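---
# Instance settings
cloud_image: ubuntu-2004
mode: aio

# Kubespray settings
auto_renew_certificates: true
# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
kube_proxy_mode: iptables
# canonical lowercase boolean (the YAML 1.1 loader also accepts `False`, but tooling does not always agree)
enable_nodelocaldns: false

# The following settings are for hardening
## kube-apiserver
authorization_modes: ['Node', 'RBAC']
# AppArmor-based OS
kube_apiserver_feature_gates: ['AppArmor=true']
kube_apiserver_request_timeout: 120s
kube_apiserver_service_account_lookup: true
# enable kubernetes audit
kubernetes_audit: true
audit_log_path: "/var/log/kube-apiserver-log.json"
audit_log_maxage: 30
audit_log_maxbackups: 10
audit_log_maxsize: 100
# TLS floor and cipher allow-list for the API server (ECDHE + AEAD suites only)
tls_min_version: VersionTLS12
tls_cipher_suites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
# enable encryption at rest
kube_encrypt_secret_data: true
kube_encryption_resources: [secrets]
kube_encryption_algorithm: "secretbox"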
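# Admission plugins enabled on kube-apiserver.
# EventRateLimit is configured via kube_apiserver_admission_event_rate_limits;
# PodSecurity enforcement level comes from kube_pod_security_default_enforce.
kube_apiserver_enable_admission_plugins:
  - EventRateLimit
  - AlwaysPullImages
  - ServiceAccount
  - NamespaceLifecycle
  - NodeRestriction
  - LimitRanger
  - ResourceQuota
  - MutatingAdmissionWebhook
  - ValidatingAdmissionWebhook
  - PodNodeSelector
  - PodSecurity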
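kube_apiserver_admission_control_config_file: true
# EventRateLimit plugin configuration
# (each limit must be nested under its own key; a flat layout would make the
# limit keys null and collapse type/qps/burst into duplicate top-level keys)
kube_apiserver_admission_event_rate_limits:
  limit_1:
    type: Namespace
    qps: 50
    burst: 100
    cache_size: 2000
  limit_2:
    type: User
    qps: 50
    burst: 100
# disable the profiling endpoint on the control-plane components
kube_profiling: false

## kube-controller-manager
# bind to loopback only; quoted so the address always stays a string
kube_controller_manager_bind_address: "127.0.0.1"
kube_controller_terminated_pod_gc_threshold: 50
# AppArmor-based OS
kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]

## kube-scheduler
kube_scheduler_bind_address: "127.0.0.1"
# AppArmor-based OS
kube_scheduler_feature_gates: ["AppArmor=true"]

## etcd
etcd_deployment_type: kubeadm

## kubelet
kubelet_authentication_token_webhook: true
# 0 disables the unauthenticated read-only kubelet port
kube_read_only_port: 0
kubelet_rotate_server_certificates: true
kubelet_protect_kernel_defaults: true
kubelet_event_record_qps: 1
kubelet_rotate_certificates: true
kubelet_streaming_connection_idle_timeout: "5m"
kubelet_make_iptables_util_chains: true
kubelet_feature_gates: ["RotateKubeletServerCertificate=true", "SeccompDefault=true"]
kubelet_seccomp_default: true
kubelet_systemd_hardening: true
# In case you have multiple interfaces in your
# control plane nodes and you want to specify the right
# IP addresses, kubelet_secure_addresses allows you
# to specify the IP from which the kubelet
# will receive the packets.
# kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"

# additional configurations
kube_owner: root
kube_cert_group: root
# create a default Pod Security Configuration and deny running of insecure pods
# kube-system namespace is exempted by default
kube_pod_security_use_default: true
kube_pod_security_default_enforce: restricted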