151 lines
5.1 KiB
YAML
151 lines
5.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: karmada-apiserver
|
|
namespace: karmada-system
|
|
labels:
|
|
app: karmada-apiserver
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: karmada-apiserver
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 1
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: karmada-apiserver
|
|
spec:
|
|
automountServiceAccountToken: false
|
|
affinity:
|
|
podAntiAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- karmada-apiserver
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- command:
|
|
- kube-apiserver
|
|
- --allow-privileged=true
|
|
- --authorization-mode=Node,RBAC
|
|
- --enable-bootstrap-token-auth=true
|
|
- --etcd-cafile=/etc/karmada/pki/etcd-client/ca.crt
|
|
- --etcd-certfile=/etc/karmada/pki/etcd-client/tls.crt
|
|
- --etcd-keyfile=/etc/karmada/pki/etcd-client/tls.key
|
|
- --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
|
|
- --bind-address=0.0.0.0
|
|
- --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount
|
|
- --runtime-config=
|
|
- --secure-port=5443
|
|
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
|
|
- --service-account-key-file=/etc/karmada/pki/service-account-key-pair/sa.pub
|
|
- --service-account-signing-key-file=/etc/karmada/pki/service-account-key-pair/sa.key
|
|
- --service-cluster-ip-range=10.96.0.0/12
|
|
- --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client/tls.crt
|
|
- --proxy-client-key-file=/etc/karmada/pki/front-proxy-client/tls.key
|
|
- --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-client/ca.crt
|
|
- --requestheader-allowed-names=front-proxy-client
|
|
- --requestheader-extra-headers-prefix=X-Remote-Extra-
|
|
- --requestheader-group-headers=X-Remote-Group
|
|
- --requestheader-username-headers=X-Remote-User
|
|
- --tls-cert-file=/etc/karmada/pki/server/tls.crt
|
|
- --tls-private-key-file=/etc/karmada/pki/server/tls.key
|
|
- --client-ca-file=/etc/karmada/pki/server/ca.crt
|
|
- --tls-min-version=VersionTLS13
|
|
name: karmada-apiserver
|
|
image: registry.k8s.io/kube-apiserver:{{karmada_apiserver_version}}
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 8
|
|
httpGet:
|
|
path: /livez
|
|
port: 5443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 15
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /readyz
|
|
port: 5443
|
|
scheme: HTTPS
|
|
periodSeconds: 1
|
|
successThreshold: 1
|
|
timeoutSeconds: 15
|
|
resources:
|
|
requests:
|
|
cpu: 250m
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
volumeMounts:
|
|
- name: server-cert
|
|
mountPath: /etc/karmada/pki/server
|
|
readOnly: true
|
|
- name: etcd-client-cert
|
|
mountPath: /etc/karmada/pki/etcd-client
|
|
readOnly: true
|
|
- name: front-proxy-client-cert
|
|
mountPath: /etc/karmada/pki/front-proxy-client
|
|
readOnly: true
|
|
- name: service-account-key-pair
|
|
mountPath: /etc/karmada/pki/service-account-key-pair
|
|
readOnly: true
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
privileged: false
|
|
volumes:
|
|
- name: server-cert
|
|
secret:
|
|
secretName: karmada-apiserver-cert
|
|
- name: etcd-client-cert
|
|
secret:
|
|
secretName: karmada-apiserver-etcd-client-cert
|
|
- name: front-proxy-client-cert
|
|
secret:
|
|
secretName: karmada-apiserver-front-proxy-client-cert
|
|
- name: service-account-key-pair
|
|
secret:
|
|
secretName: karmada-apiserver-service-account-key-pair
|
|
dnsPolicy: ClusterFirstWithHostNet
|
|
enableServiceLinks: true
|
|
hostNetwork: true
|
|
preemptionPolicy: PreemptLowerPriority
|
|
priority: 2000001000
|
|
priorityClassName: system-node-critical
|
|
restartPolicy: Always
|
|
schedulerName: default-scheduler
|
|
securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
terminationGracePeriodSeconds: 30
|
|
tolerations:
|
|
- effect: NoExecute
|
|
operator: Exists
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: karmada-apiserver
|
|
namespace: karmada-system
|
|
labels:
|
|
app: karmada-apiserver
|
|
spec:
|
|
ports:
|
|
- name: karmada-apiserver-kubectl
|
|
port: 5443
|
|
protocol: TCP
|
|
targetPort: 5443
|
|
selector:
|
|
app: karmada-apiserver
|
|
type: {{service_type}}
|