k3s/cluster/gce/manifests/kube-apiserver.manifest

{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
  "name":"kube-apiserver",
  "namespace": "kube-system",
  "annotations": {
    "scheduler.alpha.kubernetes.io/critical-pod": "",
    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
  },
  "labels": {
    "tier": "control-plane",
    "component": "kube-apiserver"
  }
},
"spec":{
"hostNetwork": true,
"containers":[
    {{kms_plugin_container}}
    {
    "name": "kube-apiserver",
    "image": "{{pillar['kube_docker_registry']}}/kube-apiserver:{{pillar['kube-apiserver_docker_tag']}}",
    "resources": {
      "requests": {
        "cpu": "125m"
      }
    },
    "command": [
                 "/bin/sh",
                 "-c",
                 "exec /usr/local/bin/kube-apiserver {{params}} --allow-privileged={{pillar['allow_privileged']}} 1>>/var/log/kube-apiserver.log 2>&1"
               ],
    {{container_env}}
    "livenessProbe": {
      "httpGet": {
        "host": "127.0.0.1",
        "port": 8080,
        "path": "/healthz"
      },
      "initialDelaySeconds": {{liveness_probe_initial_delay}},
      "timeoutSeconds": 15
    },
    "ports":[
      { "name": "https",
        "containerPort": {{secure_port}},
        "hostPort": {{secure_port}}},{
       "name": "local",
        "containerPort": 8080,
        "hostPort": 8080}
        ],
    "volumeMounts": [
        {{kms_socket_mount}}
        {{encryption_provider_mount}}
        {{cloud_config_mount}}
        {{additional_cloud_config_mount}}
        {{webhook_config_mount}}
        {{webhook_authn_config_mount}}
        {{audit_policy_config_mount}}
        {{audit_webhook_config_mount}}
        {{admission_controller_config_mount}}
        {{image_policy_webhook_config_mount}}
        { "name": "srvkube",
        "mountPath": "/etc/srv/kubernetes",
        "readOnly": true},
        { "name": "logfile",
        "mountPath": "/var/log/kube-apiserver.log",
        "readOnly": false},
        { "name": "auditlogfile",
        "mountPath": "/var/log/kube-apiserver-audit.log",
        "readOnly": false},
        { "name": "etcssl",
        "mountPath": "/etc/ssl",
        "readOnly": true},
        { "name": "usrsharecacerts",
        "mountPath": "/usr/share/ca-certificates",
        "readOnly": true},
        { "name": "varssl",
        "mountPath": "/var/ssl",
        "readOnly": true},
        { "name": "etcopenssl",
        "mountPath": "/etc/openssl",
        "readOnly": true},
        { "name": "etcpki",
        "mountPath": "/etc/srv/pki",
        "readOnly": true},
        { "name": "srvsshproxy",
        "mountPath": "{{srv_sshproxy_path}}",
        "readOnly": false}
      ]
    }
],
"volumes":[
  {{kms_socket_volume}}
  {{encryption_provider_volume}}
  {{cloud_config_volume}}
  {{additional_cloud_config_volume}}
  {{webhook_config_volume}}
  {{webhook_authn_config_volume}}
  {{audit_policy_config_volume}}
  {{audit_webhook_config_volume}}
  {{admission_controller_config_volume}}
  {{image_policy_webhook_config_volume}}
  { "name": "srvkube",
    "hostPath": {
        "path": "/etc/srv/kubernetes"}
  },
  { "name": "logfile",
    "hostPath": {
        "path": "/var/log/kube-apiserver.log",
        "type": "FileOrCreate"}
  },
  { "name": "auditlogfile",
    "hostPath": {
        "path": "/var/log/kube-apiserver-audit.log",
        "type": "FileOrCreate"}
  },
  { "name": "etcssl",
    "hostPath": {
        "path": "/etc/ssl"}
  },
  { "name": "usrsharecacerts",
    "hostPath": {
        "path": "/usr/share/ca-certificates"}
  },
  { "name": "varssl",
    "hostPath": {
        "path": "/var/ssl"}
  },
  { "name": "etcopenssl",
    "hostPath": {
        "path": "/etc/openssl"}
  },
  { "name": "etcpki",
    "hostPath": {
        "path": "/etc/srv/pki"}
  },
  { "name": "srvsshproxy",
    "hostPath": {
        "path": "{{srv_sshproxy_path}}"}
  }
]
}}
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{`
Stop exposing v1beta3 by default 2015-06-30 02:30:14 +00:00			`"apiVersion": "v1",`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"kind": "Pod",`
