RKE Cluster Configuration YAML
The cluster.yml configuration file for RKE.

| Type | RancherKubernetesEngineConfig |
|---|---|
| File match | cluster.yml, cluster.yaml |
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/rke-cluster-configuration-yaml/latest.json |
| Source | https://raw.githubusercontent.com/dcermak/vscode-rke-cluster-config/main/schemas/cluster.yml.json |

Validate with Lintel:

```shell
npx @lintel/lintel check
```
Definitions
10 nested properties
TODO: Is there any use for this? We can get it from the instance metadata service Maybe if we're not running on AWS, e.g. bootstrap; for now it is not very useful
The AWS VPC flag makes it possible to run the master components in a different AWS account, on a different cloud provider, or on-premises. If the flag is set, KubernetesClusterTag must also be provided.
SubnetID selects a specific subnet to use for ELBs.
RouteTableID selects a specific route table.
RoleARN is the IAM role to assume when interacting with AWS APIs.
KubernetesClusterTag is the legacy cluster ID used to identify our cluster resources.
KubernetesClusterID is the cluster ID used to identify our cluster resources.
The AWS provider creates an inbound rule per load balancer on the node security group. However, this can run into the AWS security group rule limit of 50 if many LoadBalancers are created.
This flag disables the automatic ingress rule creation. It requires that the user has set up a rule that allows inbound traffic on kubelet ports from the local VPC subnet (so load balancers can reach it), e.g. 10.82.0.0/16 on ports 30000-32000.
AWS has a hard limit of 500 security groups. For large clusters, creating a security group for each ELB can cause the maximum number of security groups to be reached. If this is set, this security group is used for every ELB instead of creating a new one per ELB.
During the instantiation of a new AWS cloud provider, the detected region is validated against a known set of regions.
In a non-standard, AWS-like environment (e.g. Eucalyptus), this check may be undesirable. Setting this to true disables the check and emits a warning that the check was skipped. Note that this is an experimental, work-in-progress feature. If you are in a non-AWS cloud and open an issue, please say so in the issue body.
ConfigFile is a multiline string that represents a custom webhook config file
CacheTimeout controls how long to cache authentication decisions
Authentication strategy that will be used in kubernetes cluster
List of additional hostnames and IPs to include in the api server PKI cert
2 nested properties
ConfigFile is a multiline string that represents a custom webhook config file
CacheTimeout controls how long to cache authentication decisions
Authorization mode used by kubernetes
Authorization mode options
The cloud environment identifier. Takes values from https://github.com/Azure/go-autorest/blob/ec5f4903f77ed9927ac95b19ab8e44ada64c1356/autorest/azure/environments.go#L13
The AAD Tenant ID for the Subscription that the cluster is deployed in
The ID of the Azure Subscription that the cluster is deployed in
The name of the resource group that the cluster is deployed in
The location of the resource group that the cluster is deployed in
The name of the VNet that the cluster is deployed in
The name of the resource group that the Vnet is deployed in
The name of the subnet that the cluster is deployed in
The name of the security group attached to the cluster's subnet
(Optional in 1.6) The name of the route table attached to the subnet that the cluster is deployed in
(Optional) The name of the availability set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that availability set to the load balancer backend pool. If this is not set, and multiple agent pools (availability sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (availability sets), you MUST set this field.
The type of Azure nodes. Candidate values are vmss and standard. If not set, it defaults to standard.
The name of the scale set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that scale set to the load balancer backend pool. If this is not set, and multiple agent pools (scale sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (scale sets), you MUST set this field.
The ClientID for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The ClientSecret for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The path of a client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
The password of the client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
Enable exponential backoff to manage resource request retries
Backoff retry limit
Backoff exponent
Backoff duration
Backoff jitter
Enable rate limiting
Rate limit QPS
Rate limit Bucket Size
Use instance metadata service where possible
Use managed service identity for the virtual machine to access Azure ARM APIs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview. For a user-assigned managed identity, UserAssignedIdentityID (below) must also be set.
Maximum allowed LoadBalancer rule count; this is the limit enforced by the Azure load balancer. Default (0) means 148.
The Client ID of the user-assigned MSI which is assigned to the underlying VMs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
SKU of the load balancer and public IP: basic or standard. Default (blank) means basic.
Excludes master nodes (labeled with node-role.kubernetes.io/master) from the backend pool of the Azure standard load balancer. Default (nil) means true.
To add the master nodes to the ALB, set this to false and remove the node-role.kubernetes.io/master label from the master nodes.
7 nested properties
Address of Bastion Host
SSH Port of Bastion Host
ssh User to Bastion Host
SSH Agent Auth enable
SSH Private Key
SSH Private Key Path
SSH Certificate
SSH Certificate Path
Ignore proxy environment variables
Overrides autodetection: v1 or v2. Defaults to auto.
See Issue #33128
1 nested properties
Cloud provider type used with calico
1 nested properties
1 nested properties
Name of the Cloud Provider
2 nested properties
10 nested properties
TODO: Is there any use for this? We can get it from the instance metadata service Maybe if we're not running on AWS, e.g. bootstrap; for now it is not very useful
The AWS VPC flag makes it possible to run the master components in a different AWS account, on a different cloud provider, or on-premises. If the flag is set, KubernetesClusterTag must also be provided.
SubnetID selects a specific subnet to use for ELBs.
RouteTableID selects a specific route table.
RoleARN is the IAM role to assume when interacting with AWS APIs.
KubernetesClusterTag is the legacy cluster ID used to identify our cluster resources.
KubernetesClusterID is the cluster ID used to identify our cluster resources.
The AWS provider creates an inbound rule per load balancer on the node security group. However, this can run into the AWS security group rule limit of 50 if many LoadBalancers are created.
This flag disables the automatic ingress rule creation. It requires that the user has set up a rule that allows inbound traffic on kubelet ports from the local VPC subnet (so load balancers can reach it), e.g. 10.82.0.0/16 on ports 30000-32000.
AWS has a hard limit of 500 security groups. For large clusters, creating a security group for each ELB can cause the maximum number of security groups to be reached. If this is set, this security group is used for every ELB instead of creating a new one per ELB.
During the instantiation of a new AWS cloud provider, the detected region is validated against a known set of regions.
In a non-standard, AWS-like environment (e.g. Eucalyptus), this check may be undesirable. Setting this to true disables the check and emits a warning that the check was skipped. Note that this is an experimental, work-in-progress feature. If you are in a non-AWS cloud and open an issue, please say so in the issue body.
31 nested properties
The cloud environment identifier. Takes values from https://github.com/Azure/go-autorest/blob/ec5f4903f77ed9927ac95b19ab8e44ada64c1356/autorest/azure/environments.go#L13
The AAD Tenant ID for the Subscription that the cluster is deployed in
The ID of the Azure Subscription that the cluster is deployed in
The name of the resource group that the cluster is deployed in
The location of the resource group that the cluster is deployed in
The name of the VNet that the cluster is deployed in
The name of the resource group that the Vnet is deployed in
The name of the subnet that the cluster is deployed in
The name of the security group attached to the cluster's subnet
(Optional in 1.6) The name of the route table attached to the subnet that the cluster is deployed in
(Optional) The name of the availability set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that availability set to the load balancer backend pool. If this is not set, and multiple agent pools (availability sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (availability sets), you MUST set this field.
The type of Azure nodes. Candidate values are vmss and standard. If not set, it defaults to standard.
The name of the scale set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that scale set to the load balancer backend pool. If this is not set, and multiple agent pools (scale sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (scale sets), you MUST set this field.
The ClientID for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The ClientSecret for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The path of a client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
The password of the client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
Enable exponential backoff to manage resource request retries
Backoff retry limit
Backoff exponent
Backoff duration
Backoff jitter
Enable rate limiting
Rate limit QPS
Rate limit Bucket Size
Use instance metadata service where possible
Use managed service identity for the virtual machine to access Azure ARM APIs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview. For a user-assigned managed identity, UserAssignedIdentityID (below) must also be set.
Maximum allowed LoadBalancer rule count; this is the limit enforced by the Azure load balancer. Default (0) means 148.
The Client ID of the user-assigned MSI which is assigned to the underlying VMs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
SKU of the load balancer and public IP: basic or standard. Default (blank) means basic.
Excludes master nodes (labeled with node-role.kubernetes.io/master) from the backend pool of the Azure standard load balancer. Default (nil) means true.
To add the master nodes to the ALB, set this to false and remove the node-role.kubernetes.io/master label from the master nodes.
5 nested properties
11 nested properties
11 nested properties
Overrides autodetection. Only v2 is supported.
