You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

279 lines
14 KiB

6 years ago
  1. # Configurable Parameters in Kubespray
  2. ## Generic Ansible variables
  3. You can view facts gathered by Ansible automatically
  4. [here](https://docs.ansible.com/ansible/latest/user_guide/playbooks_vars_facts.html#ansible-facts).
  5. Some variables of note include:
  6. * *ansible_user*: user to connect to via SSH
  7. * *ansible_default_ipv4.address*: IP address Ansible automatically chooses.
  8. Generated based on the output from the command ``ip -4 route get 8.8.8.8``
  9. ## Common vars that are used in Kubespray
  10. * *calico_version* - Specify version of Calico to use
  11. * *calico_cni_version* - Specify version of Calico CNI plugin to use
  12. * *docker_version* - Specify version of Docker to used (should be quoted
  13. string). Must match one of the keys defined for *docker_versioned_pkg*
  14. in `roles/container-engine/docker/vars/*.yml`.
  15. * *containerd_version* - Specify version of containerd to use when setting `container_manager` to `containerd`
  16. * *docker_containerd_version* - Specify which version of containerd to use when setting `container_manager` to `docker`
  17. * *etcd_version* - Specify version of ETCD to use
  18. * *calico_ipip_mode* - Configures Calico ipip encapsulation - valid values are 'Never', 'Always' and 'CrossSubnet' (default 'Never')
  19. * *calico_vxlan_mode* - Configures Calico vxlan encapsulation - valid values are 'Never', 'Always' and 'CrossSubnet' (default 'Always')
  20. * *calico_network_backend* - Configures Calico network backend - valid values are 'none', 'bird' and 'vxlan' (default 'vxlan')
  21. * *kube_network_plugin* - Sets k8s network plugin (default Calico)
  22. * *kube_proxy_mode* - Changes k8s proxy mode to iptables mode
  23. * *kube_version* - Specify a given Kubernetes version
  24. * *searchdomains* - Array of DNS domains to search when looking up hostnames
  25. * *nameservers* - Array of nameservers to use for DNS lookup
  26. * *preinstall_selinux_state* - Set selinux state, permitted values are permissive, enforcing and disabled.
  27. ## Addressing variables
  28. * *ip* - IP to use for binding services (host var)
  29. * *access_ip* - IP for other hosts to use to connect to. Often required when
  30. deploying from a cloud, such as OpenStack or GCE and you have separate
  31. public/floating and private IPs.
  32. * *ansible_default_ipv4.address* - Not Kubespray-specific, but it is used if ip
  33. and access_ip are undefined
  34. * *ip6* - IPv6 address to use for binding services. (host var)
  35. If *enable_dual_stack_networks* is set to ``true`` and *ip6* is defined,
  36. kubelet's ``--node-ip`` and node's ``InternalIP`` will be the combination of *ip* and *ip6*.
  37. * *loadbalancer_apiserver* - If defined, all hosts will connect to this
  38. address instead of localhost for kube_control_planes and kube_control_plane[0] for
  39. kube_nodes. See more details in the
  40. [HA guide](/docs/ha-mode.md).
  41. * *loadbalancer_apiserver_localhost* - makes all hosts to connect to
  42. the apiserver internally load balanced endpoint. Mutual exclusive to the
  43. `loadbalancer_apiserver`. See more details in the
  44. [HA guide](/docs/ha-mode.md).
  45. ## Cluster variables
  46. Kubernetes needs some parameters in order to get deployed. These are the
  47. following default cluster parameters:
  48. * *cluster_name* - Name of cluster (default is cluster.local)
  49. * *container_manager* - Container Runtime to install in the nodes (default is containerd)
  50. * *image_command_tool* - Tool used to pull images (default depends on `container_manager`
  51. and is `nerdctl` for `containerd`, `crictl` for `crio`, `docker` for `docker`)
  52. * *image_command_tool_on_localhost* - Tool used to pull images on localhost
  53. (default is equal to `image_command_tool`)
  54. * *dns_domain* - Name of cluster DNS domain (default is cluster.local)
  55. * *kube_network_plugin* - Plugin to use for container networking
  56. * *kube_service_addresses* - Subnet for cluster IPs (default is
  57. 10.233.0.0/18). Must not overlap with kube_pods_subnet
  58. * *kube_pods_subnet* - Subnet for Pod IPs (default is 10.233.64.0/18). Must not
  59. overlap with kube_service_addresses.
  60. * *kube_network_node_prefix* - Subnet allocated per-node for pod IPs. Remaining
  61. bits in kube_pods_subnet dictates how many kube_nodes can be in cluster. Setting this > 25 will
  62. raise an assertion in playbooks if the `kubelet_max_pods` var also isn't adjusted accordingly
  63. (assertion not applicable to calico which doesn't use this as a hard limit, see
  64. [Calico IP block sizes](https://docs.projectcalico.org/reference/resources/ippool#block-sizes).
