---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Role defaults for kube_master: the admission plugins, feature gates and
# command-line flags rendered into the kube-apiserver manifest/unit by this
# role, plus the feature gates for the controller-manager and scheduler.
# Every value below is an Ansible default and may be overridden by inventory.

# Admission plugins enabled on kube-apiserver. The list is joined with ','
# into --admission-control below. NodeRestriction (limits what a kubelet may
# modify) and PodSecurityPolicy (limits what a pod may request) are the
# security-relevant entries; removing either widens what nodes and pods can do.
apiserver_admission_controllers:
  - DefaultStorageClass
  - LimitRanger
  - MutatingAdmissionWebhook
  - NamespaceExists
  - NamespaceLifecycle
  - NodeRestriction
  - PodSecurityPolicy
  - ResourceQuota
  - ServiceAccount
  - ValidatingAdmissionWebhook

# Feature gates for kube-apiserver, rendered into --feature-gates by the
# get_kube_options filter (defined elsewhere in this repository). Keep the
# values as real booleans; the filter, not YAML, produces the key=value text.
# NOTE(review): TokenRequest is enabled, but apiserver_params sets neither
# --service-account-issuer nor --service-account-signing-key-file, which the
# TokenRequest API needs to issue tokens — confirm whether it is expected to
# work here or the gate is only pre-enabled.
apiserver_feature_gates:
  CPUManager: false
  DevicePlugins: true
  HugePages: true
  TokenRequest: true
  SCTPSupport: true

# kube-apiserver command-line flags, one per entry. Each entry is quoted so
# the leading "--" and the Jinja expressions are not misparsed by YAML; the
# Jinja is expanded at task time, so host facts (hostvars, groups, nodeindex,
# audit_disc_size) must be available on the master being configured.
apiserver_params:
  - "--admission-control={{ apiserver_admission_controllers | join(',') }}"
  # Advertise and bind to the same address, i.e. the API is not listening on
  # 0.0.0.0; `apiserver` is presumably a per-host variable — confirm in vars.
  - "--advertise-address={{ apiserver }}"
  - "--allow-privileged=true"
  # Unauthenticated requests are rejected outright instead of being mapped
  # to system:anonymous.
  - "--anonymous-auth=false"
  - "--apiserver-count={{ groups['caas_master']|length|int }}"
  # Audit logging: policy file from the caas policy directory, JSON lines,
  # rotated by size. The backup count is derived from the disc size reported
  # by the audit_disc_size command result; assumes audit_disc_size.stdout and
  # caas.audit_log_file_size use the same unit and that caas_max_audit_size
  # is the fraction of the disc reserved for audit logs — TODO confirm.
  - "--audit-policy-file={{ caas.caas_policy_directory }}/audit-policy.yaml"
  - "--audit-log-format=json"
  - "--audit-log-maxsize={{ caas.audit_log_file_size }}"
  - "--audit-log-maxbackup={{ ((audit_disc_size.stdout|int*caas.caas_max_audit_size)/caas.audit_log_file_size)|int }}"
  - "--audit-log-path=/var/log/audit/kube_apiserver/kube-apiserver-audit.log"
  # Node authorizer restricts kubelets to objects bound to their own node;
  # RBAC decides everything else.
  - "--authorization-mode=Node,RBAC"
  - "--bind-address={{ apiserver }}"
  # CA trusted for client-certificate authentication of API clients.
  - "--client-ca-file=/etc/openssl/ca.pem"
  - "--enable-bootstrap-token-auth=true"
  # etcd is reached over mutual TLS with a per-node client certificate
  # (etcd{{ nodeindex }}). The server list starts with this host's
  # infra_internal IP and appends every other caas_master host.
  - "--etcd-cafile=/etc/etcd/ssl/ca.pem"
  - "--etcd-certfile=/etc/etcd/ssl/etcd{{ nodeindex }}.pem"
  - "--etcd-keyfile=/etc/etcd/ssl/etcd{{ nodeindex }}-key.pem"
  - "--etcd-servers=https://{{ hostvars[hostname]['networking']['infra_internal']['ip'] }}:{{ caas.etcd_api_port }}{% for host in ( groups['caas_master'] | reject('search', hostname) ) %},https://{{ hostvars[host]['networking']['infra_internal']['ip'] }}:{{ caas.etcd_api_port }}{% endfor %}"
  # Encryption-at-rest configuration for secrets in etcd. The "experimental-"
  # flag name is the pre-1.13 spelling; confirm it matches the deployed
  # kube-apiserver version.
  - "--experimental-encryption-provider-config={{ caas.cert_path }}/{{ caas._secrets_conf }}"
  - "--feature-gates={{ apiserver_feature_gates | get_kube_options }}"
  # Port 0 disables the plaintext, unauthenticated localhost API endpoint.
  - "--insecure-port=0"
  # apiserver -> kubelet connections (exec, logs, port-forward): verify the
  # kubelet serving certificate against the CA and authenticate with the
  # client certificate below.
  - "--kubelet-certificate-authority=/etc/openssl/ca.pem"
  - "--kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-server.pem"
  - "--kubelet-client-key=/etc/kubernetes/ssl/kubelet-server-key.pem"
  - "--kubelet-https=true"
  # Raised from the kube-apiserver default of 400 non-mutating requests.
  - "--max-requests-inflight=1000"
  # Client identity the apiserver presents to aggregated API servers
  # (e.g. the metrics server).
  - "--proxy-client-cert-file=/etc/kubernetes/ssl/metrics.crt"
  - "--proxy-client-key-file=/etc/kubernetes/ssl/metrics.key"
  # Front-proxy (request-header) authentication.
  # NOTE(review): --requestheader-allowed-names is not set, so any client
  # certificate issued by this CA — which is the same CA as --client-ca-file
  # above — may supply X-Remote-User / X-Remote-Group headers and be trusted
  # as that user. Consider restricting it to the front-proxy client CN(s).
  - "--requestheader-client-ca-file=/etc/openssl/ca.pem"
  - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
  - "--requestheader-group-headers=X-Remote-Group"
  - "--requestheader-username-headers=X-Remote-User"
  - "--secure-port={{ apiserver_port }}"
  # Public key used to verify service-account tokens; lookup=true also
  # checks that the referenced token Secret still exists, so a deleted
  # Secret stops authenticating.
  - "--service-account-key-file=/etc/kubernetes/ssl/service-account.pem"
  - "--service-account-lookup=true"
  - "--service-cluster-ip-range={{ caas.service_cluster_ip_cidr }}"
  # Serving certificate. NOTE(review): the cert is tls-cert.pem but the key
  # is apiserver{{ nodeindex }}-key.pem — presumably the cert is generated
  # per node under the generic name; confirm the pair matches.
  - "--tls-cert-file=/etc/kubernetes/ssl/tls-cert.pem"
  - "--tls-private-key-file=/etc/kubernetes/ssl/apiserver{{ nodeindex }}-key.pem"
  # Static bearer tokens. Entries in this file cannot be revoked individually
  # without editing the file and restarting the apiserver; the file must be
  # treated as a secret.
  - "--token-auth-file={{ caas.cert_path }}/{{ caas.tokenscsv_filename }}"

# Feature gates for kube-controller-manager: the same three as the apiserver
# minus TokenRequest and SCTPSupport, which are set on the apiserver only.
controllermanager_feature_gates:
  CPUManager: false
  DevicePlugins: true
  HugePages: true

# Feature gates for kube-scheduler; kept identical to the controller-manager.
scheduler_feature_gates:
  CPUManager: false
  DevicePlugins: true
  HugePages: true