diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index 416d23e837a6ab13a64c83d6aeb8157bfcbf694f..52f9c88f3c620b27ecfa078008196edd93aea500 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -68,9 +68,18 @@ apiServerExtraArgs:
{% endif %}
service-node-port-range: {{ kube_apiserver_node_port_range }}
kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
+ profiling: "{{ kube_profiling }}"
+ repair-malformed-updates: "false"
+ enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
+ anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
{% if kube_basic_auth|default(true) %}
basic-auth-file: {{ kube_users_dir }}/known_users.csv
{% endif %}
+{% if kube_token_auth|default(true) %}
+ token-auth-file: {{ kube_token_dir }}/known_tokens.csv
+{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
oidc-issuer-url: {{ kube_oidc_url }}
oidc-client-id: {{ kube_oidc_client_id }}
@@ -92,6 +101,13 @@ apiServerExtraArgs:
runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %}
allow-privileged: "true"
+{% if kubernetes_audit %}
+ audit-log-path: "{{ audit_log_path }}"
+ audit-log-maxage: "{{ audit_log_maxage }}"
+ audit-log-maxbackup: "{{ audit_log_maxbackups }}"
+ audit-log-maxsize: "{{ audit_log_maxsize }}"
+ audit-policy-file: {{ audit_policy_file }}
+{% endif %}
{% for key in kube_kubeadm_apiserver_extra_args %}
{{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
{% endfor %}
@@ -102,19 +118,21 @@ controllerManagerExtraArgs:
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
node-monitor-period: {{ kube_controller_node_monitor_period }}
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+ profiling: "{{ kube_profiling }}"
{% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
+{% for key in kube_kubeadm_controller_extra_args %}
+ {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
+{% endfor %}
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
controllerManagerExtraVolumes:
- name: openstackcacert
hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
- {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
schedulerExtraArgs:
+ profiling: "{{ kube_profiling }}"
{% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 4c729e9ac88e4bcdcf8f070fd218989a596b140d..f7d7e9bc2b6c7d116325461928079d0312bcbf47 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -60,9 +60,18 @@ apiServerExtraArgs:
{% endif %}
service-node-port-range: {{ kube_apiserver_node_port_range }}
kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
+ profiling: "{{ kube_profiling }}"
+ repair-malformed-updates: "false"
+ enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+{% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
+ anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
{% if kube_basic_auth|default(true) %}
basic-auth-file: {{ kube_users_dir }}/known_users.csv
{% endif %}
+{% if kube_token_auth|default(true) %}
+ token-auth-file: {{ kube_token_dir }}/known_tokens.csv
+{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
oidc-issuer-url: {{ kube_oidc_url }}
oidc-client-id: {{ kube_oidc_client_id }}
@@ -101,9 +110,13 @@ controllerManagerExtraArgs:
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
node-monitor-period: {{ kube_controller_node_monitor_period }}
pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+ profiling: "{{ kube_profiling }}"
{% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
+{% for key in kube_kubeadm_controller_extra_args %}
+ {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
+{% endfor %}
{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
controllerManagerExtraVolumes:
- name: openstackcacert
@@ -122,10 +135,8 @@ apiServerExtraVolumes:
writable: true
{% endif %}
{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
- {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
schedulerExtraArgs:
+ profiling: "{{ kube_profiling }}"
{% if kube_feature_gates %}
feature-gates: {{ kube_feature_gates|join(',') }}
{% endif %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 928b16c7545cabd9d27f718c0b18b0a8def1bcf5..e1023d088fd9cfeae6b85505642ebe05187d59e6 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -33,7 +33,7 @@ spec:
- --audit-log-maxage={{ audit_log_maxage }}
- --audit-log-maxbackup={{ audit_log_maxbackups }}
- --audit-log-maxsize={{ audit_log_maxsize }}
- - --audit-policy-file={{ audit_policy_file }}
+ - --audit-policy-file={{ audit_policy_file }}
{% endif %}
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
- --etcd-servers={{ etcd_access_addresses }}
@@ -58,16 +58,16 @@ spec:
- --admission-control={{ kube_apiserver_admission_control | join(',') }}
{% else %}
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
- - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
+ - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}
{% if kube_apiserver_disable_admission_plugins|length > 0 %}
- - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
+ - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
{% endif %}
{% endif %}
- --service-cluster-ip-range={{ kube_service_addresses }}
- --service-node-port-range={{ kube_apiserver_node_port_range }}
- --client-ca-file={{ kube_cert_dir }}/ca.pem
- - --profiling=false
+ - --profiling={{ kube_profiling }}
- --repair-malformed-updates=false
- --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
- --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 0557c4498ac3aea5bf714bf4572640ce1aafc544..848a65a5939cdfa169b52d35f268c1dfe2531d1f 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -37,7 +37,7 @@ spec:
- --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
- --node-monitor-period={{ kube_controller_node_monitor_period }}
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
- - --profiling=false
+ - --profiling={{ kube_profiling }}
- --terminated-pod-gc-threshold=12500
- --v={{ kube_log_level }}
{% if rbac_enabled %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index fee223eecfcfa94f0bfcf60890d2ac0fb4dab39d..813731fa2e7877826605328641a20b909475105f 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -32,7 +32,7 @@ spec:
- --use-legacy-policy-config
- --policy-config-file={{ kube_config_dir }}/kube-scheduler-policy.yaml
{% endif %}
- - --profiling=false
+ - --profiling={{ kube_profiling }}
- --v={{ kube_log_level }}
{% if kube_feature_gates %}
- --feature-gates={{ kube_feature_gates|join(',') }}
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index 0424efdf9a305de94a6dcc91fcf1013f23f1939d..72b1e4884656ce806b85be8f5fe53291353dc476 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -26,6 +26,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
{% if kubelet_authorization_mode_webhook %}
--authorization-mode=Webhook \
{% endif %}
+--enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
--client-ca-file={{ kube_cert_dir }}/ca.crt \
--pod-manifest-path={{ kube_manifest_dir }} \
--cadvisor-port={{ kube_cadvisor_port }} \
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index b41134323b0e9898d8d30ca3de2ad6c258a56629..a81eb85f06371a23536fb7548f76e51fc417675c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -147,6 +147,9 @@ dynamic_kubelet_configuration_dir: "{{ kubelet_config_dir | default(default_kube
# Aggregator
kube_api_aggregator_routing: false
+# Profiling
+kube_profiling: false
+
# Container for runtime
container_manager: docker