vendor/k8s.io/kubernetes/cluster/centos/master/scripts/apiserver.sh - cloudstack-kubernetes-provider - Git at Google

 #!/usr/bin/env bash

 # Copyright 2014 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.


 MASTER_ADDRESS=${1:-"8.8.8.18"}
 ETCD_SERVERS=${2:-"https://8.8.8.18:2379"}
 SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"}
 ADMISSION_CONTROL=${4:-""}

 cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
 # --logtostderr=true: log to standard error instead of files
 KUBE_LOGTOSTDERR="--logtostderr=true"

 # --v=0: log level for V logs
 KUBE_LOG_LEVEL="--v=4"

 # --etcd-servers=[]: List of etcd servers to watch (http://ip:port),
 # comma separated. Mutually exclusive with -etcd-config
 KUBE_ETCD_SERVERS="--etcd-servers=${ETCD_SERVERS}"

 # --etcd-cafile="": SSL Certificate Authority file used to secure etcd communication.
 KUBE_ETCD_CAFILE="--etcd-cafile=/srv/kubernetes/etcd/ca.pem"

 # --etcd-certfile="": SSL certification file used to secure etcd communication.
 KUBE_ETCD_CERTFILE="--etcd-certfile=/srv/kubernetes/etcd/client.pem"

 # --etcd-keyfile="": key file used to secure etcd communication.
 KUBE_ETCD_KEYFILE="--etcd-keyfile=/srv/kubernetes/etcd/client-key.pem"

 # --insecure-bind-address=127.0.0.1: The IP address on which to serve the --insecure-port.
 KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"

 # --insecure-port=8080: The port on which to serve unsecured, unauthenticated access.
 KUBE_API_PORT="--insecure-port=8080"

 # --kubelet-port=10250: Kubelet port
 NODE_PORT="--kubelet-port=10250"

 # --advertise-address=<nil>: The IP address on which to advertise
 # the apiserver to members of the cluster.
 KUBE_ADVERTISE_ADDR="--advertise-address=${MASTER_ADDRESS}"

 # --allow-privileged=false: If true, allow privileged containers.
 KUBE_ALLOW_PRIV="--allow-privileged=false"

 # --service-cluster-ip-range=<nil>: A CIDR notation IP range from which to assign service cluster IPs.
 # This must not overlap with any IP ranges assigned to nodes for pods.
 KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"

 # --admission-control="AlwaysAdmit": Ordered list of plug-ins
 # to do admission control of resources into cluster.
 # Comma-delimited list of:
 #   LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
 #   NamespaceLifecycle, NamespaceAutoProvision, AlwaysAdmit,
 #   ServiceAccount, DefaultStorageClass, DefaultTolerationSeconds, ResourceQuota
 # Mark Deprecated. Use --enable-admission-plugins or --disable-admission-plugins instead since v1.10.
 # It will be removed in a future version.
 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"

 # --client-ca-file="": If set, any request presenting a client certificate signed
 # by one of the authorities in the client-ca-file is authenticated with an identity
 # corresponding to the CommonName of the client certificate.
 KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt"

 # --tls-cert-file="": File containing x509 Certificate for HTTPS.  (CA cert, if any,
 # concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file
 # and --tls-private-key-file are not provided, a self-signed certificate and key are
 # generated for the public address and saved to /var/run/kubernetes.
 KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert"

 # --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
 KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key"
 EOF

 KUBE_APISERVER_OPTS="   \${KUBE_LOGTOSTDERR}         \\
                         \${KUBE_LOG_LEVEL}           \\
                         \${KUBE_ETCD_SERVERS}        \\
                         \${KUBE_ETCD_CAFILE}         \\
                         \${KUBE_ETCD_CERTFILE}       \\
                         \${KUBE_ETCD_KEYFILE}        \\
                         \${KUBE_API_ADDRESS}         \\
                         \${KUBE_API_PORT}            \\
                         \${NODE_PORT}                \\
                         \${KUBE_ADVERTISE_ADDR}      \\
                         \${KUBE_ALLOW_PRIV}          \\
                         \${KUBE_SERVICE_ADDRESSES}   \\
                         \${KUBE_ADMISSION_CONTROL}   \\
                         \${KUBE_API_CLIENT_CA_FILE}  \\
                         \${KUBE_API_TLS_CERT_FILE}   \\
                         \${KUBE_API_TLS_PRIVATE_KEY_FILE}"


 cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
 [Unit]
 Description=Kubernetes API Server
 Documentation=https://github.com/kubernetes/kubernetes

 [Service]
 EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
 ExecStart=/opt/kubernetes/bin/kube-apiserver ${KUBE_APISERVER_OPTS}
 Restart=on-failure

