kubernetes/files/manifest/kube-apiserver.manifest - salt-formulas/kubernetes - Gitiles

 {%- from "kubernetes/map.jinja" import master with context %}
 {%- from "kubernetes/map.jinja" import common with context %}
 apiVersion: v1
 kind: Pod
 metadata:
   name: kube-apiserver
   namespace: kube-system
 spec:
   dnsPolicy: ClusterFirst
   hostNetwork: true
   restartPolicy: Always
   terminationGracePeriodSeconds: 30
   containers:
   - name: kube-apiserver
     image: {{ common.hyperkube.image }}
     command:
     - /hyperkube
     - apiserver
       --insecure-bind-address={{ master.apiserver.insecure_address }}
       --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
       --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
       --service-cluster-ip-range={{ master.service_addresses }}
       --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
       --basic-auth-file=/srv/kubernetes/basic_auth.csv
       --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
       --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
       --secure-port={{ master.apiserver.get('secure_port', '443') }}
       --bind-address={{ master.apiserver.address }}
       --token-auth-file=/srv/kubernetes/known_tokens.csv
       --etcd-quorum-read=true
       --v=2
       --allow-privileged=True
 {%- if master.apiserver.node_port_range is defined %}
       --service-node-port-range {{ master.apiserver.node_port_range }}
 {%- endif %}
 {%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %}
       --{{ key }}={{ value }}
 {% endfor %}
       1>>/var/log/kube-apiserver.log 2>&1
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
         host: 127.0.0.1
         path: /healthz
         port: 8080
         scheme: HTTP
       initialDelaySeconds: 15
       timeoutSeconds: 15
     ports:
     - containerPort: {{ master.apiserver.get('secure_port', '443') }}
       hostPort: {{ master.apiserver.get('secure_port', '443') }}
       name: https
       protocol: TCP
     - containerPort: 8080
       hostPort: 8080
       name: local
       protocol: TCP
     resources:
       requests:
         cpu: 250m
     volumeMounts:
     - mountPath: /srv/kubernetes
       name: srvkube
       readOnly: true
     - mountPath: /var/log/kube-apiserver.log
       name: logfile
     - mountPath: /etc/kubernetes/
       name: etckube
       readOnly: true
     - mountPath: /usr/share/ca-certificates
       name: usrsharecacerts
       readOnly: true
     - mountPath: /srv/sshproxy
       name: srvsshproxy
   volumes:
   - hostPath:
       path: /srv/kubernetes
     name: srvkube
   - hostPath:
       path: /var/log/kube-apiserver.log
     name: logfile
   - hostPath:
       path: /etc/kubernetes/
     name: etckube
   - hostPath:
       path: /usr/share/ca-certificates
     name: usrsharecacerts
   - hostPath:
       path: /srv/sshproxy
     name: srvsshproxy
	{%- from "kubernetes/map.jinja" import master with context %}
	{%- from "kubernetes/map.jinja" import common with context %}
	apiVersion: v1
	kind: Pod
	metadata:
	name: kube-apiserver
	namespace: kube-system
	spec:
	dnsPolicy: ClusterFirst
	hostNetwork: true
	restartPolicy: Always
	terminationGracePeriodSeconds: 30
	containers:
	- name: kube-apiserver
	image: {{ common.hyperkube.image }}
	command:
	- /hyperkube
	- apiserver
	--insecure-bind-address={{ master.apiserver.insecure_address }}
	--etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
	--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
	--service-cluster-ip-range={{ master.service_addresses }}
	--client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
	--basic-auth-file=/srv/kubernetes/basic_auth.csv
	--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
	--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
	--secure-port={{ master.apiserver.get('secure_port', '443') }}
	--bind-address={{ master.apiserver.address }}
	--token-auth-file=/srv/kubernetes/known_tokens.csv
	--etcd-quorum-read=true
	--v=2
	--allow-privileged=True
	{%- if master.apiserver.node_port_range is defined %}
	--service-node-port-range {{ master.apiserver.node_port_range }}
	{%- endif %}
	{%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %}
	--{{ key }}={{ value }}
	{% endfor %}
	1>>/var/log/kube-apiserver.log 2>&1
	imagePullPolicy: IfNotPresent
	livenessProbe:
	httpGet:
	host: 127.0.0.1
	path: /healthz
	port: 8080
	scheme: HTTP
	initialDelaySeconds: 15
	timeoutSeconds: 15
	ports:
	- containerPort: {{ master.apiserver.get('secure_port', '443') }}
	hostPort: {{ master.apiserver.get('secure_port', '443') }}
	name: https
	protocol: TCP
	- containerPort: 8080
	hostPort: 8080
	name: local
	protocol: TCP
	resources:
	requests:
	cpu: 250m
	volumeMounts:
	- mountPath: /srv/kubernetes
	name: srvkube
	readOnly: true
	- mountPath: /var/log/kube-apiserver.log
	name: logfile
	- mountPath: /etc/kubernetes/
	name: etckube
	readOnly: true
	- mountPath: /usr/share/ca-certificates
	name: usrsharecacerts
	readOnly: true
	- mountPath: /srv/sshproxy
	name: srvsshproxy
	volumes:
	- hostPath:
	path: /srv/kubernetes
	name: srvkube
	- hostPath:
	path: /var/log/kube-apiserver.log
	name: logfile
	- hostPath:
	path: /etc/kubernetes/
	name: etckube
	- hostPath:
	path: /usr/share/ca-certificates
	name: usrsharecacerts
	- hostPath:
	path: /srv/sshproxy
	name: srvsshproxy