2017-08-24 17:09:52 +08:00
---
2018-12-25 15:06:27 +08:00
# disable upgrade cluster
upgrade_cluster_setup : false
2016-10-24 21:11:52 +08:00
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
kube_apiserver_insecure_bind_address : 127.0 .0 .1
2017-11-29 23:24:02 +08:00
# By default the external API listens on all interfaces, this can be changed to
# listen on a specific address/interface.
2021-12-06 15:58:32 +08:00
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
# loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on masters on 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }} too.
2017-11-29 23:24:02 +08:00
kube_apiserver_bind_address : 0.0 .0 .0
2016-11-18 20:56:55 +08:00
# A port range to reserve for services with NodePort visibility.
# Inclusive at both ends of the range.
kube_apiserver_node_port_range : "30000-32767"
2017-03-06 18:22:13 +08:00
# ETCD backend for k8s data
kube_apiserver_storage_backend : etcd3
2022-05-06 15:39:07 +08:00
# CIS 1.2.26
# Validate that the service account token
# in the request is actually present in etcd.
kube_apiserver_service_account_lookup : true
2019-04-19 21:01:54 +08:00
kube_etcd_cacert_file : ca.pem
kube_etcd_cert_file : node-{{ inventory_hostname }}.pem
kube_etcd_key_file : node-{{ inventory_hostname }}-key.pem
2019-01-08 12:41:54 +08:00
# Associated interfaces must be reachable by the rest of the cluster, and by
# CLI/web clients.
kube_controller_manager_bind_address : 0.0 .0 .0
2021-04-06 15:35:35 +08:00
# Leader election lease durations and timeouts for controller-manager
2020-09-25 23:21:11 +08:00
kube_controller_manager_leader_elect_lease_duration : 15s
kube_controller_manager_leader_elect_renew_deadline : 10s
2019-04-19 21:01:54 +08:00
# discovery_timeout modifies the discovery timeout
discovery_timeout : 5m0s
2019-08-06 15:59:53 +08:00
# Instruct first master to refresh kubeadm token
kubeadm_refresh_token : true
2019-11-05 19:34:38 +08:00
# Scale down coredns replicas to 0 if not using coredns dns_mode
kubeadm_scale_down_coredns_enabled : true
2018-08-15 16:41:13 +08:00
# audit support
kubernetes_audit : false
2018-08-20 13:00:53 +08:00
# path to audit log file
2018-08-15 16:41:13 +08:00
audit_log_path : /var/log/audit/kube-apiserver-audit.log
# num days
audit_log_maxage : 30
# the num of audit logs to retain
audit_log_maxbackups : 1
2018-08-23 00:16:13 +08:00
# the max size in MB to retain
2018-08-15 16:41:13 +08:00
audit_log_maxsize : 100
# policy file
audit_policy_file : "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"
2018-08-20 13:04:56 +08:00
# custom audit policy rules (to replace the default ones)
2018-08-21 15:04:04 +08:00
# audit_policy_custom_rules: |
2018-08-20 13:04:56 +08:00
# - level: None
# users: []
# verbs: []
# resources: []
2018-08-15 16:41:13 +08:00
# audit log hostpath
audit_log_name : audit-logs
audit_log_hostpath : /var/log/kubernetes/audit
2018-08-16 18:51:09 +08:00
audit_log_mountpath : "{{ audit_log_path | dirname }}"
2018-08-15 16:41:13 +08:00
# audit policy hostpath
audit_policy_name : audit-policy
2018-08-16 18:51:09 +08:00
audit_policy_hostpath : "{{ audit_policy_file | dirname }}"
2018-08-15 16:41:13 +08:00
audit_policy_mountpath : "{{ audit_policy_hostpath }}"
2020-07-20 16:32:54 +08:00
# audit webhook support
kubernetes_audit_webhook : false
# path to audit webhook config file
audit_webhook_config_file : "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml"
audit_webhook_server_url : "https://audit.app"
2020-09-21 21:44:32 +08:00
audit_webhook_server_extra_args : {}
2020-07-20 16:32:54 +08:00
audit_webhook_mode : batch
audit_webhook_batch_max_size : 100
audit_webhook_batch_max_wait : 1s
2017-02-07 22:01:02 +08:00
kube_controller_node_monitor_grace_period : 40s
kube_controller_node_monitor_period : 5s
2018-09-24 17:17:18 +08:00
kube_controller_terminated_pod_gc_threshold : 12500
kube_apiserver_request_timeout : "1m0s"
2021-01-08 23:20:53 +08:00
kube_apiserver_pod_eviction_not_ready_timeout_seconds : "300"
kube_apiserver_pod_eviction_unreachable_timeout_seconds : "300"
2017-02-27 20:24:21 +08:00
2018-08-04 02:58:03 +08:00
# 1.10+ admission plugins
2018-08-07 01:54:20 +08:00
kube_apiserver_enable_admission_plugins : [ ]
2018-08-04 02:58:03 +08:00
2022-05-03 02:03:15 +08:00
# enable admission plugins configuration
kube_apiserver_admission_control_config_file : false
# data structure to configure EventRateLimit admission plugin
# this should have the following structure:
# kube_apiserver_admission_event_rate_limits:
# <limit_name>:
# type: <limit_type>
# qps: <qps_value>
# burst: <burst_value>
# cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits : {}
2018-08-04 02:58:03 +08:00
# 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins : [ ]
2017-10-13 22:42:54 +08:00
# extra runtime config
2019-04-19 21:01:54 +08:00
kube_api_runtime_config : [ ]
