Merge branch 'master' of https://github.com/kubernetes-incubator/kubespray into etcd-fix-4

2026-05-19 23:07:47 -02:30 · 2018-05-02 13:37:15 +02:00
parent 32a8ea8094 223ed98828
commit 4c81cd2a71
104 changed files with 663 additions and 294 deletions
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -52,7 +52,7 @@ kube_apiserver_admission_control:
      {%- if kube_version | version_compare('v1.9', '<') -%}
      GenericAdmissionWebhook
      {%- else -%}
-      ValidatingAdmissionWebhook
+      MutatingAdmissionWebhook,ValidatingAdmissionWebhook
      {%- endif -%}
  - ResourceQuota

@@ -73,7 +73,9 @@ kube_oidc_auth: false
 ## Optional settings for OIDC
 # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
 # kube_oidc_username_claim: sub
+# kube_oidc_username_prefix: oidc:
 # kube_oidc_groups_claim: groups
+# kube_oidc_groups_prefix: oidc:

 ## Variables for custom flags
 apiserver_custom_flags: []
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -9,6 +9,10 @@
    - {src: apiserver-key.pem, dest: apiserver.key}
    - {src: ca.pem, dest: ca.crt}
    - {src: ca-key.pem, dest: ca.key}
+    - {src: front-proxy-ca.pem, dest: front-proxy-ca.crt}
+    - {src: front-proxy-ca-key.pem, dest: front-proxy-ca.key}
+    - {src: front-proxy-client.pem, dest: front-proxy-client.crt}
+    - {src: front-proxy-client-key.pem, dest: front-proxy-client.key}
    - {src: service-account-key.pem, dest: sa.pub}
    - {src: service-account-key.pem, dest: sa.key}
  register: kubeadm_copy_old_certs
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -73,9 +73,15 @@ spec:
 {%   if kube_oidc_username_claim is defined %}
    - --oidc-username-claim={{ kube_oidc_username_claim }}
 {%   endif %}
+{%   if kube_oidc_username_prefix is defined %}
+    - "--oidc-username-prefix={{ kube_oidc_username_prefix }}"
+{%   endif %}
 {%   if kube_oidc_groups_claim is defined %}
    - --oidc-groups-claim={{ kube_oidc_groups_claim }}
 {%   endif %}
+{%   if kube_oidc_groups_prefix is defined %}
+    - "--oidc-groups-prefix={{ kube_oidc_groups_prefix }}"
+{%   endif %}
 {% endif %}
    - --secure-port={{ kube_apiserver_port }}
    - --insecure-port={{ kube_apiserver_insecure_port }}
@@ -111,7 +117,7 @@ spec:
    - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('v1.9', '>=') %}
-    - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --requestheader-client-ca-file={{ kube_cert_dir }}/front-proxy-ca.pem
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -29,6 +29,7 @@ spec:
    - --leader-elect=true
    - --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
 {% if volume_cross_zone_attachment %}
+    - --use-legacy-policy-config
    - --policy-config-file={{ kube_config_dir }}/kube-scheduler-policy.yaml
 {% endif %}
    - --profiling=false