Added support for Docker Hub credentials (CI)
1 ##
2 ##   Copyright (c) 2020-2021 Intel Corporation.
3 ##
4 ##   Licensed under the Apache License, Version 2.0 (the "License");
5 ##   you may not use this file except in compliance with the License.
6 ##   You may obtain a copy of the License at
7 ##
8 ##       http://www.apache.org/licenses/LICENSE-2.0
9 ##
10 ##   Unless required by applicable law or agreed to in writing, software
11 ##   distributed under the License is distributed on an "AS IS" BASIS,
12 ##   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 ##   See the License for the specific language governing permissions and
14 ##   limitations under the License.
15 ##
---
# Stage 1: runs on the Ansible control node itself (local connection) and
# pulls in the kubespray_install role; presumably this fetches/prepares the
# kubespray tree that is imported further down.
- hosts: 127.0.0.1
  connection: local
  any_errors_fatal: true
  # Pass proxy settings through when the inventory defines them, otherwise
  # an empty environment.
  environment: "{{ proxy_env | default({}) }}"
  roles:
    - role: kubespray_install

# Stage 2: per-node defaults and preparation on every cluster member before
# kubespray itself is run.
- hosts: k8s-cluster
  any_errors_fatal: true
  environment: "{{ proxy_env | default({}) }}"
  roles:
    - role: cluster_defaults
    - role: kubespray_target_setup

# Stage 3: derive the kubespray inputs that depend on optional feature switches.
# Facts are set on every host (no fact gathering needed) so the import_playbook
# below can reference them from its vars.
- hosts: all
  gather_facts: false
  tasks:
    - name: prepare additional kubespray facts
      set_fact:
        # Extra kubelet flag. Renders to an empty string unless the native CPU
        # manager is enabled *and* a reserved-cpus set is given.
        kubelet_node_custom_flags_prepare: >-
          {%- if native_cpu_manager_enabled | default(false) and native_cpu_manager_reserved_cpus is defined -%}
            --reserved-cpus={{ native_cpu_manager_reserved_cpus }}
          {%- endif -%}
        # Admission plugin list rendered as a YAML flow sequence (it is parsed
        # with from_yaml where it is consumed). EventRateLimit and
        # NodeRestriction are always on; AlwaysPullImages and PodSecurityPolicy
        # are toggled by always_pull_enabled / psp_enabled.
        # NOTE(review): neither toggle has a `| default(...)`, unlike the CPU
        # manager switch above, so with Ansible's default undefined-variable
        # handling this task fails if either is left unset.
        enable_admission_plugins_prepare: >-
          [EventRateLimit,{% if always_pull_enabled %} AlwaysPullImages,{% endif %} NodeRestriction{% if psp_enabled %}, PodSecurityPolicy{% endif %}]
        kube_config_dir: /etc/kubernetes
    # Kept as a separate task: it templates kube_config_dir, which the task
    # above has only just set.
    - name: set kube_cert_dir
      set_fact:
        kube_cert_dir: "{{ kube_config_dir }}/ssl"
        kube_csr_dir: "{{ kube_config_dir }}/csr"
  environment: "{{ proxy_env | d({}) }}"
  any_errors_fatal: true

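# Stage 4: run the upstream kubespray cluster playbook with this project's
# overrides. Everything under vars: is a kubespray variable; the ones after the
# "hardening" marker tighten the default security posture.
- name: run kubespray
  import_playbook: kubespray/cluster.yml
  vars:
    kubeadm_enabled: true
    multus_conf_file: /host/etc/cni/net.d/templates/00-multus.conf
    docker_iptables_enabled: true
    docker_dns_servers_strict: false
    override_system_hostname: false
    docker_version: '19.03'
    kube_proxy_mode: iptables
    enable_nodelocaldns: false
    system_reserved: true
    # NOTE(review): the dashboard is an additional authenticated surface on the
    # cluster; confirm it is wanted and that access to it is RBAC-restricted.
    dashboard_enabled: true
    system_cpu_reserved: "{{ native_cpu_manager_system_reserved_cpus | default('1000m') }}"
    kube_cpu_reserved: "{{ native_cpu_manager_kube_reserved_cpus | default('1000m') }}"
    # Rendered by the set_fact play above (empty unless the CPU manager is on).
    kubelet_node_custom_flags: "{{ kubelet_node_custom_flags_prepare | from_yaml }}"
    # NOTE(review): anonymous requests reach the API server as system:anonymous.
    # Kubespray appears to rely on this for the kubeadm join bootstrap and
    # health probes, so flipping it to false needs testing; with RBAC the
    # exposure is limited to what is explicitly granted to that identity.
    kube_api_anonymous_auth: true
    kube_feature_gates:
      - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes
      - TopologyManager={{ topology_manager_enabled | default(true) }}
      - RotateKubeletServerCertificate=true
    # Kubernetes cluster hardening
    kubernetes_audit: true
    audit_log_maxbackups: 10
    # Bind control-plane component endpoints (and kube-proxy health/metrics)
    # to loopback so they are not reachable from the network.
    kube_controller_manager_bind_address: 127.0.0.1
    kube_scheduler_bind_address: 127.0.0.1
    kube_proxy_healthz_bind_address: 127.0.0.1
    kube_proxy_metrics_bind_address: 127.0.0.1
    # 0 disables the kubelet's unauthenticated read-only port.
    kube_read_only_port: 0
    kube_override_hostname: ""
    kube_kubeadm_apiserver_extra_args:
      service-account-lookup: true
      # NOTE(review): the API server only needs the public half of the service
      # account key pair to validate tokens; pointing it at sa.key works but
      # also hands the signing key to the API server process -- confirm intended.
      service-account-key-file: "{{ kube_cert_dir }}/sa.key"
      # Required by EventRateLimit (enabled unconditionally in the admission
      # plugin list); the file is mounted via apiserver_extra_volumes below.
      admission-control-config-file: "{{ kube_config_dir }}/admission-control/config.yaml"
    kube_kubeadm_scheduler_extra_args:
      address: 127.0.0.1
      profiling: false
    kube_kubeadm_controller_extra_args:
      address: 127.0.0.1
      service-account-private-key-file: "{{ kube_cert_dir }}/sa.key"
    kubelet_config_extra_args:
      protectKernelDefaults: true
      cpuManagerPolicy: "{% if native_cpu_manager_enabled | default(false) %}static{% else %}none{% endif %}"
      topologyManagerPolicy: "{{ topology_manager_policy | default('none') }}"
      # 0 removes the client-side rate limit on kubelet event creation so
      # events are not dropped; confirm this is the intended trade-off.
      eventRecordQPS: 0
    kube_apiserver_request_timeout: 60s
    kube_apiserver_enable_admission_plugins: "{{ enable_admission_plugins_prepare | from_yaml }}"
    # NOTE(review): psp_enabled has no default here (or in the set_fact play),
    # so it must be defined in the inventory.
    podsecuritypolicy_enabled: "{{ psp_enabled }}"
    kube_encrypt_secret_data: true
    apiserver_extra_volumes:
      - name: admission-control-config
        # Derived from kube_config_dir so the mount always matches the
        # admission-control-config-file path given to the API server above.
        hostPath: "{{ kube_config_dir }}/admission-control/"
        mountPath: "{{ kube_config_dir }}/admission-control/"
        readOnly: true
    # NOTE(review): defaults SELinux to disabled when selinux_mode is unset,
    # which weakens host hardening; consider permissive/enforcing as the default.
    preinstall_selinux_state: "{{ selinux_mode | default('disabled') }}"
    # Forward-secret AEAD suites only for the Kubernetes components.
    tls_cipher_suites:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # etcd gets the RSA subset only (no ECDSA suites), so its certificates
    # must be RSA for any of these to negotiate.
    etcd_extra_vars:
      ETCD_CIPHER_SUITES: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
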
# Stage 5: post-install fix-ups on every cluster node.
- hosts: k8s-cluster
  tasks:
    # Bouncing docker re-creates its iptables chains (docker_iptables_enabled
    # is on above). Note this also restarts the containers docker manages
    # unless live-restore is configured -- hence the kubelet restart right after.
    - name: restart docker daemon to recreate iptables rules
      become: true
      systemd:
        name: docker
        state: restarted
    - name: restart kubelet to trigger static pods recreation
      become: true
      systemd:
        name: kubelet
        state: restarted
    # Workaround for the flannel offload issue described in
    # https://github.com/kubernetes-sigs/kubespray/blob/58f48500b1adac3f18466fa1c5cf8aa9d9838150/docs/flannel.md#flannel
    # Only relevant when flannel is the CNI; the second task is skipped (the
    # first when-condition short-circuits) before flannel_endpoint is consulted.
    - name: check if flannel.1 interface exists
      when: kube_network_plugin == "flannel"
      stat:
        path: /sys/class/net/flannel.1
      register: flannel_endpoint
    - name: disable offloading features on flannel.1
      become: true
      when:
        - kube_network_plugin == "flannel"
        - flannel_endpoint.stat.exists
      command: ethtool --offload flannel.1 rx off tx off

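# Stage 6: lock down the etcd data directory. etcd holds the cluster state,
# Secret objects included, so only the etcd user should be able to read it.
- hosts: etcd
  tasks:
    # One pass sets owner/group and 0700 on the directory and, via recurse, on
    # everything already inside it. The original second task re-applied the
    # same owner/group/mode to the top-level directory only and was therefore
    # redundant with this one.
    - name: restrict etcd data directory ownership and permissions to the etcd user
      # chown/chmod of a root-owned path needs privilege; the sibling plays
      # escalate explicitly per task, so do the same here.
      become: true
      file:
        path: "{{ etcd_data_dir | default('/var/lib/etcd') }}"
        owner: etcd
        group: etcd
        # Quoted so the leading zero is passed to Ansible as written rather
        # than being reinterpreted by the YAML parser.
        mode: "0700"
        recurse: true
        state: directory
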
# Stage 7: registry setup on the cluster nodes. The Docker Hub credential role
# is optional and only runs when its vars file has been dropped into place.
- hosts: k8s-cluster
  any_errors_fatal: true
  environment: "{{ proxy_env | default({}) }}"
  roles:
    - role: cluster_defaults
      tags: defaults
    - role: docker_registry
      tags: registry
    # NOTE(review): the `is file` test is evaluated on the control node, so
    # this checks the controller's filesystem, not the targets'. The absolute
    # /bmra path ties the check to one directory layout (playbook_dir would be
    # location-independent). Whatever that vars file holds is presumably a
    # Docker Hub username/password: keep it out of version control (e.g.
    # ansible-vault) and make sure the role's tasks use no_log for it.
    - role: dockerhub_credentials
      when:
        - "'/bmra/roles/dockerhub_credentials/vars/main.yml' is file"

# Stage 8: hand off to the certificate playbook; by its name this presumably
# issues the certificates the kubelet uses for mutual TLS.
- import_playbook: kubelet-certificates.yml
  name: run certificate generation for mTLS in kubelet