richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
33 Branches
82 Tags
153 MiB
Tree: ae3a1d7c01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae3a1d7c01'
${ noResults }
kubespray/roles/kubernetes/control-plane/defaults/main/main.yml

195 lines
6.8 KiB
Raw Normal View History

Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Fix reconfigure and upgrade cluster (#3938)
6 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Fix idempotency/recurrence of download and preinstall * Don't push containers if not changed * Do preinstall role only once and redistribute defaults to corresponding roles Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Add service-node-port-range parameter for kube-apiserver
8 years ago
Migrate k8s data to etcd3 api store Default backend is now etcd3 (was etcd2). The migration process consists of the following steps: * check if migration is necessary * stop etcd on first etcd server * run migration script * start etcd on first etcd server * stop kube-apiserver until configuration is updated * update kube-apiserver * purge old etcdv2 data
8 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Allow override of bind addr for controller-manager and scheduler (#3968) * allows to override the bind addresses for controller-manager and scheduler Useful for Prometheus metrics monitoring * Add bind addr override support in kubeadm/v1beta1 Adds support for override of bind addresses for controller-manager and scheduler in kubeadm/v1beta1 * Move location of bind address vars * Remove double declaration of schedulerExtraArgs
6 years ago
Add KubeSchedulerConfiguration for k8s 1.19 and up (#7351) * Add KubeSchedulerConfiguration for k8s 1.19 and up With release of version 1.19.0 of kubernetes KubeSchedulerConfiguration was graduated to beta. It allows to extend different stages of scheduling with profiles. Such effect is achieved by using plugins and extensions. This patch adds KubeSchedulerConfiguration for versions 1.19 and later. Configuration is set to k8s defaults or to kubespray vars. Moving those defaults to new vars will be done in following patch. Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com> * KubeSchedulerConfiguration: add defaults Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
3 years ago
add leader election timeouts and durations to available parameters (#6691)
4 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Optionally refresh kubeadm token every time (#5043) Change-Id: I278cb14aa93abf20160cc001f69e2f472504e6d8
5 years ago
Scale down coredns created by kubeadm upgrade to 0 replicas (#5308) Change-Id: I128b0f9c1acbb956d9a6c4e5510b45a36e296af7
5 years ago
Support audit
6 years ago
Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm
6 years ago
Support audit
6 years ago
psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true
6 years ago
Support audit
6 years ago
Ability to define custom audit polcy rules
6 years ago
Fix install audit failed 1.fix audit log not write 2.fix Parameter not recognized 3.delete kubedm futuregates auditing and use apiServerExtraArgs
6 years ago
Ability to define custom audit polcy rules
6 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
add audit webhook support (#6317) * add audit webhook support * use generic name auditsink
4 years ago
add new variable allowing additionnal audit webhook server options (#6726)
4 years ago
add audit webhook support (#6317) * add audit webhook support * use generic name auditsink
4 years ago
Kubernetes Reliability Improvements - Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a chance of overcommitment - Add a possibility to modify Kubelet node-status-update-frequency - Add a posibility to configure node-monitor-grace-period, node-monitor-period, pod-eviction-timeout for Kubernetes controller manager - Add Kubernetes Relaibility Documentation with recomendations for various scenarios. Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
8 years ago
Sync manifests with kubeadm (#3383)
6 years ago
Fixed issue #7112.  Created new API Server vars that replace defunct Controller Manager one (#7114) Signed-off-by: Brendan Holmes <5072156+holmesb@users.noreply.github.com>
4 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Separate out plugins into 2 variables
6 years ago
Use k8s default plugin list
6 years ago
Separate out plugins into 2 variables
6 years ago
Add new addon Istio (#1744) * add istio addon * add addons to a ci job
7 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Security best practice fixes (#1783) * Disable basic and token auth by default * Add recommended security params * allow basic auth to fail in tests * Enable TLS authentication for kubelet
7 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Adds support for webhook token auth. (#3939) Webhook token auth: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication Fixes #3063.
6 years ago
Allows tls verify skip on webhook auth url (#6472)
4 years ago
Allow webhook authorization (#6502)
4 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Fix OpenId Connect example prefixes (#7527) Fixes "mapping values are not allowed in this context
3 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Fix OpenId Connect example prefixes (#7527) Fixes "mapping values are not allowed in this context
3 years ago
Add an ability to provide oidc cert in base64 (#4618)
5 years ago
add ability for custom flags
7 years ago
Explicitly defines the --kubelet-preferred-address-types parameter to the API server configuration. This solves the problem where if you have non-resolvable node names, and try to scale the server by adding new nodes, kubectl commands start to fail for newly added nodes, giving a TCP timeout error when trying to resolve the node hostname against a public DNS.
