The customizations in this section are applicable to all providers.
This is the multi-page printable view of this section. Click here to print.
Generic
- 1: Global Image Registry Mirror
- 2: HTTP proxy
- 3: Image registries
- 4: Network Time Protocol (NTP)
- 5: Tainting nodes
- 6: Users
1 - Global Image Registry Mirror
Add containerd image registry mirror configuration to all Nodes in the cluster.
When the globalImageRegistryMirror
variable is set, files
with configurations for
Containerd default mirror.
This customization will be available when the
provider-specific cluster configuration patch is included in the ClusterClass
.
Example
To provide an image registry mirror with a CA certificate, specify the following configuration:
If the registry mirror requires a private or self-signed CA certificate,
create a Kubernetes Secret with the ca.crt
key populated with the CA certificate in PEM format:
kubectl create secret generic my-mirror-ca-cert \
--from-file=ca.crt=registry-ca.crt
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
globalImageRegistryMirror:
url: https://example.com
credentials:
secretRef:
name: my-mirror-ca-cert
Applying this configuration will result in following new files on the
KubeadmControlPlaneTemplate
and KubeadmConfigTemplate
resources:
/etc/containerd/certs.d/_default/hosts.toml
/etc/certs/mirror.pem
To use a public hosted image registry (e.g. ECR) as a registry mirror, specify the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
globalImageRegistryMirror:
url: https://123456789.dkr.ecr.us-east-1.amazonaws.com
Applying this configuration will result in following new files on the
KubeadmControlPlaneTemplate
and KubeadmConfigTemplate
resources:
/etc/containerd/certs.d/_default/hosts.toml
2 - HTTP proxy
In some network environments it is necessary to use HTTP proxy to successfuly execute HTTP requests.
This customization will configure Kubernetes components (containerd
, kubelet
) with appropriate configuration for
control plane and worker nodes, utilising systemd drop-ins to configure the necessary environment variables.
This customization will be available when the
provider-specific cluster configuration patch is included in the ClusterClass
.
Example
To configure HTTP proxy values, specify the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
proxy:
http: http://example.com
https: http://example.com
additionalNo:
- no-proxy-1.example.com
- no-proxy-2.example.com
The additionalNo
list will be added to default pre-calculated values that apply on k8s networking
localhost,127.0.0.1,<POD CIDRS>,<SERVICE CIDRS>,kubernetes,kubernetes.default,.svc,.svc.cluster.local
, plus
provider-specific addresses as required.
Applying this configuration will result in the following value being set:
KubeadmControlPlaneTemplate
:spec: kubeadmConfigSpec: clusterConfiguration: files: - path: "/etc/systemd/system/containerd.service.d/http-proxy.conf" content: <generated> - path: "/etc/systemd/system/kubelet.service.d/http-proxy.conf" content: <generated>
KubeadmConfigTemplate
:spec: files: - path: "/etc/systemd/system/containerd.service.d/http-proxy.conf" content: <generated> - path: "/etc/systemd/system/kubelet.service.d/http-proxy.conf" content: <generated>
Applying this configuration will result in new bootstrap files on the KubeadmControlPlaneTemplate
and KubeadmConfigTemplate
.
3 - Image registries
Add image registry configuration to all Nodes in the cluster.
When the credentials
variable is set, files
and preKubeadmnCommands
with configurations for
Kubelet image credential provider
and dynamic credential provider will be added.
This customization will be available when the
provider-specific cluster configuration patch is included in the ClusterClass
.
Example
If your registry requires static credentials, create a Kubernetes Secret with keys for username
and password
:
kubectl create secret generic my-registry-credentials \
--from-literal username=${REGISTRY_USERNAME} --from-literal password=${REGISTRY_PASSWORD}
If your registry requires a private or self-signed CA certificate,
create a Kubernetes Secret with the ca.crt
key populated with the CA certificate in PEM format:
kubectl create secret generic my-mirror-ca-cert \
--from-file=ca.crt=registry-ca.crt
To set both image registry credentials and CA certificate,
create a Kubernetes Secret with keys for username
, password
, and ca.crt
:
kubectl create secret generic my-registry-credentials \
--from-literal username=${REGISTRY_USERNAME} --from-literal password=${REGISTRY_PASSWORD} \
--from-file=ca.crt=registry-ca.crt
To add image registry credentials and/or CA certificate, specify the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
imageRegistries:
- url: https://my-registry.io
credentials:
secretRef:
name: my-registry-credentials
Applying this configuration will result in new files and preKubeadmCommands
on the KubeadmControlPlaneTemplate
and KubeadmConfigTemplate
.
