ea1f072c7e
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
137 lines
4.6 KiB
YAML
137 lines
4.6 KiB
YAML
# Valid bootstrap options (required): ubuntu, coreos, centos, none
|
|
bootstrap_os: none
|
|
|
|
#Directory where etcd data stored
|
|
etcd_data_dir: /var/lib/etcd
|
|
|
|
# Directory where the binaries will be installed
|
|
bin_dir: /usr/local/bin
|
|
|
|
# Kubernetes configuration dirs and system namespace.
|
|
# Those are where all the additional config stuff goes
|
|
# the kubernetes normally puts in /srv/kubernets.
|
|
# This puts them in a sane location and namespace.
|
|
# Editting those values will almost surely break something.
|
|
kube_config_dir: /etc/kubernetes
|
|
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
|
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
|
system_namespace: kube-system
|
|
|
|
# Logging directory (sysvinit systems)
|
|
kube_log_dir: "/var/log/kubernetes"
|
|
|
|
# This is where all the cert scripts and certs will be located
|
|
kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
|
|
|
# This is where all of the bearer tokens will be stored
|
|
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
|
|
|
# This is where to save basic auth file
|
|
kube_users_dir: "{{ kube_config_dir }}/users"
|
|
|
|
kube_api_anonymous_auth: false
|
|
|
|
## Change this to use another Kubernetes version, e.g. a current beta release
|
|
kube_version: v1.5.3
|
|
|
|
# Where the binaries will be downloaded.
|
|
# Note: ensure that you've enough disk space (about 1G)
|
|
local_release_dir: "/tmp/releases"
|
|
# Random shifts for retrying failed ops like pushing/downloading
|
|
retry_stagger: 5
|
|
|
|
# This is the group that the cert creation scripts chgrp the
|
|
# cert files to. Not really changable...
|
|
kube_cert_group: kube-cert
|
|
|
|
# Cluster Loglevel configuration
|
|
kube_log_level: 2
|
|
|
|
# Users to create for basic auth in Kubernetes API via HTTP
|
|
kube_api_pwd: "changeme"
|
|
kube_users:
|
|
kube:
|
|
pass: "{{kube_api_pwd}}"
|
|
role: admin
|
|
root:
|
|
pass: "{{kube_api_pwd}}"
|
|
role: admin
|
|
|
|
|
|
|
|
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
|
#kube_oidc_auth: false
|
|
#kube_basic_auth: false
|
|
#kube_token_auth: false
|
|
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
|
|
|
# kube_oidc_url: https:// ...
|
|
# kube_oidc_client_id: kubernetes
|
|
## Optional settings for OIDC
|
|
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
|
# kube_oidc_username_claim: sub
|
|
# kube_oidc_groups_claim: groups
|
|
|
|
|
|
# Choose network plugin (calico, weave or flannel)
|
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
|
kube_network_plugin: calico
|
|
|
|
# Kubernetes internal network for services, unused block of space.
|
|
kube_service_addresses: 10.233.0.0/18
|
|
|
|
# internal network. When used, it will assign IP
|
|
# addresses from this range to individual pods.
|
|
# This network must be unused in your network infrastructure!
|
|
kube_pods_subnet: 10.233.64.0/18
|
|
|
|
# internal network node size allocation (optional). This is the size allocated
|
|
# to each node on your network. With these defaults you should have
|
|
# room for 4096 nodes with 254 pods per node.
|
|
kube_network_node_prefix: 24
|
|
|
|
# The port the API Server will be listening on.
|
|
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
|
kube_apiserver_port: 6443 # (https)
|
|
kube_apiserver_insecure_port: 8080 # (http)
|
|
|
|
# DNS configuration.
|
|
# Kubernetes cluster name, also will be used as DNS domain
|
|
cluster_name: cluster.local
|
|
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
|
|
ndots: 2
|
|
# Can be dnsmasq_kubedns, kubedns or none
|
|
dns_mode: dnsmasq_kubedns
|
|
# Can be docker_dns, host_resolvconf or none
|
|
resolvconf_mode: docker_dns
|
|
# Deploy netchecker app to verify DNS resolve as an HTTP service
|
|
deploy_netchecker: false
|
|
# Ip address of the kubernetes skydns service
|
|
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
|
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
|
dns_domain: "{{ cluster_name }}"
|
|
|
|
# Path used to store Docker data
|
|
docker_daemon_graph: "/var/lib/docker"
|
|
|
|
## A string of extra options to pass to the docker daemon.
|
|
## This string should be exactly as you wish it to appear.
|
|
## An obvious use case is allowing insecure-registry access
|
|
## to self hosted registries like so:
|
|
docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} --iptables=false"
|
|
docker_bin_dir: "/usr/bin"
|
|
|
|
# Settings for containerized control plane (etcd/kubelet/secrets)
|
|
etcd_deployment_type: docker
|
|
kubelet_deployment_type: docker
|
|
cert_management: script
|
|
vault_deployment_type: docker
|
|
|
|
# K8s image pull policy (imagePullPolicy)
|
|
k8s_image_pull_policy: IfNotPresent
|
|
|
|
# Monitoring apps for k8s
|
|
efk_enabled: false
|