Stop templating kube-system namespace and creating it (#2545)

Kubernetes makes this namespace automatically, so there is no need for kubespray to manage it.
2018-03-30 14:29:13 +03:00 · 2018-03-30 14:29:13 +03:00 · 03bcfa7ff5
commit 03bcfa7ff5
parent f619eb08b1
91 changed files with 122 additions and 159 deletions
--- a/inventory/sample/group_vars/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster.yml
@ -6,7 +6,6 @@
 kube_config_dir: /etc/kubernetes
 kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
-system_namespace: kube-system

 # This is where all the cert scripts and certs will be located
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@ -91,7 +91,7 @@
 - name: Start Resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{system_namespace}}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
+++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: dnsmasq
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
 subjects:
  - kind: ServiceAccount
    name: dnsmasq
-    namespace: "{{ system_namespace}}"
+    namespace: "kube-system"
 roleRef:
  kind: ClusterRole
  name: cluster-admin
--- a/roles/dnsmasq/templates/dnsmasq-deploy.yml
+++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml
@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: dnsmasq
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
  labels:
    k8s-app: dnsmasq
    kubernetes.io/cluster-service: "true"
--- a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
+++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dnsmasq
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/dnsmasq/templates/dnsmasq-svc.yml
+++ b/roles/dnsmasq/templates/dnsmasq-svc.yml
@ -6,7 +6,7 @@ metadata:
    kubernetes.io/cluster-service: 'true'
    k8s-app: dnsmasq
  name: dnsmasq
-  namespace: {{system_namespace}}
+  namespace: kube-system
 spec:
  ports:
    - port: 53
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@ -12,9 +12,9 @@ etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:
-  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
-  - "etcd.{{ system_namespace }}.svc"
-  - "etcd.{{ system_namespace }}"
+  - "etcd.kube-system.svc.{{ dns_domain }}"
+  - "etcd.kube-system.svc"
+  - "etcd.kube-system"
  - "etcd"

 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
--- a/roles/kubernetes-apps/ansible/tasks/cleanup_dns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/cleanup_dns.yml
@ -2,7 +2,7 @@
 - name: Kubernetes Apps | Delete old CoreDNS resources
  kube:
    name: "coredns"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item }}"
    state: absent
@ -16,7 +16,7 @@
 - name: Kubernetes Apps | Delete kubeadm CoreDNS
  kube:
    name: "coredns"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "deploy"
    state: absent
@ -28,7 +28,7 @@
 - name: Kubernetes Apps | Delete old KubeDNS resources
  kube:
    name: "kube-dns"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item }}"
    state: absent
@ -41,7 +41,7 @@
 - name: Kubernetes Apps | Delete kubeadm KubeDNS
  kube:
    name: "kube-dns"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item }}"
    state: absent
--- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml
+++ b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
@ -22,7 +22,7 @@
 - name: Kubernetes Apps | Start dashboard
  kube:
    name: "{{ item.item.name }}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@ -37,7 +37,7 @@
 - name: Kubernetes Apps | Start Resources
  kube:
    name: "{{ item.item.name }}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
--- a/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
@ -15,4 +15,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: coredns
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: coredns
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
 data:
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: coredns{{ coredns_ordinal_suffix | default('') }}
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: coredns
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
--- a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: coredns{{ coredns_ordinal_suffix | default('') }}
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@ -25,7 +25,7 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 type: Opaque

 ---
@ -37,7 +37,7 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
-  namespace: {{ system_namespace }}
+  namespace: kube-system

 ---
 # ------------------- Dashboard Role & Role Binding ------------------- #
@ -46,7 +46,7 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: kubernetes-dashboard-minimal
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
@ -81,7 +81,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: kubernetes-dashboard-minimal
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -89,7 +89,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: kubernetes-dashboard
-  namespace: {{ system_namespace }}
+  namespace: kube-system

 ---
 # ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
@ -103,7 +103,7 @@ rules:
  resources: ["services/proxy"]
  resourceNames: ["https:kubernetes-dashboard:"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
+- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

