-
Notifications
You must be signed in to change notification settings - Fork 36
/
config.yaml
301 lines (285 loc) · 12.7 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
options:
allow-privileged:
type: string
default: "auto"
description: |
Allow kube-apiserver to run in privileged mode. Supported values are
"true", "false", and "auto". If "true", kube-apiserver will run in
privileged mode by default. If "false", kube-apiserver will never run in
privileged mode. If "auto", kube-apiserver will not run in privileged
mode by default, unless certain circumstances are discovered
* gpu hardware is detected on a worker node
* openstack-integrator successfully related
api-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-apiserver. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-apiserver being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
audit-policy:
type: string
default: |
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Don't log read-only requests from the apiserver
- level: None
users: ["system:apiserver"]
verbs: ["get", "list", "watch"]
# Don't log kube-proxy watches
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- resources: ["endpoints", "services"]
# Don't log nodes getting their own status
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- resources: ["nodes"]
# Don't log kube-controller-manager and kube-scheduler getting endpoints
- level: None
users: ["system:unsecured"]
namespaces: ["kube-system"]
verbs: ["get"]
resources:
- resources: ["endpoints"]
# Log everything else at the Request level.
- level: Request
omitStages:
- RequestReceived
description: |
Audit policy passed to kube-apiserver via --audit-policy-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
audit-webhook-config:
type: string
default: ""
description: |
Audit webhook config passed to kube-apiserver via --audit-webhook-config-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
authn-webhook-endpoint:
type: string
default: ""
description: |
Custom endpoint to check when authenticating kube-apiserver requests.
This must be an https url accessible by the kubernetes-control-plane units. For example:
https://your.server:8443/authenticate
When a JSON-serialized TokenReview object is POSTed to this endpoint, it must
respond with appropriate authentication details. For more info, please refer
to the upstream documentation at
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
authorization-mode:
type: string
default: "Node,RBAC"
description: |
Comma separated authorization modes. Allowed values are
"RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
authorization-webhook-config-file:
type: string
default: ""
description: |
Authorization webhook config passed to kube-apiserver via --authorization-webhook-config-file.
For more info, please refer to the upstream documentation at
https://kubernetes.io/docs/reference/access-authn-authz/webhook/
channel:
type: string
default: "latest/edge"
description: |
Snap channel to install Kubernetes control plane services from
controller-manager-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-controller-manager. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-controller-manager being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
default-cni:
type: string
default: ""
description: |
Default CNI network to use when multiple CNI subordinates are related.
The value of this config should be the application name of a related CNI
subordinate. For example:
juju config kubernetes-control-plane default-cni=flannel
If unspecified, then the default CNI network is chosen alphabetically.
default-storage:
type: string
default: "auto"
description: |-
The storage class to make the default storage class.
Setting to "auto" is the same as setting "ceph-xfs"
Any value is allowed, if it matches the name of a storage class,
it alone will be selected as the default storage class for the cluster.
dns_domain:
type: string
default: cluster.local
description: The local domain for cluster dns
dns-provider:
type: string
default: "auto"
description: |
DNS provider addon to use. Can be "auto", "core-dns", or "none".
CoreDNS is only supported on Kubernetes 1.14+.
When set to "auto", the behavior is as follows:
- New deployments of Kubernetes 1.14+ will use CoreDNS
- Upgraded deployments will continue to use whichever provider was
previously used.
enable-dashboard-addons:
type: boolean
default: true
description: Deploy the Kubernetes Dashboard
enable-nvidia-plugin:
type: string
default: "false"
description: |
Deprecation notice: This option is deprecated and may be removed in a future release.
If set to anything other than "false", the charm will be blocked with an error message.
Consult https://ubuntu.com/kubernetes/docs/gpu-workers to learn how to deploy GPU workers.
enable-metrics:
type: boolean
default: true
description: |
If true the metrics server for Kubernetes will be deployed onto the cluster
managed entirely by kubernetes addons. Consider disabling this option and deploying
`kubernetes-metrics-server-operator` into a kubernetes model.
extra_sans:
type: string
default: ""
description: |
Space-separated list of extra SAN entries to add to the x509 certificate
created for the control plane nodes.
ha-cluster-vip:
type: string
description: |
Virtual IP for the charm to use with the HA Cluster subordinate charm
Mutually exclusive with ha-cluster-dns. Multiple virtual IPs are
separated by spaces.
default: ""
ha-cluster-dns:
type: string
description: |
DNS entry to use with the HA Cluster subordinate charm.
