diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 800d9dbb9551a36c5d20a202df7850eca2da77eb..4bfefdc7bb5988dcfd450525c869af70efcad2ed 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
# This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users"
-kube_api_anonymous_auth: false
+kube_api_anonymous_auth: true
## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.8.4
@@ -106,6 +106,8 @@ kube_network_node_prefix: 24
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https)
kube_apiserver_insecure_port: 8080 # (http)
+# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
+#kube_apiserver_insecure_port: 0 # (disabled)
# DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 7b36d453628c6d1c883925c07b0f7c9bc1c2fbfc..1b1853b178910e7a4d7aad57965a7971c41bb06f 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -1,7 +1,10 @@
---
- name: Kubernetes Apps | Wait for kube-apiserver
uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_apiserver_client_cert }}"
+ client_key: "{{ kube_apiserver_client_key }}"
register: result
until: result.status == 200
retries: 10
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 24f94aac5f7b73adcf8a0af51079f355d1a24d61..5bf6709495e050ba24d526bc1bc5b7c903536358 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -1,7 +1,10 @@
---
- name: Kubernetes Apps | Wait for kube-apiserver
uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_apiserver_client_cert }}"
+ client_key: "{{ kube_apiserver_client_key }}"
register: result
until: result.status == 200
retries: 10
diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml
index dd3b0326409f9bb4a8ab071fa41749bd2feecf01..b0766398c6879ae6b00eee5630ca1738d1fd41a6 100644
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -66,7 +66,10 @@
- name: Master | wait for the apiserver to be running
uri:
- url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+ url: "{{ kube_apiserver_endpoint }}/healthz"
+ validate_certs: no
+ client_cert: "{{ kube_apiserver_client_cert }}"
+ client_key: "{{ kube_apiserver_client_key }}"
register: result
until: result.status == 200
retries: 20
diff --git a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
index 3120126ae99e15e8ba26612727e3b2a5dee813da..a9f9383185e29461f26e5b3a049a5570d4e45881 100644
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -6,7 +6,7 @@
remote_src: yes
with_items:
- {src: apiserver.pem, dest: apiserver.crt}
- - {src: apiserver.pem, dest: apiserver.key}
+ - {src: apiserver-key.pem, dest: apiserver.key}
- {src: ca.pem, dest: ca.crt}
- {src: ca-key.pem, dest: ca.key}
register: kubeadm_copy_old_certs
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index fdf4737999937fb5157ac1b86cdd8ff3de6ca20e..39974846d543df3c2bd5336b29f9512d7d008708 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -111,9 +111,17 @@ spec:
httpGet:
host: 127.0.0.1
path: /healthz
+{% if kube_apiserver_insecure_port == 0 %}
+ port: {{ kube_apiserver_port }}
+ scheme: HTTPS
+{% else %}
port: {{ kube_apiserver_insecure_port }}
- initialDelaySeconds: 30
- timeoutSeconds: 10
+{% endif %}
+ failureThreshold: 8
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 15
volumeMounts:
- mountPath: {{ kube_config_dir }}
name: kubernetes-config
diff --git a/roles/kubernetes/preinstall/tasks/verify-settings.yml b/roles/kubernetes/preinstall/tasks/verify-settings.yml
index 9ae6652873d836ae6683fbe42843ace655a7b782..02f9cb14b2dc65aeec681ed9fcf5517eedb37e12 100644
--- a/roles/kubernetes/preinstall/tasks/verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -79,9 +79,14 @@
when: kubelet_fail_swap_on|default(true)
ignore_errors: "{{ ignore_assert_errors }}"
-
- name: Stop if RBAC is not enabled when dashboard is enabled
assert:
that: rbac_enabled
when: dashboard_enabled
+ ignore_errors: "{{ ignore_assert_errors }}"
+
+- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
+ assert:
+ that: rbac_enabled and kube_api_anonymous_auth
+ when: kube_apiserver_insecure_port == 0
ignore_errors: "{{ ignore_assert_errors }}"
\ No newline at end of file
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ec928b298bb61e479b021f7464e91360c75ba12e..08b3f0e2b58ef1debd85b017727861c363a6ed3c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -220,6 +220,18 @@ kube_apiserver_endpoint: |-
{%- endif %}
kube_apiserver_insecure_endpoint: >-
http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
+kube_apiserver_client_cert: |-
+ {% if kubeadm_enabled -%}
+ {{ kube_cert_dir }}/ca.crt
+ {%- else -%}
+ {{ kube_cert_dir }}/apiserver.pem
+ {%- endif %}
+kube_apiserver_client_key: |-
+ {% if kubeadm_enabled -%}
+ {{ kube_cert_dir }}/ca.key
+ {%- else -%}
+ {{ kube_cert_dir }}/apiserver-key.pem
+ {%- endif %}
# Vars for pointing to etcd endpoints
is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"