Merge pull request #1234 from wzshiming/feat/etcd-tracing

[kwokctl] Enable tracing for etcd
kubernetes-sigs · Sep 27, 2024 · 1b2faee · 1b2faee
2 parents c445c4e + 3468a80
commit 1b2faee
Show file tree

Hide file tree

Showing 12 changed files with 66 additions and 20 deletions.
diff --git a/pkg/kwokctl/components/etcd.go b/pkg/kwokctl/components/etcd.go
@@ -45,6 +45,7 @@ type BuildEtcdComponentConfig struct {
  PeerPort uint32
  Verbosity log.Level
  QuotaBackendSize string
+ OtlpGrpcAddress string
 }
 
 // BuildEtcdComponent builds an etcd component.
@@ -156,6 +157,14 @@ func BuildEtcdComponent(conf BuildEtcdComponentConfig) (component internalversio
  }
  }
 
+ if conf.OtlpGrpcAddress != "" {
+ etcdArgs = append(etcdArgs,
+ "--experimental-enable-distributed-tracing=true",
+ "--experimental-distributed-tracing-address="+conf.OtlpGrpcAddress,
+ "--experimental-distributed-tracing-sampling-rate=1000000",
+ )
+ }
+
  envs := []internalversion.Env{}
  if runtime.GOARCH != "amd64" {
  envs = append(envs, internalversion.Env{

diff --git a/pkg/kwokctl/components/jaeger.go b/pkg/kwokctl/components/jaeger.go
@@ -63,7 +63,7 @@ func BuildJaegerComponent(conf BuildJaegerComponentConfig) (component internalve
  )
  jaegerArgs = append(jaegerArgs,
  "--query.http-server.host-port="+conf.BindAddress+":16686",
- "--collector.otlp.grpc.host-port="+net.LocalAddress+":4317",
+ "--collector.otlp.grpc.host-port="+conf.BindAddress+":4317",
  )
  } else {
  ports = append(

diff --git a/pkg/kwokctl/runtime/binary/cluster.go b/pkg/kwokctl/runtime/binary/cluster.go
@@ -255,6 +255,16 @@ func (c *Cluster) Install(ctx context.Context) error {
  return err
  }
 
+ if env.kwokctlConfig.Options.JaegerPort != 0 {
+ err = c.setupPorts(ctx,
+ env.usedPorts,
+ &env.kwokctlConfig.Options.JaegerOtlpGrpcPort,
+ )
+ if err != nil {
+ return err
+ }
+ }
+
  err = c.addEtcd(ctx, env)
  if err != nil {
  return err
@@ -327,6 +337,11 @@ func (c *Cluster) addEtcd(ctx context.Context, env *env) (err error) {
  return err
  }
 
+ otlpGrpcAddress := ""
+ if conf.JaegerOtlpGrpcPort != 0 {
+ otlpGrpcAddress = net.LocalAddress + ":" + format.String(conf.JaegerOtlpGrpcPort)
+ }
+
  etcdComponent, err := components.BuildEtcdComponent(components.BuildEtcdComponentConfig{
  Runtime: conf.Runtime,
  ProjectName: c.Name(),
@@ -339,6 +354,7 @@ func (c *Cluster) addEtcd(ctx context.Context, env *env) (err error) {
  PeerPort: conf.EtcdPeerPort,
  Verbosity: env.verbosity,
  QuotaBackendSize: conf.EtcdQuotaBackendSize,
+ OtlpGrpcAddress: otlpGrpcAddress,
  })
  if err != nil {
  return err
@@ -362,15 +378,7 @@ func (c *Cluster) addKubeApiserver(ctx context.Context, env *env) (err error) {
  }
 
  kubeApiserverTracingConfigPath := ""
- if conf.JaegerPort != 0 {
- err = c.setupPorts(ctx,
- env.usedPorts,
- &conf.JaegerOtlpGrpcPort,
- )
- if err != nil {
- return err
- }
-
+ if conf.JaegerOtlpGrpcPort != 0 {
  kubeApiserverTracingConfigData, err := k8s.BuildKubeApiserverTracingConfig(k8s.BuildKubeApiserverTracingConfigParam{
  Endpoint: net.LocalAddress + ":" + format.String(conf.JaegerOtlpGrpcPort),
  })

diff --git a/pkg/kwokctl/runtime/compose/cluster.go b/pkg/kwokctl/runtime/compose/cluster.go
@@ -364,6 +364,11 @@ func (c *Cluster) addEtcd(ctx context.Context, env *env) (err error) {
  return err
  }
 
