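# fluentd conf runs in the same host with kube-apiserver
# https://github.com/fluent/fluentd/issues/369
# /opt/td-agent/embedded/bin/fluent-gem install fluent-plugin-forest
#
# Pipeline: tail the kube-apiserver audit log (JSON lines) -> derive a
# "namespace" field from objectRef -> retag the event as audit.<namespace>
# -> drop the helper field -> write one compressed, hourly-sliced file per
# namespace into the same host directory.
<source>
  @type tail
  # audit log path of kube-apiserver (must match --audit-log-path in the
  # apiserver manifest). This is an exact file name, not a glob, so the
  # per-namespace output files written below are not re-ingested.
  path /var/log/k8s/kube-audit
  pos_file /var/log/k8s/kube-audit.pos
  format json
  time_key time
  time_format %Y-%m-%dT%H:%M:%S.%N%z
  tag audit
</source>
<filter audit>
  #https://github.com/fluent/fluent-plugin-rewrite-tag-filter/issues/13
  @type record_transformer
  # enable_ruby evaluates the ${...} expression below as Ruby for every
  # record; keep it limited to field lookups on the parsed event.
  enable_ruby
  <record>
    # "none" for events with no objectRef, or an objectRef without a
    # namespace (cluster-scoped resources and non-resource requests).
    # NOTE(review): the gist renders this line truncated ("...record["objec$");
    # the final value is reconstructed as record["objectRef"]["namespace"] —
    # verify against the original file.
    namespace ${record["objectRef"].nil? ? "none":(record["objectRef"]["namespace"].nil? ? "none":record["objectRef"]["namespace"])}
  </record>
</filter>
<match audit>
  # route audit according to namespace element in context
  @type rewrite_tag_filter
  <rule>
    key namespace
    # ^(.+) accepts any non-empty value and the capture ends up in the output
    # file name below. Valid namespace names are DNS-1123 labels ([a-z0-9-]),
    # so a stricter pattern such as ^([a-z0-9-]+)$ would keep anything
    # unexpected in the field from reaching the path. Events that match no
    # rule are not re-emitted by this plugin.
    pattern ^(.+)
    tag ${tag}.$1
  </rule>
</match>
<filter audit.**>
  @type record_transformer
  # the namespace is now carried in the tag; remove the helper field so the
  # stored event is the original audit record
  remove_keys namespace
</filter>
<match audit.**>
  @type forest
  subtype file
  remove_prefix audit
  <template>
    time_slice_format %Y%m%d%H
    compress gz
    # ${tag} is the namespace captured above with the "audit" prefix removed
    path /var/log/k8s/kube-audit-${tag}.*.log
    format json
    include_time_key true
  </template>
</match>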
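# kubeadm MasterConfiguration used by the `kubeadm init --config` command in
# this gist. Indentation restored from the flattened gist rendering.
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
# noTaintMaster: true
api:
  # NOTE(review): the static pod manifest in this gist advertises 172.31.44.55
  # and serves on 6443; these values differ — confirm which host this targets.
  advertiseAddress: 10.206.162.110
  bindPort: 8443
  controlPlaneEndpoint: localhost
# NOTE(review): the kube-apiserver image in the pod manifest is v1.11.0; the
# two versions should agree.
kubernetesVersion: v1.10.0
certificatesDir: /var/lib/localkube/certs/
# podNetworkCidr: 10.244.0.0/16
networking:
  serviceSubnet: 10.96.0.0/12
etcd:
  # etcd stores Secrets as written by the apiserver; no encryption-at-rest
  # configuration is visible anywhere in this gist, so protect this directory
  # on the host accordingly.
  dataDir: /data/k8s
# "#fqdn" is a comment, so nodeName is null here — presumably kubeadm then
# falls back to the host name; set it explicitly if the node name must match
# a particular FQDN.
nodeName: #fqdn
apiServerExtraArgs:
  # Admission chain. NodeRestriction limits what a kubelet credential may
  # modify; the two webhook plugins are required for admission webhooks.
  # `admission-control` is the older flag spelling — the pod manifest in this
  # gist uses --enable-admission-plugins with only NodeRestriction, so the two
  # files currently disagree about the enabled chain.
  admission-control: "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
featureGates:
  # NOTE(review): what the Auditing gate configures depends on the kubeadm
  # version; the audit flags are also set explicitly in the static pod manifest
  # in this gist — confirm they are not applied twice or inconsistently.
  Auditing: true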
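# Audit policy for kube-apiserver (--audit-policy-file).
# The original header said "Metadata level", but the catch-all rule is
# RequestResponse, i.e. full request and response bodies are logged. For
# Secrets, ConfigMaps and TokenReviews that puts credential material into the
# audit log (and into whatever ships it), so those are capped at Metadata
# first. Rules are evaluated in order and the first match wins.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  # Never record bodies for resources that carry credentials.
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets", "configmaps"]
    - group: authentication.k8s.io
      resources: ["tokenreviews"]
  # Everything else: full request and response bodies.
  - level: RequestResponse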
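# Static pod manifest for kube-apiserver (kubeadm layout) with audit logging
# enabled. Audit events are written as JSON lines to /var/log/k8s/kube-audit
# on the host, where the fluentd configuration in this gist tails them.
# Indentation restored from the flattened gist rendering.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    # NOTE(review): the kubeadm config in this gist uses 10.206.162.110 and
    # port 8443; this manifest uses 172.31.44.55 and 6443 — confirm the target.
    - --advertise-address=172.31.44.55
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --disable-admission-plugins=PersistentVolumeLabel
    # NOTE(review): the kubeadm config lists a much longer chain under
    # admission-control; the two files should agree on the enabled plugins.
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    # unauthenticated localhost port disabled; every client goes through the
    # TLS port with authentication and RBAC
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    # aggregation-layer trust: only a client certificate issued by
    # front-proxy-ca with CN front-proxy-client may assert identity through
    # the X-Remote-* headers
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    # Audit logging. The policy is read once at startup from the read-only
    # pki mount; the log goes to the writable /var/log/k8s host mount below.
    # No --audit-log-maxsize / --audit-log-maxbackup / --audit-log-maxage is
    # set, so the apiserver applies no retention limit of its own — with a
    # RequestResponse policy this can fill the control-plane disk. Constructed
    # example values (confirm the defaults for this apiserver version):
    #   - --audit-log-maxsize=100
    #   - --audit-log-maxbackup=10
    #   - --audit-log-maxage=7
    - --audit-policy-file=/etc/kubernetes/pki/k8s-audit.yaml
    - --audit-log-path=/var/log/k8s/kube-audit
    - --audit-log-format=json
    # NOTE(review): v1.11.0 here vs kubernetesVersion v1.10.0 in the kubeadm config
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 172.31.44.55
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    # the only writable host mount: audit log output. With the policy in this
    # gist the file can contain request bodies, so keep host-side permissions
    # on /var/log/k8s restricted to the apiserver and the log shipper.
    - mountPath: /var/log/k8s
      name: k8s-log
      readOnly: false
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/log/k8s
      type: DirectoryOrCreate
    name: k8s-log
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}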
# Bootstrap the control plane from the MasterConfiguration in this gist, then
# install the kube-dns addon. Each --ignore-preflight-errors entry downgrades
# one preflight check from a hard error to a warning: the DirAvailable /
# FileAvailable entries cover pre-existing manifests and data directories
# (e.g. the custom kube-apiserver.yaml above — presumably kept in place on
# purpose; confirm kubeadm does not overwrite it), Swap and CRI cover the
# host environment checks.
sudo /usr/bin/kubeadm init --config /var/lib/kubeadm.yaml \
  --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests \
  --ignore-preflight-errors=DirAvailable--data-minikube \
  --ignore-preflight-errors=Port-10250 \
  --ignore-preflight-errors=FileAvailable--etc-kubernetes-manifests-kube-scheduler.yaml \
  --ignore-preflight-errors=FileAvailable--etc-kubernetes-manifests-kube-apiserver.yaml \
  --ignore-preflight-errors=FileAvailable--etc-kubernetes-manifests-kube-controller-manager.yaml \
  --ignore-preflight-errors=FileAvailable--etc-kubernetes-manifests-etcd.yaml \
  --ignore-preflight-errors=Swap \
  --ignore-preflight-errors=CRI \
  && sudo /usr/bin/kubeadm alpha phase addon kube-dns