Ugur Can Ozturk
a962fa2357
[podSecurityConfiguration]: fix apiVersion and change default policy versions ( #10210 )
Signed-off-by: Ugur <ugurozturk918@gmail.com>
1 year ago
ERIK
ce13699dfa
Use a uniform way to get the local path of the binaries ( #10211 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
1 year ago
Kay Yan
c98e1d1b5b
add-kube-profile-to-scheduler ( #9993 )
2 years ago
Samuel Liu
0104396c50
use var: kube_apiserver_address ( #9967 )
2 years ago
Kay Yan
e8f0fb82fe
fix-kube-bench-1.2.20 ( #9939 )
2 years ago
R. P. Taylor
a676c106d3
change bash for loop for SAN check ( #9060 )
fix merge conflict
2 years ago
HirazawaUi
baed5f0b32
Remove deprecated udpIdleTimeout field in KubeProxyConfiguration ( #9925 )
2 years ago
Marijn van der Giesen
eb4bd36f73
fix(kubernetes): Also apply kubeadm patches during upgrade ( #9781 )
2 years ago
Maxime Leroy
fd8260b930
fix(upgrade-cluster): retry other masters upgrade ( #9768 )
Signed-off-by: Maxime Leroy <19607336+maxime1907@users.noreply.github.com>
2 years ago
Bas
2c93c997cf
pre-commit autocorrected files ( #9750 )
2 years ago
Kevin Huang
2c2e608eac
fix(k8s-certs-renew): Use kube_apiserver_port instead of hard-coding ( #9620 )
Signed-off-by: Kevin Huang <git@kevin.huang.to>
Signed-off-by: Kevin Huang <git@kevin.huang.to>
2 years ago
tu1h
791064a3d9
Allow custom timeout for kubeadm init ( #9617 )
Signed-off-by: tu1h <lihai.tu@daocloud.io>
Signed-off-by: tu1h <lihai.tu@daocloud.io>
2 years ago
Kay Yan
fc0d58ff48
fix-missing-control-plane-taint ( #9592 )
2 years ago
Lukas Najman
ee3b7c5da5
Use the correct api version and resource type. The current values work but do not match the documentation, which can be confusing. ( #9575 )
2 years ago
ERIK
20d99886ca
Update etcd log-level parameter name ( #9540 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
William Turner
eeb376460d
Fix inconsistent handling of admission plugin list ( #9407 )
* Fix inconsistent handling of admission plugin list
* Adjust hardening doc with the normalized admission plugin list
* Add pre-check for admission plugins format change
* Ignore checking admission plugins value when variable is not defined
2 years ago
Cristian Calin
23716b0eff
don't define kubeadm_patches by default ( #9372 )
2 years ago
Huang Chen-Yi
d689f57c94
Features/support kubeadm patches v1beta3 ( #9326 )
* Support kubeadm patches in v1beta3
* Update kubeadm patches sample files in inventory
* Fix pre-commit syntax
* Set kubeadm_patches enabled to false in sample inventory
2 years ago
Florian Ruynat
841e2f44c0
Remove references to 1.22 ( #9342 )
2 years ago
Kay Yan
b46ddf35fc
kube-vip should fail if kube_proxy_strict_arp is false in arp mode ( #9223 )
* fix-kube-vip-strict-arp
* fix-kube-vip-strict-arp
2 years ago
Tomas Zvala
30c77ea4c1
Add the option to enable default Pod Security Configuration ( #9017 )
* Add the option to enable default Pod Security Configuration
Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.