Register the kubelet on the master node with an apiserver. This option is separated from the apiserver running locally on the master node so that it can be optionally enabled or disabled as needed. Also, fix the healthchecking configuration for the master components, which was previously only working by coincidence: If a kubelet doesn't register with a master, it never bothers to figure out what its local address is. In which case it ends up constructing a URL like http://:8080/healthz for the http probe. This happens to work on the master because all of the pods are using host networking and explicitly binding to 127.0.0.1. Once the kubelet is registered with the master and it determines the local node address, it tries to healthcheck on an address where the pod isn't listening and the kubelet periodically restarts each master component when the liveness probe fails. 2015-08-04 18:14:46 +00:00			`"metadata": {`
			`"name":"kube-apiserver",`
add labels to kube component static pods 2016-04-14 23:03:40 +00:00			`"namespace": "kube-system",`
make all static system pods critical 2017-06-12 22:22:04 +00:00			`"annotations": {`
Use default seccomp profile for GCE manifests 2018-05-24 17:31:28 +00:00			`"scheduler.alpha.kubernetes.io/critical-pod": "",`
			`"seccomp.security.alpha.kubernetes.io/pod": "docker/default"`
make all static system pods critical 2017-06-12 22:22:04 +00:00			`},`
add labels to kube component static pods 2016-04-14 23:03:40 +00:00			`"labels": {`
			`"tier": "control-plane",`
			`"component": "kube-apiserver"`
			`}`
Register the kubelet on the master node with an apiserver. This option is separated from the apiserver running locally on the master node so that it can be optionally enabled or disabled as needed. Also, fix the healthchecking configuration for the master components, which was previously only working by coincidence: If a kubelet doesn't register with a master, it never bothers to figure out what its local address is. In which case it ends up constructing a URL like http://:8080/healthz for the http probe. This happens to work on the master because all of the pods are using host networking and explicitly binding to 127.0.0.1. Once the kubelet is registered with the master and it determines the local node address, it tries to healthcheck on an address where the pod isn't listening and the kubelet periodically restarts each master component when the liveness probe fails. 2015-08-04 18:14:46 +00:00			`},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"spec":{`
			`"hostNetwork": true,`
			`"containers":[`
Enable CloudKMS Plugin deployment. 2018-03-28 20:53:01 +00:00			`{{kms_plugin_container}}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{`
			`"name": "kube-apiserver",`
add an option to push/pull component images from a registry using kube-up 2015-11-18 02:13:24 +00:00			`"image": "{{pillar['kube_docker_registry']}}/kube-apiserver:{{pillar['kube-apiserver_docker_tag']}}",`
Explicitly configure master component containers and nginx with 200m each. 2015-07-02 04:50:03 +00:00			`"resources": {`
Make master component pods burstable, instead of guaranteed. 2016-02-12 22:28:48 +00:00			`"requests": {`
Decrease CPU requests of master components in two times. 2018-08-16 13:06:13 +00:00			`"cpu": "125m"`
Explicitly configure master component containers and nginx with 200m each. 2015-07-02 04:50:03 +00:00			`}`
			`},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"command": [`
logs for master components 2015-04-24 21:46:43 +00:00			`"/bin/sh",`
			`"-c",`
Add 'exec' in all saltbase manifests using '/bin/sh -c'. Right now, if docker sends SIGTERM, /bin/sh doesn't pass it to underlying process, which breaks graceful process shutdown. Changing '/bin/sh -c CMD > /var/log/FILE.log' pattern to '/bin/sh -c exec CMD > /var/log/FILE.log' still allows to redirect output to log file, but also passes all signals to CMD process. 2018-01-02 16:12:48 +00:00			`"exec /usr/local/bin/kube-apiserver {{params}} --allow-privileged={{pillar['allow_privileged']}} 1>>/var/log/kube-apiserver.log 2>&1"`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`],`
Allow cache mutation detector enablement by PRs Allow cache mutation detector enablement by PRs in an attempt to find mutations before they're merged in to the code base. It's just for the apiserver and controller-manager for now. If/when the other components start using a SharedInformerFactory, we should set them up just like this as well. 2017-02-17 15:00:18 +00:00			`{{container_env}}`
add livenessProbe to kube-apiserver.manifest 2015-06-16 05:21:35 +00:00			`"livenessProbe": {`
			`"httpGet": {`
Register the kubelet on the master node with an apiserver. This option is separated from the apiserver running locally on the master node so that it can be optionally enabled or disabled as needed. Also, fix the healthchecking configuration for the master components, which was previously only working by coincidence: If a kubelet doesn't register with a master, it never bothers to figure out what its local address is. In which case it ends up constructing a URL like http://:8080/healthz for the http probe. This happens to work on the master because all of the pods are using host networking and explicitly binding to 127.0.0.1. Once the kubelet is registered with the master and it determines the local node address, it tries to healthcheck on an address where the pod isn't listening and the kubelet periodically restarts each master component when the liveness probe fails. 2015-08-04 18:14:46 +00:00			`"host": "127.0.0.1",`
			`"port": 8080,`
			`"path": "/healthz"`
add livenessProbe to kube-apiserver.manifest 2015-06-16 05:21:35 +00:00			`},`
Configurable liveness probe initial delays for etcd and kube-apiserver in GCE 2018-01-02 12:13:03 +00:00			`"initialDelaySeconds": {{liveness_probe_initial_delay}},`
add livenessProbe to kube-apiserver.manifest 2015-06-16 05:21:35 +00:00			`"timeoutSeconds": 15`
			`},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"ports":[`
			`{ "name": "https",`
Remove nginx and replace basic auth with bearer token auth for GCE. - Configure the apiserver to listen securely on 443 instead of 6443. - Configure the kubelet to connect to 443 instead of 6443. - Update documentation to refer to bearer tokens instead of basic auth. 2015-04-17 21:04:14 +00:00			`"containerPort": {{secure_port}},`
			`"hostPort": {{secure_port}}},{`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"name": "local",`
			`"containerPort": 8080,`
			`"hostPort": 8080}`
			`],`
			`"volumeMounts": [`
Enable CloudKMS Plugin deployment. 2018-03-28 20:53:01 +00:00			`{{kms_socket_mount}}`
			`{{encryption_provider_mount}}`
Mount cloud-config files for cloudproviders in kube-apiserver & kube-controllermanager. 2015-05-18 17:34:50 +00:00			`{{cloud_config_mount}}`
Remove manifest copies from Trusty support This change revises the way to provide kube-system manifests for clusters on Trusty. Originally, we maintained copies of some manifests under cluster/gce/trusty/kube-manifests, which is not scalable and hard to maintain. With this change, clusters on Trusty will use the same source of manifests as ContainerVM. This change also fixes some minor problems such as shell variables and comments to meet the style guidance better. 2016-02-12 16:02:26 +00:00			`{{additional_cloud_config_mount}}`
Configuration for GCP webhook authentication and authorization 2016-05-11 23:41:32 +00:00			`{{webhook_config_mount}}`
			`{{webhook_authn_config_mount}}`
Set up basic test configuration for AdavencedAuditing 2017-05-26 20:48:49 +00:00			`{{audit_policy_config_mount}}`
Add GCE configuration parameter for webhook audit logging 2017-06-02 00:42:26 +00:00			`{{audit_webhook_config_mount}}`
Scripts to configure image verification admission controller for gce. 2016-08-18 20:42:57 +00:00			`{{admission_controller_config_mount}}`
			`{{image_policy_webhook_config_mount}}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "srvkube",`
Removed unused srv_kube_path variable 2018-06-21 11:58:11 +00:00			`"mountPath": "/etc/srv/kubernetes",`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"readOnly": true},`
logs for master components 2015-04-24 21:46:43 +00:00			`{ "name": "logfile",`
			`"mountPath": "/var/log/kube-apiserver.log",`
			`"readOnly": false},`
cluster/gce: Add env var to enable apiserver basic audit log. For now, this is focused on a fixed set of flags that makes the audit log show up under /var/log/kube-apiserver-audit.log and behave similarly to /var/log/kube-apiserver.log. Allowing other customization would require significantly more complex changes. Audit log rotation is handled externally by the wildcard /var/log/*.log already configured in configure-helper.sh. 2017-02-09 18:43:19 +00:00			`{ "name": "auditlogfile",`
			`"mountPath": "/var/log/kube-apiserver-audit.log",`
			`"readOnly": false},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "etcssl",`
			`"mountPath": "/etc/ssl",`
			`"readOnly": true},`
