Commit graph

58 commits

Author SHA1 Message Date
Erwan Miran
1e22c83f0f kube_override_hostname must be in kubernetes/master role defaults (#3647) 2018-11-07 12:38:19 -08:00
Erwan Miran
7bec169d58 Fix ansible syntax to avoid ansible deprecation warnings (#3512)
* failed

* version_compare

* succeeded

* skipped

* success

* version_compare becomes version since ansible 2.5

* ansible minimal version updated in doc and spec

* last version_compare
2018-10-16 15:33:30 -07:00
sangwook
0536125f75 Better fix for openstack cinder zone issue using ignore-volume-az option (#2980)
* Better fix for openstack cinder zone issue[1][2]
using ignore-volume-az option[3].
[1]: https://github.com/kubernetes-incubator/kubespray/pull/2155
[2]: https://github.com/kubernetes-incubator/kubespray/pull/2346
[3]: https://github.com/kubernetes/kubernetes/pull/53523

* Remove kube-scheduler-policy.yaml
2018-09-27 22:15:47 -07:00
Andreas Krüger
d6ebe8c3e7 Sync manifests with kubeadm (#3383) 2018-09-24 02:17:18 -07:00
Erwan Miran
a644b7c267 Introducing credentials_dir in order to be able to override it 2018-09-03 18:04:50 +02:00
Rong Zhang
f453567cce
Merge pull request #3144 from riverzhang/fix-audit-log
Fix install audit failed
2018-08-23 14:41:37 +08:00
rongzhang
5a4352657d Fix install audit failed
1.fix audit log not write
2.fix Parameter not recognized
3.delete kubedm futuregates auditing and use apiServerExtraArgs
2018-08-23 01:47:15 +08:00
Erwan Miran
80cfeea957 psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true 2018-08-22 18:16:13 +02:00
Andreas Krüger
c7de737551
Merge pull request #3133 from mirwan/auditlog_to_stdout_w_kubeadm
Audit log to stdout with kubeadm
2018-08-20 10:43:22 +02:00
Erwan Miran
fc38b6d0ca Ability to define custom audit polcy rules 2018-08-20 07:04:56 +02:00
Erwan Miran
c34900e569 Define apiserver flags directly instead of relying on auditPolicy section in order to have the ability to redirect audit log to stdout with kubeadm 2018-08-20 07:00:53 +02:00
Erwan Miran
58d4d65fab minor variable fix and reuse + handle auditlog redirected to stdout 2018-08-16 12:51:09 +02:00
rongzhang
2ffc1afe40 Support audit 2018-08-16 14:38:07 +08:00
Robert Everson
4eadf3228e Only add admission plugins if defined 2018-08-07 11:25:03 -07:00
Robert Everson
99c5aa5a02 Use k8s default plugin list 2018-08-07 11:25:03 -07:00
Robert Everson
6ed65d762b Separate out plugins into 2 variables 2018-08-07 11:25:03 -07:00
Matthew Mosesohn
07cc981971
refactor vault role (#2733)
* Move front-proxy-client certs back to kube mount

We want the same CA for all k8s certs

* Refactor vault to use a third party module

The module adds idempotency and reduces some of the repetitive
logic in the vault role

Requires ansible-modules-hashivault on ansible node and hvac
on the vault hosts themselves

Add upgrade test scenario
Remove bootstrap-os tags from tasks

* fix upgrade issues

* improve unseal logic

* specify ca and fix etcd check

* Fix initialization check

bump machine size
2018-05-11 19:11:38 +03:00
Suzuka Asagiri
f81e6d2ccf
Add oidc-user-prefix and oidc-group-prefix args 2018-04-23 12:23:59 +09:00
Marcelo Grebois
88765f62e6
Updating order
https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
2018-04-10 17:17:39 +02:00
Marcelo Grebois
4c12b273ac
Enabling MutatingAdmissionWebhook for Istio Automatic sidecar injection
https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection
2018-04-09 12:49:05 +02:00
Wong Hoi Sing Edison
195d6d791a Integrate jetstack/cert-manager 0.2.3 to Kubespray 2018-03-31 19:29:11 +08:00
mirwan
ee8f678010 Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446) 2018-03-21 10:50:32 +03:00
Andreas Krüger
3d6fd49179 Added option for encrypting secrets to etcd v.2 (#2428)
* Added option for encrypting secrets to etcd

* Fix keylength to 32

* Forgot the default

* Rename secrets.yaml to secrets_encryption.yaml

* Fix static path for secrets file to use ansible variable

* Rename secrets.yaml.j2 to secrets_encryption.yaml.j2

* Base64 encode the token

* Fixed merge error

* Changed path to credentials dir

* Update path to secrets file which is now readable inside the apiserver container. Set better file permissions

* Add encryption option to k8s-cluster.yml
2018-03-15 22:20:05 +03:00
Ayaz Ahmed Khan
89847d5684 Explicitly defines the --kubelet-preferred-address-types parameter
to the API server configuration.

