||||||
affinity:
|
affinity:
|
||||||
anti:
|
anti:
|
||||||
type:
|
type:
|
||||||
|
|
@ -282,13 +295,6 @@ pod:
|
||||||
limits:
|
limits:
|
||||||
memory: "256Mi"
|
memory: "256Mi"
|
||||||
cpu: "200m"
|
cpu: "200m"
|
||||||
mounts:
|
|
||||||
kubernetes_keystone_webhook_api:
|
|
||||||
init_container: null
|
|
||||||
kubernetes_keystone_webhook_api: null
|
|
||||||
kubernetes_keystone_webhook_tests:
|
|
||||||
init_container: null
|
|
||||||
kubernetes_keystone_webhook_tests: null
|
|
||||||
conf:
|
conf:
|
||||||
paths:
|
paths:
|
||||||
base: '/etc/webhook_apiserver/'
|
base: '/etc/webhook_apiserver/'
|
||||||
|
|
@ -330,6 +336,24 @@ conf:
|
||||||
content:
|
content:
|
||||||
kind: EncryptionConfiguration
|
kind: EncryptionConfiguration
|
||||||
apiVersion: apiserver.config.k8s.io/v1
|
apiVersion: apiserver.config.k8s.io/v1
|
||||||
|
# Uncomment any of the below to enable enhanced Audit Logging command line options.
|
||||||
|
# Note: To use the Log backend, ensure that the hostPath of the log file is mounted,
|
||||||
|
# and that the runAsUser for the apiserver container can write to it.
|
||||||
|
# (Refer to .pod.mounts.apiserver.apiserver)
|
||||||
|
#
|
||||||
|
# auditpolicy:
|
||||||
|
# file: audit_policy.yaml
|
||||||
|
# command_options:
|
||||||
|
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
|
||||||
|
# - '--audit-log-maxsize=10'
|
||||||
|
# - '--audit-log-maxbackup=3'
|
||||||
|
# - '--audit-log-path=/var/log/audit/webhook-audit.log'
|
||||||
|
# content:
|
||||||
|
# kind: Policy
|
||||||
|
# apiVersion: apiserver.k8s.io/v1
|
||||||
|
# rules:
|
||||||
|
# - level: Metadata
|
||||||
|
#
|
||||||
policy:
|
policy:
|
||||||
- resource:
|
- resource:
|
||||||
verbs:
|
verbs:
|
||||||
|
|
|
||||||
|
|
@ -51,6 +51,9 @@ httpGet:
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
|
||||||
|
{{- $mounts_apiserver := .Values.pod.mounts.apiserver.apiserver }}
|
||||||
|
|
||||||
|
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
|
@ -124,7 +127,9 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: etc
|
- name: etc
|
||||||
mountPath: /etc/kubernetes/apiserver
|
mountPath: /etc/kubernetes/apiserver
|
||||||
|
{{ if $mounts_apiserver.volumeMounts }}{{ toYaml $mounts_apiserver.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: etc
|
- name: etc
|
||||||
hostPath:
|
hostPath:
|
||||||
path: {{ .Values.apiserver.host_etc_path }}
|
path: {{ .Values.apiserver.host_etc_path }}
|
||||||
|
{{ if $mounts_apiserver.volumes }}{{ toYaml $mounts_apiserver.volumes | indent 4 }}{{ end }}
|
||||||
|
|
|
||||||
|
|
@ -131,11 +131,16 @@ conf:
|
||||||
# content: |
|
# content: |
|
||||||
# -----SOME KEY-----
|
# -----SOME KEY-----
|
||||||
# Uncomment any of the below to enable enhanced Audit Logging command line options.
|
# Uncomment any of the below to enable enhanced Audit Logging command line options.
|
||||||
|
# Note: To use the Log backend, ensure that the hostPath of the log file is mounted.
|
||||||
|
# (Refer to .pod.mounts.apiserver.apiserver)
|
||||||
#
|
#
|
||||||
# auditpolicy:
|
# auditpolicy:
|
||||||
# file: audit_policy.yaml
|
# file: audit_policy.yaml
|
||||||
# command_options:
|
# command_options:
|
||||||
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
|
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
|
||||||
|
# - '--audit-log-maxsize=10'
|
||||||
|
# - '--audit-log-maxbackup=3'
|
||||||
|
# - '--audit-log-path=/var/log/audit/audit.log'
|
||||||
# content:
|
# content:
|
||||||
# kind: Policy
|
# kind: Policy
|
||||||
# apiVersion: apiserver.k8s.io/v1
|
# apiVersion: apiserver.k8s.io/v1
|
||||||
|
|
@ -293,9 +298,24 @@ pod:
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
mounts:
|
mounts:
|
||||||
|
# .pod.mounts.kubernetes_apiserver is for the anchor daemonset
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
init_container: null
|
init_container: null
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
|
# .pod.mounts.apiserver is for the apiserver static pod
|
||||||
|
apiserver:
|
||||||
|
apiserver:
|
||||||
|
# Example mounts for audit logging, refer to .conf.auditpolicy above.
|
||||||
|
# volumeMounts:
|
||||||
|
# - name: audit-logs
|
||||||
|
# mountPath: /var/log/audit
|
||||||
|
# mountPropagation: HostToContainer
|
||||||
|
# readOnly: false
|
||||||
|
# volumes:
|
||||||
|
# - name: audit-logs
|
||||||
|
# hostPath:
|
||||||
|
# path: /var/log/audit
|
||||||
|
# type: DirectoryOrCreate
|
||||||
replicas:
|
replicas:
|
||||||
apiserver: 3
|
apiserver: 3
|
||||||
lifecycle:
|
lifecycle:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue