k3s-server job from k3s-wrapper/0.2.0

Github source: d3bd8cb or master branch

Properties¶

containerd_registry¶

containerd registry configuration

k3s¶

additional-manifests¶

array of additionnel yaml to apply at k3s start

Default

[]

additional_tls_sans¶

array of additionnal tls-san for k8s api (added to default, ip, bosh-dns alias, or master vip if set)

Default

[]

audit-policy-file¶

if set, defines and activate audit policy for k8s server

Default

  |+
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
  
    # Prevent requests in the RequestReceived stage from generating audit events.
    omitStages:
      - "RequestReceived"
  
    rules:
      # Log "pods/log", "pods/status" at Metadata level
      - level: Metadata
        resources:
        - group: ""
          resources: ["pods/log", "pods/status"]
      # Exclude logging requests to a configmap called "controller-config"
      - level: None
        resources:
        - group: ""
          resources: ["configmaps"]
          resourceNames: ["controller-config"]
      # Don't log watch requests by the "system:kube-proxy" on endpoints or services
      - level: None
        users: ["system:kube-proxy"]
        verbs: ["watch"]
        resources:
        - group: "" # core API group
          resources: ["endpoints", "services"]
      # Log deployment changes at RequestResponse level
      - level: Metadata
        resources:
        - group: ""
          resources: ["deployments"]
      # Log service changes at metadata level
      - level: Metadata
        resources:
        - group: ""
          resources: ["services"]
      # Log the request body of configmap changes in the kube-system namespace.
      - level: Request
        resources:
        - group: "" # core API group
          resources: ["configmaps"]
        # You can use an empty string [""] to select resources not associated with a namespace.
        namespaces: ["kube-system"]
      # Log configmap and secret changes in all other namespaces at the Metadata level.
      - level: Metadata
        resources:
        - group: "" # core API group
          resources: ["secrets", "configmaps","serviceaccounts/token"] #see https://github.com/kubernetes/kubernetes/issues/98612#issuecomment-962088315
      # Log all other resources in core and extensions at the Request level.
      - level: Request
        resources:
        - group: "" # core API group
        - group: "extensions" # Version of group should NOT be included.
      # A wild-card rule to log all other requests at the Metadata level.
      - level: Metadata
        # Long-running requests like watches that fall under this rule will not
        # generate an audit event in RequestReceived.
        omitStages:
          - "RequestReceived"

bind-address value¶

(listener) k3s bind address (default: 0.0.0.0)

Default

0.0.0.0

bosh-post-start-delay-seconds¶

bosh post start tempo, to let the kubelet start the pods before bosh triggers another node update

Default

30

cluster-cidr¶

(networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)

cluster-dns¶

(networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)

containerd_additional_env_vars¶

additional env vars (name/value map array) to set for containerd (the key will be prefixed with CONTAINERD_, and set in k3s launch context

Default

[]

datastore-cafile¶

TLS Certificate Authority file used to secure datastore backend communication

datastore-certfile¶

TLS certification file used to secure datastore backend communication

datastore-endpoint¶

Specify etcd, Mysql, Postgres, or Sqlite (default) data source name

datastore-keyfile¶

TLS key file used to secure datastore backend communication

disable¶

(components) Do not deploy packaged components and delete any deployed components (valid itemms are coredns, servicelb, traefik, local-storage, metrics-server)

Default

[]

disable-cloud-controller¶

(components) If set, Disable k3s default cloud controller manager

disable-kube-proxy¶

(components) Disable running kube-proxy

disable-network-policy¶

(components) Disable k3s default network policy controller

disable-vxlan-hardware-options¶

Disable VxLAN harware options on private interface

Default

  - tx-udp_tnl-segmentation
  - tx-udp_tnl-csum-segmentation

do-not-killall-on-post-stop¶

if set, the bosh post-stop script wont leverage k3s-killall.sh script

Default

false

drain¶

delete-emptydir-data¶

continue even if there are pods using emptyDir (local data that will be deleted when the node is drained).

Default

true

disable-eviction¶

force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution

Default

false

grace-period¶

period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used.

Default

-1

ignore-daemonsets¶

Ignore DaemonSet-managed pods.

Default

true

pod-selector¶

Label selector to filter pods on the node

selector¶

Selector (label query) to filter on

skip-wait-for-delete-timeout¶

If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.

Default

0

timeout¶

The length of time to wait before giving up, zero means infinite

Default

90s

embedded-ha-etcd¶

if set, use embedded etcd in ha mode. requires an odd number of servers, overrides datastore-endpoints

flannel-backend¶

(networking) One of ‘none’, ‘vxlan’, ‘ipsec’, or ‘wireguard’

Default

vxlan

kube-apiserver-arg¶

(flags) Customized flag for kube-apiserver process

Default

[]

kube-cloud-controller-manager-arg¶

(flags) Customized flag for kube-cloud-controller-manager process

Default

[]

kube-controller-manager-arg¶

(flags) Customized flag for kube-controller-manager process

Default

[]

kube-proxy-arg¶

(agent/flags) Customized flag for kube-proxy process

Default

[]

kube-scheduler-arg¶

(flags) Customized flag for kube-scheduler process

Default

[]

kubelet-args¶

(agent/flags) Customized flag for kubelet process

Default

[]

kubelet-config-file¶

content of kubelet config file, to enable eg GraceFull Node Shutdown

Default

  |+
    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s

master_vip_api¶

externaly defined vip ip for HA k3s (enables multi master instance groups). This is used for public api access, tls-san, and agents to server communication

node-labels¶

(agent/node) Registering and starting kubelet with set of labels

Default

[]

node-taints¶

(agent/node) Registering kubelet with set of taints.format is key=value:Effect)

Default

[]

node_name_prefix¶

explicitly set k8s node name. If not set, - is set automatically. If set, name is -

service-cidr¶

(networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)

set-provider-id-prefix¶

If set, the default provider id (k3s://- will be set as kubelet arg as ://-

token¶

(cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]

token-file-content¶

token-file content. see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file

v¶

(logging) Number for the log level verbosity (default: 0)

Default

0

registry¶

mirrors¶

tls¶

ca¶

private registry ca

cert¶

private registry certificate

key¶

private registry private key

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/k3s-server/ directory (learn more).

• bin/ctl (from bin/ctl.erb)
• bin/drain (from bin/drain.erb)
• bin/envrc (from bin/envrc)
• bin/k3s-killall.sh (from bin/k3s-killall.sh)
• bin/post-deploy (from bin/post-deploy.erb)
• bin/post-start (from bin/post-start.erb)
• bin/pre-start (from bin/pre-start.erb)
• bin/pre-stop (from bin/pre-stop.erb)
• bin/setup-user-env (from bin/setup-user-env.erb)
• config/additional-manifest.yaml (from config/additional-manifest.yaml.erb)
• config/audit-policy.yaml (from config/audit-policy.yaml.erb)
• config/bpm.yml (from config/bpm.yml)
• config/datastore-cafile (from config/datastore-cafile.erb)
• config/datastore-certfile (from config/datastore-certfile.erb)
• config/datastore-keyfile (from config/datastore-keyfile.erb)
• config/kubelet-config.yaml (from config/kubelet-config.yaml.erb)
• config/registries.yaml (from config/registries.yaml.erb)
• config/registry.ca (from config/registry.ca.erb)
• config/registry.cert (from config/registry.cert.erb)
• config/registry.key (from config/registry.key.erb)
• config/token.csv (from config/token.csv.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

This job relies on no runtime packages.