-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathkubeone.yaml
212 lines (193 loc) · 8.26 KB
/
kubeone.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
name: demo-cluster
versions:
kubernetes: "v1.27.5"
clusterNetwork:
podSubnet: "10.244.0.0/16"
serviceSubnet: "10.96.0.0/12"
serviceDomainName: "cluster.local"
# a nodePort range to reserve for services (default: 30000-32767)
nodePortRange: "30000-32767"
kubeProxy:
iptables: {}
# CNI plugin of choice. CNI can not be changed later at upgrade time.
cni:
canal:
# MTU represents the maximum transmission unit.
mtu: 1450
# cilium:
# # enableHubble to deploy Hubble relay and UI
# enableHubble: true
# # kubeProxyReplacement defines weather cilium relies on underlying Kernel support to replace kube-proxy functionality by eBPF (strict),
# # or disables a subset of those features so cilium does not bail out if the kernel support is missing (disabled).
# kubeProxyReplacement: "disabled"
# weaveNet:
# # When true is set, secret will be automatically generated and
# # referenced in appropriate manifests. Currently only weave-net
# # supports encryption.
# encrypted: true
# external: {}
cloudProvider:
none: {}
external: false
cloudConfig: ""
csiConfig: ""
containerRuntime:
features:
# Configure the CoreDNS deployment
coreDNS:
replicas: 2
deployPodDisruptionBudget: true
imageRepository: ""
# nodeLocalDNS allows disabling deployment of node local DNS
nodeLocalDNS:
deploy: true
# Enable the PodNodeSelector admission plugin in API server.
# More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector
podNodeSelector:
enable: false
config:
# configFilePath is a path on a local file system to the podNodeSelector
# plugin config, which defines default and allowed node selectors.
# configFilePath is is a required field.
# More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#configuration-file-format-1
configFilePath: ""
podSecurityPolicy:
enable: false
# Enables and configures audit log backend.
# More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend
staticAuditLog:
enable: false
config:
# PolicyFilePath is a path on local file system to the audit policy manifest
# which defines what events should be recorded and what data they should include.
# PolicyFilePath is a required field.
# More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
policyFilePath: ""
# LogPath is path on control plane instances where audit log files are stored
logPath: "/var/log/kubernetes/audit.log"
# LogMaxAge is maximum number of days to retain old audit log files
logMaxAge: 30
# LogMaxBackup is maximum number of audit log files to retain
logMaxBackup: 3
# LogMaxSize is maximum size in megabytes of audit log file before it gets rotated
logMaxSize: 100
# Enables dynamic audit logs.
# After enablig this, operator should create auditregistration.k8s.io/v1alpha1
# AuditSink object.
# More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#dynamic-backend
dynamicAuditLog:
enable: false
# Opt-out from deploying metrics-server
# more info: https://github.com/kubernetes-incubator/metrics-server
metricsServer:
enable: true
# Enable OpenID-Connect support in API server
# More info: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
openidConnect:
enable: false
config:
# The URL of the OpenID issuer, only HTTPS scheme will be accepted. If
# set, it will be used to verify the OIDC JSON Web Token (JWT).
issuerUrl: "http://192.168.56.11:9090/auth/realms/kubernete"
# The client ID for the OpenID Connect client, must be set if
# issuer_url is set.
clientId: "kubernetes"
# The OpenID claim to use as the user name. Note that claims other than
# the default ('sub') is not guaranteed to be unique and immutable. This
# flag is experimental in kubernetes, please see the kubernetes
# authentication documentation for further details.
usernameClaim: "sub"
# If provided, all usernames will be prefixed with this value. If not
# provided, username claims other than 'email' are prefixed by the issuer
# URL to avoid clashes. To skip any prefixing, provide the value '-'.
usernamePrefix: "keycloak:"
# If provided, the name of a custom OpenID Connect claim for specifying
# user groups. The claim value is expected to be a string or array of
# strings. This flag is experimental in kubernetes, please see the
# kubernetes authentication documentation for further details.
groupsClaim: "groups"
# If provided, all groups will be prefixed with this value to prevent
# conflicts with other authentication strategies.
groupsPrefix: "keycloak:"
# Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs
# with a 'alg' header value not in this list will be rejected. Values are
# defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.
signingAlgs: "RS256"
# A key=value pair that describes a required claim in the ID Token. If
# set, the claim is verified to be present in the ID Token with a matching
# value. Only single pair is currently supported.
requiredClaim: ""
# If set, the OpenID server's certificate will be verified by one of the
# authorities in the oidc-ca-file, otherwise the host's root CA set will
# be used.
caFile: ""
# Enable Kubernetes Encryption Providers
# For more information: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
encryptionProviders:
# disabled by default
enable: false
# inline string
customEncryptionConfiguration: ""
## Bundle of Root CA Certificates extracted from Mozilla
## can be found here: https://curl.se/ca/cacert.pem
## caBundle should be empty for default root CAs to be used
caBundle: ""
systemPackages:
# will add Docker and Kubernetes repositories to OS package manager
configureRepositories: true # it's true by default
# registryConfiguration controls how images used for components deployed by
# KubeOne and kubeadm are pulled from an image registry
registryConfiguration:
# overwriteRegistry specifies a custom Docker registry which will be used
# for all images required for KubeOne and kubeadm. This also applies to
# addons deployed by KubeOne.
# This field doesn't modify the user/organization part of the image. For example,
# if overwriteRegistry is set to 127.0.0.1:5000/example, image called
# calico/cni would translate to 127.0.0.1:5000/example/calico/cni.
overwriteRegistry: ""
# InsecureRegistry configures Docker to threat the registry specified
# in OverwriteRegistry as an insecure registry. This is also propagated
# to the worker nodes managed by machine-controller and/or KubeOne.
insecureRegistry: false
# Addons are Kubernetes manifests to be deployed after provisioning the cluster
addons:
enable: false
controlPlane:
hosts:
- privateAddress: '192.168.56.12'
sshUsername: user
sshPrivateKeyFile: '/home/fedora/.ssh/id_rsa'
taints:
- key: "node-role.kubernetes.io/control-plane"
effect: "NoSchedule"
- privateAddress: '192.168.56.13'
sshUsername: user
sshPrivateKeyFile: '/home/fedora/.ssh/id_rsa'
taints:
- key: "node-role.kubernetes.io/control-plane"
effect: "NoSchedule"
staticWorkers:
hosts:
- privateAddress: '192.168.56.14'
sshUsername: user
sshPrivateKeyFile: '/home/fedora/.ssh/id_rsa'
- privateAddress: '192.168.56.15'
sshUsername: user
sshPrivateKeyFile: '/home/fedora/.ssh/id_rsa'
- privateAddress: '192.168.56.16'
sshUsername: user
sshPrivateKeyFile: '/home/fedora/.ssh/id_rsa'
apiEndpoint:
host: '192.168.56.11'
port: 6443
alternativeNames: []
# If the cluster runs on bare metal or an unsupported cloud provider,
# you can disable the machine-controller deployment entirely. In this
# case, anything you configure in your "workers" sections is ignored.
machineController:
deploy: false
loggingConfig:
containerLogMaxSize: "100Mi"
containerLogMaxFiles: 5