4 - Network Time Protocol (NTP)
You can configure cluster nodes (control plane, and workers) to update their system clock from a specific set of NTP servers.
Keep in mind that each node's operating system is almost certainly configured with a default set of NTP servers. In some cases, the node must use different NTP servers. For example, if the node cannot reach the default servers.
Example
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
ntp
servers:
- time1.example.com
- time2.example.com
Applying this configuration will result in the following values being set
for the control plane, on the KubeadmControlPlaneTemplate
spec:
kubeadmConfigSpec:
ntp:
enabled: true
servers:
- time1.example.com
- time2.example.com
and for every worker, on its respective KubeadmConfigTemplate
spec:
ntp:
enabled: true
servers:
- time1.example.com
- time2.example.com
5 - Tainting nodes
Tainting nodes prevents pods from being scheduled on them unless they explicitly tolerate the taints applied to the nodes. See the Kubernetes Taints and Tolerations documentation for more details.
This customization will be available when the
provider-specific cluster configuration patch is included in the ClusterClass
.
Example
Control plane taints
To configure taints for the control plane nodes, specify the following configuration:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
controlPlane:
taints:
- key: some-key
effect: NoSchedule
value: some-value
Applying this configuration will result in the following value being set:
KubeadmControlPlaneTemplate
:spec: kubeadmConfigSpec: initConfiguration: nodeRegistration: taints: - key: some-key effect: NoSchedule value: some-value joinConfiguration: nodeRegistration: taints: - key: some-key effect: NoSchedule value: some-value
Default control-plane taint applied by kubeadm
When using this customization, the default taint added by kubeadm to the control plane nodes will not be added unless explicitly specified as well.
To add the default taint back to the control-plane, add the following taint along with any custom taints you wish to add to the control-plane taints:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
Removing all taints from control-plane nodes
To remove the default control plane taints set by kubeadm (and therefore allow scheduling to control plane nodes without
adding explicit tolerations to your pod manifests), set controlPlane.taints
to an empty array:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
controlPlane:
taints: []
Worker node taints
Taints for individual nodepools can be configured similarly:
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
workers:
machineDeployments:
- class: default-worker
name: md-0
variables:
overrides:
- name: workerConfig
value:
taints:
- key: some-key
effect: NoSchedule
value: some-value
Applying this configuration will result in the following value being set:
KubeadmConfigTemplate
:spec: joinConfiguration: nodeRegistration: taints: - key: some-key effect: NoSchedule value: some-value
6 - Users
Configure users for all machines in the cluster, the user's superuser capabilities using sudo
user specifications, and
the login authentication mechanism.
SSH authorized keys are just public SSH keys that are used to authenticate a login. See the SSH man page for more information.
For information on sudo user specifications, see the sudo documentation.
Local password authentication is disabled for the user by default. It is enabled only when a hashed password is provided.
Examples
Admin user with SSH public key login
Creates a user with the name admin
, grants the user the ability to run any command as the superuser, and allows you to
login via SSH using the username and private key corresponding to the authorized public key.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
users:
- name: username
sshAuthorizedKeys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAua0lo8BiGWgvIiDCKnQDKL5uERHfnehm0ns5CEJpJw optionalcomment"
sudo: "ALL=(ALL) NOPASSWD:ALL"
Admin user with serial console password login
Creates a user with the name admin,
grants the user the ability to run any command as the superuser, and allows you to
login via serial console using the username and password.
Note that this does not allow you to login via SSH using the username and password; in most cases, you must also configure the SSH server to allow password authentication.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: <NAME>
spec:
topology:
variables:
- name: clusterConfig
value:
users:
- name: admin
hashedPassword: "$y$j9T$UraH8eN4XvapXBmmSaUrP0$Nyxdf1cJDGZcp0WDKu.CFHprrkPG4ubirqSqiD43Ix3"
sudo: "ALL=(ALL) NOPASSWD:ALL"