6 Commits

Author SHA1 Message Date
Phil Sphicas 300a399aff apiserver(-webhook): Allow fileless kube-apiserver command_options
The kube-apiserver command line is constructed from a command_prefix
array, and in the case of the apiserver chart, an arguments array, both
defined in values.yaml. If an option needs to be added to the command
line, the entire array needs to be redefined in a values.yaml override,
which is sometimes inconvenient.

There is an existing interface in the apiserver and apiserver-webhook
charts to allow kube-apiserver arguments to be appended, but only when
they are associated with a config file that is dynamically included in a
configmap. The typical usage is similar to:

    conf:
      ignored_key_name:
        file: filename.yaml
        content: ...
        command_options:
          - --some-file=/etc/kubernetes/apiserver/filename.yaml

This change removes the requirement to include a file in the configmap,
allowing arbitrary command options to be appended. For example, in the
apiserver chart, this is now possible:

    conf:
      ignored_key_name:
        command_options:
          - --service-account-issuer=apiserver

Change-Id: I86283ecedd701c0f061da7b706d6ed54498f27a3
2021-04-28 05:18:16 +00:00
Scott Hussey 4bc788e8b7 Allow non-YAML config file content
- Detect if the content of an auxiliary config file is a string
  to be directly written to a file or something that should be
  serialized as YAML.

Change-Id: I51a25e0911b81b88e58c90576063f39562ef4fee
2019-05-03 15:52:07 -05:00
Mark Burnett 04da7585ff Refactor API server
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
   does not try to coordinate the injection of "new" data from
   configmaps/secrets.

It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.

It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
  which will be the preferred way to configure bootstrapping apiservers
  going forward (in lieu of command_prefix).

Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
2019-01-10 16:31:50 -06:00
Matt McEuen 178193be84 Add EventRateLimit admission controller
Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.

This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, incl examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting

This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.

Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
2018-10-27 15:35:43 -05:00
Aaron Sheffield 890964eca0 Add Additional Liveness Probes for apiserver
- Updated apiserver-anchor with a liveness probe.
- Changed apiserver liveness probe to query kubectl.
   This allows the pod to restart if it loses access to etcd.

Change-Id: I0ef9cbc941a0533268e4f499a1333e88be3e43a3
2018-06-26 09:29:07 -05:00
Anthony Lin dee0960ed7 Refactor apiserver Chart
Refactor apiserver chart to align with OSH
standards

Change-Id: I9d168226622d8fc2047a0b71cf390c086d3efe40
2017-11-07 23:41:26 +00:00