+ otlpGrpcAddress := ""
+ if conf.JaegerPort != 0 {
+ otlpGrpcAddress = c.Name() + "-jaeger:4317"
+ }
+
  etcdComponent, err := components.BuildEtcdComponent(components.BuildEtcdComponentConfig{
  Runtime: conf.Runtime,
  ProjectName: c.Name(),
@@ -375,6 +380,7 @@ func (c *Cluster) addEtcd(ctx context.Context, env *env) (err error) {
  DataPath: env.etcdDataPath,
  Verbosity: env.verbosity,
  QuotaBackendSize: conf.EtcdQuotaBackendSize,
+ OtlpGrpcAddress: otlpGrpcAddress,
  })
  if err != nil {
  return err

diff --git a/pkg/kwokctl/runtime/kind/kind.go b/pkg/kwokctl/runtime/kind/kind.go
@@ -150,6 +150,23 @@ func expendExtrasForBuildKind(conf BuildKindConfig) (BuildKindConfig, error) {
  }
  }
 
+ if conf.JaegerPort != 0 {
+ conf.EtcdExtraArgs = append(conf.EtcdExtraArgs,
+ internalversion.ExtraArgs{
+ Key: "experimental-enable-distributed-tracing",
+ Value: "true",
+ },
+ internalversion.ExtraArgs{
+ Key: "experimental-distributed-tracing-address",
+ Value: "127.0.0.1:4317",
+ },
+ internalversion.ExtraArgs{
+ Key: "experimental-distributed-tracing-sampling-rate",
+ Value: "1000000",
+ },
+ )
+ }
+
  if conf.Verbosity != log.LevelInfo {
  v := format.String(log.ToKlogLevel(conf.Verbosity))
  sl := log.ToLogSeverityLevel(conf.Verbosity)

diff --git a/test/e2e/kwokctl/dryrun/testdata/binary/create_cluster_with_verbosity.txt b/test/e2e/kwokctl/dryrun/testdata/binary/create_cluster_with_verbosity.txt
@@ -154,7 +154,7 @@ users: null
 EOF
 # Save cluster config to <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kwok.yaml
 # Add context kwok-<CLUSTER_NAME> to ~/.kube/config
-cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && etcd --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/etcd --initial-advertise-peer-urls=http://0.0.0.0:32766 --listen-peer-urls=http://0.0.0.0:32766 --advertise-client-urls=http://0.0.0.0:32765 --listen-client-urls=http://0.0.0.0:32765 --initial-cluster=node0=http://0.0.0.0:32766 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/etcd.log 2>&1 &
+cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && etcd --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/etcd --initial-advertise-peer-urls=http://0.0.0.0:32766 --listen-peer-urls=http://0.0.0.0:32766 --advertise-client-urls=http://0.0.0.0:32765 --listen-client-urls=http://0.0.0.0:32765 --initial-cluster=node0=http://0.0.0.0:32766 --experimental-enable-distributed-tracing=true --experimental-distributed-tracing-address=127.0.0.1:32762 --experimental-distributed-tracing-sampling-rate=1000000 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/etcd.log 2>&1 &
 echo $! ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pids/etcd.pid
 cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && jaeger --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=127.0.0.1:32762 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/jaeger.log 2>&1 &
 echo $! ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pids/jaeger.pid

diff --git a/test/e2e/kwokctl/dryrun/testdata/binary/start_cluster.txt b/test/e2e/kwokctl/dryrun/testdata/binary/start_cluster.txt
@@ -1,4 +1,4 @@
-cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && etcd --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/etcd --initial-advertise-peer-urls=http://0.0.0.0:32766 --listen-peer-urls=http://0.0.0.0:32766 --advertise-client-urls=http://0.0.0.0:2400 --listen-client-urls=http://0.0.0.0:2400 --initial-cluster=node0=http://0.0.0.0:32766 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/etcd.log 2>&1 &
+cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && etcd --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/etcd --initial-advertise-peer-urls=http://0.0.0.0:32766 --listen-peer-urls=http://0.0.0.0:32766 --advertise-client-urls=http://0.0.0.0:2400 --listen-client-urls=http://0.0.0.0:2400 --initial-cluster=node0=http://0.0.0.0:32766 --experimental-enable-distributed-tracing=true --experimental-distributed-tracing-address=127.0.0.1:32764 --experimental-distributed-tracing-sampling-rate=1000000 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/etcd.log 2>&1 &
 echo $! ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pids/etcd.pid
 cd <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME> && jaeger --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=127.0.0.1:32764 ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/jaeger.log 2>&1 &
 echo $! ><ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pids/jaeger.pid

