# Helm template (text/template over YAML) for a Cluster API KubeadmControlPlane.
# Only a subset of the file is visible here: the numeric prefixes are the
# original line numbers and the YAML indentation has been flattened, so the
# nesting of each key below is inferred from context, not shown.
2 apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
3 kind: KubeadmControlPlane
# Templated scalars such as clusterName are emitted unquoted; a value that
# happens to look like a number or boolean would be retyped by the YAML parser.
# Quoting the expansion ("{{ .Values.clusterName }}") is the safer form.
5 name: {{ .Values.clusterName }}
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25. Keeping
# it in this list makes kube-apiserver refuse to start on such a version
# (unknown admission plugin), so migrate to Pod Security Admission before
# raising kubeVersion/k8sVersion past 1.24.
11 enable-admission-plugins: NodeRestriction,PodSecurityPolicy
# Kubelet extra args. `{{ "{{" }} ... {{ "}}" }}` makes Helm emit literal
# `{{ ds.meta_data.* }}`, presumably so the node-side (cloud-init) templating
# can expand the machine's metadata. This block is repeated once more below —
# presumably initConfiguration vs joinConfiguration; keep both copies in sync.
15 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
16 cpu-manager-policy: static
17 topology-manager-policy: best-effort
18 kube-reserved: cpu=200m,memory=512Mi
# Quoted because the value starts with `{{`, which YAML would otherwise read as
# a flow mapping; node-labels above needs no quotes as it starts with the label key.
19 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
24 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
25 cpu-manager-policy: static
26 topology-manager-policy: best-effort
27 kube-reserved: cpu=200m,memory=512Mi
28 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
# Extra commands from the values file are spliced in verbatim and run on the
# node with root privileges (presumably via cloud-init), so the values file is
# privileged input — review it with the same care as this template.
30 {{- if .Values.preKubeadmCommands }}
31 {{ toYaml .Values.preKubeadmCommands | indent 4 }}
# Dereferences .Values.networks.baremetal.interface while only guarding on
# .Values.networks — rendering fails if `baremetal` is absent; verify the values schema.
33 {{- if .Values.networks }}
34 # Without touching up /etc/hosts, kubeadm may pick the wrong
35 # (i.e. provisioning network) address for the node IP
# If the interface has no IPv4 address the first $(...) expands to nothing and
# a bare "<hostname>" line is inserted; a guard on an empty result would fail louder.
36 - sed -i "1i $(ip -4 addr show dev {{ .Values.networks.baremetal.interface }} | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1) $(hostname)" /etc/hosts
