# Helm template excerpt for the cluster's KubeadmControlPlane (CAPI v1alpha4).
# This view is a fragment: the listing starts mid-document, omits lines, and
# has lost its indentation, so comments below refer only to the visible lines.
# NOTE(review): templated scalars in this excerpt (clusterName, hashedPassword,
# sshAuthorizedKey, k8sVersion, ...) are rendered unquoted; a value containing
# ': ' or ' #', or one that looks numeric/boolean to YAML, would be re-typed or
# break parsing. Quoting them ("{{ .Values.clusterName }}") is the safer form.
2 apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
3 kind: KubeadmControlPlane
5 name: {{ .Values.clusterName }}
# Admission plugins for the API server. PodSecurityPolicy only admits pods that
# match an existing policy and was removed upstream in Kubernetes 1.25, so this
# line must be revisited when the targeted version moves past 1.24.
# NOTE(review): presumably harden_k8s.sh (listed below) installs the policies
# PSP needs — verify, otherwise workloads will be rejected at admission.
11 enable-admission-plugins: NodeRestriction,PodSecurityPolicy
15 {{- include "cluster.nodeIP" .Values.networkData | nindent 10 }}
# Kubelet extra args (control-plane init). The node label is self-assigned by
# the kubelet; NodeRestriction (above) blocks only the kubernetes.io/ and
# k8s.io/ label prefixes, and metal3.io/uuid is outside those.
# The nested {{ "{{" }} ... {{ "}}" }} emits literal {{ }} so cloud-init, not
# Helm, expands ds.meta_data.* on the host.
16 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
17 cpu-manager-policy: static
18 topology-manager-policy: best-effort
19 kube-reserved: cpu=200m,memory=512Mi
20 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
# Same kubelet args repeated for the join configuration; keep both copies in
# sync (any change above must be mirrored here).
25 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
26 cpu-manager-policy: static
27 topology-manager-policy: best-effort
28 kube-reserved: cpu=200m,memory=512Mi
29 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
# Operator-supplied pre-kubeadm commands are spliced in verbatim ahead of the
# built-in list; they run as root on every control-plane host, so the values
# file is part of the node's trust boundary.
31 {{- if .Values.preKubeadmCommands }}
32 {{ toYaml .Values.preKubeadmCommands | indent 4 }}
# Repository signing keys are fetched over HTTPS and imported with apt-key,
# which is deprecated in favour of per-repository signed-by keyrings; neither
# key's fingerprint is checked after download. The second curl uses -s without
# -f, so a non-2xx response body is piped into apt-key instead of failing the
# download step itself.
34 - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
35 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
36 - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
37 - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
39 - apt-get install -y ca-certificates
# Optional VIP failover daemon; its config comes from the "cluster.keepalived"
# file entry rendered further down.
40 {{- if .Values.keepalived }}
41 - apt-get install -y keepalived
42 - systemctl enable --now keepalived
44 - /usr/local/bin/install-container-runtime.sh
# kubelet/kubeadm/kubectl are pinned to .Values.kubeVersion (apt package
# version), while the KubeadmControlPlane `version` at the end uses
# .Values.k8sVersion — NOTE(review): these two values must describe the same
# release; confirm the chart keeps them coupled.
45 - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
46 - systemctl enable --now kubelet
# Post-kubeadm: the cluster-admin kubeconfig is copied to the ubuntu user's home
# (and to root). Anyone able to log in as ubuntu therefore holds cluster-admin,
# which compounds with the NOPASSWD sudo / password login granted under
# userData below. Consider whether the unprivileged user needs admin.conf.
48 - mkdir -p /home/ubuntu/.kube
49 - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
50 - chown ubuntu:ubuntu /home/ubuntu/.kube/config
51 - mkdir -p /root/.kube
52 - cp /etc/kubernetes/admin.conf /root/.kube/config
# Host and cluster hardening scripts; their bodies are embedded from the chart's
# resources/ directory via the file entries below.
53 - /usr/local/bin/harden_os.sh
54 # Normally any bootstrap resources needed would be applied with a
55 # ClusterResourceSet. However instead of apply, replace must be
57 - /usr/local/bin/harden_k8s.sh
# With zero workers the control-plane taint is removed so workloads can run on
# control-plane nodes; this also drops the isolation the taint provides, so it
# is only acceptable for single-tier/dev clusters.
58 {{- if eq (int .Values.numWorkerMachines) 0 }}
59 # Allow scheduling Pods on the control plane when there are no
61 - kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
63 # This must be done after kubeadm as the cabpk provider relies on
64 # files in /var/run, which won't persist after a reboot
65 - /usr/local/bin/set_kernel_cmdline.sh
# Files written to the host before kubeadm runs. Bodies come from $.Files.Get
# and are indented to sit inside the (omitted) content: block scalar of each
# entry — NOTE(review): an indent mismatch here silently corrupts the file.
67 {{ include "cluster.keepalived" .Values | indent 4 }}
68 {{ include "cluster.containerRuntime" .Values | indent 4 }}
69 - path: /etc/systemd/system/containerd.service.d/override.conf
71 {{ $.Files.Get "resources/override.conf" | indent 8 }}
72 - path: /usr/local/bin/harden_os.sh
75 {{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
76 - path: /usr/local/bin/harden_k8s.sh
79 {{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
80 - path: /usr/local/bin/set_kernel_cmdline.sh
83 {{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
# NetworkManager must be told to leave Calico's interfaces alone; only
# rendered when the chart's cni value is calico.
84 {{- if eq .Values.cni "calico" }}
85 - path: /etc/NetworkManager/conf.d/calico.conf
87 {{ $.Files.Get "resources/calico.conf" | indent 8 }}
# Optional local user. `lockPassword: False` enables password authentication
# with the hashed password below, and `NOPASSWD:ALL` sudo grants root without
# re-authentication; together with the admin.conf copy above this is a
# complete cluster takeover path for anyone holding the password or key.
# Prefer key-only login unless password access is a hard requirement.
# `False` is a YAML 1.1 boolean accepted by cloud-init; lowercase `false` is the
# canonical spelling.
89 {{- if .Values.userData }}
91 - name: {{ .Values.userData.name }}
93 lockPassword: False # Necessary to allow password login
94 passwd: {{ .Values.userData.hashedPassword }}
96 - {{ .Values.userData.sshAuthorizedKey }}
97 sudo: "ALL=(ALL) NOPASSWD:ALL"
98 groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
# The same authorized key appears a second time — presumably the user-level
# and instance-level key lists; verify both are intended.
101 - {{ .Values.userData.sshAuthorizedKey }}
# Infrastructure reference for control-plane machines (Metal3 v1alpha5),
# followed by the control plane's replica count and Kubernetes version.
105 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
106 kind: Metal3MachineTemplate
107 name: {{ .Values.clusterName }}-controlplane
109 replicas: {{ .Values.numControlPlaneMachines }}
# NOTE(review): an unquoted version such as 1.20 would be read as the float
# 1.2; quote this value ("{{ .Values.k8sVersion }}") unless it always carries
# a "v" prefix.
114 version: {{ .Values.k8sVersion }}