Use a generated password for kube user (#1624)
Removed unnecessary root user
This commit is contained in:
parent
e26aec96b0
commit
7117614ee5
5 changed files with 29 additions and 14 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -24,6 +24,7 @@ __pycache__/
|
||||||
.Python
|
.Python
|
||||||
env/
|
env/
|
||||||
build/
|
build/
|
||||||
|
credentials/
|
||||||
develop-eggs/
|
develop-eggs/
|
||||||
dist/
|
dist/
|
||||||
downloads/
|
downloads/
|
||||||
|
|
|
@ -57,7 +57,7 @@ ansible-playbook -i my_inventory/inventory.cfg cluster.yml -b -v \
|
||||||
See more details in the [ansible guide](ansible.md).
|
See more details in the [ansible guide](ansible.md).
|
||||||
|
|
||||||
Adding nodes
|
Adding nodes
|
||||||
--------------------------
|
------------
|
||||||
|
|
||||||
You may want to add worker nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters.
|
You may want to add worker nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters.
|
||||||
|
|
||||||
|
@ -66,4 +66,26 @@ You may want to add worker nodes to your existing cluster. This can be done by r
|
||||||
```
|
```
|
||||||
ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \
|
ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \
|
||||||
--private-key=~/.ssh/private_key
|
--private-key=~/.ssh/private_key
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Connecting to Kubernetes
|
||||||
|
------------------------
|
||||||
|
By default, Kubespray configures kube-master hosts with insecure access to
|
||||||
|
kube-apiserver via port 8080. A kubeconfig file is not necessary in this case,
|
||||||
|
because kubectl will use http://localhost:8080 to connect. The kubeconfig files
|
||||||
|
generated will point to localhost (on kube-masters) and kube-node hosts will
|
||||||
|
connect either to a localhost nginx proxy or to a loadbalancer if configured.
|
||||||
|
More details on this process is in the [HA guide](ha.md).
|
||||||
|
|
||||||
|
Kubespray permits connecting to the cluster remotely on any IP of any
|
||||||
|
kube-master host on port 6443 by default. However, this requires
|
||||||
|
authentication. One could generate a kubeconfig based on one installed
|
||||||
|
kube-master hosts (needs improvement) or connect with a username and password.
|
||||||
|
By default, two users are created: `kube` and `admin` with the same password.
|
||||||
|
The password can be viewed after deployment by looking at the file
|
||||||
|
`PATH_TO_KUBESPRAY/credentials/kube_user`. This contains a randomly generated
|
||||||
|
password. If you wish to set your own password, just precreate/modify this
|
||||||
|
file yourself.
|
||||||
|
|
||||||
|
For more information on kubeconfig and accessing a Kubernetes cluster, refer to
|
||||||
|
the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
|
||||||
|
|
|
@ -40,18 +40,11 @@ kube_log_level: 2
|
||||||
|
|
||||||
# Users to create for basic auth in Kubernetes API via HTTP
|
# Users to create for basic auth in Kubernetes API via HTTP
|
||||||
# Optionally add groups for user
|
# Optionally add groups for user
|
||||||
kube_api_pwd: "changeme"
|
kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15') }}"
|
||||||
kube_users:
|
kube_users:
|
||||||
kube:
|
kube:
|
||||||
pass: "{{kube_api_pwd}}"
|
pass: "{{kube_api_pwd}}"
|
||||||
role: admin
|
role: admin
|
||||||
root:
|
|
||||||
pass: "{{kube_api_pwd}}"
|
|
||||||
role: admin
|
|
||||||
# groups:
|
|
||||||
# - system:masters
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
||||||
#kube_oidc_auth: false
|
#kube_oidc_auth: false
|
||||||
|
|
|
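Review bot: The new `kube_api_pwd` value hard-codes both the file path and `length=15` inside the lookup string, and the test playbook in this commit repeats the same lookup (with a different relative prefix) twice, so three copies now have to be kept in sync by hand. The `kube_api_pwd:` line also has no comment saying where the value comes from; I would add above it `# Generated by Ansible's password lookup on first run and stored in credentials/kube_user; precreate that file to choose your own password.` The relative path appears to be resolved by the lookup against the playbook's base directory, which is why the test playbook needs the `../../` prefix — worth stating in that comment so the two do not drift. The lookup seems to write the file with owner-only permissions, but that is lookup behaviour rather than anything this file enforces; confirm on the Ansible version in use.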
@ -66,9 +66,6 @@ kube_users:
|
||||||
kube:
|
kube:
|
||||||
pass: "{{kube_api_pwd}}"
|
pass: "{{kube_api_pwd}}"
|
||||||
role: admin
|
role: admin
|
||||||
root:
|
|
||||||
pass: "{{kube_api_pwd}}"
|
|
||||||
role: admin
|
|
||||||
|
|
||||||
# Choose network plugin (calico, weave or flannel)
|
# Choose network plugin (calico, weave or flannel)
|
||||||
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
||||||
|
|
|
@ -2,10 +2,12 @@
|
||||||
- hosts: kube-master
|
- hosts: kube-master
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
- debug:
|
||||||
|
msg: "kube pass: {{ lookup('password', '../../credentials/kube_user length=15') }}"
|
||||||
- name: Check the API servers are responding
|
- name: Check the API servers are responding
|
||||||
uri:
|
uri:
|
||||||
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
|
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
|
||||||
user: kube
|
user: kube
|
||||||
password: changeme
|
password: "{{ lookup('password', '../../credentials/kube_user length=15') }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
status_code: 200
|
status_code: 200
|
||||||
|
|
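Review bot: The added `debug` task writes the generated password into the playbook output (`msg: "kube pass: ..."`), and the `uri` task's new `password:` argument is echoed as well in verbose or failed-task output, so the credential lands in the CI log. I would drop the `debug` task entirely and add `no_log: true` to the `uri` task; the check still passes or fails on `status_code: 200`, it just stops printing the module arguments. The play's task list may continue past the end of this hunk.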