-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.yaml
290 lines (287 loc) · 10.5 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
options:
audit-policy:
type: string
default: |
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
# Don't log read-only requests from the apiserver
- level: None
users: ["system:apiserver"]
verbs: ["get", "list", "watch"]
# Don't log kube-proxy watches
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- resources: ["endpoints", "services"]
# Don't log nodes getting their own status
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- resources: ["nodes"]
# Don't log kube-controller-manager and kube-scheduler getting endpoints
- level: None
users: ["system:unsecured"]
namespaces: ["kube-system"]
verbs: ["get"]
resources:
- resources: ["endpoints"]
# Log everything else at the Request level.
- level: Request
omitStages:
- RequestReceived
description: |
Audit policy passed to kube-apiserver via --audit-policy-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
audit-webhook-config:
type: string
default: ""
description: |
Audit webhook config passed to kube-apiserver via --audit-webhook-config-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
addons-registry:
type: string
default: ""
description: |
Specify the docker registry to use when applying addons.
DEPRECATED in 1.15: Use the broader 'image-registry' config option instead. If both
options are set, 'addons-registry' will be used to configure the cdk-addons snap until
v1.17 is released. After that, the 'addons-registry' option will have no effect.
image-registry:
type: string
default: "image-registry.canonical.com:5000/cdk"
description: |
Container image registry to use for CDK. This includes addons like the Kubernetes dashboard,
metrics server, ingress, and dns along with non-addon images including the pause
container and default backend image.
enable-dashboard-addons:
type: boolean
default: true
description: Deploy the Kubernetes Dashboard and Heapster addons
dns-provider:
type: string
default: "auto"
description: |
DNS provider addon to use. Can be "auto", "core-dns", "kube-dns", or
"none".
CoreDNS is only supported on Kubernetes 1.14+.
When set to "auto", the behavior is as follows:
- New deployments of Kubernetes 1.14+ will use CoreDNS
- New deployments of Kubernetes 1.13 or older will use KubeDNS
- Upgraded deployments will continue to use whichever provider was
previously used.
dns_domain:
type: string
default: cluster.local
description: The local domain for cluster dns
extra_sans:
type: string
default: ""
description: |
Space-separated list of extra SAN entries to add to the x509 certificate
created for the master nodes.
service-cidr:
type: string
default: 10.152.183.0/24
description: CIDR to user for Kubernetes services. Cannot be changed after deployment.
allow-privileged:
type: string
default: "auto"
description: |
Allow kube-apiserver to run in privileged mode. Supported values are
"true", "false", and "auto". If "true", kube-apiserver will run in
privileged mode by default. If "false", kube-apiserver will never run in
privileged mode. If "auto", kube-apiserver will not run in privileged
mode by default, but will switch to privileged mode if gpu hardware is
detected on a worker node.
enable-nvidia-plugin:
type: string
default: "auto"
description: |
Load the nvidia device plugin daemonset. Supported values are
"auto" and "false". When "auto", the daemonset will be loaded
only if GPUs are detected. When "false" the nvidia device plugin
will not be loaded.
channel:
type: string
default: "1.15/stable"
description: |
Snap channel to install Kubernetes master services from
client_password:
type: string
default: ""
description: |
Password to be used for admin user (leave empty for random password).
api-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-apiserver. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-apiserver being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
controller-manager-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-controller-manager. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-controller-manager being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
scheduler-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-scheduler. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-scheduler being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
authorization-mode:
type: string
default: "AlwaysAllow"
description: |
Comma separated authorization modes. Allowed values are
"RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
require-manual-upgrade:
type: boolean
default: true
description: |
When true, master nodes will not be upgraded until the user triggers
it manually by running the upgrade action.
storage-backend:
type: string
default: "auto"
description: |
The storage backend for kube-apiserver persistence. Can be "etcd2", "etcd3", or
"auto". Auto mode will select etcd3 on new installations, or etcd2 on upgrades.
enable-metrics:
type: boolean
default: true
description: |
If true the metrics server for Kubernetes will be deployed onto the cluster.
snapd_refresh:
default: "max"
type: string
description: |
How often snapd handles updates for installed snaps. Setting an empty
string will check 4x per day. Set to "max" to delay the refresh as long
as possible. You may also set a custom string as described in the
'refresh.timer' section here:
https://forum.snapcraft.io/t/system-options/87
default-storage:
type: string
default: "auto"
description: |
The storage class to make the default storage class. Allowed values are "auto",
"none", "ceph-xfs", "ceph-ext4". Note: Only works in Kubernetes >= 1.10
keystone-policy:
default: |
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-auth-policy
namespace: kube-system
labels:
k8s-app: k8s-keystone-auth
data:
policies: |
[
{
"resource": {
"verbs": ["get", "list", "watch"],
"resources": ["*"],
"version": "*",
"namespace": "*"
},
"match": [
{
"type": "role",
"values": ["k8s-viewers"]
},
{
"type": "project",
"values": ["k8s"]
}
]
},
{
"resource": {
"verbs": ["*"],
"resources": ["*"],
"version": "*",
"namespace": "default"
},
"match": [
{
"type": "role",
"values": ["k8s-users"]
},
{
"type": "project",
"values": ["k8s"]
}
]
},
{
"resource": {
"verbs": ["*"],
"resources": ["*"],
"version": "*",
"namespace": "*"
},
"match": [
{
"type": "role",
"values": ["k8s-admins"]
},
{
"type": "project",
"values": ["k8s"]
}
]
}
]
type: string
description: |
Policy for Keystone authentication. This is used when a Keystone charm is
related to kubernetes-master in order to provide authentication and authorization
for Keystone users on the Kubernetes cluster.
enable-keystone-authorization:
type: boolean
default: false
description: |
If true and the Keystone charm is related, users will authorize against
the Keystone server. Note that if related, users will always authenticate
against Keystone.
keystone-ssl-ca:
type: string
description: |
Keystone certificate authority encoded in base64 for securing communications to Keystone.
For example: `juju config kubernetes-master keystone-ssl-ca=$(base64 /path/to/ca.crt)`
default: ""
dashboard-auth:
type: string
description: |
Method of authentication for the Kubernetes dashboard. Allowed values are "auto",
"basic", and "token". If set to "auto", basic auth is used unless Keystone is
related to kubernetes-master, in which case token auth is used.
default: "auto"
loadbalancer-ips:
type: string
description: |
Space separated list of IP addresses of loadbalancers in front of the control plane.
These can be either virtual IP addresses that have been floated in front of the control
plane or the IP of a loadbalancer appliance such as an F5. Workers will alternate IP
addresses from this list to distribute load - for example If you have 2 IPs and 4 workers,
each IP will be used by 2 workers. Note that this will only work if kubeapi-load-balancer
is not in use and there is a relation between kubernetes-master:kube-api-endpoint and
kubernetes-worker:kube-api-endpoint. If using the kubeapi-load-balancer, see the
loadbalancer-ips configuration variable on the kubeapi-load-balancer charm.
default: ""