forked from Azure/acs-engine
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defaults-apiserver.go
118 lines (106 loc) · 5.04 KB
/
defaults-apiserver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package acsengine
import (
"strconv"
"github.com/Azure/acs-engine/pkg/api"
"github.com/Azure/acs-engine/pkg/helpers"
)
func setAPIServerConfig(cs *api.ContainerService) {
o := cs.Properties.OrchestratorProfile
staticLinuxAPIServerConfig := map[string]string{
"--address": "0.0.0.0",
"--advertise-address": "<kubernetesAPIServerIP>",
"--allow-privileged": "true",
"--anonymous-auth": "false",
"--audit-log-maxage": "30",
"--audit-log-maxbackup": "10",
"--audit-log-maxsize": "100",
"--audit-log-path": "/var/log/apiserver/audit.log",
"--insecure-port": "8080",
"--secure-port": "443",
"--service-account-lookup": "true",
"--etcd-cafile": "/etc/kubernetes/certs/ca.crt",
"--etcd-certfile": "/etc/kubernetes/certs/etcdclient.crt",
"--etcd-keyfile": "/etc/kubernetes/certs/etcdclient.key",
"--etcd-servers": "https://127.0.0.1:" + strconv.Itoa(DefaultMasterEtcdClientPort),
"--etcd-quorum-read": "true",
"--tls-cert-file": "/etc/kubernetes/certs/apiserver.crt",
"--tls-private-key-file": "/etc/kubernetes/certs/apiserver.key",
"--client-ca-file": "/etc/kubernetes/certs/ca.crt",
"--profiling": "false",
"--repair-malformed-updates": "false",
"--service-account-key-file": "/etc/kubernetes/certs/apiserver.key",
"--kubelet-client-certificate": "/etc/kubernetes/certs/client.crt",
"--kubelet-client-key": "/etc/kubernetes/certs/client.key",
"--service-cluster-ip-range": o.KubernetesConfig.ServiceCIDR,
"--storage-backend": o.GetAPIServerEtcdAPIVersion(),
"--v": "4",
}
// Data Encryption at REST configuration
if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableDataEncryptionAtRest) {
staticLinuxAPIServerConfig["--experimental-encryption-provider-config"] = "/etc/kubernetes/encryption-config.yaml"
}
// Aggregated API configuration
if o.KubernetesConfig.EnableAggregatedAPIs {
staticLinuxAPIServerConfig["--requestheader-client-ca-file"] = "/etc/kubernetes/certs/proxy-ca.crt"
staticLinuxAPIServerConfig["--proxy-client-cert-file"] = "/etc/kubernetes/certs/proxy.crt"
staticLinuxAPIServerConfig["--proxy-client-key-file"] = "/etc/kubernetes/certs/proxy.key"
staticLinuxAPIServerConfig["--requestheader-allowed-names"] = ""
staticLinuxAPIServerConfig["--requestheader-extra-headers-prefix"] = "X-Remote-Extra-"
staticLinuxAPIServerConfig["--requestheader-group-headers"] = "X-Remote-Group"
staticLinuxAPIServerConfig["--requestheader-username-headers"] = "X-Remote-User"
}
// Enable cloudprovider if we're not using cloud controller manager
if !helpers.IsTrueBoolPointer(o.KubernetesConfig.UseCloudControllerManager) {
staticLinuxAPIServerConfig["--cloud-provider"] = "azure"
staticLinuxAPIServerConfig["--cloud-config"] = "/etc/kubernetes/azure.json"
}
// AAD configuration
if cs.Properties.HasAadProfile() {
staticLinuxAPIServerConfig["--oidc-username-claim"] = "oid"
staticLinuxAPIServerConfig["--oidc-groups-claim"] = "groups"
staticLinuxAPIServerConfig["--oidc-client-id"] = "spn:" + cs.Properties.AADProfile.ServerAppID
issuerHost := "sts.windows.net"
if GetCloudTargetEnv(cs.Location) == "AzureChinaCloud" {
issuerHost = "sts.chinacloudapi.cn"
}
staticLinuxAPIServerConfig["--oidc-issuer-url"] = "https://" + issuerHost + "/"
}
staticWindowsAPIServerConfig := make(map[string]string)
for key, val := range staticLinuxAPIServerConfig {
staticWindowsAPIServerConfig[key] = val
}
// Windows apiserver config overrides
// TODO placeholder for specific config overrides for Windows clusters
// Default apiserver config
defaultAPIServerConfig := map[string]string{
"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,SecurityContextDeny",
"--authorization-mode": "Node",
}
// RBAC configuration
if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
}
// If no user-configurable apiserver config values exists, use the defaults
if o.KubernetesConfig.APIServerConfig == nil {
o.KubernetesConfig.APIServerConfig = defaultAPIServerConfig
} else {
for key, val := range defaultAPIServerConfig {
// If we don't have a user-configurable apiserver config for each option
if _, ok := o.KubernetesConfig.APIServerConfig[key]; !ok {
// then assign the default value
o.KubernetesConfig.APIServerConfig[key] = val
}
}
}
// We don't support user-configurable values for the following,
// so any of the value assignments below will override user-provided values
var overrideAPIServerConfig map[string]string
if cs.Properties.HasWindows() {
overrideAPIServerConfig = staticWindowsAPIServerConfig
} else {
overrideAPIServerConfig = staticLinuxAPIServerConfig
}
for key, val := range overrideAPIServerConfig {
o.KubernetesConfig.APIServerConfig[key] = val
}
}