#cloud-config coreos: locksmith: endpoint: https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 etcd_cafile: /etc/etcd2/ssl/etcd-ca.pem etcd_certfile: /etc/etcd2/ssl/etcd-client.pem etcd_keyfile: /etc/etcd2/ssl/etcd-client-key.pem update: reboot_strategy: etcd-lock flannel: etcd_endpoints: https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 etcd_cafile: /etc/etcd2/ssl/etcd-ca.pem etcd_certfile: /etc/etcd2/ssl/etcd-client.pem etcd_keyfile: /etc/etcd2/ssl/etcd-client-key.pem interface: $private_ipv4 units: - name: docker.service command: start drop-ins: - name: 40-flannel.conf content: | [Unit] Requires=flanneld.service After=flanneld.service - name: 50-opts.conf content: | [Service] Environment=DOCKER_OPTS='--log-driver=journald' - name: flanneld.service command: start drop-ins: - name: 20-wait-tls.conf content: | [Service] ExecStartPre=/opt/kaws/decrypt-pki - name: 50-network-config.conf content: | [Service] Environment=ETCD_SSL_DIR=/etc/etcd2/ssl Environment=ETCDCTL_CA_FILE=/etc/etcd2/ssl/etcd-ca.pem Environment=ETCDCTL_CERT_FILE=/etc/etcd2/ssl/etcd-client.pem Environment=ETCDCTL_KEY_FILE=/etc/etcd2/ssl/etcd-client-key.pem Environment=ETCDCTL_ENDPOINT=https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config "{\"Network\":\"10.2.0.0/16\"}" - name: kubelet.service command: start drop-ins: - name: 20-wait-docker.conf content: | [Unit] Requires=docker.service After=docker.service content: | [Unit] Description=Kubernetes Kubelet [Service] Environment=KUBELET_IMAGE_TAG=v${version} Environment=KUBELET_IMAGE_URL=docker://gcr.io/google_containers/hyperkube Environment="RKT_RUN_ARGS=--volume resolv,kind=host,source=/etc/resolv.conf --mount volume=resolv,target=/etc/resolv.conf --insecure-options=image" ExecStart=/usr/lib/coreos/kubelet-wrapper \ --allow-privileged=true \ --api-servers=http://127.0.0.1:8080 \ --cloud-provider=aws \ --cluster-dns=10.3.0.10 \ --cluster-domain=cluster.local \ --hostname-override=$private_ipv4 \ --logtostderr=true \ --pod-manifest-path=/etc/kubernetes/manifests \ --register-schedulable=false Restart=always RestartSec=10 [Install] WantedBy=multi-user.target ssh_authorized_keys: [${ssh_public_keys}] write_files: - path: /etc/kubernetes/manifests/kaws-rbac.yml content: | apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: kaws:kube-system namespace: kube-system subjects: - kind: ServiceAccount name: default namespace: kube-system roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io - path: /etc/kubernetes/manifests/kube-apiserver.yml content: | apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: hostNetwork: true containers: - name: kube-apiserver image: gcr.io/google_containers/hyperkube:v${version} command: - /hyperkube - apiserver - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds - --advertise-address=$private_ipv4 - --allow-privileged=true - --anonymous-auth=false - --authorization-mode=RBAC - --bind-address=0.0.0.0 - --client-ca-file=/etc/kubernetes/ssl/ca.pem - --cloud-provider=aws - --etcd-cafile=/etc/etcd2/ssl/etcd-ca.pem - --etcd-certfile=/etc/etcd2/ssl/etcd-client.pem - --etcd-keyfile=/etc/etcd2/ssl/etcd-client-key.pem - --etcd-servers=https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 - --external-hostname=https://kubernetes.