1 # SPDX-license-identifier: Apache-2.0
2 ##############################################################################
4 # All rights reserved. This program and the accompanying materials
5 # are made available under the terms of the Apache License, Version 2.0
6 # which accompanies this distribution, and is available at
7 # http://www.apache.org/licenses/LICENSE-2.0
8 ##############################################################################
10 # Kubernetes configuration dirs and system namespace.
11 # Those are where all the additional config stuff goes
12 # kubernetes normally puts in /srv/kubernetes.
13 # This puts them in a sane location and namespace.
14 # Editing those values will almost surely break something.
15 system_namespace: kube-system
17 # Logging directory (sysvinit systems)
18 kube_log_dir: "/var/log/kubernetes"
# Accept unauthenticated (anonymous) requests at the API server.
# NOTE(review): with this enabled, what anonymous callers (group
# system:unauthenticated) can reach is decided entirely by RBAC — confirm
# those bindings are restricted before the API endpoint is exposed.
20 kube_api_anonymous_auth: true
22 # Users to create for basic auth in Kubernetes API via HTTP
23 # Optionally add groups for user
# Placeholder basic-auth password committed in plaintext; override it per
# inventory (e.g. from a vault-encrypted variable) rather than editing here.
# NOTE(review): basic auth (--basic-auth-file) was removed from
# kube-apiserver in 1.19 — confirm the target version still honours this.
24 kube_api_pwd: "secret"
# Quoted deliberately: an unquoted value starting with "{{" is parsed by
# YAML as a flow mapping before Jinja ever sees it.
# NOTE(review): the parent entry (user name, groups) is not visible in this
# excerpt and the indentation of this line appears to have been lost.
27 pass: "{{kube_api_pwd}}"
32 ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
# Commented out: OIDC authentication is left at its default.
33 #kube_oidc_auth: false
37 # Choose network plugin (calico, contiv, weave or flannel)
38 # Can also be set to 'cloud', which lets the cloud provider set up appropriate routing
# NOTE(review): flannel does not enforce NetworkPolicy objects; choose
# calico (or another policy-capable plugin) if pod-level network isolation
# is a requirement.
39 kube_network_plugin: flannel
41 # Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
# admin.conf is a cluster-admin credential: keep inventory/artifacts out of
# version control and restrict its file permissions on the Ansible host.
42 kubeconfig_localhost: true
43 # Copy kubectl binary on the host that runs Ansible to inventory/artifacts
44 kubectl_localhost: true
45 # Disable nodelocal dns cache
46 enable_nodelocaldns: false
47 # Enable MountPropagation gate feature
48 local_volumes_enabled: true
49 local_volume_provisioner_enabled: true
# Chart repository used for Helm installs.
# NOTE(review): the Helm "stable" repository has been archived (no updates
# since late 2020) — confirm the charts referenced elsewhere still resolve.
53 helm_stable_repo_url: "https://charts.helm.sh/stable"
55 # Kube-proxy proxyMode configuration.
56 # NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
57 # works in the kernel space
58 # https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
# Commented out: kube-proxy runs in its default mode (not set in this file).
59 #kube_proxy_mode: ipvs
61 # Download container images only once then push to cluster nodes in batches
# `True` parses as a boolean under YAML 1.1 (Ansible), but lowercase `true`
# is the spelling used for every other boolean in this file.
62 download_run_once: True
64 # Where the binaries will be downloaded.
65 # Note: ensure that you've enough disk space (about 1G)
66 local_release_dir: "/tmp/releases"
68 # Set download_localhost: True to make localhost the download delegate. This can be useful if
69 # cluster nodes cannot access external addresses. To use this requires that docker is installed
70 # and running on the ansible master and that the current user is either in the docker group or
71 # can do passwordless sudo, to be able to access docker.
# Membership in the docker group (or passwordless sudo) is equivalent to
# root on the Ansible host; scope that account accordingly.
72 download_localhost: True
74 # Subnet for cluster IPs
75 kube_service_addresses: 10.244.0.0/18
# Subnet for pod IPs. The two /18 ranges are adjacent and do not overlap
# (10.244.0.0-10.244.63.255 vs 10.244.64.0-10.244.127.255); keep them
# disjoint if either is resized.
77 kube_pods_subnet: 10.244.64.0/18
79 # pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
# NOTE(review): PodSecurityPolicy was deprecated in Kubernetes 1.21 and
# removed in 1.25 — confirm the target version before relying on it.
80 podsecuritypolicy_enabled: true
81 # The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
82 # allowedCapabilities:
85 # allowedCapabilities:
90 # requiredDropCapabilities:
# NOTE(review): most of the spec body is not visible in this excerpt and
# the indentation of the keys below appears to have been lost; they belong
# under podsecuritypolicy_restricted_spec.
92 podsecuritypolicy_restricted_spec:
# Containers may gain more privileges than their parent process (setuid
# binaries, file capabilities). A restricted profile normally sets this to
# false; it is true here, consistent with the note above that this spec
# differs from the privileged one only in its capability lists — confirm
# that is intended.
99 allowPrivilegeEscalation: true
# Capabilities every admitted container must drop (list not visible here).
108 requiredDropCapabilities:
# Root filesystem remains writable for pods admitted under this policy.
118 readOnlyRootFilesystem: false
119 # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
# Kubernetes classifies a sysctl as "unsafe" when it is not namespaced or
# may affect other pods or the node; the allowed list itself is not visible
# in this excerpt.
120 allowedUnsafeSysctls:
123 # Customize kubelet config of CPU and topology manager
# NOTE(review): the two keys below belong under
# kubelet_node_config_extra_args; their indentation appears lost here.
124 kubelet_node_config_extra_args:
125 cpuManagerPolicy: "static" # Options: none (disabled), static (default)
126 topologyManagerPolicy: "best-effort" # Options: none (disabled), best-effort (default), restricted, single-numa-node