2 ## Copyright (c) 2020-2021 Intel Corporation.
4 ## Licensed under the Apache License, Version 2.0 (the "License");
5 ## you may not use this file except in compliance with the License.
6 ## You may obtain a copy of the License at
8 ## http://www.apache.org/licenses/LICENSE-2.0
10 ## Unless required by applicable law or agreed to in writing, software
11 ## distributed under the License is distributed on an "AS IS" BASIS,
12 ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 ## See the License for the specific language governing permissions and
14 ## limitations under the License.
21 - { role: kubespray_install }
22 environment: "{{ proxy_env | d({}) }}"
23 any_errors_fatal: true
28 - role: cluster_defaults
29 - role: kubespray_target_setup
30 environment: "{{ proxy_env | d({}) }}"
31 any_errors_fatal: true
36 - name: prepare additional kubespray facts
38 kubelet_node_custom_flags_prepare: >-
39 {%- if native_cpu_manager_enabled | default(false) and native_cpu_manager_reserved_cpus is defined -%}
40 --reserved-cpus={{ native_cpu_manager_reserved_cpus }}
42 enable_admission_plugins_prepare: >-
43 [EventRateLimit,{% if always_pull_enabled %} AlwaysPullImages,{% endif %} NodeRestriction{% if psp_enabled %}, PodSecurityPolicy{% endif %}]
44 kube_config_dir: /etc/kubernetes
45 - name: set kube_cert_dir
47 kube_cert_dir: "{{ kube_config_dir }}/ssl"
48 kube_csr_dir: "{{ kube_config_dir }}/csr"
49 environment: "{{ proxy_env | d({}) }}"
50 any_errors_fatal: true
53 import_playbook: kubespray/cluster.yml
# presumably the vars handed to the kubespray/cluster.yml import above — the
# enclosing `vars:` key is not visible on this page
56 multus_conf_file: /host/etc/cni/net.d/templates/00-multus.conf
# dockerd owns its iptables rules; the "restart docker daemon to recreate
# iptables rules" task further down relies on this being enabled
57 docker_iptables_enabled: true
58 docker_dns_servers_strict: false
# node hostnames are left as the OS set them (see kube_override_hostname below)
59 override_system_hostname: false
# quoted on purpose: an unquoted 19.03 would be parsed as the float 19.03
60 docker_version: '19.03'
61 kube_proxy_mode: iptables
62 enable_nodelocaldns: false
64 dashboard_enabled: true
# CPU reservations (presumably kubelet systemReserved / kubeReserved);
# 1000m unless the native_cpu_manager_* vars override them
65 system_cpu_reserved: "{{ native_cpu_manager_system_reserved_cpus | default('1000m') }}"
66 kube_cpu_reserved: "{{ native_cpu_manager_kube_reserved_cpus | default('1000m') }}"
# parsed from the YAML text assembled in the "prepare additional kubespray facts" task
67 kubelet_node_custom_flags: "{{ kubelet_node_custom_flags_prepare | from_yaml }}"
# NOTE(review): anonymous API-server requests stay accepted here; they are
# authenticated as system:anonymous / system:unauthenticated and limited only
# by RBAC — confirm this is intended alongside the hardening settings below
68 kube_api_anonymous_auth: true
70 - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes
71 - TopologyManager={{ topology_manager_enabled | default(true) }}
72 - RotateKubeletServerCertificate=true
73 # Kubernetes cluster hardening
# API-server audit logging, keeping 10 rotated audit log files
74 kubernetes_audit: true
75 audit_log_maxbackups: 10
# controller-manager, scheduler and kube-proxy health/metrics endpoints are
# bound to loopback so they are not reachable from the network
76 kube_controller_manager_bind_address: 127.0.0.1
77 kube_scheduler_bind_address: 127.0.0.1
78 kube_proxy_healthz_bind_address: 127.0.0.1
79 kube_proxy_metrics_bind_address: 127.0.0.1
# 0 disables the kubelet's unauthenticated read-only port
80 kube_read_only_port: 0
