templates

var (
	// FeatureGatesDefaultConfiguration lists the kube feature gates enabled by default.
	// ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
	FeatureGatesDefaultConfiguration = map[string]bool{
		"RotateKubeletServerCertificate": true,
		"TTLAfterFinished":               true,
	}
	// FeatureGatesSecurityDefaultConfiguration is the hardened variant: the default
	// gates plus SeccompDefault.
	FeatureGatesSecurityDefaultConfiguration = map[string]bool{
		"RotateKubeletServerCertificate": true,
		"TTLAfterFinished":               true,
		"SeccompDefault":                 true,
	}

	// ApiServerArgs holds the baseline kube-apiserver extra args.
	ApiServerArgs = map[string]string{
		"bind-address": "0.0.0.0",
	}
	// ApiServerSecurityArgs is the hardened kube-apiserver arg set.
	// NOTE(review): bind-address stays 0.0.0.0 (all interfaces) here, unlike the
	// controller-manager and scheduler security sets below, which move to loopback;
	// presumably because nodes must reach the API server — confirm this is intended.
	ApiServerSecurityArgs = map[string]string{
		"bind-address":       "0.0.0.0",
		"authorization-mode": "Node,RBAC",

		"enable-admission-plugins": "AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity",

		"profiling":              "false",
		"request-timeout":        "120s",
		"service-account-lookup": "true",
		// TLS 1.2 floor; only ECDHE suites with AEAD ciphers (AES-GCM / ChaCha20-Poly1305).
		"tls-min-version":        "VersionTLS12",
		"tls-cipher-suites":      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
	}

	// ControllermanagerArgs holds the baseline kube-controller-manager extra args.
	// cluster-signing-duration of 87600h is 10 years, i.e. certificates signed by
	// the controller manager are very long-lived.
	ControllermanagerArgs = map[string]string{
		"bind-address":             "0.0.0.0",
		"cluster-signing-duration": "87600h",
	}
	// ControllermanagerSecurityArgs is the hardened kube-controller-manager arg set;
	// it binds to loopback only and keeps the same 10-year signing duration.
	ControllermanagerSecurityArgs = map[string]string{
		"bind-address":                    "127.0.0.1",
		"cluster-signing-duration":        "87600h",
		"profiling":                       "false",
		"terminated-pod-gc-threshold":     "50",
		"use-service-account-credentials": "true",
	}
	// SchedulerArgs holds the baseline kube-scheduler extra args.
	SchedulerArgs = map[string]string{
		"bind-address": "0.0.0.0",
	}
	// SchedulerSecurityArgs is the hardened kube-scheduler arg set (loopback only,
	// profiling disabled).
	SchedulerSecurityArgs = map[string]string{
		"bind-address": "127.0.0.1",
		"profiling":    "false",
	}
)
// AuditPolicy defines the template of the kube-apiserver audit policy.
// The template has no fields; it is rendered verbatim.
//
// Coverage summary (audit rules are evaluated top to bottom, first match wins):
//   - high-volume, low-risk control-plane traffic, events and the read-only
//     /healthz*, /version and /swagger* URLs are not logged (level None);
//   - secrets, configmaps, serviceaccounts/token and tokenreviews are capped at
//     Metadata so their payloads never reach the audit log;
//   - get/list/watch on the listed API groups are logged at Request, other verbs
//     on those groups at RequestResponse (which includes the response body), and
//     everything else at Metadata;
//   - the RequestReceived stage is omitted throughout, so no entry is written
//     when a request is first received, only when it completes.
var AuditPolicy = template.Must(template.New("audit-policy.yaml").Parse(
	dedent.Dedent(`apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
        resources: ["endpoints", "services", "services/status"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"] # legacy kubelet identity
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes", "nodes/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes", "nodes/status"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
  # Don't log HPA fetching metrics.
  - level: None
    users:
      - system:kube-controller-manager
    verbs: ["get", "list"]
    resources:
      - group: "metrics.k8s.io"
  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Don't log events requests.
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
    omitStages:
      - "RequestReceived"
  # Get responses can be large; skip them.
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  # Default level for known APIs
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apiextensions.k8s.io"
      - group: "apiregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "metrics.k8s.io"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
    omitStages:
      - "RequestReceived"
  # Default level for all other requests.
  - level: Metadata
    omitStages:
      - "RequestReceived"
    `)))

AuditPolicy defines the template of kube-apiserver audit-policy.

