Commit graph

159 commits

Author SHA1 Message Date
Matthew Mosesohn
71347322d6 Add cluster-cidr to kube-proxy config
This option enables masquerading for traffic directed at pods
that comes frmom outside the cluster.
2016-10-12 19:13:33 +03:00
Artem Roma
3919d666c1 Add possibility to enable network policy via Calico network controller
The requirements for network policy feature are described here [1]. In
order to enable it, appropriate configuration must be provided to the CNI
plug in and Calico policy controller must be set up. Beside that
corresponding extensions needed to be enabled in k8s API.

Now to turn on the feature user can define `enable_network_policy`
customization variable for Ansible.

[1] http://kubernetes.io/docs/user-guide/networkpolicies/
2016-10-10 17:22:12 +03:00
Sergey Vasilenko
dea4210da1 Bump Calico-CNI plugin binaries versions
and correct checksums
2016-10-07 13:14:46 +03:00
Sergey Vasilenko
a6344f7561 Changes in Kubernetes and Calico-CNI plugin config files
required for usage of Calico CNI plugin version 1.4.2
2016-10-06 19:33:16 +03:00
Smaine Kahlouch
c490e5c8a1 Merge pull request #528 from kubespray/proxy-nginx
Use nginx proxy on non-master nodes to proxy apiserver traffic
2016-10-05 19:19:32 +02:00
Matthew Mosesohn
84052ff0b6 use nginx proxy on non-master nodes to proxy apiserver traffic
Also adds all masters by hostname and localhost/127.0.0.1 to
apiserver SSL certificate.

Includes documentation update on how localhost loadbalancer works.
2016-10-05 20:09:10 +03:00
Aleksandr Didenko
fb0ee9d84a Add support for --masquerade-all in kube-proxy
New boolean var `kube_proxy_masquerade_all` which enables/disables
`--masquerade-all` argument for kube-proxy.

Closes #524
2016-10-03 12:24:43 +02:00
Bogdan Dobrelya
82ee60fe8b Make dnsmasq daemon set optional
Change additional dnsmasq opts:
- Adjust caching size and TTL
- Disable resolve conf to not create loops
- Change dnsPolicy to default (similarly to kubedns's dnsmasq). The
  ClusterFirst should not be used to not create loops
- Disable negative NXDOMAIN replies to be cached
- Make its very installation as optional step (enabled by default).
  If you don't want more than 3 DNS servers, including 1 for K8s, disable
  it.
- Add docs and a drawing to clarify DNS setup.
- Fix stdout logs for dnsmasq/kubedns app configs
- Add missed notifies to resolvconf -u handler
- Fix idempotency of resolvconf head file changes

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-09-23 12:59:06 +02:00
Spencer Smith
60f263b629 updated to no longer handle gce as cloud-provider. provided aws setup doc 2016-08-24 09:48:32 -04:00
Spencer Smith
f35e5e864f pass cloud provider flag in all cases, not just openstack 2016-08-23 13:57:32 -04:00
Matthew Mosesohn
0c953101ff Fix init scripts for etcd. Fixes #383
Fixes Ubuntu 14.04 deployment of etcd.
2016-08-15 14:09:42 +03:00
Matthew Mosesohn
e8a1c7a53f Move docker systemd unit creation to docker role
Creating the unit using default settings early on
and then changing it during network_plugin section
leads to too many docker restarts and duplicated code.

Reversed Wants= dependence on docker.service so it does not
restart docker when reloading systemd

Consolidated all docker restart handlers.
2016-08-02 17:56:24 +03:00
Bogdan Dobrelya
2af71f31b4 Rework systemd service units
* Add for docker system units:
    ExecReload=/bin/kill -s HUP $MAINPID
    Delegate=yes
    KillMode=process.
* Add missed DOCKER_OPTIONS for calico/weave docker systemd unit.
* Change Requires= to a less strict and non-faily Wants=, add missing
  Wants= for After=.
* Align wants/after in a wat if Wants=foo, After= has foo as well.
* Make wants/after docker.service to ask for the docker.socket as well.
* Move "docker rm -f" commands from ExecStartPre= to ExecStopPost=.
  hooks to ensure non-destructive start attempts issued by Wants=.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-08-02 10:55:42 +02:00
Bogdan Dobrelya
731d32afda Add HA/LB endpoints for kube-apiserver
* Add HA docs for API server.
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Use facts for kube_apiserver to not repeat code and enable LB endpoints use.
* Use /healthz check for the wait-for apiserver.
* Use the single endpoint for kubelet instead of the list of apiservers
* Specify kube_apiserver_count to for HA layout

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-25 17:25:45 +02:00
Matthew Mosesohn
d0a1e15ef3 Deploy kubelet and kube-apiserver as containers
kubelet via docker
kube-apiserver as a static pod

Fixed etcd service start to be more tolerant of slow start.

