241 lines
6.9 KiB
Django/Jinja
241 lines
6.9 KiB
Django/Jinja
apiVersion: kubeadm.k8s.io/v1beta3
|
|
kind: InitConfiguration
|
|
{% if kubetoken is defined %}
|
|
bootstrapTokens:
|
|
- token: "{{ kubetoken.stdout }}"
|
|
description: "kubeadm bootstrap token"
|
|
ttl: "24h"
|
|
{% endif %}
|
|
nodeRegistration:
|
|
{% if kubernetes_cri == "containerd" %}
|
|
criSocket: "/run/containerd/containerd.sock"
|
|
{% elif kubernetes_cri == "cri-o" %}
|
|
criSocket: "/var/run/crio/crio.sock"
|
|
{% elif kubernetes_cri == "docker" %}
|
|
criSocket: "/var/run/docker.sock"
|
|
{% endif %}
|
|
name: {{ ansible_hostname }}
|
|
{% if false %}
|
|
imagePullPolicy: IfNotPresent
|
|
taints:
|
|
- key: "kubeadmNode"
|
|
value: "master"
|
|
effect: "NoSchedule"
|
|
{% endif %}
|
|
kubeletExtraArgs:
|
|
{% if ansible_service_mgr == "systemd" %}
|
|
cgroup-driver: "systemd"
|
|
{% endif %}
|
|
container-runtime: "remote"
|
|
runtime-request-timeout: "5m"
|
|
{% if kubernetes_cri == "containerd" %}
|
|
container-runtime-endpoint: "unix:///run/containerd/containerd.sock"
|
|
{% elif kubernetes_cri == "cri-o" %}
|
|
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
|
|
{% endif %}
|
|
node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}
|
|
read-only-port: "10255"
|
|
ignorePreflightErrors:
|
|
- SystemVerification
|
|
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
|
- NumCPU
|
|
{% endif %}
|
|
{% if true == false %}
|
|
- IsPrivilegedUser
|
|
{% endif %}
|
|
localAPIEndpoint:
|
|
advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
|
|
bindPort: 6443
|
|
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
|
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
|
|
{% endif %}
|
|
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
|
|
---
|
|
apiVersion: kubeadm.k8s.io/v1beta3
|
|
kind: ClusterConfiguration
|
|
kubernetesVersion: stable
|
|
{% if lbip_kubeapiserver is defined %}
|
|
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
|
|
{% else %}
|
|
controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}:6443"
|
|
{% endif %}
|
|
apiServer:
|
|
extraArgs:
|
|
enable-admission-plugins: NodeRestriction
|
|
authorization-mode: "Node,RBAC"
|
|
audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
audit-log-path: "/var/log/apiserver/audit.log"
|
|
audit-log-maxage: "30"
|
|
audit-log-maxbackup: "10"
|
|
audit-log-maxsize: "100"
|
|
{% if false %}
|
|
# Falco
|
|
audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
|
|
audit-webhook-batch-max-wait: "5s"
|
|
{% endif %}
|
|
extraVolumes:
|
|
- name: "audit-log"
|
|
hostPath: "/var/log/apiserver"
|
|
mountPath: "/var/log/apiserver"
|
|
readOnly: false
|
|
pathType: DirectoryOrCreate
|
|
- name: "audit-policies"
|
|
hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
readOnly: false
|
|
pathType: File
|
|
{% if lb_kubemaster is defined %}
|
|
certSANs:
|
|
- "{{ lb_kubemaster }}"
|
|
{% endif %}
|
|
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
|
|
networking:
|
|
podSubnet: "{{ kubernetes_pods_network }}"
|
|
{% endif %}
|
|
controllerManager:
|
|
extraArgs:
|
|
bind-address: 0.0.0.0
|
|
scheduler:
|
|
extraArgs:
|
|
bind-address: 0.0.0.0
|
|
etcd:
|
|
local:
|
|
dataDir: /var/lib/etcd
|
|
extraArgs:
|
|
listen-metrics-urls: http://0.0.0.0:2381
|
|
{% endif %}
|
|
{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
|
---
|
|
apiVersion: kubeadm.k8s.io/v1beta3
|
|
kind: JoinConfiguration
|
|
{% if kubernetes_master|bool %}
|
|
controlPlane:
|
|
localAPIEndpoint:
|
|
advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
|
|
bindPort: 6443
|
|
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
