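---
# Static Pod manifest for kube-apiserver on control-plane node vandal-1
# (kubeadm layout, normally /etc/kubernetes/manifests/kube-apiserver.yaml).
# The kubelet reads this file from disk and publishes a read-only "mirror"
# pod in the API; fields the kubelet fills in itself are noted below.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: '192.168.8.11:6443'
    # Set by the kubelet on the mirror pod as a hash of this manifest; it goes
    # stale the moment the file is edited and does not need to be kept here.
    kubernetes.io/config.hash: '755e36554917832e5f2c40bbb2e580cb'
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver-vandal-1
  namespace: kube-system
  # ownerReferences are added by the kubelet to the mirror pod (owner = Node);
  # they are not part of the on-disk manifest.
  # ownerReferences:
  #   - apiVersion: v1
  #     controller: true
  #     kind: Node
  #     name: vandal-1
  #     uid: 77f24839-9368-4d4c-a024-4c8452ef2b3d
spec:
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  # hostNetwork is required: the apiserver must bind the node IP on 6443 and
  # the pod network is not available until the control plane is up.
  hostNetwork: true
  nodeName: vandal-1
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  terminationGracePeriodSeconds: 30
  tolerations:
    - effect: NoExecute
      operator: Exists
  volumes:
    # All three volumes are mounted read-only in the container below; the
    # private keys under /etc/kubernetes/pki stay writable only on the host.
    - hostPath:
        path: /etc/ssl/certs
        type: DirectoryOrCreate
      name: ca-certs
    - hostPath:
        path: /etc/pki
        type: DirectoryOrCreate
      name: etc-pki
    - hostPath:
        path: /etc/kubernetes/pki
        type: DirectoryOrCreate
      name: k8s-certs
  # ~~~~~~ ServiceAccount ~~~~~~
  # A static pod cannot reference API objects such as a ServiceAccount, and
  # the apiserver has no use for a projected token. Mounting one would only
  # place a bearer credential inside the most privileged process on the node,
  # so the automount is disabled and no serviceAccountName is set.
  automountServiceAccountToken: false
  # ^^^^^^ ServiceAccount ^^^^^^
  #---------------------------------------------------------------------
  # Containers
  #---------------------------------------------------------------------
  containers:
    - name: kube-apiserver
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      command:
        - kube-apiserver
        - --advertise-address=192.168.8.11
        # Needed for privileged system pods (CNI, kube-proxy); workload
        # privilege should be constrained by Pod Security admission instead.
        - --allow-privileged=true
        - --authorization-mode=Node,RBAC
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --enable-admission-plugins=NodeRestriction
        - --enable-bootstrap-token-auth=true
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --etcd-servers=https://127.0.0.1:2379
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
        # NOTE(review): no --kubelet-certificate-authority is set, so the
        # apiserver does not verify kubelet serving certs on exec/logs/proxy
        # calls; set it once kubelets have CA-signed serving certificates.
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        # /debug/pprof is reachable by any principal allowed on non-resource
        # URLs; the profiler is not needed in production.
        - --profiling=false
        - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
        - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
        - --requestheader-allowed-names=front-proxy-client
        - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --requestheader-group-headers=X-Remote-Group
        - --requestheader-username-headers=X-Remote-User
        - --secure-port=6443
        - --service-account-issuer=https://kubernetes.default.svc.cluster.local
        - --service-account-key-file=/etc/kubernetes/pki/sa.pub
        - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
        - --service-cluster-ip-range=10.96.0.0/12
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        # NOTE(review): there is no audit policy/log configuration and no
        # --encryption-provider-config here; both need extra hostPath mounts
        # and are left for a follow-up rather than guessed at in this file.
      # NOTE(review): a floating minor tag is fine for kubeadm-managed files,
      # but pin by digest if this manifest is distributed outside kubeadm.
      image: registry.k8s.io/kube-apiserver:v1.26.0
      imagePullPolicy: IfNotPresent
      # ~~~~~~ Probes ~~~~~~
      # Probes hit the advertise address directly because the pod is on the
      # host network; /livez and /readyz are unauthenticated-by-default paths.
      livenessProbe:
        failureThreshold: 8
        httpGet:
          host: 192.168.8.11
          path: /livez
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 15
      readinessProbe:
        failureThreshold: 3
        httpGet:
          host: 192.168.8.11
          path: /readyz
          port: 6443
          scheme: HTTPS
        periodSeconds: 1
        successThreshold: 1
        timeoutSeconds: 15
      startupProbe:
        failureThreshold: 24
        httpGet:
          host: 192.168.8.11
          path: /livez
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 15
      # ^^^^^^ Probes ^^^^^^
      # ~~~~~~ Resources ~~~~~~
      resources:
        limits:
          memory: 4Gi
          cpu: 2000m
        requests:
          memory: 100Mi
          cpu: 250m
      # ^^^^^^ Resources ^^^^^^
      # ~~~~~~ VolumeMounts ~~~~~~
      volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ca-certs
          readOnly: true
        - mountPath: /etc/pki
          name: etc-pki
          readOnly: true
        - mountPath: /etc/kubernetes/pki
          name: k8s-certs
          readOnly: true
      # ^^^^^^ VolumeMounts ^^^^^^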
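---
# Role: namespaced permissions, valid only inside metadata.namespace.
# NOTE(review): the name "pod-reader" undersells this Role - it also grants
# write access to ConfigMaps, Jobs/CronJobs and Deployments; creating any of
# those runs code in the namespace under the workload's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: ['']  # '' denotes the core API group
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['']
    # GET /api/v1/namespaces/{namespace}/pods/{pod}/log
    resources: ['pods/log']
    verbs: ['get', 'list']
  - apiGroups: ['']
    # At the HTTP level the resource name for ConfigMap objects is 'configmaps'.
    # resourceNames pins this rule to a single object; it cannot constrain
    # 'list', 'watch', 'create' or 'deletecollection', which have no name yet.
    resources: ['configmaps']
    resourceNames: ['my-configmap']
    verbs: ['update', 'get']
  - apiGroups: ['batch']
    # Resources and verbs are spelled out instead of '*'/'*': a wildcard
    # silently extends to any resource or verb added to the group later, and
    # wildcard rules are flagged by CIS (minimize wildcard use in Roles).
    resources: ['jobs', 'cronjobs']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
  - apiGroups: ['apps']
    resources: ['deployments']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']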
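---
# ClusterRole: cluster-scoped when bound with a ClusterRoleBinding, or
# reusable per namespace through a RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: ['']
    # 'list' and 'watch' return Secret contents, not just names, so a
    # cluster-wide binding of this rule exposes every credential stored in
    # the cluster. Prefer a RoleBinding to scope it to one namespace, and drop
    # 'list'/'watch' when the subject only needs specific named Secrets.
    resources: ['secrets']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['']
    resources: ['nodes']
    verbs: ['get', 'list', 'watch']
  # Non-resource endpoints are matched by URL path. /healthz only answers GET,
  # so the former 'post' verb granted nothing and is dropped.
  - nonResourceURLs: ['/healthz', '/healthz/*']
    verbs: ['get']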
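---
# RoleBinding: grants Role "pod-reader" to the subjects below, inside the
# "default" namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: read-pods
subjects:
  - kind: User
    name: anatomy  # case-sensitive
    apiGroup: rbac.authorization.k8s.io
  # NOTE(review): this is the ServiceAccount every kube-system pod gets unless
  # it names its own; prefer a dedicated ServiceAccount for the consumer.
  - kind: ServiceAccount
    name: default
    namespace: kube-system
  - kind: Group
    name: system:serviceaccounts:qa  # every ServiceAccount in the qa namespace
    apiGroup: rbac.authorization.k8s.io
  # The built-in groups below are kept for reference and deliberately NOT
  # bound. pod-reader includes 'create' on Jobs and Deployments (see the Role),
  # so binding it to system:unauthenticated lets anyone who can reach port
  # 6443 run workloads in this namespace (anonymous auth is on by default),
  # and system:authenticated / system:serviceaccounts grant the same to every
  # principal and every ServiceAccount in the cluster.
  # - kind: Group
  #   name: system:serviceaccounts   # all service accounts in any namespace
  #   apiGroup: rbac.authorization.k8s.io
  # - kind: Group
  #   name: system:authenticated     # all authenticated users
  #   apiGroup: rbac.authorization.k8s.io
  # - kind: Group
  #   name: system:unauthenticated   # all unauthenticated users
  #   apiGroup: rbac.authorization.k8s.io
roleRef:  # the Role/ClusterRole this binding grants; immutable after creation
  apiGroup: rbac.authorization.k8s.io
  kind: Role  # Role | ClusterRole (a ClusterRole referenced here still applies only in this namespace)
  name: pod-reader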
---
# ClusterRoleBinding: makes ClusterRole "secret-reader" effective in every
# namespace for members of the "manager" group. roleRef cannot be changed
# after creation; delete and recreate the binding to point it elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secret-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: manager  # group membership comes from the authenticator (certs/OIDC)
---
# Aggregated ClusterRole: its rules are assembled by the controller from every
# ClusterRole whose labels match clusterRoleSelectors. Anyone who can create
# ClusterRoles with that label can extend what "monitoring" grants.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.example.com/aggregate-to-monitoring: 'true'
# Leave empty: the control plane overwrites this field with the union of the
# selected ClusterRoles' rules.
rules: []
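---
# Contributes rules to the aggregated "monitoring" ClusterRole by carrying the
# label its clusterRoleSelectors match on.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    rbac.example.com/aggregate-to-monitoring: 'true'
# When this ClusterRole is created, the controller copies the rules below into
# the `monitoring` ClusterRole.
rules:
  - apiGroups: ['']
    resources: ['services', 'pods']
    verbs: ['get', 'list', 'watch']
  # EndpointSlice lives in the discovery.k8s.io group, not the core group;
  # listing it under apiGroups [''] matched nothing and granted no access.
  - apiGroups: ['discovery.k8s.io']
    resources: ['endpointslices']
    verbs: ['get', 'list', 'watch']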