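# Bootstrap kube-apiserver configuration, written as a Go text/template: the
# range/if actions are expanded first and the rendered text is then parsed
# as YAML. Stand-alone templated scalars are double-quoted so that an empty
# or type-ambiguous expansion still renders as a string rather than null.
apiVersion: kubecontrolplane.config.openshift.io/v1
kind: KubeAPIServerConfig

# Client credentials the aggregation layer presents when proxying requests.
aggregatorConfig:
  proxyClientInfo:
    certFile: /etc/kubernetes/secrets/apiserver-proxy.crt
    keyFile: /etc/kubernetes/secrets/apiserver-proxy.key

authConfig:
  requestHeader:
    # CA used to verify front-proxy (request-header) client certificates.
    clientCA: /etc/kubernetes/secrets/aggregator-signer.crt

# Client credentials for API server -> kubelet connections; `ca` verifies
# the kubelet serving certificate.
kubeletClientInfo:
  ca: /etc/kubernetes/secrets/kubelet-client-ca-bundle.crt # this is wired to the KCM CSR, which signs serving and client certs for kubelet
  certFile: /etc/kubernetes/secrets/kube-apiserver-to-kubelet-client.crt
  keyFile: /etc/kubernetes/secrets/kube-apiserver-to-kubelet-client.key

# Public key(s) used to verify service account tokens.
serviceAccountPublicKeyFiles:
  - /etc/kubernetes/secrets/service-account.pub

servingInfo:
  bindAddress: "{{.BindAddress}}"
  bindNetwork: "{{.BindNetwork}}"  # quoted like bindAddress so an empty expansion stays a string
  # Default serving pair, plus the CA bundle that client certificates are
  # verified against. Every CA in that bundle can issue accepted client
  # identities, so it should contain only the signers listed by the installer.
  certFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.crt
  clientCA: /etc/kubernetes/secrets/kube-apiserver-complete-client-ca-bundle.crt
  keyFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.key
  # SNI serving certificates: entries with `names` are selected by the
  # requested hostname; entries without `names` fall back to the hostnames
  # carried in the certificate itself.
  namedCertificates:
    - names:
        - "kubernetes"
        - "kubernetes.default"
        - "kubernetes.default.svc"
        - "kubernetes.default.svc.cluster.local"
      certFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.crt
      keyFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.key
    - names:
        - "localhost"
        - "127.0.0.1"
        - "::1"
      certFile: /etc/kubernetes/secrets/kube-apiserver-localhost-server.crt
      keyFile: /etc/kubernetes/secrets/kube-apiserver-localhost-server.key
    - certFile: /etc/kubernetes/secrets/kube-apiserver-lb-server.crt
      keyFile: /etc/kubernetes/secrets/kube-apiserver-lb-server.key
    - certFile: /etc/kubernetes/secrets/kube-apiserver-internal-lb-server.crt
      keyFile: /etc/kubernetes/secrets/kube-apiserver-internal-lb-server.key

# etcd client credentials; `ca` verifies the etcd serving certificate and
# `urls` is rendered as one quoted list item per configured etcd endpoint.
storageConfig:
  ca: /etc/kubernetes/secrets/{{.EtcdServingCA}}
  certFile: /etc/kubernetes/secrets/etcd-client.crt
  keyFile: /etc/kubernetes/secrets/etcd-client.key
  urls: {{range .EtcdServerURLs}}
    - "{{.}}"{{end}}

# Only emitted when at least one service CIDR is configured; the first one
# becomes the legacy single-subnet field.
{{if .ServiceCIDR}}
servicesSubnet: "{{index .ServiceCIDR 0}}"{{end}}

admission:
  pluginConfig:
    {{if .ServiceCIDR}}
    # Service and cluster network CIDRs handed to the RestrictedEndpointsAdmission plugin.
    network.openshift.io/RestrictedEndpointsAdmission:
      configuration:
        apiVersion: network.openshift.io/v1
        kind: RestrictedEndpointsAdmissionConfig
        restrictedCIDRs: {{range .ServiceCIDR}}
          - "{{.}}"{{end}}{{range .ClusterCIDR}}
          - "{{.}}"{{end}}
    {{end}}

# Extra kube-apiserver command-line arguments; each key is a flag name and
# the list holds its values.
apiServerArguments:
  feature-gates:
    - "RotateKubeletServerCertificate=true"
    - "SupportPodPidsLimit=true"
    - "NodeDisruptionExclusion=true"
    - "ServiceNodeExclusion=true"
    - "SCTPSupport=true"
    - "LegacyNodeRoleBehavior=false"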