cluster: bindmount more cert paths /etc/ssl/certs is currently mounted through in a number of places. However, on Gentoo and CoreOS (and probably others), the files in /etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates. For these components to correclty work, the target of the symlinks needs to be available as well. This is especially important for kube-controller-manager, where this issue was noticed. This change was originally part of #33965, but was split out for ease of review. 2016-12-07 23:21:53 +00:00			`{ "name": "usrsharecacerts",`
			`"mountPath": "/usr/share/ca-certificates",`
			`"readOnly": true},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "varssl",`
			`"mountPath": "/var/ssl",`
			`"readOnly": true},`
			`{ "name": "etcopenssl",`
			`"mountPath": "/etc/openssl",`
			`"readOnly": true},`
Expose /etc/pki from host to kube-apiserver and controller-manager CentOS 7 Core nodes running on OpenStack with an SSL-enabled API endpoint results in the following error without this patch: F0425 19:00:58.124520 5 server.go:100] Cloud provider could not be initialized: could not init cloud provider "openstack": Post https://my.openstack.cloud:5000/v2.0/tokens: x509: failed to load system roots and no roots provided The root cause is that the ca-bundle.crt file is actually a symlink which points to a directory which wasn't previously exposed. [root@kubernetesstack-master ~]# ls -l /etc/ssl/certs/ca-bundle.crt lrwxrwxrwx. 1 root root 49 18 nov 11:02 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem [root@kubernetesstack-master ~]# 2016-04-28 07:20:13 +00:00			`{ "name": "etcpki",`
fix upgrades 2017-02-27 23:06:11 +00:00			`"mountPath": "/etc/srv/pki",`
Some refactoring. Only selectively use ssh proxy. Add NetworkName to gce.Config. Add locking to uses of master.tunnels. 2015-06-04 18:58:38 +00:00			`"readOnly": true},`
Make sshproxy use a hostmount on master PD (don't spam sshKeys on upgrade/reboot). Add comment describing what SSHTunnelList.Close() does. Simplify util.FileExists. 2015-06-05 21:49:26 +00:00			`{ "name": "srvsshproxy",`
Remove manifest copies from Trusty support This change revises the way to provide kube-system manifests for clusters on Trusty. Originally, we maintained copies of some manifests under cluster/gce/trusty/kube-manifests, which is not scalable and hard to maintain. With this change, clusters on Trusty will use the same source of manifests as ContainerVM. This change also fixes some minor problems such as shell variables and comments to meet the style guidance better. 2016-02-12 16:02:26 +00:00			`"mountPath": "{{srv_sshproxy_path}}",`
Some refactoring. Only selectively use ssh proxy. Add NetworkName to gce.Config. Add locking to uses of master.tunnels. 2015-06-04 18:58:38 +00:00			`"readOnly": false}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`]`
			`}`
			`],`
			`"volumes":[`
Enable CloudKMS Plugin deployment. 2018-03-28 20:53:01 +00:00			`{{kms_socket_volume}}`
			`{{encryption_provider_volume}}`
Mount cloud-config files for cloudproviders in kube-apiserver & kube-controllermanager. 2015-05-18 17:34:50 +00:00			`{{cloud_config_volume}}`
Remove manifest copies from Trusty support This change revises the way to provide kube-system manifests for clusters on Trusty. Originally, we maintained copies of some manifests under cluster/gce/trusty/kube-manifests, which is not scalable and hard to maintain. With this change, clusters on Trusty will use the same source of manifests as ContainerVM. This change also fixes some minor problems such as shell variables and comments to meet the style guidance better. 2016-02-12 16:02:26 +00:00			`{{additional_cloud_config_volume}}`
Configuration for GCP webhook authentication and authorization 2016-05-11 23:41:32 +00:00			`{{webhook_config_volume}}`
			`{{webhook_authn_config_volume}}`
Set up basic test configuration for AdavencedAuditing 2017-05-26 20:48:49 +00:00			`{{audit_policy_config_volume}}`
Add GCE configuration parameter for webhook audit logging 2017-06-02 00:42:26 +00:00			`{{audit_webhook_config_volume}}`
Scripts to configure image verification admission controller for gce. 2016-08-18 20:42:57 +00:00			`{{admission_controller_config_volume}}`
			`{{image_policy_webhook_config_volume}}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "srvkube",`
			`"hostPath": {`
