6744726089
* kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
73 lines
2.1 KiB
YAML
73 lines
2.1 KiB
YAML
---
|
|
# An experimental dev/test only dynamic volumes provisioner,
|
|
# for PetSets. Works for kube>=v1.3 only.
|
|
kube_hostpath_dynamic_provisioner: "false"
|
|
|
|
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
|
|
kube_apiserver_insecure_bind_address: 127.0.0.1
|
|
|
|
# A port range to reserve for services with NodePort visibility.
|
|
# Inclusive at both ends of the range.
|
|
kube_apiserver_node_port_range: "30000-32767"
|
|
|
|
# ETCD cert dir for connecting apiserver to etcd
|
|
etcd_config_dir: /etc/ssl/etcd
|
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
|
|
|
# ETCD backend for k8s data
|
|
kube_apiserver_storage_backend: etcd3
|
|
|
|
# By default, force back to etcd2. Set to true to force etcd3 (experimental!)
|
|
force_etcd3: false
|
|
|
|
# Limits for kube components
|
|
kube_controller_memory_limit: 512M
|
|
kube_controller_cpu_limit: 250m
|
|
kube_controller_memory_requests: 100M
|
|
kube_controller_cpu_requests: 100m
|
|
kube_controller_node_monitor_grace_period: 40s
|
|
kube_controller_node_monitor_period: 5s
|
|
kube_controller_pod_eviction_timeout: 5m0s
|
|
kube_scheduler_memory_limit: 512M
|
|
kube_scheduler_cpu_limit: 250m
|
|
kube_scheduler_memory_requests: 170M
|
|
kube_scheduler_cpu_requests: 80m
|
|
kube_apiserver_memory_limit: 2000M
|
|
kube_apiserver_cpu_limit: 800m
|
|
kube_apiserver_memory_requests: 256M
|
|
kube_apiserver_cpu_requests: 100m
|
|
|
|
# Admission control plug-ins
|
|
kube_apiserver_admission_control:
|
|
- NamespaceLifecycle
|
|
- LimitRanger
|
|
- ServiceAccount
|
|
- DefaultStorageClass
|
|
- ResourceQuota
|
|
|
|
## Enable/Disable Kube API Server Authentication Methods
|
|
kube_basic_auth: true
|
|
kube_token_auth: true
|
|
kube_oidc_auth: false
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
|
|
|
# kube_oidc_url: https:// ...
|
|
# kube_oidc_client_id: kubernetes
|
|
## Optional settings for OIDC
|
|
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
|
# kube_oidc_username_claim: sub
|
|
# kube_oidc_groups_claim: groups
|
|
|
|
## Variables for custom flags
|
|
apiserver_custom_flags: []
|
|
|
|
controller_mgr_custom_flags: []
|
|
|
|
scheduler_custom_flags: []
|
|
|
|
# kubeadm settings
|
|
# Value of 0 means it never expires
|
|
kubeadm_token_ttl: 0
|