--- # change to 0.0.0.0 to enable insecure access from anywhere (not recommended) kube_apiserver_insecure_bind_address: 127.0.0.1 # advertised host IP for kubelet. This affects network plugin config. Take caution kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ ',' + ip6 if enable_dual_stack_networks and ip6 is defined }}" # bind address for kubelet. Set to 0.0.0.0 to listen on all interfaces kubelet_bind_address: "{{ ip | default('0.0.0.0') }}" # resolv.conf to base dns config kube_resolv_conf: "/etc/resolv.conf" # Set to empty to avoid cgroup creation kubelet_enforce_node_allocatable: "\"\"" # Set runtime and kubelet cgroups when using systemd as cgroup driver (default) kubelet_runtime_cgroups: "/systemd/system.slice" kubelet_kubelet_cgroups: "/systemd/system.slice" # Set runtime and kubelet cgroups when using cgroupfs as cgroup driver kubelet_runtime_cgroups_cgroupfs: "/system.slice/containerd.service" kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service" ### fail with swap on (default true) kubelet_fail_swap_on: true # Reserve this space for kube resources kube_memory_reserved: 256Mi kube_cpu_reserved: 100m # Reservation for master hosts kube_master_memory_reserved: 512Mi kube_master_cpu_reserved: 200m # Set to true to reserve resources for system daemons system_reserved: false system_memory_reserved: 512Mi system_cpu_reserved: 500m # Reservation for master hosts system_master_memory_reserved: 256Mi system_master_cpu_reserved: 250m ## Eviction Thresholds to avoid system OOMs # https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#eviction-thresholds eviction_hard: {} eviction_hard_control_plane: {} kubelet_status_update_frequency: 10s # Requests for load balancer app loadbalancer_apiserver_memory_requests: 32M loadbalancer_apiserver_cpu_requests: 25m loadbalancer_apiserver_keepalive_timeout: 5m # Uncomment if you need to enable deprecated runtimes # kube_api_runtime_config: # - apps/v1beta1=true # - apps/v1beta2=true # - extensions/v1beta1/daemonsets=true # - extensions/v1beta1/deployments=true # - extensions/v1beta1/replicasets=true # - extensions/v1beta1/networkpolicies=true # - extensions/v1beta1/podsecuritypolicies=true # A port range to reserve for services with NodePort visibility. # Inclusive at both ends of the range. kube_apiserver_node_port_range: "30000-32767" # Configure the amount of pods able to run on single node # default is equal to application default kubelet_max_pods: 110 ## Support parameters to be passed to kubelet via kubelet-config.yaml kubelet_config_extra_args: {} ## Parameters to be passed to kubelet via kubelet-config.yaml when cgroupfs is used as cgroup driver kubelet_config_extra_args_cgroupfs: systemCgroups: /system.slice cgroupRoot: / ## Support parameters to be passed to kubelet via kubelet-config.yaml only on nodes, not masters kubelet_node_config_extra_args: {} # Maximum number of container log files that can be present for a container. kubelet_logfiles_max_nr: 5 # Maximum size of the container log file before it is rotated kubelet_logfiles_max_size: 10Mi ## Support custom flags to be passed to kubelet kubelet_custom_flags: [] ## Support custom flags to be passed to kubelet only on nodes, not masters kubelet_node_custom_flags: [] # If non-empty, will use this string as identification instead of the actual hostname kube_override_hostname: >- {%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%} {%- else -%} {{ inventory_hostname }} {%- endif -%} # The read-only port for the Kubelet to serve on with no authentication/authorization. kube_read_only_port: 0 # Port for healthz for Kubelet kubelet_healthz_port: 10248 # Bind address for healthz for Kubelet kubelet_healthz_bind_address: 127.0.0.1 # sysctl_file_path to add sysctl conf to sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf" # For the openstack integration kubelet will need credentials to access # openstack apis like nova and cinder. Per default this values will be # read from the environment. openstack_auth_url: "{{ lookup('env','OS_AUTH_URL') }}" openstack_username: "{{ lookup('env','OS_USERNAME') }}" openstack_password: "{{ lookup('env','OS_PASSWORD') }}" openstack_region: "{{ lookup('env','OS_REGION_NAME') }}" openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID')|default(lookup('env','OS_PROJECT_NAME'),true),true) }}" openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME') }}" openstack_domain_name: "{{ lookup('env','OS_USER_DOMAIN_NAME') }}" openstack_domain_id: "{{ lookup('env','OS_USER_DOMAIN_ID') }}" # For the vsphere integration, kubelet will need credentials to access # vsphere apis # Documentation regarding these values can be found # https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/vsphere/vsphere.go#L105 vsphere_vcenter_ip: "{{ lookup('env', 'VSPHERE_VCENTER') }}" vsphere_vcenter_port: "{{ lookup('env', 'VSPHERE_VCENTER_PORT') }}" vsphere_user: "{{ lookup('env', 'VSPHERE_USER') }}" vsphere_password: "{{ lookup('env', 'VSPHERE_PASSWORD') }}" vsphere_datacenter: "{{ lookup('env', 'VSPHERE_DATACENTER') }}" vsphere_datastore: "{{ lookup('env', 'VSPHERE_DATASTORE') }}" vsphere_working_dir: "{{ lookup('env', 'VSPHERE_WORKING_DIR') }}" vsphere_insecure: "{{ lookup('env', 'VSPHERE_INSECURE') }}" vsphere_resource_pool: "{{ lookup('env', 'VSPHERE_RESOURCE_POOL') }}" vsphere_scsi_controller_type: pvscsi # vsphere_public_network is name of the network the VMs are joined to vsphere_public_network: "{{ lookup('env', 'VSPHERE_PUBLIC_NETWORK')|default('') }}" ## When azure is used, you need to also set the following variables. ## see docs/azure.md for details on how to get these values # azure_tenant_id: # azure_subscription_id: # azure_aad_client_id: # azure_aad_client_secret: # azure_resource_group: # azure_location: # azure_subnet_name: # azure_security_group_name: # azure_vnet_name: # azure_route_table_name: # supported values are 'standard' or 'vmss' # azure_vmtype: standard # Sku of Load Balancer and Public IP. Candidate values are: basic and standard. azure_loadbalancer_sku: basic # excludes master nodes from standard load balancer. azure_exclude_master_from_standard_lb: true # disables the outbound SNAT for public load balancer rules azure_disable_outbound_snat: false # use instance metadata service where possible azure_use_instance_metadata: true # use specific Azure API endpoints azure_cloud: AzurePublicCloud ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. # tls_min_version: "" ## Support tls cipher suites. # tls_cipher_suites: # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # - TLS_ECDHE_RSA_WITH_RC4_128_SHA # - TLS_RSA_WITH_3DES_EDE_CBC_SHA # - TLS_RSA_WITH_AES_128_CBC_SHA # - TLS_RSA_WITH_AES_128_CBC_SHA256 # - TLS_RSA_WITH_AES_128_GCM_SHA256 # - TLS_RSA_WITH_AES_256_CBC_SHA # - TLS_RSA_WITH_AES_256_GCM_SHA384 # - TLS_RSA_WITH_RC4_128_SHA