Uses the Octavia V2 service catalog endpoint.
Overrides autodetection.
If specified, a floating IP is created for the load balancer; otherwise no floating IP is created.
Defaults to ROUND_ROBIN.
3 nested properties
Overrides autodetection: v1 or v2. Defaults to auto.
See Issue #33128
1 nested properties
required
2 nested properties
5 nested properties
12 nested properties
1 nested properties
1 nested properties
5 nested properties
CustomCloudProvider is a multiline string that represents a custom cloud config file
DNS provider
DNS config options
Upstream nameservers
ReverseCIDRs
Stubdomains
NodeSelector key pair
4 nested properties
5 nested properties
Tolerations for Deployments
List of etcd urls
External CA certificate
External Client certificate
External Client key
External etcd prefix
UID to run etcd container as
GID to run etcd container as
Etcd Recurring snapshot Service, used by rke only
Etcd snapshot Retention period
Etcd snapshot Creation period
Alternate cloud interface for flannel
1 nested properties
TODO: Is there any use for this? We can get it from the instance metadata service Maybe if we're not running on AWS, e.g. bootstrap; for now it is not very useful
The AWS VPC flag makes it possible to run the master components in a different AWS account, on a different cloud provider, or on-premises. If the flag is set, KubernetesClusterTag must also be provided.
SubnetID selects a specific subnet to use for ELBs.
RouteTableID selects a specific route table.
RoleARN is the IAM role to assume when interacting with AWS APIs.
KubernetesClusterTag is the legacy cluster ID used to identify our cluster resources.
KubernetesClusterID is the cluster ID used to identify our cluster resources.
The AWS provider creates an inbound rule per load balancer on the node security group. However, this can run into the AWS security group rule limit of 50 if many LoadBalancers are created.
This flag disables the automatic ingress rule creation. It requires that the user has set up a rule that allows inbound traffic on kubelet ports from the local VPC subnet (so load balancers can reach it), e.g. 10.82.0.0/16 on ports 30000-32000.
AWS has a hard limit of 500 security groups. For large clusters, creating a security group for each ELB can cause the maximum number of security groups to be reached. If this is set, this security group is used for every ELB instead of creating a new one per ELB.
During the instantiation of a new AWS cloud provider, the detected region is validated against a known set of regions.
In a non-standard, AWS-like environment (e.g. Eucalyptus), this check may be undesirable. Setting this to true disables the check and emits a warning that the check was skipped. Note that this is an experimental, work-in-progress feature. If you are in a non-AWS cloud and open an issue, please say so in the issue body.
1 nested properties
Ingress controller type used by kubernetes
These options are NOT for configuring Ingress's addon template. They are used for its ConfigMap options specifically.
NodeSelector key pair
Ingress controller extra arguments
DNS Policy
Extra Env vars
Extra volumes
Extra volume mounts
Http port for ingress controller daemonset
Https port for ingress controller daemonset
NetworkMode selector for ingress controller pods. Default is HostNetwork
Tolerations for Deployments
Enable or disable nginx default-http-backend
Priority class name for Nginx-Ingress's "default-http-backend" deployment
Priority class name for Nginx-Ingress's "nginx-ingress-controller" daemonset
Virtual IP range that will be used by Kubernetes services
Port range for services defined with NodePort type
Enable/Disable PodSecurityPolicy
Enable/Disable AlwaysPullImages admissions plugin
2 nested properties
3 nested properties
Enable/disable secrets encryption provider config
3 nested properties
CIDR Range for Pods in cluster
Virtual IP range that will be used by Kubernetes services
Domain of the cluster (default: "cluster.local")
The image whose network/ipc namespaces containers in each pod will use
Cluster DNS service ip
Fail if swap is enabled
Generate per node kubelet serving certificates created using kube-ca
Overrides autodetection. Only v2 is supported.
Uses the Octavia V2 service catalog endpoint.
Overrides autodetection.
If specified, a floating IP is created for the load balancer; otherwise no floating IP is created.
Defaults to ROUND_ROBIN.
1 nested properties
Number of monitoring addon pods
Monitoring server provider
These options are NOT for configuring the Metrics-Server's addon template. They are used to pass command args to the metrics-server's deployment containers specifically.
