Puppet Class: k8s::controller

Defined in:
modules/k8s/manifests/controller.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class that sets up and configures kube-controller-manager.

The kubeconfig given should be granted the rights of the core role system:kube-controller-manager, to permit kube-controller-manager to create dedicated service accounts for all the controllers. See: v1-16.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles

Also make sure that kube-controller-manager uses the secure API port rather than the privileged local one, so that it cannot bypass authentication and authorization checks.

Note: This has the drawback that the kube-controller-manager will no longer talk to the local apiserver, but to the LVS service instead (to be able to verify the TLS cert).
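As an added example (not part of this module), a small Python check that audits a rendered /etc/default/kube-controller-manager and its kubeconfig against the two requirements above: the effective apiserver URL must be https and must not point at the local apiserver, and the controllers must run with dedicated service accounts. The /etc/default variable name, the sample option set and the sample kubeconfig are constructed assumptions, since the template is not shown here; --use-service-account-credentials is the upstream kube-controller-manager flag that enables per-controller service accounts, which this page does not name.

```python
from urllib.parse import urlparse
import shlex
# Constructed sample of a rendered /etc/default/kube-controller-manager; the page's
# template (k8s/kube-controller-manager.default.erb) is not shown, so the variable name
# and option set are assumptions.
SAMPLE_DEFAULTS = (
    'KUBE_CONTROLLER_MANAGER_OPTS="--kubeconfig=/etc/kubernetes/kcm.kubeconfig '
    '--service-account-private-key-file=/etc/kubernetes/sa.key '
    '--use-service-account-credentials=true --logtostderr=true --v=0"\n'
)
# Constructed kubeconfig, in the shape `kubectl config view --raw -o json` prints.
SAMPLE_KUBECONFIG = {
    "current-context": "kcm",
    "contexts": [{"name": "kcm", "context": {"cluster": "prod", "user": "kcm"}}],
    "clusters": [{"name": "prod", "cluster": {"server": "https://kubemaster.example.invalid:6443",
                                              "certificate-authority": "/etc/kubernetes/ca.pem"}}],
}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_opts(defaults_text: str) -> dict:
    """{flag: value} from the KUBE_CONTROLLER_MANAGER_OPTS line; bare flags map to 'true'."""
    opts = {}
    for line in defaults_text.splitlines():
        if line.startswith("KUBE_CONTROLLER_MANAGER_OPTS="):
            unquoted = shlex.split(line.split("=", 1)[1])[0]  # strip the shell quotes
            for token in unquoted.split():
                flag, _, val = token.partition("=")
                opts[flag] = val or "true"
    return opts

def apiserver_endpoint(opts: dict, kubeconfig: dict) -> str:
    """--master overrides the kubeconfig server, so audit the effective URL."""
    if "--master" in opts:
        return opts["--master"]
    ctx = next(c["context"] for c in kubeconfig["contexts"]
               if c["name"] == kubeconfig["current-context"])
    return next(c["cluster"]["server"] for c in kubeconfig["clusters"]
                if c["name"] == ctx["cluster"])

def audit(opts: dict, kubeconfig: dict) -> list:
    """Return findings; an empty list means the setup matches the class description."""
    findings = []
    url = urlparse(apiserver_endpoint(opts, kubeconfig))
    if url.scheme != "https":
        findings.append(f"{url.geturl()}: not https, so no TLS and no client authentication")
    if url.hostname in LOCAL_HOSTS:
        findings.append(f"{url.geturl()}: local apiserver, not the LVS endpoint (local port bypasses authn/authz)")
    if opts.get("--use-service-account-credentials") != "true":
        findings.append("--use-service-account-credentials != true: no dedicated service accounts")
    return findings
```

Running `audit(parse_opts(open('/etc/default/kube-controller-manager').read()), json.load(...))` against a real host's files reports each deviation as one line; an empty result means both points in the description hold.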

Parameters:

  • version (K8s::KubernetesVersion)
  • service_account_private_key_file (Stdlib::Unixpath)
  • kubeconfig (Stdlib::Unixpath)
  • logtostderr (Boolean) (defaults to: true)
  • v_log_level (Integer) (defaults to: 0)

# File 'modules/k8s/manifests/controller.pp', line 14

class k8s::controller (
    K8s::KubernetesVersion $version,
    Stdlib::Unixpath $service_account_private_key_file,
    Stdlib::Unixpath $kubeconfig,
    Boolean $logtostderr=true,
    Integer $v_log_level=0,
) {
    k8s::package { 'controller':
        package => 'master',
        version => $version,
    }

    file { '/etc/default/kube-controller-manager':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('k8s/kube-controller-manager.default.erb'),
        notify  => Service['kube-controller-manager'],
    }

    service { 'kube-controller-manager':
        ensure => running,
        enable => true,
    }
}