Workaround for kube_version to stay in download role, but not
download an files by creating a new "nothing" download entry.
2016-07-22 16:42:34 +03:00
Matthew Mosesohn
7f212ca9cb Revert "Add HA/LB endpoints for kube-apiserver"
This reverts commit a70c3b661e.
2016-07-22 13:54:38 +03:00
Bogdan Dobrelya
a70c3b661e Add HA/LB endpoints for kube-apiserver
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Add loadbalancer_apiserver_localhost (default false). If enabled, override
the external LB and expect localhost:443/8080 to be new internal only frontends.
* Add kube_apiserver_multiaccess to ignore loadbalancers, and make clients
to access the apiservers as a comma-separated list of access_ip/ip/ansible ip
(a default mode). When disabled, allow clients to use the given loadbalancers.
* Define connections security mode for kube controllers, schedulers, proxies.
It is insecure be default, which is the current deployment choice.
* Rework the groups['kube-master'][0] hardcode defining the apiserver
endpoints.
* Improve grouping of vars and add facts for kube_apiserver.
* Define kube_apiserver_insecure_bind_address as a fact, add more
facts for ease of use.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-21 11:05:03 +02:00
Matthew Mosesohn
c3e5aac18e Add variable kube_resolv_conf
Allow configuration of a custom /etc/resolv.conf for kubelet.
2016-07-20 11:57:47 +03:00
Bogdan Dobrelya
32cd6e99b2 Add etcd proxy support
* Enforce a etcd-proxy role to a k8s-cluster group members. This
provides an HA layout for all of the k8s cluster internal clients.
* Proxies to be run on each node in the group as a separate etcd
instances with a readwrite proxy mode and listen the given endpoint,
which is either the access_ip:2379 or the localhost:2379.
* A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and
loadbalancers and use the etcd members IPs as a comma-separated
list. Otherwise, clients shall use the local endpoint provided by a
etcd-proxy instances on each etcd node. A Netwroking plugins always
use that access mode.
* Fix apiserver's etcd servers args to use the etcd_access_endpoint.
* Fix networking plugins flannel/calico to use the etcd_endpoint.
* Fix name env var for non masters to be set as well.
* Fix etcd_client_url was not used anywhere and other etcd_* facts
evaluation was duplicated in a few places.
* Define proxy modes only in the env file, if not a master. Del
an automatic proxy mode decisions for etcd nodes in init/unit scripts.
* Use Wants= instead of Requires= as "This is the recommended way to
hook start-up of one unit to the start-up of another unit"
* Make apiserver/calico Wants= etcd-proxy to keep it always up

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-07-19 14:09:40 +02:00
Daniel Leining
1d148e9755 fix kubelet ip with quotes 2016-07-05 17:23:08 -04:00
Daniel Leining
d84ed1b4b3 make kubelet use "ip" as bind address 2016-07-05 17:14:12 -04:00
Smana
97de82bbcc upgrade weave to v1.5.0 with cni 2016-04-20 17:09:09 +02:00
teuto.net Netzdienste GmbH
9f8da6c225 Implemented cloud-provider integration for OpenStack.
Currently kubespray does not install kubernetes in a way that allows cinder volumes to be used. This commit provides the necessary cloud configuration file and configures kubelet and kube-apiserver to use it.
2016-03-29 15:17:22 +02:00
Smaine Kahlouch
e8aec5f4f0 Don't call the apiserver when the server is master only 2016-03-22 13:25:41 +01:00
Smana
cb3cc6f523 adding option --proxy-mode for kubeproxy 2016-02-29 11:41:08 +01:00
Smana
a649aa8b7e use ansible_service_mgr to detect init system 2016-02-13 11:46:53 +01:00
Smana
91fca69aa0 generate secrets on deployment machine
test travis with sudo=true instead of required
2016-02-13 06:51:54 +01:00
Smaine Kahlouch
05c8a29688 Merge branch 'master' into weave_network_plugin 2016-02-10 18:33:48 +01:00
Greg Althaus
6f1fe0cda2 Force kube-proxy to bind to local address 2016-02-10 10:53:22 -06:00
Smana
ab007e4ab8 weave network plugin 2016-02-09 17:55:12 +01:00
Smaine Kahlouch
4f92417a5d split network plugins into distinct roles 2016-02-09 11:42:00 +01:00
Greg Althaus
bedcca922c Add variables and defaults for multiple types of ip addresses.
Each node can have 3 IPs.
1. ansible_default_ip4 - whatever ansible things is the first IPv4 address
   usually with the default gw.
2. ip - An address to use on the local node to bind listeners and do local
   communication.  For example, Vagrant boxes have a first address that is the
   NAT bridge and is common for all nodes.  The second address/interface should
   be used.
3. access_ip - An address to use for node-to-node access.  This is assumed to
   be used by other nodes to access the node and may not be actually assigned
   on the node.  For example, AWS public ip that is not assigned to node.

