parametrize secure port for api
diff --git a/README.rst b/README.rst
index f366287..030ccb7 100644
--- a/README.rst
+++ b/README.rst
@@ -189,6 +189,36 @@
pool:
container: false
+Because k8s services run under kube user without root privileges, there is need to change secure port for apiserver.
+
+.. code-block:: yaml
+
+ kubernetes:
+ master:
+ apiserver:
+ secure_port: 8081
+
+Other k8s services which communicates with secure api still communicate with 443 port. You can you proxy or iptables formula.
+
+.. code-block:: yaml
+
+ iptables:
+ _support:
+ sensu:
+ enabled: false
+ sphinx:
+ enabled: false
+ service:
+ enabled: true
+ chain:
+ PREROUTING:
+ rules:
+ - table: nat
+ chain: PREROUTING
+ destination_port: 443
+ jump: REDIRECT
+ to_port: 8081
+ protocol: tcp
Kubernetes with Flannel
-----------------------
diff --git a/kubernetes/files/manifest/kube-apiserver.manifest b/kubernetes/files/manifest/kube-apiserver.manifest
index 11a872f..db870d8 100644
--- a/kubernetes/files/manifest/kube-apiserver.manifest
+++ b/kubernetes/files/manifest/kube-apiserver.manifest
@@ -24,7 +24,7 @@
--basic-auth-file=/srv/kubernetes/basic_auth.csv
--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
- --secure-port=443
+ --secure-port={{ master.apiserver.get('secure_port', '443') }}
--bind-address={{ master.apiserver.address }}
--token-auth-file=/srv/kubernetes/known_tokens.csv
--v=2
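Review bot: The fallback `'443'` in the new `--secure-port` line is a literal that is now repeated in four places — here, twice in the ports hunk below (containerPort and hostPort) and in the DAEMON_ARGS string in kubernetes/master/controller.sls — so a later edit to one of them can leave the flag and the published container/host port disagreeing, and the apiserver would then listen on a port that is not exposed. Within this manifest, resolve the value once near the top, `{%- set secure_port = master.apiserver.get('secure_port', 443) %}`, and reference `{{ secure_port }}` for the flag and both port fields; the same lookup in controller.sls should then read its fallback from the same pillar default rather than its own literal. The default is a string while the README example sets an integer; both render as a bare scalar, so the YAML parses the same either way, but the single `set` makes the intended type explicit.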
@@ -40,8 +40,8 @@
initialDelaySeconds: 15
timeoutSeconds: 15
ports:
- - containerPort: 443
- hostPort: 443
+ - containerPort: {{ master.apiserver.get('secure_port', '443') }}
+ hostPort: {{ master.apiserver.get('secure_port', '443') }}
name: https
protocol: TCP
- containerPort: 8080
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index b59d9ff..4526ed7 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -76,7 +76,7 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port=443 --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True"
+ - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True"
/etc/default/kube-controller-manager:
file.managed: