External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-01-28 23:04:43 -03:30
Code Issues Packages Projects Releases Wiki Activity
kubespray/roles/kubernetes/node/defaults/main.yml
Shaleen Bathla 082507cff2
kubelet: conditionalize staticPodPath location (#12433) 
Add variable to set kubelet staticPodPath location.
It can be set to empty so that we can choose to disable it for some nodes.
STIG recommendation is to disable it.

Signed-off-by: Shaleen Bathla <shaleenbathla@gmail.com>
Co-authored-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
2025-08-18 06:51:11 -07:00

201 lines
6.9 KiB
YAML
Raw Blame History

---
# advertised host IP for kubelet. This affects network plugin config. Take caution
# add ipv6 manual for dualstack mode because ipv4 priority in main_ip for dualstack
kubelet_address: "{{ main_ips | join(',') }}"
# bind address for kubelet. Set to :: to listen on all interfaces
kubelet_bind_address: "{{ main_ip | default('::') }}"
# resolv.conf to base dns config
kube_resolv_conf: "/etc/resolv.conf"
# Set to empty to avoid cgroup creation
kubelet_enforce_node_allocatable: "\"\""
# Set runtime and kubelet cgroups when using systemd as cgroup driver (default)
kube_service_cgroups: "{% if kube_reserved %}{{ kube_reserved_cgroups_for_service_slice }}{% else %}system.slice{% endif %}"
kubelet_runtime_cgroups: "/{{ kube_service_cgroups }}/{{ container_manager }}.service"
kubelet_kubelet_cgroups: "/{{ kube_service_cgroups }}/kubelet.service"
# Set runtime and kubelet cgroups when using cgroupfs as cgroup driver
kubelet_runtime_cgroups_cgroupfs: "/system.slice/{{ container_manager }}.service"
kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
# Set systemd service hardening features
kubelet_systemd_hardening: false
# Kubelet service dependencies other than container runtime
kubelet_systemd_wants_dependencies: []
# List of secure IPs for kubelet
# don't forget ipv6 addresses for dualstack(because "main_ip" prioritizes ipv4)
kube_node_addresses: >-
{%- for host in (groups['k8s_cluster'] | union(groups['etcd'])) -%}
{{ hostvars[host]['main_ips'] | join(' ') }}{{ ' ' if not loop.last else '' }}
{%- endfor -%}
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnets | regex_replace(',', ' ') }} {{ kube_node_addresses }}"
# Reserve this space for kube resources
# Whether to run kubelet and container-engine daemons in a dedicated cgroup. (Not required for resource reservations).
kube_reserved: false
kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"
kube_memory_reserved: "256Mi"
kube_cpu_reserved: "100m"
kube_ephemeral_storage_reserved: "500Mi"
kube_pid_reserved: "1000"
# Set to true to reserve resources for system daemons
system_reserved: false
system_reserved_cgroups_for_service_slice: system.slice
system_reserved_cgroups: "/{{ system_reserved_cgroups_for_service_slice }}"
system_memory_reserved: "512Mi"
system_cpu_reserved: "500m"
system_ephemeral_storage_reserved: "500Mi"
system_pid_reserved: 1000
## Eviction Thresholds to avoid system OOMs
# https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#eviction-thresholds
eviction_hard: {}
eviction_hard_control_plane: {}
kubelet_status_update_frequency: 10s
# kube-vip
kube_vip_version: 0.8.0
kube_vip_arp_enabled: false
kube_vip_interface:
kube_vip_services_interface:
kube_vip_cidr: 32
kube_vip_dns_mode: first
kube_vip_controlplane_enabled: false
kube_vip_ddns_enabled: false
kube_vip_cp_detect: false
kube_vip_services_enabled: false
kube_vip_leader_election_enabled: "{{ kube_vip_arp_enabled }}"
kube_vip_bgp_enabled: false
kube_vip_bgp_routerid:
kube_vip_local_as: 65000
kube_vip_bgp_peeraddress:
kube_vip_bgp_peerpass:
kube_vip_bgp_peeras: 65000
kube_vip_bgppeers:
kube_vip_address:
kube_vip_enableServicesElection: false
kube_vip_lb_enable: false
kube_vip_leasename: plndr-cp-lock
kube_vip_svc_leasename: plndr-svcs-lock
kube_vip_leaseduration: 5
kube_vip_renewdeadline: 3
kube_vip_retryperiod: 1
kube_vip_enable_node_labeling: false
# Requests for load balancer app
loadbalancer_apiserver_memory_requests: 32M
loadbalancer_apiserver_cpu_requests: 25m
loadbalancer_apiserver_keepalive_timeout: 5m
loadbalancer_apiserver_pod_name: "{% if loadbalancer_apiserver_type == 'nginx' %}nginx-proxy{% else %}haproxy{% endif %}"
# Uncomment if you need to enable deprecated runtimes
# kube_api_runtime_config:
# - apps/v1beta1=true
# - apps/v1beta2=true
# - extensions/v1beta1/daemonsets=true
# - extensions/v1beta1/deployments=true
# - extensions/v1beta1/replicasets=true
# - extensions/v1beta1/networkpolicies=true
# A port range to reserve for services with NodePort visibility.
# Inclusive at both ends of the range.
kube_apiserver_node_port_range: "30000-32767"
# Configure the amount of pods able to run on single node
# default is equal to application default
kubelet_max_pods: 110
# Sets the maximum number of processes running per Pod
# Default value -1 = unlimited
kubelet_pod_pids_limit: -1
## Support parameters to be passed to kubelet via kubelet-config.yaml
kubelet_config_extra_args: {}
## Parameters to be passed to kubelet via kubelet-config.yaml when cgroupfs is used as cgroup driver
kubelet_config_extra_args_cgroupfs:
systemCgroups: /system.slice
cgroupRoot: /
# Maximum number of container log files that can be present for a container.
kubelet_logfiles_max_nr: 5
# Maximum size of the container log file before it is rotated
kubelet_logfiles_max_size: 10Mi
## Support custom flags to be passed to kubelet
kubelet_custom_flags: []
# The read-only port for the Kubelet to serve on with no authentication/authorization.
kube_read_only_port: 0
# Port for healthz for Kubelet
kubelet_healthz_port: 10248
# Bind address for healthz for Kubelet
kubelet_healthz_bind_address: 127.0.0.1
# sysctl_file_path to add sysctl conf to
sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
# tls_min_version: ""
## Support tls cipher suites.
# tls_cipher_suites:
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_RSA_WITH_RC4_128_SHA
kube_proxy_ipvs_modules:
- ip_vs
- ip_vs_rr
- ip_vs_wrr
- ip_vs_sh
- ip_vs_wlc
- ip_vs_lc
# Kubespray will use the first module of this list which it can successfully modprobe
conntrack_modules:
- nf_conntrack
- nf_conntrack_ipv4
# Set this option to "" (empty) to disable staticPodPath (See docs/operations/hardening.md)
kubelet_static_pod_path: "{{ kube_manifest_dir }}"
## Enable distributed tracing for kubelet
kubelet_tracing: false
kubelet_tracing_endpoint: "[::]:4317"
kubelet_tracing_sampling_rate_per_million: 100
# The maximum number of image pulls in parallel. Set it to a integer great than 1 to enable image pulling in parallel.
kubelet_max_parallel_image_pulls: 1
Reference in New Issue View Git Blame Copy Permalink