minor tune after merge @rajiteh's work

jwfang 2017-06-21 11:30:15 +08:00
parent 27a10c9623
commit 4cfffba749
6 changed files with 12 additions and 9 deletions


@ -67,7 +67,7 @@ following default cluster paramters:
OpenStack (default is unset) OpenStack (default is unset)
* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
Kubernetes Kubernetes
* *authorization_mode* - A list of [authorization modes]( * *authorization_modes* - A list of [authorization mode](
https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module) https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
that the cluster should be configured for. Defaults to `['AlwaysAllow']`. that the cluster should be configured for. Defaults to `['AlwaysAllow']`.
Note: Only `AlwaysAllow`, `AlwaysDeny` and `RBAC` are tested. Note: Only `AlwaysAllow`, `AlwaysDeny` and `RBAC` are tested.


@ -118,5 +118,5 @@ enable_network_policy: false
## List of authorization modes that must be configured for ## List of authorization modes that must be configured for
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
## 'RBAC' modes are tested. ## 'RBAC' modes are tested.
authorization_mode: ['AlwaysAllow'] authorization_modes: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_mode }}" rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
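Review bot: Renaming the variable on the `authorization_modes: ['AlwaysAllow']` line without a compatibility check can leave a cluster on `AlwaysAllow` unnoticed. An inventory that still sets the old `authorization_mode: ['RBAC']` is no longer read, so this default applies and `rbac_enabled` evaluates to false. The last file section on this page, which renders `--authorization-mode`, makes the same rename, so the API server would then be started with `AlwaysAllow`. I would add a preflight task that fails while the old name is still defined, for example `- assert: {that: "authorization_mode is not defined", msg: "authorization_mode was renamed to authorization_modes"}`. Whether any existing inventory sets the old name is not visible from this page.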


@ -42,7 +42,6 @@ etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs" canal_cert_dir: "/etc/canal/certs"
kubedns_rbac_resources: kubedns_rbac_resources:
- clusterrole, - clusterrole
- clusterrolebinding, - clusterrolebinding
- sa - sa
- serviceaccount


@ -21,7 +21,9 @@
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding} - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
register: manifests register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled) when:
- dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
- rbac_enabled or item.type not in kubedns_rbac_resources
tags: dnsmasq tags: dnsmasq
# see https://github.com/kubernetes/kubernetes/issues/45084 # see https://github.com/kubernetes/kubernetes/issues/45084
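Review bot: The bare `rbac_enabled` in the second `when` entry depends on the value already being a real boolean. If it arrives as a string (for example from `-e rbac_enabled=false`), a non-empty string is truthy and the RBAC manifests would be selected anyway. Writing the entry as `- (rbac_enabled | bool) or item.type not in kubedns_rbac_resources` makes the gate explicit. The same applies to `{% if rbac_enabled %}` in the autoscaler template section that follows. The task starts above this hunk, so its item list is only partly visible here.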


@ -46,4 +46,6 @@ spec:
- --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
- --logtostderr=true - --logtostderr=true
- --v=2 - --v=2
{% if rbac_enabled %}
serviceAccountName: cluster-proportional-autoscaler serviceAccountName: cluster-proportional-autoscaler
{% endif %}


@ -81,8 +81,8 @@ spec:
{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %} {% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
- --anonymous-auth={{ kube_api_anonymous_auth }} - --anonymous-auth={{ kube_api_anonymous_auth }}
{% endif %} {% endif %}
{% if authorization_mode %} {% if authorization_modes %}
- --authorization-mode={{ authorization_mode|join(',') }} - --authorization-mode={{ authorization_modes|join(',') }}
{% endif %} {% endif %}
{% if apiserver_custom_flags is string %} {% if apiserver_custom_flags is string %}
- {{ apiserver_custom_flags }} - {{ apiserver_custom_flags }}
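Review bot: The `{% if authorization_modes %}` guard drops the flag entirely when the list is empty, and kube-apiserver's own default for `--authorization-mode` is `AlwaysAllow`. So `authorization_modes: []` yields an API server that authorizes every request instead of a failed deployment. If an empty list is not a supported setting, I would fail early with an `assert` such as `that: authorization_modes | length > 0`, or render the flag unconditionally. `join(',')` also assumes a list; a plain string value would be joined character by character, so the same assert could check the type. The surrounding container spec lies outside this hunk.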