AKE uses a default YAML configuration file to set up the K8s components in the cluster: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, and kubelet. You can customize the parameters of these components to suit your needs.
If you need to adjust parameters, edit them under Configuration and then click Next. If no adjustments are necessary, leave Configuration blank and click Next.
Note:
Incorrect configuration of K8s addon parameters may cause creation of the workload cluster to fail. Edit these parameters only when necessary.
The default configuration parameters for K8s addons in AKE are as follows:
etcd
| Parameter | Default value | Description |
|---|---|---|
| cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites accepted by etcd for client and peer connections. If not set, the default list of the Go crypto/tls package is used. The two TLS_RSA_* suites at the end of the default list use static RSA key exchange and do not provide forward secrecy; keep them only if a client actually needs them. |
kube-apiserver
| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to expose Go profiling data over the web interface at host:port/debug/pprof/. The default "false" keeps it disabled; pprof reveals runtime internals and should stay off on a production control plane. |
| audit-log-path | /var/log/apiserver/audit.log | Path of the kube-apiserver audit log file. A request is written here only if it matches a rule in the audit policy file with a level other than None; with the default policy shown below that is a small subset of API traffic, not every request. |
| audit-log-maxage | "30" | Maximum number of days to retain old audit log files, based on the timestamp encoded in their file names. |
| audit-log-maxbackup | "10" | Maximum number of old audit log files to retain. 0 means no limit on the number of files. |
| audit-log-maxsize | "100" | Maximum size of the audit log file in megabytes. When the file reaches this size it is rotated: the current file is renamed and a new one is started. |
| enable-admission-plugins | EventRateLimit | Additional admission plugins to enable, comma-separated, on top of those enabled by default. EventRateLimit reads its limits from the file given by admission-control-config-file. Plugins enabled by default: NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,PodSecurity,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass,MutatingAdmissionWebhook,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook,ResourceQuota |
| admission-control-config-file | /etc/kubernetes/admission.yaml | Specifies the path for the admission control configuration file. |
| audit-policy-file | /etc/kubernetes/auditpolicy.yaml | Specifies the path for the audit policy configuration file. |
| request-timeout | "300s" | Default timeout for requests to the Kubernetes API server. For specific types of requests this value may be overridden by flags such as --min-request-timeout. |
| tls-min-version | "VersionTLS12" | The minimum TLS version kube-apiserver accepts; VersionTLS12 refuses TLS 1.0 and 1.1 clients. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default list of the Go crypto/tls package is used. |
kube-controller-manager
| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to expose Go profiling data over the web interface at host:port/debug/pprof/. The default "false" keeps it disabled. |
| terminated-pod-gc-threshold | "10" | Maximum number of terminated pods that can be retained before the terminated pod garbage collector deletes terminated pods. If the value is less than or equal to 0, the terminated pod garbage collector will be disabled. |
| tls-min-version | "VersionTLS12" | The minimum TLS version supported by kube-controller-manager. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default list of the Go crypto/tls package is used. |
kube-scheduler
| Parameter | Default value | Description |
|---|---|---|
| profiling | "false" | Whether to expose Go profiling data over the web interface at host:port/debug/pprof/. The default "false" keeps it disabled. |
| tls-min-version | "VersionTLS12" | The minimum TLS version supported by kube-scheduler. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the server. If not set, the default list of the Go crypto/tls package is used. |
kubelet
kubeletExtraArgs
| Parameter | Default value | Description |
|---|---|---|
| protect-kernel-defaults | "true" | When "true", kubelet does not adjust kernel tunables itself; if any tunable it depends on differs from the kubelet defaults, kubelet reports an error and exits. Set the expected values on the node (for example through sysctlParams in the configuration file) rather than turning this off. |
| event-qps | "0" | Maximum number of events kubelet may create per second. 0 removes the client-side limit, so the server-side EventRateLimit admission plugin (configured in /etc/kubernetes/admission.yaml) is the only bound on event volume. |
| tls-min-version | "VersionTLS12" | The minimum TLS version supported by kubelet. |
| tls-cipher-suites | "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" | Comma-separated list of TLS cipher suites for the kubelet server. If not set, the default list of the Go crypto/tls package is used. |
| serialize-image-pulls | "false" | Setting it to "true" means kubelet pulls only one image at a time. Current default value is false, meaning kubelet supports concurrent pulling of multiple images. |
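The same eleven-suite list is the default for etcd, kube-apiserver, kube-controller-manager, kube-scheduler and kubelet, so one check serves all of them. The script below is an added example, not AKE's code: it parses a tls-cipher-suites or cipher-suites value, classifies every suite by the properties that matter (TLS 1.3 suites, which Go always enables regardless of this flag; ECDHE suites, which give forward secrecy; static-RSA suites, which do not; CBC, RC4 and 3DES suites, which are legacy), and emits a hardened value with the non-forward-secret suites removed. The classification keys on the IANA suite names only; the set of names a given Go release recognises changes over time, so cross-check the final value against the Go version the component was built with before applying it.

```python
"""Audit a comma-separated tls-cipher-suites / cipher-suites value (added example).

Classifies every suite by what matters operationally and builds a hardened value:
  * tls13   - TLS 1.3 suites; Go always enables these, the flag does not select them
  * pfs     - ECDHE key exchange, forward secrecy
  * no-pfs  - static RSA key exchange (TLS_RSA_*), no forward secrecy
  * legacy  - CBC, RC4 or 3DES, should not be configured at all
  * unknown - not an IANA-style suite name; the component rejects such values
"""
import re

TLS13_RE = re.compile(r"^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$")
TLS12_RE = re.compile(r"^TLS_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|RSA)_WITH_(?P<cipher>[A-Z0-9_]+)$")
LEGACY_MARKERS = ("CBC", "RC4", "3DES")

# The list AKE applies to all five components by default (copied from the tables above).
AKE_DEFAULT_SUITES = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
)


def parse_suites(value: str) -> list:
    """Split the flag value on commas, dropping blanks and surrounding whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def classify(suite: str) -> str:
    """Bucket one suite name by TLS version, key exchange and cipher family."""
    if TLS13_RE.match(suite):
        return "tls13"
    m = TLS12_RE.match(suite)
    if not m:
        return "unknown"
    if any(tag in m["cipher"] for tag in LEGACY_MARKERS):
        return "legacy"
    return "pfs" if m["kx"].startswith("ECDHE") else "no-pfs"


def audit_cipher_suites(value: str) -> tuple:
    """Return (report by class, hardened list keeping only TLS 1.3 and ECDHE suites)."""
    report = {"tls13": [], "pfs": [], "no-pfs": [], "legacy": [], "unknown": []}
    for suite in parse_suites(value):
        report[classify(suite)].append(suite)
    hardened = report["tls13"] + report["pfs"]
    return report, hardened


def hardened_value(value: str) -> str:
    """The value to put in extraArgs / kubeletExtraArgs after removing weak suites."""
    return ",".join(audit_cipher_suites(value)[1])


if __name__ == "__main__":
    report, hardened = audit_cipher_suites(AKE_DEFAULT_SUITES)
    for kind, suites in report.items():
        print(f"{kind:8s} {len(suites):2d}  {' '.join(suites)}")
    print("hardened:", ",".join(hardened))
```

Apply the hardened value through the extraArgs of each component in the configuration file (kubeletExtraArgs for kubelet) and confirm with a TLS client that the static-RSA suites are no longer offered. Dropping them only affects clients that cannot negotiate ECDHE, which in practice means very old or deliberately constrained TLS stacks; check for such clients before rolling the change out.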
kubeletConfiguration
| Parameter | Default value | Description |
|---|---|---|
| shutdownGracePeriod | 45s | Total time by which the node (virtual or physical machine) delays a shutdown, and the total termination grace period available to the pods running on the node. |
| shutdownGracePeriodCriticalPods | 30s | Part of shutdownGracePeriod reserved for terminating critical pods during a normal node shutdown. It should be shorter than shutdownGracePeriod. With the defaults above, kubelet first terminates regular pods with a grace period of shutdownGracePeriod - shutdownGracePeriodCriticalPods = 15s, then terminates critical pods with the remaining 30s. |
The complete default YAML configuration file is as follows:
```yaml
controlPlane:
  clusterConfiguration:
    apiServer:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
      extraArgs:
        audit-log-maxage: "30"
        audit-log-maxbackup: "10"
        audit-log-maxsize: "100"
        request-timeout: "300s"
      extraVolumes:
        - hostPath: /var/log/apiserver
          mountPath: /var/log/apiserver
          name: apiserver-log
          pathType: DirectoryOrCreate
        - hostPath: /etc/kubernetes/admission.yaml
          mountPath: /etc/kubernetes/admission.yaml
          name: admission-config
          pathType: FileOrCreate
          readOnly: true
        - hostPath: /etc/kubernetes/auditpolicy.yaml
          mountPath: /etc/kubernetes/auditpolicy.yaml
          name: audit-policy
          pathType: FileOrCreate
          readOnly: true
    controllerManager:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
      extraArgs:
        terminated-pod-gc-threshold: "10"
    etcd:
      local:
        # Refer to https://etcd.io/docs/v3.5/op-guide/configuration/#command-line-flags
        extraArgs: {}
    scheduler:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
      extraArgs: {}
  # For the first ControlPlane
  initConfiguration:
    nodeRegistration:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
      kubeletExtraArgs:
        event-qps: "0"
  # For other ControlPlanes
  joinConfiguration:
    nodeRegistration:
      # Refer to https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
      kubeletExtraArgs:
        event-qps: "0"
  # preKubeadmCommands specifies extra commands to run before kubeadm runs during node provision.
  preKubeadmCommands: []
  # postKubeadmCommands specifies extra commands to run after kubeadm runs during node provision.
  postKubeadmCommands: []
  # nodeIdempotentCommands specifies extra idempotent commands to run during creation or update in place.
  nodeIdempotentCommands: []
  # sysctlParams specifies a map of sysctl parameters to set on the node.
  sysctlParams: {}
  files:
    - content: |
        apiVersion: apiserver.config.k8s.io/v1
        kind: AdmissionConfiguration
        plugins:
          - name: EventRateLimit
            configuration:
              apiVersion: eventratelimit.admission.k8s.io/v1alpha1
              kind: Configuration
              limits:
                - type: Server
                  burst: 20000
                  qps: 5000
      owner: root:root
      path: /etc/kubernetes/admission.yaml
    - content: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: None
            userGroups:
              - system:nodes
          - level: None
            users:
              - system:kube-scheduler
              - system:volume-scheduler
              - system:kube-controller-manager
          - level: None
            nonResourceURLs:
              - /healthz*
              - /version
              - /swagger*
          # A resources entry without a "group" field matches the core API group only.
          - level: Metadata
            resources:
              - resources: ["secrets", "configmaps", "tokenreviews"]
          - level: Metadata
            omitStages:
              - RequestReceived
            resources:
              # "deployments" belong to the apps group; without "group: apps" this entry does not match them.
              - resources: ["pods", "deployments"]
          # There is no catch-all rule: a request that matches none of the rules above is not audited.
      owner: root:root
      path: /etc/kubernetes/auditpolicy.yaml
workers:
  joinConfiguration:
    nodeRegistration:
      kubeletExtraArgs:
        event-qps: "0"
  # preKubeadmCommands specifies extra commands to run before kubeadm runs during node provision.
  preKubeadmCommands: []
  # postKubeadmCommands specifies extra commands to run after kubeadm runs during node provision.
  postKubeadmCommands: []
  # nodeIdempotentCommands specifies extra idempotent commands to run during creation or update in place.
  nodeIdempotentCommands: []
  # sysctlParams specifies a map of sysctl parameters to set on the node.
  sysctlParams: {}
  files: []
# kubeletConfiguration is a patch for the KubeletConfiguration to modify the default or current values in the global kubelet-config ConfigMap of the cluster.
kubeletConfiguration:
  shutdownGracePeriod: 45s
  shutdownGracePeriodCriticalPods: 30s
```
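The audit log path, rotation settings and policy file above only pay off if the policy actually matches the requests you care about. kube-apiserver evaluates the rules in order, the first matching rule decides the level, and a request that matches no rule is not audited at all (level None). Two consequences follow for the default policy: a resources entry without a group field matches only the core API group, so the "deployments" entry never matches (deployments are in the apps group), and because there is no catch-all rule, everything else, including RBAC changes, is dropped. The Python script below is an added example, not AKE's code: it re-implements the rule-matching semantics for the fields used here (a subset of the upstream matcher, without resourceNames or the */subresource and resource/* wildcards) so a policy can be dry-run offline. AKE_DEFAULT_POLICY mirrors the auditpolicy.yaml above; HARDENED_POLICY, the sample requests, user names and namespaces are constructed for illustration.

```python
"""Dry-run a kube-apiserver audit policy against sample requests (added example).

Re-implements the first-match semantics of the upstream policy checker for the
fields used here: users, userGroups, verbs, namespaces, resources (with API
group) and nonResourceURLs with a trailing "*". Not modelled: resourceNames and
the "*/subresource" and "resource/*" wildcards. A request matching no rule gets
level None, exactly as in kube-apiserver.
"""
from dataclasses import dataclass

NONE, METADATA, REQUEST_RESPONSE = "None", "Metadata", "RequestResponse"


@dataclass(frozen=True)
class Request:
    """Minimal view of the request attributes the policy checker looks at."""
    user: str
    groups: tuple = ()
    verb: str = "get"
    group: str = ""        # API group; "" is the core group
    resource: str = ""     # empty for non-resource requests such as /healthz
    subresource: str = ""
    namespace: str = ""    # "" for cluster-scoped resources
    path: str = ""         # only set for non-resource requests

    @property
    def is_resource(self) -> bool:
        return self.resource != ""


def _path_matches(path: str, spec: str) -> bool:
    """Exact match, or prefix match when the spec ends in '*'."""
    if spec == "*" or spec == path:
        return True
    return spec.endswith("*") and path.startswith(spec.rstrip("*"))


def _resource_matches(rule: dict, req: Request) -> bool:
    if not req.is_resource:
        return False
    if rule.get("namespaces") and req.namespace not in rule["namespaces"]:
        return False
    if not rule.get("resources"):
        return True
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for gr in rule["resources"]:
        if gr.get("group", "") != req.group:   # a missing group means the core group only
            continue
        names = gr.get("resources", [])
        if not names or combined in names or "*" in names:
            return True
    return False


def _rule_matches(rule: dict, req: Request) -> bool:
    if rule.get("users") and req.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(req.groups) & set(rule["userGroups"]):
        return False
    if rule.get("verbs") and req.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") or rule.get("resources"):
        return _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return not req.is_resource and any(_path_matches(req.path, s) for s in rule["nonResourceURLs"])
    return True   # a rule with only user/group/verb selectors (or none) matches everything left


def audit_level(policy: dict, req: Request) -> str:
    """First matching rule wins; no match means the request is not audited."""
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            return rule["level"]
    return NONE


# Mirrors /etc/kubernetes/auditpolicy.yaml from the default configuration above.
AKE_DEFAULT_POLICY = {"rules": [
    {"level": NONE, "userGroups": ["system:nodes"]},
    {"level": NONE, "users": ["system:kube-scheduler", "system:volume-scheduler",
                              "system:kube-controller-manager"]},
    {"level": NONE, "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
    {"level": METADATA, "resources": [{"resources": ["secrets", "configmaps", "tokenreviews"]}]},
    {"level": METADATA, "omitStages": ["RequestReceived"],
     "resources": [{"resources": ["pods", "deployments"]}]},
]}

# Constructed variant: deployments matched in the apps group, RBAC objects logged
# with their bodies, and a catch-all so nothing silently falls through to None.
HARDENED_POLICY = {"rules": AKE_DEFAULT_POLICY["rules"][:4] + [
    {"level": METADATA, "omitStages": ["RequestReceived"],
     "resources": [{"resources": ["pods"]}, {"group": "apps", "resources": ["deployments"]}]},
    {"level": REQUEST_RESPONSE, "resources": [{"group": "rbac.authorization.k8s.io"}]},
    {"level": METADATA, "omitStages": ["RequestReceived"]},
]}

# Constructed sample requests; user names and namespaces are illustrative.
SAMPLE_REQUESTS = {
    "dev reads secret": Request("alice", ("developers",), "get", resource="secrets", namespace="prod"),
    "dev creates deployment": Request("alice", ("developers",), "create", group="apps",
                                      resource="deployments", namespace="prod"),
    "dev binds cluster-admin": Request("alice", ("developers",), "create",
                                       group="rbac.authorization.k8s.io", resource="clusterrolebindings"),
    "kubelet reads secret": Request("system:node:worker-1", ("system:nodes",), "get",
                                    resource="secrets", namespace="prod"),
    "anonymous healthz": Request("system:anonymous", ("system:unauthenticated",), "get", path="/healthz"),
}


def evaluate(policy: dict) -> dict:
    """Audit level each sample request would get under the given policy."""
    return {name: audit_level(policy, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("AKE default policy", AKE_DEFAULT_POLICY), ("hardened policy", HARDENED_POLICY)):
        print(f"--- {label} ---")
        for name, level in evaluate(policy).items():
            print(f"{name:26s} -> {level}")
```

Under the default policy only the secret read is recorded; the deployment creation, the ClusterRoleBinding creation and the node's secret read all evaluate to None. The node case stays None under the hardened policy too, because the system:nodes rule comes first; that is deliberate upstream practice to keep kubelet chatter out of the log, but it also means a compromised node credential reading secrets leaves no audit trail, so decide consciously whether to keep it.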