manage kube-apiserver manifest with ansible
parent
c44cfb8bc8
commit
2bb13ef505
@ -127,3 +127,15 @@
|
|||||||
- name: Reload sysctl config
|
- name: Reload sysctl config
|
||||||
ansible.builtin.shell: "sysctl --system"
|
ansible.builtin.shell: "sysctl --system"
|
||||||
when: sysctl.changed
|
when: sysctl.changed
|
||||||
|
|
||||||
|
- name: Reconfigure Kubernetes master nodes
|
||||||
|
hosts: masters
|
||||||
|
vars:
|
||||||
|
KUBERNETES_VERSION: v1.28.12
|
||||||
|
IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
|
||||||
|
tasks:
|
||||||
|
- name: Configure kube-apiserver manifest on masters
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: kube-apiserver.j2
|
||||||
|
dest: /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||||
|
mode: 600
|
||||||
|
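Review bot: `mode: 600` on the template task is parsed as the decimal integer 600, which Ansible applies as octal 1130 rather than the owner-only 0600 that was evidently intended; the value needs to be a quoted string with a leading zero, `mode: "0600"`, so the rendered manifest (which fixes cluster authn/authz flags and points at the PKI) is not left group/world-accessible. While touching that task, pinning `owner: root` and `group: root` would make the file ownership explicit instead of inheriting whatever user the play connects as. The play otherwise relies on the kubelet picking the static pod manifest up from `/etc/kubernetes/manifests` on its own, which is correct, so no handler is needed.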
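--- /dev/null
+++ b/kube-apiserver.j2
@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: {{ IP }}:6443
+  creationTimestamp: null
+  labels:
+    component: kube-apiserver
+    tier: control-plane
+  name: kube-apiserver
+  namespace: kube-system
+spec:
+  containers:
+  - command:
+    - kube-apiserver
+    - --advertise-address={{ IP }}
+    - --allow-privileged=true
+    - --authorization-mode=Node,RBAC
+    - --client-ca-file=/etc/kubernetes/pki/ca.crt
+    - --enable-admission-plugins=NodeRestriction
+    - --enable-bootstrap-token-auth=true
+    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
+    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
+    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
+    - --etcd-servers=https://127.0.0.1:2379
+    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
+    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
+    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+    - --oidc-client-id=passmower.kubelogin
+    - --oidc-groups-claim=groups
+    - --oidc-issuer-url=https://auth.k-space.ee/
+    - --oidc-username-claim=sub
+    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
+    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
+    - --requestheader-allowed-names=front-proxy-client
+    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+    - --requestheader-extra-headers-prefix=X-Remote-Extra-
+    - --requestheader-group-headers=X-Remote-Group
+    - --requestheader-username-headers=X-Remote-User
+    - --secure-port=6443
+    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
+    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
+    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
+    - --service-cluster-ip-range=10.96.0.0/12
+    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
+    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+    image: registry.k8s.io/kube-apiserver:{{ KUBERNETES_VERSION }}
+    imagePullPolicy: IfNotPresent
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: {{ IP }}
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    name: kube-apiserver
+    readinessProbe:
+      failureThreshold: 3
+      httpGet:
+        host: {{ IP }}
+        path: /readyz
+        port: 6443
+        scheme: HTTPS
+      periodSeconds: 1
+      timeoutSeconds: 15
+    resources:
+      requests:
+        cpu: 250m
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        host: {{ IP }}
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    volumeMounts:
+    - mountPath: /etc/ssl/certs
+      name: ca-certs
+      readOnly: true
+    - mountPath: /etc/ca-certificates
+      name: etc-ca-certificates
+      readOnly: true
+    - mountPath: /etc/pki
+      name: etc-pki
+      readOnly: true
+    - mountPath: /etc/kubernetes/pki
+      name: k8s-certs
+      readOnly: true
+    - mountPath: /usr/local/share/ca-certificates
+      name: usr-local-share-ca-certificates
+      readOnly: true
+    - mountPath: /usr/share/ca-certificates
+      name: usr-share-ca-certificates
+      readOnly: true
+  hostNetwork: true
+  priority: 2000001000
+  priorityClassName: system-node-critical
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - hostPath:
+      path: /etc/ssl/certs
+      type: DirectoryOrCreate
+    name: ca-certs
+  - hostPath:
+      path: /etc/ca-certificates
+      type: DirectoryOrCreate
+    name: etc-ca-certificates
+  - hostPath:
+      path: /etc/pki
+      type: DirectoryOrCreate
+    name: etc-pki
+  - hostPath:
+      path: /etc/kubernetes/pki
+      type: DirectoryOrCreate
+    name: k8s-certs
+  - hostPath:
+      path: /usr/local/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-local-share-ca-certificates
+  - hostPath:
+      path: /usr/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-share-ca-certificates
+status: {}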
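Review bot: The templated scalars in this file are unquoted — the `advertise-address.endpoint` annotation value and the three `host: {{ IP }}` probe fields — so if `IP` ever renders empty (the play derives it from `ansible_default_ipv4`, which is absent on hosts without a default IPv4 route) the rendered YAML becomes `host:` (null) and the kubelet rejects the static pod, taking the API server off that node; quoting them as `host: "{{ IP }}"` and `endpoint: "{{ IP }}:6443"` at least keeps the output well-formed so the failure is a visible probe error rather than a parse error. Since this file lands in the kubelet's watched manifest directory where hand edits are tempting, a first line of `# {{ ansible_managed }}` would tell operators the file is overwritten by Ansible. Stylistically, the OIDC issuer `https://auth.k-space.ee/` and client id `passmower.kubelogin` are hard-coded while `IP` and `KUBERNETES_VERSION` are play vars; moving them into `vars:` alongside the others keeps the template reusable and makes the trust anchor for user authentication visible in one place.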