# K3s configuration template (Jinja2; it references Ansible facts and variables).
# Settings inside the kubernetes_master branch are rendered for server nodes
# only; the remaining keys are rendered for every node.

# Encrypt traffic between nodes with the native WireGuard flannel backend.
flannel-backend: wireguard-native
# The kubelet fails to start when kernel tunables differ from its expected
# defaults, rather than silently changing them.
protect-kernel-defaults: true

{% if kubernetes_master|bool %}
# Encrypt Secret objects at rest in the datastore.
secrets-encryption: true
kube-apiserver-arg:
  # NOTE(review): EventRateLimit takes its limits from the admission
  # configuration file below; confirm that file defines them, along with the
  # Pod Security admission settings its name suggests.
  - 'enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit'
  - 'admission-control-config-file=/etc/kubernetes/psa.yaml'
  # API audit trail. This template creates neither the log directory nor the
  # policy file; both presumably have to exist before the API server starts.
  - 'audit-log-path=/var/log/apiserver/audit.log'
  - 'audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml'
  # Rotation: keep 30 days, at most 10 rotated files, 100 MB per file.
  - 'audit-log-maxage=30'
  - 'audit-log-maxbackup=10'
  - 'audit-log-maxsize=100'
#  - "request-timeout=300s"
kube-controller-manager-arg:
  # Garbage-collect terminated pods once more than 10 have accumulated.
  - 'terminated-pod-gc-threshold=10'
{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
# No server has been recorded as configured for this cluster name yet:
# bootstrap a new cluster from this node.
cluster-init: true
{% else %}
# Additional server: join the cluster that already exists.
# NOTE(review): this branch is reached only when kubernetes_master evaluates
# true under the bool filter, yet the same variable is interpolated as the
# host name in the URL below. Confirm it resolves to a server address here.
server: https://{{ kubernetes_master }}:6443
# The NODE_TOKEN placeholder is not Jinja; it is presumably substituted by a
# later step. The rendered file then contains the cluster join secret, so it
# should be readable by root only.
token: ${NODE_TOKEN}
{% endif %}
{% else %}
# Agent node: join the existing server. The same NODE_TOKEN placeholder is
# used, so the rendered file again contains the join secret.
server: https://{{ kubernetes_master }}:6443
token: ${NODE_TOKEN}
{% endif %}

kubelet-arg:
  # Close idle streaming connections (exec, attach, port-forward) after 5 min.
  - 'streaming-connection-idle-timeout=5m'
  # Restrict kubelet TLS to ECDHE key exchange with AEAD ciphers.
  - 'tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305'

{% if ansible_os_family == "RedHat" %}
# Enable SELinux support on RedHat-family hosts.
selinux: true
{% endif %}

#embedded-registry: true

# Do not deploy the bundled Traefik ingress controller.
disable:
  - traefik

{% if false %}
# Examples that are never rendered (the condition is constant false).
# node-external-ip: 1.2.3.4
#node-label:
#  - "foo=bar"
#  - "something=amazing"
{% endif %}