NodeSelector key pair
Tolerations for Deployments
Priority class name for Metrics-Server's "metrics-server" deployment
Network Plugin That will be used in kubernetes cluster
Plugin options to configure network properties
Set MTU for CNI provider
1 nested properties
Cloud provider type used with calico
1 nested properties
1 nested properties
Alternate cloud interface for flannel
1 nested properties
63 nested properties
NodeSelector key pair
Tolerations for Deployments
Time to wait (in seconds) before giving up for one try
Drain the node even if there are pods not managed by a ReplicationController, Job, or DaemonSet. Drain will not proceed without Force set to true if there are such pods.
If there are DaemonSet-managed pods, drain will not proceed without IgnoreDaemonSets set to true (even when set to true, kubectl won't delete those pods, so the default is true).
Continue even if there are pods using emptyDir
Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used
MaxUnavailableWorker input can be a number of nodes or a percentage of nodes (example, max_unavailable_worker: 2 OR max_unavailable_worker: 20%)
MaxUnavailableControlplane input can be a number of nodes or a percentage of nodes
5 nested properties
Time to wait (in seconds) before giving up for one try
Drain the node even if there are pods not managed by a ReplicationController, Job, or DaemonSet. Drain will not proceed without Force set to true if there are such pods.
If there are DaemonSet-managed pods, drain will not proceed without IgnoreDaemonSets set to true (even when set to true, kubectl won't delete those pods, so the default is true).
Continue even if there are pods using emptyDir
Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used
link-local IP for nodelocal DNS
NodeSelector key pair
Priority class name for NodeLocal's "node-local-dns" daemonset
11 nested properties
11 nested properties
Overrides autodetection. Only v2 is supported.
Uses the Octavia V2 service catalog endpoint.
Overrides autodetection.
If specified, a floating IP is created for the load balancer; otherwise no floating IP is created.
Defaults to ROUND_ROBIN.
3 nested properties
Overrides autodetection: v1 or v2. Defaults to auto.
See Issue #33128
1 nested properties
required
2 nested properties
2 nested properties
2 nested properties
3 nested properties
7 nested properties
2 nested properties
2 nested properties
3 nested properties
URL for the registry
User name for registry access
Password for registry access
Default registry
3 nested properties
1 nested properties
Name of the host provisioned via docker machine
IP or FQDN that is fully resolvable and used for SSH communication
Port used for SSH communication
Optional - Internal address that will be used for components communication
Node role in kubernetes cluster (controlplane, worker, or etcd)
Optional - Hostname of the node
SSH user that will be used by RKE
Optional - Docker socket on the node that will be used in tunneling
SSH Agent Auth enable
SSH Private Key
SSH Private Key Path
SSH Certificate
SSH Certificate Path
Node Labels
Node Taints
18 nested properties
List of etcd urls
External CA certificate
External Client certificate
External Client key
External etcd prefix
UID to run etcd container as
GID to run etcd container as
Etcd Recurring snapshot Service, used by rke only
Etcd snapshot Retention period
Etcd snapshot Creation period
15 nested properties
Virtual IP range that will be used by Kubernetes services
Port range for services defined with NodePort type
Enable/Disable PodSecurityPolicy
Enable/Disable AlwaysPullImages admissions plugin
2 nested properties
Enable/disable secrets encryption provider config
3 nested properties
9 nested properties
CIDR Range for Pods in cluster
Virtual IP range that will be used by Kubernetes services
7 nested properties
12 nested properties
Domain of the cluster (default: "cluster.local")
The image whose network/ipc namespaces containers in each pod will use
Cluster DNS service ip
Fail if swap is enabled
Generate per node kubelet serving certificates created using kube-ca
7 nested properties
etcd image
Alpine image
rke-nginx-proxy image
rke-cert-deployer image
rke-service-sidekick image
KubeDNS image
DNSMasq image
KubeDNS side car image
KubeDNS autoscaler image
CoreDNS image
CoreDNS autoscaler image
Nodelocal image
Kubernetes image
Flannel image
Flannel CNI image
Calico Node image
Calico CNI image
Calico Controllers image
Calicoctl image
CalicoFlexVol image
Canal Node Image
Canal CNI image
Canal Controllers Image needed for Calico/Canal v3.14.0+
CanalFlannel image
CanalFlexVol image
Weave Node image
Weave CNI image
Pod infra container image
Ingress Controller image
Ingress Controller Backend image
Ingress Webhook image
Metrics Server image
Pod infra container image for Windows
CNI deployer container image for Cisco ACI
Host container image for Cisco ACI
OpFlex agent container image for Cisco ACI
Mcast daemon container image for Cisco ACI
OpenvSwitch container image for Cisco ACI
Controller container image for Cisco ACI
GBP Server container image for Cisco ACI
