1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
# SPDX-license-identifier: Apache-2.0
##############################################################################
# Copyright (c) 2018
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
system_namespace: kube-system
# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"
kube_api_anonymous_auth: true
# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "secret"
kube_users:
kube:
pass: "{{kube_api_pwd}}"
role: admin
groups:
- system:masters
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: true
kube_token_auth: true
# Choose network plugin (calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: flannel
# Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
kubeconfig_localhost: true
# Copy kubectl binary on the host that runs Ansible to inventory/artifacts
kubectl_localhost: true
# Enable MountPropagation gate feature
local_volumes_enabled: true
local_volume_provisioner_enabled: true
## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.20.7
# Helm deployment
helm_enabled: true
helm_stable_repo_url: "https://charts.helm.sh/stable"
# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
# https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
#kube_proxy_mode: ipvs
# Download container images only once then push to cluster nodes in batches
download_run_once: false
# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
# Makes the installer node a delegate for pushing images while running
# the deployment with ansible. This maybe the case if cluster nodes
# cannot access each over via ssh or you want to use local docker
# images as a cache for multiple clusters.
download_localhost: false
# Subnet for cluster IPs
kube_service_addresses: 10.244.0.0/18
# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18
# disable localdns cache
enable_nodelocaldns: false
# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: true
# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
# allowedCapabilities:
# - '*'
# by
# allowedCapabilities:
# - NET_ADMIN
# - SYS_ADMIN
# - SYS_NICE
# - SYS_PTRACE
# requiredDropCapabilities:
# - NET_RAW
podsecuritypolicy_restricted_spec:
privileged: true
allowedCapabilities:
- NET_ADMIN
- SYS_ADMIN
- SYS_NICE
- SYS_PTRACE
allowPrivilegeEscalation: true
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
requiredDropCapabilities:
- NET_RAW
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
allowedUnsafeSysctls:
- '*'
# Customize kubelet config of CPU and topology manager
kubelet_node_config_extra_args:
cpuManagerPolicy: "static" # Options: none (disabled), static (default)
topologyManagerPolicy: "best-effort" # Options: none (disabled), best-effort (default), restricted, single-numa-node
# Deploy the Kubernetes dashboard
dashboard_enabled: true
|
