-
Notifications
You must be signed in to change notification settings - Fork 36
/
config.yaml
359 lines (345 loc) · 13.5 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
options:
audit-policy:
type: string
default: |
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Don't log read-only requests from the apiserver
- level: None
users: ["system:apiserver"]
verbs: ["get", "list", "watch"]
# Don't log kube-proxy watches
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- resources: ["endpoints", "services"]
# Don't log nodes getting their own status
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- resources: ["nodes"]
# Don't log kube-controller-manager and kube-scheduler getting endpoints
- level: None
users: ["system:unsecured"]
namespaces: ["kube-system"]
verbs: ["get"]
resources:
- resources: ["endpoints"]
# Log everything else at the Request level.
- level: Request
omitStages:
- RequestReceived
description: |
Audit policy passed to kube-apiserver via --audit-policy-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
audit-webhook-config:
type: string
default: ""
description: |
Audit webhook config passed to kube-apiserver via --audit-webhook-config-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
image-registry:
type: string
default: "rocks.canonical.com:443/cdk"
description: |
Container image registry to use for CDK. This includes addons like the Kubernetes dashboard,
metrics server, ingress, and dns along with non-addon images including the pause
container and default backend image.
enable-dashboard-addons:
type: boolean
default: true
description: Deploy the Kubernetes Dashboard
dns-provider:
type: string
default: "auto"
description: |
DNS provider addon to use. Can be "auto", "core-dns", or "none".
CoreDNS is only supported on Kubernetes 1.14+.
When set to "auto", the behavior is as follows:
- New deployments of Kubernetes 1.14+ will use CoreDNS
- Upgraded deployments will continue to use whichever provider was
previously used.
dns_domain:
type: string
default: cluster.local
description: The local domain for cluster dns
extra_sans:
type: string
default: ""
description: |
Space-separated list of extra SAN entries to add to the x509 certificate
created for the control plane nodes.
service-cidr:
type: string
default: 10.152.183.0/24
description: |
CIDR to use for Kubernetes services. After deployment it is
only possible to increase the size of the IP range. It is not possible to
change or shrink the address range after deployment.
allow-privileged:
type: string
default: "auto"
description: |
Allow kube-apiserver to run in privileged mode. Supported values are
"true", "false", and "auto". If "true", kube-apiserver will run in
privileged mode by default. If "false", kube-apiserver will never run in
privileged mode. If "auto", kube-apiserver will not run in privileged
mode by default, unless certain circumstances are discovered
* gpu hardware is detected on a worker node
* openstack-integrator successfully related
* ceph-client sucessfully related
enable-nvidia-plugin:
type: string
default: "auto"
description: |
Load the nvidia device plugin daemonset. Supported values are
"auto" and "false". When "auto", the daemonset will be loaded
only if GPUs are detected. When "false" the nvidia device plugin
will not be loaded.
channel:
type: string
default: "1.23/edge"
description: |
Snap channel to install Kubernetes control plane services from
client_password:
type: string
default: ""
description: |
Password to be used for admin user (leave empty for random password).
api-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-apiserver. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-apiserver being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
controller-manager-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-controller-manager. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-controller-manager being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
scheduler-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-scheduler. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-scheduler being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
authorization-mode:
type: string
default: "Node,RBAC"
description: |
Comma separated authorization modes. Allowed values are
"RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
require-manual-upgrade:
type: boolean
default: true
description: |
When true, control plane nodes will not be upgraded until the user triggers
it manually by running the upgrade action.
storage-backend:
type: string
default: "auto"
description: |
The storage backend for kube-apiserver persistence. Can be "etcd2", "etcd3", or
"auto". Auto mode will select etcd3 on new installations, or etcd2 on upgrades.
enable-metrics:
type: boolean
default: true
description: |
If true the metrics server for Kubernetes will be deployed onto the cluster
managed entirely by kubernetes addons. Consider disabling this option and deploying
`kubernetes-metrics-server-operator` into a kubernetes model.
snapd_refresh:
default: "max"
type: string
description: |
How often snapd handles updates for installed snaps. Setting an empty
string will check 4x per day. Set to "max" to delay the refresh as long
as possible. You may also set a custom string as described in the
'refresh.timer' section here:
https://forum.snapcraft.io/t/system-options/87
DEPRECATED in 1.19: Manage installed snap versions with the snap-store-proxy model config.
