357 lines
11 KiB
YAML
357 lines
11 KiB
YAML
apiVersion: cluster.x-k8s.io/v1beta1
|
|
kind: ClusterClass
|
|
metadata:
|
|
name: quick-start
|
|
namespace: default
|
|
spec:
|
|
controlPlane:
|
|
machineHealthCheck:
|
|
unhealthyConditions:
|
|
- status: Unknown
|
|
timeout: 300s
|
|
type: Ready
|
|
- status: "False"
|
|
timeout: 300s
|
|
type: Ready
|
|
machineInfrastructure:
|
|
ref:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
name: quick-start-control-plane
|
|
ref:
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
name: quick-start-control-plane
|
|
infrastructure:
|
|
ref:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerClusterTemplate
|
|
name: quick-start-cluster
|
|
patches:
|
|
- definitions:
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/imageRepository
|
|
valueFrom:
|
|
variable: imageRepository
|
|
selector:
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
matchResources:
|
|
controlPlane: true
|
|
description: Sets the imageRepository used for the KubeadmControlPlane.
|
|
enabledIf: '{{ ne .imageRepository "" }}'
|
|
name: imageRepository
|
|
- definitions:
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/etcd
|
|
valueFrom:
|
|
template: |
|
|
local:
|
|
imageTag: {{ .etcdImageTag }}
|
|
selector:
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
matchResources:
|
|
controlPlane: true
|
|
description: Sets tag to use for the etcd image in the KubeadmControlPlane.
|
|
name: etcdImageTag
|
|
- definitions:
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/dns
|
|
valueFrom:
|
|
template: |
|
|
imageTag: {{ .coreDNSImageTag }}
|
|
selector:
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
matchResources:
|
|
controlPlane: true
|
|
description: Sets tag to use for the etcd image in the KubeadmControlPlane.
|
|
name: coreDNSImageTag
|
|
- definitions:
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/customImage
|
|
valueFrom:
|
|
template: |
|
|
kindest/node:{{ .builtin.machineDeployment.version | replace "+" "_" }}
|
|
selector:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
matchResources:
|
|
machineDeploymentClass:
|
|
names:
|
|
- default-worker
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/template/customImage
|
|
valueFrom:
|
|
template: |
|
|
kindest/node:{{ .builtin.machinePool.version | replace "+" "_" }}
|
|
selector:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachinePoolTemplate
|
|
matchResources:
|
|
machinePoolClass:
|
|
names:
|
|
- default-worker
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/customImage
|
|
valueFrom:
|
|
template: |
|
|
kindest/node:{{ .builtin.controlPlane.version | replace "+" "_" }}
|
|
selector:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
matchResources:
|
|
controlPlane: true
|
|
description: Sets the container image that is used for running dockerMachines for the controlPlane and default-worker machineDeployments.
|
|
name: customImage
|
|
- definitions:
|
|
- jsonPatches:
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs
|
|
value:
|
|
admission-control-config-file: /etc/kubernetes/kube-apiserver-admission-pss.yaml
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes
|
|
value:
|
|
- hostPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
|
|
mountPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
|
|
name: admission-pss
|
|
pathType: File
|
|
readOnly: true
|
|
- op: add
|
|
path: /spec/template/spec/kubeadmConfigSpec/files
|
|
valueFrom:
|
|
template: |
|
|
- content: |
|
|
apiVersion: apiserver.config.k8s.io/v1
|
|
kind: AdmissionConfiguration
|
|
plugins:
|
|
- name: PodSecurity
|
|
configuration:
|
|
apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
|
|
kind: PodSecurityConfiguration
|
|
defaults:
|
|
enforce: "{{ .podSecurityStandard.enforce }}"
|
|
enforce-version: "latest"
|
|
audit: "{{ .podSecurityStandard.audit }}"
|
|
audit-version: "latest"
|
|
warn: "{{ .podSecurityStandard.warn }}"
|
|
warn-version: "latest"
|
|
exemptions:
|
|
usernames: []
|
|
runtimeClasses: []
|
|
namespaces: [kube-system]
|
|
path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
|
|
selector:
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
matchResources:
|
|
controlPlane: true
|
|
description: Adds an admission configuration for PodSecurity to the kube-apiserver.
|
|
enabledIf: '{{ .podSecurityStandard.enabled }}'
|
|
name: podSecurityStandard
|
|
variables:
|
|
- name: imageRepository
|
|
required: true
|
|
schema:
|
|
openAPIV3Schema:
|
|
default: ""
|
|
description: imageRepository sets the container registry to pull images from.
|
|
If empty, nothing will be set and the from of kubeadm will be used.
|
|
example: registry.k8s.io
|
|
type: string
|
|
- name: etcdImageTag
|
|
required: true
|
|
schema:
|
|
openAPIV3Schema:
|
|
default: ""
|
|
description: etcdImageTag sets the tag for the etcd image.
