Commit graph

97 commits

Author SHA1 Message Date
Florian Ruynat
05c9169c70
Fix example value for etcd_quota_backend_bytes (#6724) 2020-09-21 05:42:31 -07:00
Hans Feldt
6da385de9d
Use "kubeadm join" to join masters to control plane (#6661)
Remove configuration variable kubeadm_control_plane
2020-09-17 04:34:45 -07:00
Florian Ruynat
a556f8f2bf
Remove deprecated (and removed in 1.19) flag and function --basic-auth-file (#6655) 2020-09-11 00:30:14 -07:00
Hans Feldt
803d52ffce
kubernetes: remove unused variables (#6601) 2020-09-04 04:53:56 -07:00
Sulochan Acharya
36924b63dc
Allow webhook authorization (#6502) 2020-08-24 06:29:41 -07:00
Florian Ruynat
78ceef6b15
Remove unused variable (#6522) 2020-08-18 00:45:29 -07:00
Sulochan Acharya
bfe143808f
Allows tls verify skip on webhook auth url (#6472) 2020-08-05 05:02:29 -07:00
fulii
ce22c0e6a4
Add option to configure IPVS timeouts in kube-proxy configration manifest. (#6396) 2020-08-01 00:33:40 -07:00
Konstantin Lebedev
a7ec0ed587
add audit webhook support (#6317)
* add audit webhook support

* use generic name auditsink
2020-07-20 01:32:54 -07:00
Samuel Liu
c29b21717d
Add event-ttl duration (#6310)
* Add event-ttl duration

* Fix wrong location
2020-06-24 08:15:17 -07:00
Samuel Liu
dba645421f
ADD tls cipher suites support (#6024)
* ADD tls cipher suites support

yaml lint

yamllint

* update test case

* update test case
2020-06-16 04:10:05 -07:00
Maxime Guyot
a7a204ebca
Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797) 2020-03-20 04:14:36 -07:00
Adrien Gooris
da86457cda
remove unused var 'kube_apiserver_admission_control' (#5648) (#5651) 2020-02-19 05:08:25 -08:00
Matthew Mosesohn
471589f1f4 Scale down coredns created by kubeadm upgrade to 0 replicas (#5308)
Change-Id: I128b0f9c1acbb956d9a6c4e5510b45a36e296af7
2019-11-05 03:34:38 -08:00
Etienne Champetier
81cb302399 MetalLB: fail if kube_proxy_strict_arp is false (#5180)
When using IPVS, kube_proxy_strict_arp = true is required
https://github.com/danderson/metallb/issues/153#issuecomment-518651132

Add kube_proxy_strict_arp to inventory/sample
2019-09-26 04:21:06 -07:00
Sergey
1cf6a99df4 generate kubeadm download image list with options useHyperKubeImage (#5203) 2019-09-25 18:03:06 -07:00
Sergey
8984096f35 use hyperkubeimage to run controlplane containers (#5178) 2019-09-17 18:33:28 -07:00
rptaylor
10e0fe86fb remove unimplemented custom_flags vars, document the extra_args vars (issue 4352) (#5108) 2019-08-23 01:21:18 -07:00
Tony Fouchard
f6a63d88a7 Allow to configure strict ARP on kube-proxy (#5092) 2019-08-20 18:21:17 -07:00
Zou Nengren
1bfbc5bbc4 remove resource-container default value for kube-proxy (#4994) 2019-08-15 05:30:33 -07:00
Matthew Mosesohn
7cf8ad4dc7 Optionally refresh kubeadm token every time (#5043)
Change-Id: I278cb14aa93abf20160cc001f69e2f472504e6d8
2019-08-06 00:59:53 -07:00
okamototk
f2b8a3614d Use K8s 1.15 (#4905)
* Use K8s 1.15

* Use Kubernetes 1.15 and use kubeadm.k8s.io/v1beta2 for
  InitConfiguration.
* bump to v1.15.0

* Remove k8s 1.13 checksums.

* Update README kubernetes version 1.15.0.

* Update metrics server 0.3.3 for k8s 1.15

* Remove less than k8s 1.14 related code

* Use kubeadm with --upload-certs instead of --experimental-upload-certs due to depricate

* Update dnsautoscaler 1.6.0

* Skip certificateKey if it's not defined

* Add kubeadm-conftolplane.v2beta2 for k8s 1.15 or later

* Support kubeadm control plane for k8s 1.15

* Update sonobuoy version 0.15.0 for k8s 1.15
2019-07-02 01:51:08 -07:00
Tony Fouchard
216631bf02 Repair kube_proxy_exclude_cidrs (#4909) 2019-06-28 00:39:37 -07:00
Matthew Mosesohn
4348e78b24 Enable kubeadm etcd mode (#4818)
* Enable kubeadm etcd mode

Uses cert commands from kubeadm experimental control plane to
enable non-master nodes to obtain etcd certs.

Related story: PROD-29434

Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178

* Add validation checks and exclude calico kdd mode

Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c

* Move etcd mode test to ubuntu flannel HA job

Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732

* rename etcd_mode to etcd_kubeadm_enabled

Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
2019-06-20 11:12:51 -07:00
Sergey Kolekonov
4a10dca7d4 Add an ability to provide oidc cert in base64 (#4618) 2019-04-24 09:40:01 -07:00
Matthew Mosesohn
05dc2b3a09 Use K8s 1.14 and add kubeadm experimental control plane mode (#4514)
* Use K8s 1.14 and add kubeadm experimental control plane mode

This reverts commit d39c273d96.

