Deploy a Production Ready Kubernetes Cluster on bare metal or raw VMs - This is a clone of https://github.com/kubernetes-sigs/kubespray.git with a kitten twist.
Find a file
Chad Swenson 0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
.github rename almost all mentions of kargo 2017-06-16 13:25:46 -04:00
contrib change how terraform generates apiserver variables (#1922) 2017-11-02 12:26:11 +00:00
docs Fix Typo (#1935) 2017-11-06 13:51:22 +00:00
extra_playbooks Move cluster roles and system namespace to new role 2017-10-26 14:36:05 +01:00
inventory Support for disabling apiserver insecure port 2017-11-06 14:01:10 -06:00
library Idempotency fixes (#1838) 2017-10-25 21:19:40 +01:00
roles Support for disabling apiserver insecure port 2017-11-06 14:01:10 -06:00
scripts premoderator breaks on redirect. update to use kubespray. 2017-06-23 11:49:48 -04:00
tests New addon: local_volume_provisioner (#1909) 2017-11-01 14:25:35 +00:00
.gitignore update terraform, fix deprecated values add default_tags, fix ansible inventory (#1821) 2017-10-18 11:44:32 +01:00
.gitlab-ci.yml Merge pull request #1880 from mattymo/node_auth_fixes2 2017-10-26 10:02:24 -05:00
.gitmodules Remove submodules 2016-03-04 16:14:01 +01:00
.yamllint Adding yamllinter to ci steps (#1556) 2017-08-24 12:09:52 +03:00
ansible.cfg change ssh_args/bastion configuration (#1883) 2017-10-27 12:18:39 +01:00
cluster.yml Remove proxy settings from etcd and kubernetes/master roles 2017-11-03 01:41:17 -05:00
code-of-conduct.md Update Community Code of Conduct (#1530) 2017-08-15 16:24:20 +03:00
CONTRIBUTING.md files needed to move kargo to k8s 2016-08-16 14:01:03 +02:00
LICENSE Create LICENSE 2016-03-01 15:37:01 +01:00
OWNERS Update OWNERS 2016-10-28 11:16:11 +04:00
README.md update link to latest Digital Rebar integration (#1933) 2017-11-06 13:49:54 +00:00
RELEASE.md fix typo 'on' > 'one' 2017-07-14 15:25:09 -04:00
requirements.txt Update gce CI (#1748) 2017-10-05 16:52:28 +01:00
reset.yml rename kargo mentions in top-level yml files 2017-06-16 12:18:35 -04:00
scale.yml add bastion role to scale (#1882) 2017-11-06 13:51:36 +00:00
setup.cfg Align pbr config data with the spec file 2017-08-18 16:04:48 +02:00
setup.py Add pbr build configuration 2017-08-18 12:56:01 +02:00
upgrade-cluster.yml Move cluster roles and system namespace to new role 2017-10-26 14:36:05 +01:00
Vagrantfile Change deprecated vagrant ansible flag 'sudo' to 'become' 2017-10-30 14:37:06 +01:00

Kubernetes Logo

Deploy a production ready kubernetes cluster

If you have questions, join us on the kubernetes slack, channel #kubespray.

  • Can be deployed on AWS, GCE, Azure, OpenStack or Baremetal
  • High available cluster
  • Composable (Choice of the network plugin for instance)
  • Support most popular Linux distributions
  • Continuous integration tests

To deploy the cluster you can use :

kubespray-cli
Ansible usual commands and inventory builder
vagrant by simply running vagrant up (for tests purposes)

Supported Linux distributions

  • Container Linux by CoreOS
  • Debian Jessie
  • Ubuntu 16.04
  • CentOS/RHEL 7

Note: Upstart/SysV init based OS types are not supported.

Versions of supported components

kubernetes v1.8.2
etcd v3.2.4
flanneld v0.8.0
calico v2.5.0
canal (given calico/flannel versions)
weave v2.0.1
docker v1.13 (see note)
rkt v1.21.0 (see Note 2)

Note: kubernetes doesn't support newer docker versions. Among other things kubelet currently breaks on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).

Note 2: rkt support as docker alternative is limited to control plane (etcd and kubelet). Docker is still used for Kubernetes cluster workloads and network plugins' related OS services. Also note, only one of the supported network plugins can be deployed for a given single cluster.

Requirements

  • Ansible v2.4 (or newer) and python-netaddr is installed on the machine that will run Ansible commands
  • Jinja 2.9 (or newer) is required to run the Ansible Playbooks
  • The target servers must have access to the Internet in order to pull docker images.
  • The target servers are configured to allow IPv4 forwarding.
  • Your ssh key must be copied to all the servers part of your inventory.
  • The firewalls are not managed, you'll need to implement your own rules the way you used to. in order to avoid any issue during deployment you should disable your firewall.

Network plugins

You can choose between 4 network plugins. (default: calico, except Vagrant uses flannel)

  • flannel: gre/vxlan (layer 2) networking.

  • calico: bgp (layer 3) networking.

  • canal: a composition of calico and flannel plugins.

  • weave: Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
    (Please refer to weave troubleshooting documentation).

The choice is defined with the variable kube_network_plugin. There is also an option to leverage built-in cloud provider networking instead. See also Network checker.

Community docs and resources

Tools and projects on top of Kubespray

CI Tests

Gitlab Logo

Build graphs

CI/end-to-end tests sponsored by Google (GCE), DigitalOcean, teuto.net (openstack). See the test matrix for details.