richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7851 Commits
34 Branches
82 Tags
155 MiB
Tree: ebdc599b05
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ebdc599b05'
${ noResults }
kubespray/roles/kubernetes/control-plane/defaults/main/main.yml

245 lines
8.9 KiB
Raw Normal View History

Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Fix reconfigure and upgrade cluster (#3938)
6 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Fix if bind-address is not set to 0.0.0.0 (#8262) * if bind-address is not set to 0.0.0.0 * Update docs and left comments * fix yamllist check: remove space
3 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Add service-node-port-range parameter for kube-apiserver
8 years ago
Migrate k8s data to etcd3 api store Default backend is now etcd3 (was etcd2). The migration process consists of the following steps: * check if migration is necessary * stop etcd on first etcd server * run migration script * start etcd on first etcd server * stop kube-apiserver until configuration is updated * update kube-apiserver * purge old etcdv2 data
8 years ago
add kube_apiserver_etcd_compaction_interval (#10644)
1 year ago
add support for `service-account-lookup` parameter (#8781) * feat: add variable to manage service-account-lookup on kube-apiserver * docs: add documentation about service-account-lookup variable
2 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Allow override of bind addr for controller-manager and scheduler (#3968) * allows to override the bind addresses for controller-manager and scheduler Useful for Prometheus metrics monitoring * Add bind addr override support in kubeadm/v1beta1 Adds support for override of bind addresses for controller-manager and scheduler in kubeadm/v1beta1 * Move location of bind address vars * Remove double declaration of schedulerExtraArgs
6 years ago
Add KubeSchedulerConfiguration for k8s 1.19 and up (#7351) * Add KubeSchedulerConfiguration for k8s 1.19 and up With release of version 1.19.0 of kubernetes KubeSchedulerConfiguration was graduated to beta. It allows to extend different stages of scheduling with profiles. Such effect is achieved by using plugins and extensions. This patch adds KubeSchedulerConfiguration for versions 1.19 and later. Configuration is set to k8s defaults or to kubespray vars. Moving those defaults to new vars will be done in following patch. Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com> * KubeSchedulerConfiguration: add defaults Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
3 years ago
add leader election timeouts and durations to available parameters (#6691)
4 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Rename master to control plane - non-breaking changes only (#11394) K8s is moving away from the "master" terminology, so kubespray should follow the same naming conventions. See https://github.com/kubernetes/community/blob/65d886bb3029e73d9729e1d4f27422a7985233ed/sig-architecture/naming/recommendations/001-master-control-plane.md
5 months ago
Optionally refresh kubeadm token every time (#5043) Change-Id: I278cb14aa93abf20160cc001f69e2f472504e6d8
5 years ago
Scale down coredns created by kubeadm upgrade to 0 replicas (#5308) Change-Id: I128b0f9c1acbb956d9a6c4e5510b45a36e296af7
5 years ago
Support audit
6 years ago
Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm
6 years ago
Support audit
6 years ago
fix-kube-bench-1.2.20 (#9939)
1 year ago
psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true
6 years ago
Support audit
6 years ago
Ability to define custom audit polcy rules
6 years ago
Fix install audit failed 1.fix audit log not write 2.fix Parameter not recognized 3.delete kubedm futuregates auditing and use apiServerExtraArgs
6 years ago
Ability to define custom audit polcy rules
6 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
minor variable fix and reuse + handle auditlog redirected to stdout
6 years ago
Support audit
6 years ago
add audit webhook support (#6317) * add audit webhook support * use generic name auditsink
4 years ago
add new variable allowing additionnal audit webhook server options (#6726)
4 years ago
add audit webhook support (#6317) * add audit webhook support * use generic name auditsink
4 years ago
Kubernetes Reliability Improvements - Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a chance of overcommitment - Add a possibility to modify Kubelet node-status-update-frequency - Add a posibility to configure node-monitor-grace-period, node-monitor-period, pod-eviction-timeout for Kubernetes controller manager - Add Kubernetes Relaibility Documentation with recomendations for various scenarios. Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
8 years ago
Sync manifests with kubeadm (#3383)
6 years ago
