1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
# SPDX-license-identifier: Apache-2.0
##############################################################################
# Copyright (c) 2018
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
system_namespace: kube-system
# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"
kube_api_anonymous_auth: true
# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "secret"
kube_users:
kube:
pass: "{{kube_api_pwd}}"
role: admin
groups:
- system:masters
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
kube_basic_auth: true
kube_token_auth: true
# Choose network plugin (calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: flannel
# Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
kubeconfig_localhost: true
# Copy kubectl binary on the host that runs Ansible to inventory/artifacts
kubectl_localhost: true
# Disable nodelocal dns cache
enable_nodelocaldns: false
# Enable MountPropagation gate feature
local_volumes_enabled: true
local_volume_provisioner_enabled: true
# Helm deployment
helm_enabled: true
helm_stable_repo_url: "https://charts.helm.sh/stable"
# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
# https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
#kube_proxy_mode: ipvs
# Download container images only once then push to cluster nodes in batches
download_run_once: True
# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
#Set download_localhost: True to make localhost the download delegate. This can be useful if
#cluster nodes cannot access external addresses. To use this requires that docker is installed
#and running on the ansible master and that the current user is either in the docker group or
#can do passwordless sudo, to be able to access docker.
download_localhost: True
# Subnet for cluster IPs
kube_service_addresses: 10.244.0.0/18
# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18
# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: true
# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
# allowedCapabilities:
# - '*'
# by
# allowedCapabilities:
# - NET_ADMIN
# - SYS_ADMIN
# - SYS_NICE
# - SYS_PTRACE
# requiredDropCapabilities:
# - NET_RAW
podsecuritypolicy_restricted_spec:
privileged: true
allowedCapabilities:
- NET_ADMIN
- SYS_ADMIN
- SYS_NICE
- SYS_PTRACE
allowPrivilegeEscalation: true
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
requiredDropCapabilities:
- NET_RAW
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
allowedUnsafeSysctls:
- '*'
# Customize kubelet config of CPU and topology manager
kubelet_node_config_extra_args:
cpuManagerPolicy: "static" # Options: none (disabled), static (default)
topologyManagerPolicy: "best-effort" # Options: none (disabled), best-effort (default), restricted, single-numa-node
|