Opflex Server container image for Cisco ACI
Kubernetes nodes
6 nested properties
18 nested properties
List of etcd urls
External CA certificate
External Client certificate
External Client key
External etcd prefix
UID to run etcd container as
GID to run etcd container as
Etcd Recurring snapshot Service, used by rke only
Etcd snapshot Retention period
Etcd snapshot Creation period
15 nested properties
Virtual IP range that will be used by Kubernetes services
Port range for services defined with NodePort type
Enable/Disable PodSecurityPolicy
Enable/Disable AlwaysPullImages admissions plugin
9 nested properties
CIDR Range for Pods in cluster
Virtual IP range that will be used by Kubernetes services
7 nested properties
12 nested properties
Domain of the cluster (default: "cluster.local")
The image whose network/ipc namespaces containers in each pod will use
Cluster DNS service ip
Fail if swap is enabled
Generate per node kubelet serving certificates created using kube-ca
7 nested properties
11 nested properties
Network Plugin That will be used in kubernetes cluster
Plugin options to configure network properties
Set MTU for CNI provider
1 nested properties
Cloud provider type used with calico
1 nested properties
1 nested properties
Alternate cloud interface for flannel
1 nested properties
63 nested properties
NodeSelector key pair
Tolerations for Deployments
3 nested properties
Authentication strategy that will be used in kubernetes cluster
List of additional hostnames and IPs to include in the api server PKI cert
2 nested properties
ConfigFile is a multiline string that represents a custom webhook config file
CacheTimeout controls how long to cache authentication decisions
YAML manifest for user provided addons to be deployed on the cluster
List of urls or paths for addons
41 nested properties
etcd image
Alpine image
rke-nginx-proxy image
rke-cert-deployer image
rke-service-sidekick image
KubeDNS image
DNSMasq image
KubeDNS side car image
KubeDNS autoscaler image
CoreDNS image
CoreDNS autoscaler image
Nodelocal image
Kubernetes image
Flannel image
Flannel CNI image
Calico Node image
Calico CNI image
Calico Controllers image
Calicoctl image
CalicoFlexVol image
Canal Node Image
Canal CNI image
Canal Controllers Image needed for Calico/Canal v3.14.0+
CanalFlannel image
CanalFlexVol image
Weave Node image
Weave CNI image
Pod infra container image
Ingress Controller image
Ingress Controller Backend image
Ingress Webhook image
Metrics Server image
Pod infra container image for Windows
CNI deployer container image for Cisco ACI
Host container image for Cisco ACI
OpFlex agent container image for Cisco ACI
Mcast daemon container image for Cisco ACI
OpenvSwitch container image for Cisco ACI
Controller container image for Cisco ACI
GBP Server container image for Cisco ACI
Opflex Server container image for Cisco ACI
SSH Private Key Path
SSH Certificate Path
SSH Agent Auth enable
2 nested properties
Authorization mode used by kubernetes
Authorization mode options
Enable/disable strict docker version checking
Enable/disable using cri-dockerd
Kubernetes version to use (if kubernetes image is specified, image version takes precedence)
List of private registries and their credentials
16 nested properties
Ingress controller type used by kubernetes
These options are NOT for configuring Ingress's addon template. They are used for its ConfigMap options specifically.
NodeSelector key pair
Ingress controller extra arguments
DNS Policy
Extra Env vars
Extra volumes
Extra volume mounts
Http port for ingress controller daemonset
Https port for ingress controller daemonset
NetworkMode selector for ingress controller pods. Default is HostNetwork
Tolerations for Deployments
Enable or disable nginx default-http-backend
Priority class name for Nginx-Ingress's "default-http-backend" deployment
Priority class name for Nginx-Ingress's "nginx-ingress-controller" daemonset
Cluster Name used in the kube config
6 nested properties
Name of the Cloud Provider
31 nested properties
The cloud environment identifier. Takes values from https://github.com/Azure/go-autorest/blob/ec5f4903f77ed9927ac95b19ab8e44ada64c1356/autorest/azure/environments.go#L13
The AAD Tenant ID for the Subscription that the cluster is deployed in
The ID of the Azure Subscription that the cluster is deployed in
The name of the resource group that the cluster is deployed in
The location of the resource group that the cluster is deployed in
The name of the VNet that the cluster is deployed in
The name of the resource group that the Vnet is deployed in
The name of the subnet that the cluster is deployed in
The name of the security group attached to the cluster's subnet
(Optional in 1.6) The name of the route table attached to the subnet that the cluster is deployed in
(Optional) The name of the availability set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that availability set to the load balancer backend pool. If this is not set, and multiple agent pools (availability sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (availability sets), you MUST set this field.