This solves the problem where if you have non-resolvable node names,
and try to scale the server by adding new nodes, kubectl commands
start to fail for newly added nodes, giving a TCP timeout error when
trying to resolve the node hostname against a public DNS.
2018-03-05 15:25:14 +01:00
Maxim Krasilnikov
03c61685fb
Added apiserver extra args variable for kubeadm config (#2291) 2018-02-12 10:29:46 +03:00
mlushpenko
4e61fb9cd3 Refactored kubeadm join process and fixed uncrodonng for master nodes 2018-02-09 15:51:47 +01:00
Maxim Krasilnikov
95b8ac5f62 Added optional controller and scheduler extra args to kubeadm config (#2205) 2018-02-05 16:49:13 +03:00
Brad Beam
98300e3165
Merge pull request #2155 from brutus333/fix/pvc
Fix for Issue #2141
2018-01-24 16:15:33 -06:00
Virgil Chereches
a4d142368b Renamed variable from disable_volume_zone_conflict to volume_cross_zone_attachment and removed cloud provider condition; fix identation 2018-01-23 13:14:00 +00:00
Virgil Chereches
3125f93b3f Added disable_volume_zone_conflict variable 2018-01-18 10:55:23 +00:00
Matthew Mosesohn
6bb46e3ecb
Fix param names in preparation for Kubernetes v1.9.0 (#2098)
This does not update v1.9.0, but fixes two incompatibilities
when trying to deploy v1.9.0.
2017-12-20 10:48:09 +00:00
Steven Hardy
d39a88d63f Allow setting --bind-address for apiserver hyperkube (#1985)
* Allow setting --bind-address for apiserver hyperkube

This is required if you wish to configure a loadbalancer (e.g haproxy)
running on the master nodes without choosing a different port for the
vip from that used by the API - in this case you need the API to bind to
a specific interface, then haproxy can bind the same port on the VIP:

root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube

This can be achieved e.g via:

kube_apiserver_bind_address: 192.168.24.16

* Address code review feedback

* Update kube-apiserver.manifest.j2
2017-11-29 15:24:02 +00:00
Chiang Fong Lee
5dc56df64e Fix ordering of kube-apiserver admission control plug-ins (#1841) 2017-10-24 17:28:07 +01:00
Matthew Mosesohn
d487b2f927 Security best practice fixes (#1783)
* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Matthew Mosesohn
ef47a73382 Add new addon Istio (#1744)
* add istio addon

* add addons to a ci job
2017-10-13 15:42:54 +01:00
Matthew Mosesohn
6744726089 kubeadm support (#1631)
* kubeadm support

* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job

* change ci boolean vars to json format

* fixup

* Update create-gce.yml

* Update create-gce.yml

* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Brad Beam
8b151d12b9 Adding yamllinter to ci steps (#1556)
* Adding yaml linter to ci check

* Minor linting fixes from yamllint

* Changing CI to install python pkgs from requirements.txt

- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
2017-08-24 12:09:52 +03:00
jwfang
092bf07cbf basic rbac support 2017-07-17 19:29:59 +08:00
Spencer Smith
c3c9e955e5 Merge pull request #1232 from rsmitty/custom-flags
add ability for custom flags
2017-04-17 14:01:32 -04:00
gbolo
49be805001
allow admission control plug-ins to be easily customized 2017-04-16 22:03:45 -04:00
Spencer Smith
94596388f7 add ability for custom flags 2017-04-14 17:33:04 -04:00
Matthew Mosesohn
80828a7c77 use etcd2 when upgrading unless forced 2017-04-03 15:07:42 +03:00
Matthew Mosesohn
e9a294fd9c Significantly reduce memory requirements
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
4354162067 Merge pull request #1080 from VincentS/Granular_Auth_Control
Granular authentication Control
2017-03-15 13:12:51 +03:00
Vincent Schwarzer
026da060f2 Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Matthew Mosesohn
804e9a09c0 Migrate k8s data to etcd3 api store
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
2017-03-14 17:50:20 +03:00
Vincent Schwarzer
b075960e3b Added Support for OpenID Connect Authentication
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Sergii Golovatiuk
295103adc0 Allow to specify etcd backend for kube-api
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 17:13:22 +01:00
Sergii Golovatiuk
c07d60bc90 Kubernetes Reliability Improvements
- Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a
  chance of overcommitment
- Add a possibility to modify Kubelet node-status-update-frequency
- Add a posibility to configure node-monitor-grace-period,
  node-monitor-period, pod-eviction-timeout for Kubernetes controller
  manager
- Add Kubernetes Relaibility Documentation with recomendations for
  various scenarios.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-09 23:54:08 +01:00
Matthew Mosesohn
fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00