richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1222 Commits
29 Branches
81 Tags
146 MiB
Tree: 0909368339
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0909368339'
${ noResults }
kubespray/docs/ansible.md

135 lines
5.4 KiB
Raw Normal View History

add documentation
8 years ago
Add etcd proxy support * Enforce a etcd-proxy role to a k8s-cluster group members. This provides an HA layout for all of the k8s cluster internal clients. * Proxies to be run on each node in the group as a separate etcd instances with a readwrite proxy mode and listen the given endpoint, which is either the access_ip:2379 or the localhost:2379. * A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and loadbalancers and use the etcd members IPs as a comma-separated list. Otherwise, clients shall use the local endpoint provided by a etcd-proxy instances on each etcd node. A Netwroking plugins always use that access mode. * Fix apiserver's etcd servers args to use the etcd_access_endpoint. * Fix networking plugins flannel/calico to use the etcd_endpoint. * Fix name env var for non masters to be set as well. * Fix etcd_client_url was not used anywhere and other etcd_* facts evaluation was duplicated in a few places. * Define proxy modes only in the env file, if not a master. Del an automatic proxy mode decisions for etcd nodes in init/unit scripts. * Use Wants= instead of Requires= as "This is the recommended way to hook start-up of one unit to the start-up of another unit" * Make apiserver/calico Wants= etcd-proxy to keep it always up Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
8 years ago
add documentation
8 years ago
Add etcd proxy support * Enforce a etcd-proxy role to a k8s-cluster group members. This provides an HA layout for all of the k8s cluster internal clients. * Proxies to be run on each node in the group as a separate etcd instances with a readwrite proxy mode and listen the given endpoint, which is either the access_ip:2379 or the localhost:2379. * A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and loadbalancers and use the etcd members IPs as a comma-separated list. Otherwise, clients shall use the local endpoint provided by a etcd-proxy instances on each etcd node. A Netwroking plugins always use that access mode. * Fix apiserver's etcd servers args to use the etcd_access_endpoint. * Fix networking plugins flannel/calico to use the etcd_endpoint. * Fix name env var for non masters to be set as well. * Fix etcd_client_url was not used anywhere and other etcd_* facts evaluation was duplicated in a few places. * Define proxy modes only in the env file, if not a master. Del an automatic proxy mode decisions for etcd nodes in init/unit scripts. * Use Wants= instead of Requires= as "This is the recommended way to hook start-up of one unit to the start-up of another unit" * Make apiserver/calico Wants= etcd-proxy to keep it always up Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
8 years ago
add documentation
8 years ago
Add etcd proxy support * Enforce a etcd-proxy role to a k8s-cluster group members. This provides an HA layout for all of the k8s cluster internal clients. * Proxies to be run on each node in the group as a separate etcd instances with a readwrite proxy mode and listen the given endpoint, which is either the access_ip:2379 or the localhost:2379. * A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and loadbalancers and use the etcd members IPs as a comma-separated list. Otherwise, clients shall use the local endpoint provided by a etcd-proxy instances on each etcd node. A Netwroking plugins always use that access mode. * Fix apiserver's etcd servers args to use the etcd_access_endpoint. * Fix networking plugins flannel/calico to use the etcd_endpoint. * Fix name env var for non masters to be set as well. * Fix etcd_client_url was not used anywhere and other etcd_* facts evaluation was duplicated in a few places. * Define proxy modes only in the env file, if not a master. Del an automatic proxy mode decisions for etcd nodes in init/unit scripts. * Use Wants= instead of Requires= as "This is the recommended way to hook start-up of one unit to the start-up of another unit" * Make apiserver/calico Wants= etcd-proxy to keep it always up Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
8 years ago
add documentation
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags for bastion-ssh-config
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Preconfigure DNS stack and docker early In order to enable offline/intranet installation cases: * Move DNS/resolvconf configuration to preinstall role. Remove skip_dnsmasq_k8s var as not needed anymore. * Preconfigure DNS stack early, which may be the case when downloading artifacts from intranet repositories. Do not configure K8s DNS resolvers for hosts /etc/resolv.conf yet early (as they may be not existing). * Reconfigure K8s DNS resolvers for hosts only after kubedns/dnsmasq was set up and before K8s apps to be created. * Move docker install task to early stage as well and unbind it from the etcd role's specific install path. Fix external flannel dependency on docker role handlers. Also fix the docker restart handlers' steps ordering to match the expected sequence (the socket then the service). * Add default resolver fact, which is the cloud provider specific and remove hardcoded GCE resolver. * Reduce default ndots for hosts /etc/resolv.conf to 2. Multiple search domains combined with high ndots values lead to poor performance of DNS stack and make ansible workers to fail very often with the "Timeout (12s) waiting for privilege escalation prompt:" error. * Update docs. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
More granular control for download/upload images/binaries Add upload tag allow users to exclude distributing images across nodes when running with the download tag set. Add related tags and update docs as well. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
More granular control for download/upload images/binaries Add upload tag allow users to exclude distributing images across nodes when running with the download tag set. Add related tags and update docs as well. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
More granular control for download/upload images/binaries Add upload tag allow users to exclude distributing images across nodes when running with the download tag set. Add related tags and update docs as well. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
More granular control for download/upload images/binaries Add upload tag allow users to exclude distributing images across nodes when running with the download tag set. Add related tags and update docs as well. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
More granular control for download/upload images/binaries Add upload tag allow users to exclude distributing images across nodes when running with the download tag set. Add related tags and update docs as well. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add tags Add tags to allow more granular tasks filtering. Add generator script for MD formatted tags found. Add docs for tags how-to. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add documentation about bastion hosts
8 years ago
  1. Ansible variables
  2. ===============
  5. Inventory
  6. -------------
  7. The inventory is composed of 3 groups:
  9. * **kube-node** : list of kubernetes nodes where the pods will run.
