# Static Pod manifest for the bootstrap kube-apiserver. This is a Go template:
# the `{{ ... }}` placeholders are substituted first and the kubelet parses the
# RESULT as YAML, so review the rendered output too — an empty or
# boolean-looking expansion silently changes the YAML type of that value.
kind: Pod
apiVersion: v1
metadata:
  name: bootstrap-kube-apiserver
  # Use the same namespace for the bootstrap apiserver as the post-bootstrap
  # apiserver for compatibility with a single-node (SNO) cluster.
  namespace: openshift-kube-apiserver
  labels:
    openshift.io/control-plane: "true"
    openshift.io/component: "api"
  annotations:
    # Quoted on purpose: a bare 0 would parse as an integer, and label and
    # annotation values must be strings.
    openshift.io/run-level: "0"
    kubectl.kubernetes.io/default-logs-container: kube-apiserver
    target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
  restartPolicy: Always
  # The apiserver (6443) and, when rendered, the insecure-readyz sidecar (6080)
  # bind directly in the host's network namespace. Together with the hostPath
  # volumes below, this pod deliberately runs at node-level trust.
  hostNetwork: true
  initContainers:
  # One-shot tightening of the audit log directory before the apiserver starts:
  # directory 0700, files 0600 (owner-only). `bash -e` aborts on the first
  # failing command, so the pod does not come up with loose audit permissions.
  # The `touch` also guarantees that the `*` glob in the final chmod matches at
  # least one file; in an empty directory the literal `*` would make chmod fail
  # and the init container exit non-zero.
  - name: setup
    terminationMessagePolicy: FallbackToLogsOnError
    image: {{ .Image }}
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: /var/log/kube-apiserver
      name: audit-dir
    command: ['/bin/bash', '-ec']
    args:
    - |
      echo -n "Fixing audit permissions."
      chmod 0700 /var/log/kube-apiserver && touch /var/log/kube-apiserver/audit.log && chmod 0600 /var/log/kube-apiserver/*
    # NOTE(review): full host privileges are granted solely to chmod/touch a
    # hostPath directory. Whether a plain (non-privileged) root container is
    # sufficient depends on the node's SELinux policy for hostPath mounts —
    # confirm before tightening; do not widen this further.
    securityContext:
      privileged: true
    resources:
      requests:
        memory: 50Mi
        cpu: 5m
  containers:
  - name: kube-apiserver
    image: {{ .Image }}
    imagePullPolicy: {{ .ImagePullPolicy }}
    terminationMessagePolicy: FallbackToLogsOnError
    # The folded (`>`) scalar below joins the flags into ONE shell command line.
    # Changing it to a literal (`|`) block would turn every line into a separate
    # bash command. `${HOST_IP}` is expanded by bash from the env entry below.
    command: [ "/bin/bash", "-ec" ]
    args:
    - >
      hyperkube kube-apiserver
      --openshift-config=/etc/kubernetes/config/{{ .ConfigFileName }}
      --v=2
      --advertise-address=${HOST_IP}
    resources:
      requests:
        memory: 1Gi
        cpu: 265m
    # Host material the apiserver only reads (CA bundle, secrets, cloud config,
    # config) is mounted read-only; the two log directories are left writable.
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
    - mountPath: /etc/kubernetes/secrets
      name: secrets
      readOnly: true
    - mountPath: /etc/kubernetes/cloud
      name: etc-kubernetes-cloud
      readOnly: true
    - mountPath: /etc/kubernetes/config
      name: config
      readOnly: true
    - mountPath: /var/log/bootstrap-control-plane
      name: logs
    - mountPath: /var/log/kube-apiserver
      name: audit-dir
    # All probes go over HTTPS to the host port 6443. Liveness uses
    # `exclude=etcd`, which drops the etcd check from the verdict so the kubelet
    # does not restart the apiserver merely because etcd is unreachable;
    # readiness and startup use the full /readyz and /livez respectively.
    livenessProbe:
      httpGet:
        scheme: HTTPS
        port: 6443
        path: livez?exclude=etcd
      initialDelaySeconds: 0
      periodSeconds: 10
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    readinessProbe:
      httpGet:
        scheme: HTTPS
        port: 6443
        path: readyz
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    # 30 failures x 5s period: the apiserver gets up to ~150s to start before
    # the liveness probe takes over.
    startupProbe:
      httpGet:
        scheme: HTTPS
        port: 6443
        path: livez
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 30
    env:
    # Node IP from the downward API; consumed as --advertise-address above.
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
  {{if .OperatorImage}}
  # Optional sidecar, rendered only when an operator image is supplied. It
  # listens on PLAIN HTTP port 6080 and answers by delegating to the apiserver's
  # HTTPS /readyz on localhost. Because of hostNetwork, this unauthenticated,
  # unencrypted port is reachable on the node address; it is meant as a
  # readiness/health-check endpoint only (presumably it relays just the
  # readiness result — confirm in the operator's insecure-readyz code).
  - name: kube-apiserver-insecure-readyz
    image: {{.OperatorImage}}
    imagePullPolicy: IfNotPresent
    terminationMessagePolicy: FallbackToLogsOnError
    command: ["cluster-kube-apiserver-operator", "insecure-readyz"]
    args:
    - --insecure-port=6080
    - --delegate-url=https://localhost:6443/readyz
    ports:
    - containerPort: 6080
    resources:
      requests:
        memory: 50Mi
        cpu: 5m
  {{end}}
  terminationGracePeriodSeconds: {{ .TerminationGracePeriodSeconds }}
  # Every volume is a hostPath: the secrets, cloud-provider and config locations
  # come from template values (the secrets path presumably holds the apiserver's
  # serving certificates and keys — treat its host permissions accordingly);
  # the CA bundle and log directories are fixed paths.
  volumes:
  - hostPath:
      path: {{ .SecretsHostPath }}
    name: secrets
  - hostPath:
      path: {{ .CloudProviderHostPath }}
    name: etc-kubernetes-cloud
  - hostPath:
      path: {{ .ConfigHostPath }}
    name: config
  - hostPath:
      path: /etc/ssl/certs
    name: ssl-certs-host
  - hostPath:
      path: /var/log/bootstrap-control-plane
    name: logs
  - hostPath:
      path: /var/log/kube-apiserver
    name: audit-dir