- Feb 28, 2018
-
-
Andrew Greenwood authored
Adding this into the default example inventory so it has less of a chance of biting others after weeks of random failures (as etcd does not express that it has run out of RAM it just stalls).. 512MB was not enough for us to run one of our products.
-
- Feb 27, 2018
-
-
RongZhang authored
Upgrade to Kubernetes v1.9.3
-
David Chang authored
-
- Feb 21, 2018
-
-
Wong Hoi Sing Edison authored
-
Wong Hoi Sing Edison authored
-
- Feb 17, 2018
-
-
melkosoft authored
* Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
-
- Feb 10, 2018
-
-
Wong Hoi Sing Edison authored
-
- Feb 09, 2018
-
-
mlushpenko authored
Tokens are generated automatically during init process and on-demand for nodes joining process
-
- Feb 08, 2018
-
-
Wong Hoi Sing Edison authored
-
Wong Hoi Sing Edison authored
-
- Feb 07, 2018
-
-
Erwan Miran authored
-
Erwan Miran authored
-
- Feb 05, 2018
-
-
woopstar authored
-
woopstar authored
-
woopstar authored
-
Wong Hoi Sing Edison authored
-
- Feb 01, 2018
-
-
Wong Hoi Sing Edison authored
-
- Jan 30, 2018
-
-
Matthew Mosesohn authored
-
Sébastien Han authored
Some installation are failing to authenticate with peers due to etcd picking up/resoling the wrong node. By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert authentication. Signed-off-by:
Sébastien Han <seb@redhat.com>
-
rong.zhang authored
Support ipvs mode for kube-proxy
-
rong.zhang authored
-
- Jan 25, 2018
-
-
Matthew Mosesohn authored
Raise drain timeout to 5m
-
- Jan 23, 2018
-
-
Matthew Mosesohn authored
-
Virgil Chereches authored
Renamed variable from disable_volume_zone_conflict to volume_cross_zone_attachment and removed cloud provider condition; fix identation
-
- Jan 18, 2018
-
-
Virgil Chereches authored
-
- Jan 17, 2018
-
-
Dave Carley authored
-
- Jan 16, 2018
-
-
Jonas Kongslund authored
-
- Jan 05, 2018
-
-
ArchiFleKs authored
Simplify the number of variables necessary to "just" enable OpenStack cloud provider. Also add the new options available in K8s 1.9.
-
- Dec 25, 2017
-
-
Matthew Mosesohn authored
Update checksum for kubeadm Use v1.9.0 kubeadm params Include hash of ca.crt for kubeadm join Update tag for testing upgrades Add workaround for testing upgrades Remove scale CI scenarios because of slow inventory parsing in ansible 2.4.x. Change region for tests to us-central1 to improve ansible performance
-
- Dec 19, 2017
-
-
Stanislav Makar authored
Add possibility to create default OpenStack Cinder Storage Class Closes: #1609
-
- Dec 05, 2017
-
-
Chad Swenson authored
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). Rework of #1937 with kubeadm support Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
-
- Dec 04, 2017
-
-
Stanislav Makar authored
* Update k8s version to 1.8.4 * Update main.yml
-
- Nov 29, 2017
-
-
Matthew Mosesohn authored
-
unclejack authored
* Add Contiv support Contiv is a network plugin for Kubernetes and Docker. It supports vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies, multiple networks and bridging pods onto physical networks. * Update contiv version to 1.1.4 Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config. * Load openvswitch module to workaround on CentOS7.4 * Set contiv cni version to 0.1.0 Correct contiv CNI version to 0.1.0. * Use kube_apiserver_endpoint for K8S_API_SERVER Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks to a available endpoint no matter if there's a loadbalancer or not. * Make contiv use its own etcd Before this commit, contiv is using a etcd proxy mode to k8s etcd, this work fine when the etcd hosts are co-located with contiv etcd proxy, however the k8s peering certs are only in etcd group, as a result the etcd-proxy is not able to peering with the k8s etcd on etcd group, plus the netplugin is always trying to find the etcd endpoint on localhost, this will cause problem for all netplugins not runnign on etcd group nodes. This commit make contiv uses its own etcd, separate from k8s one. on kube-master nodes (where net-master runs), it will run as leader mode and on all rest nodes it will run as proxy mode. * Use cp instead of rsync to copy cni binaries Since rsync has been removed from hyperkube, this commit changes it to use cp instead. * Make contiv-etcd able to run on master nodes * Add rbac_enabled flag for contiv pods * Add contiv into CNI network plugin lists * migrate contiv test to tests/files Signed-off-by:
Cristian Staretu <cristian.staretu@gmail.com> * Add required rules for contiv netplugin * Better handling json return of fwdMode * Make contiv etcd port configurable * Use default var instead of templating * roles/download/defaults/main.yml: use contiv 1.1.7 Signed-off-by:
Cristian Staretu <cristian.staretu@gmail.com>
-
- Nov 23, 2017
-
-
Bob Killen authored
-
- Nov 15, 2017
-
-
Chad Swenson authored
-
Chad Swenson authored
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated. * New login/auth options that use apiserver auth proxying by default * Requires RBAC in `authorization_modes` * Only serves over https * No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL: * Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials * Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ * It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
-
- Nov 14, 2017
-
-
Matthew Mosesohn authored
-
- Nov 07, 2017
-
-
Chad Swenson authored
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to: 1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS) 2. Add apiserver client cert/key to the "Wait for apiserver up" checks 3. Update apiserver liveness probe to use HTTPS ports 4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately) 5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well. Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check. Options: 1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not. 2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port) 3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest) Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
-
- Nov 03, 2017
-
-
Matthew Mosesohn authored
-