mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2025-12-13 21:34:40 +03:00
633d39448e
Most variables should have a default instead of relying on the default filter. (Note that the variable is misnomed, this should be certs and not keys, but it's not worth breaking compat).
271 lines
10 KiB
YAML
271 lines
10 KiB
YAML
---
|
||
# disable upgrade cluster
|
||
upgrade_cluster_setup: false
|
||
|
||
# By default the external API listens on all interfaces, this can be changed to
|
||
# listen on a specific address/interface.
|
||
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
|
||
# loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on control plane nodes on 127.0.0.1:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }} too.
|
||
kube_apiserver_bind_address: "::"
|
||
|
||
# A port range to reserve for services with NodePort visibility.
|
||
# Inclusive at both ends of the range.
|
||
kube_apiserver_node_port_range: "30000-32767"
|
||
|
||
# ETCD backend for k8s data
|
||
kube_apiserver_storage_backend: etcd3
|
||
|
||
# The interval of compaction requests. If 0, the compaction request from apiserver is disabled.
|
||
kube_apiserver_etcd_compaction_interval: "5m0s"
|
||
|
||
# CIS 1.2.26
|
||
# Validate that the service account token
|
||
# in the request is actually present in etcd.
|
||
kube_apiserver_service_account_lookup: true
|
||
|
||
kube_etcd_cacert_file: ca.pem
|
||
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
|
||
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
|
||
|
||
# Associated interfaces must be reachable by the rest of the cluster, and by
|
||
# CLI/web clients.
|
||
kube_controller_manager_bind_address: "::"
|
||
|
||
## Control plane health check settings
|
||
control_plane_health_retries: 60 # Default retries for apiserver, scheduler, controller-manager health checks
|
||
|
||
# Leader election lease durations and timeouts for controller-manager
|
||
kube_controller_manager_leader_elect_lease_duration: 15s
|
||
kube_controller_manager_leader_elect_renew_deadline: 10s
|
||
|
||
# discovery_timeout modifies the discovery timeout
|
||
discovery_timeout: 5m0s
|
||
|
||
# Instruct first control plane node to refresh kubeadm token
|
||
kubeadm_refresh_token: true
|
||
|
||
# Scale down coredns replicas to 0 if not using coredns dns_mode
|
||
kubeadm_scale_down_coredns_enabled: true
|
||
|
||
# audit support
|
||
kubernetes_audit: false
|
||
# path to audit log file
|
||
audit_log_path: /var/log/audit/kube-apiserver-audit.log
|
||
# num days
|
||
audit_log_maxage: 30
|
||
# the num of audit logs to retain
|
||
audit_log_maxbackups: 10
|
||
# the max size in MB to retain
|
||
audit_log_maxsize: 100
|
||
# policy file
|
||
audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
|
||
# custom audit policy rules (to replace the default ones)
|
||
# audit_policy_custom_rules: |
|
||
# - level: None
|
||
# users: []
|
||
# verbs: []
|
||
# resources: []
|
||
|
||
# audit log hostpath
|
||
audit_log_name: audit-logs
|
||
audit_log_hostpath: /var/log/kubernetes/audit
|
||
audit_log_mountpath: "{{ audit_log_path | dirname }}"
|
||
|
||
# audit policy hostpath
|
||
audit_policy_name: audit-policy
|
||
audit_policy_hostpath: "{{ audit_policy_file | dirname }}"
|
||
audit_policy_mountpath: "{{ audit_policy_hostpath }}"
|
||
|
||
# audit webhook support
|
||
kubernetes_audit_webhook: false
|
||
|
||
# path to audit webhook config file
|
||
audit_webhook_config_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
|
||
audit_webhook_server_url: "https://audit.app"
|
||
audit_webhook_server_extra_args: {}
|
||
audit_webhook_mode: batch
|
||
audit_webhook_batch_max_size: 100
|
||
audit_webhook_batch_max_wait: 1s
|
||
|
||
kube_controller_node_monitor_grace_period: 40s
|
||
kube_controller_node_monitor_period: 5s
|
||
kube_controller_terminated_pod_gc_threshold: 12500
|
||
kube_apiserver_request_timeout: "1m0s"
|
||
kube_apiserver_pod_eviction_not_ready_timeout_seconds: "300"
|
||
kube_apiserver_pod_eviction_unreachable_timeout_seconds: "300"
|
||
|
||
# 1.10+ admission plugins
|
||
kube_apiserver_enable_admission_plugins: []
|
||
|
||
# enable admission plugins configuration
|
||
kube_apiserver_admission_control_config_file: false
|
||
|
||
# data structure to configure EventRateLimit admission plugin
|
||
# this should have the following structure:
|
||
# kube_apiserver_admission_event_rate_limits:
|
||
# <limit_name>:
|
||
# type: <limit_type>
|
||
# qps: <qps_value>
|
||
# burst: <burst_value>
|
||
# cache_size: <cache_size_value>
|
||
kube_apiserver_admission_event_rate_limits: {}
|
||
|
||
## PodSecurityAdmission plugin configuration
|
||
kube_pod_security_use_default: false
|
||
kube_pod_security_default_enforce: baseline
|
||
kube_pod_security_default_enforce_version: "v{{ kube_major_version }}"
|
||
kube_pod_security_default_audit: restricted
|
||
kube_pod_security_default_audit_version: "v{{ kube_major_version }}"
|
||
kube_pod_security_default_warn: restricted
|
||
kube_pod_security_default_warn_version: "v{{ kube_major_version }}"
|
||
kube_pod_security_exemptions_usernames: []
|
||
kube_pod_security_exemptions_runtime_class_names: []
|
||
kube_pod_security_exemptions_namespaces:
|
||
- kube-system
|
||
|
||
## ResourceQuota plugin configuration
|
||
## Resources that ResourceQuota should limit by default if no quota exists
|
||
## Example below enforces quota on all storage classes
|
||
# kube_resource_quota_limited_resources:
|
||
# - apiGroup: ""
|
||
# resource: persistentvolumeclaims
|
||
# matchContains:
|
||
# - .storageclass.storage.k8s.io/requests.storage
|
||
kube_resource_quota_limited_resources: []
|
||
|
||
# 1.10+ list of disabled admission plugins
|
||
kube_apiserver_disable_admission_plugins: []
|
||
|
||
# extra runtime config
|
||
kube_api_runtime_config: []
|
||
|
||
## Enable/Disable Kube API Server Authentication Methods
|
||
kube_token_auth: false
|
||
kube_oidc_auth: false
|
||
|
||
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
|
||
kube_webhook_token_auth: false
|
||
kube_webhook_token_auth_url_skip_tls_verify: false
|
||
# kube_webhook_token_auth_url: https://...
|
||
## base64-encoded string of the webhook's CA certificate
|
||
# kube_webhook_token_auth_ca_data: "LS0t..."
|
||
|
||
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
|
||
# kube_webhook_authorization_url: https://...
|
||
kube_webhook_authorization: false
|
||
kube_webhook_authorization_url_skip_tls_verify: false
|
||
|
||
# Default podnodeselector
|
||
kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
|
||
|
||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
||
|
||
# kube_oidc_url: https:// ...
|
||
# kube_oidc_client_id: kubernetes
|
||
## Optional settings for OIDC
|
||
# kube_oidc_username_claim: sub
|
||
# kube_oidc_username_prefix: 'oidc:'
|
||
# kube_oidc_groups_claim: groups
|
||
# kube_oidc_groups_prefix: 'oidc:'
|
||
# Copy oidc CA file to the following path if needed
|
||
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
||
# Optionally include a base64-encoded oidc CA cert
|
||
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
|
||
|
||
# List of the preferred NodeAddressTypes to use for kubelet connections.
|
||
kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'
|
||
|
||
## Extra args for k8s components passing by kubeadm
|
||
kube_kubeadm_apiserver_extra_args: {}
|
||
kube_kubeadm_controller_extra_args: {}
|
||
|
||
## Extra control plane host volume mounts
|
||
## Example:
|
||
# apiserver_extra_volumes:
|
||
# - name: name
|
||
# hostPath: /host/path
|
||
# mountPath: /mount/path
|
||
# readOnly: true
|
||
apiserver_extra_volumes: {}
|
||
controller_manager_extra_volumes: {}
|
||
|
||
## Encrypting Secret Data at Rest
|
||
kube_encrypt_secret_data: false
|
||
kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
|
||
# Must be either: aescbc, secretbox or aesgcm
|
||
kube_encryption_algorithm: "secretbox"
|
||
# Which kubernetes resources to encrypt
|
||
kube_encryption_resources: [secrets]
|
||
|
||
secrets_encryption_query: "resources[*].providers[0].{{ kube_encryption_algorithm }}.keys[0].secret"
|
||
|
||
## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
|
||
# tls_min_version: ""
|
||
|
||
## Support tls cipher suites.
|
||
# tls_cipher_suites:
|
||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||
# - TLS_RSA_WITH_AES_128_CBC_SHA
|
||
# - TLS_RSA_WITH_AES_128_CBC_SHA256
|
||
# - TLS_RSA_WITH_AES_128_GCM_SHA256
|
||
# - TLS_RSA_WITH_AES_256_CBC_SHA
|
||
# - TLS_RSA_WITH_AES_256_GCM_SHA384
|
||
# - TLS_RSA_WITH_RC4_128_SHA
|
||
|
||
## Amount of time to retain events. (default 1h0m0s)
|
||
event_ttl_duration: "1h0m0s"
|
||
|
||
## Automatically renew K8S control plane certificates on first Monday of each month
|
||
auto_renew_certificates: false
|
||
# First Monday of each month
|
||
auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
|
||
# kubeadm renews all the certificates during control plane upgrade.
|
||
# If we have requirement like without renewing certs upgrade the cluster,
|
||
# we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
|
||
kubeadm_upgrade_auto_cert_renewal: true
|
||
|
||
# Add Subject Alternative Names to the Kubernetes apiserver certificates.
|
||
# Useful if you access the API from multiples load balancers, for instance.
|
||
supplementary_addresses_in_ssl_keys: []
|
||
|
||
# Bash alias of kubectl to interact with Kubernetes cluster much easier
|
||
# kubectl_alias: k
|
||
|
||
## Enable distributed tracing for kube-apiserver
|
||
kube_apiserver_tracing: false
|
||
kube_apiserver_tracing_endpoint: "[::]:4317"
|
||
kube_apiserver_tracing_sampling_rate_per_million: 100
|
||
|
||
# Enable kubeadm file discovery if anonymous access has been removed
|
||
kubeadm_use_file_discovery: "{{ remove_anonymous_access }}"
|
||
|
||
# imagePullSerial specifies if image pulling performed by kubeadm must be done serially or in parallel. Default: true
|
||
kubeadm_image_pull_serial: true
|
||
|
||
# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
|
||
# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
|
||
# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
|
||
kube_asymmetric_encryption_algorithm: "RSA-2048"
|
||
|
||
# certificates validity period configuration
|
||
# non-CA certificate validity period, default 1 year (365d × 24h = 8760h)
|
||
kube_cert_validity_period: 8760h
|
||
# CA certificate validity period, default 10 years (365d × 24h × 10 = 87600h)
|
||
kube_ca_cert_validity_period: 87600h
|