mirror of https://github.com/easzlab/kubeasz.git
set kubelet authentication/authorization webhook
parent
64e38717dd
commit
aa869e17ff
|
@ -35,9 +35,7 @@ spec:
|
|||
command:
|
||||
- /metrics-server
|
||||
- --metric-resolution=30s
|
||||
- --kubelet-port=10255
|
||||
- --deprecated-kubelet-completely-insecure=true
|
||||
- --kubelet-insecure-tls
|
||||
volumeMounts:
|
||||
- name: tmp-dir
|
||||
mountPath: /tmp
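Review bot: `--kubelet-insecure-tls` still appears in the metrics-server `command:` list, so if that line is on the new side (this rendering lost the +/- markers) the scraper authenticates to the kubelet but never verifies the kubelet's serving certificate. The 9-to-7 line count suggests only `--kubelet-port=10255` and `--deprecated-kubelet-completely-insecure=true` were dropped, which fits that reading. Once kubelets serve certificates signed by the cluster CA, replace the flag with `--kubelet-certificate-authority=<path to the CA bundle mounted in the pod>`. Until then, a comment such as `# TODO: kubelet serving cert is not verified; drop --kubelet-insecure-tls once kubelets use CA-signed serving certs` would record the gap. The container spec continues outside the hunk.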
|
||||
|
||||
|
|
|
@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
|
|||
--insecure-bind-address=127.0.0.1 \
|
||||
--authorization-mode=Node,RBAC \
|
||||
--kubelet-https=true \
|
||||
--kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
|
||||
--kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
|
||||
--kubelet-client-certificate={{ ca_dir }}/admin.pem \
|
||||
--kubelet-client-key={{ ca_dir }}/admin-key.pem \
|
||||
--anonymous-auth=false \
|
||||
--basic-auth-file={{ ca_dir }}/basic-auth.csv \
|
||||
--service-cluster-ip-range={{ SERVICE_CIDR }} \
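Review bot: Pointing `--kubelet-client-certificate` and `--kubelet-client-key` at `admin.pem` and `admin-key.pem` makes the API server talk to every kubelet with the cluster administrator's identity, which is broader than the kubelet API needs. The +/- markers are lost here, but the 8/8 line count and the commit title suggest the admin pair is the new side, presumably because the kubelet's Webhook authorizer rejected the `kubernetes.pem` identity. A narrower fix is to keep a dedicated API-server client certificate and bind its user to the built-in `system:kubelet-api-admin` ClusterRole, so the admin key does not have to be readable by the kube-apiserver service. The same change appears in the next hunk (the second `kube-apiserver` ExecStart), and ExecStart continues outside both hunks.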
|
||||
|
|
|
@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
|
|||
--insecure-bind-address=127.0.0.1 \
|
||||
--authorization-mode=Node,RBAC \
|
||||
--kubelet-https=true \
|
||||
--kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
|
||||
--kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
|
||||
--kubelet-client-certificate={{ ca_dir }}/admin.pem \
|
||||
--kubelet-client-key={{ ca_dir }}/admin-key.pem \
|
||||
--anonymous-auth=false \
|
||||
--basic-auth-file={{ ca_dir }}/basic-auth.csv \
|
||||
--service-cluster-ip-range={{ SERVICE_CIDR }} \
|
||||
|
|
|
@ -11,6 +11,8 @@ ExecStart={{ bin_dir }}/kubelet \
|
|||
--address={{ inventory_hostname }} \
|
||||
--allow-privileged=true \
|
||||
--anonymous-auth=false \
|
||||
--authentication-token-webhook \
|
||||
--authorization-mode=Webhook \
|
||||
--client-ca-file={{ ca_dir }}/ca.pem \
|
||||
--cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
|
||||
--cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
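Review bot: The kubelet flags here lock down the authenticated port (`--anonymous-auth=false`, `--authentication-token-webhook`, `--authorization-mode=Webhook`), but nothing visible disables the read-only port, which serves without authentication or authorization. ExecStart continues outside the hunk, so it may be set there; if not, add `--read-only-port=0 \` next to these flags. The metrics-server change in this commit appears to stop using port 10255, so nothing on this page still depends on it. A comment above the unit noting that kubelet API clients now need RBAC on node subresources such as `nodes/stats` and `nodes/metrics` would help whoever debugs a 403 later.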
|
||||
|
|
|
@ -25,9 +25,11 @@
|
|||
synchronize: src=/root/.kube/config dest=/root/.kube/config
|
||||
delegate_to: "{{ groups.deploy[0] }}"
|
||||
|
||||
- name: 分发 CA 证书
|
||||
- name: 分发证书相关
|
||||
synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }}
|
||||
with_items:
|
||||
- admin.pem
|
||||
- admin-key.pem
|
||||
- ca.pem
|
||||
- ca-key.pem
|
||||
- ca.csr
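Review bot: Adding `admin.pem` and `admin-key.pem` to the `with_items` list copies the cluster-admin private key to every host this task runs on, next to `ca-key.pem`, which is already in the list. Judging by the `--kubelet-client-*` flags in the kube-apiserver hunks, only hosts that run kube-apiserver appear to need the admin pair. Consider moving these two items into a separate task restricted by a `when:` on the master group, followed by a `file:` task that sets `mode: "0600"` on the key files. The play's target hosts and the rest of the list are outside the hunk, so the actual spread cannot be confirmed from here.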
|
||||
|
|