1 # SPDX-FileCopyrightText: 2021 Intel Corporation.
3 # SPDX-License-Identifier: Apache-2.0
10 - { role: kubespray_install }
# proxy_env is pushed into every play so package/image downloads honour the site
# proxy; `d({})` keeps the play valid when no proxy is configured in the inventory.
11 environment: "{{ proxy_env | d({}) }}"
# Abort the play for all hosts on the first failure, so a half-prepared node is not
# silently carried into the kubespray run below.
12 any_errors_fatal: true
17 - role: cluster_defaults
18 - role: kubespray_target_setup
19 environment: "{{ proxy_env | d({}) }}"
20 any_errors_fatal: true
25 - name: prepare additional kubespray facts
# Kubelet flags are rendered as text here and parsed with `from_yaml` further down
# (kubelet_node_custom_flags), so the rendered value must stay valid YAML.
27 kubelet_node_custom_flags_prepare: >-
28 {%- if native_cpu_manager_enabled | default(false) and native_cpu_manager_reserved_cpus is defined -%}
29 --reserved-cpus={{ native_cpu_manager_reserved_cpus }}
# Apiserver admission plugins. EventRateLimit reads its limits from the
# admission-control config file referenced below; AlwaysPullImages forces a registry
# pull (and therefore a credential check) for every pod start instead of trusting the
# node's image cache; NodeRestriction limits what a kubelet credential may modify.
# PodSecurityPolicy was removed in Kubernetes 1.25, so psp_enabled only applies to
# older releases.
# NOTE(review): unlike the CPU-manager vars above, `always_pull_enabled` and
# `psp_enabled` carry no `| default(...)`; an inventory that leaves either undefined
# fails this set_fact under Ansible's strict undefined handling — confirm they are
# always set in group_vars.
31 enable_admission_plugins_prepare: >-
32 [EventRateLimit,{% if always_pull_enabled %} AlwaysPullImages,{% endif %} NodeRestriction{% if psp_enabled %}, PodSecurityPolicy{% endif %}]
33 kube_config_dir: /etc/kubernetes
34 - name: set kube_cert_dir
# Derived from kube_config_dir so the service-account key paths used by the kubeadm
# extra args below resolve inside the same tree.
36 kube_cert_dir: "{{ kube_config_dir }}/ssl"
37 kube_csr_dir: "{{ kube_config_dir }}/csr"
38 environment: "{{ proxy_env | d({}) }}"
39 any_errors_fatal: true
# Hand over to upstream kubespray; the variables that follow override kubespray role
# defaults for this deployment.
42 import_playbook: kubespray/cluster.yml
45 multus_conf_file: /host/etc/cni/net.d/templates/00-multus.conf
# Docker manages its own iptables chains; the post-install task later in this file
# restarts the daemon so those rules are recreated after kubespray changes firewall state.
46 docker_iptables_enabled: true
47 docker_dns_servers_strict: false
48 override_system_hostname: false
# Quoted on purpose so YAML keeps the version a string (a bare 19.10-style value would
# be read as the float 19.1).
49 docker_version: '19.03'
50 kube_proxy_mode: iptables
51 enable_nodelocaldns: false
# The dashboard is an additional web UI with its own ServiceAccount; keep it off the
# node network, keep its RBAC minimal, or disable it where it is not needed.
53 dashboard_enabled: true
54 system_cpu_reserved: "{{ native_cpu_manager_system_reserved_cpus | default('1000m') }}"
55 kube_cpu_reserved: "{{ native_cpu_manager_kube_reserved_cpus | default('1000m') }}"
56 kubelet_node_custom_flags: "{{ kubelet_node_custom_flags_prepare | from_yaml }}"