The type of Azure nodes. Candidate values are vmss and standard. If not set, it defaults to standard.
The name of the scale set that should be used as the load balancer backend. If this is set, the Azure cloudprovider will only add nodes from that scale set to the load balancer backend pool. If this is not set, and multiple agent pools (scale sets) are used, then the cloudprovider will try to add all nodes to a single backend pool, which is forbidden. In other words, if you use multiple agent pools (scale sets), you MUST set this field.
The ClientID for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The ClientSecret for an AAD application with RBAC access to talk to Azure RM APIs. This is used for service principal authentication: https://github.com/Azure/aks-engine/blob/master/docs/topics/service-principals.md
The path of a client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
The password of the client certificate for an AAD application with RBAC access to talk to Azure RM APIs. This is used for client certificate authentication: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
Enable exponential backoff to manage resource request retries
Backoff retry limit
Backoff exponent
Backoff duration
Backoff jitter
Enable rate limiting
Rate limit QPS
Rate limit Bucket Size
Use instance metadata service where possible
Use managed service identity for the virtual machine to access Azure ARM APIs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview. For a user-assigned managed identity, UserAssignedIdentityID (below) must also be set.
Maximum allowed LoadBalancer rule count; this is the limit enforced by the Azure load balancer. Default (0) means 148.
The Client ID of the user-assigned MSI which is assigned to the underlying VMs. This is used for managed identity authentication: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
SKU of the load balancer and public IP: basic or standard. Default (blank) means basic.
Excludes master nodes (labeled with node-role.kubernetes.io/master) from the backend pool of the Azure standard load balancer. Default (nil) means true.
To add the master nodes to the ALB, set this to false and remove the node-role.kubernetes.io/master label from the master nodes.
CustomCloudProvider is a multiline string that represents a custom cloud config file
kubernetes directory path
kubernetes directory path for windows
Timeout in seconds for status check on addon deployment jobs
9 nested properties
Address of Bastion Host
SSH Port of Bastion Host
ssh User to Bastion Host
SSH Agent Auth enable
SSH Private Key
SSH Private Key Path
SSH Certificate
SSH Certificate Path
Ignore proxy environment variables
7 nested properties
Number of monitoring addon pods
Monitoring server provider
These options are NOT for configuring the Metrics-Server's addon template. They are used to pass command args to the metrics-server's deployment containers specifically.
NodeSelector key pair
Tolerations for Deployments
Priority class name for Metrics-Server's "metrics-server" deployment
2 nested properties
2 nested properties
Rotate CA Certificates
Services to rotate their certs
Rotate Encryption Key Option
10 nested properties
DNS provider
DNS config options
Upstream nameservers
ReverseCIDRs
Stubdomains
NodeSelector key pair
4 nested properties
link-local IP for nodelocal DNS
NodeSelector key pair
Priority class name for NodeLocal's "node-local-dns" daemonset
5 nested properties
Tolerations for Deployments
4 nested properties
MaxUnavailableWorker input can be a number of nodes or a percentage of nodes (example, max_unavailable_worker: 2 OR max_unavailable_worker: 20%)
MaxUnavailableControlplane input can be a number of nodes or a percentage of nodes
5 nested properties
Time to wait (in seconds) before giving up for one try
Drain the node even if there are pods not managed by a ReplicationController, Job, or DaemonSet. Drain will not proceed without Force set to true if there are such pods.
If there are DaemonSet-managed pods, drain will not proceed without IgnoreDaemonSets set to true (even when set to true, kubectl won't delete those pods, so the default is true).
Continue even if there are pods using emptyDir
Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used
Rotate CA Certificates
Services to rotate their certs
required
1 nested properties
3 nested properties
Enable/disable secrets encryption provider config