7 years ago
Added optional controller and scheduler extra args to kubeadm config (#2205)
7 years ago
Added apiserver extra args variable for kubeadm config (#2291)
7 years ago
Added optional controller and scheduler extra args to kubeadm config (#2205)
7 years ago
Added disable_volume_zone_conflict variable
7 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
add vars for cilium init container (#3893) * add vars for cilium init container * make yamllint happy * add var cilium_init in downloads
6 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
Fix readOnly flag in kubeadm-config.v1beta1.yaml.j2 In v1beta1 of `ClusterConfiguration` the extraVolumes `writable` field was changed to `readOnly` and its boolean value must be negated. Also, the json field for `useHyperKubeImage` was incorrectly capitalized.
6 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
Added option for encrypting secrets to etcd v.2 (#2428) * Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
7 years ago
Introducing credentials_dir in order to be able to override it
6 years ago
Integrate jetstack/cert-manager 0.2.3 to Kubespray
7 years ago
Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797)
5 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
kube_override_hostname must be in kubernetes/master role defaults (#3647)
6 years ago
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
6 years ago
ADD tls cipher suites support (#6024) * ADD tls cipher suites support yaml lint yamllint * update test case * update test case
4 years ago
Add event-ttl duration (#6310) * Add event-ttl duration * Fix wrong location
4 years ago
Auto renew control plane certificates (#7358) While at it remove force_certificate_regeneration This boolean only forced the renewal of the apiserver certs Either manually use k8s-certs-renew.sh or set auto_renew_certificates Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
3 years ago
Add auto_renew_certificates_systemd_calendar (#7490) This allow to configure when K8S certificates renewal runs Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
3 years ago
  1. ---
  2. # disable upgrade cluster
  3. upgrade_cluster_setup: false
  5. # Experimental kubeadm etcd deployment mode. Available only for new deployment
  6. etcd_kubeadm_enabled: false
  8. # change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
  9. kube_apiserver_insecure_bind_address: 127.0.0.1
  11. # By default the external API listens on all interfaces, this can be changed to
  12. # listen on a specific address/interface.
  13. kube_apiserver_bind_address: 0.0.0.0
  15. # A port range to reserve for services with NodePort visibility.
  16. # Inclusive at both ends of the range.
  17. kube_apiserver_node_port_range: "30000-32767"
  19. # ETCD backend for k8s data
  20. kube_apiserver_storage_backend: etcd3
  22. kube_etcd_cacert_file: ca.pem
  23. kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
  24. kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
  26. # Associated interfaces must be reachable by the rest of the cluster, and by
  27. # CLI/web clients.
  28. kube_controller_manager_bind_address: 0.0.0.0
  30. # Leader election lease durations and timeouts for controller-manager
  31. kube_controller_manager_leader_elect_lease_duration: 15s
  32. kube_controller_manager_leader_elect_renew_deadline: 10s
  34. # discovery_timeout modifies the discovery timeout
  35. discovery_timeout: 5m0s
  37. # Instruct first master to refresh kubeadm token
  38. kubeadm_refresh_token: true
  40. # Scale down coredns replicas to 0 if not using coredns dns_mode
  41. kubeadm_scale_down_coredns_enabled: true
  43. # audit support
  44. kubernetes_audit: false
  45. # path to audit log file
  46. audit_log_path: /var/log/audit/kube-apiserver-audit.log
  47. # num days
  48. audit_log_maxage: 30
  49. # the num of audit logs to retain
  50. audit_log_maxbackups: 1
  51. # the max size in MB to retain
  52. audit_log_maxsize: 100
  53. # policy file
  54. audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
  55. # custom audit policy rules (to replace the default ones)
  56. # audit_policy_custom_rules: |
  57. # - level: None
  58. # users: []
  59. # verbs: []
  60. # resources: []
  62. # audit log hostpath
  63. audit_log_name: audit-logs
  64. audit_log_hostpath: /var/log/kubernetes/audit
  65. audit_log_mountpath: "{{ audit_log_path | dirname }}"
  67. # audit policy hostpath
  68. audit_policy_name: audit-policy
  69. audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
  70. audit_policy_mountpath: "{{ audit_policy_hostpath }}"
  72. # audit webhook support
  73. kubernetes_audit_webhook: false
  75. # path to audit webhook config file
  76. audit_webhook_config_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
  77. audit_webhook_server_url: "https://audit.app"