* Cleanup kubeadm setup run on first master

* pin kubeadm_certificate_key in test

* Remove kubelet autolabel of kube-node, add symlink for pki dir

Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
2019-04-19 06:01:54 -07:00
Matthew Mosesohn
d39c273d96 Revert "Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)" (#4510)
This reverts commit 316508626d.
2019-04-11 12:52:43 -07:00
Matthew Mosesohn
316508626d Use K8s 1.14 and add kubeadm experimental control plane mode (#4317)
* Use Kubernetes 1.14 and experimental control plane support

* bump to v1.14.0
2019-04-11 05:30:13 -07:00
Xavi
20b12751af add Cinder allowVolumeExpansion option (#4415) 2019-04-04 02:36:50 -07:00
Sergey
55890e1b82 keep compatibility as it was before (#4268) 2019-04-03 01:39:42 -07:00
Manuel Cintron
07b2894080 Adding ability to maintain existing Encryption Secrets at Rest. (#4255)
* Adding ability to maintain existing Encryption Secrets at Rest.

If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token.

This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets.

* Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 07:31:45 -08:00
Chad Swenson
1d9c0c7d17 Fix readOnly flag in kubeadm-config.v1beta1.yaml.j2
In v1beta1 of `ClusterConfiguration` the extraVolumes `writable` field was changed to `readOnly` and its boolean value must be negated.

Also, the json field for `useHyperKubeImage` was incorrectly capitalized.
2019-01-09 20:43:35 -06:00
Andreas Holmsten
4d5b41b8db Allow override of bind addr for controller-manager and scheduler (#3968)
* allows to override the bind addresses for controller-manager and scheduler

Useful for Prometheus metrics monitoring

* Add bind addr override support in kubeadm/v1beta1

Adds support for override of bind addresses for controller-manager
and scheduler in kubeadm/v1beta1

* Move location of bind address vars

* Remove double declaration of schedulerExtraArgs
2019-01-07 20:41:54 -08:00
Chad Swenson
80379f6cab Fix kube-proxy configuration for kubeadm (#3958)
- Creates and defaults an ansible variable for every configuration option in the `kubeproxy.config.k8s.io/v1alpha1` type spec
  - Fixes vars that were orphaned by removing non-kubeadm
  - Fixes previously harcoded kubeadm values
- Introduces a `main` directory for role default files per component (requires ansible 2.6.0+)
  - Split out just `kube-proxy.yml` in this first effort
- Removes the kube-proxy server field patch task

We should continue to pull out other components from `main.yml` into their own defaults files as I did here for `defaults/main/kube-proxy.yml`. I hope for and will need others to join me in this refactoring across the project until each component config template has a matching role defaults file, with shared defaults in `kubespray-defaults` or `downloads`
2019-01-03 00:04:26 -08:00
Seongjin Cho
16715adfa0 Adds support for webhook token auth. (#3939)
Webhook token auth:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication

Fixes #3063.
2018-12-26 01:52:53 -08:00
Rong Zhang
cd42e649a7 Fix reconfigure and upgrade cluster (#3938) 2018-12-24 23:06:27 -08:00
ihard
30a9149b52 add vars for cilium init container (#3893)
* add vars for cilium init container

* make yamllint happy

* add var cilium_init in downloads
2018-12-18 00:34:19 -08:00
Andreas Krüger
d5ce5874e8 Streamline path to certs dir (#3836)
* Streamline path to certs dir

* More fixes

* Set path to etcd certs in kubernetes defaults instead
2018-12-06 23:11:53 -08:00
Chad Swenson
487cfa5e6c Add options for configuring control plane component extra volumes (#3779)
This takes care of a few arbitrary use cases that may require custom mounts
inside of apiserver, controller manager, or scheduler.
2018-11-28 23:16:55 -08:00
Erwan Miran
1e22c83f0f kube_override_hostname must be in kubernetes/master role defaults (#3647) 2018-11-07 12:38:19 -08:00
Erwan Miran
7bec169d58 Fix ansible syntax to avoid ansible deprecation warnings (#3512)
* failed

* version_compare

* succeeded

* skipped

* success

* version_compare becomes version since ansible 2.5

* ansible minimal version updated in doc and spec

* last version_compare
2018-10-16 15:33:30 -07:00
sangwook
0536125f75 Better fix for openstack cinder zone issue using ignore-volume-az option (#2980)
* Better fix for openstack cinder zone issue[1][2]
using ignore-volume-az option[3].
[1]: https://github.com/kubernetes-incubator/kubespray/pull/2155
[2]: https://github.com/kubernetes-incubator/kubespray/pull/2346
[3]: https://github.com/kubernetes/kubernetes/pull/53523

* Remove kube-scheduler-policy.yaml
2018-09-27 22:15:47 -07:00
Andreas Krüger
d6ebe8c3e7 Sync manifests with kubeadm (#3383) 2018-09-24 02:17:18 -07:00
Erwan Miran
a644b7c267 Introducing credentials_dir in order to be able to override it 2018-09-03 18:04:50 +02:00
Rong Zhang
f453567cce
Merge pull request #3144 from riverzhang/fix-audit-log
Fix install audit failed
2018-08-23 14:41:37 +08:00
rongzhang
5a4352657d Fix install audit failed
1.fix audit log not write
2.fix Parameter not recognized
3.delete kubedm futuregates auditing and use apiServerExtraArgs
2018-08-23 01:47:15 +08:00
Erwan Miran
80cfeea957 psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true 2018-08-22 18:16:13 +02:00
Andreas Krüger
c7de737551
Merge pull request #3133 from mirwan/auditlog_to_stdout_w_kubeadm
Audit log to stdout with kubeadm
2018-08-20 10:43:22 +02:00
Erwan Miran
fc38b6d0ca Ability to define custom audit polcy rules 2018-08-20 07:04:56 +02:00
Erwan Miran
c34900e569 Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm 2018-08-20 07:00:53 +02:00