Remove deprecated (and removed in 1.19) flag and function --basic-auth-file (#6655)
parent
1765c9125a
commit
a556f8f2bf
|
@ -95,7 +95,7 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
|
||||||
|
|
||||||
Supported version is kubernetes-dashboard v2.0.x :
|
Supported version is kubernetes-dashboard v2.0.x :
|
||||||
|
|
||||||
- Login options are : token/kubeconfig by default, basic can be enabled with `kube_basic_auth: true` inventory variable - not recommended because this requires ABAC api-server which is not tested by kubespray team
|
- Login option : token/kubeconfig by default
|
||||||
- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
|
- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
|
||||||
- Only serves over https
|
- Only serves over https
|
||||||
|
|
||||||
|
|
|
@ -209,11 +209,3 @@ in the form of dicts of key-value pairs of configuration parameters that will be
|
||||||
|
|
||||||
* *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
|
* *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
|
||||||
Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
|
Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
|
||||||
|
|
||||||
## User accounts
|
|
||||||
|
|
||||||
The variable `kube_basic_auth` is false by default, but if set to true, a user with admin rights is created, named `kube`.
|
|
||||||
The password can be viewed after deployment by looking at the file
|
|
||||||
`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
|
|
||||||
password. If you wish to set your own password, just precreate/modify this
|
|
||||||
file yourself or change `kube_api_pwd` var.
|
|
||||||
|
|
|
@ -14,9 +14,6 @@ kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
||||||
# This is where all of the bearer tokens will be stored
|
# This is where all of the bearer tokens will be stored
|
||||||
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
||||||
|
|
||||||
# This is where to save basic auth file
|
|
||||||
kube_users_dir: "{{ kube_config_dir }}/users"
|
|
||||||
|
|
||||||
kube_api_anonymous_auth: true
|
kube_api_anonymous_auth: true
|
||||||
|
|
||||||
## Change this to use another Kubernetes version, e.g. a current beta release
|
## Change this to use another Kubernetes version, e.g. a current beta release
|
||||||
|
@ -41,19 +38,8 @@ kube_log_level: 2
|
||||||
# Directory where credentials will be stored
|
# Directory where credentials will be stored
|
||||||
credentials_dir: "{{ inventory_dir }}/credentials"
|
credentials_dir: "{{ inventory_dir }}/credentials"
|
||||||
|
|
||||||
# Users to create for basic auth in Kubernetes API via HTTP
|
## It is possible to activate / deactivate selected authentication methods (oidc, static token auth)
|
||||||
# Optionally add groups for user
|
|
||||||
kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
|
|
||||||
kube_users:
|
|
||||||
kube:
|
|
||||||
pass: "{{kube_api_pwd}}"
|
|
||||||
role: admin
|
|
||||||
groups:
|
|
||||||
- system:masters
|
|
||||||
|
|
||||||
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
|
||||||
# kube_oidc_auth: false
|
# kube_oidc_auth: false
|
||||||
# kube_basic_auth: false
|
|
||||||
# kube_token_auth: false
|
# kube_token_auth: false
|
||||||
|
|
||||||
|
|
||||||
|
|
|
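Review bot: An inventory that still sets `kube_basic_auth: true` or defines its own `kube_users` block is now silently ignored — with the `# kube_basic_auth: false` toggle and the `kube_users` mapping removed from the sample, nothing tells an operator that the `kube` admin login no longer exists. Since this hunk only strips sample settings, the place to fail loudly is a preflight assertion, for example `- assert: { that: "kube_basic_auth is not defined or not kube_basic_auth", msg: "kube_basic_auth was removed with Kubernetes 1.19 (--basic-auth-file); use token or OIDC auth" }`. Note also that `{{ credentials_dir }}/kube_user.creds`, previously written by the removed `password` lookup, is not cleaned up and keeps the old cluster-admin password on the Ansible host; that deserves a line in the upgrade notes.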
@ -189,7 +189,7 @@ spec:
|
||||||
{% if dashboard_skip_login %}
|
{% if dashboard_skip_login %}
|
||||||
- --enable-skip-login
|
- --enable-skip-login
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
|
- --authentication-mode=token
|
||||||
# Uncomment the following line to manually specify Kubernetes API server Host
|
# Uncomment the following line to manually specify Kubernetes API server Host
|
||||||
# If not specified, Dashboard will attempt to auto discover the API server and connect
|
# If not specified, Dashboard will attempt to auto discover the API server and connect
|
||||||
# to it. Uncomment only if the default does not work.
|
# to it. Uncomment only if the default does not work.
|
||||||
|
|
|
@ -95,7 +95,6 @@ kube_apiserver_disable_admission_plugins: []
|
||||||
kube_api_runtime_config: []
|
kube_api_runtime_config: []
|
||||||
|
|
||||||
## Enable/Disable Kube API Server Authentication Methods
|
## Enable/Disable Kube API Server Authentication Methods
|
||||||
kube_basic_auth: false
|
|
||||||
kube_token_auth: false
|
kube_token_auth: false
|
||||||
kube_oidc_auth: false
|
kube_oidc_auth: false
|
||||||
kube_webhook_token_auth: false
|
kube_webhook_token_auth: false
|
||||||
|
|
|
@ -3,10 +3,6 @@
|
||||||
tags:
|
tags:
|
||||||
- k8s-pre-upgrade
|
- k8s-pre-upgrade
|
||||||
|
|
||||||
- import_tasks: users-file.yml
|
|
||||||
when:
|
|
||||||
- kube_basic_auth|default(true)
|
|
||||||
|
|
||||||
- name: Create webhook token auth config
|
- name: Create webhook token auth config
|
||||||
template:
|
template:
|
||||||
src: webhook-token-auth-config.yaml.j2
|
src: webhook-token-auth-config.yaml.j2
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
- name: Make sure the users directory exits
|
|
||||||
file:
|
|
||||||
path: "{{ kube_users_dir }}"
|
|
||||||
state: directory
|
|
||||||
mode: o-rwx
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
|
|
||||||
- name: Populate users for basic auth in API
|
|
||||||
template:
|
|
||||||
src: known_users.csv.j2
|
|
||||||
dest: "{{ kube_users_dir }}/known_users.csv"
|
|
||||||
mode: 0640
|
|
||||||
backup: yes
|
|
|
@ -1,4 +0,0 @@
|
||||||
{% for user in kube_users %}
|
|
||||||
{{kube_users[user].pass}},{{user}},{{kube_users[user].role}}{% if kube_users[user].groups is defined %},{% set groups_csv = kube_users[user].groups|join(',') -%}"{{groups_csv}}"{% endif %}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
|
@ -126,9 +126,6 @@ apiServer:
|
||||||
profiling: "{{ kube_profiling }}"
|
profiling: "{{ kube_profiling }}"
|
||||||
request-timeout: "{{ kube_apiserver_request_timeout }}"
|
request-timeout: "{{ kube_apiserver_request_timeout }}"
|
||||||
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
|
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
|
||||||
{% if kube_basic_auth|default(true) %}
|
|
||||||
basic-auth-file: {{ kube_users_dir }}/known_users.csv
|
|
||||||
{% endif %}
|
|
||||||
{% if kube_token_auth|default(true) %}
|
{% if kube_token_auth|default(true) %}
|
||||||
token-auth-file: {{ kube_token_dir }}/known_tokens.csv
|
token-auth-file: {{ kube_token_dir }}/known_tokens.csv
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -202,18 +199,13 @@ apiServer:
|
||||||
{% if kubelet_rotate_server_certificates %}
|
{% if kubelet_rotate_server_certificates %}
|
||||||
kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
|
kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
|
{% if kubernetes_audit or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
|
||||||
extraVolumes:
|
extraVolumes:
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
|
||||||
- name: cloud-config
|
- name: cloud-config
|
||||||
hostPath: {{ kube_config_dir }}/cloud_config
|
hostPath: {{ kube_config_dir }}/cloud_config
|
||||||
mountPath: {{ kube_config_dir }}/cloud_config
|
mountPath: {{ kube_config_dir }}/cloud_config
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kube_basic_auth|default(true) %}
|
|
||||||
- name: basic-auth-config
|
|
||||||
hostPath: {{ kube_users_dir }}
|
|
||||||
mountPath: {{ kube_users_dir }}
|
|
||||||
{% endif %}
|
|
||||||
{% if kube_token_auth|default(true) %}
|
{% if kube_token_auth|default(true) %}
|
||||||
- name: token-auth-config
|
- name: token-auth-config
|
||||||
hostPath: {{ kube_token_dir }}
|
hostPath: {{ kube_token_dir }}
|
||||||
|
|
|
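Review bot: Dropping the `basic-auth-config` hostPath mount stops the API server from reading `{{ kube_users_dir }}/known_users.csv`, but nothing in this commit removes that file from existing control-plane nodes, so after an upgrade the cleartext `kube` password — with `system:masters` in its groups column, per the deleted `known_users.csv.j2` — stays on disk at mode 0640, group kube-cert. An upgrade task such as `- name: Remove obsolete basic-auth users file` / `file: { path: "{{ kube_config_dir }}/users", state: absent }` would close that gap. The rewritten `extraVolumes` condition on the new side correctly drops `kube_basic_auth`; the `apiServer` block it belongs to continues outside this hunk.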
@ -133,10 +133,6 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
|
||||||
# This is where all of the bearer tokens will be stored
|
# This is where all of the bearer tokens will be stored
|
||||||
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
||||||
|
|
||||||
# This is where to save basic auth file
|
|
||||||
kube_users_dir: "{{ kube_config_dir }}/users"
|
|
||||||
|
|
||||||
|
|
||||||
# This is the group that the cert creation scripts chgrp the
|
# This is the group that the cert creation scripts chgrp the
|
||||||
# cert files to. Not really changeable...
|
# cert files to. Not really changeable...
|
||||||
kube_cert_group: kube-cert
|
kube_cert_group: kube-cert
|
||||||
|
@ -144,13 +140,6 @@ kube_cert_group: kube-cert
|
||||||
# Cluster Loglevel configuration
|
# Cluster Loglevel configuration
|
||||||
kube_log_level: 2
|
kube_log_level: 2
|
||||||
|
|
||||||
# Users to create for basic auth in Kubernetes API via HTTP
|
|
||||||
kube_api_pwd: "changeme"
|
|
||||||
kube_users:
|
|
||||||
kube:
|
|
||||||
pass: "{{kube_api_pwd}}"
|
|
||||||
role: admin
|
|
||||||
|
|
||||||
# Choose network plugin (cilium, calico, weave or flannel)
|
# Choose network plugin (cilium, calico, weave or flannel)
|
||||||
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
||||||
kube_network_plugin: calico
|
kube_network_plugin: calico
|
||||||
|
|
|
@ -24,5 +24,4 @@ cert_manager_enabled: true
|
||||||
metrics_server_enabled: false
|
metrics_server_enabled: false
|
||||||
metrics_server_kubelet_insecure_tls: true
|
metrics_server_kubelet_insecure_tls: true
|
||||||
kube_token_auth: true
|
kube_token_auth: true
|
||||||
kube_basic_auth: true
|
|
||||||
enable_nodelocaldns: false
|
enable_nodelocaldns: false
|
||||||
|
|
|
@ -24,5 +24,4 @@ cert_manager_enabled: true
|
||||||
metrics_server_enabled: false
|
metrics_server_enabled: false
|
||||||
metrics_server_kubelet_insecure_tls: true
|
metrics_server_kubelet_insecure_tls: true
|
||||||
kube_token_auth: true
|
kube_token_auth: true
|
||||||
kube_basic_auth: true
|
|
||||||
enable_nodelocaldns: false
|
enable_nodelocaldns: false
|
||||||
|
|