Fixed issue #7112.  Created new API Server vars that replace defunct Controller Manager one (#7114) Signed-off-by: Brendan Holmes <5072156+holmesb@users.noreply.github.com>
4 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Separate out plugins into 2 variables
6 years ago
Use k8s default plugin list
6 years ago
Separate out plugins into 2 variables
6 years ago
add support for `EventRateLimit` plugin configuration (#8711) * feat: add support for EventRateLimit admission plugin * docs: add documentation about admission_control_config_file and EventRateLimit configuration
2 years ago
Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
[podSecurityConfiguration]: fix apiVersion and change default policy versions (#10210) Signed-off-by: Ugur <ugurozturk918@gmail.com>
1 year ago
Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
[podSecurityConfiguration]: fix apiVersion and change default policy versions (#10210) Signed-off-by: Ugur <ugurozturk918@gmail.com>
1 year ago
Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
[podSecurityConfiguration]: fix apiVersion and change default policy versions (#10210) Signed-off-by: Ugur <ugurozturk918@gmail.com>
1 year ago
Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
Separate out plugins into 2 variables
6 years ago
Add new addon Istio (#1744) * add istio addon * add addons to a ci job
7 years ago
Use K8s 1.14 and add kubeadm experimental control plane mode (#4514) * Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96afe610fed03a2558ffc1beec64c114. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
5 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Security best practice fixes (#1783) * Disable basic and token auth by default * Add recommended security params * allow basic auth to fail in tests * Enable TLS authentication for kubelet
7 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Add optional setting for ca data in auth webhook (#8777) * Add optional setting for ca data in auth webhook * add webhook token auth variables to sample inventory
2 years ago
Adds support for webhook token auth. (#3939) Webhook token auth: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication Fixes #3063.
6 years ago
Allows tls verify skip on webhook auth url (#6472)
4 years ago
Allow webhook authorization (#6502)
4 years ago
Add optional setting for ca data in auth webhook (#8777) * Add optional setting for ca data in auth webhook * add webhook token auth variables to sample inventory
2 years ago
Allow webhook authorization (#6502)
4 years ago
Add optional setting for ca data in auth webhook (#8777) * Add optional setting for ca data in auth webhook * add webhook token auth variables to sample inventory
2 years ago
Allow webhook authorization (#6502)
4 years ago
New PR default node selector (#10607)
1 year ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Granular authentication Control It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
8 years ago
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Fix OpenId Connect example prefixes (#7527) Fixes "mapping values are not allowed in this context
3 years ago
Added Support for OpenID Connect Authentication To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
8 years ago
Fix OpenId Connect example prefixes (#7527) Fixes "mapping values are not allowed in this context
3 years ago
Add an ability to provide oidc cert in base64 (#4618)
5 years ago
add ability for custom flags
8 years ago
Explicitly defines the --kubelet-preferred-address-types parameter to the API server configuration. This solves the problem where if you have non-resolvable node names, and try to scale the server by adding new nodes, kubectl commands start to fail for newly added nodes, giving a TCP timeout error when trying to resolve the node hostname against a public DNS.
7 years ago
Added optional controller and scheduler extra args to kubeadm config (#2205)
7 years ago
Added apiserver extra args variable for kubeadm config (#2291)
7 years ago
Added optional controller and scheduler extra args to kubeadm config (#2205)
7 years ago
Added disable_volume_zone_conflict variable
7 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
add vars for cilium init container (#3893) * add vars for cilium init container * make yamllint happy * add var cilium_init in downloads
6 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
Fix readOnly flag in kubeadm-config.v1beta1.yaml.j2 In v1beta1 of `ClusterConfiguration` the extraVolumes `writable` field was changed to `readOnly` and its boolean value must be negated. Also, the json field for `useHyperKubeImage` was incorrectly capitalized.
6 years ago
Add options for configuring control plane component extra volumes (#3779) This takes care of a few arbitrary use cases that may require custom mounts inside of apiserver, controller manager, or scheduler.
