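---
# KubeadmControlPlane for the cluster named by .Values.clusterName.
# Kubelet arguments, bootstrap commands and login users below apply to every
# control-plane machine; the helper scripts invoked from the *KubeadmCommands
# lists are written onto the node by the files: stanza further down.
apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
kind: KubeadmControlPlane
metadata:
  name: {{ .Values.clusterName }}
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          # NOTE(review): the PodSecurityPolicy admission plugin no longer
          # exists in Kubernetes 1.25+; k8sVersion/kubeVersion must stay
          # below that or this entry has to move to PodSecurity.
          enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          {{- include "cluster.nodeIP" .Values.networkData | nindent 10 }}
          # The quoted braces render as literal double-brace markers, so the
          # uuid/name are substituted from instance metadata at provisioning
          # time rather than by Helm (presumably the Metal3 datasource).
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    joinConfiguration:
      controlPlane: {}
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    preKubeadmCommands:
{{- if .Values.preKubeadmCommands }}
{{ toYaml .Values.preKubeadmCommands | indent 4 }}
{{- end }}
    # Package repositories for the container runtime and Kubernetes packages.
    # NOTE(review): apt-key is deprecated on newer Ubuntu releases; a
    # signed-by keyring is the replacement once the base image moves on.
    - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
    - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
    # -fsSL as above: an HTTP error page must not be piped into apt-key.
    - curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
    - apt-get update -y
    - apt-get install -y ca-certificates
{{- if .Values.keepalived }}
    - apt-get install -y keepalived
    - systemctl enable --now keepalived
{{- end }}
    # Expected to be provided by the cluster.containerRuntime include below.
    - /usr/local/bin/install-container-runtime.sh
    # NOTE(review): nothing pins these packages (apt-mark hold); an
    # unattended upgrade could move the node off kubeVersion.
    - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
    - systemctl enable --now kubelet
    postKubeadmCommands:
    # admin.conf is kubeadm's cluster-admin kubeconfig; copies go to the
    # ubuntu user and root so kubectl works interactively on the node.
    - mkdir -p /home/ubuntu/.kube
    - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
    - chown ubuntu:ubuntu /home/ubuntu/.kube/config
    - mkdir -p /root/.kube
    - cp /etc/kubernetes/admin.conf /root/.kube/config
    - /usr/local/bin/harden_os.sh
    # Normally any bootstrap resources needed would be applied with a
    # ClusterResourceSet.  However instead of apply, replace must be
    # used to harden K8s.
    - /usr/local/bin/harden_k8s.sh
{{- if eq (int .Values.numWorkerMachines) 0 }}
    # Allow scheduling Pods on the control plane when there are no
    # workers.
    - kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
{{- end }}
    # This must be done after kubeadm as the cabpk provider relies on
    # files in /var/run, which won't persist after a reboot
    - /usr/local/bin/set_kernel_cmdline.sh
    # Required for OpenEBS support
    - /usr/local/bin/enable_iscsi.sh
    # The helper scripts under /usr/local/bin run as root from the command
    # lists above. 0755 keeps them executable without leaving root-executed
    # files world-writable, which 0777 would (any local user could edit them).
    files:
{{ include "cluster.keepalived" .Values | indent 4 }}
{{ include "cluster.containerRuntime" .Values | indent 4 }}
    - path: /etc/systemd/system/containerd.service.d/override.conf
      content: |
{{ $.Files.Get "resources/override.conf" | indent 8 }}
    - path: /usr/local/bin/harden_os.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
    - path: /usr/local/bin/harden_k8s.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
    - path: /usr/local/bin/set_kernel_cmdline.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
    - path: /usr/local/bin/enable_iscsi.sh
      permissions: '0755'
      content: |
{{ $.Files.Get "resources/enable_iscsi.sh" | indent 8 }}
{{- if eq .Values.cni "calico" }}
    - path: /etc/NetworkManager/conf.d/calico.conf
      content: |
{{ $.Files.Get "resources/calico.conf" | indent 8 }}
{{- end }}
{{- if .Values.userData }}
    users:
    - name: {{ .Values.userData.name }}
      shell: /bin/bash
      # canonical lowercase boolean; True/False are YAML 1.1-only spellings
      lockPassword: false # Necessary to allow password login
      passwd: {{ .Values.userData.hashedPassword }}
      sshAuthorizedKeys:
      - {{ .Values.userData.sshAuthorizedKey }}
      sudo: "ALL=(ALL) NOPASSWD:ALL"
      groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
    # NOTE(review): the same key also grants direct root SSH login; confirm
    # this is intended rather than relying on the sudo-enabled user above.
    - name: root
      sshAuthorizedKeys:
      - {{ .Values.userData.sshAuthorizedKey }}
{{- end }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
      kind: Metal3MachineTemplate
      name: {{ .Values.clusterName }}-controlplane
    # 0s: presumably no drain time limit (CAPI treats 0 as unlimited) — confirm
    nodeDrainTimeout: 0s
  replicas: {{ .Values.numControlPlaneMachines }}
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 1
    type: RollingUpdate
  # NOTE(review): k8sVersion (CAPI) and kubeVersion (apt package string above)
  # are separate values; keep them describing the same release.
  version: {{ .Values.k8sVersion }}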