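#!/bin/bash
#
# Installs the kube-apiserver binary from the bundled gzip blob and
# (re)creates, enables and starts its systemd unit.
#
# Inputs (expected from ../config relative to this script, or the environment):
#   NODE_IP, CA_DIR, ETCD_1_IP, ETCD_2_IP, ETCD_3_IP, SERVICE_NET
# Writes:
#   /usr/local/bin/kube-apiserver
#   /etc/systemd/system/kube-apiserver.service
#
# NOTE(review): the blob is installed and then run as root without any
# integrity check. Verify it against a pinned digest or signature before
# installing; a successful gzip decode only proves the archive is not corrupt.

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

echo ""
echo "... ] INSTALLING KUBE APISERVER [ ..."

script_dir=$(cd "$(dirname "$0")" && pwd) || die "cannot resolve script directory"
readonly script_dir
# NOTE(review): the original reused HOME for the script directory. The
# assignment is kept because the sourced config may reference \$HOME; confirm
# and drop it, since it changes HOME for every child process started below.
HOME=$script_dir

[[ -r "$script_dir/../config" ]] || die "config not readable: $script_dir/../config"
# shellcheck source=/dev/null
source "$script_dir/../config" || die "failed to load $script_dir/../config"

# Strict mode is enabled only after the config is loaded so that the config
# file itself is evaluated exactly as before.
set -euo pipefail

# Refuse to render a unit file with empty addresses or certificate paths.
for required in NODE_IP CA_DIR ETCD_1_IP ETCD_2_IP ETCD_3_IP SERVICE_NET; do
  [[ -n "${!required:-}" ]] || die "$required is empty or unset"
done

# Best effort: on a first install the unit does not exist yet.
systemctl stop kube-apiserver.service || true

readonly blob="$script_dir/../blobs/kube-apiserver.gz"
readonly target=/usr/local/bin/kube-apiserver
[[ -r "$blob" ]] || die "blob not readable: $blob"

# Decompress next to the target and rename into place, so a missing or
# truncated blob can never leave an empty or partial binary at $target.
tmp_bin=$(mktemp "${target}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp_bin"' EXIT
gzip -v -c -d -- "$blob" > "$tmp_bin"
chmod 0755 -- "$tmp_bin"
mv -f -- "$tmp_bin" "$target"

# Hardening notes on the unit below (flags are left exactly as the author
# wrote them; changing them is a deployment decision):
#  - --audit-log-path is set but no --audit-policy-file is passed. On API
#    server versions with policy-based auditing no events are recorded
#    without a policy file; confirm audit events actually reach the log.
#  - --runtime-config=api/all=true serves every API group and version,
#    including alpha ones; enable only the groups the cluster needs.
#  - --allow-privileged=true with no pod-security admission plugin in
#    --enable-admission-plugins leaves privileged pods to RBAC alone.
#  - No --encryption-provider-config is passed, so Secrets are presumably
#    stored unencrypted in etcd unless that is handled elsewhere; verify.
#  - User=root: the API server only needs read access to its keys and write
#    access to the audit log; a dedicated service account would suffice.
# The heredoc is unquoted on purpose: \${VAR} is expanded now and "\\\\"
# is written to the unit file as a single line-continuation backslash.
tee /etc/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
User=root
ExecStart=/usr/local/bin/kube-apiserver \\
--advertise-address=${NODE_IP} \\
--bind-address=${NODE_IP} \\
--secure-port=6443 \\
--allow-privileged=true \\
--anonymous-auth=false \\
--apiserver-count=3 \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/var/log/kube-audit.log \\
--authorization-mode=Node,RBAC \\
--client-ca-file=${CA_DIR}/ca.crt \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,AlwaysPullImages \\
--enable-swagger-ui=false \\
--etcd-cafile="${CA_DIR}/etcd-ca.crt" \\
--etcd-certfile="${CA_DIR}/etcd.crt" \\
--etcd-keyfile="${CA_DIR}/etcd.key" \\
--etcd-servers="https://${ETCD_1_IP}:2379,https://${ETCD_2_IP}:2379,https://${ETCD_3_IP}:2379" \\
--event-ttl=1h \\
--enable-bootstrap-token-auth \\
--kubelet-certificate-authority=${CA_DIR}/ca.crt \\
--kubelet-client-certificate=${CA_DIR}/kube-apiserver-kubelet-client.crt \\
--kubelet-client-key=${CA_DIR}/kube-apiserver-kubelet-client.key \\
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \\
--proxy-client-key-file=${CA_DIR}/aggregator.key \\
--proxy-client-cert-file=${CA_DIR}/aggregator.crt \\
--kubelet-https=true \\
--runtime-config=api/all=true \\
--service-account-lookup=true \\
--service-account-key-file=${CA_DIR}/sa.pub \\
--service-cluster-ip-range=${SERVICE_NET} \\
--service-node-port-range=30000-32767 \\
--tls-cert-file=${CA_DIR}/kube-apiserver.crt \\
--tls-private-key-file=${CA_DIR}/kube-apiserver.key \\
--requestheader-client-ca-file=${CA_DIR}/aggregator-ca.crt \\
--requestheader-allowed-names=aggregator \\
--requestheader-username-headers=X-Remote-User \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-extra-headers-prefix=X-Remote-Extra- \\
--logtostderr=true \\
--v=2

Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

# Under "set -e" a failure in any of these aborts the script with a non-zero
# status instead of silently continuing.
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver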