Skip to content
  1. Nov 29, 2017
  2. Nov 23, 2017
    • Bogdan Dobrelya's avatar
      Defaults for apiserver_loadbalancer_domain_name (#1993) · 8aafe643
      Bogdan Dobrelya authored
      
      
      * Defaults for apiserver_loadbalancer_domain_name
      
      When loadbalancer_apiserver is defined, use the
      apiserver_loadbalancer_domain_name with a given default value.
      
      Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
      is defined AND using it with a default value provided at once.
      
      Signed-off-by: default avatarBogdan Dobrelya <bogdando@mail.ru>
      
      * Define defaults for LB modes in common defaults
      
      Adjust the defaults for apiserver_loadbalancer_domain_name and
      loadbalancer_apiserver_localhost to come from a single source, which is
      kubespray-defaults. Removes some confusion and simplefies the code.
      
      Signed-off-by: default avatarBogdan Dobrelya <bogdando@mail.ru>
      8aafe643
  3. Nov 16, 2017
  4. Nov 15, 2017
  5. Nov 14, 2017
  6. Nov 13, 2017
  7. Nov 12, 2017
  8. Nov 10, 2017
  9. Nov 09, 2017
  10. Nov 08, 2017
  11. Nov 06, 2017
    • Chad Swenson's avatar
      Support for disabling apiserver insecure port · 0c7e1889
      Chad Swenson authored
      This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:
      
      1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
      2. Add apiserver client cert/key to the "Wait for apiserver up" checks
      3. Update apiserver liveness probe to use HTTPS ports
      4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
      5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.
      
      Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.
      
      Options:
      
      1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
      2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
      3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)
      
      Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
      0c7e1889
    • Aivars Sterns's avatar
      add bastion role to scale (#1882) · 8b2bec70
      Aivars Sterns authored
      8b2bec70
    • Amit Kumar Jaiswal's avatar
      Fix Typo (#1935) · 12526754
      Amit Kumar Jaiswal authored
      12526754
    • Günther Grill's avatar
    • Haiwei Liu's avatar
      Add support cAdvisor (#1908) · ad0cd693
      Haiwei Liu authored
      
      
      Signed-off-by: default avatarHaiwei Liu <carllhw@gmail.com>
      ad0cd693
    • Rob Hirschfeld's avatar
  12. Nov 05, 2017
  13. Nov 04, 2017
  14. Nov 03, 2017
Loading