6 years ago
Added option for encrypting secrets to etcd v.2 (#2428) * Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
7 years ago
Introducing credentials_dir in order to be able to override it
6 years ago
Integrate jetstack/cert-manager 0.2.3 to Kubespray
7 years ago
Encrypting Secret Data at Rest (#8574) * change default value for Encrypting Secret Data at Rest to secretbox, remove experimental flag and add documentation * fix MD012/no-multiple-blanks
3 years ago
Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797)
5 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
kube_override_hostname must be in kubernetes/master role defaults (#3647)
6 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
kube_override_hostname must be in kubernetes/master role defaults (#3647)
6 years ago
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
6 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
ADD tls cipher suites support (#6024) * ADD tls cipher suites support yaml lint yamllint * update test case * update test case
4 years ago
Correct the POLY1305 cipher suites by adding the suffix _SHA256 (#10641)
1 year ago
ADD tls cipher suites support (#6024) * ADD tls cipher suites support yaml lint yamllint * update test case * update test case
4 years ago
Correct the POLY1305 cipher suites by adding the suffix _SHA256 (#10641)
1 year ago
ADD tls cipher suites support (#6024) * ADD tls cipher suites support yaml lint yamllint * update test case * update test case
4 years ago
Add event-ttl duration (#6310) * Add event-ttl duration * Fix wrong location
4 years ago
Auto renew control plane certificates (#7358) While at it remove force_certificate_regeneration This boolean only forced the renewal of the apiserver certs Either manually use k8s-certs-renew.sh or set auto_renew_certificates Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
4 years ago
Add auto_renew_certificates_systemd_calendar (#7490) This allow to configure when K8S certificates renewal runs Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
3 years ago
Move control plane certs renewal "spread out" into the systemd timer (#10596) * Use RandomizedDelaySec to spread out control certificates renewal plane If the number of control plane node is superior to 6, using (index * 10 minutes) will fail (03:60:00 is not a valid timestamp). Compared to just fixing the jinja expression (to use a modulo for example), this should avoid having two control planes certificates update node being triggered at the same time. * Make k8s-certs-renew.timer Persistent If the control plane happens to be offline during the scheduled certificates renewal (node failure or anything like that), we still want the renewal to happen.
1 year ago
Add option to kubeadm upgrade command to control certificates renewal during control plane upgrade (#7976) * Add option to kubeadm upgrade command to control certificates renewal during control plane upgrade * Remove training whitespace
3 years ago
Add kubectl alias support (#10552) Signed-off-by: tu1h <lihai.tu@daocloud.io>
1 year ago
[apiserver-kubelet/tracing]: add distributed tracing config variables (#10795) * [apiserver-kubelet/tracing]: add distributed tracing config flags Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> * [apiserver-kubelet/tracing]: add distributed tracing config flags - fix Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> * [apiserver-kubelet/tracing]: add distributed tracing config flags - fix Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> --------- Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com>
1 year ago
Remove access to cluster from anonymous users (#11016) * feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
11 months ago
  1. ---
  2. # disable upgrade cluster
  3. upgrade_cluster_setup: false
  5. # By default the external API listens on all interfaces, this can be changed to
  6. # listen on a specific address/interface.
  7. # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
  8. # loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on control plane nodes on 127.0.0.1:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }} too.
  9. kube_apiserver_bind_address: 0.0.0.0
  11. # A port range to reserve for services with NodePort visibility.
  12. # Inclusive at both ends of the range.
  13. kube_apiserver_node_port_range: "30000-32767"
  15. # ETCD backend for k8s data
  16. kube_apiserver_storage_backend: etcd3
  18. # The interval of compaction requests. If 0, the compaction request from apiserver is disabled.
  19. kube_apiserver_etcd_compaction_interval: "5m0s"
  21. # CIS 1.2.26
  22. # Validate that the service account token
  23. # in the request is actually present in etcd.
  24. kube_apiserver_service_account_lookup: true
  26. kube_etcd_cacert_file: ca.pem
  27. kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
  28. kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
  30. # Associated interfaces must be reachable by the rest of the cluster, and by
  31. # CLI/web clients.