Mutually exclusive with ha-cluster-vip.
default: ""
ignore-kube-system-pods:
type: string
default: ""
description: |
Space separated list of pod names in the kube-system namespace to ignore
when checking for running pods. Any non-Running Pod whose name is on
this list, will be ignored during the check.
image-registry:
type: string
default: "rocks.canonical.com:443/cdk"
description: |
Container image registry to use for CDK. This includes addons like the Kubernetes dashboard,
metrics server, ingress, and dns along with non-addon images including the pause
container and default backend image.
kubelet-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kubelet. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kubelet being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
Note: As of Kubernetes 1.10.x, many of Kubelet's args have been deprecated, and can
be set with kubelet-extra-config instead.
kubelet-extra-config:
default: "{}"
type: string
description: |
Extra configuration to be passed to kubelet. Any values specified in this
config will be merged into a KubeletConfiguration file that is passed to
the kubelet service via the --config flag. This can be used to override
values provided by the charm.
The value for this config must be a YAML mapping that can be safely
merged with a KubeletConfiguration file. For example:
{evictionHard: {memory.available: 200Mi}}
For more information about KubeletConfiguration, see upstream docs:
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
labels:
type: string
default: "node-role.kubernetes.io/control-plane="
description: |
Labels can be used to organize and to select subsets of nodes in the
cluster. Declare node labels in key=value format, separated by spaces.
loadbalancer-ips:
type: string
description: |
Space separated list of IP addresses of loadbalancers in front of the control plane.
These can be either virtual IP addresses that have been floated in front of the control
plane or the IP of a loadbalancer appliance such as an F5. Currently, workers will only
use the first address that is specified.
default: ""
proxy-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-proxy. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-apiserver being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
proxy-extra-config:
default: "{}"
type: string
description: |
Extra configuration to be passed to kube-proxy. Any values specified in
this config will be merged into a KubeProxyConfiguration file that is
passed to the kube-proxy service via the --config flag. This can be used
to override values provided by the charm.
The value for this config must be a YAML mapping that can be safely
merged with a KubeProxyConfiguration file. For example:
{mode: ipvs, ipvs: {strictARP: true}}
For more information about KubeProxyConfiguration, see upstream docs:
https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/
register-with-taints:
type: string
default: "node-role.kubernetes.io/control-plane:NoSchedule"
description: |
Space-separated list of taints to apply to this node at registration time.
This config is only used at deploy time when Kubelet first registers the
node with Kubernetes. To change node taints after deploy time, use kubectl
instead.
For more information, see the upstream Kubernetes documentation about
taints:
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
scheduler-extra-args:
type: string
default: ""
description: |
Space separated list of flags and key=value pairs that will be passed as arguments to
kube-scheduler. For example a value like this:
runtime-config=batch/v2alpha1=true profiling=true
will result in kube-scheduler being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true
service-cidr:
type: string
default: 10.152.183.0/24
description: |
CIDR to use for Kubernetes services. After deployment it is
only possible to increase the size of the IP range. It is not possible to
change or shrink the address range after deployment.
sysctl:
type: string
default: "{net.ipv4.conf.all.forwarding: 1, net.ipv4.conf.all.rp_filter: 1, net.ipv4.neigh.default.gc_thresh1: 128, net.ipv4.neigh.default.gc_thresh2: 28672, net.ipv4.neigh.default.gc_thresh3: 32768, net.ipv6.neigh.default.gc_thresh1: 128, net.ipv6.neigh.default.gc_thresh2: 28672, net.ipv6.neigh.default.gc_thresh3: 32768, fs.inotify.max_user_instances: 8192, fs.inotify.max_user_watches: 1048576, kernel.panic: 10, kernel.panic_on_oops: 1, vm.overcommit_memory: 1}"
description: |
YAML formatted associative array of sysctl values, e.g.:
'{kernel.pid_max: 4194303}'. Note that kube-proxy handles
the conntrack settings. The proper way to alter them is to
use the proxy-extra-args config to set them, e.g.:
juju config kubernetes-control-plane proxy-extra-args="conntrack-min=1000000 conntrack-max-per-core=250000"
juju config kubernetes-worker proxy-extra-args="conntrack-min=1000000 conntrack-max-per-core=250000"
The proxy-extra-args conntrack-min and conntrack-max-per-core can be set to 0 to ignore
kube-proxy's settings and use the sysctl settings instead. Note the fundamental difference between
the setting of conntrack-max-per-core vs nf_conntrack_max.