# quoted empty string: no hostname override (matches override_system_hostname: false)
81 kube_override_hostname: ""
# extra kube-apiserver flags rendered into the kubeadm configuration
82 kube_kubeadm_apiserver_extra_args:
# the API server checks that the ServiceAccount behind a token still exists
# NOTE(review): a bare YAML true reaches the template as a boolean; quote it
# ("true") if the exact rendered flag text matters — verify against the
# kubeadm config template
83 service-account-lookup: true
84 service-account-key-file: "{{ kube_cert_dir }}/sa.key"
# config for the admission plugins listed in enable_admission_plugins_prepare
# (EventRateLimit needs it); the directory is mounted into the apiserver pod
# via apiserver_extra_volumes below
85 admission-control-config-file: "{{ kube_config_dir }}/admission-control/config.yaml"
86 kube_kubeadm_scheduler_extra_args:
89 kube_kubeadm_controller_extra_args:
91 service-account-private-key-file: "{{ kube_cert_dir }}/sa.key"
# extra KubeletConfiguration fields
92 kubelet_config_extra_args:
# kubelet errors out instead of silently changing kernel sysctls it expects
93 protectKernelDefaults: true
# static CPU pinning only when the native CPU manager is requested; none otherwise
94 cpuManagerPolicy: "{% if native_cpu_manager_enabled | default(false) %}static{% else %}none{% endif %}"
95 topologyManagerPolicy: "{{ topology_manager_policy | default('none') }}"
97 kube_apiserver_request_timeout: 60s
98 kube_apiserver_enable_admission_plugins: "{{ enable_admission_plugins_prepare | from_yaml }}"
99 podsecuritypolicy_enabled: "{{ psp_enabled }}"
100 kube_encrypt_secret_data: true
101 apiserver_extra_volumes:
102 - name: admission-control-config
103 hostPath: /etc/kubernetes/admission-control/
104 mountPath: /etc/kubernetes/admission-control/
106 preinstall_selinux_state: "{{ selinux_mode | default('disabled') }}"
108 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
109 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
110 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
112 ETCD_CIPHER_SUITES: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
# NOTE(review): key=value module-arg shorthand; the rest of this file uses
# block-style module args (e.g. `path:`), so `name: docker` / `state: restarted`
# under `systemd:` would be consistent
116 - name: restart docker daemon to recreate iptables rules
117 systemd: name=docker state=restarted
# restarting kubelet makes it re-read the static pod manifests
119 - name: restart kubelet to trigger static pods recreation
120 systemd: name=kubelet state=restarted
122 # note: fix for the issue mentioned here:
123 # https://github.com/kubernetes-sigs/kubespray/blob/58f48500b1adac3f18466fa1c5cf8aa9d9838150/docs/flannel.md#flannel
124 - name: check if flannel.1 interface exists
126 path: /sys/class/net/flannel.1
127 when: kube_network_plugin == "flannel"
128 register: flannel_endpoint
129 - name: disable offloading features on flannel.1
130 command: ethtool --offload flannel.1 rx off tx off
133 - kube_network_plugin == "flannel"
134 - flannel_endpoint.stat.exists
138 - name: change /var/lib/etcd owner
140 path: "{{ etcd_data_dir | default('/var/lib/etcd') }}"
146 - name: change /var/lib/etcd permissions
148 path: "{{ etcd_data_dir | default('/var/lib/etcd') }}"
156 - role: cluster_defaults
158 - role: docker_registry
160 - role: dockerhub_credentials
161 when: "'/bmra/roles/dockerhub_credentials/vars/main.yml' is file"
162 environment: "{{ proxy_env | d({}) }}"
163 any_errors_fatal: true
165 - name: run certificate generation for mTLS in kubelet
166 import_playbook: kubelet-certificates.yml