4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
16 apiserver_admission_controllers:
19 - MutatingAdmissionWebhook
26 - ValidatingAdmissionWebhook
28 apiserver_feature_gates:
35 - "--admission-control={{ apiserver_admission_controllers | join(',') }}"
36 - "--advertise-address={{ apiserver }}"
37 - "--allow-privileged=true"
38 - "--anonymous-auth=false"
39 - "--apiserver-count={{ groups['caas_master']|length|int }}"
40 - "--audit-policy-file={{ caas.caas_policy_directory }}/audit-policy.yaml"
41 - "--audit-log-format=json"
42 - "--audit-log-maxbackup=10"
43 - "--audit-log-maxsize=100"
44 - "--audit-log-path=/var/log/audit/kube_apiserver/kube-apiserver-audit.log"
45 - "--authorization-mode=Node,RBAC"
46 - "--bind-address={{ apiserver }}"
47 - "--client-ca-file=/etc/openssl/ca.pem"
48 - "--enable-bootstrap-token-auth=true"
49 - "--etcd-cafile=/etc/etcd/ssl/ca.pem"
50 - "--etcd-certfile=/etc/etcd/ssl/etcd{{ nodeindex }}.pem"
51 - "--etcd-keyfile=/etc/etcd/ssl/etcd{{ nodeindex }}-key.pem"
52 - "--etcd-servers={% for host in groups['caas_master'] %}https://{{ hostvars[host]['networking']['infra_internal']['ip'] }}:{{ caas.etcd_api_port }}{% if not loop.last %},{% endif %}{% endfor %}"
53 - "--experimental-encryption-provider-config={{ caas.cert_path }}/{{ caas._secrets_conf }}"
54 - "--feature-gates={{ apiserver_feature_gates | get_kube_options }}"
56 - "--kubelet-certificate-authority=/etc/openssl/ca.pem"
57 - "--kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem"
58 - "--kubelet-client-key=/etc/kubernetes/ssl/kubelet-server-key.pem"
59 - "--kubelet-https=true"
60 - "--max-requests-inflight=1000"
61 - "--proxy-client-cert-file=/etc/kubernetes/ssl/metrics.crt"
62 - "--proxy-client-key-file=/etc/kubernetes/ssl/metrics.key"
63 - "--requestheader-client-ca-file=/etc/openssl/ca.pem"
64 - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
65 - "--requestheader-group-headers=X-Remote-Group"
66 - "--requestheader-username-headers=X-Remote-User"
67 - "--secure-port={{ apiserver_port }}"
68 - "--service-account-key-file=/etc/kubernetes/ssl/service-account.pem"
69 - "--service-account-lookup=true"
70 - "--service-cluster-ip-range={{ caas.service_cluster_ip_cidr }}"
71 - "--tls-cert-file=/etc/kubernetes/ssl/tls-cert.pem"
72 - "--tls-private-key-file=/etc/kubernetes/ssl/apiserver{{ nodeindex }}-key.pem"
73 - "--token-auth-file={{ caas.cert_path }}/{{ caas.tokenscsv_filename }}"
75 controllermanager_feature_gates:
80 scheduler_feature_gates: