116 lines
4.8 KiB
YAML
116 lines
4.8 KiB
YAML
KubernetesPodSubnet: 10.85.0.0/16
|
|
KubernetesServiceSubnet: 10.86.0.0/16
|
|
|
|
|
|
Kubernetes_Prime: false # Optional, Boolean. Is the current host the Prime master?
|
|
Kubernetes_Master: false # Optional, Boolean. Is the current host a master host?
|
|
|
|
ContainerDioVersion: 1.6.20-1
|
|
KubernetesVersion: '1.26.2' # must match the repository release version
|
|
kubernetes_version_olm: '0.26.0'
|
|
|
|
KubernetesVersion_k8s_prefix: '-00'
|
|
KubernetesVersion_k3s_prefix: '+k3s1'
|
|
|
|
kubernetes_private_container_registry: [] # Optional, Array. if none use `[]`
|
|
|
|
kubernetes_etcd_snapshot_cron_schedule: '0 */12 * * *'
|
|
kubernetes_etcd_snapshot_retention: 5
|
|
|
|
# host_external_ip: '' # Optional, String. External IP Address for host.
|
|
|
|
kubernetes_type: k8s # Mandatory, String. choice K8s | k3s
|
|
|
|
kube_apiserver_arg_audit_log_maxbackup: 2
|
|
|
|
kubelet_arg_system_reserved_cpu: 450m
|
|
kubelet_arg_system_reserved_memory: 512Mi
|
|
kubelet_arg_system_reserved_storage: 8Gi
|
|
|
|
# kubernetes_olm_install: true # optional, boolean. default=true
|
|
|
|
|
|
nfc_kubernetes:
|
|
enable_firewall: true # Optional, bool enable firewall rules from role 'nfc_firewall'
|
|
|
|
|
|
k3s:
|
|
files:
|
|
|
|
- name: audit.yaml
|
|
path: /var/lib/rancher/k3s/server
|
|
content: |
|
|
apiVersion: audit.k8s.io/v1
|
|
kind: Policy
|
|
rules:
|
|
- level: Request
|
|
when: "{{ Kubernetes_Master | default(false) }}"
|
|
|
|
- name: 90-kubelet.conf
|
|
path: /etc/sysctl.d
|
|
content: |
|
|
vm.panic_on_oom=0
|
|
vm.overcommit_memory=1
|
|
kernel.panic=10
|
|
kernel.panic_on_oops=1
|
|
kernel.keys.root_maxbytes=25000000
|
|
|
|
- name: psa.yaml
|
|
path: /var/lib/rancher/k3s/server
|
|
content: ""
|
|
# apiVersion: apiserver.conf0 */12 * * *ig.k8s.io/v1
|
|
# kind: AdmissionConfiguration
|
|
# plugins:
|
|
# - name: PodSecurity
|
|
# configuration:
|
|
# apiVersion: pod-security.admission.config.k8s.io/v1beta1
|
|
# kind: PodSecurityConfiguration
|
|
# defaults:
|
|
# enforce: "restricted"
|
|
# enforce-version: "latest"
|
|
# audit: "restricted"
|
|
# audit-version: "latest"
|
|
# warn: "restricted"
|
|
# warn-version: "latest"
|
|
# exemptions:
|
|
# usernames: []
|
|
# runtimeClasses: []
|
|
# namespaces: [kube-system]
|
|
when: "{{ kubernetes_config.cluster.prime.name == inventory_hostname }}"
|
|
|
|
|
|
#############################################################################################
|
|
# Cluster Config when stored in Inventory
|
|
#
|
|
# One required per cluster. recommend creating one ansible host group per cluster.
|
|
#############################################################################################
|
|
# kubernetes_config: # Dict. Cluster Config
|
|
# cluster:
|
|
# access: # Mandatory. List, DNS host name or IPv4/IPv6 Address.
|
|
# # if none use '[]'
|
|
# - 'my.dnshostname.com'
|
|
# - '2001:4860:4860::8888'
|
|
# - '192.168.1.1'
|
|
# Name: earth # Mandatory, String. Cluster Name
|
|
# group_name: # Mandatory, String. name of the ansible inventory group containg all cluster hosts
|
|
# prime:
|
|
# name: k3s-prod # Mandatory, String. Ansible inventory_host that will
|
|
# # act as the prime master node.
|
|
# networking:
|
|
# encrypt: true # Optional, Boolean. default `false`. Install wireguard for inter-node encryption
|
|
# podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR
|
|
# ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR
|
|
# # Mandatory, String. Token to join nodes to the cluster
|
|
# node_token: !vault |
|
|
# $ANSIBLE_VAULT;1.2;AES256;kubernetes/cluster/production
|
|
# {rest_of encrypted key}
|
|
# oidc: # Used to configure Kubernetes with OIDC Authentication.
|
|
# enabled: true # Mandatory, boolen. speaks for itself.
|
|
# issuer_url: https://domainname.com/realms/realm-name # Mandatory, String. URL of OIDC Provider
|
|
# client_id: kubernetes-test # Mandatory, string. OIDC Client ID
|
|
# username_claim: preferred_username # Mandatory, String. Claim name containing username.
|
|
# username_prefix: oidc # Optional, String. What to prefix to username
|
|
# groups_claim: roles # Mandatory, String. Claim name containing groups
|
|
# groups_prefix: '' # Optional, String. string to append to groups
|
|
|