You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

213 lines
11 KiB

6 years ago
  1. # Configurable Parameters in Kubespray
  2. ## Generic Ansible variables
  3. You can view facts gathered by Ansible automatically
  4. [here](https://docs.ansible.com/ansible/playbooks_variables.html#information-discovered-from-systems-facts).
  5. Some variables of note include:
  6. * *ansible_user*: user to connect to via SSH
  7. * *ansible_default_ipv4.address*: IP address Ansible automatically chooses.
  8. Generated based on the output from the command ``ip -4 route get 8.8.8.8``
  9. ## Common vars that are used in Kubespray
  10. * *calico_version* - Specify version of Calico to use
  11. * *calico_cni_version* - Specify version of Calico CNI plugin to use
  12. * *docker_version* - Specify version of Docker to used (should be quoted
  13. string). Must match one of the keys defined for *docker_versioned_pkg*
  14. in `roles/container-engine/docker/vars/*.yml`.
  15. * *etcd_version* - Specify version of ETCD to use
  16. * *ipip* - Enables Calico ipip encapsulation by default
  17. * *kube_network_plugin* - Sets k8s network plugin (default Calico)
  18. * *kube_proxy_mode* - Changes k8s proxy mode to iptables mode
  19. * *kube_version* - Specify a given Kubernetes hyperkube version
  20. * *searchdomains* - Array of DNS domains to search when looking up hostnames
  21. * *nameservers* - Array of nameservers to use for DNS lookup
  22. * *preinstall_selinux_state* - Set selinux state, permitted values are permissive and disabled.
  23. ## Addressing variables
  24. * *ip* - IP to use for binding services (host var)
  25. * *access_ip* - IP for other hosts to use to connect to. Often required when
  26. deploying from a cloud, such as OpenStack or GCE and you have separate
  27. public/floating and private IPs.
  28. * *ansible_default_ipv4.address* - Not Kubespray-specific, but it is used if ip
  29. and access_ip are undefined
  30. * *loadbalancer_apiserver* - If defined, all hosts will connect to this
  31. address instead of localhost for kube-masters and kube-master[0] for
  32. kube-nodes. See more details in the
  33. [HA guide](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ha-mode.md).
  34. * *loadbalancer_apiserver_localhost* - makes all hosts to connect to
  35. the apiserver internally load balanced endpoint. Mutual exclusive to the
  36. `loadbalancer_apiserver`. See more details in the
  37. [HA guide](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ha-mode.md).
  38. ## Cluster variables
  39. Kubernetes needs some parameters in order to get deployed. These are the
  40. following default cluster parameters:
  41. * *cluster_name* - Name of cluster (default is cluster.local)
  42. * *dns_domain* - Name of cluster DNS domain (default is cluster.local)
  43. * *kube_network_plugin* - Plugin to use for container networking
  44. * *kube_service_addresses* - Subnet for cluster IPs (default is
  45. 10.233.0.0/18). Must not overlap with kube_pods_subnet
  46. * *kube_pods_subnet* - Subnet for Pod IPs (default is 10.233.64.0/18). Must not
  47. overlap with kube_service_addresses.
  48. * *kube_network_node_prefix* - Subnet allocated per-node for pod IPs. Remaining
  49. bits in kube_pods_subnet dictates how many kube-nodes can be in cluster.
  50. * *skydns_server* - Cluster IP for DNS (default is 10.233.0.3)
  51. * *skydns_server_secondary* - Secondary Cluster IP for CoreDNS used with coredns_dual deployment (default is 10.233.0.4)
  52. * *enable_coredns_k8s_external* - If enabled, it configures the [k8s_external plugin](https://coredns.io/plugins/k8s_external/)
  53. on the CoreDNS service.
  54. * *coredns_k8s_external_zone* - Zone that will be used when CoreDNS k8s_external plugin is enabled
  55. (default is k8s_external.local)
  56. * *enable_coredns_k8s_endpoint_pod_names* - If enabled, it configures endpoint_pod_names option for kubernetes plugin.
  57. on the CoreDNS service.
  58. * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
  59. OpenStack (default is unset)
  60. * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
  61. Kubernetes
  62. * *kube_feature_gates* - A list of key=value pairs that describe feature gates for
  63. alpha/experimental Kubernetes features. (defaults is `[]`)
  64. * *authorization_modes* - A list of [authorization mode](
  65. https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
  66. that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
  67. (Node and RBAC authorizers).
  68. Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
  69. converted to RBAC mode. However, your apps which rely on Kubernetes API will
  70. require a service account and cluster role bindings. You can override this
  71. setting by setting authorization_modes to `[]`.
  72. Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
  73. private addresses, make sure to pick another values for ``kube_service_addresses``
  74. and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
  75. ## DNS variables
  76. By default, hosts are set up with 8.8.8.8 as an upstream DNS server and all
  77. other settings from your existing /etc/resolv.conf are lost. Set the following
  78. variables to match your requirements.
