    c6fcbf6e
    Remove access to cluster from anonymous users (#11016) · c6fcbf6e
    Nicolas Goudry authored
    * feat: add user facing variable with default
    
    * feat: remove rolebinding to anonymous users after init and upgrade
    
    * feat: use file discovery for secondary control plane nodes
    
    * feat: use file discovery for nodes
    
    * fix: do not fail if rolebinding does not exist
    
    * docs: add warning about kube_api_anonymous_auth
    
    * style: improve readability of delegate_to parameter
    
    * refactor: rename discovery kubeconfig file
    
    * test: enable new variable in hardening and upgrade test cases
    
    * docs: add option to config parameters
    
    * test: multiple instances and upgrade
main.yml 26.75 KiB
---
# Use ProxyCommand if a bastion host is in group all
# This obsoletes editing the ansible.cfg file depending on bastion existence
# NOTE(review): the bastion hop disables host-key verification
# (UserKnownHostsFile=/dev/null, StrictHostKeyChecking=no), so a spoofed or
# replaced bastion would not be detected. Environments that need that check
# should override ansible_ssh_common_args with a pinned known_hosts file.
ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p -p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}"

# SELinux state applied during preinstall
# 'permissive' logs policy denials without enforcing them; presumably
# 'enforcing' is accepted as well — check the preinstall role before hardening.
preinstall_selinux_state: permissive

# Setting this value to false will fail
# For details, read this comment https://github.com/kubernetes-sigs/kubespray/pull/11016#issuecomment-2004985001
# Keep anonymous auth enabled on the API server. To limit what anonymous
# requests can reach, set remove_anonymous_access (defined further down in
# this file) to true instead: it removes the role binding kubeadm grants to
# anonymous users rather than turning the authenticator off.
kube_api_anonymous_auth: true

# Default value, but will be set to true automatically if detected
is_fedora_coreos: false

# Swap settings
# kubelet_fail_swap_on: true keeps the kubelet from running on a host with
# swap enabled (presumably mirrors the kubelet failSwapOn setting).
# kubelet_swap_behavior only has an effect when swap is tolerated, i.e.
# kubelet_fail_swap_on is false.
kubelet_fail_swap_on: true
kubelet_swap_behavior: LimitedSwap

## Change this to use another Kubernetes version, e.g. a current beta release
## (keep the leading 'v' so the value stays a plain string, not a float)
kube_version: v1.29.3

## The minimum Kubernetes version this release still supports
kube_version_min_required: v1.27.0

## Kube Proxy mode. One of ['iptables', 'ipvs']
kube_proxy_mode: ipvs

## The timeout for init of the first control-plane node (duration string)
kubeadm_init_timeout: 300s

## List of kubeadm init phases that should be skipped during control plane setup
## By default 'addon/coredns' is skipped
## 'addon/kube-proxy' is additionally skipped when the network plugin replaces
## kube-proxy (kube-router with kube_router_run_service_proxy, cilium with
## cilium_kube_proxy_replacement == 'strict', calico with calico_bpf_enabled)
## or when kube_proxy_remove is set.
kubeadm_init_phases_skip_default: [ "addon/coredns" ]
kubeadm_init_phases_skip: >-
  {%- if kube_network_plugin == 'kube-router' and (kube_router_run_service_proxy is defined and kube_router_run_service_proxy) -%}
  {{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
  {%- elif kube_network_plugin == 'cilium' and (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict') -%}
  {{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
  {%- elif kube_network_plugin == 'calico' and (calico_bpf_enabled is defined and calico_bpf_enabled) -%}
  {{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
  {%- elif kube_proxy_remove is defined and kube_proxy_remove -%}
  {{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
  {%- else -%}
  {{ kubeadm_init_phases_skip_default }}
  {%- endif -%}

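# List of kubeadm phases that should be skipped when joining a new node
# You may need to set this to ['preflight'] for air-gapped deployments to avoid failing connectivity tests.
# Skipping 'preflight' also drops kubeadm's own sanity checks, so only do it when
# the connectivity tests are the known failure.
kubeadm_join_phases_skip_default: []
# Block scalar indented by two spaces like the rest of this file (was one space,
# which yamllint's indentation rule rejects); the rendered value is unchanged.
kubeadm_join_phases_skip: >-
  {{ kubeadm_join_phases_skip_default }}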

# Set to true to remove the role binding to anonymous users created by kubeadm
# Per the commit notes this runs after cluster init and after upgrades, and
# does not fail when the binding is already absent. Leaves
# kube_api_anonymous_auth itself untouched; the hardening test cases enable it.
remove_anonymous_access: false

# A string slice of values which specify the addresses to use for NodePorts.
# Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
# The default empty string slice ([]) means to use all local addresses.
# kube_proxy_nodeport_addresses_cidr is retained for legacy config: when it is
# defined, its value is wrapped into a single-element list here.
kube_proxy_nodeport_addresses: >-
  {%- if kube_proxy_nodeport_addresses_cidr is defined -%}
  [{{ kube_proxy_nodeport_addresses_cidr }}]
  {%- else -%}
  []
  {%- endif -%}

# Set to true to allow pre-checks to fail and continue deployment
# Leave false outside troubleshooting: a failed pre-check usually points at a
# misconfiguration that will surface later in a harder-to-diagnose form.
ignore_assert_errors: false