9e2d282709
By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io"
28 lines
1 KiB
YAML
28 lines
1 KiB
YAML
---
|
|
|
|
crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
|
|
crio_conmon: "/usr/bin/conmon"
|
|
crio_enable_metrics: false
|
|
crio_log_level: "info"
|
|
crio_metrics_port: "9090"
|
|
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
|
|
|
|
# Trusted registries to pull unqualified images (e.g. alpine:latest) from
|
|
# By default unqualified images are not allowed for security reasons
|
|
crio_registries: []
|
|
|
|
crio_runc_path: "/usr/bin/runc"
|
|
crio_seccomp_profile: ""
|
|
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
|
|
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
|
|
crio_storage_driver: "overlay2"
|
|
crio_stream_port: "10010"
|
|
|
|
crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
|
|
|
|
crio_kubernetes_version_matrix:
|
|
"1.18": "1.18"
|
|
"1.17": "1.17"
|
|
"1.16": "1.16"
|
|
|
|
crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.17') }}"
|