2017-02-27 21:15:50 +08:00
## Enable/Disable Kube API Server Authentication Methods
2017-10-16 03:41:17 +08:00
kube_token_auth : false
2017-02-27 21:15:50 +08:00
kube_oidc_auth : false
2022-05-06 05:52:43 +08:00
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
2018-12-26 17:52:53 +08:00
kube_webhook_token_auth : false
2020-08-05 20:02:29 +08:00
kube_webhook_token_auth_url_skip_tls_verify : false
2020-08-24 21:29:41 +08:00
# kube_webhook_token_auth_url: https://...
2022-05-06 05:52:43 +08:00
## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..."
2020-08-24 21:29:41 +08:00
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
# kube_webhook_authorization_url: https://...
2022-05-06 05:52:43 +08:00
kube_webhook_authorization : false
2020-08-24 21:29:41 +08:00
kube_webhook_authorization_url_skip_tls_verify : false
2017-02-27 21:15:50 +08:00
2017-02-27 20:24:21 +08:00
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
2017-02-27 21:15:50 +08:00
2017-08-24 17:09:52 +08:00
# kube_oidc_url: https:// ...
2017-02-27 20:24:21 +08:00
# kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_username_claim: sub
2021-04-21 08:32:10 +08:00
# kube_oidc_username_prefix: 'oidc:'
2017-02-27 20:24:21 +08:00
# kube_oidc_groups_claim: groups
2021-04-21 08:32:10 +08:00
# kube_oidc_groups_prefix: 'oidc:'
2019-04-25 00:40:01 +08:00
# Copy oidc CA file to the following path if needed
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# Optionally include a base64-encoded oidc CA cert
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
2017-04-15 05:33:04 +08:00
2017-07-12 15:51:12 +08:00
# List of the preferred NodeAddressTypes to use for kubelet connections.
kubelet_preferred_address_types : 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'
2018-02-05 21:49:13 +08:00
## Extra args for k8s components passing by kubeadm
2018-02-12 15:29:46 +08:00
kube_kubeadm_apiserver_extra_args : {}
2018-02-05 21:49:13 +08:00
kube_kubeadm_controller_extra_args : {}
2018-01-18 18:55:23 +08:00
2018-11-29 15:16:55 +08:00
## Extra control plane host volume mounts
## Example:
2018-12-18 16:34:19 +08:00
# apiserver_extra_volumes:
2018-11-29 15:16:55 +08:00
# - name: name
# hostPath: /host/path
# mountPath: /mount/path
2019-01-10 10:43:35 +08:00
# readOnly: true
2018-11-29 15:16:55 +08:00
apiserver_extra_volumes : {}
controller_manager_extra_volumes : {}
2018-03-16 03:20:05 +08:00
## Encrypting Secret Data at Rest
kube_encrypt_secret_data : false
2018-09-04 00:04:50 +08:00
kube_encrypt_token : "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
2018-03-28 22:30:00 +08:00
# Must be either: aescbc, secretbox or aesgcm
2022-02-23 19:04:18 +08:00
kube_encryption_algorithm : "secretbox"
2020-03-20 19:14:36 +08:00
# Which kubernetes resources to encrypt
kube_encryption_resources : [ secrets]
2018-05-12 00:11:38 +08:00
2018-11-08 04:38:19 +08:00
# If non-empty, will use this string as identification instead of the actual hostname
kube_override_hostname : >-
{%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%}
{%- else -%}
{{ inventory_hostname }}
{%- endif -%}
2019-02-19 23:31:45 +08:00
secrets_encryption_query : "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
2020-06-16 19:10:05 +08:00
## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
# tls_min_version: ""
## Support tls cipher suites.
# tls_cipher_suites:
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_RSA_WITH_RC4_128_SHA
2020-06-24 23:15:17 +08:00
## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration : "1h0m0s"
2021-03-23 02:22:48 +08:00
## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates : false
2021-04-13 00:47:45 +08:00
# First Monday of each month
auto_renew_certificates_systemd_calendar : "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00"
2021-09-17 19:31:00 +08:00
# kubeadm renews all the certificates during control plane upgrade.
# If we have requirement like without renewing certs upgrade the cluster,
# we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
kubeadm_upgrade_auto_cert_renewal : true