1 # SPDX-license-identifier: Apache-2.0
2 ##############################################################################
4 # All rights reserved. This program and the accompanying materials
5 # are made available under the terms of the Apache License, Version 2.0
6 # which accompanies this distribution, and is available at
7 # http://www.apache.org/licenses/LICENSE-2.0
8 ##############################################################################
10 # Kubernetes configuration dirs and system namespace.
11 # Those are where all the additional config stuff goes
12 # kubernetes normally puts in /srv/kubernetes.
13 # This puts them in a sane location and namespace.
14 # Editing those values will almost surely break something.
15 system_namespace: kube-system
17 docker_version: 'latest'
19 # Logging directory (sysvinit systems)
20 kube_log_dir: "/var/log/kubernetes"
22 kube_api_anonymous_auth: true
24 # Users to create for basic auth in Kubernetes API via HTTP
25 # Optionally add groups for user
26 kube_api_pwd: "secret"
29 pass: "{{kube_api_pwd}}"
34 ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
35 #kube_oidc_auth: false
39 # Choose network plugin (calico, contiv, weave or flannel)
40 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
41 kube_network_plugin: flannel
43 # Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
44 kubeconfig_localhost: true
45 # Copy kubectl binary on the host that runs Ansible to inventory/artifacts
46 kubectl_localhost: true
47 # Disable nodelocal dns cache
48 enable_nodelocaldns: false
49 # Enable MountPropagation gate feature
50 local_volumes_enabled: true
51 local_volume_provisioner_enabled: true
56 # Kube-proxy proxyMode configuration.
57 # NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
58 # works in the kernel space
59 # https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
60 #kube_proxy_mode: ipvs
62 # Download container images only once then push to cluster nodes in batches
63 download_run_once: True
65 # Where the binaries will be downloaded.
66 # Note: ensure that you've enough disk space (about 1G)
67 local_release_dir: "/tmp/releases"
69 #Set download_localhost: True to make localhost the download delegate. This can be useful if
70 #cluster nodes cannot access external addresses. To use this requires that docker is installed
71 #and running on the ansible master and that the current user is either in the docker group or
72 #can do passwordless sudo, to be able to access docker.
73 download_localhost: True
75 # Subnet for cluster IPs
76 kube_service_addresses: 10.244.0.0/18
78 kube_pods_subnet: 10.244.64.0/18
80 # pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
81 podsecuritypolicy_enabled: true
82 # The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
83 # allowedCapabilities:
86 # requiredDropCapabilities:
88 podsecuritypolicy_restricted_spec:
90 allowPrivilegeEscalation: true
99 requiredDropCapabilities:
109 readOnlyRootFilesystem: false
110 # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
111 allowedUnsafeSysctls: