Merge "Fix the nodeSelector indent and define name"

[multicloud/k8s.git] / kud / hosting_providers / vagrant / inventory / group_vars / k8s-cluster.yml

# SPDX-license-identifier: Apache-2.0
##############################################################################
# Copyright (c) 2018
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################

# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
system_namespace: kube-system

docker_version: 'latest'

# Logging directory (sysvinit systems)
kube_log_dir: "/var/log/kubernetes"

kube_api_anonymous_auth: true

# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "secret"
kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
    role: admin
    groups:
      - system:masters

## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
kube_basic_auth: true
kube_token_auth: true

# Choose network plugin (calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: flannel

# Make a copy of kubeconfig (admin.conf) on the host that runs Ansible to inventory/artifacts
kubeconfig_localhost: true
# Copy kubectl binary on the host that runs Ansible to inventory/artifacts
kubectl_localhost: true
# Disable nodelocal dns cache
enable_nodelocaldns: false
# Enable MountPropagation gate feature
local_volumes_enabled: true
local_volume_provisioner_enabled: true

# Helm deployment
helm_enabled: true

# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
# https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs
#kube_proxy_mode: ipvs

# Download container images only once then push to cluster nodes in batches
download_run_once: True

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"

#Set download_localhost: True to make localhost the download delegate. This can be useful if 
#cluster nodes cannot access external addresses. To use this requires that docker is installed 
#and running on the ansible master and that the current user is either in the docker group or 
#can do passwordless sudo, to be able to access docker. 
download_localhost: True

# Subnet for cluster IPs
kube_service_addresses: 10.244.0.0/18
# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18

# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: true
# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
#   allowedCapabilities:
#     - '*'
# by
#   requiredDropCapabilities:
#    - NET_RAW
podsecuritypolicy_restricted_spec:
  privileged: true
  allowPrivilegeEscalation: true
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  requiredDropCapabilities:
    - NET_RAW
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
  allowedUnsafeSysctls:
    - '*'