 ---
@ -128,7 +128,7 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 spec:
  replicas: 1
  revisionHistoryLimit: 10
@ -200,7 +200,7 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 spec:
  ports:
    - port: 443
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml.j2
@ -17,7 +17,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: cluster-proportional-autoscaler
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups: [""]
    resources: ["nodes"]
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml.j2
@ -17,11 +17,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: cluster-proportional-autoscaler
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 subjects:
  - kind: ServiceAccount
    name: cluster-proportional-autoscaler
-    namespace: {{ system_namespace }}
+    namespace: kube-system
 roleRef:
  kind: ClusterRole
  name: cluster-proportional-autoscaler
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml.j2
@ -17,4 +17,4 @@ kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: cluster-proportional-autoscaler
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2
@ -17,7 +17,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: kubedns-autoscaler
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: kubedns-autoscaler
    kubernetes.io/cluster-service: "true"
@ -40,7 +40,7 @@ spec:
            memory: "10Mi"
        command:
        - /cluster-proportional-autoscaler
-        - --namespace={{ system_namespace }}
+        - --namespace=kube-system
        - --configmap=kubedns-autoscaler
        # Should keep target in sync with cluster/addons/dns/kubedns-controller.yaml.base
        - --target=Deployment/kube-dns
--- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: kube-dns
-  namespace: "{{system_namespace}}"
+  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kube-dns
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-svc.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: kube-dns
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@ -126,32 +126,3 @@
    - kube_version | version_compare('v1.9.3', '<=')
    - inventory_hostname == groups['kube-master'][0]
  tags: vsphere
-
-# This is not a cluster role, but should be run after kubeconfig is set on master
- name: Write kube system namespace manifest
-  template:
-    src: namespace.j2
-    dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
-  when: inventory_hostname == groups['kube-master'][0]
-  tags:
-    - apps
-
- name: Check if kube system namespace exists
-  command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
-  register: 'kubesystem'
-  changed_when: False
-  failed_when: False
-  when: inventory_hostname == groups['kube-master'][0]
-  tags:
-    - apps
-
- name: Create kube system namespace
-  command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
-  retries: 4
-  delay: "{{ retry_stagger | random + 3 }}"
-  register: create_system_ns
-  until: create_system_ns.rc == 0
-  changed_when: False
-  when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
-  tags:
-    - apps
--- a/roles/kubernetes-apps/cluster_roles/templates/namespace.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/namespace.j2
@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: "{{system_namespace}}"
+  name: "kube-system"
--- a/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml
+++ b/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml
@ -10,7 +10,7 @@
  when: rbac_enabled

 - name: "ElasticSearch | Create Serviceaccount and Clusterrolebinding (RBAC)"
-  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n {{ system_namespace }}"
+  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n kube-system"
  with_items:
    - "efk-sa.yml"
    - "efk-clusterrolebinding.yml"
@ -24,7 +24,7 @@
  register: es_deployment_manifest

 - name: "ElasticSearch | Create ES deployment"
-  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n {{ system_namespace }}"
+  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n kube-system"
  run_once: true
  when: es_deployment_manifest.changed

@ -35,6 +35,6 @@
  register: es_service_manifest

 - name: "ElasticSearch | Create ES service"
-  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n {{ system_namespace }}"
+  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n kube-system"
  run_once: true
  when: es_service_manifest.changed
--- a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml
+++ b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml
@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: efk
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 subjects:
  - kind: ServiceAccount
    name: efk
-    namespace: {{ system_namespace }}
+    namespace: kube-system
 roleRef:
  kind: ClusterRole
  name: cluster-admin
--- a/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml
+++ b/roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: efk
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2
+++ b/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2
@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: elasticsearch-logging-v1
-  namespace: "{{ system_namespace }}"
+  namespace: kube-system
  labels:
    k8s-app: elasticsearch-logging
    version: "{{ elasticsearch_image_tag }}"
--- a/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-service.yml.j2
+++ b/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-service.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: elasticsearch-logging
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
  labels:
    k8s-app: elasticsearch-logging
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/efk/fluentd/tasks/main.yml
+++ b/roles/kubernetes-apps/efk/fluentd/tasks/main.yml
@ -17,6 +17,6 @@
  register: fluentd_ds_manifest

 - name: "Fluentd | Create fluentd daemonset"
-  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n {{ system_namespace }}"
+  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n kube-system"
  run_once: true
  when: fluentd_ds_manifest.changed
--- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-config.yml.j2
+++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-config.yml.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fluentd-config
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
 data:
  {{ fluentd_config_file }}: |
    # This configuration file for Fluentd / td-agent is used
--- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2
+++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2
@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
  name: "fluentd-es-v{{ fluentd_version }}"
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
  labels:
    k8s-app: fluentd-es
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/efk/kibana/tasks/main.yml
+++ b/roles/kubernetes-apps/efk/kibana/tasks/main.yml
@ -10,7 +10,7 @@
    filename: "{{kube_config_dir}}/kibana-deployment.yaml"
    kubectl: "{{bin_dir}}/kubectl"
    name: "kibana-logging"
-    namespace: "{{system_namespace}}"
+    namespace: "kube-system"
    resource: "deployment"
    state: "latest"
  with_items: "{{ kibana_deployment_manifest.changed }}"
@ -27,7 +27,7 @@
    filename: "{{kube_config_dir}}/kibana-service.yaml"
    kubectl: "{{bin_dir}}/kubectl"
    name: "kibana-logging"
-    namespace: "{{system_namespace}}"
+    namespace: "kube-system"
    resource: "svc"
    state: "latest"
  with_items: "{{ kibana_service_manifest.changed }}"
--- a/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2
+++ b/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2
@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: kibana-logging
-  namespace: "{{ system_namespace  }}"
+  namespace: "kube-system"
  labels:
    k8s-app: kibana-logging
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/efk/kibana/templates/kibana-service.yml.j2
+++ b/roles/kubernetes-apps/efk/kibana/templates/kibana-service.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: kibana-logging
-  namespace: "{{ system_namespace }}"
+  namespace: "kube-system"
  labels:
    k8s-app: kibana-logging
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/defaults/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/defaults/main.yml
@ -2,7 +2,7 @@
 cephfs_provisioner_image_repo: quay.io/kubespray/cephfs-provisioner
 cephfs_provisioner_image_tag: 92295a30

-cephfs_provisioner_namespace: "{{ system_namespace }}"
+cephfs_provisioner_namespace: "kube-system"
 cephfs_provisioner_cluster: ceph
 cephfs_provisioner_monitors: []
 cephfs_provisioner_admin_id: admin
--- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/defaults/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/defaults/main.yml
@ -2,7 +2,7 @@
 local_volume_provisioner_image_repo: quay.io/external_storage/local-volume-provisioner
 local_volume_provisioner_image_tag: v2.0.0

-local_volume_provisioner_namespace: "{{ system_namespace }}"
+local_volume_provisioner_namespace: "kube-system"
 local_volume_provisioner_base_dir: /mnt/disks
 local_volume_provisioner_mount_dir: /mnt/disks
 local_volume_provisioner_storage_class: local-storage
--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
@ -18,7 +18,7 @@
 - name: Helm | Apply Helm Manifests (RBAC)
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
@ -28,7 +28,7 @@

 - name: Helm | Install/upgrade helm
  command: >
-    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ system_namespace }}
+    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
    {% if helm_skip_refresh %} --skip-refresh{% endif %}
    {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
    {% if rbac_enabled %} --service-account=tiller{% endif %}
--- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: tiller
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 subjects:
  - kind: ServiceAccount
    name: tiller
-    namespace: {{ system_namespace }}
+    namespace: kube-system
 roleRef:
  kind: ClusterRole
  name: cluster-admin
--- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-sa.yml
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tiller
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
@ -2,7 +2,7 @@
 - name: Start Calico resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
@ -2,7 +2,7 @@
 - name: Canal | Start Resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/kubernetes-apps/network_plugin/cilium/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/cilium/tasks/main.yml
@ -2,7 +2,7 @@
 - name: Cilium | Start Resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
@ -11,7 +11,7 @@
  when: inventory_hostname == groups['kube-master'][0] and not item|skipped

 - name: Cilium | Wait for pods to run
-  command: "{{bin_dir}}/kubectl -n {{system_namespace}} get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
+  command: "{{bin_dir}}/kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
  register: pods_not_ready
  until: pods_not_ready.stdout.find("cilium")==-1
  retries: 30
--- a/roles/kubernetes-apps/network_plugin/contiv/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/contiv/tasks/main.yml
@ -3,7 +3,7 @@
 - name: Contiv | Create Kubernetes resources
  kube:
    name: "{{ item.item.name }}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ contiv_config_dir }}/{{ item.item.file }}"
--- a/roles/kubernetes-apps/network_plugin/flannel/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/flannel/tasks/main.yml
@ -2,7 +2,7 @@
 - name: Flannel | Start Resources
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/weave/tasks/main.yml
@ -5,7 +5,7 @@
    kubectl: "{{ bin_dir }}/kubectl"
    filename: "{{ kube_config_dir }}/weave-net.yml"
    resource: "ds"
-    namespace: "{{system_namespace}}"
+    namespace: "kube-system"
    state: "latest"
  when: inventory_hostname == groups['kube-master'][0]

--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@ -12,7 +12,7 @@
    name: calico-policy-controller
    kubectl: "{{bin_dir}}/kubectl"
    resource: rs
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    state: absent
  run_once: true

