Available in editions: CE, BE, SE, SE+, EE
The module lifecycle stage: General Availability
Some cluster parameters that affect control plane management are derived from the ClusterConfiguration resource.
The module has 28 alerts.
The module is enabled by default in the Default bundle.
The module is disabled by default in the following bundles: Managed, Minimal.
Conversions
The module is configured using the ModuleConfig resource, the schema of which contains a version number. When you apply an old version of the ModuleConfig schema in a cluster, automatic transformations are performed. To manually update the ModuleConfig schema version, the following steps must be completed sequentially for each version :
- Updates from version 1 to 2:
Delete
etcd.externalMembersNames - Updates from version 2 to 3:
Replace
.apiserver.loadBalancerwith.apiserver.publishAPI.loadBalancer.
Parameters
Schema version: 3
Example:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: control-plane-manager
spec:
version: 3
enabled: true
settings:
apiserver:
bindToWildcard: true
certSANs:
- bakery.infra
- devs.infra
publishAPI: {}
- objectsettings
- objectsettings.apiserver
kube-apiserverparameters.- array of stringssettings.apiserver.admissionPlugins
List of enabled additional admission plugins.
Note, that in addition to the admission plugins enabled by default in Kubernetes, the following admission plugins are also always enabled:
ExtendedResourceTolerationPodNodeSelectorPodTolerationRestriction-
EventRateLimitwith the following config:apiVersion: eventratelimit.admission.k8s.io/v1alpha1 kind: Configuration limits: - type: Namespace qps: 50 burst: 100 cacheSize: 2000
Note that th
PodNodeSelectoradmission plugin does not require specifiying a global configuration, it relies on annotated Namespaces.Example:
admissionPlugins: - AlwaysPullImages - NamespaceAutoProvision- stringElement of the array
Allowed values:
AlwaysPullImages,NamespaceAutoProvision,OwnerReferencesPermissionEnforcement,PodNodeSelector,PodTolerationRestriction
- objectsettings.apiserver.auditLog
Audit policy settings
Default:
{"output":"File"}- stringsettings.apiserver.auditLog.output
Required value
Audit logs target stream.
Default:
FileAllowed values:
File,StdoutExample:
output: Stdout - stringsettings.apiserver.auditLog.path
Directory path for logs if the output is “File”, otherwise ignored.
Default:
/var/log/kube-auditPattern:
^[a-zA-Z0-9_/.-]+[a-zA-Z0-9_.-]$
- booleansettings.apiserver.auditPolicyEnabled
Set the audit policies using the configuration from the
kube-system/audit-policySecret.Default:
false - objectsettings.apiserver.authn
Optional authentication parameters for Kubernetes API clients.
By default, they are taken from user-authn module ConfigMap.
- stringsettings.apiserver.authn.oidcCA
OIDC provider CA.
- stringsettings.apiserver.authn.oidcIssuerAddress
OIDC provider network address alias.
Examples:
oidcIssuerAddress: 1.2.3.4oidcIssuerAddress: '' - stringsettings.apiserver.authn.oidcIssuerURL
OIDC provider URL.
Example:
oidcIssuerURL: https://my-super-site.tech/ - stringsettings.apiserver.authn.webhookCA
Authorization webhook CA.
- stringsettings.apiserver.authn.webhookCacheTTL
The duration to cache responses from the webhook token authenticator.
It is specified as a string containing the time unit in hours and minutes: 30m, 1h, 2h30m, 24h.
Pattern:
^([0-9]+h)?([0-9]+m)?([0-9]+s)?$Example:
webhookCacheTTL: 5m - stringsettings.apiserver.authn.webhookURL
Authentication webhook URL.
Example:
webhookURL: https://127.0.0.1:40443/
- objectsettings.apiserver.authz
Optional authorization parameters for Kubernetes API clients.
By default, they are taken from user-authz module ConfigMap.
- stringsettings.apiserver.authz.webhookCA
Authorization webhook CA.
- stringsettings.apiserver.authz.webhookURL
Authorization webhook URL.
Example:
webhookURL: https://127.0.0.1:40443/
- booleansettings.apiserver.basicAuditPolicyEnabled
Enforce basic Deckhouse audit policies.
Default:
true - booleansettings.apiserver.bindToWildcard
Specifies whether to listen on
0.0.0.0.By default, the API server listens on the hostIP. The latter usually corresponds to the Internal node address; however, the actual IP depends on the cluster type (Static or Cloud) and the layout selected.
Default:
false - array of stringssettings.apiserver.certSANs
Array of SANs, with which the API server certificate will be generated.
In addition to the passed list, the following list is always used:
kubernetes;kubernetes.default;kubernetes.default.svc;kubernetes.default.svc.cluster.local;- Kubernetes API server address;
127.0.0.1;- host name;
- host IP.
Example:
certSANs: - my-site.com - 192.168.67.76- stringElement of the array
Pattern:
^[0-9a-zA-Z\.-]+$
- booleansettings.apiserver.encryptionEnabled
Enables data encryption in etcd (see Encrypting secret data at rest).