* Fix the PR according to code review comments
* Revert the latest changes
- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
Kay Yan
f592fa1235
add kube-vip sans ( #9099 )
2 years ago
Kay Yan
1d0b3829ed
remove-etcd-unsupported-arch ( #9049 )
2 years ago
Kay Yan
d4de9d096f
fix-the-issue-of-miss-the-etcd-user ( #9016 )
2 years ago
Florian Ruynat
6bf3306401
Fixed concatenate str & int in auto_renew_certificates_systemd_calendar var ( #8979 )
2 years ago
Alessio Greggi
97b4d79ed5
feat: make kubernetes owner parametrized ( #8952 )
* feat: make kubernetes owner parametrized
* docs: update hardening guide with configuration for CIS 1.1.19
* fix: set etcd data directory permissions to be compliant to CIS 1.1.12
2 years ago
Calin Cristian Andrei
24c8ba832a
[kubernetes] drop support for configuring insecure apiserver
2 years ago
Calin Cristian Andrei
2cd8c51a07
[kubeadm] use v1beta3 configuration version
* extra admission controls now don't have a version in their file names
eventratelimit.v1beta2.yaml.j2 -> eventratelimit.yaml.j2
* cri_socket variable includes the unix:// prefix to be conformant with
upstream
3 years ago
Calin Cristian Andrei
ae1dcb031f
[kubernetes] drop pre 1.22.0 workarounds
3 years ago
Necatican Yıldırım
dc1af5a9c5
[etcd] Add support for setting the request size limit ( #8849 )
* [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes`
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES
Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
Robin Wallace
42fc71fafa
[PodSecurityPolicy] Move the install of psp ( #8744 )
3 years ago
Alessio Greggi
e7df4d3dd9
add support for `service-account-lookup` parameter ( #8781 )
* feat: add variable to manage service-account-lookup on kube-apiserver
* docs: add documentation about service-account-lookup variable
3 years ago
David Louks
3e52a0db95
Add optional setting for ca data in auth webhook ( #8777 )
* Add optional setting for ca data in auth webhook
* add webhook token auth variables to sample inventory
3 years ago
Alessio Greggi
fa1d222eee
add support for `EventRateLimit` plugin configuration ( #8711 )
* feat: add support for EventRateLimit admission plugin
* docs: add documentation about admission_control_config_file and EventRateLimit configuration
3 years ago
Cristian Calin
3261d26181
[etcd] ensure etcd is properly upgraded when managed by kubeadm ( #8722 )
* [etcd] ensure etcd is properly upgraded when managed by kubeadm
* [CI] add periodic job to test upgrade of etcd managed by kubeadm
3 years ago
Julien Le Fur
30306d6ec7
Enable external CA mode for control-plane deployment ( #8620 )
3 years ago
Alessio Greggi
bba91a7524
split kube_feature_gates variable for different kubernetes components ( #8677 )
* feat: split kube_feature_gates variable for different kubernetes components
* docs: add kube_feature_gates component variables
3 years ago
Nicolas Goudry
ee079f4740
fix(coredns): make sure to keep coredns repository namespace ( #8572 )
fix: regex
fix: wrong regex_replace usage
3 years ago
Alex
36393d77d3
Encrypting Secret Data at Rest ( #8574 )
* change default value for Encrypting Secret Data at Rest to secretbox, remove experimental flag and add documentation
* fix MD012/no-multiple-blanks
3 years ago
Necatican Yıldırım
e9c8913248
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable ( #8317 )
* Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* Add etcd kubeadm deployment documentation
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable
Signed-off-by: necatican <necaticanyildirim@gmail.com>
3 years ago
华忠啊
52f221f976
Adaptive Kube-ovn ( #8454 )
3 years ago
Florian Ruynat
7c67ec4976
Fix kubectl call before installing it ( #8412 )
3 years ago
Unai Arríen
57a1d18db3
Improve first_kube_control_plane variable management to avoid installation failures due to variable overlapping ( #8388 )
3 years ago
Unai Arríen
92abf26d29
Ensure taint configuration for secondary control-plane nodes ( #8363 )
3 years ago
Max Gautier
cb54eb40ce
Use a variable for standardizing kubectl invocation ( #8329 )
* Add kubectl variable
* Replace kubectl usage by kubectl variable in roles
* Remove redundant --kubeconfig on kubectl usage
* Replace unnecessary shell usage with command
3 years ago
Cristian Calin
c1954ff918
Support deploying kubernetes 1.23 ( #8323 )
* Ensure entries for 1.23 are added for supported_versions vars
* cri-o: add support for kubernetes 1.23 but still use cri-o 1.22
* kubescheduler-config: differentiate config versions based on kube_version
3 years ago
Kenichi Omichi
b49ae8c21d
Delete "kubeadm alpha certs" code ( #8322 )
"kubeadm alpha certs" command has been promoted to "kubeadm certs" command,
and "kubeadm alpha certs" has been deprecated since Kubernetes v1.20 as [1].
In addition, Kubespray supports Kubernetes v1.20+.
This deletes the deprecated command for cleanup.
[1]: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#deprecation
3 years ago
Alvaro Campesino
27ab364df5
Improve control plane scale flow ( #13 ) ( #7989 )
* Improve control plane scale flow (#13 )
* Added version 1.20.10 of K8s
* Setting first_kube_control_plane to an existing one
* Setting first_kube_control_plane to an existing one
* change first_kube_master for first_kube_control_plane
* Ansible-lint changes
3 years ago
Hanna Bledai
615216f397
Fix if bind-address is not set to 0.0.0.0 ( #8262 )
* if bind-address is not set to 0.0.0.0
* Update docs and left comments
* fix yamllint check: remove space
3 years ago
Samuel Liu
ee0f1e9d58
Update etcd-servers for apiserver ( #8253 )
3 years ago