Appendix: Advanced Configuration of KubeSphere Core
KubeSphere Helm Chart Parameters
Global Configuration
| Name | Description | Value |
|---|---|---|
| | Global Docker image registry | |
| | Global Docker image tag | |
| | Global Docker registry secret names as an array | |
Common Parameters
| Name | Description | Value |
|---|---|---|
| | String to partially override common.names.fullname | |
| | String to fully override common.names.fullname | |
| | Labels to add to all deployed objects | |
| | Annotations to add to all deployed objects | |
Multi-cluster Configuration
| Name | Description | Value |
|---|---|---|
| | Multi-cluster role (host/member) | |
| | Host cluster name | |
Portal Configuration
| Name | Description | Value |
|---|---|---|
| | The public domain name or IP address to access the | |
| | The HTTP port exposed by the | |
S3 Storage Configuration
| Name | Description | Value |
|---|---|---|
| | S3 endpoint URL | |
| | S3 region | |
| | Disable SSL for S3 | |
| | Force path style for S3 | |
| | S3 access key ID | |
| | S3 secret access key | |
| | S3 bucket name | |
Authentication Configuration
| Name | Description | Value |
|---|---|---|
| | Maximum authentication attempts | |
| | Rate limiter duration | |
| | Login history retention period | |
| | Enable multi-login | |
| | Maximum inactivity duration | |
| | Admin password | |
| | Maximum clock skew for JWT | |
| | JWT secret | |
| | Access token maximum age | |
| | Access token inactivity timeout | |
Security Configuration
| Name | Description | Value |
|---|---|---|
| | Enable password expiration | |
| | Maximum password age in days | |
| | Days before password expiration to start reminding | |
| | Force users to change password when expired | |
Experimental Features
| Name | Description | Value |
|---|---|---|
| | Validation directive (Strict/Ignore/Warn) | |
| | Enable maintenance mode | |
| | Enable platform maintenance | |
| | Maintenance description | |
| | Enable OpenAPI | |
| | Enable HNC (Hierarchical Namespace Controller) | |
Auditing Configuration
| Name | Description | Value |
|---|---|---|
| | Enable auditing | |
| | Audit level (Metadata/Request/RequestResponse) | |
| | Audit log path | |
| | Maximum age of audit logs | |
| | Maximum number of audit log backups | |
| | Maximum size of audit log files | |
Service Account Configuration
| Name | Description | Value |
|---|---|---|
| | Create service account | |
| | Service account annotations | |
| | Service account name | |
Pod Configuration
| Name | Description | Value |
|---|---|---|
| | Pod tolerations | |
| | Pod affinity configuration | |
| | Node selector for pod assignment | |
| | Enable TLS communication between all components | |
API Server Configuration
| Name | Description | Value |
|---|---|---|
| | API server image registry | |
| | API server image repository | |
| | API server image tag | |
| | API server image digest | |
| | API server image pull policy | |
| | List of container ports to enable in the ks-apiserver container | |
| | The resource limits for the ks-apiserver containers | |
| | The requested resources for the ks-apiserver containers | |
| | Override default container command | |
| | Array with extra environment variables to add to ks-apiserver | |
| | Extra list of additional volumeMounts for the ks-apiserver container(s) | |
| | Extra list of additional volumes for the ks-apiserver pod(s) | |
| | Whether the ks-apiserver pods should be forced to run on separate nodes | |
Console Configuration
| Name | Description | Value |
|---|---|---|
| | Console image registry | |
| | Console image repository | |
| | Console image tag | |
| | Console image digest | |
| | Console image pull policy | |
| | Enable kubeconfig in console | |
| | Enable node list terminal in console | |
| | List of container ports to enable in the ks-console container | |
| | Node port for console service | |
| | The resource limits for the ks-console containers | |
| | The requested resources for the ks-console containers | |
| | Override default container command | |
| | Array with extra environment variables to add to ks-console | |
| | Extra list of additional volumeMounts for the ks-console container(s) | |
| | Extra list of additional volumes for the ks-console pod(s) | |
| | Whether the ks-console pods should be forced to run on separate nodes | |
Controller Configuration
| Name | Description | Value |
|---|---|---|
| | Controller image registry | |
| | Controller image repository | |
| | Controller image tag | |
| | Controller image digest | |
| | Controller image pull policy | |
| | List of container ports to enable in the ks-controller-manager container | |
| | The resource limits for the ks-controller-manager containers | |
| | The requested resources for the ks-controller-manager containers | |
| | Override default container command | |
| | Array with extra environment variables to add to ks-controller-manager | |
| | Extra list of additional volumeMounts for the ks-controller-manager container(s) | |
| | Extra list of additional volumes for the ks-controller-manager pod(s) | |
| | Whether the ks-controller-manager pods should be forced to run on separate nodes | |
Agent Configuration
| Name | Description | Value |
|---|---|---|
| | Number of agent replicas | |
Helm Executor Configuration
| Name | Description | Value |
|---|---|---|
| | Helm executor timeout | |
| | Maximum helm history | |
| | Job TTL after finished | |
| | Helm executor image registry | |
| | Helm executor image repository | |
| | Helm executor image tag | |
| | Helm executor image pull policy | |
| | Resource limits for helm executor | |
| | Resource requests for helm executor | |
| | Affinity configuration for helm executor | |
Composed App Configuration
| Name | Description | Value |
|---|---|---|
| | Selector to filter k8s applications to reconcile | |
Kubectl Configuration
| Name | Description | Value |
|---|---|---|
| | Kubectl image registry | |
| | Kubectl image repository | |
| | Kubectl image tag | |
| | Kubectl image pull policy | |
Ingress Configuration
| Name | Description | Value |
|---|---|---|
| | Enable ingress | |
| | Ingress class name | |
| | Enable TLS | |
| | TLS source (generation/importation/letsEncrypt) | |
| | TLS secret name | |
Let’s Encrypt Configuration
| Name | Description | Value |
|---|---|---|
| | Let’s Encrypt environment (production/staging) | |
Cert Manager Configuration
| Name | Description | Value |
|---|---|---|
| | Certificate duration | |
| | Certificate renewal before expiration | |
Terminal Configuration
| Name | Description | Value |
|---|---|---|
| | Enable kubectl terminal | |
| | Kubectl terminal image registry | |
| | Kubectl terminal image repository | |
| | Kubectl terminal image tag | |
| | Kubectl terminal image pull policy | |
| | Enable node terminal | |
| | Node terminal image registry | |
| | Node terminal image repository | |
| | Node terminal image tag | |
| | Node terminal image pull policy | |
| | Enable pod terminal | |
| | Upload file limit for pod terminal | |
| | Enable file upload in pod terminal | |
| | Enable file download in pod terminal | |
Cloud Configuration
| Name | Description | Value |
|---|---|---|
| | Enable cloud features | |
| | Cloud environment | |
| | Custom cloud environment configuration | |
Extension Configuration
| Name | Description | Value |
|---|---|---|
| | Extension image registry | |
| | Node selector for extensions | |
| | Extension ingress class name | |
| | Domain suffix for extension ingresses | |
| | HTTP port for extension ingress | |
| | HTTPS port for extension ingress | |
Upgrade Configuration
| Name | Description | Value |
|---|---|---|
| | Enable upgrade | |
| | Upgrade image registry | |
| | Upgrade image repository | |
| | Upgrade image tag | |
| | Upgrade image pull policy | |
| | Upgrade persistence volume name | |
| | Upgrade storage class name | |
| | Upgrade access mode | |
| | Upgrade volume size | |
| | Upgrade configuration | |
High Availability Configuration
| Name | Description | Value |
|---|---|---|
| | Enable high availability | |
Redis Configuration
| Name | Description | Value |
|---|---|---|
| | Redis port | |
| | Redis replica count | |
| | Redis image registry | |
| | Redis image repository | |
| | Redis image digest | |
| | Redis image tag | |
| | Redis image pull policy | |
| | Enable Redis persistent volume | |
| | Redis persistent volume size | |
Redis HA Configuration
| Name | Description | Value |
|---|---|---|
| | Enable Redis HA | |
| | Redis HA port | |
| | Redis HA image registry | |
| | Redis HA image repository | |
| | Redis HA image tag | |
| | Redis HA image pull policy | |
| | Enable Redis HA persistent volume | |
| | Redis HA persistent volume size | |
| | Enable Redis HA authentication | |
| | Redis HA existing secret | |
| | Redis HA tolerations | |
| | Redis HA hard anti-affinity | |
| | Redis HA additional affinities | |
| | HAProxy service port | |
| | HAProxy container port | |
| | HAProxy image registry | |
| | HAProxy image repository | |
| | HAProxy image tag | |
| | HAProxy image digest | |
| | HAProxy image pull policy | |
| | HAProxy hard anti-affinity | |
| | HAProxy additional affinities | |
KubeSphere CRDs Configuration
| Name | Description | Value |
|---|---|---|
| | Kubectl image registry for CRDs | |
| | Kubectl image repository for CRDs | |
| | Kubectl image tag for CRDs | |
| | Kubectl image pull policy for CRDs | |
KSE Extension Repository Configuration
| Name | Description | Value |
|---|---|---|
| | Enable KSE extension repository | |
| | Extension repository image registry | |
| | Extension repository image repository | |
| | Extension repository image tag | |
| | Extension repository image pull policy | |
KubeSphere Console Embed Configuration
| Name | Description | Value |
|---|---|---|
| | Console embed image repository | |
| | Console embed image tag | |
| | Console embed image pull policy | |
Application Configuration
| Name | Description | Value |
|---|---|---|
| | Enable built-in repository | |
TLS Configuration
Select SSL Configuration
KubeSphere security configuration includes Ingress SSL Configuration and Internal SSL Configuration. The Ingress SSL Configuration supports three modes by default to enable SSL/TLS for secure access.

Ingress SSL Configuration

| Configuration | Helm Chart Option | Cert-manager Required |
|---|---|---|
| KubeSphere Generated TLS Certificates | ingress.tls.source=generation | No |
| Let’s Encrypt | ingress.tls.source=letsEncrypt | Yes |
| Import Existing Certificates | ingress.tls.source=importation | No |
KubeSphere Generated TLS Certificates: Supports both cert-manager and Helm methods.

- If cert-manager is already installed in the Kubernetes cluster, it is preferred to use cert-manager to generate certificates. KubeSphere uses cert-manager to issue and maintain certificates. KubeSphere generates its CA certificate, signs a certificate using that CA, and then manages the certificate with cert-manager.
- If cert-manager is not installed, Helm is used to generate certificates. During the installation process with Helm, KubeSphere generates CA and TLS certificates based on the configured hostname. With this option, certificates are not rotated automatically on expiration.
Let’s Encrypt
When using the Let’s Encrypt option, cert-manager must be used. In this scenario, cert-manager works with a special issuer for Let’s Encrypt that performs all actions (including request and validation) necessary for obtaining a Let’s Encrypt issued certificate. This configuration uses HTTP validation (HTTP-01), so the load balancer must have a public DNS record and be accessible from the internet.

Import Existing Certificates
This option allows you to bring your own public- or private-CA signed certificate. KubeSphere will use that certificate to secure websocket and HTTPS traffic. In this case, you must upload this certificate (and associated key) as PEM-encoded files with the names tls.crt and tls.key. If you are using a private CA, you must also upload that CA certificate, because the private CA may not be trusted by your nodes.
Internal SSL Configuration
After enabling internal SSL configuration, both the Console UI and the Apiserver in KubeSphere use HTTPS. This configuration supports both cert-manager and Helm generated certificates. When cert-manager is already installed in the Kubernetes cluster, it is preferred to use cert-manager to generate and manage certificates, and the DNS names in the certificates default to the Console UI and Apiserver Service DNS names within the Kubernetes cluster.

| Configuration | Helm Chart Option | Cert-manager Required |
|---|---|---|
| Enable Internal SSL | internalTLS=true | No |
Install cert-manager
If you are using your own certificate files (ingress.tls.source=importation), you can skip this step.
You need to install cert-manager only when using KubeSphere-generated certificates (ingress.tls.source=generation) or Let’s Encrypt issued certificates (ingress.tls.source=letsEncrypt).

```bash
# Add Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update local Helm Chart repository cache
helm repo update
# Install cert-manager Helm Chart
helm install cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set prometheus.enabled=false
# Or
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/<VERSION>/cert-manager.yaml
```

After installing cert-manager, check the running pods in the cert-manager namespace to verify that it has been deployed correctly:

```bash
kubectl get pods --namespace cert-manager
```
Based on your selected certificate option, enable SSL configuration for KubeSphere using Helm.

Enable Ingress SSL Configuration

KubeSphere Generated Certificates

```bash
helm upgrade --install -n kubesphere-system --create-namespace ks-core $chart --version $version \
  --set ingress.enabled=true \
  --set hostname=kubesphere.my.org
```

Let’s Encrypt
This option uses cert-manager to automatically request and renew Let’s Encrypt certificates. Let’s Encrypt is a free, trusted CA, so it can provide valid certificates.

```bash
helm upgrade --install -n kubesphere-system --create-namespace ks-core $chart --version $version \
  --set hostname=kubesphere.my.org \
  --set ingress.enabled=true \
  --set ingress.tls.source=letsEncrypt \
  --set letsEncrypt.email=me@example.org
```

Import External Certificates

```bash
# Import external certificates
kubectl create secret tls tls-ks-core-ingress --cert=tls.crt --key=tls.key -n kubesphere-system
# Install KubeSphere
helm upgrade --install -n kubesphere-system --create-namespace ks-core $chart --version $version \
  --set ingress.enabled=true \
  --set hostname=kubesphere.my.org \
  --set ingress.tls.source=importation
```

Enable Internal SSL Configuration

```bash
helm upgrade --install -n kubesphere-system --create-namespace ks-core $chart --version $version \
  --set internalTLS=true
```
Configure the Rate Limiter
Once enabled, the limiter limits requests independently for all users in KubeSphere. It supports the following two methods:

- Setting a rate limit for all users in KubeSphere (individual per-user rate limits are not supported at the moment);
- Setting a rate limit independently for each ServiceAccount in KubeSphere.

Enable the Limiter
Enabling the limiter means setting a rate limit for all users in KubeSphere.

- Modify the kubesphere-system configmap:

```bash
kubectl -n kubesphere-system edit cm kubesphere-system
```

Add the following content:

```yaml
rateLimit:
  enable: true    # Enable the limiter
  driver: memory  # Memory mode
  QPS: 40.0       # Token recovery rate
  burst: 80       # Token bucket capacity
```

- Restart the ks-apiserver:

```bash
kubectl -n kubesphere-system rollout restart deploy ks-apiserver
```

Set the ServiceAccount Limiter
Before setting this, you need to enable the limiter as in the previous step. Then run the following command to set the rate limit for a ServiceAccount:

```bash
kubectl -n <Namespace> patch serviceaccounts.kubesphere.io <ServiceAccount> --type merge \
  -p '{"metadata": {"annotations": {"kubesphere.io/ratelimiter-qps": "20.0", "kubesphere.io/ratelimiter-burst": "40"}}}'
```
Parameter Description

| Option | Default Value | Description |
|---|---|---|
| rateLimit.enable | false | bool - Enable the limiter. |
| rateLimit.driver | memory | string - Limiter storage type, options: "memory". |
| rateLimit.QPS | 5.0 | float32 - Number of tokens recovered per second in the limiter token bucket algorithm. |
| rateLimit.burst | 10 | int - Maximum capacity of the token bucket in the limiter token bucket algorithm. |

| Note |
|---|
| The recommended QPS for token recovery rate should be half the burst capacity. |
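The token-bucket behaviour the table describes (rateLimit.QPS as the refill rate, rateLimit.burst as the capacity) and the per-ServiceAccount override annotations from the previous section, as an added Python model that is not part of the KubeSphere code base. It assumes a classic token bucket that starts full; falling back to the global values when an annotation is malformed or non-positive is this model's choice, not documented ks-apiserver behaviour. The ServiceAccount manifests and request arrival times are constructed for illustration.

```python
"""Token-bucket model of the ks-apiserver rate limiter settings.

Added example, not KubeSphere project code. Models rateLimit.QPS (tokens
recovered per second), rateLimit.burst (bucket capacity) and the
per-ServiceAccount annotations kubesphere.io/ratelimiter-qps and
kubesphere.io/ratelimiter-burst. Manifests and timings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Global defaults from the parameter table on this page.
DEFAULT_QPS = 5.0
DEFAULT_BURST = 10

QPS_ANNOTATION = "kubesphere.io/ratelimiter-qps"
BURST_ANNOTATION = "kubesphere.io/ratelimiter-burst"


def effective_limits(serviceaccount: Dict, global_qps: float = DEFAULT_QPS,
                     global_burst: int = DEFAULT_BURST) -> Tuple[float, int]:
    """Resolve (qps, burst) for a ServiceAccount manifest dict.

    Per-ServiceAccount annotations override the global rateLimit values.
    Assumption of this model: a missing, non-numeric or non-positive
    annotation falls back to the global values, so a typo in an annotation
    never leaves an account unlimited.
    """
    annotations = (serviceaccount.get("metadata") or {}).get("annotations") or {}
    try:
        qps = float(annotations.get(QPS_ANNOTATION, global_qps))
        burst = int(annotations.get(BURST_ANNOTATION, global_burst))
    except (TypeError, ValueError):
        return global_qps, global_burst
    if qps <= 0 or burst <= 0:
        return global_qps, global_burst
    return qps, burst


@dataclass
class TokenBucket:
    """Classic token bucket: starts full, refills at qps tokens/s, capped at burst."""
    qps: float
    burst: int
    tokens: float = field(init=False, default=0.0)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        """Admit one request arriving at `now` (seconds) if a token is available."""
        elapsed = max(0.0, now - self.last_seen)
        self.last_seen = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.qps)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(qps: float, burst: int, arrivals: Sequence[float]) -> List[bool]:
    """Run a sequence of request arrival times through one fresh bucket."""
    bucket = TokenBucket(qps, burst)
    return [bucket.allow(t) for t in arrivals]


def admitted_per_second(qps: float, burst: int, arrivals: Sequence[float]) -> Dict[int, int]:
    """Count admitted requests per whole second; shows the burst then the steady rate."""
    counts: Dict[int, int] = {}
    for t, ok in zip(arrivals, simulate(qps, burst, arrivals)):
        if ok:
            counts[int(t)] = counts.get(int(t), 0) + 1
    return counts


# Constructed ServiceAccount manifests; the override values match the
# kubectl patch command shown earlier on this page.
SA_WITH_OVERRIDE = {
    "kind": "ServiceAccount",
    "metadata": {"name": "ci-bot", "namespace": "demo",
                 "annotations": {QPS_ANNOTATION: "20.0", BURST_ANNOTATION: "40"}},
}
SA_DEFAULT = {"kind": "ServiceAccount", "metadata": {"name": "plain", "namespace": "demo"}}
SA_BROKEN = {
    "kind": "ServiceAccount",
    "metadata": {"name": "typo", "namespace": "demo", "annotations": {QPS_ANNOTATION: "twenty"}},
}

if __name__ == "__main__":
    for sa in (SA_WITH_OVERRIDE, SA_DEFAULT, SA_BROKEN):
        print(sa["metadata"]["name"], effective_limits(sa))
    # 15 requests at t=0 then 10 more at t=1 against the global defaults:
    # the burst admits 10, the next second admits only QPS=5 more.
    print(admitted_per_second(DEFAULT_QPS, DEFAULT_BURST, [0.0] * 15 + [1.0] * 10))
```

With the values from the configmap snippet (QPS 40.0, burst 80), which follow the half-of-burst recommendation, a bucket drained by one burst of 80 requests is full again after exactly two seconds; a lower QPS lengthens that recovery window, a higher one lets a client sustain more requests per second than the burst figure suggests.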