kubernetes/files/manifest/kube-apiserver.manifest - salt-formulas/kubernetes - Gitiles

 {%- from "kubernetes/map.jinja" import master with context %}
 {%- from "kubernetes/map.jinja" import common with context %}
 {%- from "kubernetes/map.jinja" import version %}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
   name: kube-apiserver
   namespace: kube-system
 spec:
   dnsPolicy: ClusterFirst
   hostNetwork: true
   restartPolicy: Always
   terminationGracePeriodSeconds: 30
   containers:
   - name: kube-apiserver
     image: {{ common.hyperkube.image }}
     command:
     - /hyperkube
     - apiserver
       --insecure-bind-address={{ master.apiserver.insecure_address }}
       --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
       --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
       --service-cluster-ip-range={{ master.service_addresses }}
       {%- if master.auth.get('ssl', {}).enabled|default(True) %}
       --client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
       {%- endif %}
       {%- if master.auth.get('proxy', {}).enabled|default(False) %}
       --requestheader-username-headers={{ master.auth.proxy.header.user }}
       --requestheader-group-headers={{ master.auth.proxy.header.group }}
       --requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
       --requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
       {%- endif %}
       --anonymous-auth={{ master.auth.get('anonymous', {}).enabled|default(False) }}
       {%- if master.auth.get('basic', {}).enabled|default(True) %}
       --basic-auth-file={{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
       {%- endif %}
       --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
       --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
       --secure-port={{ master.apiserver.secure_port }}
       --bind-address={{ master.apiserver.address }}
       {%- if master.auth.get('token', {}).enabled|default(True) %}
       --token-auth-file={{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
       {%- endif %}
       --v={{ master.get('verbosity', 2) }}
       --allow-privileged=True
       {%- if common.addons.get('virtlet', {}).get('enabled') %}
       {%- if salt['pkg.version_cmp'](version,'1.8') >= 0 %}
         --feature-gates=MountPropagation=true
       {%- endif %}
       {%- if salt['pkg.version_cmp'](version,'1.9') >= 0 %}
       --endpoint-reconciler-type={{ master.apiserver.get('endpoint-reconciler', 'lease') }}
       {%- else %}
       --apiserver-count={{ master.apiserver.get('count', 1) }}
       {%- endif %}
       {%- endif %}
       {%- if master.auth.get('mode') %}
       --authorization-mode={{ master.auth.mode }}
       {%- endif %}
 {%- if master.apiserver.node_port_range is defined %}
       --service-node-port-range {{ master.apiserver.node_port_range }}
 {%- endif %}
 {%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).items() %}
       --{{ key }}={{ value }}
 {% endfor %}
       1>>/var/log/kube-apiserver.log 2>&1
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
         host: 127.0.0.1
         path: /healthz
         port: {{ master.apiserver.insecure_port }}
         scheme: HTTP
       initialDelaySeconds: 15
       timeoutSeconds: 15
     ports:
     - containerPort: {{ master.apiserver.secure_port }}
       hostPort: {{ master.apiserver.secure_port }}
       name: https
       protocol: TCP
     - containerPort: {{ master.apiserver.insecure_port }}
       hostPort: {{ master.apiserver.insecure_port }}
       name: local
       protocol: TCP
     resources:
       requests:
         cpu: 250m
     volumeMounts:
     - mountPath: /srv/kubernetes
       name: srvkube
       readOnly: true
     - mountPath: /var/log/kube-apiserver.log
       name: logfile
     - mountPath: /etc/kubernetes/
       name: etckube
       readOnly: true
     - mountPath: /usr/share/ca-certificates
       name: usrsharecacerts
       readOnly: true
     - mountPath: /srv/sshproxy
       name: srvsshproxy
   volumes:
   - hostPath:
       path: /srv/kubernetes
     name: srvkube
   - hostPath:
       path: /var/log/kube-apiserver.log