@ -32,7 +32,7 @@
 - name: Start of Calico kube controllers
  kube:
    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
+    namespace: "kube-system"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@ -2,7 +2,7 @@ apiVersion: apps/v1beta2
 kind: Deployment
 metadata:
  name: calico-kube-controllers
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
    kubernetes.io/cluster-service: "true"
@ -15,7 +15,7 @@ spec:
  template:
    metadata:
      name: calico-kube-controllers
-      namespace: {{ system_namespace }}
+      namespace: kube-system
      labels:
        kubernetes.io/cluster-service: "true"
        k8s-app: calico-kube-controllers
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@ -3,7 +3,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: calico-kube-controllers
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups:
    - ""
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-crb.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-crb.yml.j2
@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: calico-kube-controllers
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-sa.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-sa.yml.j2
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-kube-controllers
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/kubernetes-apps/registry/defaults/main.yml
+++ b/roles/kubernetes-apps/registry/defaults/main.yml
@ -4,6 +4,6 @@ registry_image_tag: 2.6
 registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy
 registry_proxy_image_tag: 0.4

-registry_namespace: "{{ system_namespace }}"
+registry_namespace: "kube-system"
 registry_storage_class: ""
 registry_disk_size: "10Gi"
--- a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
+++ b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
@ -44,5 +44,5 @@
  when: needs_rotation

 - name: Rotate Tokens | Delete pods in system namespace
-  command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
+  command: "{{ bin_dir }}/kubectl delete pods -n kube-system --all"
  when: needs_rotation
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: kube-apiserver
-  namespace: {{system_namespace}}
+  namespace: kube-system
  labels:
    k8s-app: kube-apiserver
    kubespray: v2
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: kube-controller-manager
-  namespace: {{system_namespace}}
+  namespace: kube-system
  labels:
    k8s-app: kube-controller-manager
  annotations:
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: kube-scheduler
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: kube-scheduler
  annotations:
--- a/roles/kubernetes/master/vars/main.yml
+++ b/roles/kubernetes/master/vars/main.yml
@ -1,6 +0,0 @@
---
-namespace_kubesystem:
-  apiVersion: v1
-  kind: Namespace
-  metadata:
-    name: "{{system_namespace}}"
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: kube-proxy
-  namespace: {{system_namespace}}
+  namespace: kube-system
  labels:
    k8s-app: kube-proxy
  annotations:
--- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: nginx-proxy
-  namespace: {{system_namespace}}
+  namespace: kube-system
  labels:
    k8s-app: kube-nginx
 spec:
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -61,7 +61,6 @@ dns_domain: "{{ cluster_name }}"
 kube_config_dir: /etc/kubernetes
 kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
-system_namespace: kube-system

 # This is where all the cert scripts and certs will be located
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
--- a/roles/network_plugin/calico/templates/calico-config.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-config.yml.j2
@ -2,7 +2,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
  name: calico-config
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 data:
  etcd_endpoints: "{{ etcd_access_addresses }}"
  etcd_ca: "/calico-secrets/ca_cert.crt"
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@ -3,7 +3,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: calico-node
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups: [""]
    resources:
--- a/roles/network_plugin/calico/templates/calico-crb.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2
@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: calico-node
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-node
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@ -6,7 +6,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: calico-node
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: calico-node
 spec:
--- a/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
@ -3,7 +3,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: calico
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups: [""]
    resources:
--- a/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
@ -11,4 +11,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: canal
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
@ -11,4 +11,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: canal
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: canal
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"

