diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index a400d05f9..f3830a521 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 # This is where to save basic auth file
 kube_users_dir: "{{ kube_config_dir }}/users"
-kube_api_anonymous_auth: false
+kube_api_anonymous_auth: true
 ## Change this to use another Kubernetes version, e.g. a current beta release
 kube_version: v1.8.2
@@ -106,6 +106,8 @@ kube_network_node_prefix: 24
 kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
 kube_apiserver_port: 6443 # (https)
 kube_apiserver_insecure_port: 8080 # (http)
+# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
+#kube_apiserver_insecure_port: 0 # (disabled)
 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 025b4fab6..f4349669a 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -1,7 +1,10 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
 uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+ client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
 register: result
 until: result.status == 200
 retries: 10
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 24f94aac5..75be11d4f 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
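Review bot: The new default `kube_api_anonymous_auth: true` applies to every cluster, not only those that set `kube_apiserver_insecure_port: 0`, so unauthenticated requests on the secure port are accepted by default and what they can reach is decided solely by the configured authorizer; the only guard in this series, the assert added to verify-settings.yml, runs when the insecure port is 0, so a cluster that keeps the default 8080 with a permissive authorizer gets anonymous access enabled with no check at all. The only consumer of anonymous auth in this change is the HTTPS liveness probe of the `kube_apiserver_insecure_port == 0` branch, so the safer default is to keep `false` and state the coupling where the variable is defined, e.g. `# Must be true when kube_apiserver_insecure_port is 0: the kube-apiserver liveness probe then reaches /healthz over HTTPS without a client certificate`. In the second hunk the new comment says the disabled port "Requires RBAC in authorization_modes" while the assert in verify-settings.yml checks `rbac_enabled`; name the variable the check actually reads so users set the right one.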
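Review bot: `validate_certs: no` disables TLS verification for the new HTTPS health check and uses a YAML 1.1 truthy spelling; write `validate_certs: false` so yamllint's truthy rule and YAML 1.2 parsers read the same value, and if verification is intentionally off because the endpoint may be an address the serving certificate does not cover, say so in a comment. The same four added lines appear in roles/kubernetes-apps/cluster_roles/tasks/main.yml and roles/kubernetes/master/handlers/main.yml, so whatever is decided here applies to those hunks too. The task also presents the apiserver's own serving certificate and key (`apiserver.pem`/`apiserver-key.pem`) as a client identity; whether that certificate is usable for client authentication depends on how it was issued, which is not visible here, and with `kube_api_anonymous_auth: true` the /healthz request would not need a client certificate at all, so a comment giving the reason for passing it (presumably to keep the wait working when anonymous auth is overridden to false) would help the next maintainer.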
@@ -1,7 +1,10 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
 uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+ client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
 register: result
 until: result.status == 200
 retries: 10
diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml
index 1c6dc956c..02f0b62b9 100644
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -39,7 +39,10 @@
 - name: Master | wait for the apiserver to be running
 uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+ client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
 register: result
 until: result.status == 200
 retries: 20
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 5d4f6cf47..2d0f0c9fb 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -110,9 +110,17 @@ spec:
 httpGet:
 host: 127.0.0.1
 path: /healthz
+{% if kube_apiserver_insecure_port == 0 %}
+ port: {{ kube_apiserver_port }}
+ scheme: HTTPS
+{% else %}
 port: {{ kube_apiserver_insecure_port }}
- initialDelaySeconds: 30
- timeoutSeconds: 10
+{% endif %}
+ failureThreshold: 8
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 15
 volumeMounts:
 - mountPath: {{ kube_config_dir }}
 name: kubernetes-config
diff --git a/roles/kubernetes/preinstall/tasks/verify-settings.yml b/roles/kubernetes/preinstall/tasks/verify-settings.yml
index 9dbd7ab8c..b7bf2d664 100644
--- a/roles/kubernetes/preinstall/tasks/verify-settings.yml
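Review bot: `{% if kube_apiserver_insecure_port == 0 %}` is a typed comparison, so a value that arrives as a string (e.g. quoted in group_vars or passed as a `key=value` extra-var) is `"0"`, which is not `== 0` in Jinja; the template then silently keeps the HTTP probe on port 0 and the liveness probe can never pass, and `{% if kube_apiserver_insecure_port | int == 0 %}` avoids that, as does `| int` in the matching `when: kube_apiserver_insecure_port == 0` in verify-settings.yml. The HTTPS branch also depends on the kubelet's probe reaching /healthz without a client certificate, i.e. on `kube_api_anonymous_auth` being true and the authorizer permitting it, which is worth a template comment next to the `{% if %}` so the coupling survives the next refactor. The probe timing changes (`initialDelaySeconds` 30→15, `timeoutSeconds` 10→15, new `failureThreshold`/`periodSeconds`/`successThreshold`) are unrelated to the insecure-port switch and are not explained anywhere in the hunk; a one-line comment stating the intended total tolerance would make them reviewable.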
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -78,3 +78,9 @@
 that: ansible_swaptotal_mb == 0
 when: kubelet_fail_swap_on|default(true)
 ignore_errors: "{{ ignore_assert_errors }}"
+
+- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
+ assert:
+ that: rbac_enabled and kube_api_anonymous_auth
+ when: kube_apiserver_insecure_port == 0
+ ignore_errors: "{{ ignore_assert_errors }}"
\ No newline at end of file
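Review bot: The added task leaves the file without a trailing newline (the `\ No newline at end of file` marker on the last added line); add one so the next append does not show up as a change to this line. `that: rbac_enabled and kube_api_anonymous_auth` raises an undefined-variable error instead of the assertion failure if `rbac_enabled` is not set for an inventory; if that can happen, `that: rbac_enabled | default(false) and kube_api_anonymous_auth` keeps the failure explicit. A `msg:` on the assert, e.g. `msg: "kube_apiserver_insecure_port: 0 requires rbac_enabled and kube_api_anonymous_auth to be true"`, tells the operator what to change rather than only that a condition was false.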