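# Salt/Jinja template for the kube-proxy static-pod manifest.
# Please keep kube-proxy configuration in-sync with:
# cluster/addons/kube-proxy/kube-proxy-ds.yaml
#
# Inputs come from Salt: `grains` (api_servers, cloud, feature_gates), `pillar`
# (docker registry/tag, log level, cluster_cidr, test overrides, pod priority)
# and `cpurequest`, which is passed in by the rendering state (not set here).

{% set kubeconfig = "--kubeconfig=/var/lib/kube-proxy/kubeconfig" -%}

# Pick the API server address: an explicit grain wins; otherwise fall back to
# the first IP published by a master via the Salt mine.
{% if grains.api_servers is defined -%}
{% set api_servers = "--master=https://" + grains.api_servers -%}
{% else -%}
# `|list` makes the mine result indexable regardless of whether `.values()`
# returns a list (Python 2) or a non-subscriptable view (Python 3).
{% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values()|list -%}
{% set api_servers = "--master=https://" + ips[0][0] -%}
{% endif -%}

# On GCE the API server is reached on the default HTTPS port; everywhere else
# the manifest appends the explicit 6443 port.
{% if grains['cloud'] is defined and grains.cloud == 'gce' -%}
{% set api_servers_with_port = api_servers -%}
{% else -%}
{% set api_servers_with_port = api_servers + ":6443" -%}
{% endif -%}

# Optional test-only overrides (empty unless the pillar sets them).
{% set test_args = "" -%}
{% if pillar['kubeproxy_test_args'] is defined -%}
{% set test_args = pillar['kubeproxy_test_args'] -%}
{% endif -%}

{% set cluster_cidr = "" -%}
{% if pillar['cluster_cidr'] is defined -%}
{% set cluster_cidr = " --cluster-cidr=" + pillar['cluster_cidr'] -%}
{% endif -%}

{% set log_level = pillar['log_level'] -%}
{% if pillar['kubeproxy_test_log_level'] is defined -%}
{% set log_level = pillar['kubeproxy_test_log_level'] -%}
{% endif -%}

{% set feature_gates = "" -%}
{% if grains.feature_gates is defined -%}
{% set feature_gates = "--feature-gates=" + grains.feature_gates -%}
{% endif -%}

# Bound how often kube-proxy rewrites iptables/ipvs rules on the node.
{% set throttles = "--iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m --ipvs-min-sync-period=10s" -%}

# When pod priority is enabled, the rendered line lands under `spec:` below so
# the kubelet treats kube-proxy as node-critical.
{% set pod_priority = "" -%}
{% if pillar.get('enable_pod_priority', '').lower() == 'true' -%}
{% set pod_priority = "priorityClassName: system-node-critical" -%}
{% endif -%}

# test_args should always go last to overwrite prior configuration
{% set params = log_level + " " + throttles + " " + feature_gates + " " + test_args -%}

# Placeholders for an optional env block; all empty in this manifest, so the
# corresponding lines under the container render blank.
{% set container_env = "" -%}
{% set kube_cache_mutation_detector_env_name = "" -%}
{% set kube_cache_mutation_detector_env_value = "" -%}

# kube-proxy podspec
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
  # This annotation ensures that kube-proxy does not get evicted if the node
  # supports critical pod annotation based priority scheme.
  # Note that kube-proxy runs as a static pod so this annotation does NOT have
  # any effect on rescheduler (default scheduler and rescheduler are not
  # involved in scheduling kube-proxy).
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
  labels:
    tier: node
    component: kube-proxy
spec:
  {{pod_priority}}
  # kube-proxy programs the node's own network namespace, so it must share it.
  hostNetwork: true
  # Stay scheduled on tainted/draining nodes: service routing must keep working.
  tolerations:
    - operator: "Exists"
      effect: "NoExecute"
    - operator: "Exists"
      effect: "NoSchedule"
  containers:
    - name: kube-proxy
      # Templated scalars are quoted so a tag or registry that looks like a
      # number/boolean, or an empty expansion, cannot change the YAML type.
      image: "{{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}"
      resources:
        requests:
          cpu: "{{ cpurequest }}"
      command:
        - /bin/sh
        - -c
        # --resource-container="" disables the separate resource-only cgroup;
        # the very low OOM score keeps the kernel from killing kube-proxy under
        # memory pressure; output is appended to the host's /var/log.
        - exec kube-proxy {{api_servers_with_port}} {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
      {{container_env}}
      {{kube_cache_mutation_detector_env_name}}
      {{kube_cache_mutation_detector_env_value}}
      # Privileged is required for the iptables/ipvs netfilter manipulation the
      # flags above configure; combined with hostNetwork and the host mounts
      # below this container has effectively node-level access, which is why
      # it runs only as a kubelet-managed static pod.
      securityContext:
        privileged: true
      volumeMounts:
        - mountPath: /etc/ssl/certs
          name: etc-ssl-certs
          readOnly: true
        - mountPath: /usr/share/ca-certificates
          name: usr-ca-certs
          readOnly: true
        # Writable because the command above appends to /var/log/kube-proxy.log.
        - mountPath: /var/log
          name: varlog
          readOnly: false
        # NOTE(review): kube-proxy only reads its kubeconfig; nothing in this
        # manifest writes it, so readOnly: true looks sufficient here — confirm
        # no on-node tooling relies on the container writing this path.
        - mountPath: /var/lib/kube-proxy/kubeconfig
          name: kubeconfig
          readOnly: false
        # Shared lock that serialises iptables writers on the node.
        - mountPath: /run/xtables.lock
          name: iptableslock
          readOnly: false
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
  volumes:
    - hostPath:
        path: /usr/share/ca-certificates
      name: usr-ca-certs
    - hostPath:
        path: /etc/ssl/certs
      name: etc-ssl-certs
    # FileOrCreate: an empty file is created on the host if the kubeconfig has
    # not been written yet, so the pod can start before provisioning finishes.
    - hostPath:
        path: /var/lib/kube-proxy/kubeconfig
        type: FileOrCreate
      name: kubeconfig
    - hostPath:
        path: /var/log
      name: varlog
    - hostPath:
        path: /run/xtables.lock
        type: FileOrCreate
      name: iptableslock
    - name: lib-modules
      hostPath:
        path: /lib/modules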