// AuditWebhook defines the template of the kube-apiserver audit webhook kubeconfig.
// The template has no fields: the backend host is the literal placeholder
// SHOULD_BE_REPLACED and must be substituted by the caller before the file is used.
//
// Review notes:
//   - insecure-skip-tls-verify: true disables verification of the backend's
//     certificate, so audit events are delivered to whatever host answers at that
//     address; prefer configuring certificate-authority-data for the backend.
//   - users is empty and the context user is "", so the API server presents no
//     client credential to the backend; confirm the backend authenticates the
//     sender by other means.
var AuditWebhook = template.Must(template.New("audit-webhook.yaml").Parse(
	dedent.Dedent(`apiVersion: v1
kind: Config
clusters:
- name: kube-auditing
  cluster:
    server: https://SHOULD_BE_REPLACED:6443/audit/webhook/event
    insecure-skip-tls-verify: true
contexts:
- context:
    cluster: kube-auditing
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []
    `)))

AuditWebhook defines the template of kube-apiserver audit-webhook.

var (
	// KubeadmConfig defines the template of kubeadm configuration file.
	//
	// When .IsInitCluster is set it renders ClusterConfiguration, InitConfiguration,
	// KubeProxyConfiguration and KubeletConfiguration; otherwise it renders a
	// JoinConfiguration. The toYaml and indent functions are presumably supplied by
	// utils.FuncMap.
	//
	// Review notes:
	//   - The JoinConfiguration sets discovery.bootstrapToken.unsafeSkipCAVerification
	//     to true, so a joining node does not pin the cluster CA during discovery
	//     (no caCertHashes are rendered); consider rendering caCertHashes when the
	//     caller can supply them.
	//   - .BootstrapToken and .CertificateKey are rendered in clear text, so the
	//     rendered file should be handled as a secret.
	//   - The line `{{- if .EnableAudit }} ` carries a trailing space that ends up
	//     in the rendered YAML; harmless, but worth trimming.
	KubeadmConfig = template.Must(template.New("kubeadm-config.yaml").Funcs(utils.FuncMap).Parse(
		dedent.Dedent(`
{{- if .IsInitCluster -}}
---
apiVersion: kubeadm.k8s.io/{{ if .IsV1beta3 }}v1beta3{{ else }}v1beta2{{ end }}
kind: ClusterConfiguration
etcd:
{{- if .EtcdTypeIsKubeadm }}
  local:
    imageRepository: {{ .EtcdRepo }}
    imageTag: {{ .EtcdTag }}
    serverCertSANs:
    {{- range .ExternalEtcd.Endpoints }}
    - {{ . }}
    {{- end }}
{{- else }}
  external:
    endpoints:
    {{- range .ExternalEtcd.Endpoints }}
    - {{ . }}
    {{- end }}
{{- if .ExternalEtcd.CAFile }}
    caFile: {{ .ExternalEtcd.CAFile }}
{{- end }}
{{- if .ExternalEtcd.CertFile }}
    certFile: {{ .ExternalEtcd.CertFile }}
{{- end }}
{{- if .ExternalEtcd.KeyFile }}
    keyFile: {{ .ExternalEtcd.KeyFile }}
{{- end }}
{{- end }}
dns:
  {{- if not .IsV1beta3 }}
  type: CoreDNS
  {{- end }}
  imageRepository: {{ .CorednsRepo }}
  imageTag: {{ .CorednsTag }}
imageRepository: {{ .ImageRepo }}
kubernetesVersion: {{ .Version }}
certificatesDir: /etc/kubernetes/pki
clusterName: {{ .ClusterName }}
controlPlaneEndpoint: {{ .ControlPlaneEndpoint }}
networking:
  dnsDomain: {{ .DNSDomain }}
  podSubnet: {{ .PodSubnet }}
  serviceSubnet: {{ .ServiceSubnet }}
apiServer:
  extraArgs:
{{ toYaml .ApiServerArgs | indent 4}}
  certSANs:
    {{- range .CertSANs }}
    - "{{ . }}"
    {{- end }}
{{- if .EnableAudit }} 
  extraVolumes:
  - name: k8s-audit
    hostPath: /etc/kubernetes/audit
    mountPath: /etc/kubernetes/audit
    pathType: DirectoryOrCreate
{{- end }}
controllerManager:
  extraArgs:
{{- if .IPv6Support }}
    node-cidr-mask-size-ipv4: "{{ .NodeCidrMaskSize }}"
    node-cidr-mask-size-ipv6: "64"
{{- else }}
    node-cidr-mask-size: "{{ .NodeCidrMaskSize }}"
{{- end }}
{{ toYaml .ControllerManagerArgs | indent 4 }}
  extraVolumes:
  - name: host-time
    hostPath: /etc/localtime
    mountPath: /etc/localtime
    readOnly: true
scheduler:
  extraArgs:
{{ toYaml .SchedulerArgs | indent 4 }}