  78. audit_webhook_server_extra_args: {}
  79. audit_webhook_mode: batch
  80. audit_webhook_batch_max_size: 100
  81. audit_webhook_batch_max_wait: 1s
  83. kube_controller_node_monitor_grace_period: 40s
  84. kube_controller_node_monitor_period: 5s
  85. kube_controller_terminated_pod_gc_threshold: 12500
  86. kube_apiserver_request_timeout: "1m0s"
  87. kube_apiserver_pod_eviction_not_ready_timeout_seconds: "300"
  88. kube_apiserver_pod_eviction_unreachable_timeout_seconds: "300"
  90. # 1.10+ admission plugins
  91. kube_apiserver_enable_admission_plugins: []
  93. # 1.10+ list of disabled admission plugins
  94. kube_apiserver_disable_admission_plugins: []
  96. # extra runtime config
  97. kube_api_runtime_config: []
  99. ## Enable/Disable Kube API Server Authentication Methods
  100. kube_token_auth: false
  101. kube_oidc_auth: false
  102. kube_webhook_token_auth: false
  103. kube_webhook_token_auth_url_skip_tls_verify: false
  104. ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
  105. # kube_webhook_token_auth_url: https://...
  106. kube_webhook_authorization: false
  107. ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
  108. # kube_webhook_authorization_url: https://...
  109. kube_webhook_authorization_url_skip_tls_verify: false
  112. ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
  113. ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
  115. # kube_oidc_url: https:// ...
  116. # kube_oidc_client_id: kubernetes
  117. ## Optional settings for OIDC
  118. # kube_oidc_username_claim: sub
  119. # kube_oidc_username_prefix: 'oidc:'
  120. # kube_oidc_groups_claim: groups
  121. # kube_oidc_groups_prefix: 'oidc:'
  122. # Copy oidc CA file to the following path if needed
  123. # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
  124. # Optionally include a base64-encoded oidc CA cert
  125. # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
  127. # List of the preferred NodeAddressTypes to use for kubelet connections.
  128. kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'
  130. ## Extra args for k8s components passing by kubeadm
  131. kube_kubeadm_apiserver_extra_args: {}
  132. kube_kubeadm_controller_extra_args: {}
  134. ## Extra control plane host volume mounts
  135. ## Example:
  136. # apiserver_extra_volumes:
  137. # - name: name
  138. # hostPath: /host/path
  139. # mountPath: /mount/path
  140. # readOnly: true
  141. apiserver_extra_volumes: {}
  142. controller_manager_extra_volumes: {}
  144. ## Encrypting Secret Data at Rest
  145. kube_encrypt_secret_data: false
  146. kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
  147. # Must be either: aescbc, secretbox or aesgcm
  148. kube_encryption_algorithm: "aescbc"
  149. # Which kubernetes resources to encrypt
  150. kube_encryption_resources: [secrets]
  152. # If non-empty, will use this string as identification instead of the actual hostname
  153. kube_override_hostname: >-
  154. {%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%}
  155. {%- else -%}
  156. {{ inventory_hostname }}
  157. {%- endif -%}
  159. secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
  161. ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
  162. # tls_min_version: ""
  164. ## Support tls cipher suites.
  165. # tls_cipher_suites:
  166. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  167. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  168. # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  169. # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  170. # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  171. # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  172. # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  173. # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  174. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  175. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  176. # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  177. # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  178. # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  179. # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  180. # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  181. # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  182. # - TLS_RSA_WITH_AES_128_CBC_SHA
  183. # - TLS_RSA_WITH_AES_128_CBC_SHA256
  184. # - TLS_RSA_WITH_AES_128_GCM_SHA256
  185. # - TLS_RSA_WITH_AES_256_CBC_SHA
  186. # - TLS_RSA_WITH_AES_256_GCM_SHA384
  187. # - TLS_RSA_WITH_RC4_128_SHA
  189. ## Amount of time to retain events. (default 1h0m0s)
  190. event_ttl_duration: "1h0m0s"
  192. ## Automatically renew K8S control plane certificates on first Monday of each month
  193. auto_renew_certificates: false
  194. # First Monday of each month
  195. auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00"