divyenpatel/Kubeadm Manifests with VCP enabled

## kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --cloud-config=/etc/kubernetes/pki/vsphere.conf
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --enable-bootstrap-token-auth=true
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --requestheader-allowed-names=front-proxy-client
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --allow-privileged=true
    - --requestheader-username-headers=X-Remote-User
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --insecure-port=0
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --service-cluster-ip-range=10.96.0.0/12
    - --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
    - --advertise-address=10.160.217.79
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --secure-port=6443
    - --authorization-mode=Node,RBAC
    - --etcd-servers=http://127.0.0.1:2379
    - --cloud-provider=vsphere
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.4
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.160.217.79
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: ca-certs-etc-pki
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: ca-certs-etc-pki
status: {}

## kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --cloud-config=/etc/kubernetes/pki/vsphere.conf
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --use-service-account-credentials=true
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --address=127.0.0.1
    - --leader-elect=true
    - --cloud-provider=vsphere
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.9.4
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 200m
    volumeMounts:
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      name: flexvolume-dir
    - mountPath: /etc/pki
      name: ca-certs-etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      type: DirectoryOrCreate
    name: flexvolume-dir
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: ca-certs-etc-pki
status: {}

## Kubeadm Manifests with VCP enabled

      
    Raw
  

              Kubeadm Manifests with VCP enabled
            
          
## Kubelet - 10-kubeadm.conf
# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--cloud-provider=vsphere --cloud-config=/etc/kubernetes/vsphere.conf --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=systemd"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CGROUP_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS

## vsphere.conf
# cat /etc/kubernetes/vsphere.conf
[Global]
        user = "administrator@vsphere.local"
        password = "*****"
        server = "xxx.xxx.xxx.xx"
        port = "443" #Optional
        insecure-flag = "1" #set to 1 if the vCenter uses a self-signed cert
        datacenter = "k8s-datacenter"
        datastore = "sharedVMFS-0" #Datastore to use for provisioning volumes using storage classes/dynamic provisioning
        working-dir = "kubernetes"
[Disk]
    scsicontrollertype = pvscsi
	apiVersion: v1
	kind: Pod
	metadata:
	annotations:
	scheduler.alpha.kubernetes.io/critical-pod: ""
	creationTimestamp: null
	labels:
	component: kube-apiserver
	tier: control-plane
	name: kube-apiserver
	namespace: kube-system
	spec:
	containers:
	- command:
	- kube-apiserver
	- --cloud-config=/etc/kubernetes/pki/vsphere.conf
	- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
	- --enable-bootstrap-token-auth=true
	- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
	- --requestheader-allowed-names=front-proxy-client
	- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
	- --allow-privileged=true
	- --requestheader-username-headers=X-Remote-User
	- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
	- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
	- --client-ca-file=/etc/kubernetes/pki/ca.crt
	- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
	- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
	- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
	- --insecure-port=0
	- --requestheader-group-headers=X-Remote-Group
	- --requestheader-extra-headers-prefix=X-Remote-Extra-
	- --service-cluster-ip-range=10.96.0.0/12
	- --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
	- --advertise-address=10.160.217.79
	- --service-account-key-file=/etc/kubernetes/pki/sa.pub
	- --secure-port=6443
	- --authorization-mode=Node,RBAC
	- --etcd-servers=http://127.0.0.1:2379
	- --cloud-provider=vsphere
	image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.4
	livenessProbe:
	failureThreshold: 8
	httpGet:
	host: 10.160.217.79
	path: /healthz
	port: 6443
	scheme: HTTPS
	initialDelaySeconds: 15
	timeoutSeconds: 15
	name: kube-apiserver
	resources:
	requests:
	cpu: 250m
	volumeMounts:
	- mountPath: /etc/kubernetes/pki
	name: k8s-certs
	readOnly: true
	- mountPath: /etc/ssl/certs
	name: ca-certs
	readOnly: true
	- mountPath: /etc/pki
	name: ca-certs-etc-pki
	readOnly: true
	hostNetwork: true
	volumes:
	- hostPath:
	path: /etc/kubernetes/pki
	type: DirectoryOrCreate
	name: k8s-certs
	- hostPath:
	path: /etc/ssl/certs
	type: DirectoryOrCreate
	name: ca-certs
	- hostPath:
	path: /etc/pki
	type: DirectoryOrCreate
	name: ca-certs-etc-pki
	status: {}
	# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
	[Service]
	Environment="KUBELET_KUBECONFIG_ARGS=--cloud-provider=vsphere --cloud-config=/etc/kubernetes/vsphere.conf --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
	Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
	Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
	Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
	Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
	Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=systemd"
	Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
	Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
	ExecStart=
	ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CGROUP_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
	# cat /etc/kubernetes/vsphere.conf
	[Global]
	user = "administrator@vsphere.local"
	password = "*****"
	server = "xxx.xxx.xxx.xx"
	port = "443" #Optional
	insecure-flag = "1" #set to 1 if the vCenter uses a self-signed cert
	datacenter = "k8s-datacenter"
	datastore = "sharedVMFS-0" #Datastore to use for provisioning volumes using storage classes/dynamic provisioning
	working-dir = "kubernetes"
	[Disk]
	scsicontrollertype = pvscsi