enable kubelet client certificate rotation (#4081)
* enable kubelet client certificate rotation * change to variable kubelet_rotate_certificates
parent
a8dd69cf17
commit
740d8b0a26
3 changed files with 9 additions and 0 deletions
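--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -113,6 +113,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *kubelet_cgroup_driver* - Allows manual override of the
 cgroup-driver option for Kubelet. By default autodetection is used
 to match Docker configuration.
+* *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates
+from the kube-apiserver when the certificate expiration approaches.
 * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
 For example, labels can be set in the inventory as variables or more widely in group_vars.
 *node_labels* must be defined as a dict: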
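--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -28,6 +28,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 {% endif %}
 --enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
 --client-ca-file={{ kube_cert_dir }}/ca.crt \
+{% if kubelet_rotate_certificates %}
+--rotate-certificates \
+{% endif %}
 --pod-manifest-path={{ kube_manifest_dir }} \
 {% if kube_version is version('v1.12.0', '<') %}
 --cadvisor-port={{ kube_cadvisor_port }} \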
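Review bot: `{% if kubelet_rotate_certificates %}` on the hunk's first added line tests Jinja truthiness, so an override handed over as the string `"false"` (INI inventories and extra-vars pass strings) still emits `--rotate-certificates`; write it as `{% if kubelet_rotate_certificates | bool %}`. Separately, `--rotate-certificates` only makes the kubelet file a renewal CSR: unless the controller-manager holds the cluster signing key and an approver grants the `system:nodes` group the `certificatesigningrequests/selfnodeclient` permission — neither is visible in this commit — the CSR stays pending and the node loses API access once its current client certificate expires, so that prerequisite belongs in the role or at least in the docs entry. The `{% endif %}` at the top of the hunk closes a block that begins outside it.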
@ -308,6 +308,10 @@ kubelet_authentication_token_webhook: true
# When enabled, access to the kubelet API requires authorization by delegation to the API server
# When enabled, access to the kubelet API requires authorization by delegation to the API server
kubelet_authorization_mode_webhook: false
kubelet_authorization_mode_webhook: false
# kubelet uses certificates for authenticating to the Kubernetes API
# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
kubelet_rotate_certificates: true
## v1.11 feature
## v1.11 feature
feature_gate_v1_11:
feature_gate_v1_11:
- "PersistentLocalVolumes={{ local_volume_provisioner_enabled | string }}"
- "PersistentLocalVolumes={{ local_volume_provisioner_enabled | string }}"
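Review bot: The two comment lines above `kubelet_rotate_certificates: true` describe only part of what the setting does: the template change in this commit passes `--rotate-certificates`, which renews the kubelet's client certificate for API authentication and leaves the kubelet serving certificate untouched, and because the default is `true` every existing cluster starts submitting renewal CSRs on the next run. Add `# Only the kubelet client certificate is rotated; the serving certificate is not covered` and `# Requires the controller-manager to sign node CSRs and an approver for them, otherwise renewals stay pending and the node loses API access at expiry` so operators know what to verify before upgrading.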