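---
# SPDX-license-identifier: Apache-2.0
##############################################################################
# Copyright (c) 2018
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
# Kubespray cluster variables template. The `$KRD_*` / `$KUBESPRAY_*` tokens
# are presumably expanded from the environment (envsubst-style) before the
# file is handed to Ansible; a variable that is not exported expands to an
# empty value, so review the rendered file, not only this template.
#
# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
system_namespace: kube-system
# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"
# Unauthenticated API requests are accepted and attributed to system:anonymous
# (group system:unauthenticated); what they may then do is decided by RBAC,
# which by default only exposes discovery/health endpoints. Set to false
# unless something relies on unauthenticated /healthz-style probes.
kube_api_anonymous_auth: true
# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
# SECURITY: never commit a literal password here. The value is taken from the
# environment like every other setting in this template. Because
# kube_basic_auth is false below (and the API server removed basic auth in
# Kubernetes 1.19, long before v1.30.x) an empty value is harmless, whereas a
# checked-in default such as "secret" for a system:masters user is not.
kube_api_pwd: "$KRD_KUBE_API_PWD"
kube_users:
  kube:
    pass: "{{ kube_api_pwd }}"
    role: admin
    # system:masters bypasses RBAC entirely; reserve it for break-glass access.
    groups:
      - system:masters
# It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
kube_basic_auth: false
kube_token_auth: false
# Choose network plugin (calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: $KRD_NETWORK_PLUGIN
# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
# NOTE: that copy is a cluster-admin credential; keep the artifacts directory
# out of version control and readable only by the deploying user.
kubeconfig_localhost: true
# Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.30.4
# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
# https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
kube_proxy_mode: $KRD_KUBE_PROXY_MODE
# Download container images only once then push to cluster nodes in batches
download_run_once: $KRD_DOWNLOAD_RUN_ONCE
# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
# Helm deployment
helm_enabled: false
# Local volume provisioner deployment
local_volume_provisioner_enabled: $KRD_LOCAL_VOLUME_PROVISIONER_ENABLED
# Makes the installer node a delegate for pushing images while running
# the deployment with ansible. This maybe the case if cluster nodes
# cannot access each over via ssh or you want to use local docker
# images as a cache for multiple clusters.
download_localhost: $KRD_DOWNLOAD_LOCALHOST
# Enable Multus
kube_network_plugin_multus: $KRD_MULTUS_ENABLED
# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
kubectl_localhost: false
# Settings for containerized control plane (etcd/kubelet/secrets)
etcd_deployment_type: $KUBESPRAY_ETCD_KUBELET_DEPLOYMENT_TYPE
# Controls which platform to deploy kubelet on. Available options are host, rkt, and docker.
kubelet_deployment_type: $KUBESPRAY_ETCD_KUBELET_DEPLOYMENT_TYPE
# Container for runtime
container_manager: $KRD_CONTAINER_RUNTIME
# Rook requires a FlexVolume plugin directory to integrate with K8s for performing storage operations
kubelet_flexvolumes_plugins_dir: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
# Dashboard
dashboard_enabled: $KRD_DASHBOARD_ENABLED
# Skipping login means anyone who can reach the dashboard endpoint acts with
# whatever RBAC the dashboard ServiceAccount holds. Acceptable for a throwaway
# lab; set to false (token/kubeconfig login) anywhere else.
dashboard_skip_login: true
# Cert manager deployment
cert_manager_enabled: $KRD_CERT_MANAGER_ENABLED
# Nginx ingress controller deployment
ingress_nginx_enabled: $KRD_INGRESS_NGINX_ENABLED
# Kata Containers is an OCI runtime, where containers are run inside lightweight VMs
kata_containers_enabled: $KRD_KATA_CONTAINERS_ENABLED
# crun is a container runtime which has lower footprint, better performance and cgroup2 support
crun_enabled: $KRD_CRUN_ENABLED
# youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
youki_enabled: $KRD_YOUKI_ENABLED
# gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface.
gvisor_enabled: $KRD_GVISOR_ENABLED
# The Mount propagation feature allows for sharing volumes mounted by
# a container to other containers in the same pod, or even to other
# pods on the same node
docker_mount_flags: shared
# Should be set to a cluster IP if using a custom cluster DNS
manual_dns_server: ""
# Flannel may be paired with several different backends.
# default - VXLAN is the recommended choice.
# host-gw is recommended for more experienced users who want the performance
# improvement and whose infrastructure support it (typically it can't be used in
# cloud environments).
# UDP is suggested for debugging only or for very old kernels that don't support VXLAN.
flannel_backend_type: $KRD_FLANNEL_BACKEND_TYPE
# Specify version of Docker to used (should be quoted string).
docker_version: "$KRD_DOCKER_VERSION"
# Specify version of ContainerD to used (should be quoted string).
containerd_version: "$KRD_CONTAINERD_VERSION"
# Enable nodelocal to make pods reach out to the dns (core-dns) caching agent
# running on the same node, thereby avoiding iptables DNAT rules and connection tracking.
enable_nodelocaldns: $KRD_ENABLE_NODELOCALDNS
# sets a threshold for the number of dots which must appear in a name before an
# initial absolute query will be made. The default for n is 1, meaning that if
# there are any dots in a name, the name will be tried first as an absolute name
# before any search list elements are appended to it.
ndots: $KRD_NDOTS
# configures how will be setup DNS for `hostNetwork: true` PODs and non-k8s containers.
resolvconf_mode: $KRD_RESOLVCONF_MODE
# The ipvs scheduler type when proxy mode is ipvs
# rr: Round Robin distributes jobs equally amongst the available real servers.
# lc: Least-Connection assigns more jobs to real servers with fewer active jobs.
# dh: Destination Hashing assigns jobs to servers through looking up a statically assigned hash table by their destination IP addresses.
# sh: Source Hashing assigns jobs to servers through looking up a statically assigned hash table by their source IP addresses.
# sed: Shortest Expected Delay assigns an incoming job to the server with the shortest expected delay.
# nq: Never Queue assigns an incoming job to an idle server if there is, instead of waiting for a fast one; if all the servers are busy, it adopts the Shortest Expected Delay policy to assign the job.
kube_proxy_scheduler: $KRD_KUBE_PROXY_SCHEDULER
# Checkpoint archives capture a running container's memory and filesystem,
# including any secrets or tokens it holds: treat them as sensitive data and
# restrict who may call the kubelet checkpoint endpoint.
kube_feature_gates:
  - ContainerCheckpoint=$KRD_CONTAINER_CHECKPOINT_ENABLED # Ability to create stateful copies of a running container.
# When set to `true`, enables the container checkpoint/restore in CRI-O.
crio_criu_support_enabled: $KRD_CONTAINER_CHECKPOINT_ENABLED
# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
# must be set to true for MetalLB to work
kube_proxy_strict_arp: $KRD_METALLB_ENABLED
# Enables MetalLB deployment
metallb_enabled: $KRD_METALLB_ENABLED
# Enables Kubernetes Auditing (the API server records nothing about who did
# what unless this is on; keep it enabled for anything beyond a scratch lab).
kubernetes_audit: $KRD_KUBERNETES_AUDIT
# Enables Kubernetes Webhook Audit backend
kubernetes_audit_webhook: $KRD_KUBERNETES_AUDIT_WEBHOOK
# Quoted so an unset variable renders as "" rather than null and so URL
# characters such as `#` or `?` are never read as YAML syntax.
audit_webhook_server_url: "$KRD_AUDIT_WEBHOOK_SERVER_URL"
# Maximum number of container log files that can be present for a container.
kubelet_logfiles_max_nr: $KRD_KUBELET_LOGFILES_MAX_NR
# Maximum size of the container log file before it is rotated
kubelet_logfiles_max_size: $KRD_KUBELET_LOGFILES_MAX_SIZE
# Specify version of cert-manager to used (should be quoted string).
cert_manager_version: "$KRD_CERT_MANAGER_VERSION"
# Overlay Network Mode
cilium_tunnel_mode: $KRD_CILIUM_TUNNEL_MODE
# Enable native IP masquerade support in eBPF
cilium_enable_bpf_masquerade: $KRD_CILIUM_ENABLE_BPF_MASQUERADE
# Kube Proxy Replacement mode (strict/probe/partial)
cilium_kube_proxy_replacement: $KRD_CILIUM_KUBE_PROXY_REPLACEMENT
# IP in IP encapsulation mode: "Always", "CrossSubnet", "Never"
calico_ipip_mode: $KRD_CALICO_IPIP_MODE
# VXLAN encapsulation mode: "Always", "CrossSubnet", "Never"
calico_vxlan_mode: $KRD_CALICO_VXLAN_MODE
# Calico network backend: "bird", "vxlan" or "none"
calico_network_backend: $KRD_CALICO_NETWORK_BACKEND
# TODO: Remove this workaround once the fix is published (https://github.com/kubernetes-sigs/kubespray/pull/9845)
crun_bin_dir: /usr/local/bin/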