Fix cluster chart for single-node cluster
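---
# Helm template for the Cluster API KubeadmControlPlane of this cluster.
# Rendered by Helm first, then applied as a Kubernetes manifest; the
# {{ "{{" }} ... {{ "}}" }} escapes survive rendering so that cloud-init /
# the bootstrap provider expands ds.meta_data.* on the node itself.
apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
kind: KubeadmControlPlane
metadata:
  name: {{ .Values.clusterName }}
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          # Passed to kube-apiserver as --enable-admission-plugins.
          # NOTE(review): the PodSecurityPolicy objects themselves are not
          # created here; presumably harden_k8s.sh provides them — confirm.
          enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          # NOTE(review): additional control-plane machines come in through
          # joinConfiguration below, which does not repeat the
          # cpu-manager/topology-manager/kube-reserved arguments — confirm
          # that asymmetry is intended.
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    joinConfiguration:
      controlPlane: {}
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    # Run as root on the node before kubeadm init/join.
    preKubeadmCommands:
{{- if .Values.networks }}
    # Without touching up /etc/hosts, kubeadm may pick the wrong
    # (i.e. provisioning network) address for the node IP
    - sed -i "1i $(ip -4 addr show dev {{ .Values.networks.baremetal.interface }} | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1) $(hostname)" /etc/hosts
{{- end }}
    # NOTE(review): apt-key adds these keys to the global trusted keyring
    # (deprecated in newer Ubuntu releases); per-repository signed-by
    # keyrings would scope the trust to the repo each key is meant for.
    # Both fetches use -fsSL so an HTTP error or redirect does not feed
    # garbage into apt-key.
    - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
    - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
    - curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
    - apt update -y
    - apt-get install -y ca-certificates
{{- if .Values.keepalived }}
    - apt-get install -y keepalived
    - systemctl enable --now keepalived
{{- end }}
    # Written under files: below (via the cluster.containerRuntime include).
    - /usr/local/bin/install-container-runtime.sh
    - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
    - systemctl enable --now kubelet
    # Run as root on the node after kubeadm init/join succeeded.
    postKubeadmCommands:
    # admin.conf is the kubeadm admin (cluster-admin) kubeconfig; copying it
    # into the ubuntu user's home gives that user full cluster access.
    - mkdir -p /home/ubuntu/.kube
    - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
    - chown ubuntu:ubuntu /home/ubuntu/.kube/config
    - mkdir -p /root/.kube
    - cp /etc/kubernetes/admin.conf /root/.kube/config
    - /usr/local/bin/harden_os.sh
    # Normally any bootstrap resources needed would be applied with a
    # ClusterResourceSet.  However instead of apply, replace must be
    # used to harden K8s.
    - /usr/local/bin/harden_k8s.sh
{{- if eq (int .Values.numWorkerMachines) 0 }}
    # Allow scheduling Pods on the control plane when there are no
    # workers.
    - kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
{{- end }}
    # This must be done after kubeadm as the cabpk provider relies on
    # files in /var/run, which won't persist after a reboot
    - /usr/local/bin/set_kernel_cmdline.sh
    files:
{{ include "cluster.keepalived" .Values | indent 4 }}
{{ include "cluster.containerRuntime" .Values | indent 4 }}
    - path: /etc/systemd/system/containerd.service.d/override.conf
      content: |
{{ $.Files.Get "resources/override.conf" | indent 8 }}
    # The three scripts below are executed by root from postKubeadmCommands.
    # 0755 keeps them executable without being world-writable; 0777 would
    # let any local account change what root later runs.
    - path: /usr/local/bin/harden_os.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
    - path: /usr/local/bin/harden_k8s.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
    - path: /usr/local/bin/set_kernel_cmdline.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
    users:
    - name: {{ .Values.userData.name }}
      shell: /bin/bash
      # NOTE(review): password login plus NOPASSWD sudo below makes this
      # account equivalent to root; confirm that is intended outside lab use.
      lockPassword: false # Necessary to allow password login
      passwd: {{ .Values.userData.hashedPassword }}
      sshAuthorizedKeys:
      # NOTE(review): unquoted plain scalar — a key comment containing " #"
      # or ": " would be mis-parsed; consider `{{ "{{" }} .Values.userData.sshAuthorizedKey | quote {{ "}}" }}`.
      - {{ .Values.userData.sshAuthorizedKey }}
      sudo: "ALL=(ALL) NOPASSWD:ALL"
      groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
    # The same key also allows direct SSH as root.
    - name: root
      sshAuthorizedKeys:
      - {{ .Values.userData.sshAuthorizedKey }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
      kind: Metal3MachineTemplate
      name: {{ .Values.clusterName }}-controlplane
    # 0s: no time limit when draining a control-plane node (Cluster API semantics).
    nodeDrainTimeout: 0s
  replicas: {{ .Values.numControlPlaneMachines }}
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 1
    type: RollingUpdate
  version: {{ .Values.k8sVersion }}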