---
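KubeadmControlPlaneTemplate:
  # Control-plane patch set (Cluster API ClusterClass inline jsonPatches), restored
  # to proper YAML nesting; templates are Go text/template rendered by the topology
  # controller, so lines inside `template: |` are raw text, not YAML comments.
  # NOTE(review): the JSON-pointer prefix "/s/t/s/" looks abbreviated (presumably
  # /spec/template/spec) — confirm against the real ClusterClass before reuse.
  # NOTE(review): several boolean-typed fields are written as strings ("true" for
  # readOnly / ntp.enabled / hostNetwork, 'true' for selector.matchResources.controlPlane);
  # confirm the consumer coerces them, otherwise write bare `true`.
  jsonPatches:
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes"
      value: []

    # etcd extraArgs: user-supplied args are copied through; the hardened cipher
    # list is injected only when the user did not set "cipher-suites" themselves.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/extraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/extraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{- range $key, $val := .etcdExtraArgs }}
          {{- if eq $key "cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}

    # kube-apiserver extraArgs: same pass-through; "tls-cipher-suites" and
    # "cloud-provider: external" are added only when absent from the user's args.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{ $containCloudProvider := false }}
          {{- range $key, $val := .apiServerExtraArgs }}
          {{- if eq $key "tls-cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{- if eq $key "cloud-provider" }}
          {{- $containCloudProvider = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          tls-cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}
          {{- if not $containCloudProvider }}
          cloud-provider: external
          {{- end }}

    # kube-scheduler extraArgs: pass-through plus default "tls-cipher-suites".
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{- range $key, $val := .kubeSchedulerExtraArgs }}
          {{- if eq $key "tls-cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          tls-cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}

    # kube-controller-manager extraArgs: pass-through plus default cipher suites
    # and "cloud-provider: external".
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{ $containCloudProvider := false }}
          {{- range $key, $val := .kubeControllerManagerExtraArgs }}
          {{- if eq $key "tls-cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{- if eq $key "cloud-provider" }}
          {{- $containCloudProvider = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          tls-cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}
          {{- if not $containCloudProvider }}
          cloud-provider: external
          {{- end }}

    # Control-plane kubelet extraArgs (init node): pass-through plus defaults.
    "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{ $containCloudProvider := false }}
          {{- range $key, $val := .controlPlaneKubeletExtraArgs }}
          {{- if eq $key "tls-cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{- if eq $key "cloud-provider" }}
          {{- $containCloudProvider = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          tls-cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}
          {{- if not $containCloudProvider }}
          cloud-provider: external
          {{- end }}

    # Control-plane kubelet extraArgs (joining nodes): identical to the init variant.
    "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs"
      valueFrom:
        template: |
          {{ $containCipherSuites := false }}
          {{ $containCloudProvider := false }}
          {{- range $key, $val := .controlPlaneKubeletExtraArgs }}
          {{- if eq $key "tls-cipher-suites" }}
          {{- $containCipherSuites = "true" }}
          {{- end }}
          {{- if eq $key "cloud-provider" }}
          {{- $containCloudProvider = "true" }}
          {{- end }}
          {{ $key -}} : "{{ $val }}"
          {{- end }}
          {{- if not $containCipherSuites }}
          tls-cipher-suites: "{{ .tlsCipherSuites }}"
          {{- end }}
          {{- if not $containCloudProvider }}
          cloud-provider: external
          {{- end }}

    # Node login user: "capv" with passwordless sudo and the supplied SSH keys.
    # Access to this account is equivalent to root on every control-plane node.
    "/s/t/s/kubeadmConfigSpec/users":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/users"
      valueFrom:
        template: |
          - name: capv
            sshAuthorizedKeys:
            {{- range .user.sshAuthorizedKeys }}
            - ' {{- . -}} '
            {{- end }}
            sudo: ALL=(ALL) NOPASSWD:ALL

    # Image repository / tags are taken from the TKR data for the control-plane version.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/imageRepository":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/imageRepository"
      valueFrom:
        template: "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageRepository":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageRepository"
      valueFrom:
        template: "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageTag":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageTag"
      valueFrom:
        template: "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.etcd.imageTag}}"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/dns/imageRepository":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/dns/imageRepository"
      valueFrom:
        template: "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/dns/imageTag":
    - op: replace
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/dns/imageTag"
      valueFrom:
        template: "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.coredns.imageTag}}"

    # Files written to every control-plane node before kubeadm runs.
    "/s/t/s/kubeadmConfigSpec/files/-":
    # kube-vip static pod: hostNetwork + NET_ADMIN/NET_RAW are needed for ARP-based
    # VIP announcement; it reads the node's admin.conf for leader election.
    # Templated env values are quoted so an unusual endpoint/interface string
    # cannot be re-typed by the YAML parser.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |
          owner: root:root
          path: /etc/kubernetes/manifests/kube-vip.yaml
          content: |
            ---
            apiVersion: v1
            kind: Pod
            metadata:
              creationTimestamp: null
              name: kube-vip
              namespace: kube-system
            spec:
              containers:
              - args:
                - manager
                env:
                - name: cp_enable
                  value: "true"
                - name: svc_enable
                  value: "{{ .kubeVipLoadBalancerProvider }}"
                - name: vip_arp
                  value: "true"
                - name: vip_leaderelection
                  value: "true"
                - name: address
                  value: "{{ .apiServerEndpoint }}"
                {{- if and (not .aviControlPlaneHAProvider) .apiServerPort }}
                - name: port
                  value: "{{ .apiServerPort }}"
                {{- end }}
                - name: vip_interface
                  value: "{{ .vipNetworkInterface }}"
                - name: vip_leaseduration
                  value: "30"
                - name: vip_renewdeadline
                  value: "20"
                - name: vip_retryperiod
                  value: "4"
                image: {{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}/kube-vip:{{(index (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec "kube-vip").imageTag}}
                imagePullPolicy: IfNotPresent
                name: kube-vip
                resources: {}
                securityContext:
                  capabilities:
                    add:
                    - NET_ADMIN
                    - NET_RAW
                volumeMounts:
                - mountPath: /etc/kubernetes/admin.conf
                  name: kubeconfig
              hostNetwork: "true"
              hostAliases:
              - hostnames:
                - kubernetes
                ip: 127.0.0.1
              volumes:
              - hostPath:
                  path: /etc/kubernetes/admin.conf
                  type: FileOrCreate
                name: kubeconfig
            status: {}
    # Empty kubelet sysconfig so the node-ip preKubeadmCommand below can append to it.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      value:
        content: ''
        owner: root:root
        path: "/etc/sysconfig/kubelet"
        permissions: '0640'
    # systemd proxy drop-ins for containerd and kubelet; NO_PROXY always covers
    # localhost, the service/pod CIDRs and ::1 on IPv6/dual-stack clusters.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |
          content: |
            [Service]
            Environment="HTTP_PROXY= {{- .proxy.httpProxy -}} "
            Environment="HTTPS_PROXY= {{- .proxy.httpsProxy -}} "
            Environment="NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local" ((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join "," -}} "
          owner: root:root
          path: /etc/systemd/system/containerd.service.d/http-proxy.conf
          permissions: "0640"
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |
          content: |
            [Service]
            Environment="HTTP_PROXY= {{- .proxy.httpProxy -}} "
            Environment="HTTPS_PROXY= {{- .proxy.httpsProxy -}} "
            Environment="NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local" ((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join "," -}} "
          owner: root:root
          path: /usr/lib/systemd/system/kubelet.service.d/http-proxy.conf
          permissions: "0640"
    # Custom CA bundle (base64) taken from the trusted CA named "proxy".
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |
          path: /etc/ssl/certs/tkg-custom-ca.pem
          {{- $proxy := "" }}
          {{- range .trust.additionalTrustedCAs }}
          {{- if eq .name "proxy" }}
          {{- $proxy = .data }}
          {{- end }}
          {{- end }}
          content: {{ $proxy }}
          encoding: base64
          permissions: "0444"
    # Registry CA for containerd, named after the image-repository host; the
    # "proxy" CA wins over the "imageRepository" CA when both are present.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |
          path: /etc/containerd/ {{- index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList "/") 0 -}} .crt
          {{- $proxy := "" }}
          {{- $image := "" }}
          {{- range .trust.additionalTrustedCAs }}
          {{- if eq .name "proxy" }}
          {{- $proxy = .data }}
          {{- end }}
          {{- if eq .name "imageRepository" }}
          {{- $image = .data }}
          {{- end }}
          {{- end }}
          content: {{or $proxy $image}}
          encoding: base64
          permissions: "0444"
    # kube-apiserver audit policy (0600, root only). Secrets/ConfigMaps/TokenReviews
    # are logged at Metadata level only so request bodies never reach the audit log.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      value:
        content: |
          ---
          apiVersion: audit.k8s.io/v1
          kind: Policy
          rules:
          #! The following requests were manually identified as high-volume and low-risk,
          #! so drop them.
          - level: None
            users: ["system:serviceaccount:kube-system:kube-proxy"]
            verbs: ["watch"]
            resources:
            - group: "" #! core
              resources: ["endpoints", "services", "services/status"]
          - level: None
            userGroups: ["system:nodes"]
            verbs: ["get"]
            resources:
            - group: "" #! core
              resources: ["nodes", "nodes/status"]
          - level: None
            users:
            - system:kube-controller-manager
            - system:kube-scheduler
            - system:serviceaccount:kube-system:endpoint-controller
            verbs: ["get", "update"]
            namespaces: ["kube-system"]
            resources:
            - group: "" #! core
              resources: ["endpoints"]
          - level: None
            users: ["system:apiserver"]
            verbs: ["get"]
            resources:
            - group: "" #! core
              resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
          #! Don't log HPA fetching metrics.
          - level: None
            users:
            - system:kube-controller-manager
            verbs: ["get", "list"]
            resources:
            - group: "metrics.k8s.io"
          #! Don't log these read-only URLs.
          - level: None
            nonResourceURLs:
            - /healthz*
            - /version
            - /swagger*
          #! Don't log events requests.
          - level: None
            resources:
            - group: "" #! core
              resources: ["events"]
          #! Don't log TMC service account performing read operations because they are high-volume.
          - level: None
            userGroups: ["system:serviceaccounts:vmware-system-tmc"]
            verbs: ["get", "list", "watch"]
          #! Don't log read requests from garbage collector because they are high-volume.
          - level: None
            users: ["system:serviceaccount:kube-system:generic-garbage-collector"]
            verbs: ["get", "list", "watch"]
          #! node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
          - level: Request
            userGroups: ["system:nodes"]
            verbs: ["update","patch"]
            resources:
            - group: "" #! core
              resources: ["nodes/status", "pods/status"]
            omitStages:
            - "RequestReceived"
          #! deletecollection calls can be large, don't log responses for expected namespace deletions
          - level: Request
            users: ["system:serviceaccount:kube-system:namespace-controller"]
            verbs: ["deletecollection"]
            omitStages:
            - "RequestReceived"
          #! Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
          #! so only log at the Metadata level.
          - level: Metadata
            resources:
            - group: "" #! core
              resources: ["secrets", "configmaps"]
            - group: authentication.k8s.io
              resources: ["tokenreviews"]
            omitStages:
            - "RequestReceived"
          #! Get repsonses can be large; skip them.
          - level: Request
            verbs: ["get", "list", "watch"]
            resources:
            - group: "" #! core
            - group: "admissionregistration.k8s.io"
            - group: "apiextensions.k8s.io"
            - group: "apiregistration.k8s.io"
            - group: "apps"
            - group: "authentication.k8s.io"
            - group: "authorization.k8s.io"
            - group: "autoscaling"
            - group: "batch"
            - group: "certificates.k8s.io"
            - group: "extensions"
            - group: "metrics.k8s.io"
            - group: "networking.k8s.io"
            - group: "policy"
            - group: "rbac.authorization.k8s.io"
            - group: "settings.k8s.io"
            - group: "storage.k8s.io"
            omitStages:
            - "RequestReceived"
          #! Default level for known APIs
          - level: RequestResponse
            resources:
            - group: "" #! core
            - group: "admissionregistration.k8s.io"
            - group: "apiextensions.k8s.io"
            - group: "apiregistration.k8s.io"
            - group: "apps"
            - group: "authentication.k8s.io"
            - group: "authorization.k8s.io"
            - group: "autoscaling"
            - group: "batch"
            - group: "certificates.k8s.io"
            - group: "extensions"
            - group: "metrics.k8s.io"
            - group: "networking.k8s.io"
            - group: "policy"
            - group: "rbac.authorization.k8s.io"
            - group: "settings.k8s.io"
            - group: "storage.k8s.io"
            omitStages:
            - "RequestReceived"
          #! Default level for all other requests.
          - level: Metadata
            omitStages:
            - "RequestReceived"
        owner: root:root
        path: "/etc/kubernetes/audit-policy.yaml"
        permissions: '0600'
    # Admission configuration: Pod Security admission (k8s >= 1.24, unless
    # deactivated) with kube-system/tkg-system plus user namespaces exempted, and
    # EventRateLimit when a config is supplied. Template whitespace trimming is
    # load-bearing here: "- name: PodSecurity" inherits the indent of the first
    # "{{ $namespace_exemptions ..." line, so keep these lines aligned.
    # NOTE(review): no `permissions:` is set for this file (kubeadm default applies).
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |-
          path: /etc/kubernetes/admission-control-config.yaml
          content: |-
            apiVersion: apiserver.config.k8s.io/v1
            kind: AdmissionConfiguration
            plugins:
            {{- if and (not .podSecurityStandard.deactivated) (semverCompare ">= v1.24" .builtin.controlPlane.version) }}
            {{ $namespace_exemptions := printf "%q, %q" "kube-system" "tkg-system" -}}
            {{ $defaultWarnAudit := "baseline" }}
            {{- if .podSecurityStandard.exemptions.namespaces -}}
            {{ range $namespace := .podSecurityStandard.exemptions.namespaces -}}
            {{ $namespace_exemptions = printf "%s, %q" $namespace_exemptions $namespace -}}
            {{- end -}}
            {{- end -}}
            - name: PodSecurity
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1beta1
                kind: PodSecurityConfiguration
                defaults:
                  enforce: "{{ if .podSecurityStandard.enforce -}}
                  {{ .podSecurityStandard.enforce }}
                  {{- end }}"
                  enforce-version: "{{ .podSecurityStandard.enforceVersion -}}"
                  audit: "{{ if .podSecurityStandard.audit -}}
                  {{ .podSecurityStandard.audit }}
                  {{- else -}}
                  {{ $defaultWarnAudit }}
                  {{- end }}"
                  audit-version: "{{ .podSecurityStandard.auditVersion -}}"
                  warn: "{{ if .podSecurityStandard.warn -}}
                  {{ .podSecurityStandard.warn }}
                  {{- else -}}
                  {{ $defaultWarnAudit }}
                  {{- end }}"
                  warn-version: "{{ .podSecurityStandard.warnVersion -}}"
                exemptions:
                  usernames: []
                  runtimeClasses: []
                  namespaces: [{{ $namespace_exemptions }}]
            {{- end }}
            {{- if .eventRateLimitConf }}
            - name: EventRateLimit
              path: eventConfig.yaml
            {{- end }}
    # EventRateLimit plugin config (base64 as supplied). Written even when empty.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/files/-"
      valueFrom:
        template: |-
          path: /etc/kubernetes/eventConfig.yaml
          encoding: base64
          content: {{ .eventRateLimitConf}}

    # Commands run before kubeadm on each control-plane node, in order: IPv6
    # localhost entry, kubelet node-ip, containerd restart, proxy exports, custom CA
    # install (distro-specific tool detection), then containerd registry TLS config.
    "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: echo "::1 localhost" >> /etc/hosts
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: echo "KUBELET_EXTRA_ARGS=--node-ip=$(ip -6 -json addr show dev eth0 scope global | jq -r .[0].addr_info[0].local)" >> /etc/sysconfig/kubelet
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: systemctl daemon-reload
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: systemctl stop containerd
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: systemctl start containerd
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: 'export HTTP_PROXY= {{- .proxy.httpProxy }}
          '
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: 'export HTTPS_PROXY= {{- .proxy.httpsProxy }}
          '
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: 'export NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local"
          ((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1"
          nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods
          | uniq | sortAlpha | join "," }}
          '
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: "! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh"
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: "! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/tkg-custom-ca.pem
        /usr/local/share/ca-certificates/tkg-custom-ca.crt && update-ca-certificates)"
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: "! which update-ca-trust 2>/dev/null || (update-ca-trust force-enable
        && mv /etc/ssl/certs/tkg-custom-ca.pem /etc/pki/ca-trust/source/anchors/tkg-custom-ca.crt
        && update-ca-trust extract)"
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: systemctl restart containerd
    # Point containerd's sandbox (pause) image at the configured repository.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: 'sed -i ''s|".*/pause|" {{- or .imageRepository.host (index .TKR_DATA
          .builtin.controlPlane.version).kubernetesSpec.imageRepository -}} /pause|''
          /etc/containerd/config.toml
          '
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: |
          {{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList "/") 0 -}}
          echo '[plugins."io.containerd.grpc.v1.cri".registry.configs." {{- $host -}} ".tls]' >> /etc/containerd/config.toml
    # Registry TLS trust for containerd: writes either the ca_file line for the CA
    # installed above or, when imageRepository.tlsCertificateValidation is false,
    # `insecure_skip_verify = true`, which disables certificate verification for
    # that registry and should stay off outside isolated environments.
    # Fixed: the original string was mis-quoted (`"insecure_skip_verify = "true""`),
    # which is a Go-template parse error; containerd's TOML also expects a bare boolean.
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      valueFrom:
        template: |
          {{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList "/") 0 }}
          {{- $val := list "ca_file = \"/etc/containerd/" $host ".crt\"" | join "" }}
          {{- with .imageRepository }}
          {{- if .tlsCertificateValidation | eq false }}
          {{- $val = "insecure_skip_verify = true" }}
          {{- end }}
          {{- end -}}
          {{- define "echo" -}}
          echo ' {{ . -}} ' >> /etc/containerd/config.toml
          {{- end }}
          {{- template "echo" $val -}}
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/preKubeadmCommands/-"
      value: systemctl restart containerd

    # API server bind address: all-interfaces on IPv6 / IPv6-primary dual-stack,
    # otherwise 0.0.0.0.
    "/s/t/s/kubeadmConfigSpec/initConfiguration/localAPIEndpoint":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/initConfiguration/localAPIEndpoint"
      valueFrom:
        template: |
          {{ if .builtin.cluster.network.ipFamily | eq "IPv6" | or (.builtin.cluster.network.ipFamily | eq "DualStack" | and (.network.ipv6Primary | default false)) -}}
          advertiseAddress: '::/0'
          {{- else -}}
          advertiseAddress: '0.0.0.0'
          {{- end }}
          bindPort: {{ .apiServerPort }}
    "/s/t/s/kubeadmConfigSpec/joinConfiguration/controlPlane":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/joinConfiguration/controlPlane"
      valueFrom:
        template: |
          localAPIEndpoint:
            {{ if .builtin.cluster.network.ipFamily | eq "IPv6" | or (.builtin.cluster.network.ipFamily | eq "DualStack" | and (.network.ipv6Primary | default false)) -}}
            advertiseAddress: '::/0'
            {{- else -}}
            advertiseAddress: '0.0.0.0'
            {{- end }}
            bindPort: {{ .apiServerPort }}

    # IPv6 node-ip / bind-address overrides ("::" = all interfaces).
    "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-ip":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-ip"
      value: "::"
    "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip"
      value: "::"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/advertise-address":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/advertise-address"
      valueFrom:
        variable: apiServerEndpoint
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/bind-address":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/bind-address"
      value: "::"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs/bind-address":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs/bind-address"
      value: "::"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs/bind-address":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs/bind-address"
      value: "::"

    # Node labels: TKR labels whose values pass the validity regex, then the
    # user's controlPlane.nodeLabels, joined as "k=v,k=v".
    # Fixed: the character class used `A-z` (a range that also matches `[ \ ] ^ _ \``)
    # where `A-Z` was clearly intended.
    "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-labels":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-labels"
      valueFrom:
        template: |
          {{ $first := "true" }}
          {{- range $key, $val := (index .TKR_DATA .builtin.controlPlane.version).labels }}
          {{- if regexMatch "^(?:[a-zA-Z])(?:[-\\w\\.]*[a-zA-Z])$" $val }}
          {{- if $first }}
          {{- $first = false }}
          {{- else -}}
          ,
          {{- end }}
          {{- $key -}} = {{- $val }}
          {{- end }}
          {{- end }}
          {{- if .controlPlane.nodeLabels -}}
          {{- if (index .TKR_DATA .builtin.controlPlane.version).labels -}}
          ,
          {{- end -}}
          {{- $first := "true" }}
          {{- range .controlPlane.nodeLabels }}
          {{- if $first }}
          {{- $first = false }}
          {{- else -}}
          ,
          {{- end }}
          {{- .key -}} = {{- .value -}}
          {{ end }}
          {{ end }}
    "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels"
      valueFrom:
        template: |
          {{ $first := "true" }}
          {{- range $key, $val := (index .TKR_DATA .builtin.controlPlane.version).labels }}
          {{- if regexMatch "^(?:[a-zA-Z])(?:[-\\w\\.]*[a-zA-Z])$" $val }}
          {{- if $first }}
          {{- $first = false }}
          {{- else -}}
          ,
          {{- end }}
          {{- $key -}} = {{- $val }}
          {{- end }}
          {{- end }}
          {{- if .controlPlane.nodeLabels -}}
          {{- if (index .TKR_DATA .builtin.controlPlane.version).labels -}}
          ,
          {{- end -}}
          {{- $first := "true" }}
          {{- range .controlPlane.nodeLabels }}
          {{- if $first }}
          {{- $first = false }}
          {{- else -}}
          ,
          {{- end }}
          {{- .key -}} = {{- .value -}}
          {{ end }}
          {{ end }}

    # Audit logging flags; values are quoted so they reach kubeadm as strings.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-path":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-path"
      value: "/var/log/kubernetes/audit.log"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-policy-file":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-policy-file"
      value: "/etc/kubernetes/audit-policy.yaml"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxage":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxage"
      value: '30'
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxbackup":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxbackup"
      value: '10'
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxsize":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxsize"
      value: '100'

    # Host-path mounts into the kube-apiserver static pod for the files above.
    # Fixed: the event-conf entry had a stray leading comma (`, pathType: "File"`)
    # that broke the rendered mapping; it now matches the admin-control-conf entry.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-"
      value:
        hostPath: "/etc/kubernetes/audit-policy.yaml"
        mountPath: "/etc/kubernetes/audit-policy.yaml"
        name: audit-policy
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-"
      value:
        hostPath: "/var/log/kubernetes"
        mountPath: "/var/log/kubernetes"
        name: audit-logs
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-"
      valueFrom:
        template: |
          name: admin-control-conf
          hostPath: /etc/kubernetes/admission-control-config.yaml
          mountPath: /etc/kubernetes/admission-control-config.yaml
          readOnly: "true"
          pathType: "File"
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-"
      valueFrom:
        template: |
          name: event-conf
          hostPath: /etc/kubernetes/eventConfig.yaml
          mountPath: /etc/kubernetes/eventConfig.yaml
          readOnly: "true"
          pathType: "File"

    # No taints on control-plane nodes (workloads may schedule there).
    "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/taints":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/initConfiguration/nodeRegistration/taints"
      value: []
    "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/taints":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/joinConfiguration/nodeRegistration/taints"
      value: []

    # Roll the control plane before its certificates expire.
    "/s/t/s/rolloutBefore":
    - op: add
      path: "/s/t/s/rolloutBefore"
      valueFrom:
        template: 'certificatesExpiryDays: {{ .controlPlaneCertificateRotation.daysBefore }}
          '

    # NTP servers and extra API-server SANs; list items are quoted so that an
    # address such as "::1" or a value with YAML specials stays a string.
    "/s/t/s/kubeadmConfigSpec/ntp":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/ntp"
      valueFrom:
        template: |
          enabled: "true"
          servers:
          {{- range .ntpServers }}
          - "{{ . }}"
          {{- end }}
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
      valueFrom:
        template: |
          {{- range .additionalFQDN }}
          - "{{ . }}"
          {{- end }}

    # Admission plugins: the user's enable-admission-plugins list is kept and
    # EventRateLimit appended; otherwise NodeRestriction,EventRateLimit.
    # NOTE(review): EventRateLimit is always enabled here even when no
    # eventRateLimitConf is supplied, and is appended again if the user's list
    # already contains it — presumably an enabledIf condition outside this gist
    # gates the patch; verify.
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/admission-control-config-file":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/admission-control-config-file"
      value: "/etc/kubernetes/admission-control-config.yaml"
    "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/enable-admission-plugins":
    - op: add
      path: "/s/t/s/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/enable-admission-plugins"
      valueFrom:
        template: |
          {{ $containEnableAdmissionPlugin := false }}
          {{- $admissionPlugins := "" }}
          {{- range $key, $val := .apiServerExtraArgs }}
          {{- if eq $key "enable-admission-plugins" }}
          {{- $containEnableAdmissionPlugin = "true" }}
          {{- $admissionPlugins = $val }}
          {{- end }}
          {{- end }}
          {{- if not $containEnableAdmissionPlugin }}
          NodeRestriction,EventRateLimit
          {{- else -}}
          {{- $admissionPlugins -}},EventRateLimit
          {{- end }}

  # These patches apply to the control-plane KubeadmControlPlaneTemplate only.
  selector:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlaneTemplate
    matchResources:
      controlPlane: 'true'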
KubeadmConfigTemplate:
jsonPatches:
"/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs":
- op: add
path: "/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs"
valueFrom:
template: |
{{ $containCipherSuites := false }}
{{ $containCloudProvider := false }}
{{- range $key, $val := .workerKubeletExtraArgs }}
{{- if eq $key "tls-cipher-suites" }}
{{- $containCipherSuites = "true" }}
{{- end }}
{{- if eq $key "cloud-provider" }}
{{- $containCloudProvider = "true" }}
{{- end }}
{{ $key -}} : "{{ $val }}"
{{- end }}
{{- if not $containCipherSuites }}
tls-cipher-suites: "{{ .tlsCipherSuites }}"
{{- end }}
{{- if not $containCloudProvider }}
cloud-provider: external
{{- end }}
"/s/t/s/users":
- op: replace
path: "/s/t/s/users"
valueFrom:
template: |
- name: capv
sshAuthorizedKeys:
{{- range .user.sshAuthorizedKeys }}
- ' {{- . -}} '
{{- end }}
sudo: ALL=(ALL) NOPASSWD:ALL
- op: replace
path: "/s/t/s/users"
valueFrom:
template: |
- name: capv
groups: Administrators
sshAuthorizedKeys:
{{- range .user.sshAuthorizedKeys }}
- ' {{- . -}} '
{{- end }}
sudo: ALL=(ALL) NOPASSWD:ALL
"/s/t/s/preKubeadmCommands/-":
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: echo "::1 localhost" >> /etc/hosts
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: systemctl daemon-reload
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: systemctl restart containerd
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: 'export HTTP_PROXY= {{- .proxy.httpProxy }}
'
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: 'export HTTPS_PROXY= {{- .proxy.httpsProxy }}
'
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: 'export NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local"
((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1"
nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods
| uniq | sortAlpha | join "," }}
'
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: "! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh"
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: "! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/tkg-custom-ca.pem
/usr/local/share/ca-certificates/tkg-custom-ca.crt && update-ca-certificates)"
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: "! which update-ca-trust 2>/dev/null || (update-ca-trust force-enable
&& mv /etc/ssl/certs/tkg-custom-ca.pem /etc/pki/ca-trust/source/anchors/tkg-custom-ca.crt
&& update-ca-trust extract)"
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: systemctl restart containerd
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: 'sed -i ''s|".*/pause|" {{- or .imageRepository.host (index .TKR_DATA
.builtin.machineDeployment.version).kubernetesSpec.imageRepository -}} /pause|''
/etc/containerd/config.toml
'
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: |
{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList "/") 0 -}}
echo '[plugins."io.containerd.grpc.v1.cri".registry.configs." {{- $host -}} ".tls]' >> /etc/containerd/config.toml
- op: add
path: "/s/t/s/preKubeadmCommands/-"
valueFrom:
template: |
{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList "/") 0 }}
{{- $val := list "ca_file = \"/etc/containerd/" $host ".crt\"" | join "" }}
{{- with .imageRepository }}
{{- if .tlsCertificateValidation | eq false }}
{{- $val = "insecure_skip_verify = "true"" }}
{{- end }}
{{- end -}}
{{- define "echo" -}}
echo ' {{ . -}} ' >> /etc/containerd/config.toml
{{- end }}
{{- template "echo" $val -}}
- op: add
path: "/s/t/s/preKubeadmCommands/-"
value: systemctl restart containerd
"/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip":
- op: add
path: "/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip"
value: "::"
"/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels":
- op: add
path: "/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels"
valueFrom:
template: |
{{ $first := "true" }}
{{- range $key, $val := (index .TKR_DATA .builtin.machineDeployment.version).labels }}
{{- if regexMatch "^(?:[a-zA-z])(?:[-\\w\\.]*[a-zA-z])$" $val }}
{{- if $first }}
{{- $first = false }}
{{- else -}}
,
{{- end }}
{{- $key -}} = {{- $val }}
{{- end }}
{{- end }}
{{- if .nodePoolLabels -}}
,
{{- $first := "true" }}
{{- range .nodePoolLabels }}
{{- if $first }}
{{- $first = false }}
{{- else -}}
,
{{- end }}
{{- .key -}} = {{- .value -}}
{{ end }}
{{ end }}
"/s/t/s/files/-":
- op: add
path: "/s/t/s/files/-"
valueFrom:
template: |
content: |
[Service]
Environment="HTTP_PROXY= {{- .proxy.httpProxy -}} "
Environment="HTTPS_PROXY= {{- .proxy.httpsProxy -}} "
Environment="NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local" ((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join "," -}} "
owner: root:root
path: /etc/systemd/system/containerd.service.d/http-proxy.conf
permissions: "0640"
- op: add
path: "/s/t/s/files/-"
valueFrom:
template: |
content: |
[Service]
Environment="HTTP_PROXY= {{- .proxy.httpProxy -}} "
Environment="HTTPS_PROXY= {{- .proxy.httpsProxy -}} "
Environment="NO_PROXY= {{- list "localhost" "127.0.0.1" ".svc" ".svc.cluster.local" ((list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily) | ternary "::1" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join "," -}} "
owner: root:root
path: /usr/lib/systemd/system/kubelet.service.d/http-proxy.conf
permissions: "0640"
- op: add
path: "/s/t/s/files/-"
valueFrom:
template: |
path: /etc/ssl/certs/tkg-custom-ca.pem
{{- $proxy := "" }}
{{- range .trust.additionalTrustedCAs }}
{{- if eq .name "proxy" }}
{{- $proxy = .data }}
{{- end }}
{{- end }}
content: {{ $proxy }}
encoding: base64
permissions: "0444"
- op: add
path: "/s/t/s/files/-"
valueFrom:
template: |
path: /etc/containerd/{{ index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList "/") 0 }}.crt
{{- $proxy := "" }}
{{- $image := "" }}
{{- range .trust.additionalTrustedCAs }}
{{- if eq .name "proxy" }}
{{- $proxy = .data }}
{{- end }}
{{- if eq .name "imageRepository" }}
{{- $image = .data }}
{{- end }}
{{- end }}
content: {{or $proxy $image}}
encoding: base64
permissions: "0444"
  # Drops a one-line PowerShell script that disables and stops the Windows
  # Update service (wuauserv); it is run from the postKubeadmCommands patch
  # below. The single-quoted scalar spans two lines, so the value ends with
  # the folded line break (a single space), not a newline.
  # NOTE(review): unlike the Linux file entries above, this entry sets no
  # owner/permissions — confirm that is acceptable for the Windows bootstrap.
  # NOTE(review): with Windows Update disabled the node only receives OS fixes
  # through a rebuilt image — confirm the image rebuild cadence covers that.
  - op: add
    path: "/s/t/s/files/-"
    value:
      content: 'Set-Service -Name "wuauserv" -StartupType Disabled -Status Stopped
        '
      path: C:\k\prevent_windows_updates.ps1
  # Windows worker bootstrap script (C:\Temp\antrea.ps1), run from the
  # postKubeadmCommands patch below. It disables the firewall profiles, creates
  # the Antrea/kube-proxy/CNI directories, adds Defender process exclusions,
  # unpacks the Antrea bundle baked into the image, sets the kubelet --node-ip
  # from the interface that owns the IPv4 default gateway, waits for the
  # antrea-agent and kube-proxy-windows service-account token Secrets, builds a
  # kube-proxy kubeconfig from the kubelet kubeconfig's server address plus the
  # decoded token, installs the Antrea agent and OVS, registers kube-proxy and
  # antrea-agent as services via nssm and starts them.
  # NOTE(review): the kube-proxy kubeconfig is written with
  # `--insecure-skip-tls-verify`, so kube-proxy never verifies the API server's
  # identity. The kubelet kubeconfig read on the preceding line presumably
  # carries (or references) the cluster CA; passing it via
  # `set-cluster ... --certificate-authority=<ca file> --embed-certs=true`
  # would close that gap — confirm on a test node, as this is the bootstrap path.
  # NOTE(review): WaitForSaToken gives up after 400 x 5 s and returns $null,
  # and neither caller checks for that: FromBase64String($null) throws and the
  # kubectl calls would otherwise run with an empty token. Newer Kubernetes
  # releases no longer auto-create these token Secrets — confirm the cluster
  # still does.
  # NOTE(review): the firewall is disabled "temporarily" but nothing in this
  # script re-enables it — confirm a later step restores the profiles.
  # NOTE(review): $AntreaAgentToken is fetched but never referenced afterwards;
  # presumably Install-AntreaAgent obtains the token itself — verify, or drop
  # the wait.
  # NOTE(review): Install-OVS.ps1 runs with -ImportCertificate $false and the
  # Defender exclusions cover containerd.exe/ctr.exe; both are deliberate
  # trade-offs that belong in the image/bootstrap documentation.
  # NOTE(review): the Antrea version is pinned inline ("1.7.1"); consider
  # feeding it from a variable so it can be tracked with the image build.
  - op: add
    path: "/s/t/s/files/-"
    value:
      content: |
        function WaitForSaToken($KubeCfgFile, $ServiceAcctName) {
          $SaToken = $null
          $LoopCount = 400
          do {
            $LoopCount = $LoopCount - 1
            if ($LoopCount -eq 0) {
              break
            }
            sleep 5
            $SaToken=$(kubectl --kubeconfig=$KubeCfgFile get secrets -n kube-system -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$ServiceAcctName')].data.token}")
          } while ($SaToken -eq $null)
          return $SaToken
        }
        # Disable firewall temporarily for SSH and other internal ports access
        Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
        $TempFolder = 'C:\programdata\temp'
        $AntreaInTempFolder = "$TempFolder\antrea-windows-advanced.zip"
        $KubeproxyInTempFolder = "$TempFolder\kube-proxy.exe"
        # Create Folders
        $folders = @('C:\k\antrea', 'C:\var\log\antrea', 'C:\k\antrea\bin', 'C:\var\log\kube-proxy', 'C:\opt\cni\bin', 'C:\etc\cni\net.d')
        foreach ($f in $folders) {
          New-Item -ItemType Directory -Force -Path $f
        }
        # Add Windows Defender Options
        $avexceptions = @('C:\program files\containerd\ctr.exe', 'C:\program files\containerd\containerd.exe')
        foreach ($e in $avexceptions) {
          Add-MpPreference -ExclusionProcess $e
        }
        # Extract Antrea, Antrea binary should be packed into windows OVA already
        $antreaZipFile = 'C:\k\antrea\antrea-windows-advanced.zip'
        if (!(Test-Path $antreaZipFile)) {
          cp $AntreaInTempFolder $antreaZipFile
        }
        Expand-Archive -Force -Path $antreaZipFile -DestinationPath C:\k\antrea
        cp C:\k\antrea\bin\antrea-cni.exe C:\opt\cni\bin\antrea.exe -Force
        cp C:\k\antrea\bin\host-local.exe C:\opt\cni\bin\host-local.exe -Force
        cp C:\k\antrea\etc\antrea-cni.conflist C:\etc\cni\net.d\10-antrea.conflist -Force
        # Get HostIP and set in kubeadm-flags.env
        [Environment]::SetEnvironmentVariable("NODE_NAME", (hostname).ToLower())
        $env:HostIP = (
          Get-NetIPConfiguration |
          Where-Object {
            $_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne "Disconnected"
          }
        ).IPv4Address.IPAddress
        $file = 'C:\var\lib\kubelet\kubeadm-flags.env'
        $newstr = "--node-ip=" + $env:HostIP
        $raw = Get-Content -Path $file -TotalCount 1
        $raw = $raw -replace ".$"
        $new = "$($raw) $($newstr)`""
        Set-Content $file $new
        $KubeConfigFile = 'C:\etc\kubernetes\kubelet.conf'
        # Wait for antrea-agent token to be ready, the token will be used by Install-AntreaAgent
        $AntreaAgentToken = (WaitForSaToken $KubeConfigFile 'antrea-agent')
        # Setup Kube-Proxy config file
        $KubeProxyToken = (WaitForSaToken $KubeConfigFile 'kube-proxy-windows')
        $KubeProxyConfig = 'C:\k\antrea\etc\kube-proxy.conf'
        $KubeAPIServer = $(kubectl --kubeconfig=$KubeConfigFile config view -o jsonpath='{.clusters[0].cluster.server}')
        $KubeProxyToken = $([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KubeProxyToken)))
        kubectl config --kubeconfig=$KubeProxyConfig set-cluster kubernetes --server=$KubeAPIServer --insecure-skip-tls-verify
        kubectl config --kubeconfig=$KubeProxyConfig set-credentials kube-proxy-windows --token=$KubeProxyToken
        kubectl config --kubeconfig=$KubeProxyConfig set-context kube-proxy-windows@kubernetes --cluster=kubernetes --user=kube-proxy-windows
        kubectl config --kubeconfig=$KubeProxyConfig use-context kube-proxy-windows@kubernetes
        # kube-proxy.exe should be packed into windows OVA
        if (!(Test-Path 'C:\k\kube-proxy.exe')) {
          cp $KubeproxyInTempFolder 'C:\k\kube-proxy.exe'
        }
        # Install antrea-agent & OVS
        Import-Module C:\k\antrea\helper.psm1
        & Install-AntreaAgent -KubernetesHome "C:\k" -KubeConfig "C:\etc\kubernetes\kubelet.conf" -AntreaHome "C:\k\antrea" -AntreaVersion "1.7.1"
        New-KubeProxyServiceInterface
        & C:\k\antrea\Install-OVS.ps1 -ImportCertificate $false -LocalFile C:\k\antrea\ovs-win64.zip
        # Setup Services
        $nssm = (Get-Command nssm).Source
        & $nssm set kubelet start SERVICE_AUTO_START
        & $nssm install kube-proxy "C:\k\kube-proxy.exe" "--proxy-mode=userspace --kubeconfig=$KubeProxyConfig --log-dir=C:\var\log\kube-proxy --logtostderr=false --alsologtostderr"
        & $nssm install antrea-agent "C:\k\antrea\bin\antrea-agent.exe" "--config=C:\k\antrea\etc\antrea-agent.conf --logtostderr=false --log_dir=C:\var\log\antrea --alsologtostderr --log_file_max_size=100 --log_file_max_num=4"
        & $nssm set antrea-agent DependOnService kube-proxy ovs-vswitchd
        & $nssm set antrea-agent Start SERVICE_AUTO_START
        # Start Services
        start-service kubelet
        start-service kube-proxy
        start-service antrea-agent
      path: C:\Temp\antrea.ps1
# Drops the experimental retry-join flag from the join configuration.
'/s/t/s/useExperimentalRetryJoin':
  - op: remove
    path: '/s/t/s/useExperimentalRetryJoin'
# Points the kubelet at the containerd named pipe used on Windows nodes.
'/s/t/s/joinConfiguration/nodeRegistration/criSocket':
  - op: add
    path: '/s/t/s/joinConfiguration/nodeRegistration/criSocket'
    value: 'npipe:////./pipe/containerd-containerd'
# Removes the kubelet tls-cipher-suites restriction for this worker class, so
# the kubelet falls back to its built-in default suite list.
# NOTE(review): the reason for dropping the restriction is not recorded here —
# confirm it is intended and document it, since the other kubelet patches on
# this page add tls-cipher-suites from .tlsCipherSuites.
'/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites':
  - op: remove
    path: '/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites'
# Registers the node with the os=windows:NoSchedule taint, so only pods that
# tolerate it are scheduled there.
'/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/register-with-taints':
  - op: add
    path: '/s/t/s/joinConfiguration/nodeRegistration/kubeletExtraArgs/register-with-taints'
    value: 'os=windows:NoSchedule'
# Node name taken from the bootstrap data source's hostname; the braces are
# left for the later substitution, not rendered by this template engine.
'/s/t/s/joinConfiguration/nodeRegistration/name':
  - op: replace
    path: '/s/t/s/joinConfiguration/nodeRegistration/name'
    value: '{{ ds.meta_data.hostname }}'
# Replaces preKubeadmCommands with two cmd.exe lines that rewrite C:\etc\hosts:
# the first truncates the file and writes the IPv6 loopback names, the second
# appends the IPv4 loopback names together with the node hostname. The inner
# `{{" {{ ds.meta_data.hostname }} "}}` is a Go-template string literal, so the
# literal text `{{ ds.meta_data.hostname }}` survives rendering, presumably for
# a later substitution by the bootstrap data source.
'/s/t/s/preKubeadmCommands':
  - op: replace
    path: '/s/t/s/preKubeadmCommands'
    valueFrom:
      template: |
        - echo | set /p="::1 ipv6-localhost ipv6-loopback localhost6 localhost6.localdomain6" > C:\etc\hosts & echo. >> C:\etc\hosts
        - echo | set /p="127.0.0.1 {{" {{ ds.meta_data.hostname }} "}} localhost localhost.localdomain localhost4 localhost4.localdomain4" >> C:\etc\hosts
# Appends the two Windows bootstrap scripts to postKubeadmCommands, in order:
# the Windows Update disabler, then the Antrea/kube-proxy installer.
# NOTE(review): `-ExecutionPolicy Bypass` follows the script path; confirm
# powershell.exe applies it as its own switch in this position rather than
# handing it to the script as an argument.
'/s/t/s/postKubeadmCommands/-':
  - op: add
    path: '/s/t/s/postKubeadmCommands/-'
    value: 'powershell c:/k/prevent_windows_updates.ps1 -ExecutionPolicy Bypass'
  - op: add
    path: '/s/t/s/postKubeadmCommands/-'
    value: 'powershell C:/Temp/antrea.ps1 -ExecutionPolicy Bypass'
# Enables NTP in the bootstrap config with the servers listed in .ntpServers.
'/s/t/s/ntp':
  - op: add
    path: '/s/t/s/ntp'
    valueFrom:
      template: |
        enabled: "true"
        servers:
        {{- range .ntpServers }}
        - {{ . }}
        {{- end }}
# Targets the KubeadmConfigTemplate of the tkg-worker machine deployment class.
selector:
  apiVersion: 'bootstrap.cluster.x-k8s.io/v1beta1'
  kind: KubeadmConfigTemplate
  matchResources:
    machineDeploymentClass:
      names:
        - 'tkg-worker'
VSphereClusterTemplate:
  jsonPatches:
    # Control-plane endpoint: the configured API server address on 6443; the
    # port is replaced further down from the apiServerPort variable (the JSON
    # dump later on this page gates that patch on apiServerPort being set).
    '/s/t/s/controlPlaneEndpoint':
      - op: add
        path: '/s/t/s/controlPlaneEndpoint'
        valueFrom:
          template: |
            host: '{{ .apiServerEndpoint }}'
            port: 6443
    # vCenter connection: TLS thumbprint and server address from vcenter.*.
    '/s/t/s/thumbprint':
      - op: replace
        path: '/s/t/s/thumbprint'
        valueFrom:
          variable: vcenter.tlsThumbprint
    '/s/t/s/server':
      - op: replace
        path: '/s/t/s/server'
        valueFrom:
          variable: vcenter.server
    # vCenter credentials: an explicit identityRef when given, otherwise a
    # Secret named after the cluster.
    '/s/t/s/identityRef':
      - op: add
        path: '/s/t/s/identityRef'
        valueFrom:
          template: |
            {{ if .identityRef -}}
            kind: {{ .identityRef.kind }}
            name: {{ .identityRef.name }}
            {{- else -}}
            kind: Secret
            name: '{{ .builtin.cluster.name }}'
            {{- end }}
    '/s/t/s/controlPlaneEndpoint/port':
      - op: replace
        path: '/s/t/s/controlPlaneEndpoint/port'
        valueFrom:
          variable: apiServerPort
  selector:
    apiVersion: 'infrastructure.cluster.x-k8s.io/v1beta1'
    kind: VSphereClusterTemplate
    matchResources:
      infrastructureCluster: 'true'
VSphereMachineTemplate:
  # Per-machine vSphere settings. Under each path the first entry appears to be
  # the control-plane variant and the second the worker variant (the JSON dump
  # later on this page selects the first with controlPlane: true and the second
  # with the tkg-worker / tkg-worker-windows classes). Placement comes from
  # vcenter.* for both; sizing from controlPlane.machine.* and worker.machine.*.
  jsonPatches:
    "/s/t/s/numCPUs":
      - op: replace
        path: "/s/t/s/numCPUs"
        valueFrom:
          variable: controlPlane.machine.numCPUs
      - op: replace
        path: "/s/t/s/numCPUs"
        valueFrom:
          variable: worker.machine.numCPUs
    "/s/t/s/diskGiB":
      - op: replace
        path: "/s/t/s/diskGiB"
        valueFrom:
          variable: controlPlane.machine.diskGiB
      - op: replace
        path: "/s/t/s/diskGiB"
        valueFrom:
          variable: worker.machine.diskGiB
    "/s/t/s/memoryMiB":
      - op: replace
        path: "/s/t/s/memoryMiB"
        valueFrom:
          variable: controlPlane.machine.memoryMiB
      - op: replace
        path: "/s/t/s/memoryMiB"
        valueFrom:
          variable: worker.machine.memoryMiB
    "/s/t/s/cloneMode":
      - op: replace
        path: "/s/t/s/cloneMode"
        valueFrom:
          variable: vcenter.cloneMode
      - op: replace
        path: "/s/t/s/cloneMode"
        valueFrom:
          variable: vcenter.cloneMode
    # Network: the plain vcenter.network replacements are followed by a full
    # device template (replace for the control plane, add for workers) carrying
    # nameservers, searchDomains, DHCP flags and IPAM pools. dhcp4/dhcp6 are
    # emitted only for the matching IP family and only when no
    # addressesFromPools are configured; pools take precedence otherwise.
    "/s/t/s/network":
      - op: replace
        path: "/s/t/s/network"
        valueFrom:
          variable: vcenter.network
      - op: replace
        path: "/s/t/s/network"
        valueFrom:
          variable: vcenter.network
      # Control-plane device template.
      - op: replace
        path: "/s/t/s/network"
        valueFrom:
          template: |
            devices:
            - networkName: {{ .vcenter.network }}
              {{ if .controlPlane.network.nameservers -}}
              nameservers:
              {{- range .controlPlane.network.nameservers }}
              - {{ . }}
              {{- end }}
              {{- end }}
              {{ if .controlPlane.network.searchDomains -}}
              searchDomains:
              {{- range .controlPlane.network.searchDomains }}
              - {{ . }}
              {{- end }}
              {{- end }}
              {{ if list "IPv4" "DualStack" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp4: "true" {{- end }}
              {{ if list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp6: "true" {{- end }}
              {{ if .network.addressesFromPools -}}
              addressesFromPools:
              {{- range .network.addressesFromPools }}
              - apiGroup: {{ .apiGroup }}
                kind: {{ .kind }}
                name: {{ .name }}
              {{- end }}
              {{- end }}
      # Worker device template.
      # NOTE(review): nameservers are read from worker.network.nameservers but
      # searchDomains from controlPlane.network.searchDomains — presumably a
      # copy of the control-plane template above; confirm against the variable
      # schema whether a worker-specific searchDomains value exists.
      - op: add
        path: "/s/t/s/network"
        valueFrom:
          template: |
            devices:
            - networkName: {{ .vcenter.network }}
              {{ if .worker.network.nameservers -}}
              nameservers:
              {{- range .worker.network.nameservers }}
              - {{ . }}
              {{- end }}
              {{- end }}
              {{ if .controlPlane.network.searchDomains -}}
              searchDomains:
              {{- range .controlPlane.network.searchDomains }}
              - {{ . }}
              {{- end }}
              {{- end }}
              {{ if list "IPv4" "DualStack" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp4: "true" {{- end }}
              {{ if list "IPv6" "DualStack" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp6: "true" {{- end }}
              {{ if .network.addressesFromPools -}}
              addressesFromPools:
              {{- range .network.addressesFromPools }}
              - apiGroup: {{ .apiGroup }}
                kind: {{ .kind }}
                name: {{ .name }}
              {{- end }}
              {{- end }}
    "/s/t/s/datacenter":
      - op: replace
        path: "/s/t/s/datacenter"
        valueFrom:
          variable: vcenter.datacenter
      - op: replace
        path: "/s/t/s/datacenter"
        valueFrom:
          variable: vcenter.datacenter
    "/s/t/s/datastore":
      - op: replace
        path: "/s/t/s/datastore"
        valueFrom:
          variable: vcenter.datastore
      - op: replace
        path: "/s/t/s/datastore"
        valueFrom:
          variable: vcenter.datastore
    "/s/t/s/folder":
      - op: replace
        path: "/s/t/s/folder"
        valueFrom:
          variable: vcenter.folder
      - op: replace
        path: "/s/t/s/folder"
        valueFrom:
          variable: vcenter.folder
    "/s/t/s/resourcePool":
      - op: replace
        path: "/s/t/s/resourcePool"
        valueFrom:
          variable: vcenter.resourcePool
      - op: replace
        path: "/s/t/s/resourcePool"
        valueFrom:
          variable: vcenter.resourcePool
    # NOTE(review): the storagePolicyName field is fed from a variable named
    # vcenter.storagePolicyID — confirm that variable holds a policy name.
    "/s/t/s/storagePolicyName":
      - op: replace
        path: "/s/t/s/storagePolicyName"
        valueFrom:
          variable: vcenter.storagePolicyID
      - op: replace
        path: "/s/t/s/storagePolicyName"
        valueFrom:
          variable: vcenter.storagePolicyID
    "/s/t/s/server":
      - op: replace
        path: "/s/t/s/server"
        valueFrom:
          variable: vcenter.server
      - op: replace
        path: "/s/t/s/server"
        valueFrom:
          variable: vcenter.server
    # OS image template, looked up per Kubernetes version in TKR_DATA: the
    # control-plane version for the first entry, the machine deployment's for
    # the second. The double-quoted scalar folds the line break into a space.
    "/s/t/s/template":
      - op: replace
        path: "/s/t/s/template"
        valueFrom:
          template: "{{ (index .TKR_DATA .builtin.controlPlane.version).osImageRef.template
            }}"
      - op: replace
        path: "/s/t/s/template"
        valueFrom:
          template: "{{ (index .TKR_DATA .builtin.machineDeployment.version).osImageRef.template
            }}"
  # Worker selector for the second entry of each pair above.
  selector:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: VSphereMachineTemplate
    matchResources:
      machineDeploymentClass:
        names:
          - tkg-worker
          - tkg-worker-windows
import json
a = [
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes",
"value": []
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "KCP_INIT_APISERVER_EMPTY_EXTRAVOLUMES_ARRAY"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/etcd/local/extraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{- range $key, $val := .etcdExtraArgs }}\n{{- if eq $key \"cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ncipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "etcdExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{ $containCloudProvider := false }}\n{{- range $key, $val := .apiServerExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{- if eq $key \"cloud-provider\" }}\n {{- $containCloudProvider = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n{{- if not $containCloudProvider }}\ncloud-provider: external\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "apiServerExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{- range $key, $val := .kubeSchedulerExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "kubeSchedulerExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{ $containCloudProvider := false }}\n{{- range $key, $val := .kubeControllerManagerExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{- if eq $key \"cloud-provider\" }}\n {{- $containCloudProvider = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n{{- if not $containCloudProvider }}\ncloud-provider: external\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "kubeControllerManagerExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{ $containCloudProvider := false }}\n{{- range $key, $val := .controlPlaneKubeletExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{- if eq $key \"cloud-provider\" }}\n {{- $containCloudProvider = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n{{- if not $containCloudProvider }}\ncloud-provider: external\n{{- end }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{ $containCloudProvider := false }}\n{{- range $key, $val := .controlPlaneKubeletExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{- if eq $key \"cloud-provider\" }}\n {{- $containCloudProvider = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n{{- if not $containCloudProvider }}\ncloud-provider: external\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "controlPlaneKubeletExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs",
"valueFrom": {
"template": "{{ $containCipherSuites := false }}\n{{ $containCloudProvider := false }}\n{{- range $key, $val := .workerKubeletExtraArgs }}\n{{- if eq $key \"tls-cipher-suites\" }}\n {{- $containCipherSuites = \"true\" }}\n{{- end }}\n{{- if eq $key \"cloud-provider\" }}\n {{- $containCloudProvider = \"true\" }}\n{{- end }}\n{{ $key -}} : \"{{ $val }}\"\n{{- end }}\n{{- if not $containCipherSuites }}\ntls-cipher-suites: \"{{ .tlsCipherSuites }}\"\n{{- end }}\n{{- if not $containCloudProvider }}\ncloud-provider: external\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker",
"tkg-worker-windows"
]
}
}
}
}
],
"name": "workerKubeletExtraArgs"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/controlPlaneEndpoint",
"valueFrom": {
"template": "host: '{{ .apiServerEndpoint }}'\nport: 6443\n"
}
},
{
"op": "replace",
"path": "/spec/template/spec/thumbprint",
"valueFrom": {
"variable": "vcenter.tlsThumbprint"
}
},
{
"op": "replace",
"path": "/spec/template/spec/server",
"valueFrom": {
"variable": "vcenter.server"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereClusterTemplate",
"matchResources": {
"infrastructureCluster": "true"
}
}
}
],
"name": "vsphereClusterTemplate"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/identityRef",
"valueFrom": {
"template": "{{ if .identityRef -}}\nkind: {{ .identityRef.kind }}\nname: {{ .identityRef.name }}\n{{- else -}}\nkind: Secret\nname: '{{ .builtin.cluster.name }}'\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereClusterTemplate",
"matchResources": {
"infrastructureCluster": "true"
}
}
}
],
"name": "vSphereClusterIdentityRef"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/numCPUs",
"valueFrom": {
"variable": "controlPlane.machine.numCPUs"
}
},
{
"op": "replace",
"path": "/spec/template/spec/diskGiB",
"valueFrom": {
"variable": "controlPlane.machine.diskGiB"
}
},
{
"op": "replace",
"path": "/spec/template/spec/memoryMiB",
"valueFrom": {
"variable": "controlPlane.machine.memoryMiB"
}
},
{
"op": "replace",
"path": "/spec/template/spec/cloneMode",
"valueFrom": {
"variable": "vcenter.cloneMode"
}
},
{
"op": "replace",
"path": "/spec/template/spec/network",
"valueFrom": {
"variable": "vcenter.network"
}
},
{
"op": "replace",
"path": "/spec/template/spec/datacenter",
"valueFrom": {
"variable": "vcenter.datacenter"
}
},
{
"op": "replace",
"path": "/spec/template/spec/datastore",
"valueFrom": {
"variable": "vcenter.datastore"
}
},
{
"op": "replace",
"path": "/spec/template/spec/folder",
"valueFrom": {
"variable": "vcenter.folder"
}
},
{
"op": "replace",
"path": "/spec/template/spec/resourcePool",
"valueFrom": {
"variable": "vcenter.resourcePool"
}
},
{
"op": "replace",
"path": "/spec/template/spec/storagePolicyName",
"valueFrom": {
"variable": "vcenter.storagePolicyID"
}
},
{
"op": "replace",
"path": "/spec/template/spec/server",
"valueFrom": {
"variable": "vcenter.server"
}
},
{
"op": "replace",
"path": "/spec/template/spec/template",
"valueFrom": {
"template": "{{ (index .TKR_DATA .builtin.controlPlane.version).osImageRef.template }}"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereMachineTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "controlPlaneMachineTemplate"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/numCPUs",
"valueFrom": {
"variable": "worker.machine.numCPUs"
}
},
{
"op": "replace",
"path": "/spec/template/spec/diskGiB",
"valueFrom": {
"variable": "worker.machine.diskGiB"
}
},
{
"op": "replace",
"path": "/spec/template/spec/memoryMiB",
"valueFrom": {
"variable": "worker.machine.memoryMiB"
}
},
{
"op": "replace",
"path": "/spec/template/spec/cloneMode",
"valueFrom": {
"variable": "vcenter.cloneMode"
}
},
{
"op": "replace",
"path": "/spec/template/spec/network",
"valueFrom": {
"variable": "vcenter.network"
}
},
{
"op": "replace",
"path": "/spec/template/spec/datacenter",
"valueFrom": {
"variable": "vcenter.datacenter"
}
},
{
"op": "replace",
"path": "/spec/template/spec/datastore",
"valueFrom": {
"variable": "vcenter.datastore"
}
},
{
"op": "replace",
"path": "/spec/template/spec/folder",
"valueFrom": {
"variable": "vcenter.folder"
}
},
{
"op": "replace",
"path": "/spec/template/spec/resourcePool",
"valueFrom": {
"variable": "vcenter.resourcePool"
}
},
{
"op": "replace",
"path": "/spec/template/spec/storagePolicyName",
"valueFrom": {
"variable": "vcenter.storagePolicyID"
}
},
{
"op": "replace",
"path": "/spec/template/spec/server",
"valueFrom": {
"variable": "vcenter.server"
}
},
{
"op": "replace",
"path": "/spec/template/spec/template",
"valueFrom": {
"template": "{{ (index .TKR_DATA .builtin.machineDeployment.version).osImageRef.template }}"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereMachineTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker",
"tkg-worker-windows"
]
}
}
}
}
],
"name": "workerMachineTemplate"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/users",
"valueFrom": {
"template": "- name: capv\n sshAuthorizedKeys:\n {{- range .user.sshAuthorizedKeys }}\n - ' {{- . -}} '\n {{- end }}\n sudo: ALL=(ALL) NOPASSWD:ALL\n"
}
},
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/imageRepository",
"valueFrom": {
"template": "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
}
},
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageRepository",
"valueFrom": {
"template": "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
}
},
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/etcd/local/imageTag",
"valueFrom": {
"template": "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.etcd.imageTag}}"
}
},
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/dns/imageRepository",
"valueFrom": {
"template": "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}"
}
},
{
"op": "replace",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/dns/imageTag",
"valueFrom": {
"template": "{{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.coredns.imageTag}}"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"name": "kubeadmControlPlaneTemplate"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/users",
"valueFrom": {
"template": "- name: capv\n sshAuthorizedKeys:\n {{- range .user.sshAuthorizedKeys }}\n - ' {{- . -}} '\n {{- end }}\n sudo: ALL=(ALL) NOPASSWD:ALL\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"name": "KubeadmConfigTemplate"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "owner: root:root\npath: /etc/kubernetes/manifests/kube-vip.yaml\ncontent: |\n ---\n apiVersion: v1\n kind: Pod\n metadata:\n creationTimestamp: null\n name: kube-vip\n namespace: kube-system\n spec:\n containers:\n - args:\n - manager\n env:\n - name: cp_enable\n value: \"true\"\n - name: svc_enable\n value: \"{{ .kubeVipLoadBalancerProvider }}\"\n - name: vip_arp\n value: \"true\"\n - name: vip_leaderelection\n value: \"true\"\n - name: address\n value: {{ .apiServerEndpoint }}\n {{- if and (not .aviControlPlaneHAProvider) .apiServerPort }}\n - name: port\n value: \"{{ .apiServerPort }}\"\n {{- end }}\n - name: vip_interface\n value: {{ .vipNetworkInterface }}\n - name: vip_leaseduration\n value: \"30\"\n - name: vip_renewdeadline\n value: \"20\"\n - name: vip_retryperiod\n value: \"4\"\n image: {{(index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository}}/kube-vip:{{(index (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec \"kube-vip\").imageTag}}\n imagePullPolicy: IfNotPresent\n name: kube-vip\n resources: {}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n - NET_RAW\n volumeMounts:\n - mountPath: /etc/kubernetes/admin.conf\n name: kubeconfig\n hostNetwork: \"true\"\n hostAliases:\n - hostnames:\n - kubernetes\n ip: 127.0.0.1\n volumes:\n - hostPath:\n path: /etc/kubernetes/admin.conf\n type: FileOrCreate\n name: kubeconfig\n status: {}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ not .aviAPIServerHAProvider }}",
"name": "kubeVIPPod"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/network",
"valueFrom": {
"template": "devices:\n- networkName: {{ .vcenter.network }}\n {{ if .controlPlane.network.nameservers -}}\n nameservers:\n {{- range .controlPlane.network.nameservers }}\n - {{ . }}\n {{- end }}\n {{- end }}\n {{ if .controlPlane.network.searchDomains -}}\n searchDomains:\n {{- range .controlPlane.network.searchDomains }}\n - {{ . }}\n {{- end }}\n {{- end }}\n {{ if list \"IPv4\" \"DualStack\" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp4: \"true\" {{- end }}\n {{ if list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp6: \"true\" {{- end }}\n {{ if .network.addressesFromPools -}}\n addressesFromPools:\n {{- range .network.addressesFromPools }}\n - apiGroup: {{ .apiGroup }}\n kind: {{ .kind }}\n name: {{ .name }}\n {{- end }}\n {{- end }}\n"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereMachineTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/network",
"valueFrom": {
"template": "devices:\n- networkName: {{ .vcenter.network }}\n {{ if .worker.network.nameservers -}}\n nameservers:\n {{- range .worker.network.nameservers }}\n - {{ . }}\n {{- end }}\n {{- end }}\n {{ if .controlPlane.network.searchDomains -}}\n searchDomains:\n {{- range .controlPlane.network.searchDomains }}\n - {{ . }}\n {{- end }}\n {{- end }}\n {{ if list \"IPv4\" \"DualStack\" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp4: \"true\" {{- end }}\n {{ if list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily | and (empty .network.addressesFromPools) -}} dhcp6: \"true\" {{- end }}\n {{ if .network.addressesFromPools -}}\n addressesFromPools:\n {{- range .network.addressesFromPools }}\n - apiGroup: {{ .apiGroup }}\n kind: {{ .kind }}\n name: {{ .name }}\n {{- end }}\n {{- end }}\n"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereMachineTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker",
"tkg-worker-windows"
]
}
}
}
}
],
"name": "networkConfiguration"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "echo \"::1 localhost\" >> /etc/hosts"
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "echo \"::1 localhost\" >> /etc/hosts"
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily }}",
"name": "ipv6localhost"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "replace",
"path": "/spec/template/spec/controlPlaneEndpoint/port",
"valueFrom": {
"variable": "apiServerPort"
}
}
],
"selector": {
"apiVersion": "infrastructure.cluster.x-k8s.io/v1beta1",
"kind": "VSphereClusterTemplate",
"matchResources": {
"infrastructureCluster": "true"
}
}
}
],
"enabledIf": "{{ not (empty .apiServerPort) }}",
"name": "clusterApiServerPort"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/localAPIEndpoint",
"valueFrom": {
"template": "{{ if .builtin.cluster.network.ipFamily | eq \"IPv6\" | or (.builtin.cluster.network.ipFamily | eq \"DualStack\" | and (.network.ipv6Primary | default false)) -}}\n advertiseAddress: '::/0'\n{{- else -}}\n advertiseAddress: '0.0.0.0'\n{{- end }}\nbindPort: {{ .apiServerPort }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/controlPlane",
"valueFrom": {
"template": "localAPIEndpoint:\n {{ if .builtin.cluster.network.ipFamily | eq \"IPv6\" | or (.builtin.cluster.network.ipFamily | eq \"DualStack\" | and (.network.ipv6Primary | default false)) -}}\n advertiseAddress: '::/0'\n {{- else -}}\n advertiseAddress: '0.0.0.0'\n {{- end }}\n bindPort: {{ .apiServerPort }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ and (not .aviAPIServerHAProvider) (not (empty .apiServerPort)) }}",
"name": "apiServerEndpointConfiguration"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-ip",
"value": "::"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip",
"value": "::"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/advertise-address",
"valueFrom": {
"variable": "apiServerEndpoint"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/bind-address",
"value": "::"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/controllerManager/extraArgs/bind-address",
"value": "::"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/scheduler/extraArgs/bind-address",
"value": "::"
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-ip",
"value": "::"
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ .builtin.cluster.network.ipFamily | eq \"DualStack\" | and (.network.ipv6Primary | default false) }}",
"name": "bindAddressConfiguration"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"value": {
"content": "",
"owner": "root:root",
"path": "/etc/sysconfig/kubelet",
"permissions": "0640"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "echo \"KUBELET_EXTRA_ARGS=--node-ip=$(ip -6 -json addr show dev eth0 scope global | jq -r .[0].addr_info[0].local)\" >> /etc/sysconfig/kubelet"
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ and (.builtin.cluster.network.ipFamily | eq \"IPv6\" | or (.builtin.cluster.network.ipFamily | eq \"DualStack\" | and (.network.ipv6Primary | default false))) (not .aviAPIServerHAProvider) }}",
"name": "ipv6KubeletNodeIPConfiguration"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/node-labels",
"valueFrom": {
"template": "{{ $first := \"true\" }}\n{{- range $key, $val := (index .TKR_DATA .builtin.controlPlane.version).labels }}\n{{- if regexMatch \"^(?:[a-zA-z])(?:[-\\\\w\\\\.]*[a-zA-z])$\" $val }}\n{{- if $first }}\n {{- $first = false }}\n{{- else -}}\n ,\n{{- end }}\n{{- $key -}} = {{- $val }}\n{{- end }}\n{{- end }}\n{{- if .controlPlane.nodeLabels -}}\n {{- if (index .TKR_DATA .builtin.controlPlane.version).labels -}}\n ,\n {{- end -}}\n {{- $first := \"true\" }}\n {{- range .controlPlane.nodeLabels }}\n {{- if $first }}\n {{- $first = false }}\n {{- else -}}\n ,\n {{- end }}\n {{- .key -}} = {{- .value -}}\n {{ end }}\n{{ end }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels",
"valueFrom": {
"template": "{{ $first := \"true\" }}\n{{- range $key, $val := (index .TKR_DATA .builtin.controlPlane.version).labels }}\n{{- if regexMatch \"^(?:[a-zA-z])(?:[-\\\\w\\\\.]*[a-zA-z])$\" $val }}\n{{- if $first }}\n {{- $first = false }}\n{{- else -}}\n ,\n{{- end }}\n{{- $key -}} = {{- $val }}\n{{- end }}\n{{- end }}\n{{- if .controlPlane.nodeLabels -}}\n {{- if (index .TKR_DATA .builtin.controlPlane.version).labels -}}\n ,\n {{- end -}}\n {{- $first := \"true\" }}\n {{- range .controlPlane.nodeLabels }}\n {{- if $first }}\n {{- $first = false }}\n {{- else -}}\n ,\n {{- end }}\n {{- .key -}} = {{- .value -}}\n {{ end }}\n{{ end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs/node-labels",
"valueFrom": {
"template": "{{ $first := \"true\" }}\n{{- range $key, $val := (index .TKR_DATA .builtin.machineDeployment.version).labels }}\n{{- if regexMatch \"^(?:[a-zA-z])(?:[-\\\\w\\\\.]*[a-zA-z])$\" $val }}\n{{- if $first }}\n {{- $first = false }}\n{{- else -}}\n ,\n{{- end }}\n{{- $key -}} = {{- $val }}\n{{- end }}\n{{- end }}\n{{- if .nodePoolLabels -}}\n ,\n {{- $first := \"true\" }}\n {{- range .nodePoolLabels }}\n {{- if $first }}\n {{- $first = false }}\n {{- else -}}\n ,\n {{- end }}\n {{- .key -}} = {{- .value -}}\n {{ end }}\n{{ end }}\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker",
"tkg-worker-windows"
]
}
}
}
}
],
"name": "nodeLabels"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "content: |\n [Service]\n Environment=\"HTTP_PROXY= {{- .proxy.httpProxy -}} \"\n Environment=\"HTTPS_PROXY= {{- .proxy.httpsProxy -}} \"\n Environment=\"NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" -}} \"\nowner: root:root\npath: /etc/systemd/system/containerd.service.d/http-proxy.conf\npermissions: \"0640\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "content: |\n [Service]\n Environment=\"HTTP_PROXY= {{- .proxy.httpProxy -}} \"\n Environment=\"HTTPS_PROXY= {{- .proxy.httpsProxy -}} \"\n Environment=\"NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" -}} \"\nowner: root:root\npath: /usr/lib/systemd/system/kubelet.service.d/http-proxy.conf\npermissions: \"0640\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "systemctl daemon-reload"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "systemctl stop containerd"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "systemctl start containerd"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "export HTTP_PROXY= {{- .proxy.httpProxy }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "export HTTPS_PROXY= {{- .proxy.httpsProxy }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "export NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/files/-",
"valueFrom": {
"template": "content: |\n [Service]\n Environment=\"HTTP_PROXY= {{- .proxy.httpProxy -}} \"\n Environment=\"HTTPS_PROXY= {{- .proxy.httpsProxy -}} \"\n Environment=\"NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" -}} \"\nowner: root:root\npath: /etc/systemd/system/containerd.service.d/http-proxy.conf\npermissions: \"0640\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/files/-",
"valueFrom": {
"template": "content: |\n [Service]\n Environment=\"HTTP_PROXY= {{- .proxy.httpProxy -}} \"\n Environment=\"HTTPS_PROXY= {{- .proxy.httpsProxy -}} \"\n Environment=\"NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" -}} \"\nowner: root:root\npath: /usr/lib/systemd/system/kubelet.service.d/http-proxy.conf\npermissions: \"0640\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "systemctl daemon-reload"
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "systemctl restart containerd"
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "export HTTP_PROXY= {{- .proxy.httpProxy }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "export HTTPS_PROXY= {{- .proxy.httpsProxy }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "export NO_PROXY= {{- list \"localhost\" \"127.0.0.1\" \".svc\" \".svc.cluster.local\" ((list \"IPv6\" \"DualStack\" | has .builtin.cluster.network.ipFamily) | ternary \"::1\" nil) | concat .proxy.noProxy .builtin.cluster.network.services .builtin.cluster.network.pods | uniq | sortAlpha | join \",\" }}\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ not (empty .proxy) }}",
"name": "httpProxy"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/tkg-custom-ca.pem /usr/local/share/ca-certificates/tkg-custom-ca.crt && update-ca-certificates)"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "! which update-ca-trust 2>/dev/null || (update-ca-trust force-enable && mv /etc/ssl/certs/tkg-custom-ca.pem /etc/pki/ca-trust/source/anchors/tkg-custom-ca.crt && update-ca-trust extract)"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "systemctl restart containerd"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "path: /etc/ssl/certs/tkg-custom-ca.pem\n{{- $proxy := \"\" }}\n{{- range .trust.additionalTrustedCAs }}\n {{- if eq .name \"proxy\" }}\n {{- $proxy = .data }}\n {{- end }}\n{{- end }}\ncontent: {{ $proxy }}\nencoding: base64\npermissions: \"0444\"\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "! which rehash_ca_certificates.sh 2>/dev/null || rehash_ca_certificates.sh"
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "! which update-ca-certificates 2>/dev/null || (mv /etc/ssl/certs/tkg-custom-ca.pem /usr/local/share/ca-certificates/tkg-custom-ca.crt && update-ca-certificates)"
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "! which update-ca-trust 2>/dev/null || (update-ca-trust force-enable && mv /etc/ssl/certs/tkg-custom-ca.pem /etc/pki/ca-trust/source/anchors/tkg-custom-ca.crt && update-ca-trust extract)"
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "systemctl restart containerd"
},
{
"op": "add",
"path": "/spec/template/spec/files/-",
"valueFrom": {
"template": "path: /etc/ssl/certs/tkg-custom-ca.pem\n{{- $proxy := \"\" }}\n{{- range .trust.additionalTrustedCAs }}\n {{- if eq .name \"proxy\" }}\n {{- $proxy = .data }}\n {{- end }}\n{{- end }}\ncontent: {{ $proxy }}\nencoding: base64\npermissions: \"0444\"\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ $hasProxyCert := false }} {{- range .trust.additionalTrustedCAs }} {{- if .name | eq \"proxy\" }} {{- $hasProxyCert = \"true\" }} {{- end }} {{- end }} {{- $hasProxyCert }}",
"name": "httpProxyCACert"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "sed -i 's|\".*/pause|\" {{- or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository -}} /pause|' /etc/containerd/config.toml\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "sed -i 's|\".*/pause|\" {{- or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository -}} /pause|' /etc/containerd/config.toml\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ not (empty .imageRepository.host) }}",
"name": "customizedImageRepo"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList \"/\") 0 -}}\necho '[plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\" {{- $host -}} \".tls]' >> /etc/containerd/config.toml\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"valueFrom": {
"template": "{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList \"/\") 0 }}\n{{- $val := list \"ca_file = \\\"/etc/containerd/\" $host \".crt\\\"\" | join \"\" }}\n{{- with .imageRepository }}\n {{- if .tlsCertificateValidation | eq false }}\n {{- $val = \"insecure_skip_verify = \"true\"\" }}\n {{- end }}\n{{- end -}}\n{{- define \"echo\" -}}\n echo ' {{ . -}} ' >> /etc/containerd/config.toml\n{{- end }}\n{{- template \"echo\" $val -}}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "systemctl restart containerd"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "path: /etc/containerd/ {{- index (or .imageRepository.host (index .TKR_DATA .builtin.controlPlane.version).kubernetesSpec.imageRepository | splitList \"/\") 0 -}} .crt\n{{- $proxy := \"\" }}\n{{- $image := \"\" }}\n{{- range .trust.additionalTrustedCAs }}\n {{- if eq .name \"proxy\" }}\n {{- $proxy = .data }}\n {{- end }}\n {{- if eq .name \"imageRepository\" }}\n {{- $image = .data }}\n {{- end }}\n{{- end }}\ncontent: {{or $proxy $image}}\nencoding: base64\npermissions: \"0444\"\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList \"/\") 0 -}}\necho '[plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\" {{- $host -}} \".tls]' >> /etc/containerd/config.toml\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"valueFrom": {
"template": "{{- $host := index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList \"/\") 0 }}\n{{- $val := list \"ca_file = \\\"/etc/containerd/\" $host \".crt\\\"\" | join \"\" }}\n{{- with .imageRepository }}\n {{- if .tlsCertificateValidation | eq false }}\n {{- $val = \"insecure_skip_verify = \"true\"\" }}\n {{- end }}\n{{- end -}}\n{{- define \"echo\" -}}\n echo ' {{ . -}} ' >> /etc/containerd/config.toml\n{{- end }}\n{{- template \"echo\" $val -}}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/preKubeadmCommands/-",
"value": "systemctl restart containerd"
},
{
"op": "add",
"path": "/spec/template/spec/files/-",
"valueFrom": {
"template": "path: /etc/containerd/{{ index (or .imageRepository.host (index .TKR_DATA .builtin.machineDeployment.version).kubernetesSpec.imageRepository | splitList \"/\") 0 }}.crt\n{{- $proxy := \"\" }}\n{{- $image := \"\" }}\n{{- range .trust.additionalTrustedCAs }}\n {{- if eq .name \"proxy\" }}\n {{- $proxy = .data }}\n {{- end }}\n {{- if eq .name \"imageRepository\" }}\n {{- $image = .data }}\n {{- end }}\n{{- end }}\ncontent: {{or $proxy $image}}\nencoding: base64\npermissions: \"0444\"\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ not (empty .trust.additionalTrustedCAs) }}",
"name": "registryCACert"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-path",
"value": "/var/log/kubernetes/audit.log"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-policy-file",
"value": "/etc/kubernetes/audit-policy.yaml"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxage",
"value": "30"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxbackup",
"value": "10"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/audit-log-maxsize",
"value": "100"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-",
"value": {
"hostPath": "/etc/kubernetes/audit-policy.yaml",
"mountPath": "/etc/kubernetes/audit-policy.yaml",
"name": "audit-policy"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-",
"value": {
"hostPath": "/var/log/kubernetes",
"mountPath": "/var/log/kubernetes",
"name": "audit-logs"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"value": {
"content": "---\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n #! The following requests were manually identified as high-volume and low-risk,\n #! so drop them.\n - level: None\n users: [\"system:serviceaccount:kube-system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" #! core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" #! core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" #! core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" #! core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n #! Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n #! Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n #! Don't log events requests.\n - level: None\n resources:\n - group: \"\" #! core\n resources: [\"events\"]\n #! Don't log TMC service account performing read operations because they are high-volume.\n - level: None\n userGroups: [\"system:serviceaccounts:vmware-system-tmc\"]\n verbs: [\"get\", \"list\", \"watch\"]\n #! Don't log read requests from garbage collector because they are high-volume.\n - level: None\n users: [\"system:serviceaccount:kube-system:generic-garbage-collector\"]\n verbs: [\"get\", \"list\", \"watch\"]\n #! 
node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" #! core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n #! deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n #! Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,\n #! so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" #! core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n #! Get repsonses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" #! core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n #! Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" #! 
core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n #! Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"\n",
"owner": "root:root",
"path": "/etc/kubernetes/audit-policy.yaml",
"permissions": "0600"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ .auditLogging.enabled }}",
"name": "auditLogging"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/nodeRegistration/taints",
"value": []
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/taints",
"value": []
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ not .controlPlaneTaint }}",
"name": "controlPlaneTaint"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/rolloutBefore",
"valueFrom": {
"template": "certificatesExpiryDays: {{ .controlPlaneCertificateRotation.daysBefore }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ .controlPlaneCertificateRotation.activate }}",
"name": "kcptCertificateRotation"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "remove",
"path": "/spec/template/spec/useExperimentalRetryJoin"
},
{
"op": "add",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/criSocket",
"value": "npipe:////./pipe/containerd-containerd"
},
{
"op": "remove",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites"
},
{
"op": "add",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs/register-with-taints",
"value": "os=windows:NoSchedule"
},
{
"op": "replace",
"path": "/spec/template/spec/joinConfiguration/nodeRegistration/name",
"value": "{{ ds.meta_data.hostname }}"
},
{
"op": "replace",
"path": "/spec/template/spec/preKubeadmCommands",
"valueFrom": {
"template": "- echo | set /p=\"::1 ipv6-localhost ipv6-loopback localhost6 localhost6.localdomain6\" > C:\\etc\\hosts & echo. >> C:\\etc\\hosts\n- echo | set /p=\"127.0.0.1 {{\" {{ ds.meta_data.hostname }} \"}} localhost localhost.localdomain localhost4 localhost4.localdomain4\" >> C:\\etc\\hosts\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/files/-",
"value": {
"content": "Set-Service -Name \"wuauserv\" -StartupType Disabled -Status Stopped\n",
"path": "C:\\k\\prevent_windows_updates.ps1"
}
},
{
"op": "add",
"path": "/spec/template/spec/postKubeadmCommands/-",
"value": "powershell c:/k/prevent_windows_updates.ps1 -ExecutionPolicy Bypass"
},
{
"op": "replace",
"path": "/spec/template/spec/users",
"valueFrom": {
"template": "- name: capv\n groups: Administrators\n sshAuthorizedKeys:\n {{- range .user.sshAuthorizedKeys }}\n - ' {{- . -}} '\n {{- end }}\n sudo: ALL=(ALL) NOPASSWD:ALL\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker-windows"
]
}
}
}
}
],
"name": "windows"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/files/-",
"value": {
"content": "function WaitForSaToken($KubeCfgFile, $ServiceAcctName) {\n $SaToken = $null\n $LoopCount = 400\n do {\n $LoopCount = $LoopCount - 1\n if ($LoopCount -eq 0) {\n break\n }\n sleep 5\n $SaToken=$(kubectl --kubeconfig=$KubeCfgFile get secrets -n kube-system -o jsonpath=\"{.items[?(@.metadata.annotations['kubernetes\\.io/service-account\\.name']=='$ServiceAcctName')].data.token}\")\n } while ($SaToken -eq $null)\n return $SaToken\n}\n\n# Disable firewall temporarily for SSH and other internal ports access\nSet-NetFirewallProfile -Profile Domain,Public,Private -Enabled False\n\n$TempFolder = 'C:\\programdata\\temp'\n$AntreaInTempFolder = \"$TempFolder\\antrea-windows-advanced.zip\"\n$KubeproxyInTempFolder = \"$TempFolder\\kube-proxy.exe\"\n\n# Create Folders\n$folders = @('C:\\k\\antrea', 'C:\\var\\log\\antrea', 'C:\\k\\antrea\\bin', 'C:\\var\\log\\kube-proxy', 'C:\\opt\\cni\\bin', 'C:\\etc\\cni\\net.d')\nforeach ($f in $folders) {\n New-Item -ItemType Directory -Force -Path $f\n}\n\n# Add Windows Defender Options\n$avexceptions = @('C:\\program files\\containerd\\ctr.exe', 'C:\\program files\\containerd\\containerd.exe')\nforeach ($e in $avexceptions) {\n Add-MpPreference -ExclusionProcess $e\n}\n\n# Extract Antrea, Antrea binary should be packed into windows OVA already\n$antreaZipFile = 'C:\\k\\antrea\\antrea-windows-advanced.zip'\nif (!(Test-Path $antreaZipFile)) {\n cp $AntreaInTempFolder $antreaZipFile\n}\nExpand-Archive -Force -Path $antreaZipFile -DestinationPath C:\\k\\antrea\ncp C:\\k\\antrea\\bin\\antrea-cni.exe C:\\opt\\cni\\bin\\antrea.exe -Force\ncp C:\\k\\antrea\\bin\\host-local.exe C:\\opt\\cni\\bin\\host-local.exe -Force\ncp C:\\k\\antrea\\etc\\antrea-cni.conflist C:\\etc\\cni\\net.d\\10-antrea.conflist -Force\n\n# Get HostIP and set in kubeadm-flags.env\n[Environment]::SetEnvironmentVariable(\"NODE_NAME\", (hostname).ToLower())\n$env:HostIP = (\n Get-NetIPConfiguration |\n Where-Object {\n $_.IPv4DefaultGateway -ne $null -and 
$_.NetAdapter.Status -ne \"Disconnected\"\n }\n).IPv4Address.IPAddress\n$file = 'C:\\var\\lib\\kubelet\\kubeadm-flags.env'\n$newstr = \"--node-ip=\" + $env:HostIP\n$raw = Get-Content -Path $file -TotalCount 1\n$raw = $raw -replace \".$\"\n$new = \"$($raw) $($newstr)`\"\"\nSet-Content $file $new\n\n$KubeConfigFile = 'C:\\etc\\kubernetes\\kubelet.conf'\n\n# Wait for antrea-agent token to be ready, the token will be used by Install-AntreaAgent\n$AntreaAgentToken = (WaitForSaToken $KubeConfigFile 'antrea-agent')\n\n# Setup Kube-Proxy config file\n$KubeProxyToken = (WaitForSaToken $KubeConfigFile 'kube-proxy-windows')\n$KubeProxyConfig = 'C:\\k\\antrea\\etc\\kube-proxy.conf'\n$KubeAPIServer = $(kubectl --kubeconfig=$KubeConfigFile config view -o jsonpath='{.clusters[0].cluster.server}')\n$KubeProxyToken = $([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KubeProxyToken)))\nkubectl config --kubeconfig=$KubeProxyConfig set-cluster kubernetes --server=$KubeAPIServer --insecure-skip-tls-verify\nkubectl config --kubeconfig=$KubeProxyConfig set-credentials kube-proxy-windows --token=$KubeProxyToken\nkubectl config --kubeconfig=$KubeProxyConfig set-context kube-proxy-windows@kubernetes --cluster=kubernetes --user=kube-proxy-windows\nkubectl config --kubeconfig=$KubeProxyConfig use-context kube-proxy-windows@kubernetes\n\n# kube-proxy.exe should be packed into windows OVA\nif (!(Test-Path 'C:\\k\\kube-proxy.exe')) {\n cp $KubeproxyInTempFolder 'C:\\k\\kube-proxy.exe'\n}\n\n# Install antrea-agent & OVS\nImport-Module C:\\k\\antrea\\helper.psm1\n& Install-AntreaAgent -KubernetesHome \"C:\\k\" -KubeConfig \"C:\\etc\\kubernetes\\kubelet.conf\" -AntreaHome \"C:\\k\\antrea\" -AntreaVersion \"1.7.1\"\nNew-KubeProxyServiceInterface\n& C:\\k\\antrea\\Install-OVS.ps1 -ImportCertificate $false -LocalFile C:\\k\\antrea\\ovs-win64.zip\n\n# Setup Services\n$nssm = (Get-Command nssm).Source\n& $nssm set kubelet start SERVICE_AUTO_START\n& $nssm install kube-proxy 
\"C:\\k\\kube-proxy.exe\" \"--proxy-mode=userspace --kubeconfig=$KubeProxyConfig --log-dir=C:\\var\\log\\kube-proxy --logtostderr=false --alsologtostderr\"\n& $nssm install antrea-agent \"C:\\k\\antrea\\bin\\antrea-agent.exe\" \"--config=C:\\k\\antrea\\etc\\antrea-agent.conf --logtostderr=false --log_dir=C:\\var\\log\\antrea --alsologtostderr --log_file_max_size=100 --log_file_max_num=4\"\n& $nssm set antrea-agent DependOnService kube-proxy ovs-vswitchd\n& $nssm set antrea-agent Start SERVICE_AUTO_START\n\n# Start Services\nstart-service kubelet\nstart-service kube-proxy\nstart-service antrea-agent\n",
"path": "C:\\Temp\\antrea.ps1"
}
},
{
"op": "add",
"path": "/spec/template/spec/postKubeadmCommands/-",
"value": "powershell C:/Temp/antrea.ps1 -ExecutionPolicy Bypass"
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker-windows"
]
}
}
}
}
],
"enabledIf": "{{ .cni | eq \"antrea\" }}",
"name": "windows-antrea"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/ntp",
"valueFrom": {
"template": "enabled: \"true\"\nservers:\n {{- range .ntpServers }}\n- {{ . }}\n {{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
},
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/ntp",
"valueFrom": {
"template": "enabled: \"true\"\nservers:\n {{- range .ntpServers }}\n- {{ . }}\n {{- end }}\n"
}
}
],
"selector": {
"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmConfigTemplate",
"matchResources": {
"machineDeploymentClass": {
"names": [
"tkg-worker"
]
}
}
}
}
],
"enabledIf": "{{ not (empty .ntpServers) }}",
"name": "ntpServers"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs",
"valueFrom": {
"template": "{{- range .additionalFQDN }}\n- {{ . }}\n{{- end }}\n"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"enabledIf": "{{ not (empty .additionalFQDN) }}",
"name": "additionalFQDN"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/admission-control-config-file",
"value": "/etc/kubernetes/admission-control-config.yaml"
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-",
"valueFrom": {
"template": "name: admin-control-conf\nhostPath: /etc/kubernetes/admission-control-config.yaml\nmountPath: /etc/kubernetes/admission-control-config.yaml\nreadOnly: \"true\"\npathType: \"File\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "path: /etc/kubernetes/admission-control-config.yaml\ncontent: |-\n apiVersion: apiserver.config.k8s.io/v1\n kind: AdmissionConfiguration\n plugins:\n {{- if and (not .podSecurityStandard.deactivated) (semverCompare \">= v1.24\" .builtin.controlPlane.version) }}\n {{ $namespace_exemptions := printf \"%q, %q\" \"kube-system\" \"tkg-system\" -}}\n {{ $defaultWarnAudit := \"baseline\" }}\n {{- if .podSecurityStandard.exemptions.namespaces -}}\n {{ range $namespace := .podSecurityStandard.exemptions.namespaces -}}\n {{ $namespace_exemptions = printf \"%s, %q\" $namespace_exemptions $namespace -}}\n {{- end -}}\n {{- end -}}\n - name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: \"{{ if .podSecurityStandard.enforce -}}\n {{ .podSecurityStandard.enforce }}\n {{- end }}\"\n enforce-version: \"{{ .podSecurityStandard.enforceVersion -}}\"\n audit: \"{{ if .podSecurityStandard.audit -}}\n {{ .podSecurityStandard.audit }}\n {{- else -}}\n {{ $defaultWarnAudit }}\n {{- end }}\"\n audit-version: \"{{ .podSecurityStandard.auditVersion -}}\"\n warn: \"{{ if .podSecurityStandard.warn -}}\n {{ .podSecurityStandard.warn }}\n {{- else -}}\n {{ $defaultWarnAudit }}\n {{- end }}\"\n warn-version: \"{{ .podSecurityStandard.warnVersion -}}\"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [{{ $namespace_exemptions }}]\n {{- end }}\n {{- if .eventRateLimitConf }}\n - name: EventRateLimit\n path: eventConfig.yaml\n {{- end }}"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"description": "Adds an admission configuration for kube-apiserver.",
"enabledIf": "{{ or (and (not .podSecurityStandard.deactivated) (semverCompare \">= v1.24\" .builtin.controlPlane.version)) (.eventRateLimitConf) }}",
"name": "podSecurityStandard"
},
{
"definitions": [
{
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/enable-admission-plugins",
"valueFrom": {
"template": "{{ $containEnableAdmissionPlugin := false }}\n{{- $admissionPlugins := \"\" }}\n{{- range $key, $val := .apiServerExtraArgs }}\n{{- if eq $key \"enable-admission-plugins\" }}\n {{- $containEnableAdmissionPlugin = \"true\" }}\n {{- $admissionPlugins = $val }}\n{{- end }}\n{{- end }}\n{{- if not $containEnableAdmissionPlugin }}\nNodeRestriction,EventRateLimit\n{{- else -}}\n{{- $admissionPlugins -}},EventRateLimit\n{{- end }}\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-",
"valueFrom": {
"template": "name: event-conf\nhostPath: /etc/kubernetes/eventConfig.yaml\nmountPath: /etc/kubernetes/eventConfig.yaml\nreadOnly: \"true\"\n, pathType: \"File\"\n"
}
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"valueFrom": {
"template": "path: /etc/kubernetes/eventConfig.yaml\nencoding: base64\ncontent: {{ .eventRateLimitConf}}"
}
}
],
"selector": {
"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
"kind": "KubeadmControlPlaneTemplate",
"matchResources": {
"controlPlane": "true"
}
}
}
],
"description": "Adds an admission configuration for EventRateLimit.",
"enabledIf": "{{ not (empty .eventRateLimitConf) }}",
"name": "eventRateLimitConf"
}
]
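valid = 0
invalid = 0
# Verify that each entry of the patch list has a "definitions" stanza.
# Entries without one are counted here and skipped by the grouping loop
# below, so a malformed entry cannot raise a KeyError later.
for deff in a:
    if "definitions" in deff:
        valid = valid + 1
    else:
        invalid = invalid + 1
#print("Verified definitions:", valid, invalid)
import pprint
# Group of selectors... i.e. KubeadmControlPlaneTemplate,
# KubeadmConfigTemplate, VSphereClusterTemplate, ...
#
# `selector` maps a resource kind to
#   {"jsonPatches": {<shortened path>: [patch, ...]}, "selector": <selector>}.
# Grouping is by kind only: definitions of the same kind but with different
# matchResources (e.g. the tkg-worker and tkg-worker-windows
# machineDeploymentClass selectors) are merged into one group and only the
# last selector seen for that kind is kept.
selector = {}
for definitions in a:
    if "definitions" not in definitions:
        continue
    #print("\t", len(definitions["definitions"]))
    for deff in definitions["definitions"]:
        key = deff["selector"]["kind"]
        group = selector.setdefault(key, {"jsonPatches": {}, "selector": {}})
        # Collect every patch that targets the same "path" under that path
        # (patches are grouped, not deduplicated).
        for patch in deff.get("jsonPatches", []):
            ### Make easier to read by replacing spec/template/spec
            # NOTE: this rewrites the patch dict in place, so the entries of
            # `a` are modified as well.
            patch["path"] = patch["path"].replace("/spec/template/spec/", "/s/t/s/")
            group["jsonPatches"].setdefault(patch["path"], []).append(patch)
        # Last definition of a given kind wins.
        group["selector"] = deff["selector"]
o = json.dumps(selector)
print(o)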