|
|
example: 3.5.3-0
|
|
type: string
|
|
- name: coreDNSImageTag
|
|
required: true
|
|
schema:
|
|
openAPIV3Schema:
|
|
default: ""
|
|
description: coreDNSImageTag sets the tag for the coreDNS image.
|
|
example: v1.8.5
|
|
type: string
|
|
- name: podSecurityStandard
|
|
required: false
|
|
schema:
|
|
openAPIV3Schema:
|
|
properties:
|
|
audit:
|
|
default: restricted
|
|
description: audit sets the level for the audit PodSecurityConfiguration mode. One of privileged, baseline, restricted.
|
|
type: string
|
|
enabled:
|
|
default: true
|
|
description: enabled enables the patches to enable Pod Security Standard via AdmissionConfiguration.
|
|
type: boolean
|
|
enforce:
|
|
default: baseline
|
|
description: enforce sets the level for the enforce PodSecurityConfiguration mode. One of privileged, baseline, restricted.
|
|
type: string
|
|
warn:
|
|
default: restricted
|
|
description: warn sets the level for the warn PodSecurityConfiguration mode. One of privileged, baseline, restricted.
|
|
type: string
|
|
type: object
|
|
workers:
|
|
machineDeployments:
|
|
- class: default-worker
|
|
machineHealthCheck:
|
|
unhealthyConditions:
|
|
- status: Unknown
|
|
timeout: 300s
|
|
type: Ready
|
|
- status: "False"
|
|
timeout: 300s
|
|
type: Ready
|
|
template:
|
|
bootstrap:
|
|
ref:
|
|
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmConfigTemplate
|
|
name: quick-start-default-worker-bootstraptemplate
|
|
infrastructure:
|
|
ref:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
name: quick-start-default-worker-machinetemplate
|
|
machinePools:
|
|
- class: default-worker
|
|
template:
|
|
bootstrap:
|
|
ref:
|
|
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmConfigTemplate
|
|
name: quick-start-default-worker-bootstraptemplate
|
|
infrastructure:
|
|
ref:
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachinePoolTemplate
|
|
name: quick-start-default-worker-machinepooltemplate
|
|
---
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerClusterTemplate
|
|
metadata:
|
|
name: quick-start-cluster
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec: {}
|
|
---
|
|
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmControlPlaneTemplate
|
|
metadata:
|
|
name: quick-start-control-plane
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec:
|
|
kubeadmConfigSpec:
|
|
clusterConfiguration:
|
|
apiServer:
|
|
certSANs:
|
|
- localhost
|
|
- 127.0.0.1
|
|
- 0.0.0.0
|
|
- host.docker.internal
|
|
initConfiguration:
|
|
nodeRegistration: {}
|
|
joinConfiguration:
|
|
nodeRegistration: {}
|
|
---
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
metadata:
|
|
name: quick-start-control-plane
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec:
|
|
extraMounts:
|
|
- containerPath: /var/run/docker.sock
|
|
hostPath: /var/run/docker.sock
|
|
---
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachineTemplate
|
|
metadata:
|
|
name: quick-start-default-worker-machinetemplate
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec:
|
|
extraMounts:
|
|
- containerPath: /var/run/docker.sock
|
|
hostPath: /var/run/docker.sock
|
|
---
|
|
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
|
|
kind: DockerMachinePoolTemplate
|
|
metadata:
|
|
name: quick-start-default-worker-machinepooltemplate
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec:
|
|
template: {}
|
|
---
|
|
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
|
|
kind: KubeadmConfigTemplate
|
|
metadata:
|
|
name: quick-start-default-worker-bootstraptemplate
|
|
namespace: default
|
|
spec:
|
|
template:
|
|
spec:
|
|
joinConfiguration:
|
|
nodeRegistration: {}
|
|
---
|
|
apiVersion: cluster.x-k8s.io/v1beta1
|
|
kind: Cluster
|
|
metadata:
|
|
name: capi-quickstart
|
|
namespace: default
|
|
spec:
|
|
clusterNetwork:
|
|
pods:
|
|
cidrBlocks:
|
|
- 192.168.0.0/16
|
|
serviceDomain: cluster.local
|
|
services:
|
|
cidrBlocks:
|
|
- 10.128.0.0/12
|
|
topology:
|
|
class: quick-start
|
|
controlPlane:
|
|
metadata: {}
|
|
replicas: 1
|
|
variables:
|
|
- name: imageRepository
|
|
value: ""
|
|
- name: etcdImageTag
|
|
value: ""
|
|
- name: coreDNSImageTag
|
|
value: ""
|
|
- name: podSecurityStandard
|
|
value:
|
|
audit: restricted
|
|
enabled: true
|
|
enforce: baseline
|
|
warn: restricted
|
|
version: v1.33.0
|
|
workers:
|
|
machineDeployments:
|
|
- class: default-worker
|
|
name: md-0
|
|
replicas: 3
|