  10. * **kube-master** : list of servers where kubernetes master components (apiserver, scheduler, controller) will run.
  11. Note: if you want the server to act both as master and node the server must be defined on both groups _kube-master_ and _kube-node_
  12. * **etcd**: list of server to compose the etcd server. you should have at least 3 servers for failover purposes.
  14. Below is a complete inventory example:
  16. ```
  17. ## Configure 'ip' variable to bind kubernetes services on a
  18. ## different ip than the default iface
  19. node1 ansible_ssh_host=95.54.0.12 # ip=10.3.0.1
  20. node2 ansible_ssh_host=95.54.0.13 # ip=10.3.0.2
  21. node3 ansible_ssh_host=95.54.0.14 # ip=10.3.0.3
  22. node4 ansible_ssh_host=95.54.0.15 # ip=10.3.0.4
  23. node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5
  24. node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6
  26. [kube-master]
  27. node1
  28. node2
  30. [etcd]
  31. node1
  32. node2
  33. node3
  35. [kube-node]
  36. node2
  37. node3
  38. node4
  39. node5
  40. node6
  42. [k8s-cluster:children]
  43. kube-node
  44. kube-master
  45. etcd
  46. ```
  48. Group vars
  49. --------------
  50. The main variables to change are located in the directory ```inventory/group_vars/all.yml```.
  52. Ansible tags
  53. ------------
  54. The following tags are defined in playbooks:
  56. | Tag name | Used for
  57. |--------------------------|---------
  58. | apps | K8s apps definitions
  59. | azure | Cloud-provider Azure
  60. | bastion | Setup ssh config for bastion
  61. | bootstrap-os | Anything related to host OS configuration
  62. | calico | Network plugin Calico
  63. | canal | Network plugin Canal
  64. | cloud-provider | Cloud-provider related tasks
  65. | dnsmasq | Configuring DNS stack for hosts and K8s apps
  66. | docker | Configuring docker for hosts
  67. | download | Fetching container images to a delegate host
  68. | etcd | Configuring etcd cluster
  69. | etcd-pre-upgrade | Upgrading etcd cluster
  70. | etcd-secrets | Configuring etcd certs/keys
  71. | etchosts | Configuring /etc/hosts entries for hosts
  72. | facts | Gathering facts and misc check results
  73. | flannel | Network plugin flannel
  74. | gce | Cloud-provider GCP
  75. | hyperkube | Manipulations with K8s hyperkube image
  76. | k8s-pre-upgrade | Upgrading K8s cluster
  77. | k8s-secrets | Configuring K8s certs/keys
  78. | kpm | Installing K8s apps definitions with KPM
  79. | kube-apiserver | Configuring self-hosted kube-apiserver
  80. | kube-controller-manager | Configuring self-hosted kube-controller-manager
  81. | kubectl | Installing kubectl and bash completion
  82. | kubelet | Configuring kubelet service
  83. | kube-proxy | Configuring self-hosted kube-proxy
  84. | kube-scheduler | Configuring self-hosted kube-scheduler
  85. | localhost | Special steps for the localhost (ansible runner)
  86. | master | Configuring K8s master node role
  87. | netchecker | Installing netchecker K8s app
  88. | network | Configuring networking plugins for K8s
  89. | nginx | Configuring LB for kube-apiserver instances
  90. | node | Configuring K8s minion (compute) node role
  91. | openstack | Cloud-provider OpenStack
  92. | preinstall | Preliminary configuration steps
  93. | resolvconf | Configuring /etc/resolv.conf for hosts/apps
  94. | upgrade | Upgrading, f.e. container images/binaries
  95. | upload | Distributing images/binaries across hosts
  96. | weave | Network plugin Weave
  98. Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
  99. tags found in the codebase. New tags will be listed with the empty "Used for"
  100. field.
  102. Example commands
  103. ----------------
  104. Example command to filter and apply only DNS configuration tasks and skip
  105. everything else related to host OS configuration and downloading images of containers:
  107. ```
  108. ansible-playbook -i inventory/inventory.ini cluster.yml --tags preinstall,dnsmasq,facts --skip-tags=download,bootstrap-os
  109. ```
  110. And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:
  111. ```
  112. ansible-playbook -i inventory/inventory.ini -e dns_server='' cluster.yml --tags resolvconf
  113. ```
  114. And this prepares all container images localy (at the ansible runner node) without installing
  115. or upgrading related stuff or trying to upload container to K8s cluster nodes:
  116. ```
  117. ansible-playbook -i inventory/inventory.ini cluster.yaml \
  118. -e download_run_once=true -e download_localhost=true \
  119. --tags download --skip-tags upload,upgrade
  120. ```
  122. Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing.
  124. Bastion host
  125. --------------
  126. If you prefer to not make your nodes publicly accessible (nodes with private IPs only),
  127. you can use a so called *bastion* host to connect to your nodes. To specify and use a bastion,
  128. simply add a line to your inventory, where you have to replace x.x.x.x with the public IP of the
  129. bastion host.
  131. ```
  132. bastion ansible_ssh_host=x.x.x.x
  133. ```
  135. For more information about Ansible and bastion hosts, read
  136. [Running Ansible Through an SSH Bastion Host](http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)