b075960e3b
To use OpenID Connect Authentication beside deploying an OpenID Connect Identity Provider it is necesarry to pass additional arguments to the Kube API Server. These required arguments were added to the kube apiserver manifest.
43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
# An experimental dev/test only dynamic volumes provisioner,
|
|
# for PetSets. Works for kube>=v1.3 only.
|
|
kube_hostpath_dynamic_provisioner: "false"
|
|
|
|
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
|
|
kube_apiserver_insecure_bind_address: 127.0.0.1
|
|
|
|
# A port range to reserve for services with NodePort visibility.
|
|
# Inclusive at both ends of the range.
|
|
kube_apiserver_node_port_range: "30000-32767"
|
|
|
|
# ETCD cert dir for connecting apiserver to etcd
|
|
etcd_config_dir: /etc/ssl/etcd
|
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
|
|
|
# Limits for kube components
|
|
kube_controller_memory_limit: 512M
|
|
kube_controller_cpu_limit: 250m
|
|
kube_controller_memory_requests: 170M
|
|
kube_controller_cpu_requests: 100m
|
|
kube_controller_node_monitor_grace_period: 40s
|
|
kube_controller_node_monitor_period: 5s
|
|
kube_controller_pod_eviction_timeout: 5m0s
|
|
kube_scheduler_memory_limit: 512M
|
|
kube_scheduler_cpu_limit: 250m
|
|
kube_scheduler_memory_requests: 170M
|
|
kube_scheduler_cpu_requests: 100m
|
|
kube_apiserver_memory_limit: 2000M
|
|
kube_apiserver_cpu_limit: 800m
|
|
kube_apiserver_memory_requests: 256M
|
|
kube_apiserver_cpu_requests: 300m
|
|
kube_apiserver_storage_backend: etcd2
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
|
kube_oidc_auth: false
|
|
#kube_oidc_url: https:// ...
|
|
# kube_oidc_client_id: kubernetes
|
|
## Optional settings for OIDC
|
|
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
|
# kube_oidc_username_claim: sub
|
|
# kube_oidc_groups_claim: groups
|