|
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
|
|
{% endif %}
|
|
{% endif %}
|
|
discovery:
|
|
bootstrapToken:
|
|
apiServerEndpoint: "{{ lb_kubemaster }}:6443"
|
|
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
|
caCertHashes:
|
|
- sha256:{{ cacerthash.stdout }}
|
|
token: "{{ kubetoken.stdout }}"
|
|
{% endif %}
|
|
nodeRegistration:
|
|
kubeletExtraArgs:
|
|
node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}
|
|
# read-only-port: "10255"
|
|
ignorePreflightErrors:
|
|
- SystemVerification
|
|
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
|
- NumCPU
|
|
{% endif %}
|
|
{% endif %}
|
|
---
|
|
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
|
kind: KubeProxyConfiguration
|
|
metricsBindAddress: "0.0.0.0:10249"
|
|
{% if kubernetes_kubeproxy_mode is defined %}
|
|
mode: {{ kubernetes_kubeproxy_mode }}
|
|
{% if kubernetes_kubeproxy_mode == "ipvs" %}
|
|
ipvs:
|
|
strictARP: true
|
|
{% endif %}
|
|
{% endif %}
|
|
---
|
|
apiVersion: kubelet.config.k8s.io/v1beta1
|
|
kind: KubeletConfiguration
|
|
#authentication:
|
|
# anonymous:
|
|
# enabled: false
|
|
# webhook:
|
|
# cacheTTL: 2m0s
|
|
# enabled: true
|
|
# x509:
|
|
# clientCAFile: /etc/kubernetes/pki/ca.crt
|
|
#authorization:
|
|
# mode: Webhook
|
|
# webhook:
|
|
# cacheAuthorizedTTL: 5m0s
|
|
# cacheUnauthorizedTTL: 30s
|
|
{% if ansible_service_mgr == "systemd" %}
|
|
cgroupDriver: systemd
|
|
{% endif %}
|
|
#cgroupsPerQOS: true
|
|
#clusterDNS:
|
|
#- 10.96.0.10
|
|
#clusterDomain: cluster.local
|
|
#configMapAndSecretChangeDetectionStrategy: Watch
|
|
#containerLogMaxFiles: 5
|
|
#containerLogMaxSize: 10Mi
|
|
#contentType: application/vnd.kubernetes.protobuf
|
|
#cpuCFSQuota: true
|
|
#cpuCFSQuotaPeriod: 100ms
|
|
#cpuManagerPolicy: none
|
|
#cpuManagerReconcilePeriod: 10s
|
|
#enableControllerAttachDetach: true
|
|
#enableDebuggingHandlers: true
|
|
#enforceNodeAllocatable:
|
|
#- pods
|
|
#eventBurst: 10
|
|
#eventRecordQPS: 5
|
|
#evictionHard:
|
|
# imagefs.available: 15%
|
|
# memory.available: 500Mi
|
|
# nodefs.available: 10%
|
|
# nodefs.inodesFree: 5%
|
|
#evictionPressureTransitionPeriod: 5m0s
|
|
#failSwapOn: true
|
|
#fileCheckFrequency: 20s
|
|
#hairpinMode: promiscuous-bridge
|
|
#healthzBindAddress: 127.0.0.1
|
|
#healthzPort: 10248
|
|
#httpCheckFrequency: 20s
|
|
#imageGCHighThresholdPercent: 85
|
|
#imageGCLowThresholdPercent: 80
|
|
#imageMinimumGCAge: 2m0s
|
|
#iptablesDropBit: 15
|
|
#iptablesMasqueradeBit: 14
|
|
#kubeAPIBurst: 10
|
|
#kubeAPIQPS: 5
|
|
#logging: {}
|
|
#makeIPTablesUtilChains: true
|
|
#maxOpenFiles: 1000000
|
|
#maxPods: 110
|
|
#memorySwap: {}
|
|
#nodeLeaseDurationSeconds: 40
|
|
#nodeStatusReportFrequency: 1m0s
|
|
#nodeStatusUpdateFrequency: 10s
|
|
#oomScoreAdj: -999
|
|
#podPidsLimit: -1
|
|
#port: 10250
|
|
#registryBurst: 10
|
|
#registryPullQPS: 5
|
|
#resolvConf: /etc/resolv.conf
|
|
#rotateCertificates: true
|
|
runtimeRequestTimeout: 5m
|
|
#serializeImagePulls: true
|
|
#shutdownGracePeriod: 0s
|
|
#shutdownGracePeriodCriticalPods: 0s
|
|
#staticPodPath: /etc/kubernetes/manifests
|
|
#streamingConnectionIdleTimeout: 4h0m0s
|
|
#syncFrequency: 1m0s
|
|
#topologyManagerPolicy: none
|
|
#volumeStatsAggPeriod: 1m0s
|
|
|
|
{% if false %}
|
|
readOnlyPort: 1
|
|
systemReserved:
|
|
cpu=200m,memory=200M
|
|
|
|
containerRuntime: remote
|
|
{% if kubernetes_cri == "containerd" %}
|
|
containerRuntimeEndpoint: "unix:///run/containerd/containerd.sock"
|
|
{% elif kubernetes_cri == "cri-o" %}
|
|
containerRuntimeEndpoint: "unix:///var/run/crio/crio.sock"
|
|
{% endif %}
|
|
{% endif %}
|