Skip to content

Instantly share code, notes, and snippets.

@dhinojosa
Created December 6, 2022 23:38
Show Gist options
  • Save dhinojosa/7e31e7ceaeb570304dfd598f8b6aedba to your computer and use it in GitHub Desktop.
Save dhinojosa/7e31e7ceaeb570304dfd598f8b6aedba to your computer and use it in GitHub Desktop.
apiVersion: v1
kind: Pod
metadata:
annotations:
dns.alpha.kubernetes.io/internal: api.internal.dik8ssecurity01.k8s.local
kubectl.kubernetes.io/default-container: kube-apiserver
creationTimestamp: null
labels:
k8s-app: kube-apiserver
name: kube-apiserver
namespace: kube-system
spec:
containers:
- args:
- --log-file=/var/log/kube-apiserver.log
- --also-stdout
- /usr/local/bin/kube-apiserver
- --allow-privileged=true
- --anonymous-auth=false
- --api-audiences=kubernetes.svc.default
- --apiserver-count=1
- --authorization-mode=Node,RBAC
- --bind-address=0.0.0.0
- --client-ca-file=/srv/kubernetes/ca.crt
- --cloud-config=/etc/kubernetes/in-tree-cloud.config
- --cloud-provider=external
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
- --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
- --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
- --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
- --etcd-servers-overrides=/events#https://127.0.0.1:4002
- --etcd-servers=https://127.0.0.1:4001
- --feature-gates=CSIMigrationAWS=true,InTreePluginAWSUnregister=true
- --kubelet-client-certificate=/srv/kubernetes/kube-apiserver/kubelet-api.crt
- --kubelet-client-key=/srv/kubernetes/kube-apiserver/kubelet-api.key
- --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
- --proxy-client-cert-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator.crt
- --proxy-client-key-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator.key
- --requestheader-allowed-names=aggregator
- --requestheader-client-ca-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=443
- --service-account-issuer=https://api.internal.dik8ssecurity01.k8s.local
- --service-account-jwks-uri=https://api.internal.dik8ssecurity01.k8s.local/openid/v1/jwks
- --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
- --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
- --service-cluster-ip-range=100.64.0.0/13
- --storage-backend=etcd3
- --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
- --profiling=false
- --tls-private-key-file=/srv/kubernetes/kube-apiserver/server.key
- --v=2
command:
- /go-runner
image: registry.k8s.io/kube-apiserver:v1.25.4@sha256:ba9fc1737c5b7857f3e19183d1504ec58df0c50d970e0c008e58e8a13dc11422
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 3990
initialDelaySeconds: 45
timeoutSeconds: 15
name: kube-apiserver
ports:
- containerPort: 443
hostPort: 443
name: https
resources:
requests:
cpu: 150m
volumeMounts:
- mountPath: /var/log/kube-apiserver.log
name: logfile
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /etc/pki/tls
name: etcpkitls
readOnly: true
- mountPath: /etc/pki/ca-trust
name: etcpkica-trust
readOnly: true
- mountPath: /usr/share/ssl
name: usrsharessl
readOnly: true
- mountPath: /usr/ssl
name: usrssl
readOnly: true
- mountPath: /usr/lib/ssl
name: usrlibssl
readOnly: true
- mountPath: /usr/local/openssl
name: usrlocalopenssl
readOnly: true
- mountPath: /var/ssl
name: varssl
readOnly: true
- mountPath: /etc/openssl
name: etcopenssl
readOnly: true
- mountPath: /etc/kubernetes/in-tree-cloud.config
name: cloudconfig
readOnly: true
- mountPath: /srv/kubernetes/ca.crt
name: kubernetesca
readOnly: true
- mountPath: /srv/kubernetes/kube-apiserver
name: srvkapi
readOnly: true
- mountPath: /srv/sshproxy
name: srvsshproxy
readOnly: true
- args:
- --ca-cert=/secrets/ca.crt
- --client-cert=/secrets/client.crt
- --client-key=/secrets/client.key
image: registry.k8s.io/kops/kube-apiserver-healthcheck:1.25.3@sha256:fad595f1a97a17e6774d46d0c6cdf7762572df9b28ee39385d5456ce5f44ee49
livenessProbe:
httpGet:
host: 127.0.0.1
path: /.kube-apiserver-healthcheck/healthz
port: 3990
initialDelaySeconds: 5
timeoutSeconds: 5
name: healthcheck
resources: {}
securityContext:
runAsNonRoot: true
runAsUser: 10012
volumeMounts:
- mountPath: /secrets
name: healthcheck-secrets
readOnly: true
hostNetwork: true
priorityClassName: system-cluster-critical
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- hostPath:
path: /var/log/kube-apiserver.log
name: logfile
- hostPath:
path: /etc/ssl
name: etcssl
- hostPath:
path: /etc/pki/tls
name: etcpkitls
- hostPath:
path: /etc/pki/ca-trust
name: etcpkica-trust
- hostPath:
path: /usr/share/ssl
name: usrsharessl
- hostPath:
path: /usr/ssl
name: usrssl
- hostPath:
path: /usr/lib/ssl
name: usrlibssl
- hostPath:
path: /usr/local/openssl
name: usrlocalopenssl
- hostPath:
path: /var/ssl
name: varssl
- hostPath:
path: /etc/openssl
name: etcopenssl
- hostPath:
path: /etc/kubernetes/in-tree-cloud.config
name: cloudconfig
- hostPath:
path: /srv/kubernetes/ca.crt
name: kubernetesca
- hostPath:
path: /srv/kubernetes/kube-apiserver
name: srvkapi
- hostPath:
path: /srv/sshproxy
name: srvsshproxy
- hostPath:
path: /etc/kubernetes/kube-apiserver-healthcheck/secrets
type: Directory
name: healthcheck-secrets
status: {}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment