--- # disable upgrade cluster upgrade_cluster_setup: false # By default the external API listens on all interfaces, this can be changed to # listen on a specific address/interface. # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost # loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on control plane nodes on 127.0.0.1:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }} too. kube_apiserver_bind_address: 0.0.0.0 # A port range to reserve for services with NodePort visibility. # Inclusive at both ends of the range. kube_apiserver_node_port_range: "30000-32767" # ETCD backend for k8s data kube_apiserver_storage_backend: etcd3 # The interval of compaction requests. If 0, the compaction request from apiserver is disabled. kube_apiserver_etcd_compaction_interval: "5m0s" # CIS 1.2.26 # Validate that the service account token # in the request is actually present in etcd. kube_apiserver_service_account_lookup: true kube_etcd_cacert_file: ca.pem kube_etcd_cert_file: node-{{ inventory_hostname }}.pem kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem # Associated interfaces must be reachable by the rest of the cluster, and by # CLI/web clients. kube_controller_manager_bind_address: 0.0.0.0 # Leader election lease durations and timeouts for controller-manager kube_controller_manager_leader_elect_lease_duration: 15s kube_controller_manager_leader_elect_renew_deadline: 10s # discovery_timeout modifies the discovery timeout discovery_timeout: 5m0s # Instruct first control plane node to refresh kubeadm token kubeadm_refresh_token: true # Scale down coredns replicas to 0 if not using coredns dns_mode kubeadm_scale_down_coredns_enabled: true # audit support kubernetes_audit: false # path to audit log file audit_log_path: /var/log/audit/kube-apiserver-audit.log # num days audit_log_maxage: 30 # the num of audit logs to retain audit_log_maxbackups: 10 # the max size in MB to retain audit_log_maxsize: 100 # policy file audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml" # custom audit policy rules (to replace the default ones) # audit_policy_custom_rules: | # - level: None # users: [] # verbs: [] # resources: [] # audit log hostpath audit_log_name: audit-logs audit_log_hostpath: /var/log/kubernetes/audit audit_log_mountpath: "{{ audit_log_path | dirname }}" # audit policy hostpath audit_policy_name: audit-policy audit_policy_hostpath: "{{ audit_policy_file | dirname }}" audit_policy_mountpath: "{{ audit_policy_hostpath }}" # audit webhook support kubernetes_audit_webhook: false # path to audit webhook config file audit_webhook_config_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-webhook-config.yaml" audit_webhook_server_url: "https://audit.app" audit_webhook_server_extra_args: {} audit_webhook_mode: batch audit_webhook_batch_max_size: 100 audit_webhook_batch_max_wait: 1s kube_controller_node_monitor_grace_period: 40s kube_controller_node_monitor_period: 5s kube_controller_terminated_pod_gc_threshold: 12500 kube_apiserver_request_timeout: "1m0s" kube_apiserver_pod_eviction_not_ready_timeout_seconds: "300" kube_apiserver_pod_eviction_unreachable_timeout_seconds: "300" # 1.10+ admission plugins kube_apiserver_enable_admission_plugins: [] # enable admission plugins configuration kube_apiserver_admission_control_config_file: false # data structure to configure EventRateLimit admission plugin # this should have the following structure: # kube_apiserver_admission_event_rate_limits: # : # type: # qps: # burst: # cache_size: kube_apiserver_admission_event_rate_limits: {} kube_pod_security_use_default: false kube_pod_security_default_enforce: baseline kube_pod_security_default_enforce_version: "{{ kube_major_version }}" kube_pod_security_default_audit: restricted kube_pod_security_default_audit_version: "{{ kube_major_version }}" kube_pod_security_default_warn: restricted kube_pod_security_default_warn_version: "{{ kube_major_version }}" kube_pod_security_exemptions_usernames: [] kube_pod_security_exemptions_runtime_class_names: [] kube_pod_security_exemptions_namespaces: - kube-system # 1.10+ list of disabled admission plugins kube_apiserver_disable_admission_plugins: [] # extra runtime config kube_api_runtime_config: [] ## Enable/Disable Kube API Server Authentication Methods kube_token_auth: false kube_oidc_auth: false ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication kube_webhook_token_auth: false kube_webhook_token_auth_url_skip_tls_verify: false # kube_webhook_token_auth_url: https://... ## base64-encoded string of the webhook's CA certificate # kube_webhook_token_auth_ca_data: "LS0t..." ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/ # kube_webhook_authorization_url: https://... kube_webhook_authorization: false kube_webhook_authorization_url_skip_tls_verify: false # Default podnodeselector kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "" ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) # kube_oidc_url: https:// ... # kube_oidc_client_id: kubernetes ## Optional settings for OIDC # kube_oidc_username_claim: sub # kube_oidc_username_prefix: 'oidc:' # kube_oidc_groups_claim: groups # kube_oidc_groups_prefix: 'oidc:' # Copy oidc CA file to the following path if needed # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem # Optionally include a base64-encoded oidc CA cert # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20... # List of the preferred NodeAddressTypes to use for kubelet connections. kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP' ## Extra args for k8s components passing by kubeadm kube_kubeadm_apiserver_extra_args: {} kube_kubeadm_controller_extra_args: {} ## Extra control plane host volume mounts ## Example: # apiserver_extra_volumes: # - name: name # hostPath: /host/path # mountPath: /mount/path # readOnly: true apiserver_extra_volumes: {} controller_manager_extra_volumes: {} ## Encrypting Secret Data at Rest kube_encrypt_secret_data: false kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}" # Must be either: aescbc, secretbox or aesgcm kube_encryption_algorithm: "secretbox" # Which kubernetes resources to encrypt kube_encryption_resources: [secrets] # If non-empty, will use this string as identification instead of the actual hostname kube_override_hostname: >- {%- if cloud_provider is defined and cloud_provider in ['aws'] -%} {%- else -%} {{ inventory_hostname }} {%- endif -%} secrets_encryption_query: "resources[*].providers[0].{{ kube_encryption_algorithm }}.keys[0].secret" ## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. # tls_min_version: "" ## Support tls cipher suites. # tls_cipher_suites: # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 # - TLS_ECDHE_RSA_WITH_RC4_128_SHA # - TLS_RSA_WITH_3DES_EDE_CBC_SHA # - TLS_RSA_WITH_AES_128_CBC_SHA # - TLS_RSA_WITH_AES_128_CBC_SHA256 # - TLS_RSA_WITH_AES_128_GCM_SHA256 # - TLS_RSA_WITH_AES_256_CBC_SHA # - TLS_RSA_WITH_AES_256_GCM_SHA384 # - TLS_RSA_WITH_RC4_128_SHA ## Amount of time to retain events. (default 1h0m0s) event_ttl_duration: "1h0m0s" ## Automatically renew K8S control plane certificates on first Monday of each month auto_renew_certificates: false # First Monday of each month auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00" # kubeadm renews all the certificates during control plane upgrade. # If we have requirement like without renewing certs upgrade the cluster, # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false kubeadm_upgrade_auto_cert_renewal: true # Bash alias of kubectl to interact with Kubernetes cluster much easier # kubectl_alias: k ## Enable distributed tracing for kube-apiserver kube_apiserver_tracing: false kube_apiserver_tracing_endpoint: 0.0.0.0:4317 kube_apiserver_tracing_sampling_rate_per_million: 100 # Enable kubeadm file discovery if anonymous access has been removed kubeadm_use_file_discovery: "{{ remove_anonymous_access }}"