  32. kube_controller_manager_bind_address: 0.0.0.0
  34. # Leader election lease durations and timeouts for controller-manager
  35. kube_controller_manager_leader_elect_lease_duration: 15s
  36. kube_controller_manager_leader_elect_renew_deadline: 10s
  38. # discovery_timeout modifies the discovery timeout
  39. discovery_timeout: 5m0s
  41. # Instruct first control plane node to refresh kubeadm token
  42. kubeadm_refresh_token: true
  44. # Scale down coredns replicas to 0 if not using coredns dns_mode
  45. kubeadm_scale_down_coredns_enabled: true
  47. # audit support
  48. kubernetes_audit: false
  49. # path to audit log file
  50. audit_log_path: /var/log/audit/kube-apiserver-audit.log
  51. # num days
  52. audit_log_maxage: 30
  53. # the num of audit logs to retain
  54. audit_log_maxbackups: 10
  55. # the max size in MB to retain
  56. audit_log_maxsize: 100
  57. # policy file
  58. audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
  59. # custom audit policy rules (to replace the default ones)
  60. # audit_policy_custom_rules: |
  61. # - level: None
  62. # users: []
  63. # verbs: []
  64. # resources: []
  66. # audit log hostpath
  67. audit_log_name: audit-logs
  68. audit_log_hostpath: /var/log/kubernetes/audit
  69. audit_log_mountpath: "{{ audit_log_path | dirname }}"
  71. # audit policy hostpath
  72. audit_policy_name: audit-policy
  73. audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
  74. audit_policy_mountpath: "{{ audit_policy_hostpath }}"
  76. # audit webhook support
  77. kubernetes_audit_webhook: false
  79. # path to audit webhook config file
  80. audit_webhook_config_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
  81. audit_webhook_server_url: "https://audit.app"
  82. audit_webhook_server_extra_args: {}
  83. audit_webhook_mode: batch
  84. audit_webhook_batch_max_size: 100
  85. audit_webhook_batch_max_wait: 1s
  87. kube_controller_node_monitor_grace_period: 40s
  88. kube_controller_node_monitor_period: 5s
  89. kube_controller_terminated_pod_gc_threshold: 12500
  90. kube_apiserver_request_timeout: "1m0s"
  91. kube_apiserver_pod_eviction_not_ready_timeout_seconds: "300"
  92. kube_apiserver_pod_eviction_unreachable_timeout_seconds: "300"
  94. # 1.10+ admission plugins
  95. kube_apiserver_enable_admission_plugins: []
  97. # enable admission plugins configuration
  98. kube_apiserver_admission_control_config_file: false
  100. # data structure to configure EventRateLimit admission plugin
  101. # this should have the following structure:
  102. # kube_apiserver_admission_event_rate_limits:
  103. # <limit_name>:
  104. # type: <limit_type>
  105. # qps: <qps_value>
  106. # burst: <burst_value>
  107. # cache_size: <cache_size_value>
  108. kube_apiserver_admission_event_rate_limits: {}
  110. kube_pod_security_use_default: false
  111. kube_pod_security_default_enforce: baseline
  112. kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
  113. kube_pod_security_default_audit: restricted
  114. kube_pod_security_default_audit_version: "{{ kube_major_version }}"
  115. kube_pod_security_default_warn: restricted
  116. kube_pod_security_default_warn_version: "{{ kube_major_version }}"
  117. kube_pod_security_exemptions_usernames: []
  118. kube_pod_security_exemptions_runtime_class_names: []
  119. kube_pod_security_exemptions_namespaces:
  120. - kube-system
  122. # 1.10+ list of disabled admission plugins
  123. kube_apiserver_disable_admission_plugins: []
  125. # extra runtime config
  126. kube_api_runtime_config: []
  128. ## Enable/Disable Kube API Server Authentication Methods
  129. kube_token_auth: false
  130. kube_oidc_auth: false
  132. ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
  133. kube_webhook_token_auth: false
  134. kube_webhook_token_auth_url_skip_tls_verify: false
  135. # kube_webhook_token_auth_url: https://...
