Commits · acb6f243fd03233b3b6f2f26b6618e479d8f9b5b · Mirror / Kubespray

Aug 30, 2022

feat: add kubelet systemd service hardening option (#9194) · acb6f243

Alessio Greggi authored Aug 30, 2022



* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

acb6f243

kube-vip shoud fail if kube_proxy_strict_arp is false in arp mod (#9223) · b46ddf35
Kay Yan authored Aug 30, 2022
```
* fix-kube-vip-strict-arp

* fix-kube-vip-strict-arp
```
b46ddf35

Aug 23, 2022
- optimize the format of evictionHard in kubelet-config.yaml template (#9204) · c8a61ec9
  Shelming.Song authored Aug 23, 2022
  
  c8a61ec9
Aug 18, 2022

Add the option to enable default Pod Security Configuration (#9017) · 30c77ea4

Tomas Zvala authored Aug 18, 2022

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration

30c77ea4

Disable DNSStubListener for Flatcar Linux (#9160) · be5fdab3
Ho Kim authored Aug 18, 2022
```
* Disable DNSStubListener for Flatcar Linux

* Fix missing "Flatcar" condition of os_family
```
be5fdab3

Aug 16, 2022
- add-tar-in-common-package (#9184) · 0088fe0a
  Kay Yan authored Aug 16, 2022
  
  0088fe0a
Aug 04, 2022
- Add docker support for Kylin V10 (#9144) · 47050003
  ERIK authored Aug 04, 2022
```
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
```
  47050003
Aug 01, 2022
- Add kylin OS support (#9078) · f2f9f1d3
  ERIK authored Aug 02, 2022
```
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
```
  f2f9f1d3
Jul 31, 2022
- pid reserved must be str (#9124) · e73803c7
  Samuel Liu authored Jul 31, 2022
  
  e73803c7
Jul 19, 2022

add kube-vip sans (#9099) · f592fa12
Kay Yan authored Jul 20, 2022

f592fa12

hardening: Add `SeccompDefault` admission plugin for kubelet (#9074) · 3ce5458f

Alessio Greggi authored Jul 19, 2022

* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates

* fix(kubelet-config): enable config through kubelet_feature_gates

* feat(kubelet): add kubelet_seccomp_default variable

3ce5458f

Jul 08, 2022

Allow "openSUSE Tumbleweed" to be run (#9072) · c01656b1

Kenichi Omichi authored Jul 08, 2022

The commit 1ce2f04f tried to merge multiple SUSE OS checks including
"openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but
that was a perfect change.
Then the commit c16efc9a tried to fix it for "openSUSE Leap", but it
didn't take care of "openSUSE Tumbleweed".
Then this adds "openSUSE Tumbleweed" to the OS check.

c01656b1

Jul 05, 2022
- Adding support for node & pod pid limit (#9038) · 3bb95426
  h9-HSFRQDH authored Jul 05, 2022
  
  3bb95426
Jul 04, 2022
- remove-etcd-unsupported-arch (#9049) · 1d0b3829
  Kay Yan authored Jul 04, 2022
  
  1d0b3829
Jun 28, 2022
- add-managed-ntp-support (#9027) · 4b03f6c2
  Kay Yan authored Jun 29, 2022
  
  4b03f6c2
- fix-the-issue-of-miss-the-etcd-user (#9016) · d4de9d09
  Kay Yan authored Jun 29, 2022
  
  d4de9d09
Jun 22, 2022
- Fixed concatenate str & int in auto_renew_certificates_systemd_calendar var (#8979) · 6bf33064
  Florian Ruynat authored Jun 22, 2022
  
  6bf33064
Jun 17, 2022

Add assertion for IPv6 in verify settings · e7729dae
Citrullin authored Jun 08, 2022
```
Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>
```
e7729dae

feat: make kubernetes owner parametrized (#8952) · 97b4d79e

Alessio Greggi authored Jun 17, 2022

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12

97b4d79e

Jun 15, 2022
- [kubernetes] drop support for configuring insecure apiserver · 24c8ba83
  Calin Cristian Andrei authored Jun 14, 2022
  
  24c8ba83
- [kubeadm] use v1beta3 configuration version · 2cd8c51a
  Calin Cristian Andrei authored Jun 06, 2022
```
* extra admission controls now don't have a version in their file names
  eventratelimit.v1beta2.yaml.j2 -> eventratelimit.yaml.j2
* cri_socket variable includes the unix:// prefix to be conformat with
  upstream
```
  2cd8c51a
- [CI] remove docker stand-alone molecule test · 589823bd
  Calin Cristian Andrei authored Jun 06, 2022
  
