Adds a number of flags/options

docs/cluster_spec.md

@@ -159,6 +159,14 @@ spec:
 
 ```
 
+#### profiling flag
+
+```yaml
+spec:
+  kubeAPIServer:
+    profiling: true
+```
+
 #### audit logging
 
 Read more about this here: https://kubernetes.io/docs/admin/audit
@@ -179,7 +187,7 @@ You could use the [fileAssets](https://github.com/kubernetes/kops/blob/master/do
 
 Example policy file can be found [here]( https://raw.githubusercontent.com/kubernetes/website/master/docs/tasks/debug-application-cluster/audit-policy.yaml)
 
-#### Max Requests Inflight 
+#### Max Requests Inflight
 
 The maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit. (default 400)
 
@@ -215,6 +223,26 @@ spec:
     serviceNodePortRange: 30000-33000
 ```
 
+#### Disable Basic Auth
+
+This will disable the passing of the `--basic-auth-file` flag.
+
+```yaml
+spec:
+  kubeAPIServer:
+    disableBasicAuth: true
+```
+
+#### Disable Token Auth
+
+This will disable the passing of the `--token-auth-file` flag.
+
+```yaml
+spec:
+  kubeAPIServer:
+    disableTokenAuth: true
+```
+
 ### externalDns
 
 This block contains configuration options for your `external-DNS` provider.
@@ -260,6 +288,7 @@ This block contains configurations for `kube-scheduler`.  See https://kubernetes
  spec:
    kubeScheduler:
      usePolicyConfigMap: true
+     profiling: true
 ```
 
 Will make kube-scheduler use the scheduler policy from configmap "scheduler-policy" in namespace kube-system.
@@ -295,6 +324,7 @@ spec:
     horizontalPodAutoscalerSyncPeriod: 15s
     horizontalPodAutoscalerDownscaleDelay: 5m0s
     horizontalPodAutoscalerUpscaleDelay: 3m0s
+    profiling: true
 ```
 
 For more details on `horizontalPodAutoscaler` flags see the [official HPA docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) and the [Kops guides on how to set it up](horizontal_pod_autoscaling.md).

nodeup/pkg/model/kube_apiserver.go

@@ -166,8 +166,12 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 	kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 	kubeAPIServer.TLSCertFile = filepath.Join(b.PathSrvKubernetes(), "server.cert")
 	kubeAPIServer.TLSPrivateKeyFile = filepath.Join(b.PathSrvKubernetes(), "server.key")
-	kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
-	kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
+	if !kubeAPIServer.DisableBasicAuth {
+		kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
+	}
+	if !kubeAPIServer.DisableTokenAuth {
+		kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
+	}
 
 	if b.UseEtcdTLS() {
 		kubeAPIServer.EtcdCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")

pkg/apis/kops/componentconfig.go

@@ -164,6 +164,14 @@ type KubeletConfigSpec struct {
 	FailSwapOn *bool `json:"failSwapOn,omitempty" flag:"fail-swap-on"`
 	// ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
 	ExperimentalAllowedUnsafeSysctls []string `json:"experimentalAllowedUnsafeSysctls,omitempty" flag:"experimental-allowed-unsafe-sysctls"`
+	// EventQps If > 0, limit event creations per second to this value. If 0, unlimited.
+	EventQPS *int32 `json:"eventQps,omitempty" flag:"event-qps"`
+	// MakeIptablesUtilChains will ensure iptables utility rules are present on host.
+	MakeIptablesUtilChains *bool `json:"makeIptablesUtilChains,omitempty" flag:"make-iptables-util-chains"`
+	// CAdvisorPort The port of the localhost cAdvisor endpoint (set to 0 to disable) (default 4194)
+	CAdvisorPort *int32 `json:"cadvisorPort,omitempty" flag:"cadvisor-port"`
+	// ProtectKernelDefaults Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
+	ProtectKernelDefaults *bool `json:"protectKernelDefaults,omitempty" flag:"protect-kernel-defaults"`
 }
 
 // KubeProxyConfig defines the configuration for a proxy
@@ -198,6 +206,10 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 	// Image is the docker container used
 	Image string `json:"image,omitempty"`
+	// DisableBasicAuth removes the --basic-auth-file flag
+	DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
+	// EnableTokenAuth removes the --token-auth-file flag
+	DisableTokenAuth bool `json:"disableTokenAuth,omitempty"`
 	// LogLevel is the logging level of the api
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 	// CloudProvider is the name of the cloudProvider we are using, aws, gce etcd
@@ -315,9 +327,14 @@ type KubeAPIServerConfig struct {
 	FeatureGates map[string]string `json:"featureGates,omitempty" flag:"feature-gates"`
 	// MaxRequestsInflight The maximum number of non-mutating requests in flight at a given time.
 	MaxRequestsInflight int32 `json:"maxRequestsInflight,omitempty" flag:"max-requests-inflight" flag-empty:"0"`
-
 	// EtcdQuorumRead configures the etcd-quorum-read flag, which forces consistent reads from etcd
 	EtcdQuorumRead *bool `json:"etcdQuorumRead,omitempty" flag:"etcd-quorum-read"`
+	// Enable profiling via web interface
+	Profiling *bool `json:"profiling,omitempty" flag:"profiling"`
+	// Verify service account token
+	ServiceAccountLookup *bool `json:"serviceAccountLookup,omitempty" flag:"service-account-lookup"`
+	// Repair malformed requests from clients
+	RepairMalformedUpdates *bool `json:"repairMalformedUpdates,omitempty" flag:"repair-malformed-updates"`
 }
 
