From 2bb13ef5052d26fa93fa7a36f47ea31d69ebda02 Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Sat, 27 Jul 2024 14:24:53 +0300
Subject: [PATCH] manage kube-apiserver manifest with ansible

---
 ansible-kubernetes.yml |  12 ++++
 kube-apiserver.j2      | 132 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 144 insertions(+)
 create mode 100644 kube-apiserver.j2

diff --git a/ansible-kubernetes.yml b/ansible-kubernetes.yml
index e2a6b19..d149b13 100644
--- a/ansible-kubernetes.yml
+++ b/ansible-kubernetes.yml
@@ -127,3 +127,15 @@
     - name: Reload sysctl config
       ansible.builtin.shell: "sysctl --system"
       when: sysctl.changed
+
+- name: Reconfigure Kubernetes master nodes
+  hosts: masters
+  vars:
+    KUBERNETES_VERSION: v1.28.12
+    IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+  tasks:
+    - name: Configure kube-apiserver manifest on masters
+      ansible.builtin.template:
+        src: kube-apiserver.j2
+        dest: /etc/kubernetes/manifests/kube-apiserver.yaml
+        mode: 600
diff --git a/kube-apiserver.j2 b/kube-apiserver.j2
new file mode 100644
index 0000000..7726f35
--- /dev/null
+++ b/kube-apiserver.j2
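Review bot: `mode: 600` on the new template task is an unquoted integer, and Ansible's file-mode handling takes an int as the raw numeric mode rather than parsing it as octal (the same trap the module docs warn about for `mode: 644`), so this most likely yields 0o1130 (sticky bit, group write, no owner read) instead of the intended owner-only permissions; quote it as `mode: "0600"`. Kubelet runs as root and will still read the manifest, so the mistake is silent, but the file carries the API server's OIDC and authorization flags and should not be group-writable. The task also overwrites the kubeadm-generated manifest in place with no `backup: true` and no `validate:`, so a bad render takes the API server down on that node with no easy rollback; at minimum `backup: true` is cheap here.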
@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: {{ IP }}:6443
+  creationTimestamp: null
+  labels:
+    component: kube-apiserver
+    tier: control-plane
+  name: kube-apiserver
+  namespace: kube-system
+spec:
+  containers:
+  - command:
+    - kube-apiserver
+    - --advertise-address={{ IP }}
+    - --allow-privileged=true
+    - --authorization-mode=Node,RBAC
+    - --client-ca-file=/etc/kubernetes/pki/ca.crt
+    - --enable-admission-plugins=NodeRestriction
+    - --enable-bootstrap-token-auth=true
+    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
+    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
+    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
+    - --etcd-servers=https://127.0.0.1:2379
+    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
+    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
+    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+    - --oidc-client-id=passmower.kubelogin
+    - --oidc-groups-claim=groups
+    - --oidc-issuer-url=https://auth.k-space.ee/
+    - --oidc-username-claim=sub
+    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
+    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
+    - --requestheader-allowed-names=front-proxy-client
+    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+    - --requestheader-extra-headers-prefix=X-Remote-Extra-
+    - --requestheader-group-headers=X-Remote-Group
+    - --requestheader-username-headers=X-Remote-User
+    - --secure-port=6443
+    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
+    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
+    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
+    - --service-cluster-ip-range=10.96.0.0/12
+    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
+    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+    image: registry.k8s.io/kube-apiserver:{{ KUBERNETES_VERSION }}
+    imagePullPolicy: IfNotPresent
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: {{ IP }}
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    name: kube-apiserver
+    readinessProbe:
+      failureThreshold: 3
+      httpGet:
+        host: {{ IP }}
+        path: /readyz
+        port: 6443
+        scheme: HTTPS
+      periodSeconds: 1
+      timeoutSeconds: 15
+    resources:
+      requests:
+        cpu: 250m
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        host: {{ IP }}
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    volumeMounts:
+    - mountPath: /etc/ssl/certs
+      name: ca-certs
+      readOnly: true
+    - mountPath: /etc/ca-certificates
+      name: etc-ca-certificates
+      readOnly: true
+    - mountPath: /etc/pki
+      name: etc-pki
+      readOnly: true
+    - mountPath: /etc/kubernetes/pki
+      name: k8s-certs
+      readOnly: true
+    - mountPath: /usr/local/share/ca-certificates
+      name: usr-local-share-ca-certificates
+      readOnly: true
+    - mountPath: /usr/share/ca-certificates
+      name: usr-share-ca-certificates
+      readOnly: true
+  hostNetwork: true
+  priority: 2000001000
+  priorityClassName: system-node-critical
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - hostPath:
+      path: /etc/ssl/certs
+      type: DirectoryOrCreate
+    name: ca-certs
+  - hostPath:
+      path: /etc/ca-certificates
+      type: DirectoryOrCreate
+    name: etc-ca-certificates
+  - hostPath:
+      path: /etc/pki
+      type: DirectoryOrCreate
+    name: etc-pki
+  - hostPath:
+      path: /etc/kubernetes/pki
+      type: DirectoryOrCreate
+    name: k8s-certs
+  - hostPath:
+      path: /usr/local/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-local-share-ca-certificates
+  - hostPath:
+      path: /usr/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-share-ca-certificates
+status: {}
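Review bot: The OIDC block sets `--oidc-groups-claim=groups` with no `--oidc-groups-prefix`, so group names asserted by the auth.k-space.ee issuer are used verbatim and can collide with built-in groups such as `system:masters`; anyone who can set a group on the IdP side, or a compromised IdP, could then mint a cluster-admin token. Usernames are covered by default because with a non-email `--oidc-username-claim` the apiserver prefixes them with the issuer URL, but groups get no such default prefix. Add `- --oidc-groups-prefix=oidc:` next to the groups-claim flag and update the RBAC bindings that reference those groups accordingly. Separately, the flag set carries no `--audit-log-path`/`--audit-policy-file`, so requests authenticated via these OIDC tokens leave no server-side audit trail; if that is a deliberate kubeadm-default choice it deserves a one-line comment in the template, otherwise it is worth adding while the manifest is being brought under configuration management.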