apiVersion: apps/v1 kind: Deployment metadata: name: karmada-apiserver namespace: karmada-system labels: app: karmada-apiserver spec: replicas: 1 selector: matchLabels: app: karmada-apiserver strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: app: karmada-apiserver spec: automountServiceAccountToken: false affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - karmada-apiserver topologyKey: kubernetes.io/hostname containers: - command: - kube-apiserver - --allow-privileged=true - --authorization-mode=Node,RBAC - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/karmada/pki/etcd-client/ca.crt - --etcd-certfile=/etc/karmada/pki/etcd-client/tls.crt - --etcd-keyfile=/etc/karmada/pki/etcd-client/tls.key - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379 - --bind-address=0.0.0.0 - --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount - --runtime-config= - --secure-port=5443 - --service-account-issuer=https://kubernetes.default.svc.cluster.local - --service-account-key-file=/etc/karmada/pki/service-account-key-pair/sa.pub - --service-account-signing-key-file=/etc/karmada/pki/service-account-key-pair/sa.key - --service-cluster-ip-range=10.96.0.0/12 - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client/tls.crt - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client/tls.key - --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-client/ca.crt - --requestheader-allowed-names=front-proxy-client - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --tls-cert-file=/etc/karmada/pki/server/tls.crt - --tls-private-key-file=/etc/karmada/pki/server/tls.key - --client-ca-file=/etc/karmada/pki/server/ca.crt - --tls-min-version=VersionTLS13 name: karmada-apiserver image: registry.k8s.io/kube-apiserver:{{karmada_apiserver_version}} imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 httpGet: path: /livez port: 5443 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 15 readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: 5443 scheme: HTTPS periodSeconds: 1 successThreshold: 1 timeoutSeconds: 15 resources: requests: cpu: 250m terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - name: server-cert mountPath: /etc/karmada/pki/server readOnly: true - name: etcd-client-cert mountPath: /etc/karmada/pki/etcd-client readOnly: true - name: front-proxy-client-cert mountPath: /etc/karmada/pki/front-proxy-client readOnly: true - name: service-account-key-pair mountPath: /etc/karmada/pki/service-account-key-pair readOnly: true volumes: - name: server-cert secret: secretName: karmada-apiserver-cert - name: etcd-client-cert secret: secretName: karmada-apiserver-etcd-client-cert - name: front-proxy-client-cert secret: secretName: karmada-apiserver-front-proxy-client-cert - name: service-account-key-pair secret: secretName: karmada-apiserver-service-account-key-pair dnsPolicy: ClusterFirstWithHostNet enableServiceLinks: true hostNetwork: true preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute operator: Exists --- apiVersion: v1 kind: Service metadata: name: karmada-apiserver namespace: karmada-system labels: app: karmada-apiserver spec: ports: - name: karmada-apiserver-kubectl port: 5443 protocol: TCP targetPort: 5443 selector: app: karmada-apiserver type: {{service_type}}