aboutsummaryrefslogtreecommitdiffstats
path: root/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
blob: 7d0404a5bd433065270b4d0866c8b31a8f14be4f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# SPDX-license-identifier: Apache-2.0
##############################################################################
# Copyright (c) 2018
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################

# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
system_namespace: kube-system

docker_version: 'latest'

# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"

kube_api_anonymous_auth: true

# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "secret"
kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
    role: admin
    groups:
      - system:masters

## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
kube_basic_auth: true
kube_token_auth: true

# Choose network plugin (calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: flannel

# Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
kubeconfig_localhost: true
# Copy kubectl binary on the host that runs Ansible to inventory/artifacts
kubectl_localhost: true

# Enable MountPropagation gate feature
local_volumes_enabled: true
local_volume_provisioner_enabled: true

# Helm deployment
helm_enabled: true
helm_stable_repo_url: "https://charts.helm.sh/stable"

# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
# https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
#kube_proxy_mode: ipvs

# Download container images only once then push to cluster nodes in batches
download_run_once: false

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"

# Makes the installer node a delegate for pushing images while running
# the deployment with ansible. This maybe the case if cluster nodes
# cannot access each over via ssh or you want to use local docker
# images as a cache for multiple clusters.
download_localhost: false

# Subnet for cluster IPs
kube_service_addresses: 10.244.0.0/18

# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18

# disable localdns cache
enable_nodelocaldns: false

# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: true
# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
#   allowedCapabilities:
#     - '*'
# by
#  allowedCapabilities:
#    - NET_ADMIN
#    - SYS_ADMIN
#    - SYS_NICE
#    - SYS_PTRACE
#   requiredDropCapabilities:
#    - NET_RAW
podsecuritypolicy_restricted_spec:
  privileged: true
  allowedCapabilities:
    - NET_ADMIN
    - SYS_ADMIN
    - SYS_NICE
    - SYS_PTRACE
  allowPrivilegeEscalation: true
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  requiredDropCapabilities:
    - NET_RAW
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
  allowedUnsafeSysctls:
    - '*'