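# RKE cluster for a three-node Rancher management plane.
#
# Every node carries all three roles (controlplane, worker, etcd), so the
# cluster keeps etcd quorum after the loss of one node. The service settings
# follow the Rancher/CIS hardening pattern: secrets encrypted at rest, API
# audit logging, event rate limiting, PodSecurityPolicy admission, etcd running
# as a non-root user, and a restricted kubelet cipher list.
#
# Inputs (all supplied as Terraform variables):
#   node_username                       SSH user on every node
#   ssh_key_file_name                   private key used to reach the nodes
#   rancher_admin_url, rancher_admin_ip extra SANs for the API server cert
#   docker_registry_url/user/password   credentials for the default registry
#   cluster_domain                      cluster DNS domain passed to kubelet
#
# The audit policy is read from files/auditlog_policy.json next to this
# module; what ends up in the audit log is decided by that file, not here.
resource "rke_cluster" "rancher_cluster" {
  # 10.x.x.x is a placeholder in this gist — substitute the real node IPs.
  # hostname_override pins the Kubernetes node name so it does not change if
  # the host's reverse DNS does.
  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube01"
  }

  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube02"
  }

  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube03"
  }

  # x509 client-certificate authentication for the API server. The extra SANs
  # make the Rancher admin URL and IP validate against the API server's
  # serving certificate.
  authentication {
    strategy = "x509"
    sans = [
      var.rancher_admin_url,
      var.rancher_admin_ip,
    ]
  }

  # Registry used for all system images. NOTE(review): the password is stored
  # in the Terraform state in clear text however the variable is supplied, so
  # the state backend needs the same access control as the registry itself.
  private_registries {
    url        = var.docker_registry_url
    user       = var.docker_registry_user
    password   = var.docker_registry_password
    is_default = true
  }

  ssh_key_path = var.ssh_key_file_name

  services {
    etcd {
      # Run etcd as an unprivileged uid/gid instead of root. The host
      # directories in extra_binds must be owned by this uid/gid (presumably
      # prepared by a bootstrap step outside this file — confirm).
      gid = "52034"
      uid = "52034"

      extra_args = {
        "data-dir"           = "/var/lib/rancher/etcd/data/"
        "wal-dir"            = "/var/lib/rancher/etcd/wal/wal_dir"
        "election-timeout"   = "5000"
        "heartbeat-interval" = "500"
        # Unauthenticated /metrics and /health on every interface. Restrict
        # TCP 2381 at the host firewall, or bind to a non-public address, if
        # the nodes are not on an isolated network.
        "listen-metrics-urls" = "http://0.0.0.0:2381"
      }

      # host path : path inside the etcd container (matches data-dir/wal-dir).
      extra_binds = [
        "/var/lib/etcd/data:/var/lib/rancher/etcd/data",
        "/var/lib/etcd/wal:/var/lib/rancher/etcd/wal",
      ]
    }

    kubelet {
      extra_args = {
        # NOTE(review): feature gates are version-specific; an unknown gate
        # stops the kubelet from starting. Confirm these still exist for the
        # Kubernetes version RKE deploys.
        "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true,RotateKubeletServerCertificate=true"
        # Refuse to start if kernel sysctls differ from the kubelet defaults
        # instead of silently rewriting them.
        "protect-kernel-defaults" = true
        # ECDHE AEAD suites (forward secret) first. The two trailing TLS_RSA_*
        # suites are not forward secret and are kept only for client
        # compatibility; drop them if no client still needs them.
        "tls-cipher-suites" = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
      }
      cluster_domain = var.cluster_domain
    }

    kube_controller {
      # Needed on the controller manager as well so it approves the kubelet
      # serving-certificate rotation requested via the kubelet gate above.
      extra_args = {
        "feature-gates" = "RotateKubeletServerCertificate=true"
      }
    }

    kube_api {
      extra_args = {
        "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true"
      }

      # Encrypt Secrets at rest in etcd with an RKE-managed key.
      secrets_encryption_config {
        enabled = true
      }

      # EventRateLimit admission plugin — bounds event floods against the API.
      event_rate_limit {
        enabled = true
      }

      # Enables the PodSecurityPolicy admission controller. RKE then also
      # creates a PSP named default-psp, which the addons below bind in the
      # system namespaces; it is expected to be more permissive than the
      # cluster-wide "restricted" policy (verify in the target RKE version).
      pod_security_policy = true

      audit_log {
        enabled = true
        configuration {
          max_age    = 5
          max_backup = 5
          max_size   = 100
          # "-" is kube-apiserver's stdout; the max_* rotation settings only
          # take effect if this is changed to a file path.
          path   = "-"
          format = "json"
          policy = file("${path.module}/files/auditlog_policy.json")
        }
      }
    }
  }

  network {
    plugin = "canal"
  }

  # Manifests applied by RKE after the cluster is up:
  #   * the three system namespaces, each with a Role/RoleBinding that lets
  #     every authenticated principal and service account in that namespace
  #     "use" RKE's default-psp;
  #   * a cluster-wide "restricted" PSP (non-root, no privilege escalation,
  #     NET_RAW dropped, non-host volume types only) bound to everyone else.
  # PSP "use" is authorized against the policy API group with extensions as
  # the legacy fallback, so both groups are listed.
  addons = <<-EOL
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: ingress-nginx
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: default-psp-role
      namespace: ingress-nginx
    rules:
    - apiGroups:
      - extensions
      - policy
      resourceNames:
      - default-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: default-psp-rolebinding
      namespace: ingress-nginx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: default-psp-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: cattle-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: default-psp-role
      namespace: cattle-system
    rules:
    - apiGroups:
      - extensions
      - policy
      resourceNames:
      - default-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: default-psp-rolebinding
      namespace: cattle-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: default-psp-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: cert-manager
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: default-psp-role
      namespace: cert-manager
    rules:
    - apiGroups:
      - extensions
      - policy
      resourceNames:
      - default-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: default-psp-rolebinding
      namespace: cert-manager
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: default-psp-role
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated
    ---
    # Baseline policy for every workload not covered by a namespace binding
    # above: no privileged or root containers, no privilege escalation,
    # NET_RAW dropped, and only non-host volume types.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
    spec:
      requiredDropCapabilities:
      - NET_RAW
      privileged: false
      allowPrivilegeEscalation: false
      defaultAllowPrivilegeEscalation: false
      fsGroup:
        rule: RunAsAny
      runAsUser:
        rule: MustRunAsNonRoot
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      volumes:
      - emptyDir
      - secret
      - persistentVolumeClaim
      - downwardAPI
      - configMap
      - projected
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: psp:restricted
    rules:
    - apiGroups:
      - extensions
      - policy
      resourceNames:
      - restricted
      resources:
      - podsecuritypolicies
      verbs:
      - use
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: psp:restricted
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: psp:restricted
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authenticated
  EOL
}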