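---
# Static Pod manifest for the Kubernetes API server (hyperkube 1.16.0-5).
# The server runs in the node's network namespace and reads its TLS material,
# etcd client credentials and audit policy from hostPath mounts.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  # Host networking: the process binds directly to the node address given by
  # --bind-address / --advertise-address below.
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.kube-system.svc.rec.io:5555/caas/hyperkube:1.16.0-5
      securityContext:
        # Runs as a non-root UID; every mount below is read-only except the
        # audit log directory.
        runAsUser: 144
      command:
        - "/kube-apiserver"
        # --admission-control is the deprecated spelling of
        # --enable-admission-plugins. PodSecurityPolicy and NodeRestriction
        # are part of the enabled set.
        - --admission-control=DefaultStorageClass,LimitRanger,MutatingAdmissionWebhook,NamespaceExists,NamespaceLifecycle,NodeRestriction,PodSecurityPolicy,ResourceQuota,ServiceAccount,ValidatingAdmissionWebhook
        - --advertise-address=192.168.12.51
        - --allow-privileged=true
        # Unauthenticated requests are rejected rather than mapped to
        # system:anonymous.
        - --anonymous-auth=false
        - --apiserver-count=3
        # Audit logging: policy-driven, JSON, rotated at 100 MiB with 88 backups
        # kept on the host (see the audit-kube-apiserver mount).
        - --audit-policy-file=/var/lib/caas/policies/audit-policy.yaml
        - --audit-log-format=json
        - --audit-log-maxsize=100
        - --audit-log-maxbackup=88
        - --audit-log-path=/var/log/audit/kube_apiserver/kube-apiserver-audit.log
        - --authorization-mode=Node,RBAC
        - --bind-address=192.168.12.51
        # CA that client certificates are verified against.
        - --client-ca-file=/etc/openssl/ca.pem
        - --enable-bootstrap-token-auth=true
        # Mutual TLS to the etcd cluster with a dedicated etcd CA.
        - --etcd-cafile=/etc/etcd/ssl/ca.pem
        - --etcd-certfile=/etc/etcd/ssl/etcd1.pem
        - --etcd-keyfile=/etc/etcd/ssl/etcd1-key.pem
        - --etcd-servers=https://192.168.12.51:4111,https://192.168.12.52:4111,https://192.168.12.53:4111
        # Encryption at rest for secrets in etcd. --experimental-encryption-provider-config
        # is the deprecated alias of --encryption-provider-config.
        - --experimental-encryption-provider-config=/etc/kubernetes/ssl/secrets.conf
        - --feature-gates=SCTPSupport=True,CPUManager=False,TokenRequest=True,DevicePlugins=True
        # Plain-HTTP listener disabled; only the TLS port below is served.
        - --insecure-port=0
        # Kubelet connections: server cert verified against the cluster CA and
        # authenticated with a client certificate.
        - --kubelet-certificate-authority=/etc/openssl/ca.pem
        - --kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem
        - --kubelet-client-key=/etc/kubernetes/ssl/kubelet-server-key.pem
        - --kubelet-https=true
        - --max-requests-inflight=1000
        # Client identity used when the API server talks to aggregated APIs.
        - --proxy-client-cert-file=/etc/kubernetes/ssl/metrics.crt
        - --proxy-client-key-file=/etc/kubernetes/ssl/metrics.key
        # NOTE(review): the front-proxy CA is the same file as --client-ca-file.
        # Any certificate issued by that CA can then assert X-Remote-User /
        # X-Remote-Group headers, so the set of holders of certs from this CA
        # must be understood; a dedicated front-proxy CA is the usual setup.
        - --requestheader-client-ca-file=/etc/openssl/ca.pem
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --requestheader-group-headers=X-Remote-Group
        - --requestheader-username-headers=X-Remote-User
        - --secure-port=6443
        # Service-account tokens are verified against this key and checked for a
        # still-existing secret (lookup).
        - --service-account-key-file=/etc/kubernetes/ssl/service-account.pem
        - --service-account-lookup=true
        - --service-cluster-ip-range=10.254.0.0/16
        - --tls-cert-file=/etc/kubernetes/ssl/tls-cert.pem
        - --tls-private-key-file=/etc/kubernetes/ssl/apiserver1-key.pem
        # Static bearer tokens: these are long-lived and the file is only re-read
        # on API server restart, so rotation or revocation requires a restart.
        - --token-auth-file=/etc/kubernetes/ssl/tokens.csv
        # Re-enables deprecated beta API groups that 1.16 stopped serving by
        # default; drop entries here as workloads migrate to apps/v1 and
        # networking.k8s.io/v1 / policy/v1beta1.
        - --runtime-config=apps/v1beta1=true,apps/v1beta2=true,extensions/v1beta1/daemonsets=true,extensions/v1beta1/deployments=true,extensions/v1beta1/replicasets=true,extensions/v1beta1/networkpolicies=true,extensions/v1beta1/podsecuritypolicies=true
      resources:
        requests:
          cpu: "50m"
      volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret-kubernetes
          mountPath: /etc/kubernetes/ssl
          readOnly: true
        - name: secret-root-ca
          mountPath: /etc/openssl/ca.pem
          readOnly: true
        - name: secret-etcd
          mountPath: /etc/etcd/ssl
          readOnly: true
        # Only writable mount: the audit log destination.
        - name: audit-kube-apiserver
          mountPath: /var/log/audit/kube_apiserver/
          readOnly: false
        - name: audit-policy-dir
          mountPath: /var/lib/caas/policies
          readOnly: true
  # All volumes are hostPath; key material therefore lives on the node
  # filesystem and its permissions are enforced by the host, not by Kubernetes.
  volumes:
    - name: time-mount
      hostPath:
        path: /etc/localtime
    - name: secret-kubernetes
      hostPath:
        path: /etc/kubernetes/ssl
    - name: secret-root-ca
      hostPath:
        path: /etc/openssl/ca.pem
    - name: secret-etcd
      hostPath:
        path: /etc/etcd/ssl
    - name: audit-kube-apiserver
      hostPath:
        path: /var/log/audit/kube_apiserver/
    - name: audit-policy-dir
      hostPath:
        path: /var/lib/caas/policies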