${domain} - --insecure-bind-address=0.0.0.0 - --runtime-config=batch/v2alpha1=true - --secure-port=443 - --service-account-key-file=/etc/kubernetes/ssl/master-key.pem - --service-cluster-ip-range=10.3.0.1/24 - --storage-backend=etcd2 - --storage-media-type=application/json - --tls-cert-file=/etc/kubernetes/ssl/master.pem - --tls-private-key-file=/etc/kubernetes/ssl/master-key.pem ports: - containerPort: 443 hostPort: 443 name: https - containerPort: 8080 hostPort: 8080 name: local volumeMounts: - mountPath: /etc/etcd2/ssl name: ssl-certs-etcd readOnly: true - mountPath: /etc/kubernetes/ssl name: ssl-certs-kubernetes readOnly: true - mountPath: /etc/ssl/certs name: ssl-certs-host readOnly: true volumes: - hostPath: path: /etc/etcd2/ssl name: ssl-certs-etcd - hostPath: path: /etc/kubernetes/ssl name: ssl-certs-kubernetes - hostPath: path: /usr/share/ca-certificates name: ssl-certs-host - path: /etc/kubernetes/manifests/kube-proxy.yml content: | apiVersion: v1 kind: Pod metadata: name: kube-proxy namespace: kube-system spec: hostNetwork: true containers: - name: kube-proxy image: gcr.io/google_containers/hyperkube:v${version} command: - /hyperkube - proxy - --master=http://127.0.0.1:8080 - --proxy-mode=iptables securityContext: privileged: true volumeMounts: - mountPath: /etc/ssl/certs name: ssl-certs-host readOnly: true volumes: - hostPath: path: /usr/share/ca-certificates name: ssl-certs-host - path: /etc/kubernetes/manifests/kube-controller-manager.yml content: | apiVersion: v1 kind: Pod metadata: name: kube-controller-manager namespace: kube-system spec: containers: - name: kube-controller-manager image: gcr.io/google_containers/hyperkube:v${version} command: - /hyperkube - controller-manager - --cloud-provider=aws - --leader-elect=true - --master=http://127.0.0.1:8080 - --root-ca-file=/etc/kubernetes/ssl/ca.pem - --service-account-private-key-file=/etc/kubernetes/ssl/master-key.pem resources: requests: cpu: 200m livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 10252 initialDelaySeconds: 15 timeoutSeconds: 1 volumeMounts: - mountPath: /etc/kubernetes/ssl name: ssl-certs-kubernetes readOnly: true - mountPath: /etc/ssl/certs name: ssl-certs-host readOnly: true hostNetwork: true volumes: - hostPath: path: /etc/kubernetes/ssl name: ssl-certs-kubernetes - hostPath: path: /usr/share/ca-certificates name: ssl-certs-host - path: /etc/kubernetes/manifests/kube-scheduler.yml content: | apiVersion: v1 kind: Pod metadata: name: kube-scheduler namespace: kube-system spec: hostNetwork: true containers: - name: kube-scheduler image: gcr.io/google_containers/hyperkube:v${version} command: - /hyperkube - scheduler - --master=http://127.0.0.1:8080 - --leader-elect=true resources: requests: cpu: 100m livenessProbe: httpGet: host: 127.0.0.1 path: /healthz port: 10251 initialDelaySeconds: 15 timeoutSeconds: 15 - path: /opt/kaws/decrypt-pki permissions: "0500" content: | #!/bin/bash -e for file in $(find /etc/etcd2/ssl/*.binary /etc/kubernetes/ssl/*.binary); do /usr/bin/rkt run \ --net=host \ --volume=dns,kind=host,source=/etc/resolv.conf,readOnly=true \ --mount=volume=dns,target=/etc/resolv.conf \ --volume=etcd-pki,kind=host,source=/etc/etcd2/ssl \ --mount=volume=etcd-pki,target=/etc/etcd2/ssl \ --volume=k8s-pki,kind=host,source=/etc/kubernetes/ssl \ --mount=volume=k8s-pki,target=/etc/kubernetes/ssl \ --trust-keys-from-https \ quay.io/coreos/awscli \ --exec=/bin/bash \ -- \ -c "aws --region ${region} kms decrypt --ciphertext-blob fileb://$file --output text --query Plaintext | base64 -d > $${file/-encrypted.binary/.pem}" done - path: /etc/etcd2/ssl/etcd-ca.pem encoding: "base64" content: "${etcd_ca_cert}" - path: /etc/etcd2/ssl/etcd-client.pem encoding: "base64" content: "${etcd_client_cert}" - path: /etc/etcd2/ssl/etcd-client-key-encrypted.binary encoding: "base64" content: "${etcd_client_key}" - path: /etc/kubernetes/ssl/ca.pem encoding: "base64" content: "${k8s_ca_cert}" - path: /etc/kubernetes/ssl/master.pem encoding: "base64" content: "${k8s_master_cert}" - path: /etc/kubernetes/ssl/master-key-encrypted.binary encoding: "base64" content: "${k8s_master_key}"