Puppet Class: k8s::apiserver

Defined in:: modules/k8s/manifests/apiserver.pp

Overview

Parameters

Parameters:

admission_plugins (Optional[K8s::AdmissionPlugins]) (defaults to: undef) —

Admission plugins that should be enabled or disabled. Some plugins are enabled by default and need to be explicitely disabled. The defaults depend on the kubernetes version, see: `kube-apiserver -h | grep admission-plugins`.
admission_configuration (Optional[Array[Hash]]) (defaults to: undef) —

Array of admission plugin configurations (as YAML) kubernetes.io/docs/reference/config-api/apiserver-config.v1alpha1/#apiserver-k8s-io-v1alpha1-AdmissionPluginConfiguration
etcd_servers (String)
ssl_cert_path (Stdlib::Unixpath)
ssl_key_path (Stdlib::Unixpath)
users (Hash[String, Any])
authz_mode (String) (defaults to: 'RBAC')
allow_privileged (Boolean) (defaults to: false)
logtostderr (Boolean) (defaults to: true)
v_log_level (Integer) (defaults to: 0)
packages_from_future (Boolean) (defaults to: false)
service_cluster_ip_range (Optional[Stdlib::IP::Address]) (defaults to: undef)
service_node_port_range (Optional[String]) (defaults to: undef)
apiserver_count (Optional[Integer]) (defaults to: undef)
runtime_config (Optional[String]) (defaults to: undef)

# File 'modules/k8s/manifests/apiserver.pp', line 14

class k8s::apiserver(
    String $etcd_servers,
    Stdlib::Unixpath $ssl_cert_path,
    Stdlib::Unixpath $ssl_key_path,
    Hash[String, Any] $users,
    String $authz_mode = 'RBAC',
    Boolean $allow_privileged = false,
    Boolean $logtostderr = true,
    Integer $v_log_level = 0,
    Boolean $packages_from_future = false,
    Optional[Stdlib::IP::Address] $service_cluster_ip_range = undef,
    Optional[String] $service_node_port_range = undef,
    Optional[Integer] $apiserver_count = undef,
    Optional[String] $runtime_config = undef,
    Optional[K8s::AdmissionPlugins] $admission_plugins = undef,
    Optional[Array[Hash]] $admission_configuration = undef,
) {
    require k8s::base_dirs

    group { 'kube':
        ensure => present,
        system => true,
    }
    user { 'kube':
        ensure => present,
        gid    => 'kube',
        system => true,
        home   => '/nonexistent',
        shell  => '/usr/sbin/nologin',
    }

    if $packages_from_future {
        apt::package_from_component { 'apiserver-kubernetes-future':
            component => 'component/kubernetes-future',
            packages  => ['kubernetes-master'],
        }
    } else {
        ensure_packages('kubernetes-master')
    }

    file { '/etc/kubernetes/infrastructure-users':
        content => template('k8s/infrastructure-users.csv.erb'),
        owner   => 'kube',
        group   => 'kube',
        mode    => '0400',
        notify  => Service['kube-apiserver'],
    }

    # The admission config file needs to be available as parameter fo apiserver
    $admission_configuration_file = '/etc/kubernetes/admission-config.yaml'
    file { '/etc/default/kube-apiserver':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('k8s/kube-apiserver.default.erb'),
        notify  => Service['kube-apiserver'],
    }

    $admission_configuration_ensure = $admission_configuration ? {
        undef   => absent,
        default => file,
    }
    # .to_yaml in erb templates always adds a document separator so it's
    # not possible to join yaml in the template with .to_yaml from a variable.
    $admission_configuration_content = {
        'apiVersion' => 'apiserver.k8s.io/v1alpha1',
        'kind'       => 'AdmissionConfiguration',
        'plugins'    => $admission_configuration,
    }
    file { $admission_configuration_file:
        ensure  => $admission_configuration_ensure,
        content => to_yaml($admission_configuration_content),
        owner   => 'kube',
        group   => 'kube',
        mode    => '0400',
        notify  => Service['kube-apiserver'],
    }


    service { 'kube-apiserver':
        ensure => running,
        enable => true,
    }
}