  136. ## base64-encoded string of the webhook's CA certificate
  137. # kube_webhook_token_auth_ca_data: "LS0t..."
  139. ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
  140. # kube_webhook_authorization_url: https://...
  141. kube_webhook_authorization: false
  142. kube_webhook_authorization_url_skip_tls_verify: false
  144. # Default podnodeselector
  145. kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
  147. ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
  148. ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
  150. # kube_oidc_url: https:// ...
  151. # kube_oidc_client_id: kubernetes
  152. ## Optional settings for OIDC
  153. # kube_oidc_username_claim: sub
  154. # kube_oidc_username_prefix: 'oidc:'
  155. # kube_oidc_groups_claim: groups
  156. # kube_oidc_groups_prefix: 'oidc:'
  157. # Copy oidc CA file to the following path if needed
  158. # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
  159. # Optionally include a base64-encoded oidc CA cert
  160. # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
  162. # List of the preferred NodeAddressTypes to use for kubelet connections.
  163. kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'
  165. ## Extra args for k8s components passing by kubeadm
  166. kube_kubeadm_apiserver_extra_args: {}
  167. kube_kubeadm_controller_extra_args: {}
  169. ## Extra control plane host volume mounts
  170. ## Example:
  171. # apiserver_extra_volumes:
  172. # - name: name
  173. # hostPath: /host/path
  174. # mountPath: /mount/path
  175. # readOnly: true
  176. apiserver_extra_volumes: {}
  177. controller_manager_extra_volumes: {}
  179. ## Encrypting Secret Data at Rest
  180. kube_encrypt_secret_data: false
  181. kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
  182. # Must be either: aescbc, secretbox or aesgcm
  183. kube_encryption_algorithm: "secretbox"
  184. # Which kubernetes resources to encrypt
  185. kube_encryption_resources: [secrets]
  187. # If non-empty, will use this string as identification instead of the actual hostname
  188. kube_override_hostname: >-
  189. {%- if cloud_provider is defined and cloud_provider in ['aws'] -%}
  190. {%- else -%}
  191. {{ inventory_hostname }}
  192. {%- endif -%}
  194. secrets_encryption_query: "resources[*].providers[0].{{ kube_encryption_algorithm }}.keys[0].secret"
  196. ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
  197. # tls_min_version: ""
  199. ## Support tls cipher suites.
  200. # tls_cipher_suites:
  201. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  202. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  203. # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  204. # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  205. # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  206. # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  207. # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  208. # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  209. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  210. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  211. # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  212. # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  213. # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  214. # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  215. # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  216. # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  217. # - TLS_RSA_WITH_AES_128_CBC_SHA
  218. # - TLS_RSA_WITH_AES_128_CBC_SHA256
  219. # - TLS_RSA_WITH_AES_128_GCM_SHA256
  220. # - TLS_RSA_WITH_AES_256_CBC_SHA
  221. # - TLS_RSA_WITH_AES_256_GCM_SHA384
  222. # - TLS_RSA_WITH_RC4_128_SHA
  224. ## Amount of time to retain events. (default 1h0m0s)
  225. event_ttl_duration: "1h0m0s"
  227. ## Automatically renew K8S control plane certificates on first Monday of each month
  228. auto_renew_certificates: false
  229. # First Monday of each month
  230. auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
  231. # kubeadm renews all the certificates during control plane upgrade.
  232. # If we have requirement like without renewing certs upgrade the cluster,
  233. # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
  234. kubeadm_upgrade_auto_cert_renewal: true
  236. # Bash alias of kubectl to interact with Kubernetes cluster much easier
  237. # kubectl_alias: k
  239. ## Enable distributed tracing for kube-apiserver
  240. kube_apiserver_tracing: false
  241. kube_apiserver_tracing_endpoint: 0.0.0.0:4317
  242. kube_apiserver_tracing_sampling_rate_per_million: 100
  244. # Enable kubeadm file discovery if anonymous access has been removed
  245. kubeadm_use_file_discovery: "{{ remove_anonymous_access }}"