diff --git a/test/e2e/kwokctl/dryrun/testdata/docker/create_cluster_with_verbosity.txt b/test/e2e/kwokctl/dryrun/testdata/docker/create_cluster_with_verbosity.txt
@@ -162,8 +162,8 @@ users:
 EOF
 # Save cluster config to <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kwok.yaml
 docker network create kwok-<CLUSTER_NAME> --label=com.docker.compose.project=kwok-<CLUSTER_NAME>
-docker create --name=kwok-<CLUSTER_NAME>-etcd --pull=never --entrypoint=etcd --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> registry.k8s.io/etcd:3.5.15-0 --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=/etcd-data --initial-advertise-peer-urls=http://0.0.0.0:2380 --listen-peer-urls=http://0.0.0.0:2380 --advertise-client-urls=http://0.0.0.0:2379 --listen-client-urls=http://0.0.0.0:2379 --initial-cluster=node0=http://0.0.0.0:2380
-docker create --name=kwok-<CLUSTER_NAME>-jaeger --pull=never --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=16686:16686/tcp docker.io/jaegertracing/all-in-one:1.58.1 --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=127.0.0.1:4317
+docker create --name=kwok-<CLUSTER_NAME>-etcd --pull=never --entrypoint=etcd --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> registry.k8s.io/etcd:3.5.15-0 --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=/etcd-data --initial-advertise-peer-urls=http://0.0.0.0:2380 --listen-peer-urls=http://0.0.0.0:2380 --advertise-client-urls=http://0.0.0.0:2379 --listen-client-urls=http://0.0.0.0:2379 --initial-cluster=node0=http://0.0.0.0:2380 --experimental-enable-distributed-tracing=true --experimental-distributed-tracing-address=kwok-<CLUSTER_NAME>-jaeger:4317 --experimental-distributed-tracing-sampling-rate=1000000
+docker create --name=kwok-<CLUSTER_NAME>-jaeger --pull=never --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=16686:16686/tcp docker.io/jaegertracing/all-in-one:1.58.1 --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=0.0.0.0:4317
 docker create --name=kwok-<CLUSTER_NAME>-kube-apiserver --pull=never --entrypoint=kube-apiserver --network=kwok-<CLUSTER_NAME> --link=kwok-<CLUSTER_NAME>-etcd --link=kwok-<CLUSTER_NAME>-jaeger --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=32766:6443/tcp --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/audit.yaml:/etc/kubernetes/audit-policy.yaml:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/audit.log:/var/log/kubernetes/audit/audit.log --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/apiserver-tracing-config.yaml:/etc/kubernetes/apiserver-tracing-config.yaml:ro registry.k8s.io/kube-apiserver:v1.31.0 --etcd-prefix=/registry --allow-privileged=true --max-requests-inflight=0 --max-mutating-requests-inflight=0 --enable-priority-and-fairness=false --etcd-servers=http://kwok-<CLUSTER_NAME>-etcd:2379 --authorization-mode=Node,RBAC --bind-address=0.0.0.0 --secure-port=6443 --tls-cert-file=/etc/kubernetes/pki/admin.crt --tls-private-key-file=/etc/kubernetes/pki/admin.key --client-ca-file=/etc/kubernetes/pki/ca.crt --service-account-key-file=/etc/kubernetes/pki/admin.key --service-account-signing-key-file=/etc/kubernetes/pki/admin.key --service-account-issuer=https://kubernetes.default.svc.cluster.local --proxy-client-key-file=/etc/kubernetes/pki/admin.key --proxy-client-cert-file=/etc/kubernetes/pki/admin.crt --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --tracing-config-file=/etc/kubernetes/apiserver-tracing-config.yaml
 docker create --name=kwok-<CLUSTER_NAME>-kube-apiserver-insecure-proxy --pull=never --entrypoint=kubectl --network=kwok-<CLUSTER_NAME> --link=kwok-<CLUSTER_NAME>-kube-apiserver --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=6080:8001/tcp --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kubeconfig:~/.kube/config:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro registry.k8s.io/kubectl:v1.31.0 proxy --accept-hosts=^*$ --address=0.0.0.0 --kubeconfig=~/.kube/config --port=8001
 docker create --name=kwok-<CLUSTER_NAME>-kube-controller-manager --pull=never --entrypoint=kube-controller-manager --network=kwok-<CLUSTER_NAME> --link=kwok-<CLUSTER_NAME>-kube-apiserver --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kubeconfig:~/.kube/config:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro registry.k8s.io/kube-controller-manager:v1.31.0 --node-monitor-period=25s --node-monitor-grace-period=3m20s --kubeconfig=~/.kube/config --authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics --bind-address=0.0.0.0 --secure-port=10257 --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/admin.key --kube-api-qps=5000 --kube-api-burst=10000

