0c7e1889e4
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to: 1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS) 2. Add apiserver client cert/key to the "Wait for apiserver up" checks 3. Update apiserver liveness probe to use HTTPS ports 4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately) 5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well. Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check. Options: 1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not. 2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port) 3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest) Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
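---
# Kubernetes configuration dirs and system namespace.
# These are where all the additional config files go
# that Kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing these values will almost surely break something.
kube_config_dir: /etc/kubernetes
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
system_namespace: kube-system

# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"

# This is where all the cert scripts and certs will be located.
# Control-plane private keys live here; restrict host access to this directory.
kube_cert_dir: "{{ kube_config_dir }}/ssl"

# This is where all of the bearer tokens will be stored.
# Static bearer tokens are long-lived credentials; treat this directory as sensitive.
kube_token_dir: "{{ kube_config_dir }}/tokens"

# This is where to save the basic auth file.
kube_users_dir: "{{ kube_config_dir }}/users"

# Allow unauthenticated (anonymous) requests on the apiserver's secure port.
# Anonymous requests are treated as user "system:anonymous" in group
# "system:unauthenticated" and are then subject to the configured authorizer.
# This is only safe when a restrictive authorizer (RBAC) is active on the
# secure port: RBAC's default bindings let "system:unauthenticated" reach
# only discovery/health endpoints such as /healthz. With a permissive
# authorizer (e.g. AlwaysAllow) anonymous auth exposes the whole API
# without credentials.
# It is required (together with RBAC) when kube_apiserver_insecure_port is 0,
# because the apiserver liveness probe then hits /healthz over HTTPS without
# a client certificate.
kube_api_anonymous_auth: true

## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.8.2

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
# Random shifts for retrying failed ops like pushing/downloading
retry_stagger: 5

# This is the group that the cert creation scripts chgrp the
# cert files to. Not really changeable...
kube_cert_group: kube-cert

# Cluster Loglevel configuration
kube_log_level: 2

# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
# The password is generated once by Ansible's "password" lookup and persisted
# in credentials/kube_user on the host running Ansible; keep that file out of
# version control. The "kube" user below is placed in "system:masters", which
# RBAC's default bindings map to cluster-admin, so this is a static,
# full-privilege credential. Set kube_basic_auth: false if you do not need it.
kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15 chars=ascii_letters,digits') }}"
kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
    role: admin
    groups:
      - system:masters

## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: false
#kube_token_auth: false

## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you additionally have to deploy an OpenID Provider (e.g. Dex, Keycloak, ...)
## The issuer URL must be https; set kube_oidc_ca_file when the provider's
## certificate is not issued by a CA the apiserver already trusts.
# kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# kube_oidc_username_claim: sub
# kube_oidc_groups_claim: groups

# Choose network plugin (calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico

# weave's network password for encryption
# if null then no network encryption
# you can use --extra-vars to pass the password in command line
# NOTE: the value below is a placeholder literal, not a generated secret. If you
# use weave, override it with a strong random value (or set it to null to
# deliberately run without encryption) rather than deploying this string.
weave_password: EnterPasswordHere

# Weave uses consensus mode by default
# Enabling seed mode allows to dynamically add or remove hosts
# https://www.weave.works/docs/net/latest/ipam/
weave_mode_seed: false

# These two variables are automatically changed by weave's role, do not manually change these values
# To reset values :
# weave_seed: uninitialized
# weave_peers: uninitialized
weave_seed: uninitialized
weave_peers: uninitialized

# Enable kubernetes network policies
# When false, nothing restricts pod-to-pod traffic between namespaces.
# Enforcement also requires a network plugin that implements NetworkPolicy.
enable_network_policy: false

# Kubernetes internal network for services, unused block of space.
kube_service_addresses: 10.233.0.0/18

# internal network. When used, it will assign IP
# addresses from this range to individual pods.
# This network must be unused in your network infrastructure!
kube_pods_subnet: 10.233.64.0/18

# internal network node size allocation (optional). This is the size allocated
# to each node on your network. With these defaults (a /18 pod subnet split
# into /24 per node) you have room for 64 nodes with 254 pods per node.
kube_network_node_prefix: 24

# The IP and ports the API Server will be listening on.
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https)
# The insecure port serves the API with no authentication or authorization to
# anyone who can reach it. Make sure the role binds it to localhost only, or
# disable it with the setting below.
kube_apiserver_insecure_port: 8080 # (http)
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
# (the apiserver liveness probe then calls /healthz over HTTPS as an anonymous request).
#kube_apiserver_insecure_port: 0 # (disabled)

# DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain
cluster_name: cluster.local
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
ndots: 2
# Can be dnsmasq_kubedns, kubedns or none
dns_mode: kubedns
# Can be docker_dns, host_resolvconf or none
resolvconf_mode: docker_dns
# Deploy netchecker app to verify DNS resolve as an HTTP service
deploy_netchecker: false
# Ip address of the kubernetes skydns service
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
dns_domain: "{{ cluster_name }}"

# Path used to store Docker data
docker_daemon_graph: "/var/lib/docker"

## A string of extra options to pass to the docker daemon.
## This string should be exactly as you wish it to appear.
## An obvious use case is allowing insecure-registry access
## to self hosted registries like so:
## NOTE: --insecure-registry on the whole service CIDR lets the daemon pull
## over plain HTTP or with an unverified TLS certificate from any service in
## that range. Narrow it to your registry's address if you run one, or drop it.
docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} {{ docker_log_opts }}"
docker_bin_dir: "/usr/bin"

# Settings for containerized control plane (etcd/kubelet/secrets)
etcd_deployment_type: docker
kubelet_deployment_type: host
vault_deployment_type: docker
helm_deployment_type: docker

# K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent

# Kubernetes dashboard (available at https://first_master:6443/ui by default;
# port 6443 is the apiserver's HTTPS port, so access is subject to the
# apiserver's authentication and authorization)
dashboard_enabled: true

# Monitoring apps for k8s
efk_enabled: false

# Helm deployment
helm_enabled: false

# Istio deployment
istio_enabled: false

# Local volume provisioner deployment
local_volumes_enabled: false

# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
# (the copied kubeconfig holds cluster credentials; keep artifacts/ out of version control)
# kubeconfig_localhost: false
# Download kubectl onto the host that runs Ansible in GITDIR/artifacts
# kubectl_localhost: false

# dnsmasq
# dnsmasq_upstream_dns_servers:
#   - /resolvethiszone.with/10.0.4.250
#   - 8.8.8.8

# Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
# kubelet_cgroups_per_qos: true

# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
# Acceptable options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
# kubelet_enforce_node_allocatable: pods

## Supplementary addresses that can be added in kubernetes ssl keys.
## That can be useful for example to setup a keepalived virtual IP
# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]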