# Repository signing keys are imported with apt-key (deprecated), which trusts
# the key for every apt source rather than only the Docker/Kubernetes repos;
# a keyring file plus `signed-by=` in the source entry scopes the trust, and no
# key fingerprint is checked here. The two curl invocations also differ: the
# first uses -fsSL, the second only -s, so an HTTP error body from the second
# URL is piped into apt-key instead of failing curl — use `curl -fsSL` for both.
38 - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
39 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
40 - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
# NOTE(review): the legacy apt.kubernetes.io repository has been deprecated in
# favour of pkgs.k8s.io — confirm it still serves the pinned kubeVersion.
41 - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
# Installed after the HTTPS fetches above, so those rely on the base image
# already shipping a CA bundle.
43 - apt-get install -y ca-certificates
44 {{- if .Values.keepalived }}
45 - apt-get install -y keepalived
46 - systemctl enable --now keepalived
# Script body comes from the "cluster.containerRuntime" include further down.
48 - /usr/local/bin/install-container-runtime.sh
# Package versions are pinned to kubeVersion, whereas the control-plane
# `version` at the end of this template uses k8sVersion — two values that can
# drift apart. No apt-mark hold is visible in this excerpt; without one,
# unattended upgrades could move these packages off the pinned version.
49 - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
50 - systemctl enable --now kubelet
# admin.conf holds cluster-admin credentials; it is copied for the ubuntu user
# and for root. cp without -p gives the new file the source mode masked by
# umask, so it normally stays 0600, but an explicit `chmod 600` would make
# that intent visible and robust to a different umask.
52 - mkdir -p /home/ubuntu/.kube
53 - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
54 - chown ubuntu:ubuntu /home/ubuntu/.kube/config
55 - mkdir -p /root/.kube
56 - cp /etc/kubernetes/admin.conf /root/.kube/config
# OS and cluster hardening scripts; their contents are supplied from the
# chart's resources/ directory by the file entries below and are not visible here.
57 - /usr/local/bin/harden_os.sh
58 # Normally any bootstrap resources needed would be applied with a
59 # ClusterResourceSet. However instead of apply, replace must be
61 - /usr/local/bin/harden_k8s.sh
62 {{- if eq (int .Values.numWorkerMachines) 0 }}
63 # Allow scheduling Pods on the control plane when there are no
# NOTE(review): this is a deliberate isolation trade-off (workloads share the
# control-plane node). From v1.24 kubeadm also applies the
# node-role.kubernetes.io/control-plane taint (and only that one from v1.25),
# so removing the master taint alone leaves the node unschedulable, and
# `kubectl taint ... master-` errors when that taint is absent — adjust for
# the pinned kubeVersion.
65 - kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
67 # This must be done after kubeadm as the cabpk provider relies on
68 # files in /var/run, which won't persist after a reboot
69 - /usr/local/bin/set_kernel_cmdline.sh
# Files dropped on the node: keepalived/container-runtime material from the
# named includes, a containerd drop-in, and the three scripts invoked above,
# all read from chart resources. Their contents — and the permissions/owner of
# each entry, on lines not shown here — are what actually determine the
# hardening applied; review them together with this template.
71 {{ include "cluster.keepalived" .Values | indent 4 }}
72 {{ include "cluster.containerRuntime" .Values | indent 4 }}
73 - path: /etc/systemd/system/containerd.service.d/override.conf
75 {{ $.Files.Get "resources/override.conf" | indent 8 }}
76 - path: /usr/local/bin/harden_os.sh
79 {{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
80 - path: /usr/local/bin/harden_k8s.sh
83 {{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
84 - path: /usr/local/bin/set_kernel_cmdline.sh
87 {{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
# Optional login user from values. Password login is enabled and the account
# gets passwordless sudo, so the strength of userData.hashedPassword is the
# only barrier between a password guess and root on the node; keep password
# authentication limited to the console, or disable it once key-based SSH works.
88 {{- if .Values.userData }}
90 - name: {{ .Values.userData.name }}
# cloud-init reads `False` as a boolean; canonical YAML spelling is lowercase false.
92 lockPassword: False # Necessary to allow password login; together with the NOPASSWD sudo rule below this makes the password hash a direct route to root
# The hash and key values are emitted unquoted; an empty value renders as
# null, so quoting the expansions would fail more predictably.
93 passwd: {{ .Values.userData.hashedPassword }}
95 - {{ .Values.userData.sshAuthorizedKey }}
96 sudo: "ALL=(ALL) NOPASSWD:ALL"
97 groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
# Same key added a second time — presumably for another user whose entry is not shown.
100 - {{ .Values.userData.sshAuthorizedKey }}
# Infrastructure template reference (presumably machineTemplate.infrastructureRef),
# control-plane replica count and Kubernetes version. `version` uses k8sVersion
# while the apt packages above use kubeVersion; if they drift, the installed
# kubeadm/kubelet and the requested control-plane version disagree. An unquoted
# k8sVersion without a leading "v" (e.g. 1.20) would also parse as a float —
# quote it or require the v-prefixed form.
104 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
105 kind: Metal3MachineTemplate
106 name: {{ .Values.clusterName }}-controlplane
108 replicas: {{ .Values.numControlPlaneMachines }}
113 version: {{ .Values.k8sVersion }}