diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml index f3830a521..a400d05f9 100644 --- a/inventory/group_vars/k8s-cluster.yml +++ b/inventory/group_vars/k8s-cluster.yml @@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens" # This is where to save basic auth file kube_users_dir: "{{ kube_config_dir }}/users" -kube_api_anonymous_auth: true +kube_api_anonymous_auth: false ## Change this to use another Kubernetes version, e.g. a current beta release kube_version: v1.8.2 @@ -106,8 +106,6 @@ kube_network_node_prefix: 24 kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" kube_apiserver_port: 6443 # (https) kube_apiserver_insecure_port: 8080 # (http) -# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true -#kube_apiserver_insecure_port: 0 # (disabled) # DNS configuration. # Kubernetes cluster name, also will be used as DNS domain diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index f4349669a..025b4fab6 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -1,10 +1,7 @@ --- - name: Kubernetes Apps | Wait for kube-apiserver uri: - url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no - client_cert: "{{ kube_cert_dir }}/apiserver.pem" - client_key: "{{ kube_cert_dir }}/apiserver-key.pem" + url: "{{ kube_apiserver_insecure_endpoint }}/healthz" register: result until: result.status == 200 retries: 10 diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml index 75be11d4f..24f94aac5 100644 --- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml +++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml @@ -1,10 +1,7 @@ --- - name: Kubernetes Apps | Wait for kube-apiserver uri: - url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no - client_cert: "{{ kube_cert_dir }}/apiserver.pem" - client_key: "{{ kube_cert_dir }}/apiserver-key.pem" + url: "{{ kube_apiserver_insecure_endpoint }}/healthz" register: result until: result.status == 200 retries: 10 diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml index 551b18c7d..dd3b03264 100644 --- a/roles/kubernetes/master/handlers/main.yml +++ b/roles/kubernetes/master/handlers/main.yml @@ -66,10 +66,7 @@ - name: Master | wait for the apiserver to be running uri: - url: "{{ kube_apiserver_endpoint }}/healthz" - validate_certs: no - client_cert: "{{ kube_cert_dir }}/apiserver.pem" - client_key: "{{ kube_cert_dir }}/apiserver-key.pem" + url: "{{ kube_apiserver_insecure_endpoint }}/healthz" register: result until: result.status == 200 retries: 20 diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 index 2d0f0c9fb..5d4f6cf47 100644 --- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 @@ -110,17 +110,9 @@ spec: httpGet: host: 127.0.0.1 path: /healthz -{% if kube_apiserver_insecure_port == 0 %} - port: {{ kube_apiserver_port }} - scheme: HTTPS -{% else %} port: {{ kube_apiserver_insecure_port }} -{% endif %} - failureThreshold: 8 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 15 + initialDelaySeconds: 30 + timeoutSeconds: 10 volumeMounts: - mountPath: {{ kube_config_dir }} name: kubernetes-config diff --git a/roles/kubernetes/preinstall/tasks/verify-settings.yml b/roles/kubernetes/preinstall/tasks/verify-settings.yml index b7bf2d664..9dbd7ab8c 100644 --- a/roles/kubernetes/preinstall/tasks/verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml @@ -78,9 +78,3 @@ that: ansible_swaptotal_mb == 0 when: kubelet_fail_swap_on|default(true) ignore_errors: "{{ ignore_assert_errors }}" - -- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled - assert: - that: rbac_enabled and kube_api_anonymous_auth - when: kube_apiserver_insecure_port == 0 - ignore_errors: "{{ ignore_assert_errors }}" \ No newline at end of file