diff --git a/test/e2e/kwokctl/dryrun/testdata/kind-podman/create_cluster_with_verbosity.txt b/test/e2e/kwokctl/dryrun/testdata/kind-podman/create_cluster_with_verbosity.txt
@@ -58,6 +58,9 @@ kubeadmConfigPatches:
  local:
  dataDir: /var/lib/etcd
  extraArgs:
+ experimental-distributed-tracing-address: 127.0.0.1:4317
+ experimental-distributed-tracing-sampling-rate: "1000000"
+ experimental-enable-distributed-tracing: "true"
  quota-backend-bytes: "8589934592"
  kind: ClusterConfiguration
  networking: {}
@@ -502,7 +505,7 @@ spec:
  - args:
  - --collector.otlp.enabled=true
  - --query.http-server.host-port=0.0.0.0:16686
- - --collector.otlp.grpc.host-port=127.0.0.1:4317
+ - --collector.otlp.grpc.host-port=0.0.0.0:4317
  image: docker.io/jaegertracing/all-in-one:1.58.1
  imagePullPolicy: Never
  name: jaeger

diff --git a/test/e2e/kwokctl/dryrun/testdata/kind/create_cluster_with_verbosity.txt b/test/e2e/kwokctl/dryrun/testdata/kind/create_cluster_with_verbosity.txt
@@ -58,6 +58,9 @@ kubeadmConfigPatches:
  local:
  dataDir: /var/lib/etcd
  extraArgs:
+ experimental-distributed-tracing-address: 127.0.0.1:4317
+ experimental-distributed-tracing-sampling-rate: "1000000"
+ experimental-enable-distributed-tracing: "true"
  quota-backend-bytes: "8589934592"
  kind: ClusterConfiguration
  networking: {}
@@ -502,7 +505,7 @@ spec:
  - args:
  - --collector.otlp.enabled=true
  - --query.http-server.host-port=0.0.0.0:16686
- - --collector.otlp.grpc.host-port=127.0.0.1:4317
+ - --collector.otlp.grpc.host-port=0.0.0.0:4317
  image: docker.io/jaegertracing/all-in-one:1.58.1
  imagePullPolicy: Never
  name: jaeger

