Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure kubelet and API server flags for CAPO clusters #687

Closed
Tracked by #600
cornelius-keller opened this issue Jan 10, 2022 · 4 comments
Closed
Tracked by #600

Configure kubelet and API server flags for CAPO clusters #687

cornelius-keller opened this issue Jan 10, 2022 · 4 comments
Assignees
@erkanerol
Labels
area/kaas Mission: Cloud Native Platform - Self-driving Kubernetes as a Service component/cluster-openstack epic/capo team/rocket Team Rocket
Milestone
CAPI Openstack Beta

Comments

@cornelius-keller
Copy link
Contributor

User Story

  • As a giant swarm user I want the kubelet and api-server configured according to the giant swarm standards, so that I have the same user experience and basic feature set on CAPO as on the other providers.
@cornelius-keller
Copy link
Contributor Author

see #487 for the kubelet and API server configuration on CAPA

@cornelius-keller cornelius-keller added this to the CAPI Openstack Beta milestone Jan 11, 2022
@cornelius-keller cornelius-keller added area/kaas Mission: Cloud Native Platform - Self-driving Kubernetes as a Service team/rocket Team Rocket labels Jan 11, 2022
@cornelius-keller cornelius-keller mentioned this issue Jan 11, 2022
Closed
73 tasks
@erkanerol erkanerol self-assigned this Apr 19, 2022
@kopiczko kopiczko self-assigned this May 13, 2022
@kopiczko
Copy link

The vintage flags can be in found #487

Taken from gubble:

apiserver

    - kube-apiserver
    - --advertise-address=10.6.0.241
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cloud-provider=external
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --oidc-client-id=dex-k8s-authenticator
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://dex.a.b.c.com
    - --oidc-username-claim=email
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

kubelet

CP:

/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cloud-provider=external --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --pod-infra-container-image=k8s.gcr.io/pause:3.5 --pod-infra-container-image=k8s.gcr.io/pause:3.6

$ sudo cat /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

worker:

/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cloud-provider=external --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --node-labels=giantswarm.io/node-pool=default-3 --pod-infra-container-image=k8s.gcr.io/pause:3.5 --pod-infra-container-image=k8s.gcr.io/pause:3.6

$ sudo cat /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

@kopiczko
Copy link

For encryption at REST I found this https://github.com/giantswarm/encryption-provider-operator but it requires some learning on how it works. From a quick glance it runs in a MC and connects to remote WCs from there. It also installs https://github.com/giantswarm/encryption-config-hasher by creating Chart CRs in the WC.

@erkanerol
Copy link

erkanerol commented May 18, 2022
edited
Loading

We decided to create separate issues for audit log and encryption at rest:

@erkanerol erkanerol mentioned this issue May 20, 2022
Merged
4 tasks
@kopiczko kopiczko removed their assignment May 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@erkanerol erkanerol

Labels
area/kaas Mission: Cloud Native Platform - Self-driving Kubernetes as a Service component/cluster-openstack epic/capo team/rocket Team Rocket
Projects
None yet
Milestone
CAPI Openstack Beta
Development

No branches or pull requests
3 participants
@cornelius-keller @kopiczko @erkanerol