# SPDX-license-identifier: Apache-2.0 ############################################################################## # Copyright (c) 2018 # All rights reserved. This program and the accompanying materials # are made available under the terms of the Apache License, Version 2.0 # which accompanies this distribution, and is available at # http://www.apache.org/licenses/LICENSE-2.0 ############################################################################## # Kubernetes configuration dirs and system namespace. # Those are where all the additional config stuff goes # kubernetes normally puts in /srv/kubernetes. # This puts them in a sane location and namespace. # Editing those values will almost surely break something. system_namespace: kube-system # Logging directory (sysvinit systems) kube_log_dir: "/var/log/kubernetes" kube_api_anonymous_auth: true # Users to create for basic auth in Kubernetes API via HTTP # Optionally add groups for user kube_api_pwd: "secret" kube_users: kube: pass: "{{kube_api_pwd}}" role: admin groups: - system:masters ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth) #kube_oidc_auth: false kube_basic_auth: true kube_token_auth: true # Choose network plugin (calico, contiv, weave or flannel) # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing kube_network_plugin: flannel # Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts kubeconfig_localhost: true # Copy kubectl binary on the host that runs Ansible to inventory/artifacts kubectl_localhost: true # Disable nodelocal dns cache enable_nodelocaldns: false # Enable MountPropagation gate feature local_volumes_enabled: true local_volume_provisioner_enabled: true # Helm deployment helm_enabled: true helm_stable_repo_url: "https://charts.helm.sh/stable" # Kube-proxy proxyMode configuration. # NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and # works in the kernel space # https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs #kube_proxy_mode: ipvs # Download container images only once then push to cluster nodes in batches download_run_once: True # Where the binaries will be downloaded. # Note: ensure that you've enough disk space (about 1G) local_release_dir: "/tmp/releases" #Set download_localhost: True to make localhost the download delegate. This can be useful if #cluster nodes cannot access external addresses. To use this requires that docker is installed #and running on the ansible master and that the current user is either in the docker group or #can do passwordless sudo, to be able to access docker. download_localhost: True # Subnet for cluster IPs kube_service_addresses: 10.244.0.0/18 # Subnet for Pod IPs kube_pods_subnet: 10.244.64.0/18 # pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled) podsecuritypolicy_enabled: true # The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of # allowedCapabilities: # - '*' # by # allowedCapabilities: # - NET_ADMIN # - SYS_ADMIN # - SYS_NICE # - SYS_PTRACE # requiredDropCapabilities: # - NET_RAW podsecuritypolicy_restricted_spec: privileged: true allowedCapabilities: - NET_ADMIN - SYS_ADMIN - SYS_NICE - SYS_PTRACE allowPrivilegeEscalation: true volumes: - '*' hostNetwork: true hostPorts: - min: 0 max: 65535 hostIPC: true hostPID: true requiredDropCapabilities: - NET_RAW runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' readOnlyRootFilesystem: false # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags allowedUnsafeSysctls: - '*' # Customize kubelet config of CPU and topology manager kubelet_node_config_extra_args: cpuManagerPolicy: "static" # Options: none (disabled), static (default) topologyManagerPolicy: "best-effort" # Options: none (disabled), best-effort (default), restricted, single-numa-node