-
Notifications
You must be signed in to change notification settings - Fork 91
/
deploy.yaml
180 lines (180 loc) · 6.21 KB
/
deploy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: openshift-oauth-apiserver
name: apiserver
labels:
app: openshift-oauth-apiserver
apiserver: "true"
# The number of replicas will be set in code to the number of master nodes.
spec:
strategy:
type: RollingUpdate
rollingUpdate:
# To ensure that only one pod at a time writes to the node's
# audit log, require the update strategy to proceed a node at a
# time. Only when a master node has its existing
# oauth-apiserver pod stopped will a new one be allowed to
# start.
maxUnavailable: 1
maxSurge: 0
selector:
matchLabels:
app: openshift-oauth-apiserver
apiserver: "true"
template:
metadata:
name: openshift-oauth-apiserver
labels:
app: openshift-oauth-apiserver
apiserver: "true"
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
serviceAccountName: oauth-apiserver-sa
priorityClassName: system-node-critical
initContainers:
- name: fix-audit-permissions
terminationMessagePolicy: FallbackToLogsOnError
image: ${IMAGE}
imagePullPolicy: IfNotPresent
command: ['sh', '-c', 'chmod 0700 /var/log/oauth-apiserver && touch /var/log/oauth-apiserver/audit.log && chmod 0600 /var/log/oauth-apiserver/*']
securityContext:
privileged: true
runAsUser: 0
resources:
requests:
cpu: 15m
memory: 50Mi
volumeMounts:
- mountPath: /var/log/oauth-apiserver
name: audit-dir
containers:
- name: oauth-apiserver
terminationMessagePolicy: FallbackToLogsOnError
image: ${IMAGE}
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then
echo "Copying system trust bundle"
cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
fi
exec oauth-apiserver start \
--secure-port=8443 \
--audit-log-path=/var/log/oauth-apiserver/audit.log \
--audit-log-format=json \
--audit-log-maxsize=100 \
--audit-log-maxbackup=10 \
--audit-policy-file=/var/run/configmaps/audit/policy.yaml \
--etcd-cafile=/var/run/configmaps/etcd-serving-ca/ca-bundle.crt \
--etcd-keyfile=/var/run/secrets/etcd-client/tls.key \
--etcd-certfile=/var/run/secrets/etcd-client/tls.crt \
--shutdown-delay-duration=15s \
--tls-private-key-file=/var/run/secrets/serving-cert/tls.key \
--tls-cert-file=/var/run/secrets/serving-cert/tls.crt \
${FLAGS}
resources:
requests:
memory: 200Mi
cpu: 150m
# we need to set this to privileged to be able to write audit to /var/log/oauth-apiserver
securityContext:
privileged: true
runAsUser: 0
ports:
- containerPort: 8443
volumeMounts:
- mountPath: /var/run/configmaps/audit
name: audit-policies
- mountPath: /var/run/secrets/etcd-client
name: etcd-client
- mountPath: /var/run/configmaps/etcd-serving-ca
name: etcd-serving-ca
- mountPath: /var/run/configmaps/trusted-ca-bundle
name: trusted-ca-bundle
- mountPath: /var/run/secrets/serving-cert
name: serving-cert
- mountPath: /var/run/secrets/encryption-config
name: encryption-config
- mountPath: /var/log/oauth-apiserver
name: audit-dir
livenessProbe:
httpGet:
scheme: HTTPS
port: 8443
path: healthz
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
scheme: HTTPS
port: 8443
path: readyz
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 1
startupProbe:
httpGet:
scheme: HTTPS
port: 8443
path: healthz
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 30
terminationGracePeriodSeconds: 90 # a bit more than the 60 seconds timeout of non-long-running requests + the shutdown delay
volumes:
- name: audit-policies
configMap:
name: audit-${REVISION}
- name: etcd-client
secret:
secretName: etcd-client
- name: etcd-serving-ca
configMap:
name: etcd-serving-ca
- name: serving-cert
secret:
secretName: serving-cert
- name: trusted-ca-bundle
configMap:
name: trusted-ca-bundle
optional: true
items:
- key: ca-bundle.crt
path: tls-ca-bundle.pem
- name: encryption-config
secret:
secretName: encryption-config-${REVISION}
optional: true
- hostPath:
path: /var/log/oauth-apiserver
name: audit-dir
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
# Ensure pod can be scheduled on master nodes
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
# Ensure pod can be evicted if the node is unreachable
- key: "node.kubernetes.io/unreachable"
operator: "Exists"
effect: "NoExecute"
tolerationSeconds: 120
# Ensure scheduling is delayed until node readiness
# (i.e. network operator configures CNI on the node)
- key: "node.kubernetes.io/not-ready"
operator: "Exists"
effect: "NoExecute"
tolerationSeconds: 120
# Anti-affinity is configured in code due to the need to scope
# selection to the computed pod template.