Address PR feedback.
* Consolidate variable definitions to `kargo-defaults`. * Set `AlwaysAllow` as the default authorization mode. * Ability to set multiple authorization modes. * Various style fixes and typos
This commit is contained in:
parent
b800f7bb07
commit
e663c6b61a
10 changed files with 18 additions and 17 deletions
|
@ -114,3 +114,9 @@ vault_deployment_type: docker
|
||||||
k8s_image_pull_policy: IfNotPresent
|
k8s_image_pull_policy: IfNotPresent
|
||||||
efk_enabled: false
|
efk_enabled: false
|
||||||
enable_network_policy: false
|
enable_network_policy: false
|
||||||
|
|
||||||
|
## List of authorization plugins that must be configured for
|
||||||
|
## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported
|
||||||
|
## at the moment.
|
||||||
|
authorization_mode: ['AlwaysAllow']
|
||||||
|
rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
|
||||||
|
|
|
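Review bot: The new default `authorization_mode: ['AlwaysAllow']` authorizes every request the API server has authenticated, and the comment above it only lists the supported values, so the security consequence of leaving the default in place is not documented; I would extend the comment with `## The default 'AlwaysAllow' authorizes every authenticated request; set ['RBAC'] to enforce role-based access.` The same comment has a grammar slip: `## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' are supported`. Inventories that still pin the scalar form `authorization_mode: RBAC` (the default this commit removes from the kube-master defaults) keep working with `'RBAC' in authorization_mode` only because that is a substring test on a string; the apiserver template's `join(',')` does not tolerate the scalar form, raised on that hunk.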
@ -41,10 +41,9 @@ netchecker_server_memory_requests: 64M
|
||||||
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
||||||
canal_cert_dir: "/etc/canal/certs"
|
canal_cert_dir: "/etc/canal/certs"
|
||||||
|
|
||||||
# RBAC
|
# RBAC specific resources that will be ignored when RBAC is not enabled.
|
||||||
rbac_resources:
|
apiserver_rbac_resources:
|
||||||
- clusterrole,
|
- clusterrole,
|
||||||
- clusterrolebinding,
|
- clusterrolebinding,
|
||||||
- sa
|
- sa
|
||||||
|
- serviceaccount
|
||||||
rbac_enabled: "{{ authorization_mode == 'RBAC' }}"
|
|
||||||
|
|
|
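Review bot: The first two entries of the list this hunk renames carry trailing commas, `- clusterrole,` and `- clusterrolebinding,`, so the YAML values are the strings `clusterrole,` and `clusterrolebinding,` and can never equal a manifest `type:` such as `clusterrolebinding`; the `item.type not in apiserver_rbac_resources` gate in the later kubernetes-apps hunk therefore lets those manifests through even when RBAC is disabled. The commit touches the list (rename plus `- serviceaccount`) without fixing this; the entries should read `- clusterrole` and `- clusterrolebinding`. Since `- sa` and `- serviceaccount` are both kept, a short comment stating that both spellings of the type are accepted would help the next reader.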
@ -21,7 +21,7 @@
|
||||||
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
|
- {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
|
||||||
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
|
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
|
||||||
register: manifests
|
register: manifests
|
||||||
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in rbac_resources or rbac_enabled)
|
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled)
|
||||||
tags: dnsmasq
|
tags: dnsmasq
|
||||||
|
|
||||||
- name: Kubernetes Apps | Start Resources
|
- name: Kubernetes Apps | Start Resources
|
||||||
|
|
|
@ -24,4 +24,4 @@ subjects:
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: cluster-proportional-autoscaler
|
name: cluster-proportional-autoscaler
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
|
@ -114,7 +114,6 @@ spec:
|
||||||
- containerPort: 8080
|
- containerPort: 8080
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
dnsPolicy: Default # Don't use cluster DNS.
|
dnsPolicy: Default # Don't use cluster DNS.
|
||||||
{% if authorization_mode is defined and authorization_mode == "RBAC" %}
|
{% if rbac_enabled %}
|
||||||
serviceAccount: kube-dns
|
|
||||||
serviceAccountName: kube-dns
|
serviceAccountName: kube-dns
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
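Review bot: `{% if rbac_enabled %}` drops the `is defined` guard the replaced condition had and tests the truthiness of whatever `rbac_enabled` resolves to; this commit defines it as the templated string `"{{ 'RBAC' in authorization_mode }}"`, so it is worth confirming it reaches the template as a boolean rather than the text `False`, which a Jinja `if` treats as true and would render `serviceAccountName: kube-dns` under AlwaysAllow. The controller-manager hunk that emits `--use-service-account-credentials` under the same condition shares this concern. If it arrives as text, `{% if rbac_enabled | bool %}` pins the intent.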
@ -2,5 +2,3 @@ helm_enabled: false
|
||||||
|
|
||||||
# specify a dir and attach it to helm for HELM_HOME.
|
# specify a dir and attach it to helm for HELM_HOME.
|
||||||
helm_home_dir: "/root/.helm"
|
helm_home_dir: "/root/.helm"
|
||||||
|
|
||||||
rbac_enabled: "{{ authorization_mode == 'RBAC' }}"
|
|
|
@ -66,4 +66,3 @@ controller_mgr_custom_flags: []
|
||||||
|
|
||||||
scheduler_custom_flags: []
|
scheduler_custom_flags: []
|
||||||
|
|
||||||
authorization_mode: RBAC
|
|
|
@ -82,7 +82,7 @@ spec:
|
||||||
- --anonymous-auth={{ kube_api_anonymous_auth }}
|
- --anonymous-auth={{ kube_api_anonymous_auth }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if authorization_mode %}
|
{% if authorization_mode %}
|
||||||
- --authorization-mode={{ authorization_mode }}
|
- --authorization-mode={{ authorization_mode|join(',') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if apiserver_custom_flags is string %}
|
{% if apiserver_custom_flags is string %}
|
||||||
- {{ apiserver_custom_flags }}
|
- {{ apiserver_custom_flags }}
|
||||||
|
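Review bot: `authorization_mode|join(',')` assumes a list, but the scalar form `authorization_mode: RBAC` was the shipped default until this commit removed it from the kube-master defaults, so an inventory that still sets the scalar renders `--authorization-mode=R,B,A,C`, which the API server would reject. This file already uses the `is string` test for `apiserver_custom_flags`; the same guard keeps both forms working: `- --authorization-mode={{ authorization_mode if authorization_mode is string else authorization_mode|join(',') }}`. The surrounding container args block continues outside the hunk.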
@ -127,4 +127,4 @@ spec:
|
||||||
- hostPath:
|
- hostPath:
|
||||||
path: /etc/ssl/certs/ca-bundle.crt
|
path: /etc/ssl/certs/ca-bundle.crt
|
||||||
name: rhel-ca-bundle
|
name: rhel-ca-bundle
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
@ -35,7 +35,7 @@ spec:
|
||||||
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
||||||
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
{% if authorization_mode is defined and authorization_mode == "RBAC" %}
|
{% if rbac_enabled %}
|
||||||
- --use-service-account-credentials
|
- --use-service-account-credentials
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
||||||
|
|
|
@ -10,8 +10,8 @@
|
||||||
|
|
||||||
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false"
|
- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false"
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_certs: true
|
sync_certs: false
|
||||||
gen_certs: true
|
gen_certs: false
|
||||||
secret_changed: false
|
secret_changed: false
|
||||||
|
|
||||||
- name: "Check certs | check if a cert already exists on node"
|
- name: "Check certs | check if a cert already exists on node"
|
||||||
|
|
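Review bot: Flipping the defaults of `sync_certs` and `gen_certs` to `false` matches the task name, but the tasks that set them back to `true` when a certificate is missing or differs lie outside this hunk; it is worth confirming each of those paths sets the fact explicitly, since any path that previously relied on the `true` default would now silently skip certificate generation or sync. A one-line comment above the task, `# Later tasks flip these to true only when a cert is missing or differs`, would record the contract.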