Removed unused srv_kube_path variable 2018-06-21 11:58:11 +00:00			`"path": "/etc/srv/kubernetes"}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`},`
logs for master components 2015-04-24 21:46:43 +00:00			`{ "name": "logfile",`
			`"hostPath": {`
update related files 2017-06-18 13:34:24 +00:00			`"path": "/var/log/kube-apiserver.log",`
			`"type": "FileOrCreate"}`
logs for master components 2015-04-24 21:46:43 +00:00			`},`
cluster/gce: Add env var to enable apiserver basic audit log. For now, this is focused on a fixed set of flags that makes the audit log show up under /var/log/kube-apiserver-audit.log and behave similarly to /var/log/kube-apiserver.log. Allowing other customization would require significantly more complex changes. Audit log rotation is handled externally by the wildcard /var/log/*.log already configured in configure-helper.sh. 2017-02-09 18:43:19 +00:00			`{ "name": "auditlogfile",`
			`"hostPath": {`
update related files 2017-06-18 13:34:24 +00:00			`"path": "/var/log/kube-apiserver-audit.log",`
			`"type": "FileOrCreate"}`
cluster/gce: Add env var to enable apiserver basic audit log. For now, this is focused on a fixed set of flags that makes the audit log show up under /var/log/kube-apiserver-audit.log and behave similarly to /var/log/kube-apiserver.log. Allowing other customization would require significantly more complex changes. Audit log rotation is handled externally by the wildcard /var/log/*.log already configured in configure-helper.sh. 2017-02-09 18:43:19 +00:00			`},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "etcssl",`
			`"hostPath": {`
			`"path": "/etc/ssl"}`
			`},`
cluster: bindmount more cert paths /etc/ssl/certs is currently mounted through in a number of places. However, on Gentoo and CoreOS (and probably others), the files in /etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates. For these components to correclty work, the target of the symlinks needs to be available as well. This is especially important for kube-controller-manager, where this issue was noticed. This change was originally part of #33965, but was split out for ease of review. 2016-12-07 23:21:53 +00:00			`{ "name": "usrsharecacerts",`
			`"hostPath": {`
			`"path": "/usr/share/ca-certificates"}`
			`},`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`{ "name": "varssl",`
			`"hostPath": {`
			`"path": "/var/ssl"}`
			`},`
			`{ "name": "etcopenssl",`
			`"hostPath": {`
			`"path": "/etc/openssl"}`
			`},`
Expose /etc/pki from host to kube-apiserver and controller-manager CentOS 7 Core nodes running on OpenStack with an SSL-enabled API endpoint results in the following error without this patch: F0425 19:00:58.124520 5 server.go:100] Cloud provider could not be initialized: could not init cloud provider "openstack": Post https://my.openstack.cloud:5000/v2.0/tokens: x509: failed to load system roots and no roots provided The root cause is that the ca-bundle.crt file is actually a symlink which points to a directory which wasn't previously exposed. [root@kubernetesstack-master ~]# ls -l /etc/ssl/certs/ca-bundle.crt lrwxrwxrwx. 1 root root 49 18 nov 11:02 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem [root@kubernetesstack-master ~]# 2016-04-28 07:20:13 +00:00			`{ "name": "etcpki",`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`"hostPath": {`
fix upgrades 2017-02-27 23:06:11 +00:00			`"path": "/etc/srv/pki"}`
Some refactoring. Only selectively use ssh proxy. Add NetworkName to gce.Config. Add locking to uses of master.tunnels. 2015-06-04 18:58:38 +00:00			`},`
Make sshproxy use a hostmount on master PD (don't spam sshKeys on upgrade/reboot). Add comment describing what SSHTunnelList.Close() does. Simplify util.FileExists. 2015-06-05 21:49:26 +00:00			`{ "name": "srvsshproxy",`
			`"hostPath": {`
Remove manifest copies from Trusty support This change revises the way to provide kube-system manifests for clusters on Trusty. Originally, we maintained copies of some manifests under cluster/gce/trusty/kube-manifests, which is not scalable and hard to maintain. With this change, clusters on Trusty will use the same source of manifests as ContainerVM. This change also fixes some minor problems such as shell variables and comments to meet the style guidance better. 2016-02-12 16:02:26 +00:00			`"path": "{{srv_sshproxy_path}}"}`
kube-apiserver in a pod. 2015-04-09 21:35:07 +00:00			`}`
			`]`
			`}}`