When enabled, a Secret
kube-system/d8-secret-encryption-keyis created to store the encryption key.Enabling this parameter automatically enables the
CRDSensitiveDatafeature gate forkube-apiserver, which protects custom resource fields marked withx-kubernetes-sensitive-data: truevia encryption in etcd, RBAC-based field filtering with the<resource>/sensitivesubresource and hiding values from the audit log.Warning. Once enabled, this parameter can’t be disabled.
Default:
false - objectsettings.apiserver.publishAPI
Publishing access to Kubernetes API.
- objectsettings.apiserver.publishAPI.ingress
Settings for PublishAPI type Ingress.
- booleansettings.apiserver.publishAPI.ingress.addKubeconfigGeneratorEntry
Setting it to
falsewill remove an entry in kubeconfig-generator.Default:
true - booleansettings.apiserver.publishAPI.ingress.enabled
Setting it to
truewill create an Ingress resourcekubernetes-apiin thekube-systemnamespace in the cluster (it exposes the Kubernetes API).Default:
false - objectsettings.apiserver.publishAPI.ingress.https
The HTTPS mode for the API server Ingress.
Examples:
https: mode: SelfSignedhttps: mode: Global global: kubeconfigGeneratorMasterCA: plainstring- objectsettings.apiserver.publishAPI.ingress.https.global
An additional parameter for the
Globalmode.- stringsettings.apiserver.publishAPI.ingress.https.global.kubeconfigGeneratorMasterCA
If there is an external load balancer in front of the Ingress that terminates HTTPS traffic using non-public CA, then you need to specify the CA so it will be included in kubectl-config.
If you are using certificates issued by the
cert-managermodule and Let’s Encrypt in your cluster, you should set an empty string""as the value.Also, you can set the external LB’s certificate itself as a CA if you can’t get the CA that signed it for some reason. Note that after the certificate is updated on the LB, all the previously generated kubeconfigs will stop working.
- stringsettings.apiserver.publishAPI.ingress.https.mode
The mode of issuing certificates for the Ingress resource.
In the
SelfSignedmode, a CA-signed certificate will be issued for the Ingress resource.Use the following command to get the certificate:
d8 k -n kube-system get secrets kubernetes-api-ca-key-pair -oyaml.In the
Globalmode, the policies specified in theglobal.modules.https.modeglobal parameter will be applied. Thus, if the global parameter has theCertManagermode set (withletsencryptas the ClusterIssuer), then the Let’s Encrypt certificate will be issued for the Ingress resource.Default:
SelfSignedAllowed values:
SelfSigned,Global
- stringsettings.apiserver.publishAPI.ingress.ingressClass
The Ingress class that will be used to expose the Kubernetes API via Ingress.
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - array of stringssettings.apiserver.publishAPI.ingress.whitelistSourceRanges
An array of CIDRs that are allowed to connect to the API server.
- stringElement of the array
Pattern:
^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))?$
- objectsettings.apiserver.publishAPI.loadBalancer
Settings type LoadBalancer
- objectsettings.apiserver.publishAPI.loadBalancer.annotations
Annotations to attach to a service to fine-tune the load balancer.
Caution! The module does not take into account the specifics of setting annotations in various cloud environments. If the annotations for load balancer provisioning are only applied when creating a service, you will need to delete and add the
apiserver.loadBalancerparameter to update such parameters. - booleansettings.apiserver.publishAPI.loadBalancer.enabled
If set to
true, servicekube-system/d8-control-plane-apiserverof the LoadBalancer type will be created.Default:
false - integersettings.apiserver.publishAPI.loadBalancer.port
External LoadBalancer TCP port.
Default:
443Allowed values:
1 <= X <= 65534 - array of stringssettings.apiserver.publishAPI.loadBalancer.sourceRanges
A list of CIDRs that are allowed to connect to the API.
The cloud provider may not support this option or ignore it.
- stringElement of the array
Pattern:
^[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\/[0-9]+$
- objectsettings.apiserver.serviceAccount
ServiceAccount issuing settings.
Examples:
serviceAccount: {}serviceAccount: additionalAPIAudiences: - istio-ca- array of stringssettings.apiserver.serviceAccount.additionalAPIAudiences
A list of API audiences to add when provisioning ServiceAccount tokens.
The default audiences list includes:
serviceAccount.issuer, if specified.serviceAccount.additionalAPIIssuers, if specified.https://kubernetes.default.svc.${clusterDomain}, for example,https://kubernetes.default.svc.cluster.local– this audience is always added for backward compatibility.
The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences.
This option is beneficial when migrating from one API issuer to another.
- array of stringssettings.apiserver.serviceAccount.additionalAPIIssuers
A list of additional issuers to include when provisioning ServiceAccount tokens.
Issuers (
iss) are used to verify the source of the tokens, ensuring they originate from trusted entities.The first issuer is automatically generated based on the template
https://kubernetes.default.svc.${clusterDomain}, for example,https://kubernetes.default.svc.cluster.local. When multiple issuers are specified, the first issuer is used to generate tokens, and all provided issuers are accepted for token verification.This option is beneficial when migrating from one API issuer to another.
