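#!/usr/bin/env bash

# Copyright 2014 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configure and start kube-apiserver on a CentOS master:
#   1. write the EnvironmentFile the systemd unit reads its flags from,
#   2. write the systemd unit itself,
#   3. reload systemd, enable the unit and restart it.
#
# Usage: apiserver.sh [MASTER_ADDRESS] [ETCD_SERVERS] [SERVICE_CLUSTER_IP_RANGE] [ADMISSION_CONTROL]
#   $1  address the apiserver advertises to cluster members (default 8.8.8.18)
#   $2  comma-separated etcd endpoints                       (default https://8.8.8.18:2379)
#   $3  CIDR from which service cluster IPs are assigned     (default 10.10.10.0/24)
#   $4  comma-separated admission plug-ins                   (default empty)
#
# Writes under /opt/kubernetes/cfg and /usr/lib/systemd/system and calls
# systemctl, so it is expected to run as root. Any failed step now aborts the
# script instead of silently continuing to `systemctl restart`.

set -euo pipefail

MASTER_ADDRESS=${1:-"8.8.8.18"}
ETCD_SERVERS=${2:-"https://8.8.8.18:2379"}
SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"}
ADMISSION_CONTROL=${4:-""}

readonly KUBE_APISERVER_CFG=/opt/kubernetes/cfg/kube-apiserver
readonly KUBE_APISERVER_UNIT=/usr/lib/systemd/system/kube-apiserver.service

# Each flag is referenced as a literal \${VAR} followed by a backslash so the
# unit's ExecStart carries systemd variable references and line continuations;
# systemd expands them from the EnvironmentFile when the service starts.
KUBE_APISERVER_OPTS=" \${KUBE_LOGTOSTDERR} \\
\${KUBE_LOG_LEVEL} \\
\${KUBE_ETCD_SERVERS} \\
\${KUBE_ETCD_CAFILE} \\
\${KUBE_ETCD_CERTFILE} \\
\${KUBE_ETCD_KEYFILE} \\
\${KUBE_API_ADDRESS} \\
\${KUBE_API_PORT} \\
\${NODE_PORT} \\
\${KUBE_ADVERTISE_ADDR} \\
\${KUBE_ALLOW_PRIV} \\
\${KUBE_SERVICE_ADDRESSES} \\
\${KUBE_ADMISSION_CONTROL} \\
\${KUBE_API_CLIENT_CA_FILE} \\
\${KUBE_API_TLS_CERT_FILE} \\
\${KUBE_API_TLS_PRIVATE_KEY_FILE}"
readonly KUBE_APISERVER_OPTS

#######################################
# Write the EnvironmentFile consumed by the kube-apiserver unit.
# Globals:   MASTER_ADDRESS, ETCD_SERVERS, SERVICE_CLUSTER_IP_RANGE,
#            ADMISSION_CONTROL (read)
# Arguments: $1 - destination path of the environment file
# Outputs:   none
# Returns:   non-zero if the directory or file cannot be written
#######################################
write_apiserver_config() {
  local cfg=$1
  # The original script assumed the directory already existed and a missing
  # one made `cat` fail silently; create it so the failure mode is explicit.
  mkdir -p -- "${cfg%/*}"
  # Security note on the generated flags (kept out of the file so its content
  # is unchanged): --insecure-bind-address=0.0.0.0 with --insecure-port=8080
  # serves the API with no authentication or authorization on every interface.
  # Keep that port reachable only from the master's own components (host
  # firewall) or bind it to 127.0.0.1 if nothing remote needs it.
  # The certificate/key paths below are referenced, not created, here; they
  # are presumably produced by another step of the CentOS setup.
  cat <<EOF >"${cfg}"
# --logtostderr=true: log to standard error instead of files
KUBE_LOGTOSTDERR="--logtostderr=true"

# --v=0: log level for V logs
KUBE_LOG_LEVEL="--v=4"

# --etcd-servers=[]: List of etcd servers to watch (http://ip:port),
# comma separated. Mutually exclusive with -etcd-config
KUBE_ETCD_SERVERS="--etcd-servers=${ETCD_SERVERS}"

# --etcd-cafile="": SSL Certificate Authority file used to secure etcd communication.
KUBE_ETCD_CAFILE="--etcd-cafile=/srv/kubernetes/etcd/ca.pem"

# --etcd-certfile="": SSL certification file used to secure etcd communication.
KUBE_ETCD_CERTFILE="--etcd-certfile=/srv/kubernetes/etcd/client.pem"

# --etcd-keyfile="": key file used to secure etcd communication.
KUBE_ETCD_KEYFILE="--etcd-keyfile=/srv/kubernetes/etcd/client-key.pem"

# --insecure-bind-address=127.0.0.1: The IP address on which to serve the --insecure-port.
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"

# --insecure-port=8080: The port on which to serve unsecured, unauthenticated access.
KUBE_API_PORT="--insecure-port=8080"

# --kubelet-port=10250: Kubelet port
NODE_PORT="--kubelet-port=10250"

# --advertise-address=<nil>: The IP address on which to advertise
# the apiserver to members of the cluster.
KUBE_ADVERTISE_ADDR="--advertise-address=${MASTER_ADDRESS}"

# --allow-privileged=false: If true, allow privileged containers.
KUBE_ALLOW_PRIV="--allow-privileged=false"

# --service-cluster-ip-range=<nil>: A CIDR notation IP range from which to assign service cluster IPs.
# This must not overlap with any IP ranges assigned to nodes for pods.
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"

# --admission-control="AlwaysAdmit": Ordered list of plug-ins
# to do admission control of resources into cluster.
# Comma-delimited list of:
# LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
# NamespaceLifecycle, NamespaceAutoProvision, AlwaysAdmit,
# ServiceAccount, DefaultStorageClass, DefaultTolerationSeconds, ResourceQuota
# Mark Deprecated. Use --enable-admission-plugins or --disable-admission-plugins instead since v1.10.
# It will be removed in a future version.
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"

# --client-ca-file="": If set, any request presenting a client certificate signed
# by one of the authorities in the client-ca-file is authenticated with an identity
# corresponding to the CommonName of the client certificate.
KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt"

# --tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any,
# concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file
# and --tls-private-key-file are not provided, a self-signed certificate and key are
# generated for the public address and saved to /var/run/kubernetes.
KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert"

# --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key"
EOF
}

#######################################
# Write the systemd unit for kube-apiserver.
# Globals:   KUBE_APISERVER_OPTS (read)
# Arguments: $1 - destination path of the unit file
#            $2 - path of the EnvironmentFile the unit should load
# Outputs:   none
# Returns:   non-zero if the file cannot be written
#######################################
write_apiserver_unit() {
  local unit=$1
  local env_file=$2
  # The leading "-" on EnvironmentFile tells systemd not to fail the unit if
  # the file is missing; the apiserver would then start with no flags at all.
  cat <<EOF >"${unit}"
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-${env_file}
ExecStart=/opt/kubernetes/bin/kube-apiserver ${KUBE_APISERVER_OPTS}
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Entry point: write both files, then enable and (re)start the service.
# Globals:   KUBE_APISERVER_CFG, KUBE_APISERVER_UNIT (read)
# Arguments: none (positional parameters are consumed at file scope)
# Returns:   non-zero if any step fails, including a failed restart
#######################################
main() {
  write_apiserver_config "${KUBE_APISERVER_CFG}"
  write_apiserver_unit "${KUBE_APISERVER_UNIT}" "${KUBE_APISERVER_CFG}"

  systemctl daemon-reload
  systemctl enable kube-apiserver
  systemctl restart kube-apiserver
}

main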