# NOTE(review): anonymous requests reach the apiserver as system:anonymous /
# system:unauthenticated and are limited only by RBAC. The CIS benchmark recommends
# --anonymous-auth=false; this is presumably left true because kubespray's health /
# bootstrap flows rely on it — confirm before tightening, and at minimum verify no
# ClusterRoleBinding grants system:unauthenticated more than the discovery roles.
57 kube_api_anonymous_auth: true
# Kubelet feature gates (the list key sits above this excerpt).
59 - CPUManager=true # the CPUManager gate is on by default upstream; the policy stays "none" unless cpuManagerPolicy below selects "static"
60 - TopologyManager={{ topology_manager_enabled | default(true) }}
# Kubelet serving certificates are renewed through CSRs, which kube-controller-manager
# does not auto-approve (only client CSRs are); an approver is required or they sit
# pending until the current cert expires — presumably what kubelet-certificates.yml at
# the end of this file handles, confirm.
61 - RotateKubeletServerCertificate=true
62 # Kubernetes cluster hardening (roughly the CIS Kubernetes Benchmark control-plane and
# node items): audit logging, loopback-only bind for non-apiserver components, the
# kubelet read-only port disabled, and service-account token verification.
63 kubernetes_audit: true
# Retained audit log files; rotation by count only unless a maxage/maxsize is also set
# (not visible here). Audit logs on the node are only useful if they are shipped off it.
64 audit_log_maxbackups: 10
# Bind controller-manager, scheduler and kube-proxy health/metrics endpoints to loopback
# so they are not reachable from the node network.
65 kube_controller_manager_bind_address: 127.0.0.1
66 kube_scheduler_bind_address: 127.0.0.1
67 kube_proxy_healthz_bind_address: 127.0.0.1
68 kube_proxy_metrics_bind_address: 127.0.0.1
# 0 disables the kubelet's unauthenticated read-only API (port 10255 by default).
69 kube_read_only_port: 0
70 kube_override_hostname: ""
71 kube_kubeadm_apiserver_extra_args:
# Reject tokens whose ServiceAccount no longer exists. NOTE(review): a bare YAML boolean
# is rendered by Jinja as "True"; Go's flag parser accepts that spelling, but quoting
# "true" avoids relying on it.
72 service-account-lookup: true
73 service-account-key-file: "{{ kube_cert_dir }}/sa.key"
# Must match the hostPath/mountPath in apiserver_extra_volumes below; EventRateLimit
# reads its limits from this file.
74 admission-control-config-file: "{{ kube_config_dir }}/admission-control/config.yaml"
75 kube_kubeadm_scheduler_extra_args:
78 kube_kubeadm_controller_extra_args:
# The same sa.key under kube_cert_dir is referenced for apiserver token verification
# above and for controller-manager token signing here.
80 service-account-private-key-file: "{{ kube_cert_dir }}/sa.key"
81 kubelet_config_extra_args:
# Kubelet refuses to start if host kernel defaults differ from what it expects (e.g.
# vm.overcommit_memory, kernel.panic, kernel.panic_on_oops), so the node must have those
# sysctls applied before this takes effect — presumably done by kubespray when the
# flag is set, confirm.
82 protectKernelDefaults: true
# "static" pins Guaranteed pods to exclusive cores and pairs with the --reserved-cpus
# flag prepared earlier; "none" is the upstream default.
83 cpuManagerPolicy: "{% if native_cpu_manager_enabled | default(false) %}static{% else %}none{% endif %}"
84 topologyManagerPolicy: "{{ topology_manager_policy | default('none') }}"
86 kube_apiserver_request_timeout: 60s
87 kube_apiserver_enable_admission_plugins: "{{ enable_admission_plugins_prepare | from_yaml }}"
# PodSecurityPolicy was removed in Kubernetes 1.25; psp_enabled is only meaningful on
# older clusters.
88 podsecuritypolicy_enabled: "{{ psp_enabled }}"