- stringsettings.apiserver.serviceAccount.issuer
ServiceAccount issuer. This is the URL of the API server. The values of this field are used as the
issclaim of the token and to verify Service Account JWT tokens.Note, all pods in the cluster using ServiceAccount tokens must be restarted upon changing this option.
Example:
issuer: https://api.example.com
- array of stringssettings.enabledFeatureGates
List of feature gates enabled in the control plane.
More information about feature gates is available in the Kubernetes documentation. The list of feature gates supported in DKP can be found on the module overview page.
Default:
[]- stringElement of the array
Pattern:
^[a-zA-Z]+$
- stringsettings.encryptionAlgorithm
Asymmetric encryption algorithm used when generating keys and certificates for the following control-plane components:
apiserver;apiserver-kubelet-client;apiserver-etcd-client;front-proxy-client;etcd-server;etcd-peer;etcd-healthcheck-client.
Certificates for the components listed above will be reissued using the selected algorithm and key length.
If parameter not set, the value from
ClusterConfiguration.encryptionAlgorithmis used (defaults toRSA-2048).Warning. When reissuing certificates, the root certificate (CA) is not rotated. The root certificate is created with the selected algorithm only during the initial cluster bootstrap.
Default:
RSA-2048Allowed values:
RSA-2048,RSA-3072,RSA-4096,ECDSA-P256Example:
encryptionAlgorithm: ECDSA-P256 - objectsettings.etcd
etcdparameters.- objectsettings.etcd.backup
etcd backup parameters.
- stringsettings.etcd.backup.cronSchedule
Backup schedule etcd in cron format. The local time zone of the
kube-controller-manageris used.Default:
0 0 * * *Example:
cronSchedule: 0 1 * * * - booleansettings.etcd.backup.enabled
Enable etcd backup.
Default:
true - stringsettings.etcd.backup.hostPath
Host path on masters nodes for etcd backup.
Default:
/var/lib/etcd
- objectsettings.etcd.defrag
etcd defragmentation parameters.
Default:
{"cronSchedule":"0 1 * * *"}- stringsettings.etcd.defrag.cronSchedule
Defragmentation schedule in cron format (UTC).
Default:
0 1 * * *Pattern:
^(\*(\/[0-9]+)?|[0-9]+(-[0-9]+)?(\/[0-9]+)?(,[0-9]+(-[0-9]+)?(\/[0-9]+)?)*)\s+(\*(\/[0-9]+)?|[0-9]+(-[0-9]+)?(\/[0-9]+)?(,[0-9]+(-[0-9]+)?(\/[0-9]+)?)*)\s+(\*(\/[0-9]+)?|[0-9]+(-[0-9]+)?(\/[0-9]+)?(,[0-9]+(-[0-9]+)?(\/[0-9]+)?)*)\s+(\*(\/[0-9]+)?|[0-9]+(-[0-9]+)?(\/[0-9]+)?(,[0-9]+(-[0-9]+)?(\/[0-9]+)?)*)\s+(\*(\/[0-9]+)?|[0-9]+(-[0-9]+)?(\/[0-9]+)?(,[0-9]+(-[0-9]+)?(\/[0-9]+)?)*)$Example:
cronSchedule: 0 1 * * * - booleansettings.etcd.defrag.enabled
Enable periodic etcd defragmentation.
Defaults to
truewhen the cluster has three or more etcd members (masters ≥ 3, or masters = 2 with an etcd-arbiter node); otherwise defaults tofalse. An explicit value always takes priority over the computed default.Warning. Enabling defragmentation on a single-master cluster will cause a brief control plane unavailability while etcd is being defragmented.
- numbersettings.etcd.maxDbSize
quota-backend-bytes parameter. Deckhouse automatically manages the
quota-backend-bytesparameter. If themaxDbSizeparameter is set, deckhouse will use this value for thequota-backend-bytesetcd parameter.Minimum: 512MB.
Maximum: 8GB.
Experimental. It can be removed in the future.
Allowed values:
536870912 <= X <= 8589934592
- integersettings.failedNodePodEvictionTimeoutSeconds
The number of seconds after which pods will be deleted from the node with the
Unreachablestatus.Note! If you change the parameter, the pods must be restarted.
Default:
300 - integersettings.nodeMonitorGracePeriodSeconds
The number of seconds after which the node will enter the
Unreachablestatus in case of lost connection.Default:
40 - booleansettings.rootKubeconfigSymlink
Whether to maintain a symlink from
/root/.kube/configto/etc/kubernetes/admin.confon control-plane nodes.When the user-authz module is enabled and this parameter is
false, the symlink is removed and theNODE_ADMIN_KUBECONFIGenvironment variable is set on control-plane-manager pods accordingly. Used8 kwith--kubeconfig=/etc/kubernetes/admin.conf(or other credentials) when you need API access from the node.When the
user-authzmodule is disabled,control-plane-managerignores this parameter and keeps the default (symlink present).Setting the value back to
truerestores the symlink on the next reconciliation.Default:
trueExamples:
rootKubeconfigSymlink: truerootKubeconfigSymlink: false

