diff --git a/.gitignore b/.gitignore
index 8d5d5088b..4df491aa1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,7 @@ __pycache__/
 .Python
 env/
 build/
+credentials/
 develop-eggs/
 dist/
 downloads/
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 25bcbfaad..5494e6f0c 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -57,7 +57,7 @@ ansible-playbook -i my_inventory/inventory.cfg cluster.yml -b -v \
 See more details in the [ansible guide](ansible.md).
 Adding nodes
---------------------------
+------------
 You may want to add worker nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters.
@@ -66,4 +66,26 @@ You may want to add worker nodes to your existing cluster. This can be done by r
 ```
 ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \
 --private-key=~/.ssh/private_key
-```
\ No newline at end of file
+```
+
+Connecting to Kubernetes
+------------------------
+By default, Kubespray configures kube-master hosts with insecure access to
+kube-apiserver via port 8080. A kubeconfig file is not necessary in this case,
+because kubectl will use http://localhost:8080 to connect. The kubeconfig files
+generated will point to localhost (on kube-masters) and kube-node hosts will
+connect either to a localhost nginx proxy or to a loadbalancer if configured.
+More details on this process is in the [HA guide](ha.md).
+
+Kubespray permits connecting to the cluster remotely on any IP of any
+kube-master host on port 6443 by default. However, this requires
+authentication. One could generate a kubeconfig based on one installed
+kube-master hosts (needs improvement) or connect with a username and password.
+By default, two users are created: `kube` and `admin` with the same password.
+The password can be viewed after deployment by looking at the file
+`PATH_TO_KUBESPRAY/credentials/kube_user`. This contains a randomly generated
+password. If you wish to set your own password, just precreate/modify this
+file yourself.
+
+For more information on kubeconfig and accessing a Kubernetes cluster, refer to
+the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index fb926c729..81d7017cb 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -40,18 +40,11 @@ kube_log_level: 2
 # Users to create for basic auth in Kubernetes API via HTTP
 # Optionally add groups for user
-kube_api_pwd: "changeme"
+kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15') }}"
 kube_users:
 kube:
 pass: "{{kube_api_pwd}}"
 role: admin
- root:
- pass: "{{kube_api_pwd}}"
- role: admin
- # groups:
- # - system:masters
-
-
 ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
 #kube_oidc_auth: false
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index c86f322fc..fac0b44d8 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -66,9 +66,6 @@ kube_users:
 kube:
 pass: "{{kube_api_pwd}}"
 role: admin
- root:
- pass: "{{kube_api_pwd}}"
- role: admin
 # Choose network plugin (calico, weave or flannel)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
diff --git a/tests/testcases/010_check-apiserver.yml b/tests/testcases/010_check-apiserver.yml
index 8ca19e196..a9123f976 100644
--- a/tests/testcases/010_check-apiserver.yml
+++ b/tests/testcases/010_check-apiserver.yml
@@ -2,10 +2,12 @@
 - hosts: kube-master
 tasks:
+ - debug:
+ msg: "kube pass: {{ lookup('password', '../../credentials/kube_user length=15') }}"
 - name: Check the API servers are responding
 uri:
 url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
 user: kube
- password: changeme
+ password: "{{ lookup('password', '../../credentials/kube_user length=15') }}"
 validate_certs: no
 status_code: 200
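Review bot: The new `kube_api_pwd` line in inventory/group_vars/k8s-cluster.yml leaves the cluster's admin basic-auth password in plaintext at `credentials/kube_user` on the control host, and nothing next to it says so; a comment above the line such as `# Generated on first run into credentials/kube_user (plaintext, git-ignored) — protect it like the inventory SSH keys` would make the sensitivity explicit to whoever maintains the inventory. The documentation added in this same commit states that two users, `kube` and `admin`, are created, but after this hunk `kube_users` defines only `kube`, so one of the two needs correcting. The `# Optionally add groups for user` comment loses its only example now that the commented `groups:` block is removed; either drop the comment or keep a one-line `# groups: [system:masters]` hint. The role default in roles/kubespray-defaults/defaults/main.yaml is only touched to remove `root` here, so inventories that do not set `kube_api_pwd` presumably still receive whatever static default that file carries — worth verifying that it was updated too.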
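Review bot: The added `debug` task in tests/testcases/010_check-apiserver.yml prints the API admin password into the test output (`msg: "kube pass: …"`), once per kube-master host, and CI logs are retained and often readable beyond the people who hold the credential; since the `uri` task below already consumes the value, the `debug` task should be removed, or at minimum carry `no_log: true` so the runner masks it. The `password:` line repeats the lookup with a hard-coded `length=15` and a relative path (`../../credentials/kube_user`) that differs from the inventory's `credentials/kube_user`; lookup paths resolve relative to the playbook's directory, so both presumably reach the same repo-root file, but the path and length now live in three places and will drift. If this testcase runs with the cluster inventory, `password: "{{ kube_api_pwd }}"` would reuse the group_vars value and avoid the second lookup altogether. The play header and task list may extend beyond the hunk.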