This updates the places addresses are used to use either ip or access_ip and walk
up the list to find an address.
2016-01-27 16:05:39 -06:00
Smaine Kahlouch
283c4169ac run apiserver as a service
reorder master handlers

typo for sysvinit
2016-01-23 14:21:04 +01:00
Smaine Kahlouch
99d16913d3 use bin_dir var in init scripts 2016-01-04 14:35:01 +01:00
Smaine Kahlouch
d172457504 sysvinit scripts 2016-01-04 14:30:37 +01:00
Smaine Kahlouch
6103d673b7 New calico's configuration 2016-01-04 14:30:37 +01:00
Smaine Kahlouch
15cd1bfc56 rename env file 2015-12-31 14:55:06 +01:00
Smaine Kahlouch
1695682d85 handle sysvinit 2015-12-31 14:05:55 +01:00
Smaine Kahlouch
c9d9ccf025 move network-environment template into node role, required by kubelet 2015-12-29 21:36:51 +01:00
Smaine Kahlouch
9914229484 using ip address instead of inventory_hostname for kube-proxy 2015-12-17 10:43:06 +01:00
Smaine Kahlouch
b3841659d7 Review role order, use master ip even when fqdn are used in the inventory 2015-12-16 23:49:01 +01:00
ant31
6012230110 Merge branch 'ha_master' of https://github.com/ansibl8s/setup-kubernetes into ha 2015-12-15 17:42:01 +01:00
Smaine Kahlouch
c91a3183d3 manage undefined vars for loadbalancing 2015-12-15 16:51:55 +01:00
ant31
693230ace9 Merge branch 'ha_master' of https://github.com/ansibl8s/setup-kubernetes into ha 2015-12-15 16:28:49 +01:00
ant31
f21f660cc5 Use kube_apiserver_port 2015-12-15 16:27:12 +01:00
Smaine Kahlouch
953f482585 kube-proxy loadbalancing, need an external loadbalancer 2015-12-15 15:20:08 +01:00
Smaine Kahlouch
4055980ce6 ha apiservers for kubelet 2015-12-15 13:14:27 +01:00
Smaine Kahlouch
5efc09710b Renaming hyperkube image vars 2015-12-14 09:54:58 +01:00
Smaine Kahlouch
0a1b92f348 cluster log level variable 'kube_log_level' 2015-12-12 19:37:08 +01:00
Smaine Kahlouch
af9b945874 add the loadbalancer address to ssl certs 2015-12-12 19:37:08 +01:00
Smaine Kahlouch
d1e19563b0 Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-12 19:37:08 +01:00
Smaine Kahlouch
4a9a82ca86 include kubernetes config 2015-11-22 18:04:50 +01:00
Antoine Legrand
57e1831f78 Update calico to 0.11.0 2015-11-20 10:38:39 +01:00
Smaine Kahlouch
3f411bffe4 include config file into systemd unit file 2015-11-16 22:22:19 +01:00
Smaine Kahlouch
5cc29b77aa add option proxy mode iptables for better performances 2015-11-16 22:21:17 +01:00
ant31
3bf74530ce Add IP var 2015-11-01 11:12:12 +01:00
Smaine Kahlouch
f216302f95 Calico is not a network overlay 2015-10-27 15:49:07 +01:00
Smaine Kahlouch
6183a4d3b1 dns vars for skydns submodule 2015-10-13 17:12:59 +02:00
Smaine Kahlouch
00c562828f Initial commit 2015-10-03 22:19:50 +02:00