Puppet Class: k8s::controller
- Defined in:
- modules/k8s/manifests/controller.pp
Overview
SPDX-License-Identifier: Apache-2.0
Class that sets up and configures kube-controller-manager.
The kubeconfig given should be granted the rights of the core ClusterRole system:kube-controller-manager, so that kube-controller-manager is permitted to create the dedicated service accounts it uses for each of its controllers. See: v1-16.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles
Also make sure that kube-controller-manager uses the secure API port rather than the privileged local (insecure) port, because requests on that port bypass authentication and authorization checks.
Note: this has the drawback that kube-controller-manager no longer talks to the local apiserver but to the LVS service instead (so that the apiserver's TLS certificate can be verified).
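The two requirements above (secure, authenticated API endpoint; identity bound to system:kube-controller-manager) can be checked before the kubeconfig is handed to the service. The script below is an added example and is not code from the k8s Puppet module. The kubeconfig, the ClusterRoleBinding list, the hostnames and the file paths are constructed fixtures (JSON is a valid kubeconfig encoding, and the binding list mirrors the shape of `kubectl get clusterrolebindings -o json`); the `identity` argument is assumed to be the CN of the client certificate, which is the user name the apiserver will see.

```python
"""Audit a kubeconfig meant for kube-controller-manager: it must reach the
apiserver over the secure endpoint and its identity must be bound to
ClusterRole system:kube-controller-manager. Added example, not part of the
k8s module; all fixtures below are constructed."""
from urllib.parse import urlsplit

CONTROLLER_ROLE = "system:kube-controller-manager"


def _current(kubeconfig):
    """Resolve current-context into its cluster and user stanzas."""
    ctx_name = kubeconfig["current-context"]
    ctx = next(c["context"] for c in kubeconfig["contexts"] if c["name"] == ctx_name)
    cluster = next(c["cluster"] for c in kubeconfig["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in kubeconfig["users"] if u["name"] == ctx["user"])
    return cluster, user


def check_secure_endpoint(kubeconfig):
    """Return findings (empty list means OK) about how the apiserver is reached."""
    cluster, user = _current(kubeconfig)
    findings = []
    url = urlsplit(cluster["server"])
    if url.scheme != "https":
        # Plain HTTP is only served by the insecure port, which performs no
        # authentication or authorization at all.
        findings.append("server %s is not https" % cluster["server"])
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("insecure-skip-tls-verify is set; apiserver identity is not checked")
    elif not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
        findings.append("no certificate-authority(-data) to verify the apiserver certificate")
    has_cert = (user.get("client-certificate") or user.get("client-certificate-data")) and \
               (user.get("client-key") or user.get("client-key-data"))
    if not (has_cert or user.get("token") or user.get("tokenFile")):
        findings.append("user presents no credentials (client cert/key or token)")
    return findings


def bound_to_controller_role(bindings, identity, groups=()):
    """True if `identity` (a User) or one of `groups` is a subject of a
    ClusterRoleBinding whose roleRef is ClusterRole system:kube-controller-manager."""
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != CONTROLLER_ROLE:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "User" and s.get("name") == identity:
                return True
            if s.get("kind") == "Group" and s.get("name") in groups:
                return True
    return False


def audit(kubeconfig, bindings, identity, groups=()):
    """All findings for a kubeconfig/identity pair; empty list means it passes."""
    findings = check_secure_endpoint(kubeconfig)
    if not bound_to_controller_role(bindings, identity, groups):
        findings.append("%s is not bound to ClusterRole %s" % (identity, CONTROLLER_ROLE))
    return findings


# Constructed fixture: secure endpoint, CA pinned, client certificate auth.
GOOD_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "controller",
    "clusters": [{"name": "prod", "cluster": {
        "server": "https://apiserver.example.internal:6443",
        "certificate-authority": "/etc/kubernetes/pki/ca.pem"}}],
    "users": [{"name": "controller-manager", "user": {
        "client-certificate": "/etc/kubernetes/pki/kube-controller-manager.pem",
        "client-key": "/etc/kubernetes/pki/kube-controller-manager-key.pem"}}],
    "contexts": [{"name": "controller", "context": {"cluster": "prod", "user": "controller-manager"}}],
}
# Constructed fixture: the insecure local port, no TLS, no credentials.
BAD_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "local",
    "clusters": [{"name": "local", "cluster": {"server": "http://127.0.0.1:8080"}}],
    "users": [{"name": "anon", "user": {}}],
    "contexts": [{"name": "local", "context": {"cluster": "local", "user": "anon"}}],
}
# Mirrors the default binding Kubernetes ships: the ClusterRole is bound to the
# User of the same name, so the client certificate CN must be exactly that.
BINDINGS = {"items": [{
    "metadata": {"name": "system:kube-controller-manager"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "system:kube-controller-manager"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
                  "name": "system:kube-controller-manager"}],
}]}

if __name__ == "__main__":
    for name, cfg, ident in (("good", GOOD_KUBECONFIG, "system:kube-controller-manager"),
                             ("bad", BAD_KUBECONFIG, "anonymous")):
        print(name, audit(cfg, BINDINGS, ident) or "OK")
```

Against a live cluster, the same functions can be fed the output of `kubectl config view --raw -o json` and `kubectl get clusterrolebindings -o json`, with the identity taken from `openssl x509 -in <client cert> -noout -subject`. Only a User binding is checked here: if the certificate carries organisations (mapped to groups), pass them via `groups`.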
# File 'modules/k8s/manifests/controller.pp', line 14
class k8s::controller (
  K8s::KubernetesVersion $version,
  Stdlib::Unixpath       $service_account_private_key_file,
  Stdlib::Unixpath       $ca_file,
  Stdlib::Unixpath       $kubeconfig,
  Stdlib::Unixpath       $tls_cert_file,
  Stdlib::Unixpath       $tls_private_key_file,
  Integer                $v_log_level = 0,
) {
  # kube-controller-manager is shipped in the 'master' package.
  k8s::package { 'controller':
    package => 'master',
    version => $version,
  }

  # Daemon flags are rendered from the template; a change restarts the service.
  file { '/etc/default/kube-controller-manager':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => template('k8s/kube-controller-manager.default.erb'),
    notify  => Service['kube-controller-manager'],
  }

  # The kubeconfig is declared elsewhere in the catalog; restart when it changes.
  service { 'kube-controller-manager':
    ensure    => running,
    enable    => true,
    subscribe => [
      File[$kubeconfig],
    ],
  }
}