  65. * *enable_dual_stack_networks* - Setting this to true will provision both IPv4 and IPv6 networking for pods and services.
  66. * *kube_service_addresses_ipv6* - Subnet for cluster IPv6 IPs (default is ``fd85:ee78:d8a6:8607::1000/116``). Must not overlap with ``kube_pods_subnet_ipv6``.
  67. * *kube_pods_subnet_ipv6* - Subnet for Pod IPv6 IPs (default is ``fd85:ee78:d8a6:8607::1:0000/112``). Must not overlap with ``kube_service_addresses_ipv6``.
  68. * *kube_network_node_prefix_ipv6* - Subnet allocated per-node for pod IPv6 IPs. Remaining bits in ``kube_pods_subnet_ipv6`` dictates how many kube_nodes can be in cluster.
  69. * *skydns_server* - Cluster IP for DNS (default is 10.233.0.3)
  70. * *skydns_server_secondary* - Secondary Cluster IP for CoreDNS used with coredns_dual deployment (default is 10.233.0.4)
  71. * *enable_coredns_k8s_external* - If enabled, it configures the [k8s_external plugin](https://coredns.io/plugins/k8s_external/)
  72. on the CoreDNS service.
  73. * *coredns_k8s_external_zone* - Zone that will be used when CoreDNS k8s_external plugin is enabled
  74. (default is k8s_external.local)
  75. * *enable_coredns_k8s_endpoint_pod_names* - If enabled, it configures endpoint_pod_names option for kubernetes plugin.
  76. on the CoreDNS service.
  77. * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
  78. OpenStack (default is unset)
  79. * *kube_feature_gates* - A list of key=value pairs that describe feature gates for
  80. alpha/experimental Kubernetes features. (defaults is `[]`).
  81. Additionally, you can use also the following variables to individually customize your kubernetes components installation (they works exactly like `kube_feature_gates`):
  82. * *kube_apiserver_feature_gates*
  83. * *kube_controller_feature_gates*
  84. * *kube_scheduler_feature_gates*
  85. * *kube_proxy_feature_gates*
  86. * *kubelet_feature_gates*
  87. * *kubeadm_feature_gates* - A list of key=value pairs that describe feature gates for
  88. alpha/experimental Kubeadm features. (defaults is `[]`)
  89. * *authorization_modes* - A list of [authorization mode](
  90. https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
  91. that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
  92. (Node and RBAC authorizers).
  93. Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
  94. converted to RBAC mode. However, your apps which rely on Kubernetes API will
  95. require a service account and cluster role bindings. You can override this
  96. setting by setting authorization_modes to `[]`.
  97. * *kube_apiserver_admission_control_config_file* - Enable configuration for `kube-apiserver` admission plugins.
  98. Currently this variable allow you to configure the `EventRateLimit` admission plugin.
  99. To configure the **EventRateLimit** plugin you have to define a data structure like this:
  100. ```yml
  101. kube_apiserver_admission_event_rate_limits:
  102. limit_1:
  103. type: Namespace
  104. qps: 50
  105. burst: 100
  106. cache_size: 2000
  107. limit_2:
  108. type: User
  109. qps: 50
  110. burst: 100
  111. ...
  112. ```
  113. Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
  114. private addresses, make sure to pick another values for ``kube_service_addresses``
  115. and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
  116. ## Enabling Dual Stack (IPV4 + IPV6) networking
  117. If *enable_dual_stack_networks* is set to ``true``, Dual Stack networking will be enabled in the cluster. This will use the default IPv4 and IPv6 subnets specified in the defaults file in the ``kubespray-defaults`` role, unless overridden of course. The default config will give you room for up to 256 nodes with 126 pods per node, and up to 4096 services.
  118. ## DNS variables
  119. By default, hosts are set up with 8.8.8.8 as an upstream DNS server and all
  120. other settings from your existing /etc/resolv.conf are lost. Set the following
  121. variables to match your requirements.
  122. * *upstream_dns_servers* - Array of upstream DNS servers configured on host in
  123. addition to Kubespray deployed DNS
  124. * *nameservers* - Array of DNS servers configured for use by hosts
  125. * *searchdomains* - Array of up to 4 search domains
  126. * *dns_etchosts* - Content of hosts file for coredns and nodelocaldns
  127. For more information, see [DNS
  128. Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.md).
  129. ## Other service variables
  130. * *docker_options* - Commonly used to set
  131. ``--insecure-registry=myregistry.mydomain:5000``
  132. * *docker_plugins* - This list can be used to define [Docker plugins](https://docs.docker.com/engine/extend/) to install.
  133. * *containerd_default_runtime* - Sets the default Containerd runtime used by the Kubernetes CRI plugin.
  134. * *containerd_additional_runtimes* - Sets the additional Containerd runtimes used by the Kubernetes CRI plugin.
