
  1. ---
  2. # Instance settings
  3. cloud_image: ubuntu-2004
  4. mode: aio
  5. # Kubespray settings
  6. auto_renew_certificates: true
  7. # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
  8. kube_proxy_mode: iptables
  9. enable_nodelocaldns: False
  10. # The followings are for hardening
  11. ## kube-apiserver
  12. authorization_modes: ['Node', 'RBAC']
  13. # AppArmor-based OS
  14. kube_apiserver_feature_gates: ['AppArmor=true']
  15. kube_apiserver_request_timeout: 120s
  16. kube_apiserver_service_account_lookup: true
  17. # enable kubernetes audit
  18. kubernetes_audit: true
  19. audit_log_path: "/var/log/kube-apiserver-log.json"
  20. audit_log_maxage: 30
  21. audit_log_maxbackups: 10
  22. audit_log_maxsize: 100
  23. tls_min_version: VersionTLS12
  24. tls_cipher_suites:
  25. - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  26. - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  27. - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  28. # enable encryption at rest
  29. kube_encrypt_secret_data: true
  30. kube_encryption_resources: [secrets]
  31. kube_encryption_algorithm: "secretbox"
  32. kube_apiserver_enable_admission_plugins:
  33. - EventRateLimit
  34. - AlwaysPullImages
  35. - ServiceAccount
  36. - NamespaceLifecycle
  37. - NodeRestriction
  38. - LimitRanger
  39. - ResourceQuota
  40. - MutatingAdmissionWebhook
  41. - ValidatingAdmissionWebhook
  42. - PodNodeSelector
  43. - PodSecurity
  44. kube_apiserver_admission_control_config_file: true
  45. # EventRateLimit plugin configuration
  46. kube_apiserver_admission_event_rate_limits:
  47. limit_1:
  48. type: Namespace
  49. qps: 50
  50. burst: 100
  51. cache_size: 2000
  52. limit_2:
  53. type: User
  54. qps: 50
  55. burst: 100
  56. kube_profiling: false
  57. ## kube-controller-manager
  58. kube_controller_manager_bind_address: 127.0.0.1
  59. kube_controller_terminated_pod_gc_threshold: 50
  60. # AppArmor-based OS
  61. kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
  62. ## kube-scheduler
  63. kube_scheduler_bind_address: 127.0.0.1
  64. kube_kubeadm_scheduler_extra_args:
  65. profiling: false
  66. # AppArmor-based OS
  67. kube_scheduler_feature_gates: ["AppArmor=true"]
  68. ## etcd
  69. etcd_deployment_type: kubeadm
  70. ## kubelet
  71. kubelet_authentication_token_webhook: true
  72. kube_read_only_port: 0
  73. kubelet_rotate_server_certificates: true
  74. kubelet_protect_kernel_defaults: true
  75. kubelet_event_record_qps: 1
  76. kubelet_rotate_certificates: true
  77. kubelet_streaming_connection_idle_timeout: "5m"
  78. kubelet_make_iptables_util_chains: true
  79. kubelet_feature_gates: ["RotateKubeletServerCertificate=true", "SeccompDefault=true"]
  80. kubelet_seccomp_default: true
  81. kubelet_systemd_hardening: true
  82. # In case you have multiple interfaces in your
  83. # control plane nodes and you want to specify the right
  84. # IP addresses, kubelet_secure_addresses allows you
  85. # to specify the IP from which the kubelet
  86. # will receive the packets.
  87. # kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"
  88. # additional configurations
  89. kube_owner: root
  90. kube_cert_group: root
  91. # create a default Pod Security Configuration and deny running of insecure pods
  92. # kube-system namespace is exempted by default
  93. kube_pod_security_use_default: true
  94. kube_pod_security_default_enforce: restricted