
Configuring the Kubernetes cluster

AKE uses a default YAML configuration file to set up the components of the Kubernetes cluster: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, and kubelet. You can also customize the parameters of these components to match your business requirements.

If adjustments are needed, modify the relevant parameters in Configuration and then click Next. If no adjustments are needed, leave Configuration blank and click Next.

Note:

Incorrect Kubernetes component parameters can cause the creation of a physical-machine-based workload cluster to fail. Do not edit the parameters unless it is necessary.

Default parameter descriptions

The default configuration parameters for Kubernetes components in AKE are as follows.

etcd

| Parameter | Default value | Description |
|---|---|---|
| cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the etcd server. If not set, the default cipher-suite list of the Go TLS library is used. |

kube-apiserver

| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to enable profiling through the web interface at host:port/debug/pprof/. Setting it to "false" disables profiling. |
| audit-log-path | /var/log/apiserver/audit.log | Path of the kube-apiserver audit log file. All requests that reach the API server are recorded in this file. |
| audit-log-maxage | "30" | Maximum number of days to retain old audit log files, based on the timestamp encoded in the file names. |
| audit-log-maxbackup | "10" | Maximum number of old audit log files to retain. A value of 0 means an unlimited number of files. |
| audit-log-maxsize | "100" | Maximum size of the audit log file in megabytes. When the file reaches this size, it is renamed and a new audit log file is created for further recording. |
| enable-admission-plugins | EventRateLimit | Additional admission plugins to enable, comma-separated. The following plugins are enabled by default: NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, ClusterTrustBundleAttest, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota |
| admission-control-config-file | /etc/kubernetes/admission.yaml | Path of the admission control configuration file. |
| audit-policy-file | /etc/kubernetes/auditpolicy.yaml | Path of the audit policy configuration file. |
| request-timeout | "300s" | Default timeout for requests to the Kubernetes API server. It may be overridden by flags such as --min-request-timeout for specific request types. |
| tls-min-version | "VersionTLS12" | Minimum TLS version accepted by kube-apiserver. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default cipher-suite list of the Go TLS library is used. |
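The TLS and audit parameters above are easy to get subtly wrong when customizing the cluster configuration: a cipher-suite list that still contains static-RSA or CBC suites, a minimum version that lets TLS 1.0/1.1 through, or profiling left at its built-in default. The script below is an added example (not AKE product code) that checks a kube-apiserver extraArgs mapping against such a hardening policy; the thresholds it applies are the example's own choices, and `AKE_APISERVER_ARGS` is constructed from the default YAML on this page plus the table's default cipher-suite list. Run as written, it reports the two `TLS_RSA_WITH_*` entries of the default list, which provide no forward secrecy.

```python
"""Checks for the TLS and audit settings passed to kube-apiserver through
extraArgs. Added example for this page, not AKE product code; the thresholds
(TLS 1.2 minimum, forward secrecy, no CBC/RC4/3DES, profiling off) are the
example's own hardening policy, not AKE requirements."""
from __future__ import annotations

# Values accepted by --tls-min-version, ordered from oldest to newest.
TLS_VERSION_RANK = {"VersionTLS10": 0, "VersionTLS11": 1,
                    "VersionTLS12": 2, "VersionTLS13": 3}

# The AKE default cipher-suite list from the table above (copied from the page).
AKE_DEFAULT_SUITES = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
)

# kube-apiserver extraArgs as in the default YAML on this page, with the
# table's default cipher-suite list added (constructed input for the example).
AKE_APISERVER_ARGS = {
    "profiling": "false",
    "audit-log-path": "/var/log/apiserver/audit.log",
    "audit-policy-file": "/etc/kubernetes/auditpolicy.yaml",
    "tls-min-version": "VersionTLS12",
    "tls-cipher-suites": AKE_DEFAULT_SUITES,
}

WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_")


def parse_cipher_suites(value: str) -> list[str]:
    """Split the comma-separated flag value into suite names, ignoring blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_tls13_suite(name: str) -> bool:
    """TLS 1.3 suite names (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange
    part and therefore no '_WITH_'; TLS 1.2 suite names always do."""
    return "_WITH_" not in name


def lacks_forward_secrecy(name: str) -> bool:
    """Static RSA key exchange (TLS_RSA_WITH_*) has no forward secrecy; every
    ECDHE suite and every TLS 1.3 suite does."""
    return (not is_tls13_suite(name)) and name.startswith("TLS_RSA_WITH_")


def is_weak_suite(name: str) -> bool:
    return any(m in name for m in WEAK_MARKERS)


def hardened_suites(suites: list[str]) -> list[str]:
    """Keep the configured order, dropping weak and non-forward-secret suites."""
    return [s for s in suites if not is_weak_suite(s) and not lacks_forward_secrecy(s)]


def check_apiserver_args(args: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    minv = args.get("tls-min-version")
    if minv is None:
        findings.append("tls-min-version not set; the kube-apiserver built-in default applies")
    elif minv not in TLS_VERSION_RANK:
        findings.append(f"tls-min-version {minv!r} is not a recognised value")
    elif TLS_VERSION_RANK[minv] < TLS_VERSION_RANK["VersionTLS12"]:
        findings.append(f"tls-min-version {minv} still allows TLS 1.0/1.1")

    suites = parse_cipher_suites(args.get("tls-cipher-suites", ""))
    if not suites:
        findings.append("tls-cipher-suites not set; the Go default suite list applies")
    for s in suites:
        if is_weak_suite(s):
            findings.append(f"{s}: CBC/RC4/3DES cipher suite")
        elif lacks_forward_secrecy(s):
            findings.append(f"{s}: static RSA key exchange, no forward secrecy")

    # kube-apiserver enables profiling unless told otherwise.
    if args.get("profiling", "true") != "false":
        findings.append("profiling is enabled (/debug/pprof exposed)")
    for key in ("audit-log-path", "audit-policy-file"):
        if not args.get(key):
            findings.append(f"{key} not set; API audit logging is incomplete")
    return findings


if __name__ == "__main__":
    for f in check_apiserver_args(AKE_APISERVER_ARGS) or ["no findings"]:
        print(f)
```

`hardened_suites` returns the same list with the flagged entries removed, which is the value you would paste back into `tls-cipher-suites` if the TLS clients in your environment all support ECDHE; the same functions apply unchanged to the kube-controller-manager, kube-scheduler and kubelet tables below, since they use the same flag names and the same default list.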

kube-controller-manager

| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to enable profiling through the web interface at host:port/debug/pprof/. Setting it to "false" disables profiling. |
| terminated-pod-gc-threshold | "10" | Maximum number of terminated pods that may be retained before the terminated-pod garbage collector starts deleting them. A value less than or equal to 0 disables the terminated-pod garbage collector. |
| tls-min-version | "VersionTLS12" | Minimum TLS version accepted by kube-controller-manager. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default cipher-suite list of the Go TLS library is used. |

kube-scheduler

| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to enable profiling through the web interface at host:port/debug/pprof/. Setting it to "false" disables profiling. |
| tls-min-version | "VersionTLS12" | Minimum TLS version accepted by kube-scheduler. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default cipher-suite list of the Go TLS library is used. |

kubelet

  • kubeletExtraArgs

    | Parameter | Default value | Description |
    |---|---|---|
    | protect-kernel-defaults | "true" | Set to true to enforce kubelet's default kernel settings: if any kernel tunable differs from the kubelet defaults, kubelet reports an error. |
    | event-qps | "0" | Limits the number of events kubelet may generate per second. Set to 0 for no limit. |
    | tls-min-version | "VersionTLS12" | Minimum TLS version accepted by kubelet. |
    | tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default cipher-suite list of the Go TLS library is used. |
    | serialize-image-pulls | "false" | Setting it to "true" makes kubelet pull only one image at a time. The current default is false, meaning kubelet pulls multiple images concurrently. |

  • kubeletConfiguration

    | Parameter | Default value | Description |
    |---|---|---|
    | shutdownGracePeriod | 45s | Total duration by which the virtual machine or physical machine backing the Kubernetes node delays its shutdown; this is also the total termination grace period given to the pods running on the node. |
    | shutdownGracePeriodCriticalPods | 30s | Total termination grace period for critical pods on the node when the virtual machine or physical machine backing the Kubernetes node shuts down normally. This duration must be shorter than shutdownGracePeriod. |

    For example, with shutdownGracePeriod=30s and shutdownGracePeriodCriticalPods=10s: when the virtual machine or physical machine backing the Kubernetes node is shut down, kubelet first gracefully terminates regular pods, giving them a termination grace period of shutdownGracePeriod - shutdownGracePeriodCriticalPods = 20s, and then gracefully terminates critical pods, giving system-critical pods a termination grace period of 10 seconds.

YAML configuration file

The complete default YAML configuration file is as follows:

controlPlane:
  clusterConfiguration:
    apiServer:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
      extraArgs:
        profiling: "false"
        audit-log-path: "/var/log/apiserver/audit.log"
        audit-log-maxage: "30"
        audit-log-maxbackup: "10"
        audit-log-maxsize: "100"
        enable-admission-plugins: "EventRateLimit"
        admission-control-config-file: "/etc/kubernetes/admission.yaml"
        audit-policy-file: "/etc/kubernetes/auditpolicy.yaml"
        request-timeout: "300s"
        tls-min-version: "VersionTLS12"
      extraVolumes:
      - hostPath: /var/log/apiserver
        mountPath: /var/log/apiserver
        name: apiserver-log
        pathType: DirectoryOrCreate
      - hostPath: /etc/kubernetes/admission.yaml
        mountPath: /etc/kubernetes/admission.yaml
        name: admission-config
        pathType: FileOrCreate
        readOnly: true
      - hostPath: /etc/kubernetes/auditpolicy.yaml
        mountPath: /etc/kubernetes/auditpolicy.yaml
        name: audit-policy
        pathType: FileOrCreate
        readOnly: true
    controllerManager:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
      extraArgs:
        profiling: "false"
        terminated-pod-gc-threshold: "10"
        tls-min-version: "VersionTLS12"
    scheduler:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
      extraArgs:
        profiling: "false"
        tls-min-version: "VersionTLS12"
  # For the first ControlPlane
  initConfiguration:
    nodeRegistration:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
      kubeletExtraArgs:
        protect-kernel-defaults: "true"
        event-qps: "0"
        tls-min-version: "VersionTLS12"
        serialize-image-pulls: "false"
  # For other ControlPlanes
  joinConfiguration:
    nodeRegistration:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
      kubeletExtraArgs:
        protect-kernel-defaults: "true"
        event-qps: "0"
        tls-min-version: "VersionTLS12"
        serialize-image-pulls: "false"
  preKubeadmCommands: []
  postKubeadmCommands: []
  files:
  - content: |
      apiVersion: apiserver.config.k8s.io/v1
      kind: AdmissionConfiguration
      plugins:
        - name: EventRateLimit
          configuration:
            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
            kind: Configuration
            limits:
              - type: Server
                burst: 20000
                qps: 5000
    owner: root:root
    path: /etc/kubernetes/admission.yaml
  - content: |
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        - level: None
          userGroups:
          - system:nodes
        - level: None
          users:
          - system:kube-scheduler
          - system:volume-scheduler
          - system:kube-controller-manager
        - level: None
          nonResourceURLs:
          - /healthz*
          - /version
          - /swagger*
        - level: Metadata
          resources:
          - resources: ["secrets", "configmaps", "tokenreviews"]
        - level: Metadata
          omitStages:
            - RequestReceived
          resources:
          - resources: ["pods", "deployments"]
    owner: root:root
    path: /etc/kubernetes/auditpolicy.yaml
workers:
  joinConfiguration:
    nodeRegistration:
      kubeletExtraArgs:
        protect-kernel-defaults: "true"
        event-qps: "0"
        tls-min-version: "VersionTLS12"
        serialize-image-pulls: "false"
  preKubeadmCommands: []
  postKubeadmCommands: []
  files: []
# Currently the kubeletConfiguration field only takes effect when creating/upgrading a cluster but not updating, because it's appended into /run/kubeadm/kubeadm.yaml.
kubeletConfiguration:
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  # These two shutdownGracePeriod related fields are not supported via kubeletExtraArgs, so put them here.
  shutdownGracePeriod: 45s
  shutdownGracePeriodCriticalPods: 30s
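The audit policy written to /etc/kubernetes/auditpolicy.yaml above decides, per request, whether and at what level the API server records it, and the rules are evaluated top to bottom with the first match winning. The script below is an added example (not AKE or Kubernetes code) that re-implements those matching semantics for the selectors this policy uses (`users`, `userGroups`, `nonResourceURLs`, `resources`, `omitStages`) and runs a handful of constructed requests through the page's rules; `Request`, `audit_level` and `demo` are the example's own names. It shows, for instance, that a node's read of a Secret is never logged because the `system:nodes` rule comes first, and that a request matching no rule is not logged at all.

```python
"""Resolve the audit level a request receives under the AKE default audit
policy (/etc/kubernetes/auditpolicy.yaml on this page). Added example, not
AKE or Kubernetes code: it re-implements the first-match semantics of
Kubernetes audit policy rules for the selectors that policy uses."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# The rules of the page's audit policy, transcribed as Python literals.
AKE_AUDIT_RULES = [
    {"level": "None", "userGroups": ["system:nodes"]},
    {"level": "None", "users": ["system:kube-scheduler", "system:volume-scheduler",
                                "system:kube-controller-manager"]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
    {"level": "Metadata", "resources": [{"resources": ["secrets", "configmaps", "tokenreviews"]}]},
    {"level": "Metadata", "omitStages": ["RequestReceived"],
     "resources": [{"resources": ["pods", "deployments"]}]},
]


@dataclass
class Request:
    """The request attributes the policy can select on (constructed model)."""
    user: str
    groups: list[str] = field(default_factory=list)
    verb: str = "get"
    resource: Optional[str] = None   # e.g. "secrets"; None for non-resource URLs
    api_group: str = ""              # "" is the core API group
    path: Optional[str] = None       # e.g. "/healthz"; set only for non-resource requests


def url_matches(pattern: str, path: str) -> bool:
    """nonResourceURLs: a trailing '*' matches any suffix, otherwise exact match."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def resource_matches(group_rules: list[dict], req: Request) -> bool:
    """resources: each entry names an API group ('' = core) and, optionally,
    the resources within it; an empty resources list matches the whole group."""
    for gr in group_rules:
        if gr.get("group", "") != req.api_group:
            continue
        names = gr.get("resources", [])
        if not names or req.resource in names:
            return True
    return False


def rule_matches(rule: dict, req: Request) -> bool:
    """Every selector present on the rule must match; absent selectors match all."""
    if "users" in rule and req.user not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.groups):
        return False
    if "verbs" in rule and req.verb not in rule["verbs"]:
        return False
    if req.path is None:
        # Resource request: a rule with nonResourceURLs can never match it.
        if "nonResourceURLs" in rule:
            return False
        if "resources" in rule and not resource_matches(rule["resources"], req):
            return False
    else:
        # Non-resource request: a rule with resources can never match it.
        if "resources" in rule:
            return False
        if "nonResourceURLs" in rule and not any(
                url_matches(p, req.path) for p in rule["nonResourceURLs"]):
            return False
    return True


def audit_level(rules: list[dict], req: Request) -> tuple[str, list[str]]:
    """First matching rule wins; a request that matches no rule is not audited."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["level"], list(rule.get("omitStages", []))
    return "None", []


def demo() -> dict[str, tuple[str, list[str]]]:
    """Constructed sample requests evaluated against the AKE default policy."""
    samples = {
        "kubelet reads a secret": Request("system:node:worker-1", ["system:nodes"], resource="secrets"),
        "scheduler binds a pod": Request("system:kube-scheduler", verb="create", resource="pods"),
        "probe hits /healthz/etcd": Request("system:anonymous", path="/healthz/etcd"),
        "admin reads a secret": Request("admin", ["system:masters"], resource="secrets"),
        "admin creates a pod": Request("admin", ["system:masters"], verb="create", resource="pods"),
        "admin lists nodes": Request("admin", ["system:masters"], verb="list", resource="nodes"),
        "dev creates apps/v1 deployment": Request("dev", verb="create", resource="deployments", api_group="apps"),
    }
    return {name: audit_level(AKE_AUDIT_RULES, req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (level, omitted) in demo().items():
        print(f"{name:34s} -> {level:8s} omitStages={omitted}")
```

Two things the run makes visible. Requests that match no rule (the node listing here) resolve to None, so anything you want recorded must be named by a rule. And a `resources` entry without `group` selects the core API group only, so the `deployments` name in the last rule does not reach apps/v1 Deployments; listing them under an entry with `group: apps` makes that rule apply to them.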