Commit graph

13 commits

Author SHA1 Message Date
Raj Perera
992a974b1e Merge branch 'rbac-kp' into rbac-script-cert
# Conflicts:
#	roles/kubernetes-apps/ansible/tasks/main.yml
#	roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml
#	roles/kubernetes-apps/ansible/templates/kubedns-sa.yml
#	roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
#	roles/kubernetes/secrets/files/make-ssl.sh
2017-06-16 11:11:12 -04:00
Raj Perera
0dc38ff9b3 Basic RBAC functionality. (Based from work done by @jwfang (#1351))
* Add a flag "authorization_method", when set to "RBAC" enables role based access control.
* Add required cluster roles and bindings for kube-dns
* Patch tiller deployment to use a service account with proper credentials.
* Add a flag to regenerate kubernetes certs on the nodes.
2017-06-16 10:28:23 -04:00
jwfang
0ee229488e certs for system:kube-controller-manager system:kube-scheduler 2017-06-16 14:21:21 +08:00
jwfang
8b58394d8c seperate kube-proxy certs for each node 2017-06-15 19:20:58 +08:00
jwfang
f3a4c31e66 add kube-node to system:nodes group, add system:kube-proxy cert for kube-proxy 2017-06-15 18:15:52 +08:00
Matthew Mosesohn
a422ad0d50 More idempotency fixes
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00
Matthew Mosesohn
d176818c44 Use find module for checking for certificates
Also generate certs only when absent on master (rather than
when absent on target node)
2017-03-03 16:21:01 +03:00
Matthew Mosesohn
d821448e2f Merge branch 'master' into synthscale 2017-02-21 22:17:43 +03:00
Matthew Mosesohn
a21eb036ee Add no_log to cert tar tasks
This works around 4MB limit for gitlab CI runner.
2017-02-18 14:09:57 +04:00
Andrew Greenwood
ca9ea097df Cleanup legacy syntax, spacing, files all to yml
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks
Cleanup some spacing in various files
Rename some files named yaml to yml for consistancy
2017-02-17 16:22:34 -05:00
Matthew Mosesohn
80c0e747a7 Fix references to CoreOS and Container Linux by CoreOS
Fixes #967
2017-02-16 19:25:17 +03:00
Vladimir Rutsky
09847567ae set "check_mode: no" for read-only "shell" steps that registers result
"shell" step doesn't support check mode, which currently leads to failures,
when Ansible is being run in check mode (because Ansible doesn't run command,
assuming that command might have effect, and no "rc" or "output" is registered).

Setting "check_mode: no" allows to run those "shell" commands in check mode
(which is safe, because those shell commands doesn't have side effects).
2017-02-13 18:53:41 +03:00
Josh Conant
245e05ce61 Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Renamed from roles/kubernetes/secrets/tasks/gen_certs.yml (Browse further)