Kubernetes Control Plane
- By Canonical Kubernetes
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 313 | 26 Sep 2023 | |
latest/candidate | 313 | 22 Sep 2023 | |
latest/beta | 302 | 07 Sep 2023 | |
latest/edge | 315 | 27 Sep 2023 | |
1.29/edge | 315 | 27 Sep 2023 | |
1.28/stable | 313 | 26 Sep 2023 | |
1.28/candidate | 313 | 22 Sep 2023 | |
1.28/beta | 302 | 18 Aug 2023 | |
1.28/edge | 305 | 06 Sep 2023 | |
1.27/stable | 274 | 12 Jun 2023 | |
1.27/candidate | 274 | 12 Jun 2023 | |
1.27/beta | 260 | 10 Apr 2023 | |
1.27/edge | 261 | 10 Apr 2023 | |
1.26/stable | 247 | 20 Mar 2023 | |
1.26/candidate | 247 | 16 Mar 2023 | |
1.26/beta | 220 | 09 Apr 2023 | |
1.26/edge | 220 | 01 Dec 2022 | |
1.25/stable | 219 | 01 Dec 2022 | |
1.25/candidate | 219 | 30 Nov 2022 | |
1.25/beta | 221 | 01 Dec 2022 | |
1.25/edge | 190 | 09 Sep 2022 | |
1.24/stable | 171 | 04 Aug 2022 | |
1.24/candidate | 171 | 02 Aug 2022 | |
1.24/beta | 152 | 05 May 2022 | |
1.24/edge | 172 | 12 Aug 2022 | |
1.23/beta | 90 | 22 Mar 2022 | |
1.23/edge | 98 | 25 Mar 2022 | |
juju deploy kubernetes-control-plane
You will need Juju 2.9 to be able to run this command. Learn how to upgrade to Juju 2.9.
-
allow-privileged | string
Default: auto
Allow kube-apiserver to run in privileged mode. Supported values are "true", "false", and "auto". If "true", kube-apiserver will run in privileged mode by default. If "false", kube-apiserver will never run in privileged mode. If "auto", kube-apiserver will not run in privileged mode by default, unless one of the following circumstances is discovered:
* GPU hardware is detected on a worker node
* openstack-integrator successfully related
* ceph-client successfully related
-
api-aggregation-extension | boolean
Default: True
Note: required if 'enable-metrics' is enabled. Configuring the aggregation layer allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs. For more information, see the upstream Kubernetes documentation about this feature: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#enable-kubernetes-apiserver-flags
-
api-extra-args | string
Space separated list of flags and key=value pairs that will be passed as arguments to kube-apiserver. For example a value like this: runtime-config=batch/v2alpha1=true profiling=true will result in kube-apiserver being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
-
audit-policy | string
Default:
  apiVersion: audit.k8s.io/v1
  kind: Policy
  rules:
    # Don't log read-only requests from the apiserver
    - level: None
      users: ["system:apiserver"]
      verbs: ["get", "list", "watch"]
    # Don't log kube-proxy watches
    - level: None
      users: ["system:kube-proxy"]
      verbs: ["watch"]
      resources:
        - resources: ["endpoints", "services"]
    # Don't log nodes getting their own status
    - level: None
      userGroups: ["system:nodes"]
      verbs: ["get"]
      resources:
        - resources: ["nodes"]
    # Don't log kube-controller-manager and kube-scheduler getting endpoints
    - level: None
      users: ["system:unsecured"]
      namespaces: ["kube-system"]
      verbs: ["get"]
      resources:
        - resources: ["endpoints"]
    # Log everything else at the Request level.
    - level: Request
      omitStages:
        - RequestReceived
Audit policy passed to kube-apiserver via --audit-policy-file. For more info, please refer to the upstream documentation at https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
-
audit-webhook-config | string
Audit webhook config passed to kube-apiserver via --audit-webhook-config-file. For more info, please refer to the upstream documentation at https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
-
authn-webhook-endpoint | string
Custom endpoint to check when authenticating kube-apiserver requests. This must be an https url accessible by the kubernetes-control-plane units. For example: https://your.server:8443/authenticate When a JSON-serialized TokenReview object is POSTed to this endpoint, it must respond with appropriate authentication details. For more info, please refer to the upstream documentation at https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
-
authorization-mode | string
Default: Node,RBAC
Comma separated authorization modes. Allowed values are "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
-
cephfs-mounter | string
Default: default
The client driver used for cephfs based storage. Options are "fuse", "kernel" and "default".
-
channel | string
Default: 1.28/stable
Snap channel to install Kubernetes control plane services from
-
cinder-availability-zone | string
Availability zone to use with Cinder CSI. This is passed through to the parameters.availability field of the cdk-cinder StorageClass.
-
client_password | string
Password to be used for admin user (leave empty for random password).
-
controller-manager-extra-args | string
Space separated list of flags and key=value pairs that will be passed as arguments to kube-controller-manager. For example a value like this: runtime-config=batch/v2alpha1=true profiling=true will result in kube-controller-manager being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
-
dashboard-auth | string
Default: auto
Method of authentication for the Kubernetes dashboard. Allowed values are "auto", "basic", and "token". If set to "auto", basic auth is used unless Keystone is related to kubernetes-control-plane, in which case token auth is used. DEPRECATED: this option has no effect on Kubernetes 1.19 and above.
-
default-cni | string
Default CNI network to use when multiple CNI subordinates are related. The value of this config should be the application name of a related CNI subordinate. For example:
  juju config kubernetes-control-plane default-cni=flannel
If unspecified, then the default CNI network is chosen alphabetically.
-
default-storage | string
Default: auto
The storage class to make the default storage class. Setting to "auto" is the same as setting "ceph-xfs". Any value is allowed; if it matches the name of a storage class, it alone will be selected as the default storage class for the cluster.
-
dns-provider | string
Default: auto
DNS provider addon to use. Can be "auto", "core-dns", or "none". CoreDNS is only supported on Kubernetes 1.14+. When set to "auto", the behavior is as follows:
- New deployments of Kubernetes 1.14+ will use CoreDNS
- Upgraded deployments will continue to use whichever provider was previously used.
-
dns_domain | string
Default: cluster.local
The local domain for cluster dns
-
enable-dashboard-addons | boolean
Default: True
Deploy the Kubernetes Dashboard
-
enable-keystone-authorization | boolean
If true and the Keystone charm is related, users will authorize against the Keystone server. Note that if related, users will always authenticate against Keystone.
-
enable-metrics | boolean
Default: True
If true, the metrics server for Kubernetes will be deployed onto the cluster, managed entirely by the kubernetes addons. Consider disabling this option and deploying `kubernetes-metrics-server-operator` into a Kubernetes model instead.
-
enable-nvidia-plugin | string
Default: auto
Load the nvidia device plugin daemonset. Supported values are "auto" and "false". When "auto", the daemonset will be loaded only if GPUs are detected. When "false" the nvidia device plugin will not be loaded.
-
extra_packages | string
Space separated list of extra deb packages to install.
-
extra_sans | string
Space-separated list of extra SAN entries to add to the x509 certificate created for the control plane nodes.
-
ha-cluster-dns | string
DNS entry to use with the HA Cluster subordinate charm. Mutually exclusive with ha-cluster-vip.
-
ha-cluster-vip | string
Virtual IP for the charm to use with the HA Cluster subordinate charm. Mutually exclusive with ha-cluster-dns. Multiple virtual IPs are separated by spaces.
-
ignore-kube-system-pods | string
Space separated list of pod names in the kube-system namespace to ignore when checking for running pods. Any non-Running Pod whose name is on this list, will be ignored during the check.
-
ignore-missing-cni | boolean
If ignore-missing-cni is set to true, the charm will not enter a blocked state if a CNI has not been configured/provided via relation. If ignore-missing-cni is set to false, and a CNI has not been configured/provided via relation, then the charm will enter a blocked state with the message: "Missing CNI relation or config".
-
image-registry | string
Default: rocks.canonical.com:443/cdk
Container image registry to use for CDK. This includes addons like the Kubernetes dashboard, metrics server, ingress, and dns along with non-addon images including the pause container and default backend image.
-
install_keys | string
List of signing keys for install_sources package sources, per charmhelpers standard format (a yaml list of strings encoded as a string). The keys should be the full ASCII armoured GPG public keys. While GPG key ids are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
-
install_sources | string
List of extra apt sources, per charm-helpers standard format (a yaml list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.
-
keystone-policy | string
Default:
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: k8s-auth-policy
    namespace: kube-system
    labels:
      k8s-app: k8s-keystone-auth
  data:
    policies: |
      [
        {
          "resource": {
            "verbs": ["get", "list", "watch"],
            "resources": ["*"],
            "version": "*",
            "namespace": "*"
          },
          "match": [
            { "type": "role", "values": ["k8s-viewers"] },
            { "type": "project", "values": ["k8s"] }
          ]
        },
        {
          "resource": {
            "verbs": ["*"],
            "resources": ["*"],
            "version": "*",
            "namespace": "default"
          },
          "match": [
            { "type": "role", "values": ["k8s-users"] },
            { "type": "project", "values": ["k8s"] }
          ]
        },
        {
          "resource": {
            "verbs": ["*"],
            "resources": ["*"],
            "version": "*",
            "namespace": "*"
          },
          "match": [
            { "type": "role", "values": ["k8s-admins"] },
            { "type": "project", "values": ["k8s"] }
          ]
        }
      ]
Policy for Keystone authorization. This is used when a Keystone charm is related to kubernetes-control-plane in order to provide authorization for Keystone users on the Kubernetes cluster.
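To make the privilege tiers of the default keystone-policy concrete (viewers read-only everywhere, users full access only in the default namespace, admins full access everywhere, and nothing for users outside the k8s project), here is an added evaluator that walks the rules in the policies JSON above. It is example code written for this page, not the charm's or k8s-keystone-auth's implementation; the matching semantics ("*" as a wildcard, every match clause required, first matching rule wins) are assumptions, and the user records are constructed samples.

```python
import json

# Constructed sample: the three rules from the charm's default keystone-policy
# ConfigMap (the JSON in its data.policies field), embedded inline.
DEFAULT_POLICIES = json.loads("""
[
  {"resource": {"verbs": ["get", "list", "watch"], "resources": ["*"],
                "version": "*", "namespace": "*"},
   "match": [{"type": "role", "values": ["k8s-viewers"]},
             {"type": "project", "values": ["k8s"]}]},
  {"resource": {"verbs": ["*"], "resources": ["*"], "version": "*",
                "namespace": "default"},
   "match": [{"type": "role", "values": ["k8s-users"]},
             {"type": "project", "values": ["k8s"]}]},
  {"resource": {"verbs": ["*"], "resources": ["*"], "version": "*",
                "namespace": "*"},
   "match": [{"type": "role", "values": ["k8s-admins"]},
             {"type": "project", "values": ["k8s"]}]}
]
""")


def _field_matches(allowed, value):
    # Assumed semantics: "*" is a wildcard, otherwise exact membership.
    return "*" in allowed or value in allowed


def _user_matches(match_clauses, user):
    # Assumed semantics: every clause must hold. A "role" clause is satisfied
    # by any of the user's Keystone roles, a "project" clause by the project
    # the token was scoped to. Unknown clause types fail closed.
    for clause in match_clauses:
        if clause["type"] == "role":
            if not any(r in clause["values"] for r in user["roles"]):
                return False
        elif clause["type"] == "project":
            if user["project"] not in clause["values"]:
                return False
        else:
            return False
    return True


def authorize(policies, user, verb, resource, namespace):
    """Return the index of the first rule granting the request, or None."""
    for i, rule in enumerate(policies):
        res = rule["resource"]
        if (_field_matches(res["verbs"], verb)
                and _field_matches(res["resources"], resource)
                and _field_matches(res["namespace"], namespace)
                and _user_matches(rule["match"], user)):
            return i
    return None
```

A None result means no rule granted the request, which is the safe default for a user whose project or roles are not listed in any rule.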
-
keystone-ssl-ca | string
Keystone certificate authority encoded in base64 for securing communications to Keystone. For example: `juju config kubernetes-control-plane keystone-ssl-ca=$(base64 /path/to/ca.crt)`
-
kubelet-extra-args | string
Space separated list of flags and key=value pairs that will be passed as arguments to kubelet. For example a value like this: runtime-config=batch/v2alpha1=true profiling=true will result in kubelet being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true Note: As of Kubernetes 1.10.x, many of Kubelet's args have been deprecated, and can be set with kubelet-extra-config instead.
-
kubelet-extra-config | string
Default: {}
Extra configuration to be passed to kubelet. Any values specified in this config will be merged into a KubeletConfiguration file that is passed to the kubelet service via the --config flag. This can be used to override values provided by the charm. The value for this config must be a YAML mapping that can be safely merged with a KubeletConfiguration file. For example: {evictionHard: {memory.available: 200Mi}} For more information about KubeletConfiguration, see upstream docs: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
-
labels | string
Default: node-role.kubernetes.io/control-plane=
Labels can be used to organize and to select subsets of nodes in the cluster. Declare node labels in key=value format, separated by spaces.
-
loadbalancer-ips | string
Space separated list of IP addresses of loadbalancers in front of the control plane. These can be either virtual IP addresses that have been floated in front of the control plane or the IP of a loadbalancer appliance such as an F5. Workers will alternate IP addresses from this list to distribute load; for example, if you have 2 IPs and 4 workers, each IP will be used by 2 workers. Note that this will only work if kubeapi-load-balancer is not in use and there is a relation between kubernetes-control-plane:kube-api-endpoint and kubernetes-worker:kube-api-endpoint. If using the kubeapi-load-balancer, see the loadbalancer-ips configuration variable on the kubeapi-load-balancer charm.
-
nagios_context | string
Default: juju
Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in nagios. So, for instance, the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
-
nagios_servicegroups | string
A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
-
package_status | string
Default: install
The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold".
-
pod-security-policy | string
Default RBAC pod security policy [0] and privileged cluster roles formatted as a YAML file as a string. A good example of a PSP policy can be found here [1]. [0] https://kubernetes.io/docs/concepts/policy/pod-security-policy/ [1] https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/policies.yaml
-
proxy-extra-args | string
Space separated list of flags and key=value pairs that will be passed as arguments to kube-proxy. For example a value like this: runtime-config=batch/v2alpha1=true profiling=true will result in kube-proxy being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
-
proxy-extra-config | string
Default: {}
Extra configuration to be passed to kube-proxy. Any values specified in this config will be merged into a KubeProxyConfiguration file that is passed to the kube-proxy service via the --config flag. This can be used to override values provided by the charm. The value for this config must be a YAML mapping that can be safely merged with a KubeProxyConfiguration file. For example: {mode: ipvs, ipvs: {strictARP: true}} For more information about KubeProxyConfiguration, see upstream docs: https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/
-
register-with-taints | string
Default: node-role.kubernetes.io/control-plane:NoSchedule
Space-separated list of taints to apply to this node at registration time. This config is only used at deploy time when Kubelet first registers the node with Kubernetes. To change node taints after deploy time, use kubectl instead. For more information, see the upstream Kubernetes documentation about taints: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-
require-manual-upgrade | boolean
Default: True
When true, control plane nodes will not be upgraded until the user triggers it manually by running the upgrade action.
-
scheduler-extra-args | string
Space separated list of flags and key=value pairs that will be passed as arguments to kube-scheduler. For example a value like this: runtime-config=batch/v2alpha1=true profiling=true will result in kube-scheduler being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
-
service-cidr | string
Default: 10.152.183.0/24
CIDR to use for Kubernetes services. After deployment it is only possible to increase the size of the IP range. It is not possible to change or shrink the address range after deployment.
-
snapd_refresh | string
Default: max
How often snapd handles updates for installed snaps. Setting an empty string will check 4x per day. Set to "max" to delay the refresh as long as possible. You may also set a custom string as described in the 'refresh.timer' section here: https://forum.snapcraft.io/t/system-options/87 DEPRECATED in 1.19: Manage installed snap versions with the snap-store-proxy model config. See: https://snapcraft.io/snap-store-proxy and https://juju.is/docs/offline-mode-strategies#heading--snap-specific-proxy
-
storage-backend | string
Default: auto
The storage backend for kube-apiserver persistence. Can be "etcd2", "etcd3", or "auto". Auto mode will select etcd3 on new installations, or etcd2 on upgrades.
-
sysctl | string
Default: {net.ipv4.conf.all.forwarding: 1, net.ipv4.conf.all.rp_filter: 1, net.ipv4.neigh.default.gc_thresh1: 128, net.ipv4.neigh.default.gc_thresh2: 28672, net.ipv4.neigh.default.gc_thresh3: 32768, net.ipv6.neigh.default.gc_thresh1: 128, net.ipv6.neigh.default.gc_thresh2: 28672, net.ipv6.neigh.default.gc_thresh3: 32768, fs.inotify.max_user_instances: 8192, fs.inotify.max_user_watches: 1048576, kernel.panic: 10, kernel.panic_on_oops: 1, vm.overcommit_memory: 1}
YAML formatted associative array of sysctl values, e.g.: '{kernel.pid_max: 4194303}'. Note that kube-proxy handles the conntrack settings. The proper way to alter them is to use the proxy-extra-args config to set them, e.g.:
  juju config kubernetes-control-plane proxy-extra-args="conntrack-min=1000000 conntrack-max-per-core=250000"
  juju config kubernetes-worker proxy-extra-args="conntrack-min=1000000 conntrack-max-per-core=250000"
The proxy-extra-args conntrack-min and conntrack-max-per-core can be set to 0 to ignore kube-proxy's settings and use the sysctl settings instead. Note the fundamental difference between the setting of conntrack-max-per-core vs nf_conntrack_max.