C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

minor tune after merge @rajiteh's work

Browse source
This commit is contained in:
jwfang 2017-06-21 11:30:15 +08:00
parent 27a10c9623
commit 4cfffba749
6 changed files with 12 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/vars.md
View file

@ -67,7 +67,7 @@ following default cluster paramters:
OpenStack (default is unset)
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
Kubernetes
* *authorization_mode* - A list of [authorization modes](
* *authorization_modes* - A list of [authorization mode](
https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
that the cluster should be configured for. Defaults to `['AlwaysAllow']`.
Note: Only `AlwaysAllow`, `AlwaysDeny` and `RBAC` are tested.

4
roles/kargo-defaults/defaults/main.yaml
View file

@ -118,5 +118,5 @@ enable_network_policy: false
## List of authorization modes that must be configured for
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
## 'RBAC' modes are tested.
authorization_mode: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
authorization_modes: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_modes }}"

5
roles/kubernetes-apps/ansible/defaults/main.yml
View file

@ -42,7 +42,6 @@ etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs"
kubedns_rbac_resources:
- clusterrole,
- clusterrolebinding,
- clusterrole
- clusterrolebinding
- sa
- serviceaccount

4
roles/kubernetes-apps/ansible/tasks/main.yml
View file

@ -21,7 +21,9 @@
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled or item.type not in kubedns_rbac_resources
tags: dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084

2
roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
View file

@ -46,4 +46,6 @@ spec:
- --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
- --logtostderr=true
- --v=2
{% if rbac_enabled %}
serviceAccountName: cluster-proportional-autoscaler
{% endif %}

4
roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
View file

@ -81,8 +81,8 @@ spec:
{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
- --anonymous-auth={{ kube_api_anonymous_auth }}
{% endif %}
{% if authorization_mode %}
- --authorization-mode={{ authorization_mode|join(',') }}
{% if authorization_modes %}
- --authorization-mode={{ authorization_modes|join(',') }}
{% endif %}
{% if apiserver_custom_flags is string %}
- {{ apiserver_custom_flags }}