 // KubeControllerManagerConfig is the configuration for the controller
@@ -379,6 +396,8 @@ type KubeControllerManagerConfig struct {
 	HorizontalPodAutoscalerUseRestClients *bool `json:"horizontalPodAutoscalerUseRestClients,omitempty" flag:"horizontal-pod-autoscaler-use-rest-clients"`
 	// FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
 	FeatureGates map[string]string `json:"featureGates,omitempty" flag:"feature-gates"`
+	// Enable profiling via web interface
+	Profiling *bool `json:"profiling,omitempty" flag:"profiling"`
 }
 
 type CloudControllerManagerConfig struct {
@@ -415,6 +434,8 @@ type KubeSchedulerConfig struct {
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v"`
 	// Image is the docker image to use
 	Image string `json:"image,omitempty"`
+	// Enable profiling via web interface
+	Profiling *bool `json:"profiling,omitempty" flag:"profiling"`
 	// LeaderElection defines the configuration of leader election client.
 	LeaderElection *LeaderElectionConfiguration `json:"leaderElection,omitempty"`
 	// UsePolicyConfigMap enable setting the scheduler policy from a configmap

pkg/apis/kops/v1alpha1/componentconfig.go

@@ -164,6 +164,14 @@ type KubeletConfigSpec struct {
 	FailSwapOn *bool `json:"failSwapOn,omitempty" flag:"fail-swap-on"`
 	// ExperimentalAllowedUnsafeSysctls are passed to the kubelet config to whitelist allowable sysctls
 	ExperimentalAllowedUnsafeSysctls []string `json:"experimental_allowed_unsafe_sysctls,omitempty" flag:"experimental-allowed-unsafe-sysctls"`
+	// EventQps If > 0, limit event creations per second to this value. If 0, unlimited.
+	EventQPS *int32 `json:"eventQps,omitempty" flag:"event-qps"`
+	// MakeIptablesUtilChains will ensure iptables utility rules are present on host.
+	MakeIptablesUtilChains *bool `json:"makeIptablesUtilChains,omitempty" flag:"make-iptables-util-chains"`
+	// CAdvisorPort The port of the localhost cAdvisor endpoint (set to 0 to disable) (default 4194)
+	CAdvisorPort *int32 `json:"cadvisorPort,omitempty" flag:"cadvisor-port"`
+	// ProtectKernelDefaults Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.
+	ProtectKernelDefaults *bool `json:"protectKernelDefaults,omitempty" flag:"protect-kernel-defaults"`
 }
 
 // KubeProxyConfig defines the configuration for a proxy
@@ -198,6 +206,10 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 	// Image is the docker container used
 	Image string `json:"image,omitempty"`
+	// DisableBasicAuth removes the --basic-auth-file flag
+	DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
+	// EnableTokenAuth removes the --token-auth-file flag
+	DisableTokenAuth bool `json:"disableTokenAuth,omitempty"`
 	// LogLevel is the logging level of the api
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 	// CloudProvider is the name of the cloudProvider we are using, aws, gce etcd
@@ -315,9 +327,14 @@ type KubeAPIServerConfig struct {
 	FeatureGates map[string]string `json:"featureGates,omitempty" flag:"feature-gates"`
 	// MaxRequestsInflight The maximum number of non-mutating requests in flight at a given time.
 	MaxRequestsInflight int32 `json:"maxRequestsInflight,omitempty" flag:"max-requests-inflight" flag-empty:"0"`
-
 	// EtcdQuorumRead configures the etcd-quorum-read flag, which forces consistent reads from etcd
 	EtcdQuorumRead *bool `json:"etcdQuorumRead,omitempty" flag:"etcd-quorum-read"`
+	// Enable profiling via web interface.
+	Profiling *bool `json:"profiling,omitempty" flag:"profiling"`
+	// Verify service account token
+	ServiceAccountLookup *bool `json:"serviceAccountLookup,omitempty" flag:"service-account-lookup"`
+	// Repair malformed requests from clients
+	RepairMalformedUpdates *bool `json:"repairMalformedUpdates,omitempty" flag:"repair-malformed-updates"`
 }
 
 // KubeControllerManagerConfig is the configuration for the controller
@@ -379,6 +396,8 @@ type KubeControllerManagerConfig struct {
 	HorizontalPodAutoscalerUseRestClients *bool `json:"horizontalPodAutoscalerUseRestClients,omitempty" flag:"horizontal-pod-autoscaler-use-rest-clients"`
 	// FeatureGates is set of key=value pairs that describe feature gates for alpha/experimental features.
 	FeatureGates map[string]string `json:"featureGates,omitempty" flag:"feature-gates"`
+	// Enable profiling via web interface.
+	Profiling *bool `json:"profiling,omitempty" flag:"profiling"`
 }
 
 type CloudControllerManagerConfig struct {
@@ -415,6 +434,8 @@ type KubeSchedulerConfig struct {
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v"`
 	// Image is the docker image to use
 	Image string `json:"image,omitempty"`
+	// Enable profiling via web interface
+	Profiling bool `json:"profiling,omitempty" flag:"profiling"`
 	// LeaderElection defines the configuration of leader election client.
 	LeaderElection *LeaderElectionConfiguration `json:"leaderElection,omitempty"`
 	// UsePolicyConfigMap enable setting the scheduler policy from a configmap