rphillips · May 8, 2018 15:16
diff --git a/kube-apiserver.yaml b/kube-apiserver.yaml
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: kube-apiserver
  namespace: kube-system
  labels:
    tier: control-plane
    k8s-app: kube-apiserver
 spec:
  selector:
    matchLabels:
      tier: control-plane
      k8s-app: kube-apiserver
  template:
    metadata:
      labels:
        tier: control-plane
        k8s-app: kube-apiserver
      annotations:
        checkpointer.alpha.coreos.com/checkpoint: "true"
        node.kubernetes.io/bootstrap-checkpoint: "true"
    spec:
      containers:
      - name: kube-apiserver
        image: k8s.gcr.io/hyperkube:v1.10.2
        command:
        - /hyperkube
        - apiserver
        - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction
        - --advertise-address=$(POD_IP)
        - --allow-privileged=true
        - --anonymous-auth=false
        - --authorization-mode=Node,RBAC
        - --bind-address=0.0.0.0
        - --client-ca-file=/etc/kubernetes/secrets/ca.crt
        - --cloud-provider=
        - --enable-bootstrap-token-auth=true
        - --etcd-servers=http://127.0.0.1:2379
        - --insecure-port=0
        - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
        - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
        - --secure-port=7443
        - --storage-backend=etcd3
        - --tls-ca-file=/etc/kubernetes/secrets/ca.crt
        - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
        env:
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
        - mountPath: /etc/kubernetes/secrets
          name: secrets
          readOnly: true
      hostNetwork: true
      volumes:
      - name: ssl-certs-host
        hostPath:
          path: /usr/share/ca-certificates
      - name: secrets
        secret:
          secretName: kube-apiserver
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
diff --git a/startup-dev.sh b/startup-dev.sh
 #!/usr/bin/env bash

 set -eou pipefail

 export ENABLE_SELFHOSTED_API="true"
 export BOOTSTRAP_CHECKPOINT_PATH=$(mktemp -d)

 echo "Enable Self Hosted API Server: ${ENABLE_SELFHOSTED_API}"
 echo "Bootstrap Checkpoint Path: ${BOOTSTRAP_CHECKPOINT_PATH}"
 echo

 cleanup() {
  sudo rm -rf ${BOOTSTRAP_CHECKPOINT_PATH}
  sudo rm -rf /tmp/kube-*.log
 }
 trap cleanup EXIT

 sudo ENABLE_SELFHOSTED_API=${ENABLE_SELFHOSTED_API} \
     BOOTSTRAP_CHECKPOINT_PATH=${BOOTSTRAP_CHECKPOINT_PATH} \
     PATH="$PWD:$PATH" \
     hack/local-up-cluster.sh
	apiVersion: apps/v1
	kind: DaemonSet
	metadata:
	name: kube-apiserver
	namespace: kube-system
	labels:
	tier: control-plane
	k8s-app: kube-apiserver
	spec:
	selector:
	matchLabels:
	tier: control-plane
	k8s-app: kube-apiserver
	template:
	metadata:
	labels:
	tier: control-plane
	k8s-app: kube-apiserver
	annotations:
	checkpointer.alpha.coreos.com/checkpoint: "true"
	node.kubernetes.io/bootstrap-checkpoint: "true"
	spec:
	containers:
	- name: kube-apiserver
	image: k8s.gcr.io/hyperkube:v1.10.2
	command:
	- /hyperkube
	- apiserver
	- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction
	- --advertise-address=$(POD_IP)
	- --allow-privileged=true
	- --anonymous-auth=false
	- --authorization-mode=Node,RBAC
	- --bind-address=0.0.0.0
	- --client-ca-file=/etc/kubernetes/secrets/ca.crt
	- --cloud-provider=
	- --enable-bootstrap-token-auth=true
	- --etcd-servers=http://127.0.0.1:2379
	- --insecure-port=0
	- --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
	- --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
	- --secure-port=7443
	- --storage-backend=etcd3
	- --tls-ca-file=/etc/kubernetes/secrets/ca.crt
	- --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
	- --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
	env:
	- name: POD_IP
	valueFrom:
	fieldRef:
	fieldPath: status.podIP
	volumeMounts:
	- mountPath: /etc/ssl/certs
	name: ssl-certs-host
	readOnly: true
	- mountPath: /etc/kubernetes/secrets
	name: secrets
	readOnly: true
	hostNetwork: true
	volumes:
	- name: ssl-certs-host
	hostPath:
	path: /usr/share/ca-certificates
	- name: secrets
	secret:
	secretName: kube-apiserver
	securityContext:
	runAsNonRoot: true
	runAsUser: 65534
	updateStrategy:
	rollingUpdate:
	maxUnavailable: 1
	type: RollingUpdate
	#!/usr/bin/env bash

	set -eou pipefail

	export ENABLE_SELFHOSTED_API="true"
	export BOOTSTRAP_CHECKPOINT_PATH=$(mktemp -d)

	echo "Enable Self Hosted API Server: ${ENABLE_SELFHOSTED_API}"
	echo "Bootstrap Checkpoint Path: ${BOOTSTRAP_CHECKPOINT_PATH}"
	echo

	cleanup() {
	sudo rm -rf ${BOOTSTRAP_CHECKPOINT_PATH}
	sudo rm -rf /tmp/kube-*.log
	}
	trap cleanup EXIT

	sudo ENABLE_SELFHOSTED_API=${ENABLE_SELFHOSTED_API} \
	BOOTSTRAP_CHECKPOINT_PATH=${BOOTSTRAP_CHECKPOINT_PATH} \
	PATH="$PWD:$PATH" \
	hack/local-up-cluster.sh