See: https://snapcraft.io/snap-store-proxy and https://juju.is/docs/offline-mode-strategies#heading--snap-specific-proxy
default-storage:
type: string
default: "auto"
description: |
The storage class to make the default storage class. Allowed values are "auto",
"none", "ceph-xfs", "ceph-ext4", "cephfs". Note: Only works in Kubernetes >= 1.10
cephfs-mounter:
type: string
default: "default"
description: |
The client driver used for cephfs based storage. Options are "fuse", "kernel" and "default".
keystone-policy:
default: |
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-auth-policy
namespace: kube-system
labels:
k8s-app: k8s-keystone-auth
data:
policies: |
[
{
"resource": {
"verbs": ["get", "list", "watch"],
"resources": ["*"],
"version": "*",
"namespace": "*"
},
"match": [
{
"type": "role",
"values": ["k8s-viewers"]
},
{
"type": "project",
"values": ["k8s"]
}
]
},
{
"resource": {
"verbs": ["*"],
"resources": ["*"],
"version": "*",
"namespace": "default"
},
"match": [
{
"type": "role",
"values": ["k8s-users"]
},
{
"type": "project",
"values": ["k8s"]
}
]
},
{
"resource": {
"verbs": ["*"],
"resources": ["*"],
"version": "*",
"namespace": "*"
},
"match": [
{
"type": "role",
"values": ["k8s-admins"]
},
{
"type": "project",
"values": ["k8s"]
}
]
}
]
type: string
description: |
Policy for Keystone authorization. This is used when a Keystone charm is
related to kubernetes-control-plane in order to provide authorization
for Keystone users on the Kubernetes cluster.
enable-keystone-authorization:
type: boolean
default: false
description: |
If true and the Keystone charm is related, users will authorize against
the Keystone server. Note that if related, users will always authenticate
against Keystone.
keystone-ssl-ca:
type: string
description: |
Keystone certificate authority encoded in base64 for securing communications to Keystone.
For example: `juju config kubernetes-control-plane keystone-ssl-ca=$(base64 /path/to/ca.crt)`
default: ""
dashboard-auth:
type: string
description: |
Method of authentication for the Kubernetes dashboard. Allowed values are "auto",
"basic", and "token". If set to "auto", basic auth is used unless Keystone is
related to kubernetes-control-plane, in which case token auth is used.
DEPRECATED: this option has no effect on Kubernetes 1.19 and above.
default: "auto"
loadbalancer-ips:
type: string
description: |
Space separated list of IP addresses of loadbalancers in front of the control plane.
These can be either virtual IP addresses that have been floated in front of the control
plane or the IP of a loadbalancer appliance such as an F5. Workers will alternate IP
addresses from this list to distribute load - for example If you have 2 IPs and 4 workers,
each IP will be used by 2 workers. Note that this will only work if kubeapi-load-balancer
is not in use and there is a relation between kubernetes-control-plane:kube-api-endpoint and
kubernetes-worker:kube-api-endpoint. If using the kubeapi-load-balancer, see the
loadbalancer-ips configuration variable on the kubeapi-load-balancer charm.
default: ""
default-cni:
type: string
description: |
Default CNI network to use when multiple CNI subordinates are related.
The value of this config should be the application name of a related CNI
subordinate. For example:
juju config kubernetes-control-plane default-cni=flannel
If unspecified, then the default CNI network is chosen alphabetically.
default: ""
authn-webhook-endpoint:
type: string
default: ""
description: |
Custom endpoint to check when authenticating kube-apiserver requests.
This must be an https url accessible by the kubernetes-control-plane units. For example:
https://your.server:8443/authenticate
When a JSON-serialized TokenReview object is POSTed to this endpoint, it must
respond with appropriate authentication details. For more info, please refer
to the upstream documentation at
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
pod-security-policy:
type: string
default: ""
description: |
Default RBAC pod security policy [0] and privileged cluster roles formatted
as a YAML file as a string.
A good example of a PSP policy can be found here [1].
[0] https://kubernetes.io/docs/concepts/policy/pod-security-policy/
[1] https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/policies.yaml
register-with-taints:
type: string
default: "node-role.kubernetes.io/control-plane:NoSchedule"
description: |
Space-separated list of taints to apply to this node at registration time.
This config is only used at deploy time when Kubelet first registers the
node with Kubernetes. To change node taints after deploy time, use kubectl
instead.
For more information, see the upstream Kubernetes documentation about
taints:
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
api-aggregation-extension:
type: boolean
default: true
description: |
Note: required if 'enable-metrics' is enabled.
Configuring the aggregation layer allows the Kubernetes apiserver to be extended
with additional APIs, which are not part of the core Kubernetes APIs.
For more information, see the upstream Kubernetes documentation about this
feature:
https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#enable-kubernetes-apiserver-flags
labels:
# Override default from layer-kubernetes-node-base config.yaml
default: "node-role.kubernetes.io/control-plane="