Merge pull request #1937 from chadswen/disable-api-insecure-port
Support for disabling apiserver insecure port
commit
f25e4dc3ed
6 changed files with 31 additions and 6 deletions
|
@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
|
|||
# This is where to save basic auth file
|
||||
kube_users_dir: "{{ kube_config_dir }}/users"
|
||||
|
||||
kube_api_anonymous_auth: false
|
||||
kube_api_anonymous_auth: true
|
||||
|
||||
## Change this to use another Kubernetes version, e.g. a current beta release
|
||||
kube_version: v1.8.2
|
||||
|
@ -106,6 +106,8 @@ kube_network_node_prefix: 24
|
|||
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
||||
kube_apiserver_port: 6443 # (https)
|
||||
kube_apiserver_insecure_port: 8080 # (http)
|
||||
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
|
||||
#kube_apiserver_insecure_port: 0 # (disabled)
|
||||
|
||||
# DNS configuration.
|
||||
# Kubernetes cluster name, also will be used as DNS domain
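Review bot: The default for `kube_api_anonymous_auth` appears to flip from `false` to `true` in the first hunk, which would enable anonymous requests on every cluster, including those that keep the insecure port at 8080 and do not need it. The +/- markers are lost on this page, so the direction is inferred from the comment added in the second hunk. Anonymous access is only needed once the HTTPS port is probed without credentials, so the safer default is `kube_api_anonymous_auth: false`, with the comment above the commented-out port line telling operators to change both settings together. If the default stays `true`, put a comment next to it such as `# Anonymous requests run as system:anonymous; only safe when RBAC is the authorization mode`.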
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
---
|
||||
- name: Kubernetes Apps | Wait for kube-apiserver
|
||||
uri:
|
||||
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
|
||||
url: "{{ kube_apiserver_endpoint }}/healthz"
|
||||
validate_certs: no
|
||||
client_cert: "{{ kube_cert_dir }}/apiserver.pem"
|
||||
client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
|
||||
register: result
|
||||
until: result.status == 200
|
||||
retries: 10
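Review bot: `validate_certs: no` turns off server certificate verification on a request that presents the apiserver client certificate and key, so this wait accepts any TLS endpoint answering at `kube_apiserver_endpoint`. If that endpoint can be a load balancer or a remote master rather than localhost (not visible here), the task should verify against the cluster CA, or at least carry a comment saying why verification is skipped. The same three added lines appear in the two following wait-for-apiserver tasks (the second `retries: 10` task and the `retries: 20` task). Writing the value as `validate_certs: false` also avoids the YAML 1.1 `no` boolean form.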
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
---
|
||||
- name: Kubernetes Apps | Wait for kube-apiserver
|
||||
uri:
|
||||
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
|
||||
url: "{{ kube_apiserver_endpoint }}/healthz"
|
||||
validate_certs: no
|
||||
client_cert: "{{ kube_cert_dir }}/apiserver.pem"
|
||||
client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
|
||||
register: result
|
||||
until: result.status == 200
|
||||
retries: 10
|
||||
|
|
|
@ -39,7 +39,10 @@
|
|||
|
||||
- name: Master | wait for the apiserver to be running
|
||||
uri:
|
||||
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
|
||||
url: "{{ kube_apiserver_endpoint }}/healthz"
|
||||
validate_certs: no
|
||||
client_cert: "{{ kube_cert_dir }}/apiserver.pem"
|
||||
client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
|
||||
register: result
|
||||
until: result.status == 200
|
||||
retries: 20
|
||||
|
|
|
@ -110,9 +110,17 @@ spec:
|
|||
httpGet:
|
||||
host: 127.0.0.1
|
||||
path: /healthz
|
||||
{% if kube_apiserver_insecure_port == 0 %}
|
||||
port: {{ kube_apiserver_port }}
|
||||
scheme: HTTPS
|
||||
{% else %}
|
||||
port: {{ kube_apiserver_insecure_port }}
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 10
|
||||
{% endif %}
|
||||
failureThreshold: 8
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 15
|
||||
volumeMounts:
|
||||
- mountPath: {{ kube_config_dir }}
|
||||
name: kubernetes-config
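Review bot: The `{% if kube_apiserver_insecure_port == 0 %}` test compares against the integer 0, so a value supplied as a string (for example through command-line extra vars) would take the `else` branch and render `port: 0` with no HTTPS scheme. Casting first, `{% if kube_apiserver_insecure_port|int == 0 %}`, keeps the probe on the secure port in that case; the `when: kube_apiserver_insecure_port == 0` on the new preflight assert has the same comparison. A short template comment noting that the HTTPS probe sends no client credentials, and so depends on anonymous access to `/healthz`, would explain why the preflight assert exists. The container spec continues outside the hunk.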
|
||||
|
|
|
@ -78,3 +78,9 @@
|
|||
that: ansible_swaptotal_mb == 0
|
||||
when: kubelet_fail_swap_on|default(true)
|
||||
ignore_errors: "{{ ignore_assert_errors }}"
|
||||
|
||||
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
|
||||
assert:
|
||||
that: rbac_enabled and kube_api_anonymous_auth
|
||||
when: kube_apiserver_insecure_port == 0
|
||||
ignore_errors: "{{ ignore_assert_errors }}"
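Review bot: The new assert runs only when the insecure port is 0, so a configuration with `kube_api_anonymous_auth: true` and RBAC not enabled still passes preflight when the port is left at 8080. That combination is the risky one, because anonymous requests are then judged by whatever non-RBAC authorizer is configured; an ungated task with `that: rbac_enabled or not kube_api_anonymous_auth` would catch it. Adding a `msg:` to the assert would tell the operator which two settings to change. Because `ignore_errors: "{{ ignore_assert_errors }}"` lets the whole check be bypassed, that is worth stating in a comment. `rbac_enabled` is defined outside this hunk.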
|