 [Install]
 WantedBy=multi-user.target
 EOF

 systemctl daemon-reload
 systemctl enable kube-apiserver
 systemctl restart kube-apiserver
	#!/usr/bin/env bash

	# Copyright 2014 The Kubernetes Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.


	MASTER_ADDRESS=${1:-"8.8.8.18"}
	ETCD_SERVERS=${2:-"https://8.8.8.18:2379"}
	SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"}
	ADMISSION_CONTROL=${4:-""}

	cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
	# --logtostderr=true: log to standard error instead of files
	KUBE_LOGTOSTDERR="--logtostderr=true"

	# --v=0: log level for V logs
	KUBE_LOG_LEVEL="--v=4"

	# --etcd-servers=[]: List of etcd servers to watch (http://ip:port),
	# comma separated. Mutually exclusive with -etcd-config
	KUBE_ETCD_SERVERS="--etcd-servers=${ETCD_SERVERS}"

	# --etcd-cafile="": SSL Certificate Authority file used to secure etcd communication.
	KUBE_ETCD_CAFILE="--etcd-cafile=/srv/kubernetes/etcd/ca.pem"

	# --etcd-certfile="": SSL certification file used to secure etcd communication.
	KUBE_ETCD_CERTFILE="--etcd-certfile=/srv/kubernetes/etcd/client.pem"

	# --etcd-keyfile="": key file used to secure etcd communication.
	KUBE_ETCD_KEYFILE="--etcd-keyfile=/srv/kubernetes/etcd/client-key.pem"

	# --insecure-bind-address=127.0.0.1: The IP address on which to serve the --insecure-port.
	KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"

	# --insecure-port=8080: The port on which to serve unsecured, unauthenticated access.
	KUBE_API_PORT="--insecure-port=8080"

	# --kubelet-port=10250: Kubelet port
	NODE_PORT="--kubelet-port=10250"

	# --advertise-address=<nil>: The IP address on which to advertise
	# the apiserver to members of the cluster.
	KUBE_ADVERTISE_ADDR="--advertise-address=${MASTER_ADDRESS}"

	# --allow-privileged=false: If true, allow privileged containers.
	KUBE_ALLOW_PRIV="--allow-privileged=false"

	# --service-cluster-ip-range=<nil>: A CIDR notation IP range from which to assign service cluster IPs.
	# This must not overlap with any IP ranges assigned to nodes for pods.
	KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"

	# --admission-control="AlwaysAdmit": Ordered list of plug-ins
	# to do admission control of resources into cluster.
	# Comma-delimited list of:
	# LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
	# NamespaceLifecycle, NamespaceAutoProvision, AlwaysAdmit,
	# ServiceAccount, DefaultStorageClass, DefaultTolerationSeconds, ResourceQuota
	# Mark Deprecated. Use --enable-admission-plugins or --disable-admission-plugins instead since v1.10.
	# It will be removed in a future version.
	KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"

	# --client-ca-file="": If set, any request presenting a client certificate signed
	# by one of the authorities in the client-ca-file is authenticated with an identity
	# corresponding to the CommonName of the client certificate.
	KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt"

	# --tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any,
	# concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file
	# and --tls-private-key-file are not provided, a self-signed certificate and key are
	# generated for the public address and saved to /var/run/kubernetes.
	KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert"

	# --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
	KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key"
	EOF

	KUBE_APISERVER_OPTS=" \${KUBE_LOGTOSTDERR} \\
	\${KUBE_LOG_LEVEL} \\
	\${KUBE_ETCD_SERVERS} \\
	\${KUBE_ETCD_CAFILE} \\
	\${KUBE_ETCD_CERTFILE} \\
	\${KUBE_ETCD_KEYFILE} \\
	\${KUBE_API_ADDRESS} \\
	\${KUBE_API_PORT} \\
	\${NODE_PORT} \\
	\${KUBE_ADVERTISE_ADDR} \\
	\${KUBE_ALLOW_PRIV} \\
	\${KUBE_SERVICE_ADDRESSES} \\
	\${KUBE_ADMISSION_CONTROL} \\
	\${KUBE_API_CLIENT_CA_FILE} \\
	\${KUBE_API_TLS_CERT_FILE} \\
	\${KUBE_API_TLS_PRIVATE_KEY_FILE}"


	cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
	[Unit]
	Description=Kubernetes API Server
	Documentation=https://github.com/kubernetes/kubernetes

	[Service]
	EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
	ExecStart=/opt/kubernetes/bin/kube-apiserver ${KUBE_APISERVER_OPTS}
	Restart=on-failure

	[Install]
	WantedBy=multi-user.target
	EOF

	systemctl daemon-reload
	systemctl enable kube-apiserver
	systemctl restart kube-apiserver