manage kube-apiserver manifest with ansible
This commit is contained in:
parent
c44cfb8bc8
commit
2bb13ef505
@ -127,3 +127,15 @@
|
||||
- name: Reload sysctl config
|
||||
ansible.builtin.shell: "sysctl --system"
|
||||
when: sysctl.changed
|
||||
|
||||
- name: Reconfigure Kubernetes master nodes
|
||||
hosts: masters
|
||||
vars:
|
||||
KUBERNETES_VERSION: v1.28.12
|
||||
IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
|
||||
tasks:
|
||||
- name: Configure kube-apiserver manifest on masters
|
||||
ansible.builtin.template:
|
||||
src: kube-apiserver.j2
|
||||
dest: /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||
mode: 600
|
||||
|
132
kube-apiserver.j2
Normal file
132
kube-apiserver.j2
Normal file
@ -0,0 +1,132 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
annotations:
|
||||
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: {{ IP }}:6443
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
component: kube-apiserver
|
||||
tier: control-plane
|
||||
name: kube-apiserver
|
||||
namespace: kube-system
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- kube-apiserver
|
||||
- --advertise-address={{ IP }}
|
||||
- --allow-privileged=true
|
||||
- --authorization-mode=Node,RBAC
|
||||
- --client-ca-file=/etc/kubernetes/pki/ca.crt
|
||||
- --enable-admission-plugins=NodeRestriction
|
||||
- --enable-bootstrap-token-auth=true
|
||||
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
|
||||
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
|
||||
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
|
||||
- --etcd-servers=https://127.0.0.1:2379
|
||||
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
|
||||
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
|
||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||
- --oidc-client-id=passmower.kubelogin
|
||||
- --oidc-groups-claim=groups
|
||||
- --oidc-issuer-url=https://auth.k-space.ee/
|
||||
- --oidc-username-claim=sub
|
||||
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
|
||||
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
|
||||
- --requestheader-allowed-names=front-proxy-client
|
||||
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
|
||||
- --requestheader-extra-headers-prefix=X-Remote-Extra-
|
||||
- --requestheader-group-headers=X-Remote-Group
|
||||
- --requestheader-username-headers=X-Remote-User
|
||||
- --secure-port=6443
|
||||
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
|
||||
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
|
||||
- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
|
||||
- --service-cluster-ip-range=10.96.0.0/12
|
||||
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
|
||||
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
|
||||
image: registry.k8s.io/kube-apiserver:{{ KUBERNETES_VERSION }}
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
failureThreshold: 8
|
||||
httpGet:
|
||||
host: {{ IP }}
|
||||
path: /livez
|
||||
port: 6443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 15
|
||||
name: kube-apiserver
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
host: {{ IP }}
|
||||
path: /readyz
|
||||
port: 6443
|
||||
scheme: HTTPS
|
||||
periodSeconds: 1
|
||||
timeoutSeconds: 15
|
||||
resources:
|
||||
requests:
|
||||
cpu: 250m
|
||||
startupProbe:
|
||||
failureThreshold: 24
|
||||
httpGet:
|
||||
host: {{ IP }}
|
||||
path: /livez
|
||||
port: 6443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 15
|
||||
volumeMounts:
|
||||
- mountPath: /etc/ssl/certs
|
||||
name: ca-certs
|
||||
readOnly: true
|
||||
- mountPath: /etc/ca-certificates
|
||||
name: etc-ca-certificates
|
||||
readOnly: true
|
||||
- mountPath: /etc/pki
|
||||
name: etc-pki
|
||||
readOnly: true
|
||||
- mountPath: /etc/kubernetes/pki
|
||||
name: k8s-certs
|
||||
readOnly: true
|
||||
- mountPath: /usr/local/share/ca-certificates
|
||||
name: usr-local-share-ca-certificates
|
||||
readOnly: true
|
||||
- mountPath: /usr/share/ca-certificates
|
||||
name: usr-share-ca-certificates
|
||||
readOnly: true
|
||||
hostNetwork: true
|
||||
priority: 2000001000
|
||||
priorityClassName: system-node-critical
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /etc/ssl/certs
|
||||
type: DirectoryOrCreate
|
||||
name: ca-certs
|
||||
- hostPath:
|
||||
path: /etc/ca-certificates
|
||||
type: DirectoryOrCreate
|
||||
name: etc-ca-certificates
|
||||
- hostPath:
|
||||
path: /etc/pki
|
||||
type: DirectoryOrCreate
|
||||
name: etc-pki
|
||||
- hostPath:
|
||||
path: /etc/kubernetes/pki
|
||||
type: DirectoryOrCreate
|
||||
name: k8s-certs
|
||||
- hostPath:
|
||||
path: /usr/local/share/ca-certificates
|
||||
type: DirectoryOrCreate
|
||||
name: usr-local-share-ca-certificates
|
||||
- hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
type: DirectoryOrCreate
|
||||
name: usr-share-ca-certificates
|
||||
status: {}
|
Loading…
Reference in New Issue
Block a user