     name: logfile
   - hostPath:
       path: /etc/kubernetes/
     name: etckube
   - hostPath:
       path: /usr/share/ca-certificates
     name: usrsharecacerts
   - hostPath:
       path: /srv/sshproxy
     name: srvsshproxy
	{%- from "kubernetes/map.jinja" import master with context %}
	{%- from "kubernetes/map.jinja" import common with context %}
	{%- from "kubernetes/map.jinja" import version %}
	---
	apiVersion: v1
	kind: Pod
	metadata:
	name: kube-apiserver
	namespace: kube-system
	spec:
	dnsPolicy: ClusterFirst
	hostNetwork: true
	restartPolicy: Always
	terminationGracePeriodSeconds: 30
	containers:
	- name: kube-apiserver
	image: {{ common.hyperkube.image }}
	command:
	- /hyperkube
	- apiserver
	--insecure-bind-address={{ master.apiserver.insecure_address }}
	--etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
	--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
	--service-cluster-ip-range={{ master.service_addresses }}
	{%- if master.auth.get('ssl', {}).enabled\|default(True) %}
	--client-ca-file={{ master.auth.get('ssl', {}).ca_file\|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
	{%- endif %}
	{%- if master.auth.get('proxy', {}).enabled\|default(False) %}
	--requestheader-username-headers={{ master.auth.proxy.header.user }}
	--requestheader-group-headers={{ master.auth.proxy.header.group }}
	--requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
	--requestheader-client-ca-file={{ master.auth.proxy.ca_file\|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
	{%- endif %}
	--anonymous-auth={{ master.auth.get('anonymous', {}).enabled\|default(False) }}
	{%- if master.auth.get('basic', {}).enabled\|default(True) %}
	--basic-auth-file={{ master.auth.basic.file\|default("/srv/kubernetes/basic_auth.csv") }}
	{%- endif %}
	--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
	--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
	--secure-port={{ master.apiserver.secure_port }}
	--bind-address={{ master.apiserver.address }}
	{%- if master.auth.get('token', {}).enabled\|default(True) %}
	--token-auth-file={{ master.auth.token.file\|default("/srv/kubernetes/known_tokens.csv") }}
	{%- endif %}
	--v={{ master.get('verbosity', 2) }}
	--allow-privileged=True
	{%- if common.addons.get('virtlet', {}).get('enabled') %}
	{%- if salt['pkg.version_cmp'](version,'1.8') >= 0 %}
	--feature-gates=MountPropagation=true
	{%- endif %}
	{%- if salt['pkg.version_cmp'](version,'1.9') >= 0 %}
	--endpoint-reconciler-type={{ master.apiserver.get('endpoint-reconciler', 'lease') }}
	{%- else %}
	--apiserver-count={{ master.apiserver.get('count', 1) }}
	{%- endif %}
	{%- endif %}
	{%- if master.auth.get('mode') %}
	--authorization-mode={{ master.auth.mode }}
	{%- endif %}
	{%- if master.apiserver.node_port_range is defined %}
	--service-node-port-range {{ master.apiserver.node_port_range }}
	{%- endif %}
	{%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).items() %}
	--{{ key }}={{ value }}
	{% endfor %}
	1>>/var/log/kube-apiserver.log 2>&1
	imagePullPolicy: IfNotPresent
	livenessProbe:
	httpGet:
	host: 127.0.0.1
	path: /healthz
	port: {{ master.apiserver.insecure_port }}
	scheme: HTTP
	initialDelaySeconds: 15
	timeoutSeconds: 15
	ports:
	- containerPort: {{ master.apiserver.secure_port }}
	hostPort: {{ master.apiserver.secure_port }}
	name: https
	protocol: TCP
	- containerPort: {{ master.apiserver.insecure_port }}
	hostPort: {{ master.apiserver.insecure_port }}
	name: local
	protocol: TCP
	resources:
	requests:
	cpu: 250m
	volumeMounts:
	- mountPath: /srv/kubernetes
	name: srvkube
	readOnly: true
	- mountPath: /var/log/kube-apiserver.log
	name: logfile
	- mountPath: /etc/kubernetes/
	name: etckube
	readOnly: true
	- mountPath: /usr/share/ca-certificates
	name: usrsharecacerts
	readOnly: true
	- mountPath: /srv/sshproxy
	name: srvsshproxy
	volumes:
	- hostPath:
	path: /srv/kubernetes
	name: srvkube
	- hostPath:
	path: /var/log/kube-apiserver.log
	name: logfile
	- hostPath:
	path: /etc/kubernetes/
	name: etckube
	- hostPath:
	path: /usr/share/ca-certificates
	name: usrsharecacerts
	- hostPath:
	path: /srv/sshproxy
	name: srvsshproxy