This charm is an encapsulation of the Kubernetes control plane processes and related operations to run on any cloud for the entire lifecycle of the cluster.
Deployment
This charm is not fully functional when deployed by itself. It requires other charms to model a complete Kubernetes cluster. A Kubernetes cluster needs a distributed key-value store such as etcd and the kubernetes-worker charm, which delivers the Kubernetes node services. Other common requirements include a Software Defined Network (SDN), a container runtime such as containerd, and a Transport Layer Security (TLS) provider so that the components in a cluster can communicate securely.
Please take a look at the Charmed Kubernetes or the Kubernetes core bundles for examples of complete models of Kubernetes clusters.
Resources
The kubernetes-control-plane charm takes advantage of Juju Resources to deliver core Kubernetes software.
In deployments on public clouds, resources are provided to the charm automatically with no user intervention. Some environments with strict firewall rules may not be able to fetch these directly. In these network restricted environments, local resources can be uploaded to the model by the Juju operator.
Snap Refresh
The Kubernetes resources used by this charm are snap packages. When not specified during deployment, these resources come from the public store. By default, the snapd daemon will refresh all snaps installed from the store four (4) times per day. A charm configuration option is provided for operators to control this refresh frequency.
NOTE: this is a global configuration option and will affect the refresh time for all snaps installed on a system.
Examples:
## refresh kubernetes-control-plane snaps every tuesday
juju config kubernetes-control-plane snapd_refresh="tue"
## refresh snaps at 11pm on the last (5th) friday of the month
juju config kubernetes-control-plane snapd_refresh="fri5,23:00"
## delay the refresh as long as possible
juju config kubernetes-control-plane snapd_refresh="max"
## use the system default refresh timer
juju config kubernetes-control-plane snapd_refresh=""
For more information, see the snap refresh documentation.
Configuration
Charmed Kubernetes ships with sensible, tested default configurations to ensure a reliable Kubernetes experience, but of course these can be changed to reflect the purpose and resources of your cluster. The configuration section details all available configuration options, while this section deals with specific, commonly used settings. You may wish to also read the Addons page for information on the extra services installed with Charmed Kubernetes.
IPVS (IP Virtual Server)
IPVS implements transport-layer load balancing as part of the Linux kernel, and can be used by the kube-proxy service to handle service routing. By default kube-proxy uses a solution based on iptables, but this can cause a lot of overhead in systems with large numbers of nodes. There is more information on this in the upstream Kubernetes IPVS deep dive documentation.
IPVS is an extra option for kube-proxy, and can be enabled by changing the configuration:
juju config kubernetes-control-plane proxy-extra-config='{mode: ipvs, ipvs: {strictARP: true}}'
It is also necessary to change this configuration option on the worker:
juju config kubernetes-worker proxy-extra-config='{mode: ipvs, ipvs: {strictARP: true}}'
Admission controls
As with other aspects of the Kubernetes API, admission controls can be enabled by adding extra values to the charm's api-extra-args configuration. The Kubernetes blog has more information on the available admission controllers. For example, to add the PersistentVolumeLabel admission controller:
- Check any current config settings for api-extra-args (there are none by default):
juju config kubernetes-control-plane api-extra-args
- Append the desired config option to the previous output and apply:
juju config kubernetes-control-plane api-extra-args="enable-admission-plugins=PersistentVolumeLabel"
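Because juju config replaces the whole api-extra-args string, appending by hand is easy to get wrong when other key=value pairs are already set. The helper below is an added example, not part of the charm: it merges one plugin into an existing enable-admission-plugins list (or adds the key if absent) and leaves every other pair intact; apply_admission_plugin is a hypothetical wrapper that assumes the juju CLI is on PATH with a model selected.

```shell
# Added helper, not part of the charm: merge one admission plugin into the
# space-separated api-extra-args value without dropping the other key=value
# pairs already set, since "juju config" replaces the whole string.
# Usage: merge_admission_plugin "<current api-extra-args>" "<PluginName>"
merge_admission_plugin() {
    current="$1"
    plugin="$2"
    out=""
    found=0
    for kv in $current; do
        case "$kv" in
            enable-admission-plugins=*)
                found=1
                list="${kv#enable-admission-plugins=}"
                case ",$list," in
                    *",$plugin,"*) ;;                   # already enabled: idempotent
                    *) list="${list:+$list,}$plugin" ;; # append without a leading comma
                esac
                kv="enable-admission-plugins=$list"
                ;;
        esac
        out="$out $kv"
    done
    # no enable-admission-plugins key yet: add one
    [ "$found" -eq 1 ] || out="$out enable-admission-plugins=$plugin"
    printf '%s\n' "${out# }"
}

# Hypothetical wrapper: read the live value, merge, and write it back.
# Assumes the juju CLI is on PATH with a model selected; not run offline.
apply_admission_plugin() {
    app="${2:-kubernetes-control-plane}"
    current="$(juju config "$app" api-extra-args)"
    merged="$(merge_admission_plugin "$current" "$1")"
    echo "setting $app api-extra-args=\"$merged\""
    juju config "$app" api-extra-args="$merged"
}
```

Calling apply_admission_plugin PersistentVolumeLabel performs the two steps above in one go and is safe to re-run.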
Adding SANs and certificate regeneration
As explained in the Certificates and trust overview, the extra_sans configuration setting can be used to add SANs and regenerate the x509 certificate(s) for the API server running on the Kubernetes control plane node(s), and for the load balancer. When this configuration is changed, the control plane node(s) will regenerate certificates and restart the API server to update the certificate used for communication.
NOTE: this is disruptive as the Kubernetes API server is restarted.
The process is the same for both the kubernetes-control-plane and the kubeapi-load-balancer charms. The configuration option takes a space-separated list of extra entries:
juju config kubernetes-control-plane extra_sans="main.mydomain.com lb.mydomain.com"
juju config kubeapi-load-balancer extra_sans="main.mydomain.com lb.mydomain.com"
To clear the entries out of the certificate, use an empty string:
juju config kubernetes-control-plane extra_sans=""
juju config kubeapi-load-balancer extra_sans=""
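Since the regeneration restarts the API server, it is worth confirming afterwards that the certificate actually presented carries the expected names. The functions below are an added example, not code from the charm: they extract DNS SANs from a PEM certificate and check a list of expected names against it; fetch_live_cert assumes port 6443 for kube-apiserver (pass 443 for the load balancer) and needs network access, and make_sample_cert builds a constructed self-signed certificate with the SANs from the commands above so the check can be run offline.

```shell
# Added helpers, not part of the charm: after changing extra_sans, confirm the
# certificate actually carries the expected DNS SANs before relying on it.

# Print the DNS SANs of a PEM certificate file, one per line (OpenSSL >= 1.1.1).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 when every name given after the file is present as a DNS SAN,
# 1 otherwise (each missing name is reported on stderr).
cert_has_sans() {
    cert="$1"; shift
    have="$(cert_dns_sans "$cert")"
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            echo "missing SAN: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Save the certificate a live endpoint presents to the file given as $3.
# Port 6443 is an assumption for kube-apiserver; pass 443 for the load
# balancer. Needs network access, so it is not exercised offline.
fetch_live_cert() {
    openssl s_client -connect "$1:${2:-6443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Constructed sample: a self-signed certificate with the SANs from the page,
# standing in for a regenerated API server certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
        -addext "subjectAltName=DNS:main.mydomain.com,DNS:lb.mydomain.com" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Example: make_sample_cert /tmp/api.crt && cert_has_sans /tmp/api.crt main.mydomain.com lb.mydomain.com
```

Against a real cluster, fetch_live_cert main.mydomain.com 6443 /tmp/live.crt followed by cert_has_sans /tmp/live.crt main.mydomain.com lb.mydomain.com verifies the regenerated certificate end to end.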