--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@ -3,7 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: canal-node
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: canal-node
 spec:
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
@ -2,7 +2,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
  name: cilium-config
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 data:
  # This etcd-config contains the etcd endpoints of your cluster. If you use
  # TLS please make sure you uncomment the ca-file line and add the respective
--- a/roles/network_plugin/cilium/templates/cilium-crb.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-crb.yml.j2
@ -10,6 +10,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: cilium
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 - kind: Group
  name: system:nodes
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
  name: cilium
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 spec:
  template:
    metadata:
--- a/roles/network_plugin/cilium/templates/cilium-sa.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-sa.yml.j2
@ -3,4 +3,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cilium
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
  name: contiv-api-proxy
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: contiv-api-proxy
 spec:
@ -12,7 +12,7 @@ spec:
  template:
    metadata:
      name: contiv-api-proxy
-      namespace: {{ system_namespace }}
+      namespace: kube-system
      labels:
        k8s-app: contiv-api-proxy
      annotations:
--- a/roles/network_plugin/contiv/templates/contiv-config.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-config.yml.j2
@ -5,7 +5,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
  name: contiv-config
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 data:
  # The location of your cluster store. This is set to the
  # avdertise-client value below from the contiv-etcd service.
--- a/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2
@ -3,7 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: contiv-etcd-proxy
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: contiv-etcd-proxy
 spec:
--- a/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-etcd.yml.j2
@ -3,7 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: contiv-etcd
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: contiv-etcd
 spec:
--- a/roles/network_plugin/contiv/templates/contiv-netmaster-clusterrole.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster-clusterrole.yml.j2
@ -2,7 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: contiv-netmaster
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups:
    - ""
--- a/roles/network_plugin/contiv/templates/contiv-netmaster-clusterrolebinding.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster-clusterrolebinding.yml.j2
@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: contiv-netmaster
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/contiv/templates/contiv-netmaster-serviceaccount.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster-serviceaccount.yml.j2
@ -2,6 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: contiv-netmaster
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
@ -3,7 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: contiv-netmaster
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: contiv-netmaster
 spec:
@ -12,7 +12,7 @@ spec:
  template:
    metadata:
      name: contiv-netmaster
-      namespace: {{ system_namespace }}
+      namespace: kube-system
      labels:
        k8s-app: contiv-netmaster
      annotations:
--- a/roles/network_plugin/contiv/templates/contiv-netplugin-clusterrole.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin-clusterrole.yml.j2
@ -2,7 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: contiv-netplugin
-  namespace: {{ system_namespace }}
+  namespace: kube-system
 rules:
  - apiGroups:
    - ""
--- a/roles/network_plugin/contiv/templates/contiv-netplugin-clusterrolebinding.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin-clusterrolebinding.yml.j2
@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: contiv-netplugin
-  namespace: {{ system_namespace }}
+  namespace: kube-system
--- a/roles/network_plugin/contiv/templates/contiv-netplugin-serviceaccount.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin-serviceaccount.yml.j2
@ -2,6 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: contiv-netplugin
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
--- a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
@ -5,7 +5,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  name: contiv-netplugin
-  namespace: {{ system_namespace }}
+  namespace: kube-system
  labels:
    k8s-app: contiv-netplugin
 spec:
--- a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: flannel
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@ -41,4 +41,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: flannel
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
--- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
@ -3,7 +3,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
  name: kube-flannel-cfg
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
  labels:
    tier: node
    app: flannel
@ -41,7 +41,7 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
  name: kube-flannel
-  namespace: "{{system_namespace}}"
+  namespace: "kube-system"
  labels:
    tier: node
    k8s-app: flannel
--- a/roles/network_plugin/weave/templates/weave-net.yml.j2
+++ b/roles/network_plugin/weave/templates/weave-net.yml.j2
@ -8,14 +8,14 @@ items:
      name: weave-net
      labels:
        name: weave-net
-      namespace: {{ system_namespace }}
+      namespace: kube-system
  - apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: weave-net
      labels:
        name: weave-net
-      namespace: {{ system_namespace }}
+      namespace: kube-system
    rules:
      - apiGroups:
          - ''
@ -41,7 +41,7 @@ items:
      name: weave-net
      labels:
        name: weave-net
-      namespace: {{ system_namespace }}
+      namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: weave-net
@ -49,14 +49,14 @@ items:
    subjects:
      - kind: ServiceAccount
        name: weave-net
-        namespace: {{ system_namespace }}
+        namespace: kube-system
  - apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: Role
    metadata:
      name: weave-net
      labels:
        name: weave-net
-      namespace: {{ system_namespace }}
+      namespace: kube-system
    rules:
      - apiGroups:
          - ''
@ -79,7 +79,7 @@ items:
      name: weave-net
      labels:
        name: weave-net
-      namespace: {{ system_namespace }}
+      namespace: kube-system
    roleRef:
      kind: Role
      name: weave-net
@ -87,7 +87,7 @@ items:
    subjects:
      - kind: ServiceAccount
        name: weave-net
-        namespace: {{ system_namespace }}
+        namespace: kube-system
  - apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
@ -95,7 +95,7 @@ items:
      labels:
        name: weave-net
        version: v{{ weave_version }}
-      namespace: {{ system_namespace }}
+      namespace: kube-system
    spec:
      minReadySeconds: 5
      template:
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@ -86,7 +86,7 @@ vault_ca_options:
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
-    alt_names: "vault.{{ system_namespace }}.svc.{{ dns_domain }},vault.{{ system_namespace }}.svc,vault.{{ system_namespace }},vault"
+    alt_names: "vault.kube-system.svc.{{ dns_domain }},vault.kube-system.svc,vault.kube-system,vault"
  etcd:
    common_name: etcd
    format: pem