Puppet Class: kubeadm::core

Defined in:
modules/kubeadm/manifests/core.pp

Overview

SPDX-License-Identifier: Apache-2.0

Main kubeadm packages and setup.

Parameters:



# File 'modules/kubeadm/manifests/core.pp', line 3

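# @summary Installs the kubeadm packages and writes the kubelet's extra arguments.
#
# @param pause_image
#   Image reference passed to the kubelet as --pod-infra-container-image.
# @param extra_labels
#   Node labels, joined with commas and passed to the kubelet as
#   --node-labels. An empty array omits the flag entirely.
class kubeadm::core (
    String[1]     $pause_image,
    Array[String] $extra_labels,
) {
    # `require` orders kubeadm::repo before everything in this class
    # (presumably it sets up the package source -- confirm in that class).
    require ::kubeadm::repo
    include ::kubeadm::kubectl

    $packages = [
        'kubeadm',
        'kubernetes-cni',
        'cri-tools',
        'ipset',
    ]

    # 'present' installs the packages but does not pin or upgrade a version.
    package { $packages:
        ensure => 'present',
        tag    => 'kubeadm-k8s',
    }

    file { '/etc/kubernetes':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    sysctl::parameters { 'kubelet':
        values   => {
            # Required by the protect-kernel-defaults option, which is
            # enabled in KUBELET_EXTRA_ARGS below.
            'vm.overcommit_memory' => 1,
            'kernel.panic'         => 10,
            'kernel.panic_on_oops' => 1,
        },
        priority => 90,
    }

    # NOTE(review): $pause_image and $extra_labels are interpolated verbatim
    # into /etc/default/kubelet, inside a double-quoted value (the labels
    # additionally inside single quotes). A quote or whitespace character in
    # either one would change how the resulting argument string is parsed, so
    # both should only be fed from trusted Hiera data -- confirm, or tighten
    # the parameter types.
    if $extra_labels != [] {
        # The leading space separates this flag from the preceding one.
        $extra_labels_joined = " --node-labels='${extra_labels.join(',')}'"
    } else {
        $extra_labels_joined = ''
    }

    # Extra kubelet flags:
    #   --read-only-port=0              sets the read-only port to 0 (disabled)
    #   --protect-kernel-defaults=true  depends on the sysctl values above
    #   --tls-cipher-suites=...         explicit allow-list of cipher suites
    #
    # NOTE(review): the last two suites in the list (TLS_RSA_WITH_AES_*_GCM_*)
    # use static RSA key exchange and therefore give no forward secrecy.
    # Confirm whether any client still needs them before keeping them.
    #
    # Owner and group are pinned to root, matching /etc/kubernetes, so that
    # ownership drift on a file that sets kubelet flags is corrected on the
    # next agent run instead of being left unmanaged.
    #
    # Heredoc notes: the /L flag lets a trailing backslash join lines, and
    # `|-` strips the 8-space indent and the final newline. The one extra
    # space at the start of the --tls-cipher-suites line is therefore
    # significant: it separates that flag from the previous one.
    file { '/etc/default/kubelet':
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        notify  => Service['kubelet'],
        content => @("ARGS"/L),
        KUBELET_EXTRA_ARGS="--read-only-port=0 --protect-kernel-defaults=true\
         --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE\
        _RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,\
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
        TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 \
        --pod-infra-container-image=${pause_image}\
        ${extra_labels_joined}\
        "
        |-ARGS
    }

    # Kubernetes itself gives no direct notice when the kubelet is failing,
    # and the node can still show "ready" in some situations. Declaring the
    # service as running makes Puppet start it (and report the change) when
    # it is found stopped.
    service { 'kubelet':
        ensure => 'running',
    }
}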