# Enables an EncryptionConfiguration for Secrets at rest in etcd. The key material is
# itself a file on the control-plane node (location not visible here), so this protects
# etcd snapshots and backups, not a compromised control-plane host.
89 kube_encrypt_secret_data: true
# Mounts the admission-control config into the static apiserver pod; the path must equal
# the admission-control-config-file argument above. NOTE(review): no readOnly flag is
# set — confirm kubespray mounts extra volumes read-only by default.
90 apiserver_extra_volumes:
91 - name: admission-control-config
92 hostPath: /etc/kubernetes/admission-control/
93 mountPath: /etc/kubernetes/admission-control/
# SELinux stays disabled unless the inventory sets selinux_mode; prefer permissive or
# enforcing where the workloads allow it.
95 preinstall_selinux_state: "{{ selinux_mode | default('disabled') }}"
# TLS cipher suites for the Kubernetes components (the list key sits above this
# excerpt): ECDHE key exchange with AES-GCM only, no CBC and no RSA key transport. Go's
# TLS stack applies such lists to TLS 1.2 only; TLS 1.3 suites are fixed by the library.
97 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
98 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
99 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# etcd gets the same policy without the ECDSA suite (its certificates are presumably
# RSA). No ChaCha20-Poly1305 suite is offered, which only matters on hosts without AES-NI.
101 ETCD_CIPHER_SUITES: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
# Restarting docker drops and recreates its iptables chains; unless live-restore is
# configured it also restarts every container on the node, including the static pods,
# so expect a short control-plane blip per node. (Style: block-YAML module arguments
# are preferred over key=value strings in Ansible.)
105 - name: restart docker daemon to recreate iptables rules
106 systemd: name=docker state=restarted
# Kubelet re-reads the static pod manifests on restart, picking up the apiserver and
# controller-manager arguments set above.
108 - name: restart kubelet to trigger static pods recreation
109 systemd: name=kubelet state=restarted
111 # note: workaround for the flannel VXLAN interface offloading issue described in the
# kubespray flannel docs (link pinned to a specific commit):
112 # https://github.com/kubernetes-sigs/kubespray/blob/58f48500b1adac3f18466fa1c5cf8aa9d9838150/docs/flannel.md#flannel
# The ethtool change applies to the live interface only and is typically lost when the
# interface is recreated or the node reboots — re-run this play (or persist it via a
# networkd/udev rule) rather than assuming it sticks.
113 - name: check if flannel.1 interface exists
115 path: /sys/class/net/flannel.1
116 when: kube_network_plugin == "flannel"
117 register: flannel_endpoint
# Guarded on both the plugin and the registered stat so the command is skipped when the
# interface is absent (a skipped stat task has no .stat key).
118 - name: disable offloading features on flannel.1
119 command: ethtool --offload flannel.1 rx off tx off
122 - kube_network_plugin == "flannel"
123 - flannel_endpoint.stat.exists
# Tighten etcd's data directory (the module and owner/mode arguments are not visible in
# this excerpt). The CIS benchmark expects the directory owned by the etcd user with
# mode 700: the raw store holds every Secret (in plaintext unless encryption at rest is
# enabled), so it must not be readable by other local users.
127 - name: change /var/lib/etcd owner
129 path: "{{ etcd_data_dir | default('/var/lib/etcd') }}"
135 - name: change /var/lib/etcd permissions
137 path: "{{ etcd_data_dir | default('/var/lib/etcd') }}"
145 - role: cluster_defaults
147 - role: docker_registry
# Only applied when the vars file exists; the `is file` test evaluates on the Ansible
# controller, not on the target host. That file holds Docker Hub credentials — keep it
# ansible-vault encrypted and out of version control.
149 - role: dockerhub_credentials
150 when: "'/bmra/roles/dockerhub_credentials/vars/main.yml' is file"
151 environment: "{{ proxy_env | d({}) }}"
152 any_errors_fatal: true
# Runs after the cluster is up; issues the certificates for kubelet mTLS (details live
# in kubelet-certificates.yml, not visible here).
154 - name: run certificate generation for mTLS in kubelet
155 import_playbook: kubelet-certificates.yml