kube-proxy.manifest.j2

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
  labels:
    k8s-app: kube-proxy
  annotations:
    kubespray.kube-proxy-cert/serial: "{{ kube_proxy_cert_serial }}"
spec:
  hostNetwork: true
{% if kube_version | version_compare('v1.6', '>=') %}
  dnsPolicy: ClusterFirst
{% endif %}
  containers:
  - name: kube-proxy
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
    resources:
      limits:
        cpu: {{ kube_proxy_cpu_limit }}
        memory: {{ kube_proxy_memory_limit }}
      requests:
        cpu: {{ kube_proxy_cpu_requests }}
        memory: {{ kube_proxy_memory_requests }}
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10256
      failureThreshold: 8
      initialDelaySeconds: 15
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    command:
    - /hyperkube
    - proxy
    - --v={{ kube_log_level }}
    - --kubeconfig={{kube_config_dir}}/kube-proxy-kubeconfig.yaml
    - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
    - --cluster-cidr={{ kube_pods_subnet }}
    - --proxy-mode={{ kube_proxy_mode }}
    - --oom-score-adj=-998
    - --healthz-bind-address=127.0.0.1
{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
    - --masquerade-all
{% elif kube_proxy_mode == 'ipvs' %}
    - --masquerade-all
{% if kube_version | version_compare('v1.10', '<') %}
    - --feature-gates=SupportIPVSProxyMode=true
{% endif %}
    - --ipvs-min-sync-period=5s
    - --ipvs-sync-period=5s
    - --ipvs-scheduler=rr
{% endif %}
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
    - mountPath: "{{ kube_config_dir }}/ssl"
      name: etc-kube-ssl
      readOnly: true
    - mountPath: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml"
      name: kubeconfig
      readOnly: true
    - mountPath: /var/run/dbus
      name: var-run-dbus
      readOnly: false
    - mountPath: /lib/modules
      name: lib-modules
      readOnly: true
    - mountPath: /run/xtables.lock
      name: xtables-lock
      readOnly: false
  volumes:
  - name: ssl-certs-host
    hostPath:
{% if ansible_os_family == 'RedHat' %}
      path: /etc/pki/tls
{% else %}
      path: /usr/share/ca-certificates
{% endif %}
  - name: etc-kube-ssl
    hostPath:
      path: "{{ kube_config_dir }}/ssl"
  - name: kubeconfig
    hostPath:
      path: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml"
  - name: var-run-dbus
    hostPath:
      path: /var/run/dbus
  - hostPath:
      path: /lib/modules
    name: lib-modules
  - hostPath:
      path: /run/xtables.lock
      type: FileOrCreate
    name: xtables-lock