Commits · ef10ce04e27b4e435467ef5d06fd488ee272202a · Mirror / Kubespray

Feb 06, 2017
- Revert "Drop linux capabilities and rework users/groups" · fd30131d
  Matthew Mosesohn authored Feb 06, 2017
  
  fd30131d
Jan 20, 2017

Drop linux capabilities and rework users/groups · cb2e5ac7

Bogdan Dobrelya authored Dec 28, 2016



* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

cb2e5ac7

Dec 28, 2016

Systemd units, limits, and bin path fixes · a56d9de5

Bogdan Dobrelya authored Dec 23, 2016



* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

a56d9de5

Dec 13, 2016

Address standalone kubelet config case · c75f3947

Bogdan Dobrelya authored Dec 13, 2016

Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

c75f3947

Nov 18, 2016
- Add service-node-port-range parameter for kube-apiserver · cc2f26b8
  Maciej Filipiak authored Nov 18, 2016
  
  cc2f26b8
Nov 09, 2016
- Add etcd TLS support · a32cd85e
  Matthew Mosesohn authored Nov 09, 2016
  
  a32cd85e
Oct 24, 2016

Fix idempotency/recurrence of download and preinstall · c59c3a1b

Bogdan Dobrelya authored Oct 24, 2016



* Don't push containers if not changed
* Do preinstall role only once and redistribute defaults to
  corresponding roles

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

c59c3a1b

Sep 15, 2016

Download containers and save all · 42242890

Bogdan Dobrelya authored Sep 14, 2016



Move version/repo vars to download role.
Add container to download params, which overrides url/source_url,
if enabled.
Fix networking plugins download depending on kube_network_plugin.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

42242890

Aug 25, 2016

Refactor roles and hosts · 8168689c

Bogdan Dobrelya authored Aug 25, 2016



Shorten deployment time with:
- Remove redundand roles if duplicated by a dependency and vice versa
- When a member of k8s-cluster, always install docker as a dependency
  of the etcd role and drop the docker role from cluster.yaml.
- Drop etcd and node role dependencies from master role as they are
  covered by the node role in k8s-cluster group as well. Copy defaults
  for master from node role.
- Decouple master, node, secrets roles handlers and vars to be used w/o
  cross references.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

8168689c