---
apiVersion: kubeadm.k8s.io/{{ if .IsV1beta3 }}v1beta3{{ else }}v1beta2{{ end }}
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: {{ .AdvertiseAddress }}
  bindPort: {{ .BindPort }}
nodeRegistration:
{{- if .CriSock }}
  criSocket: {{ .CriSock }}
{{- end }}
  kubeletExtraArgs:
    cgroup-driver: {{ .CgroupDriver }}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
{{ toYaml .KubeProxyConfiguration }}
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
{{ toYaml .KubeletConfiguration }}

{{- else -}}
---
apiVersion: kubeadm.k8s.io/{{ if .IsV1beta3 }}v1beta3{{ else }}v1beta2{{ end }}
kind: JoinConfiguration
discovery:
  bootstrapToken:
    apiServerEndpoint: {{ .ControlPlaneEndpoint }}
    token: "{{ .BootstrapToken }}"
    unsafeSkipCAVerification: true
  tlsBootstrapToken: "{{ .BootstrapToken }}"
{{- if .IsControlPlane }}
controlPlane:
  localAPIEndpoint:
    advertiseAddress: {{ .AdvertiseAddress }}
    bindPort: {{ .BindPort }}
  certificateKey: {{ .CertificateKey }}
{{- end }}
nodeRegistration:
{{- if .CriSock }}
  criSocket: {{ .CriSock }}
{{- end }}
  kubeletExtraArgs:
    cgroup-driver: {{ .CgroupDriver }}

{{- end }}
    `)))
)
// KubeletEnv defines the template of the kubelet's environment drop-in
// (10-kubeadm.conf) for its systemd service.
//
// Review notes:
//   - KUBELET_EXTRA_ARGS is a single double-quoted systemd Environment= value;
//     .NodeIP, .Hostname and every .KubeletArgs entry are interpolated unquoted
//     and unescaped, so a value containing a double quote or newline breaks the
//     unit, and whoever controls these values controls the kubelet command line.
//     Callers should validate them before rendering.
//   - --network-plugin=cni is emitted whenever .ContainerRuntime is non-empty; that
//     flag was removed from the kubelet together with dockershim, so confirm the
//     kubelet versions this template targets still accept it.
var KubeletEnv = template.Must(template.New("10-kubeadm.conf").Parse(
	dedent.Dedent(`# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generate at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/default/kubelet
Environment="KUBELET_EXTRA_ARGS=--node-ip={{ .NodeIP }} --hostname-override={{ .Hostname }} {{ if .ContainerRuntime }}--network-plugin=cni{{ end }} {{range .KubeletArgs }} {{.}}{{ end }}"
ExecStart=
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
    `)))

KubeletEnv defines the template of the kubelet's environment settings for the kubelet's systemd service.

// KubeletService defines the template of the kubelet service unit for systemd.
// The template has no fields; it is rendered verbatim. Restart=always together
// with StartLimitInterval=0 means systemd restarts the kubelet every RestartSec
// (10s) indefinitely, with its start-rate limiting switched off.
var KubeletService = template.Must(template.New("kubelet.service").Parse(
	dedent.Dedent(`[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/

[Service]
CPUAccounting=true
MemoryAccounting=true
ExecStart=/usr/local/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target
    `)))

KubeletService defines the template of the kubelet service for systemd.

Functions

func GetApiServerArgs added in v3.1.0

func GetApiServerArgs(securityEnhancement bool, enableAudit bool) map[string]string

func GetControllermanagerArgs added in v3.1.0

func GetControllermanagerArgs(version string, securityEnhancement bool) map[string]string

func GetKubeProxyConfiguration added in v3.1.0

func GetKubeProxyConfiguration(kubeConf *common.KubeConf) map[string]interface{}

func GetKubeletCgroupDriver added in v3.1.0

func GetKubeletCgroupDriver(runtime connector.Runtime, kubeConf *common.KubeConf) (string, error)

func GetKubeletConfiguration added in v3.1.0

func GetKubeletConfiguration(runtime connector.Runtime, kubeConf *common.KubeConf, criSock string, securityEnhancement bool) map[string]interface{}

func GetSchedulerArgs added in v3.1.0

func GetSchedulerArgs(securityEnhancement bool) map[string]string

func UpdateFeatureGatesConfiguration added in v3.1.0

func UpdateFeatureGatesConfiguration(args map[string]string, kubeConf *common.KubeConf) map[string]string
