kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

New PR default node selector (#10607)

pull/10725/head
jandres - moscardo 2023-12-12 14:51:26 +01:00 committed by GitHub
parent 8abf49ae13
commit cb848fa7cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/hardening.md
View File

@ -54,6 +54,11 @@ kube_apiserver_enable_admission_plugins:
- PodNodeSelector - PodNodeSelector
- PodSecurity - PodSecurity
kube_apiserver_admission_control_config_file: true kube_apiserver_admission_control_config_file: true
# Creates config file for PodNodeSelector
# kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]
# Define the default node selector, by default all the workloads will be scheduled on nodes
# with label network=srv1
# kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1"
# EventRateLimit plugin configuration # EventRateLimit plugin configuration
kube_apiserver_admission_event_rate_limits: kube_apiserver_admission_event_rate_limits:
limit_1: limit_1:

2
roles/kubernetes/control-plane/defaults/main/main.yml
View File

@ -141,6 +141,8 @@ kube_webhook_token_auth_url_skip_tls_verify: false
kube_webhook_authorization: false kube_webhook_authorization: false
kube_webhook_authorization_url_skip_tls_verify: false kube_webhook_authorization_url_skip_tls_verify: false
# Default podnodeselector
kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)

9
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
View File

@ -108,6 +108,15 @@
- item in kube_apiserver_admission_plugins_needs_configuration - item in kube_apiserver_admission_plugins_needs_configuration
loop: "{{ kube_apiserver_enable_admission_plugins }}" loop: "{{ kube_apiserver_enable_admission_plugins }}"
- name: Kubeadm | Configure default cluster podnodeslector
template:
src: "podnodeselector.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
mode: 0640
when:
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
- name: Kubeadm | Check apiserver.crt SANs - name: Kubeadm | Check apiserver.crt SANs
vars: vars:
apiserver_ips: "{{ apiserver_sans | map('ansible.utils.ipaddr') | reject('equalto', False) | list }}" apiserver_ips: "{{ apiserver_sans | map('ansible.utils.ipaddr') | reject('equalto', False) | list }}"

2
roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2 100644
View File

@ -0,0 +1,2 @@
podNodeSelectorPluginConfig:
clusterDefaultNodeSelector: {{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }}