Browse Source
Merge pull request #2019 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port (the sequel)
pull/2191/head
Brad Beam
6 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with
44 additions and
8 deletions
-
inventory/group_vars/k8s-cluster.yml
-
roles/kubernetes-apps/ansible/tasks/main.yml
-
roles/kubernetes-apps/cluster_roles/tasks/main.yml
-
roles/kubernetes/master/handlers/main.yml
-
roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
-
roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
-
roles/kubernetes/preinstall/tasks/verify-settings.yml
-
roles/kubespray-defaults/defaults/main.yaml
|
|
|
@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens" |
|
|
|
# This is where to save basic auth file |
|
|
|
kube_users_dir: "{{ kube_config_dir }}/users" |
|
|
|
|
|
|
|
kube_api_anonymous_auth: false |
|
|
|
kube_api_anonymous_auth: true |
|
|
|
|
|
|
|
## Change this to use another Kubernetes version, e.g. a current beta release |
|
|
|
kube_version: v1.9.0 |
|
|
|
@ -106,6 +106,8 @@ kube_network_node_prefix: 24 |
|
|
|
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" |
|
|
|
kube_apiserver_port: 6443 # (https) |
|
|
|
kube_apiserver_insecure_port: 8080 # (http) |
|
|
|
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true |
|
|
|
#kube_apiserver_insecure_port: 0 # (disabled) |
|
|
|
|
|
|
|
# DNS configuration. |
|
|
|
# Kubernetes cluster name, also will be used as DNS domain |
|
|
|
|
|
|
|
@ -1,7 +1,10 @@ |
|
|
|
--- |
|
|
|
- name: Kubernetes Apps | Wait for kube-apiserver |
|
|
|
uri: |
|
|
|
url: "{{ kube_apiserver_insecure_endpoint }}/healthz" |
|
|
|
url: "{{ kube_apiserver_endpoint }}/healthz" |
|
|
|
validate_certs: no |
|
|
|
client_cert: "{{ kube_apiserver_client_cert }}" |
|
|
|
client_key: "{{ kube_apiserver_client_key }}" |
|
|
|
register: result |
|
|
|
until: result.status == 200 |
|
|
|
retries: 10 |
|
|
|
|
|
|
|
@ -1,7 +1,10 @@ |
|
|
|
--- |
|
|
|
- name: Kubernetes Apps | Wait for kube-apiserver |
|
|
|
uri: |
|
|
|
url: "{{ kube_apiserver_insecure_endpoint }}/healthz" |
|
|
|
url: "{{ kube_apiserver_endpoint }}/healthz" |
|
|
|
validate_certs: no |
|
|
|
client_cert: "{{ kube_apiserver_client_cert }}" |
|
|
|
client_key: "{{ kube_apiserver_client_key }}" |
|
|
|
register: result |
|
|
|
until: result.status == 200 |
|
|
|
retries: 10 |
|
|
|
|
|
|
|
@ -78,7 +78,10 @@ |
|
|
|
|
|
|
|
- name: Master | wait for the apiserver to be running |
|
|
|
uri: |
|
|
|
url: "{{ kube_apiserver_insecure_endpoint }}/healthz" |
|
|
|
url: "{{ kube_apiserver_endpoint }}/healthz" |
|
|
|
validate_certs: no |
|
|
|
client_cert: "{{ kube_apiserver_client_cert }}" |
|
|
|
client_key: "{{ kube_apiserver_client_key }}" |
|
|
|
register: result |
|
|
|
until: result.status == 200 |
|
|
|
retries: 20 |
|
|
|
|
|
|
|
@ -6,7 +6,7 @@ |
|
|
|
remote_src: yes |
|
|
|
with_items: |
|
|
|
- {src: apiserver.pem, dest: apiserver.crt} |
|
|
|
- {src: apiserver.pem, dest: apiserver.key} |
|
|
|
- {src: apiserver-key.pem, dest: apiserver.key} |
|
|
|
- {src: ca.pem, dest: ca.crt} |
|
|
|
- {src: ca-key.pem, dest: ca.key} |
|
|
|
register: kubeadm_copy_old_certs |
|
|
|
@ -111,9 +111,17 @@ spec: |
|
|
|
httpGet: |
|
|
|
host: 127.0.0.1 |
|
|
|
path: /healthz |
|
|
|
{% if kube_apiserver_insecure_port == 0 %} |
|
|
|
port: {{ kube_apiserver_port }} |
|
|
|
scheme: HTTPS |
|
|
|
{% else %} |
|
|
|
port: {{ kube_apiserver_insecure_port }} |
|
|
|
initialDelaySeconds: 30 |
|
|
|
timeoutSeconds: 10 |
|
|
|
{% endif %} |
|
|
|
failureThreshold: 8 |
|
|
|
initialDelaySeconds: 15 |
|
|
|
periodSeconds: 10 |
|
|
|
successThreshold: 1 |
|
|
|
timeoutSeconds: 15 |
|
|
|
volumeMounts: |
|
|
|
- mountPath: {{ kube_config_dir }} |
|
|
|
name: kubernetes-config |
|
|
|
|
|
|
|
@ -78,9 +78,14 @@ |
|
|
|
when: kubelet_fail_swap_on|default(true) |
|
|
|
ignore_errors: "{{ ignore_assert_errors }}" |
|
|
|
|
|
|
|
|
|
|
|
- name: Stop if RBAC is not enabled when dashboard is enabled |
|
|
|
assert: |
|
|
|
that: rbac_enabled |
|
|
|
when: dashboard_enabled |
|
|
|
ignore_errors: "{{ ignore_assert_errors }}" |
|
|
|
|
|
|
|
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled |
|
|
|
assert: |
|
|
|
that: rbac_enabled and kube_api_anonymous_auth |
|
|
|
when: kube_apiserver_insecure_port == 0 |
|
|
|
ignore_errors: "{{ ignore_assert_errors }}" |
|
|
|
@ -229,6 +229,18 @@ kube_apiserver_endpoint: |- |
|
|
|
{%- endif %} |
|
|
|
kube_apiserver_insecure_endpoint: >- |
|
|
|
http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }} |
|
|
|
kube_apiserver_client_cert: |- |
|
|
|
{% if kubeadm_enabled -%} |
|
|
|
{{ kube_cert_dir }}/ca.crt |
|
|
|
{%- else -%} |
|
|
|
{{ kube_cert_dir }}/apiserver.pem |
|
|
|
{%- endif %} |
|
|
|
kube_apiserver_client_key: |- |
|
|
|
{% if kubeadm_enabled -%} |
|
|
|
{{ kube_cert_dir }}/ca.key |
|
|
|
{%- else -%} |
|
|
|
{{ kube_cert_dir }}/apiserver-key.pem |
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
# Vars for pointing to etcd endpoints |
|
|
|
is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}" |
|
|
|
|
