-
Notifications
You must be signed in to change notification settings - Fork 68
/
Copy path_k8s-profiles-uses.html.md.erb
137 lines (114 loc) · 5.58 KB
/
_k8s-profiles-uses.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
<table>
<tr><th>Use Case</th><th>Description</th></tr>
<tr>
<td>Encrypt a secret in an etcd database.</td>
<td>Use an encryption provider to encrypt secrets in a cluster's etcd database. For more information, see
<a href="./k8s-profiles-encrypt-etcd.html">Encrypt Secrets in an etcd Database</a>.</td>
</tr>
<tr>
<td>Limit the resource usage of incoming requests.</td>
<td>Use the <code>ResourceQuota</code> admission control plugin to restrict incoming requests by resource usage.
For more information, see <a href="#admission-quota">Admission Control: ResourceQuota</a> below.</td>
</tr>
<tr>
<td>Assign an IP range for the NodePort Service</a>.</td>
<td>Use <code>service-node-port-range</code> to specify an IP range for for <code>NodePort</code> services.
For more information, see <a href="#port-range">Set Service Node Port Range</a> below.</td>
</tr>
<tr>
<td>Add an OIDC provider.</td>
<td>Customize a cluster's OIDC provider by deploying a <a href="https://github.com/dexidp/dex">dex</a> connector or other OIDC provider to its pod. For more information, see <a href="./k8s-profiles-dex-oidc.html">Adding an OIDC Provider</a>.</td>
</tr>
<tr>
<td>Restrict Apiserver client authentication.</td>
<td>Set <code>requestheader-allowed-names</code> for Apiserver client authentication.
For more information, see <a href="#request-allowed">Restrict Request Header Names</a> below.</td>
</tr>
<tr>
<td>Define the service cluster IP range.</td>
<td>Change the service cluster IP range.
For more information, see <a href="#extend-service-ip-range">Modify the Service Cluster IP Range</a> below.</td>
</tr>
<tr>
<td>Configure Pod Security Admission.</td>
<td>Configure cluster-specific PSA in TKGI. For more information, see <a href="./pod-security-admission.html#psa-cluster">Pod Security Admission in a TKGI Cluster</a> in <em>Pod Security Admission in TKGI</em>.</td>
</tr>
</table>
<br>
#### <a id='admission-quota'></a> Admission Control: ResourceQuota
To create a Kubernetes profile that includes the `ResourceQuota` admission control plugin:
* Follow the [Create a Kubernetes Profile](./k8s-profiles.html#create)
instructions.
* Include the following `customizations` in your profile configuration file:
```
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"enable-admission-plugins": PLUGINS-LIST
}
}
],
```
Where:
* `PLUGINS-LIST` is one of the following:
* The string `"ResourceQuota"`.
* A comma-delimited string list of validated plugins that includes `ResourceQuota`.
For more information, see [ResourceQuota](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota) in the Kubernetes documentation.
<br>
#### <a id='port-range'></a> Set Service Node Port Range
To create a Kubernetes profile that uses `service-node-port-range` for `NodePort` type services:
* Follow the [Create a Kubernetes Profile](./k8s-profiles.html#create)
instructions.
* Include the following `customizations` in your profile configuration file:
```
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"service-node-port-range": PORT-RANGE
}
}
],
```
Where `PORT-RANGE` is a CIDR notation IP range from which to assign service cluster IPs, such as `30000-40000`.
If the specified `PORT-RANGE` is not valid, the `tkgi create-k8s-profile` command returns an error `invalid value for service-node-port-range`.
For more information, see [Type NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport) in the Kubernetes documentation.
<br>
#### <a id='request-allowed'></a> Restrict Request Header Names
To create a Kubernetes profile that uses `requestheader-allowed-names` for Apiserver client authentication:
* Follow the [Create a Kubernetes Profile](./k8s-profiles.html#create)
instructions.
* Include the following `customizations` in your profile configuration file:
```
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"requestheader-allowed-names": COMMON-NAMES
}
}
],
```
Where `COMMON-NAMES` is a string list of valid Common Name values in the signed client certificate, such as `"cn1.com,c2.com"`.
For more information, see [Kubernetes Apiserver Client Authentication](https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/) in the Kubernetes documentation.
<br>
#### <a id='extend-service-ip-range'></a> Modify the Service Cluster IP Range
To create a Kubernetes profile that modifies the service cluster IP range:
* Follow the [Create a Kubernetes Profile](./k8s-profiles.html#create)
instructions.
* Include the following `customizations` in your profile configuration file:
```
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"service-cluster-ip-range": IP-RANGE
}
}
],
```
Where `IP-RANGE` is a CIDR notation IP range from which to assign service cluster IPs.
The IP range can be a maximum of two dual-stack CIDRs and must not overlap with any IP ranges assigned to nodes or pods.
For more information, see kube-apiserver [Options](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options)
in the Kubernetes documentation.