Commit graph

28 commits

Author SHA1 Message Date
Raj Perera
c8a2fe321b Basic RBAC functionality. (Based from work done by @jwfang (#1351))
* Add a flag "authorization_method", when set to "RBAC" enables role based access control.
* Add required cluster roles and bindings for kube-dns
* Patch tiller deployment to use a service account with proper credentials.
* Add a flag to regenerate kubernetes certs on the nodes.
2017-06-26 16:42:47 +08:00
jwfang
4fa142be0b certs for system:kube-controller-manager system:kube-scheduler 2017-06-26 16:35:24 +08:00
jwfang
27e3998cb6 add kube-node to system:nodes group, add system:kube-proxy cert for kube-proxy 2017-06-26 16:35:24 +08:00
Sergii Golovatiuk
0a687a22ff Change DNS policy for kubernetes components
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:22:57 +02:00
Sergii Golovatiuk
16dd412d89 Refactoring resolv.conf
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-05 09:28:01 +02:00
Vijay Katam
8fc5a844b3 Add support for atomic host
Updates based on feedback

Simplify checks for file exists

remove invalid char

Review feedback. Use regular systemd file.

Add template for docker systemd atomic
2017-03-01 09:38:19 -08:00
Bogdan Dobrelya
6e1c0cdd15 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Bogdan Dobrelya
272b506802 Address standalone kubelet config case
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Matthew Mosesohn
224f5fae63 Add dbus socket dir to kube-proxy 2016-12-05 19:25:27 +03:00
Bogdan Dobrelya
c34c49d4d9 Tune dnsmasq/kubedns limits, replicas, logging
* Add dns_replicas, dns_memory/cpu_limit/requests vars for
dns related apps.
* When kube_log_level=4, log dnsmasq queries as well.
* Add log level control for skydns (part of kubedns app).
* Add limits/requests vars for dnsmasq (part of kubedns app) and
  dnsmasq daemon set.
* Drop string defaults for kube_log_level as it is int and
  is defined in the global vars as well.
* Add docs

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-25 12:49:17 +01:00
Bogdan Dobrelya
1bd3d3a080 Allow pre-downloaded images to be used effectively
According to http://kubernetes.io/docs/user-guide/images/ :
By default, the kubelet will try to pull each image from the
specified registry. However, if the imagePullPolicy property
of the container is set to IfNotPresent or Never, then a local\
image is used (preferentially or exclusively, respectively).

Use IfNotPresent value to allow images prepared by the download
role dependencies to be effectively used by kubelet without pull
errors resulting apps to stay blocked in PullBackOff/Error state
even when there are images on the localhost exist.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 16:16:04 +01:00
Bogdan Dobrelya
9f6c2fd32a Label k8s apps, adjust collect/upload info steps
- Drop debugs from collect-info playbook
- Drop sudo from collect-info step and add target dir var (required for travis jobs)
- Label all k8s apps, including static manifests
- Add logs for K8s apps to be collected as well
- Fix upload to GCS as a public-read tarball

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-10 16:05:50 +01:00
Matthew Mosesohn
0cc3636a37 Add cluster-cidr to kube-proxy config
This option enables masquerading for traffic directed at pods
that comes frmom outside the cluster.
2016-10-12 19:13:33 +03:00
Aleksandr Didenko
40a94947c8 Add support for --masquerade-all in kube-proxy
New boolean var `kube_proxy_masquerade_all` which enables/disables
`--masquerade-all` argument for kube-proxy.

Closes #524
2016-10-03 12:24:43 +02:00
Bogdan Dobrelya
575ec168a3 Add HA/LB endpoints for kube-apiserver
* Add HA docs for API server.
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Use facts for kube_apiserver to not repeat code and enable LB endpoints use.
* Use /healthz check for the wait-for apiserver.
* Use the single endpoint for kubelet instead of the list of apiservers
* Specify kube_apiserver_count to for HA layout

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-25 17:25:45 +02:00
Matthew Mosesohn
74129d199c Revert "Add HA/LB endpoints for kube-apiserver"
This reverts commit a70c3b661e.
2016-07-22 13:54:38 +03:00
Bogdan Dobrelya
fcb1735c09 Add HA/LB endpoints for kube-apiserver
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Add loadbalancer_apiserver_localhost (default false). If enabled, override
the external LB and expect localhost:443/8080 to be new internal only frontends.
* Add kube_apiserver_multiaccess to ignore loadbalancers, and make clients
to access the apiservers as a comma-separated list of access_ip/ip/ansible ip
(a default mode). When disabled, allow clients to use the given loadbalancers.
* Define connections security mode for kube controllers, schedulers, proxies.
It is insecure be default, which is the current deployment choice.
* Rework the groups['kube-master'][0] hardcode defining the apiserver
endpoints.
* Improve grouping of vars and add facts for kube_apiserver.
* Define kube_apiserver_insecure_bind_address as a fact, add more
facts for ease of use.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-21 11:05:03 +02:00
Smana
cb3cc6f523 adding option --proxy-mode for kubeproxy 2016-02-29 11:41:08 +01:00
Greg Althaus
6f1fe0cda2 Force kube-proxy to bind to local address 2016-02-10 10:53:22 -06:00
Greg Althaus
bedcca922c Add variables and defaults for multiple types of ip addresses.
Each node can have 3 IPs.
1. ansible_default_ip4 - whatever ansible things is the first IPv4 address
   usually with the default gw.
2. ip - An address to use on the local node to bind listeners and do local
   communication.  For example, Vagrant boxes have a first address that is the
   NAT bridge and is common for all nodes.  The second address/interface should
   be used.
3. access_ip - An address to use for node-to-node access.  This is assumed to
   be used by other nodes to access the node and may not be actually assigned
   on the node.  For example, AWS public ip that is not assigned to node.

This updates the places addresses are used to use either ip or access_ip and walk
up the list to find an address.
2016-01-27 16:05:39 -06:00
Smaine Kahlouch
9914229484 using ip address instead of inventory_hostname for kube-proxy 2015-12-17 10:43:06 +01:00
ant31
6012230110 Merge branch 'ha_master' of https://github.com/ansibl8s/setup-kubernetes into ha 2015-12-15 17:42:01 +01:00
Smaine Kahlouch
c91a3183d3 manage undefined vars for loadbalancing 2015-12-15 16:51:55 +01:00
ant31
693230ace9 Merge branch 'ha_master' of https://github.com/ansibl8s/setup-kubernetes into ha 2015-12-15 16:28:49 +01:00
ant31
f21f660cc5 Use kube_apiserver_port 2015-12-15 16:27:12 +01:00
Smaine Kahlouch
953f482585 kube-proxy loadbalancing, need an external loadbalancer 2015-12-15 15:20:08 +01:00
Smaine Kahlouch
5efc09710b Renaming hyperkube image vars 2015-12-14 09:54:58 +01:00
Smaine Kahlouch
d1e19563b0 Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-12 19:37:08 +01:00