diff --git a/test/e2e/kwokctl/dryrun/testdata/nerdctl/create_cluster_with_verbosity.txt b/test/e2e/kwokctl/dryrun/testdata/nerdctl/create_cluster_with_verbosity.txt
@@ -162,8 +162,8 @@ users:
 EOF
 # Save cluster config to <ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kwok.yaml
 nerdctl network create kwok-<CLUSTER_NAME> --label=com.docker.compose.project=kwok-<CLUSTER_NAME>
-nerdctl create --name=kwok-<CLUSTER_NAME>-etcd --pull=never --entrypoint=etcd --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> registry.k8s.io/etcd:3.5.15-0 --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=/etcd-data --initial-advertise-peer-urls=http://0.0.0.0:2380 --listen-peer-urls=http://0.0.0.0:2380 --advertise-client-urls=http://0.0.0.0:2379 --listen-client-urls=http://0.0.0.0:2379 --initial-cluster=node0=http://0.0.0.0:2380
-nerdctl create --name=kwok-<CLUSTER_NAME>-jaeger --pull=never --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=16686:16686/tcp docker.io/jaegertracing/all-in-one:1.58.1 --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=127.0.0.1:4317
+nerdctl create --name=kwok-<CLUSTER_NAME>-etcd --pull=never --entrypoint=etcd --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> registry.k8s.io/etcd:3.5.15-0 --name=node0 --auto-compaction-retention=1 --quota-backend-bytes=8589934592 --data-dir=/etcd-data --initial-advertise-peer-urls=http://0.0.0.0:2380 --listen-peer-urls=http://0.0.0.0:2380 --advertise-client-urls=http://0.0.0.0:2379 --listen-client-urls=http://0.0.0.0:2379 --initial-cluster=node0=http://0.0.0.0:2380 --experimental-enable-distributed-tracing=true --experimental-distributed-tracing-address=kwok-<CLUSTER_NAME>-jaeger:4317 --experimental-distributed-tracing-sampling-rate=1000000
+nerdctl create --name=kwok-<CLUSTER_NAME>-jaeger --pull=never --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=16686:16686/tcp docker.io/jaegertracing/all-in-one:1.58.1 --collector.otlp.enabled=true --query.http-server.host-port=0.0.0.0:16686 --collector.otlp.grpc.host-port=0.0.0.0:4317
 nerdctl create --name=kwok-<CLUSTER_NAME>-kube-apiserver --pull=never --entrypoint=kube-apiserver --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=32766:6443/tcp --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/audit.yaml:/etc/kubernetes/audit-policy.yaml:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/logs/audit.log:/var/log/kubernetes/audit/audit.log --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/apiserver-tracing-config.yaml:/etc/kubernetes/apiserver-tracing-config.yaml:ro registry.k8s.io/kube-apiserver:v1.31.0 --etcd-prefix=/registry --allow-privileged=true --max-requests-inflight=0 --max-mutating-requests-inflight=0 --enable-priority-and-fairness=false --etcd-servers=http://kwok-<CLUSTER_NAME>-etcd:2379 --authorization-mode=Node,RBAC --bind-address=0.0.0.0 --secure-port=6443 --tls-cert-file=/etc/kubernetes/pki/admin.crt --tls-private-key-file=/etc/kubernetes/pki/admin.key --client-ca-file=/etc/kubernetes/pki/ca.crt --service-account-key-file=/etc/kubernetes/pki/admin.key --service-account-signing-key-file=/etc/kubernetes/pki/admin.key --service-account-issuer=https://kubernetes.default.svc.cluster.local --proxy-client-key-file=/etc/kubernetes/pki/admin.key --proxy-client-cert-file=/etc/kubernetes/pki/admin.crt --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --tracing-config-file=/etc/kubernetes/apiserver-tracing-config.yaml
 nerdctl create --name=kwok-<CLUSTER_NAME>-kube-apiserver-insecure-proxy --pull=never --entrypoint=kubectl --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --publish=6080:8001/tcp --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kubeconfig:~/.kube/config:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro registry.k8s.io/kubectl:v1.31.0 proxy --accept-hosts=^*$ --address=0.0.0.0 --kubeconfig=~/.kube/config --port=8001
 nerdctl create --name=kwok-<CLUSTER_NAME>-kube-controller-manager --pull=never --entrypoint=kube-controller-manager --network=kwok-<CLUSTER_NAME> --restart=unless-stopped --label=com.docker.compose.project=kwok-<CLUSTER_NAME> --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/kubeconfig:~/.kube/config:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/ca.crt:/etc/kubernetes/pki/ca.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.crt:/etc/kubernetes/pki/admin.crt:ro --volume=<ROOT_DIR>/workdir/clusters/<CLUSTER_NAME>/pki/admin.key:/etc/kubernetes/pki/admin.key:ro registry.k8s.io/kube-controller-manager:v1.31.0 --node-monitor-period=25s --node-monitor-grace-period=3m20s --kubeconfig=~/.kube/config --authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics --bind-address=0.0.0.0 --secure-port=10257 --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/admin.key --kube-api-qps=5000 --kube-api-burst=10000