KubeadmControlPlane with audit logs
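---
# KubeadmControlPlane for a Cluster API (v1alpha3) cluster on vSphere.
# The `${ ... }` placeholders are substituted by the template tooling before
# the document is parsed as YAML; the `{{ ds.meta_data.hostname }}` values are
# expanded later by cloud-init on the node.
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: KubeadmControlPlane
metadata:
  name: '${ CLUSTER_NAME }-control-plane'
  namespace: '${ NAMESPACE }'
spec:
  infrastructureTemplate:
    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
    kind: VSphereMachineTemplate
    name: '${ CLUSTER_NAME }-control-plane'
  kubeadmConfigSpec:
    useExperimentalRetryJoin: true
    clusterConfiguration:
      imageRepository: '${ _TKG_K8S_IMAGE_REPOSITORY }'
      kubernetesVersion: '${ KUBERNETES_VERSION }'
      etcd:
        local:
          dataDir: /var/lib/etcd
          imageRepository: '${ _TKG_ETCD_IMAGE_REPOSITORY }'
          imageTag: '${ _TKG_ETCD_IMAGE_TAG }'
          extraArgs:
            # Restrict etcd to the same AEAD / ECDHE suite list used for the
            # other control-plane components below.
            cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      dns:
        type: CoreDNS
        imageRepository: '${ _TKG_COREDNS_IMAGE_REPOSITORY }'
        imageTag: '${ _TKG_COREDNS_IMAGE_TAG }'
      apiServer:
        timeoutForControlPlane: "8m0s"
        # extraArgs is a map of strings: every value must stay a string after
        # template substitution, hence the quoting of templated and numeric values.
        extraArgs:
          cloud-provider: external
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          # OIDC authentication against Dex; the issuer CA is delivered through
          # the `files:` entry and `dex-ca` volume below.
          oidc-client-id: '${ CLUSTER_NAME }'
          oidc-issuer-url: '${ OIDC_ISSUER_URL }'
          oidc-username-claim: '${ OIDC_USERNAME_CLAIM }'
          oidc-groups-claim: '${ OIDC_GROUPS_CLAIM }'
          oidc-ca-file: /etc/tkg/pki/dex-ca.crt
          # Audit logging: policy and log path are both host paths, so each
          # needs a matching entry in extraVolumes.
          audit-log-path: /var/log/kubernetes/audit.log
          audit-policy-file: /etc/kubernetes/audit-policy.yaml
          # Rotation: keep files for 30 days, at most 10 rotated files,
          # rotate at 100 MB.
          audit-log-maxage: "30"
          audit-log-maxbackup: "10"
          audit-log-maxsize: "100"
        extraVolumes:
          - name: dex-ca
            hostPath: /etc/tkg/pki
            mountPath: /etc/tkg/pki
            readOnly: true
            pathType: DirectoryOrCreate
          # The policy is a single file the API server only reads: mount it
          # read-only and declare it as a File so a missing policy fails the
          # mount instead of being materialised as an empty directory.
          - name: audit-policy
            hostPath: /etc/kubernetes/audit-policy.yaml
            mountPath: /etc/kubernetes/audit-policy.yaml
            readOnly: true
            pathType: File
          # The API server writes here, so this mount must remain writable.
          - name: audit-logs
            hostPath: /var/log/kubernetes
            mountPath: /var/log/kubernetes
            pathType: DirectoryOrCreate
      controllerManager:
        extraArgs:
          cloud-provider: external
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      scheduler:
        extraArgs:
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    initConfiguration:
      nodeRegistration:
        criSocket: /var/run/containerd/containerd.sock
        kubeletExtraArgs:
          cloud-provider: external
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        name: '{{ ds.meta_data.hostname }}'
    joinConfiguration:
      nodeRegistration:
        criSocket: /var/run/containerd/containerd.sock
        kubeletExtraArgs:
          cloud-provider: external
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        name: '{{ ds.meta_data.hostname }}'
    # Runs on the node before kubeadm; sets the hostname and a minimal /etc/hosts.
    preKubeadmCommands:
      - hostname "{{ ds.meta_data.hostname }}"
      - echo "::1 ipv6-localhost ipv6-loopback" >/etc/hosts
      - echo "127.0.0.1 localhost" >>/etc/hosts
      - echo "127.0.0.1 {{ ds.meta_data.hostname }}" >>/etc/hosts
      - echo "{{ ds.meta_data.hostname }}" >/etc/hostname
    users:
      - name: capv
        sshAuthorizedKeys:
          - '${ VSPHERE_SSH_AUTHORIZED_KEY }'
        sudo: ALL=(ALL) NOPASSWD:ALL
    files:
      # Dex issuer CA, referenced by --oidc-ca-file above.
      - path: /etc/tkg/pki/dex-ca.crt
        encoding: "gzip+base64"
        # Produce the value with (macOS `base64 -D`; GNU coreutils uses `-d`):
        # kubectl get secret dex-cert-tls -n tanzu-system-auth -o 'go-template={{ index .data "ca.crt" }}' | base64 -D | gzip | base64
        content: '${ DEX_CA }'
      # Audit policy consumed by --audit-policy-file; root-owned and
      # not readable by other users on the host.
      - path: /etc/kubernetes/audit-policy.yaml
        owner: "root:root"
        permissions: "0600"
        encoding: base64
        content: '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'
  # Deliberately unquoted: replicas must parse as an integer after substitution.
  replicas: ${ CONTROL_PLANE_MACHINE_COUNT }
  version: '${ KUBERNETES_VERSION }'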