  135. [Default config](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/container-engine/containerd/defaults/main.yml) can be overriden in inventory vars.
  136. * *http_proxy/https_proxy/no_proxy/no_proxy_exclude_workers/additional_no_proxy* - Proxy variables for deploying behind a
  137. proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
  138. that correspond to each node.
  139. * *kubelet_cgroup_driver* - Allows manual override of the cgroup-driver option for Kubelet.
  140. By default autodetection is used to match container manager configuration.
  141. `systemd` is the preferred driver for `containerd` though it can have issues with `cgroups v1` and `kata-containers` in which case you may want to change to `cgroupfs`.
  142. * *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates
  143. from the kube-apiserver when the certificate expiration approaches.
  144. * *kubelet_rotate_server_certificates* - Auto rotate the kubelet server certificates by requesting new certificates
  145. from the kube-apiserver when the certificate expiration approaches.
  146. **Note** that server certificates are **not** approved automatically. Approve them manually
  147. (`kubectl get csr`, `kubectl certificate approve`) or implement custom approving controller like
  148. [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp).
  149. * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
  150. For example, labels can be set in the inventory as variables or more widely in group_vars.
  151. *node_labels* can only be defined as a dict:
  152. ```yml
  153. node_labels:
  154. label1_name: label1_value
  155. label2_name: label2_value
  156. ```
  157. * *node_taints* - Taints applied to nodes via kubelet --register-with-taints parameter.
  158. For example, taints can be set in the inventory as variables or more widely in group_vars.
  159. *node_taints* has to be defined as a list of strings in format `key=value:effect`, e.g.:
  160. ```yml
  161. node_taints:
  162. - "node.example.com/external=true:NoSchedule"
  163. ```
  164. * *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces).
  165. Addons deployed in kube-system namespaces are handled.
  166. * *kubernetes_audit* - When set to `true`, enables Auditing.
  167. The auditing parameters can be tuned via the following variables (which default values are shown below):
  168. * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log
  169. * `audit_log_maxage`: 30
  170. * `audit_log_maxbackups`: 1
  171. * `audit_log_maxsize`: 100
  172. * `audit_policy_file`: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
  173. By default, the `audit_policy_file` contains [default rules](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubernetes/control-plane/templates/apiserver-audit-policy.yaml.j2) that can be overridden with the `audit_policy_custom_rules` variable.
  174. * *kubernetes_audit_webhook* - When set to `true`, enables the webhook audit backend.
  175. The webhook parameters can be tuned via the following variables (which default values are shown below):
  176. * `audit_webhook_config_file`: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
  177. * `audit_webhook_server_url`: `"https://audit.app"`
  178. * `audit_webhook_server_extra_args`: {}
  179. * `audit_webhook_mode`: batch
  180. * `audit_webhook_batch_max_size`: 100
  181. * `audit_webhook_batch_max_wait`: 1s
  182. ### Custom flags for Kube Components
  183. For all kube components, custom flags can be passed in. This allows for edge cases where users need changes to the default deployment that may not be applicable to all deployments.
  184. Extra flags for the kubelet can be specified using these variables,
  185. in the form of dicts of key-value pairs of configuration parameters that will be inserted into the kubelet YAML config file. The `kubelet_node_config_extra_args` apply kubelet settings only to nodes and not control planes. Example:
  186. ```yml
  187. kubelet_config_extra_args:
  188. evictionHard:
  189. memory.available: "100Mi"
  190. evictionSoftGracePeriod:
  191. memory.available: "30s"
  192. evictionSoft:
  193. memory.available: "300Mi"
  194. ```
  195. The possible vars are:
  196. * *kubelet_config_extra_args*
  197. * *kubelet_node_config_extra_args*
  198. Previously, the same parameters could be passed as flags to kubelet binary with the following vars:
  199. * *kubelet_custom_flags*
  200. * *kubelet_node_custom_flags*
  201. The `kubelet_node_custom_flags` apply kubelet settings only to nodes and not control planes. Example:
  202. ```yml
  203. kubelet_custom_flags:
  204. - "--eviction-hard=memory.available<100Mi"
  205. - "--eviction-soft-grace-period=memory.available=30s"
  206. - "--eviction-soft=memory.available<300Mi"
  207. ```
  208. This alternative is deprecated and will remain until the flags are completely removed from kubelet
  209. Extra flags for the API server, controller, and scheduler components can be specified using these variables,
  210. in the form of dicts of key-value pairs of configuration parameters that will be inserted into the kubeadm YAML config file:
  211. * *kube_kubeadm_apiserver_extra_args*
  212. * *kube_kubeadm_controller_extra_args*
  213. * *kube_kubeadm_scheduler_extra_args*
  214. ## App variables
  215. * *helm_version* - Only supports v3.x. Existing v2 installs (with Tiller) will not be modified and need to be removed manually.