Puppet Class: k8s::apiserver

Defined in:
modules/k8s/manifests/apiserver.pp

Overview

Parameters

Parameters:

  • admission_plugins (Optional[K8s::AdmissionPlugins]) (defaults to: undef)

    Admission plugins that should be enabled or disabled. Some plugins are enabled by default and need to be explicitly disabled. The defaults depend on the kubernetes version, see: `kube-apiserver -h | grep admission-plugins`.

  • admission_configuration (Optional[Array[Hash]]) (defaults to: undef)
  • etcd_servers (String)
  • ssl_cert_path (Stdlib::Unixpath)
  • ssl_key_path (Stdlib::Unixpath)
  • users (Hash[String, Any])
  • authz_mode (String) (defaults to: 'RBAC')
  • allow_privileged (Boolean) (defaults to: false)
  • logtostderr (Boolean) (defaults to: true)
  • v_log_level (Integer) (defaults to: 0)
  • packages_from_future (Boolean) (defaults to: false)
  • service_cluster_ip_range (Optional[Stdlib::IP::Address]) (defaults to: undef)
  • service_node_port_range (Optional[String]) (defaults to: undef)
  • apiserver_count (Optional[Integer]) (defaults to: undef)
  • runtime_config (Optional[String]) (defaults to: undef)


# File 'modules/k8s/manifests/apiserver.pp', line 14

# @summary Installs and runs kube-apiserver: creates the `kube` service
#   account, installs the kubernetes-master package, renders the apiserver
#   environment file and the static-user file, and optionally writes an
#   AdmissionConfiguration document.
#
# Several parameters are not referenced directly in this class body; they are
# presumably read by the ERB templates rendered below
# (k8s/kube-apiserver.default.erb, k8s/infrastructure-users.csv.erb) — verify
# against those templates before changing or removing a parameter.
#
# @param etcd_servers
#   etcd endpoint list handed to the apiserver; presumably rendered into the
#   environment file template — confirm.
# @param ssl_cert_path
#   Path of the serving certificate; presumably rendered into the environment
#   file template — confirm.
# @param ssl_key_path
#   Path of the serving key; presumably rendered into the environment file
#   template — confirm.
# @param users
#   Static user definitions; presumably the source for
#   /etc/kubernetes/infrastructure-users (see the csv template) — confirm.
# @param authz_mode
#   Authorization mode string (default 'RBAC'); presumably passed through the
#   environment file — confirm.
# @param allow_privileged
#   Whether privileged containers are allowed; presumably passed through the
#   environment file — confirm.
# @param logtostderr
#   Whether the apiserver logs to stderr; presumably passed through the
#   environment file — confirm.
# @param v_log_level
#   Verbosity level; presumably passed through the environment file — confirm.
# @param packages_from_future
#   When true, kubernetes-master is installed via
#   apt::package_from_component from 'component/kubernetes-future';
#   otherwise via ensure_packages.
# @param service_cluster_ip_range
#   Optional cluster service IP range; presumably passed through the
#   environment file — confirm.
# @param service_node_port_range
#   Optional NodePort range; presumably passed through the environment file
#   — confirm.
# @param apiserver_count
#   Optional number of apiservers; presumably passed through the environment
#   file — confirm.
# @param runtime_config
#   Optional runtime-config string; presumably passed through the environment
#   file — confirm.
# @param admission_plugins
#   Admission plugins that should be enabled or disabled. Some plugins are
#   enabled by default and need to be explicitly disabled; the defaults
#   depend on the kubernetes version (see `kube-apiserver -h | grep
#   admission-plugins`). Not referenced in this body; presumably rendered by
#   the environment file template — confirm.
# @param admission_configuration
#   Optional list of per-plugin configuration hashes. When undef,
#   /etc/kubernetes/admission-config.yaml is removed; otherwise the list is
#   written there as the `plugins` key of an AdmissionConfiguration document.
class k8s::apiserver(
    String $etcd_servers,
    Stdlib::Unixpath $ssl_cert_path,
    Stdlib::Unixpath $ssl_key_path,
    Hash[String, Any] $users,
    String $authz_mode = 'RBAC',
    Boolean $allow_privileged = false,
    Boolean $logtostderr = true,
    Integer $v_log_level = 0,
    Boolean $packages_from_future = false,
    Optional[Stdlib::IP::Address] $service_cluster_ip_range = undef,
    Optional[String] $service_node_port_range = undef,
    Optional[Integer] $apiserver_count = undef,
    Optional[String] $runtime_config = undef,
    Optional[K8s::AdmissionPlugins] $admission_plugins = undef,
    Optional[Array[Hash]] $admission_configuration = undef,
) {
    # `require` both includes the class and orders it before this one, so the
    # base directories exist before any file below is managed.
    require k8s::base_dirs

    # Dedicated, non-interactive system account the apiserver-owned files
    # below are restricted to.
    group { 'kube':
        ensure => present,
        system => true,
    }
    user { 'kube':
        ensure => present,
        gid    => 'kube',
        system => true,
        home   => '/nonexistent',
        shell  => '/usr/sbin/nologin',
    }

    # Package source selection: the "future" apt component or the default
    # repository. Neither branch is explicitly ordered before the service
    # resource at the end of the class (see note there).
    if $packages_from_future {
        apt::package_from_component { 'apiserver-kubernetes-future':
            component => 'component/kubernetes-future',
            packages  => ['kubernetes-master'],
        }
    } else {
        ensure_packages('kubernetes-master')
    }

    # Readable only by the apiserver's own user (0400, kube:kube); presumably
    # this holds static user credentials — keep the mode this tight.
    # Any change triggers an apiserver restart via notify.
    file { '/etc/kubernetes/infrastructure-users':
        content => template('k8s/infrastructure-users.csv.erb'),
        owner   => 'kube',
        group   => 'kube',
        mode    => '0400',
        notify  => Service['kube-apiserver'],
    }

    # The admission config file needs to be available as parameter for apiserver
    # (class-scope variable, presumably read by the environment file template).
    $admission_configuration_file = '/etc/kubernetes/admission-config.yaml'
    # NOTE(review): this file is world-readable (0444). Confirm the template
    # only carries flags and paths and never embeds secrets such as key
    # material or tokens.
    file { '/etc/default/kube-apiserver':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('k8s/kube-apiserver.default.erb'),
        notify  => Service['kube-apiserver'],
    }

    # Without an admission configuration the file is removed rather than
    # written empty.
    $admission_configuration_ensure = $admission_configuration ? {
        undef   => absent,
        default => file,
    }
    # .to_yaml in erb templates always adds a document separator so it's
    # not possible to join yaml in the template with .to_yaml from a variable.
    # The document is therefore built as a Puppet hash and serialised whole.
    # It is computed even when ensure is absent (content is then unused).
    $admission_configuration_content = {
        'apiVersion' => 'apiserver.k8s.io/v1alpha1',
        'kind'       => 'AdmissionConfiguration',
        'plugins'    => $admission_configuration,
    }
    file { $admission_configuration_file:
        ensure  => $admission_configuration_ensure,
        content => to_yaml($admission_configuration_content),
        owner   => 'kube',
        group   => 'kube',
        mode    => '0400',
        notify  => Service['kube-apiserver'],
    }


    # NOTE(review): no explicit `require` on the package resource; ordering of
    # installation before the service relies on manifest order and on the
    # notify edges from the files above — confirm this is intended.
    service { 'kube-apiserver':
        ensure => running,
        enable => true,
    }
}