  589823bd
- [docker] use cri-dockerd instead of dockershim for any kubernetes version... · fad29661
  Calin Cristian Andrei authored Jun 06, 2022
```
[docker] use cri-dockerd instead of dockershim for any kubernetes version deployed with docker as the container_manager
```
  fad29661
- [kubeconfig] generate admin kube config from /etc/kubernetes/admin.conf... · 6380483e
  Calin Cristian Andrei authored Jun 11, 2022
```
[kubeconfig] generate admin kube config from /etc/kubernetes/admin.conf instead of the workaround of using kubeadm init phase kubeadm admin which fails with cri-dockerd
```
  6380483e
- [kubernetes] drop pre 1.22.0 workarounds · ae1dcb03
  Calin Cristian Andrei authored Jun 06, 2022
  
  ae1dcb03
- [kubernetes] make 1.24.1 the new default · d69d4a83
  Calin Cristian Andrei authored Jun 06, 2022
  
  d69d4a83
Jun 14, 2022
- Remove unneeded socat installation for Flatcar (#8970) · 7d3e59cf
  Ho Kim authored Jun 14, 2022
  
  7d3e59cf
Jun 06, 2022

Fix: set fallback value of kubelet ip6 (#8858) (#8926) · 77f436fa

Ho Kim authored Jun 07, 2022



* Fix: set fallback value of kubelet ip6 (#8858)

* Prune the spurious comma in the end of kubelet_address

- Update `roles/kubernetes/node/defaults/main.yml`

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* Fix: set fallback value of kubelet ip6 (#8858)

- Apply the lint: https://github.com/kubernetes-sigs/kubespray/pull/8926/commits/132606368e31bdb992fe45df80bd74d524b8ed89



Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

77f436fa

support reserve ephemeral-storage (#8895) · 01ca7293
Thearas authored Jun 06, 2022

01ca7293

Jun 01, 2022

Revert "Set exact user for Kubelet services" (#8872) · 5512465b

Max Gautier authored Jun 01, 2022

This reverts commit e3756786.

The workaround of explicitly specifying root for the kubelet unit was
for pulling images from private registry. Kubernetes now have a
dedicated mechanism with imagePullSecret.

5512465b

May 26, 2022

Delete kube_version v1.20- related code (#8869) · 73fc70db

Kenichi Omichi authored May 25, 2022

Current Kubespray supports the Kubernetes version 1.21 or upper with
`kube_version_min_required: v1.21.0`

Then kube_version v1.20- related code is not used at all.
This deletes those code for cleanup.

73fc70db

May 23, 2022

[etcd] Add support for setting the request size limit (#8849) · dc1af5a9

Necatican Yıldırım authored May 23, 2022



* [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes`

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES

Signed-off-by: necatican <necaticanyildirim@gmail.com>

dc1af5a9

May 18, 2022
- Fix the invalid kube vip manifest (#8831) · 3d8f3bc0
  Kay Yan authored May 18, 2022
```
* add Feature synchronized time checking

* fix-invalid-kube-vip-manifest
```
  3d8f3bc0
May 10, 2022
- Fix condition on kata_containers_version/kube_version when kata_containers_enabled is false (#8804) · 8f618ab4
  emiran-orange authored May 09, 2022
  
  8f618ab4
May 09, 2022
- feat: add variables to manage makeIPTablesUtilChains and... · 37a5271f
  Alessio Greggi authored May 09, 2022
```
feat: add variables to manage makeIPTablesUtilChains and streamingConnectionIdleTimeout kubelet parameters (#8796)
```
  37a5271f
- [PodSecurityPolicy] Move the install of psp (#8744) · 42fc71fa
  Robin Wallace authored May 09, 2022
  
  42fc71fa
May 07, 2022
- [kubelet] set correct resolv.conf for Ubuntu 22.04 (#8795) · 323a1113
  Andy authored May 07, 2022
  
  323a1113
May 06, 2022

add support for `service-account-lookup` parameter (#8781) · e7df4d3d

Alessio Greggi authored May 06, 2022

* feat: add variable to manage service-account-lookup on kube-apiserver

* docs: add documentation about service-account-lookup variable

e7df4d3d

Add optional setting for ca data in auth webhook (#8777) · 3e52a0db

David Louks authored May 05, 2022

* Add optional setting for ca data in auth webhook

* add webhook token auth variables to sample inventory

3e52a0db

May 05, 2022

Assert that IP range is enough for the nodes (#8720) · 0d6ea851

Elif Akyıldırım authored May 05, 2022



* Assert that IP range is enough for the nodes 

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>

* Fixed whitespace

* Fixed errors

* Fixed errors

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>

0d6ea851