  79. * *upstream_dns_servers* - Array of upstream DNS servers configured on host in
  80. addition to Kubespray deployed DNS
  81. * *nameservers* - Array of DNS servers configured for use by hosts
  82. * *searchdomains* - Array of up to 4 search domains
  83. For more information, see [DNS
  84. Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.md).
  85. ## Other service variables
  86. * *docker_options* - Commonly used to set
  87. ``--insecure-registry=myregistry.mydomain:5000``
  88. * *docker_plugins* - This list can be used to define [Docker plugins](https://docs.docker.com/engine/extend/) to install.
  89. * *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
  90. proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
  91. that correspond to each node.
  92. * *kubelet_deployment_type* - Controls which platform to deploy kubelet on.
  93. Available options are ``host`` and ``docker``. ``docker`` mode
  94. is unlikely to work on newer releases. Starting with Kubernetes v1.7
  95. series, this now defaults to ``host``. Before v1.7, the default was Docker.
  96. This is because of cgroup [issues](https://github.com/kubernetes/kubernetes/issues/43704).
  97. * *kubelet_load_modules* - For some things, kubelet needs to load kernel modules. For example,
  98. dynamic kernel services are needed for mounting persistent volumes into containers. These may not be
  99. loaded by preinstall kubernetes processes. For example, ceph and rbd backed volumes. Set this variable to
  100. true to let kubelet load kernel modules.
  101. * *kubelet_cgroup_driver* - Allows manual override of the
  102. cgroup-driver option for Kubelet. By default autodetection is used
  103. to match Docker configuration.
  104. * *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates
  105. from the kube-apiserver when the certificate expiration approaches.
  106. * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
  107. For example, labels can be set in the inventory as variables or more widely in group_vars.
  108. *node_labels* can be defined either as a dict or a comma-separated labels string:
  109. ```yml
  110. node_labels:
  111. label1_name: label1_value
  112. label2_name: label2_value
  113. node_labels: "label1_name=label1_value,label2_name=label2_value"
  114. ```
  115. * *node_taints* - Taints applied to nodes via kubelet --register-with-taints parameter.
  116. For example, taints can be set in the inventory as variables or more widely in group_vars.
  117. *node_taints* has to be defined as a list of strings in format `key=value:effect`, e.g.:
  118. ```yml
  119. node_taints:
  120. - "node.example.com/external=true:NoSchedule"
  121. ```
  122. * *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces).
  123. Addons deployed in kube-system namespaces are handled.
  124. * *kubernetes_audit* - When set to `true`, enables Auditing.
  125. The auditing parameters can be tuned via the following variables (which default values are shown below):
  126. * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log
  127. * `audit_log_maxage`: 30
  128. * `audit_log_maxbackups`: 1
  129. * `audit_log_maxsize`: 100
  130. * `audit_policy_file`: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
  131. By default, the `audit_policy_file` contains [default rules](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubernetes/master/templates/apiserver-audit-policy.yaml.j2) that can be overridden with the `audit_policy_custom_rules` variable.
  132. ### Custom flags for Kube Components
  133. For all kube components, custom flags can be passed in. This allows for edge cases where users need changes to the default deployment that may not be applicable to all deployments.
  134. Extra flags for the kubelet can be specified using these variables,
  135. in the form of dicts of key-value pairs of configuration parameters that will be inserted into the kubelet YAML config file. The `kubelet_node_config_extra_args` apply kubelet settings only to nodes and not masters. Example:
  136. ```yml
  137. kubelet_config_extra_args:
  138. EvictionHard:
  139. memory.available: "<100Mi"
  140. EvictionSoftGracePeriod:
  141. memory.available: "30s"
  142. EvictionSoft:
  143. memory.available: "<300Mi"
  144. ```
  145. The possible vars are:
  146. * *kubelet_config_extra_args*
  147. * *kubelet_node_config_extra_args*
  148. Previously, the same paramaters could be passed as flags to kubelet binary with the following vars:
  149. * *kubelet_custom_flags*
  150. * *kubelet_node_custom_flags*
  151. The `kubelet_node_custom_flags` apply kubelet settings only to nodes and not masters. Example:
  152. ```yml
  153. kubelet_custom_flags:
  154. - "--eviction-hard=memory.available<100Mi"
  155. - "--eviction-soft-grace-period=memory.available=30s"
  156. - "--eviction-soft=memory.available<300Mi"
  157. ```
  158. This alternative is deprecated and will remain until the flags are completely removed from kubelet
  159. Extra flags for the API server, controller, and scheduler components can be specified using these variables,
  160. in the form of dicts of key-value pairs of configuration parameters that will be inserted into the kubeadm YAML config file:
  161. * *kube_kubeadm_apiserver_extra_args*
  162. * *kube_kubeadm_controller_extra_args*
  163. * *kube_kubeadm_scheduler_extra_args*
  164. ## App variables
  165. * *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
  166. Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
  167. ## User accounts
  168. The variable `kube_basic_auth` is false by default, but if set to true, a user with admin rights is created, named `kube`.
  169. The password can be viewed after deployment by looking at the file
  170. `{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
  171. password. If you wish to set your own password, just precreate/modify this
  172. file yourself or change `kube_api_pwd` var.