This document summarizes all available parameters in KubeKey's built-in default configuration files.
These defaults are located in the builtin/core/roles/defaults/defaults/main/ directory.
You can refer to this document when writing or modifying your own cluster configuration file.
Main Configuration (01-main.yaml)
Default Configuration

```yaml
# KubeKey working directory
work_dir: /root/kubekey
# KubeKey binary file storage directory
binary_dir: >-
  {{ .work_dir }}/kubekey
# Scripts storage directory
scripts_dir: >-
  {{ .work_dir }}/scripts
# Artifacts storage directory
artifact_dir: >-
  {{ .work_dir }}/artifact
# Temporary directory
tmp_dir: /tmp/kubekey
# Map common machine architecture names to standard forms
transform_architectures:
  amd64:
    - amd64
    - x86_64
  arm64:
    - arm64
    - aarch64
# If set to "cn", online downloads will use available domestic sources whenever possible
zone: ""
# Enable enhanced security features to meet stricter cluster security requirements
security_enhancement: false
# Enable Kubernetes audit logs
# Audit logs record and track critical operations within the cluster, helping administrators monitor security events,
# troubleshoot issues, and meet compliance requirements (e.g., SOC2, ISO 27001)
audit: false
delete:
  # When removing a node, also uninstall the node's container runtime (CRI), such as Docker or containerd
  # deleteCRI: true
  cri: false
  # When removing a node, also uninstall etcd from the node
  # deleteETCD: true
  etcd: false
  # When removing a node, restore the node's DNS configuration
  # deleteDNS: true
  dns: false
  # When removing a node, also uninstall any private image registry (such as Harbor or registry) installed on the node
  # Typically used in conjunction with nodes defined in inventory.groups.image_registry
  # deleteImageRegistry: false
  image_registry: false
  # When removing a node, also delete data directories (harbor data, registry data, etc.)
  # Typically used with the --with-data flag or delete.data: true
  # deleteData: false
  data: false
# List of container images to be synchronized to the private registry
image_manifests: []
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `work_dir` | Root working directory used by KubeKey during installation and operation. |
| `binary_dir` | Directory for KubeKey binaries and related tools, auto-generated based on `work_dir`. |
| `scripts_dir` | Directory for scripts required during installation, auto-generated based on `work_dir`. |
| `artifact_dir` | Directory for offline packages (artifact), auto-generated based on `work_dir`. |
| `tmp_dir` | Directory for temporary files during installation. |
| `transform_architectures` | Machine architecture name standardization mapping, used to unify amd64/x86_64, arm64/aarch64, etc. |
| `zone` | Region setting. Set to `"cn"` to prioritize domestic download acceleration sources. |
| `security_enhancement` | Whether to enable cluster enhanced security features. |
| `audit` | Whether to enable Kubernetes audit logging. |
| `delete` | Resource cleanup switches when removing nodes. Includes `cri`, `etcd`, `dns`, `image_registry`, `data`. |
| `image_manifests` | Custom container image list for synchronizing to a private image registry. |
| Parameter | Description |
| --- | --- |
|  | Whether to allow installation on unsupported operating system distributions. |
| `cluster_require.supported_os_distributions` | List of operating system distributions explicitly supported by KubeKey. |
| `cluster_require.require_network_plugin` | List of supported network plugins. The selected plugin is validated against this list during deployment. |
| `cluster_require.kube_version_min_required` | Minimum Kubernetes version allowed for installation. |
| `cluster_require.minimal_master_memory_mb` | Minimum memory required for each control plane node (MB). |
| `cluster_require.minimal_node_memory_mb` | Minimum memory required for each worker node (MB). |
| `cluster_require.require_etcd_deployment_type` | Supported etcd deployment methods: `internal` (deployed within the cluster) or `external` (existing external cluster). |
| `cluster_require.require_container_manager` | List of supported container runtimes: `docker`, `containerd`. |
| `cluster_require.containerd_min_version_required` | Minimum required version when using containerd. |
| `cluster_require.supported_architectures` | List of supported CPU architectures. |
| `cluster_require.min_kernel_version` | Minimum required Linux kernel version for nodes. |
| `cluster_require.calico_allowed_versions` | Compatible Kubernetes version matrix by Calico version. |
| `cluster_require.cilium_allowed_versions` | Compatible Kubernetes version matrix by Cilium version. |
| `cluster_require.kubeovn_allowed_versions` | Compatible Kubernetes version matrix by kube-ovn version. |
| `cluster_require.etcd_min_versions` | Minimum compatible etcd version matrix by Kubernetes version. |
Certificate Configuration (02-certs.yaml)
Default Configuration

```yaml
# Certificate generation configuration
# The following certificates will be generated:
# - etcd certificates
# - Kubernetes cluster certificates (replacing the CA certificate generated by kubeadm, which is limited to a 10-year validity)
# - Image registry certificates (for Harbor and similar registries)
# Certificate chain structure:
# CA (self-signed or provided)
# |- etcd.cert
# |- etcd.key
# |- etcd-client.cert
# |- etcd-client.key
# |
# |- image_registry.cert
# |- image_registry.key
# |- image-registry-client.cert
# |- image-registry-client.key
# |
# |- kubernetes.cert
# |- kubernetes.key
# |  |- kubeadm uses this to generate server certificates (kube-apiserver certificate)
# |- front-proxy.cert
# |- front-proxy.key
# |
# |- image-registry.cert
# |- image-registry.key
certs:
  # CA certificate settings
  ca:
    # CA certificate expiration time
    date: 87600h
    # Certificate generation policy:
    # IfNotPresent: Validate the certificate if it exists; generate a self-signed certificate only if it does not exist
    gen_cert_policy: IfNotPresent
  kubernetes_ca:
    date: 87600h
    # How to generate the certificate file. Supported values: IfNotPresent, Always
    gen_cert_policy: IfNotPresent
  front_proxy_ca:
    date: 87600h
    # How to generate the certificate file. Supported values: IfNotPresent, Always
    gen_cert_policy: IfNotPresent
  # etcd certificate
  etcd:
    date: 87600h
    # How to generate the certificate file. Supported values: IfNotPresent, Always
    gen_cert_policy: IfNotPresent
  # image_registry certificate
  image_registry:
    date: 87600h
    # How to generate the certificate file. Supported values: IfNotPresent, Always
    gen_cert_policy: IfNotPresent
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `certs` | Defines all certificates that KubeKey needs to generate or manage. |
| `certs.ca` | Cluster root CA certificate configuration, affecting the CA for etcd, kubernetes, and image registry services. |
| `certs.ca.date` | CA certificate validity period, e.g., `87600h` represents 10 years. |
| `certs.ca.gen_cert_policy` | CA certificate generation policy. `IfNotPresent` means generate only if missing; `Always` means regenerate every time. |
| `certs.kubernetes_ca` | Kubernetes cluster CA certificate configuration. |
| `certs.front_proxy_ca` | Kubernetes front-proxy CA certificate configuration, used for the aggregation layer (e.g., metrics-server). |
| `certs.etcd` | CA and node certificate configuration for the etcd cluster. |
| `certs.image_registry` | TLS certificate configuration for the private image registry (e.g., Harbor). |
```yaml
# In an online environment (when image_registry.auth.registry is empty), images are pulled directly from their original registries to the cluster.
# In an offline environment (when image_registry.auth.registry is set), images are first pulled from the source registry, cached locally,
# then pushed to a private registry (such as Harbor), and then used by the cluster.
image_registry:
  # Specify which image registry to install. Supported values: harbor, docker-registry
  # If left empty, no image registry will be installed (assumes an existing registry is already available).
  type: ""
  # Virtual IP (VIP) for high availability of the image registry
  ha_vip: ""
  # Image registry authentication settings
  auth:
    registry: >-
      {{- if .image_registry.type | empty | not -}}
        {{- if .image_registry.ha_vip | empty | not -}}
          {{ .image_registry.ha_vip }}
        {{- else if .groups.image_registry | default list | empty | not -}}
          {{- $internalIPv4 := index .hostvars (.groups.image_registry | default list | first) "internal_ipv4" | default "" -}}
          {{- $internalIPv6 := index .hostvars (.groups.image_registry | default list | first) "internal_ipv6" | default "" -}}
          {{- if $internalIPv4 | empty | not -}}
            {{ $internalIPv4 }}
          {{- else if $internalIPv6 | empty | not -}}
            {{ $internalIPv6 }}
          {{- end -}}
        {{- end -}}
      {{- else -}}
        {{- if .zone | eq "cn" -}}
          hub.kubesphere.com.cn
        {{- end -}}
      {{- end -}}
    username: >-
      {{- if .image_registry.type | empty | not -}}
        admin
      {{- end }}
    password: >-
      {{- if .image_registry.type | empty | not -}}
        Harbor12345
      {{- end }}
    skip_tls_verify: >-
      {{- .image_registry.type | empty -}}
    ca_file: >-
      {{- if .groups.image_registry | default list | empty | not -}}
        {{ .binary_dir }}/pki/root.crt
      {{- end -}}
    cert_file: >-
      {{- if .groups.image_registry | default list | empty | not -}}
        {{ .binary_dir }}/pki/image-registry-client.crt
      {{- end -}}
    key_file: >-
      {{- if .groups.image_registry | default list | empty | not -}}
        {{ .binary_dir }}/pki/image-registry-client.key
      {{- end -}}
  # Registry endpoint for images from docker.io
  dockerio_registry: >-
    {{- .image_registry.auth.registry | empty | ternary "docker.io" .image_registry.auth.registry -}}
  # Registry endpoint for images from quay.io
  quayio_registry: >-
    {{- .image_registry.auth.registry | empty | ternary "quay.io" .image_registry.auth.registry -}}
  # Registry endpoint for images from ghcr.io
  ghcrio_registry: >-
    {{- .image_registry.auth.registry | empty | ternary "ghcr.io" .image_registry.auth.registry -}}
  # Registry endpoint for images from registry.k8s.io
  k8sio_registry: >-
    {{- .image_registry.auth.registry | empty | ternary "registry.k8s.io" .image_registry.auth.registry -}}
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `image_registry.type` | Type of image registry to deploy: `harbor`, `docker-registry`, or `""` (use an existing registry). |
| `image_registry.ha_vip` | Virtual IP used when deploying high-availability registries such as Harbor. |
| `image_registry.auth.registry` | Actual image registry address used by the cluster. If a registry is deployed, it is rendered from `ha_vip`, or else from the first `image_registry` host's internal IPv4 (falling back to IPv6); empty in online mode, except that `zone: cn` defaults it to `hub.kubesphere.com.cn`. |
| `image_registry.auth.username` | Username for logging into the image registry. Defaults to `admin` when deploying Harbor. |
| `image_registry.auth.password` | Password for logging into the image registry. Defaults to `Harbor12345` (the Harbor default) when deploying Harbor. |
| `image_registry.auth.skip_tls_verify` | Whether to skip TLS certificate verification. Rendered from `image_registry.type`: `false` when KubeKey deploys a registry (e.g., Harbor), `true` when `type` is empty. |
| `image_registry.auth.ca_file` | Image registry CA certificate path. |
| `image_registry.auth.cert_file` | Client certificate path. |
| `image_registry.auth.key_file` | Client private key path. |
| `image_registry.dockerio_registry` | Image registry endpoint to replace `docker.io`. Defaults to `docker.io` if no private registry is configured. |
| `image_registry.quayio_registry` | Image registry endpoint to replace `quay.io`. |
| `image_registry.ghcrio_registry` | Image registry endpoint to replace `ghcr.io`. |
| `image_registry.k8sio_registry` | Image registry endpoint to replace `registry.k8s.io`. |
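To make the template logic above concrete, here is an added Go example (not KubeKey's own code) that reproduces how `auth.registry`, `username`, `password`, `skip_tls_verify` and the four `*_registry` endpoints render from `type`, `ha_vip`, `zone` and the inventory, and flags two rendered defaults a reviewer should check. The `RegistryInput` and `Rendered` types, `Render` and `Findings` are this example's own names.

```go
package main

import "fmt"

// RegistryInput holds what the auth.registry template reads. The struct is
// constructed for this example and is not a KubeKey type.
type RegistryInput struct {
	Type          string                       // image_registry.type: "", "harbor" or "docker-registry"
	HAVip         string                       // image_registry.ha_vip
	Zone          string                       // top-level zone: "" or "cn"
	RegistryHosts []string                     // inventory groups.image_registry
	HostVars      map[string]map[string]string // hostvars[host]["internal_ipv4" | "internal_ipv6"]
}

// Rendered holds the values the auth.* and *_registry templates produce.
type Rendered struct {
	Registry, Username, Password    string
	SkipTLSVerify                   bool
	DockerIO, QuayIO, GhcrIO, K8sIO string
}

// Render follows the branches of the auth.registry, username, password,
// skip_tls_verify and *_registry templates in the defaults above.
func Render(in RegistryInput) Rendered {
	var r Rendered
	switch {
	case in.Type != "" && in.HAVip != "":
		// A registry is deployed and fronted by a VIP.
		r.Registry = in.HAVip
	case in.Type != "" && len(in.RegistryHosts) > 0:
		// No VIP: first image_registry host, internal IPv4 before IPv6.
		vars := in.HostVars[in.RegistryHosts[0]]
		if vars["internal_ipv4"] != "" {
			r.Registry = vars["internal_ipv4"]
		} else if vars["internal_ipv6"] != "" {
			r.Registry = vars["internal_ipv6"]
		}
	case in.Type == "" && in.Zone == "cn":
		// Online mode in zone "cn": pull through the domestic mirror.
		r.Registry = "hub.kubesphere.com.cn"
	}
	if in.Type != "" {
		// Credentials are defaulted only when KubeKey deploys the registry.
		r.Username, r.Password = "admin", "Harbor12345"
	}
	// {{ .image_registry.type | empty }}: true exactly when no registry is
	// deployed, whatever auth.registry rendered to.
	r.SkipTLSVerify = in.Type == ""
	// ternary: keep the upstream host while auth.registry is empty,
	// otherwise redirect every upstream to the private registry.
	pick := func(upstream string) string {
		if r.Registry == "" {
			return upstream
		}
		return r.Registry
	}
	r.DockerIO, r.QuayIO = pick("docker.io"), pick("quay.io")
	r.GhcrIO, r.K8sIO = pick("ghcr.io"), pick("registry.k8s.io")
	return r
}

// Findings lists rendered settings that should not ship as-is: the
// well-known Harbor password, and TLS verification disabled while images
// are pulled from a configured registry (e.g. the zone "cn" mirror).
func Findings(r Rendered) []string {
	var f []string
	if r.Password == "Harbor12345" {
		f = append(f, "image_registry.auth.password is the Harbor default; set your own")
	}
	if r.SkipTLSVerify && r.Registry != "" {
		f = append(f, "skip_tls_verify renders true for "+r.Registry+"; set it to false explicitly")
	}
	return f
}

func main() {
	// Constructed inventory: Harbor on host "reg1" without a VIP.
	in := RegistryInput{
		Type:          "harbor",
		RegistryHosts: []string{"reg1"},
		HostVars:      map[string]map[string]string{"reg1": {"internal_ipv4": "192.168.10.5"}},
	}
	r := Render(in)
	fmt.Printf("registry=%s docker.io->%s skip_tls_verify=%v\n", r.Registry, r.DockerIO, r.SkipTLSVerify)
	for _, f := range Findings(r) {
		fmt.Println("finding:", f)
	}
}
```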
Native Mode Configuration (02-native.yaml)
Default Configuration

```yaml
# Basic operating system configuration settings
native:
  ntp:
    # List of NTP server addresses used for time synchronization
    servers:
      - "cn.pool.ntp.org"
    # Whether to enable the NTP service
    enabled: true
  # System timezone configuration
  timezone: Asia/Shanghai
  # NFS service configuration for nodes assigned the 'nfs' role in the inventory
  nfs:
    # Directories to be shared via NFS
    share_dir:
      - /share/
  # Whether to set the node's hostname to the value defined in inventory.hosts
  set_hostname: true
  # List of DNS configuration files to update on each node
  # This ensures that, during cluster installation, critical hostnames can be resolved locally even if no DNS service is available
  # For example:
  #   [control plane endpoint] -> master node IP
  #   [hostname of the node being installed] -> corresponding node IP
  localDNS:
    - /etc/hosts
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `native.ntp.servers` | List of NTP server addresses used for time synchronization. |
| `native.ntp.enabled` | Whether to enable the NTP service to maintain consistent time across nodes. |
| `native.timezone` | System timezone of the node, e.g., `Asia/Shanghai`. |
| `native.nfs.share_dir` | NFS shared directories, used by nodes marked with the `nfs` role. |
| `native.set_hostname` | Whether to automatically set the node hostname according to the inventory definition during installation. |
| `native.localDNS` | List of local DNS resolution files (e.g., `/etc/hosts`), used to provide temporary domain name resolution during installation. |
Kubernetes Configuration (03-kubernetes.yaml)
Default Configuration

```yaml
kubernetes:
  # Name of the cluster to be installed
  cluster_name: kubekey
  # Image repository for built-in Kubernetes images
  image_repository: >-
    {{ .image_registry.k8sio_registry }}{{ if .image_registry.auth.registry | empty | not }}/kubernetes{{ end }}
  # Pause/Sandbox image configuration
  sandbox_image:
    # Pause image registry address
    registry: >-
      {{ .image_registry.k8sio_registry }}
    # Pause image repository path
    repository: >-
      {{- .image_registry.auth.registry | empty | ternary "pause" "kubernetes/pause" -}}
  # Kubernetes network configuration
  # kube-apiserver parameters
  apiserver:
    # kube-apiserver listening port
    port: 6443
    # List of additional SANs to be added to the apiserver certificate
    certSANs: []
    # Extra startup arguments for kube-apiserver
    extra_args:
      # Example: feature-gates: ExpandCSIVolumes=true,CSIStorageCapacity=true,RotateKubeletServerCertificate=true
  # kube-controller-manager parameters
  controller_manager:
    # Extra startup arguments for kube-controller-manager
    extra_args:
      # Cluster certificate signing validity period
      cluster-signing-duration: 87600h
      # Example: feature-gates: ExpandCSIVolumes=true,CSIStorageCapacity=true,RotateKubeletServerCertificate=true
  # kube-scheduler parameters
  scheduler:
    # Extra startup arguments for kube-scheduler
    extra_args:
      # Example: feature-gates: ExpandCSIVolumes=true,CSIStorageCapacity=true,RotateKubeletServerCertificate=true
  # kube-proxy parameters
  kube_proxy:
    # Whether to take over the deployment of kube-proxy
    manage:
      enabled: false
      # affinity:
      #   nodeAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #       nodeSelectorTerms:
      #         - matchExpressions:
      #             - key: kubernetes.io/os
      #               operator: In
      #               values:
      #                 - linux
    # kube-proxy proxy mode: ipvs, iptables
    mode: "ipvs"
    # kube-proxy configuration
    config:
      iptables:
        masqueradeAll: false
        masqueradeBit: 14
        minSyncPeriod: 0s
        syncPeriod: 30s
  # kubelet service parameters
  kubelet:
    # Maximum number of Pods per node
    max_pods: 110
    # PID limit per Pod
    pod_pids_limit: 10000
    # feature_gates:
    # Maximum size of container log files
    container_log_max_size: 5Mi
    # Number of container log files to retain
    container_log_max_files: 3
    # extra_args:
  # Specify a stable IP address or DNS name for the control plane
  # For high availability, it is recommended to set control_plane_endpoint to a DNS name
  # Configuration guidance:
  # 1. If a DNS name is available:
  #    - Set control_plane_endpoint to that DNS name and ensure it resolves to all control plane node IPs
  # 2. If no DNS name is available:
  #    - You can set a DNS name now and add the resolution later
  #    - Add the resolution to each node's local DNS file, for example:
  #      {{ vip }} {{ control_plane_endpoint }}
  #    - If you have a VIP (Virtual IP):
  #      Deploy kube-vip on control plane nodes to map the VIP to the actual node IPs
  #    - If you do not have a VIP:
  #      Deploy HAProxy on worker nodes, use a fixed IP (such as 127.0.0.2) as the VIP, and forward to all control plane node IPs
  #
  # For non-HA scenarios (manual configuration only, not automatically installed):
  # You can set the VIP to the IP of a single control plane node
  control_plane_endpoint:
    # Control plane endpoint hostname or IP
    host: lb.kubesphere.local
    # Control plane endpoint port, defaults to the apiserver port
    port: "{{ .kubernetes.apiserver.port }}"
    # Load balancing type: local, kube-vip, haproxy
    # When type is local, configure as follows:
    # - On control-plane nodes: 127.0.0.1 {{ .kubernetes.control_plane_endpoint.host }}
    # - On worker nodes: {{ .init_kubernetes_node }} {{ .kubernetes.control_plane_endpoint.host }}
    type: local
    local:
      # When using local load balancing, you can specify an external load balancer address here
      # Note: You must set up the actual load balancing yourself; this setting is only for DNS resolution
      address: ""
    kube_vip:
      # The IP address of the node's network interface (e.g., "eth0")
      address: ""
      # Supported modes: ARP, BGP
      mode: ARP
      image:
        # kube-vip image registry
        registry: >-
          {{ .image_registry.dockerio_registry }}
        # kube-vip image repository path
        repository: plndr/kube-vip
        # kube-vip image tag
        tag: v0.7.2
    haproxy:
      # The IP address on the node's "lo" (loopback) interface
      address: 127.0.0.1
      # HAProxy health check port
      health_port: 8081
      image:
        # HAProxy image registry
        registry: >-
          {{ .image_registry.dockerio_registry }}
        # HAProxy image repository path
        repository: library/haproxy
        # HAProxy image tag
        tag: 2.9.6-alpine
  # Whether to automatically renew Kubernetes certificates
  certs:
    # There are three ways to provide the Kubernetes CA (Certificate Authority) files:
    # 1. kubeadm: Leave ca_cert and ca_key empty, and kubeadm will generate them automatically. These certificates are valid for 10 years and will not change.
    # 2. kubekey: Set ca_cert to {{ .binary_dir }}/pki/ca.cert and ca_key to {{ .binary_dir }}/pki/ca.key.
    #    These certificates are generated by kubekey, valid for 10 years, and can be updated via `cert.ca_date`.
    # 3. Custom: Manually specify the absolute paths for ca_cert and ca_key to use your own CA files.
    #
    # To use custom CA files, fill in the absolute paths below.
    # If left empty, the default behavior (kubeadm or kubekey) will be used.
    ca_cert: ""
    ca_key: ""
    # The following fields are for the Kubernetes front-proxy CA certificate and key.
    # To use custom front-proxy CA files, fill in the absolute paths below.
    # If left empty, the default behavior will be used.
    front_proxy_cert: ""
    front_proxy_key: ""
    # Automatically renew service certificates (Note: CA certificates cannot be renewed automatically)
    renew: true
  # Customize Kubernetes components via patch files
  patches: []
  # Patches are applied via a directory containing patch files.
  # - name: kube-apiserver0+merge.yaml
  #   path: /etc/kubernetes/kube-apiserver-patch.yaml
  #   content: |
  #     apiVersion: v1
  #     kind: Pod
  #     spec:
  #       containers:
  #         - name: kube-apiserver
  #           command:
  #             - kube-apiserver
  #             - --service-account-issuer=https://kubernetes.default.svc.cluster.local
  #             - --service-account-jwks-uri=https://kubernetes.default.svc.cluster.local/openid/v1/jwks
  # # The directory contains files named "target[suffix][+patchtype].extension".
  # # "target" can be one of: kube-apiserver, kube-controller-manager, kube-scheduler,
  # # etcd, kubeletconfiguration, corednsdeployment
  # # "patchtype" can be: strategic (default), merge, json
  # # "extension" can be: yaml or json
  # # "suffix" (optional) determines apply order (alpha-numeric).
  # # Examples:
  # #   kube-apiserver+merge.yaml          # merge patch for kube-apiserver
  # #   kube-apiserver001+strategic.yaml   # strategic patch with ordering suffix
  # #   kube-controller-manager+merge.yaml
  # #   kube-scheduler+json.yaml
  # #   kubeletconfiguration+merge.yaml
  # Phases to skip during kubeadm init
  skip_phases: []
  # - addon/kube-proxy
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `kubernetes.cluster_name` | Name of the Kubernetes cluster. |
| `kubernetes.image_repository` | Repository prefix for pulling Kubernetes core component images, derived from `k8sio_registry` by default (with a `/kubernetes` suffix when a private registry is configured). |
| `kubernetes.sandbox_image` | Complete configuration of the pause (sandbox) container image, including registry and repository. |
| `kubernetes.apiserver.port` | HTTPS listening port for kube-apiserver, default `6443`. |
| `kubernetes.apiserver.certSANs` | List of additional addresses to be added to the kube-apiserver certificate Subject Alternative Names. |
| `kubernetes.apiserver.extra_args` | Extra command-line arguments passed to kube-apiserver. |
| `kubernetes.controller_manager.extra_args` | Extra command-line arguments passed to kube-controller-manager. |
| `kubernetes.scheduler.extra_args` | Extra command-line arguments passed to kube-scheduler. |
| `kubernetes.kube_proxy.manage.enabled` | Whether KubeKey takes over the deployment of kube-proxy (instead of the default kubeadm deployment). |
| `kubernetes.kube_proxy.mode` | Working mode of kube-proxy, `ipvs` or `iptables`. |
| `kubernetes.kube_proxy.config.iptables` | Detailed configuration items in iptables mode. |
| `kubernetes.kubelet.max_pods` | Maximum number of Pods allowed to be scheduled on a single node. |
| `kubernetes.kubelet.pod_pids_limit` | Maximum number of PIDs that each Pod can use. |
| `kubernetes.kubelet.container_log_max_size` | Maximum size of a single container log file before rotation. |
| `kubernetes.kubelet.container_log_max_files` | Number of old container log files to retain. |
| `kubernetes.control_plane_endpoint.host` | Stable access address (IP or DNS) for the control plane. |
| `kubernetes.control_plane_endpoint.port` | Control plane endpoint port. |
| `kubernetes.control_plane_endpoint.type` | Load balancing implementation type: `local` (local resolution), `kube-vip` (VIP-based), `haproxy`. |
| `kubernetes.control_plane_endpoint.local.address` | When using `local` mode, an external load balancer address can be specified for resolution only. |
| `kubernetes.certs.ca_cert` | Custom Kubernetes CA certificate path (leave empty to use the kubeadm/kubekey generated one). |
| `kubernetes.certs.ca_key` | Custom Kubernetes CA private key path. |
| `kubernetes.certs.front_proxy_cert` | Custom front-proxy CA certificate path. |
| `kubernetes.certs.front_proxy_key` | Custom front-proxy CA private key path. |
| `kubernetes.certs.renew` | Whether to automatically renew service certificates in the cluster (the CA itself is not renewed automatically). |
| `kubernetes.patches` | Patch Kubernetes static Pods or component configurations via files or inline content. |
| `kubernetes.skip_phases` | List of phases to explicitly skip during `kubeadm init`. |
CNI Network Plugin Configuration (04-cni.yaml)
Default Configuration

```yaml
cni:
  # CNI plugin type to use
  # Specify the network plugin to install for the cluster. Supported: calico, cilium, flannel, hybridnet, kube-ovn, other
  type: calico
  # The complete Pod IP pool for the cluster. Supports IPv4, IPv6, and dual-stack
  pod_cidr: 10.233.64.0/18
  # IPv4 subnet mask length for pod allocation per node. Determines the number of Pod IPs each node can allocate
  ipv4_mask_size: 24
  # IPv6 subnet mask length for pod allocation per node
  ipv6_mask_size: 64
  # The complete Service IP pool for the cluster. Supports IPv4, IPv6, and dual-stack
  service_cidr: 10.233.0.0/18
  # Multi-CNI type configuration. Supported: multus, none
  multi_cni: "none"
  # Network enhancement plugin (Multus) providing multiple network interfaces for Pods
  multus:
    image:
      # Multus image registry
      registry: >-
        {{ .image_registry.ghcrio_registry }}
      # Multus image repository path
      repository: k8snetworkplumbingwg/multus-cni
      # tag: v4.3.0
```
| Parameter | Description |
| --- | --- |
|  | etcd peer-to-peer communication port, default `2380`. |
| `etcd.env.election_timeout` | Leader election timeout in milliseconds. |
| `etcd.env.heartbeat_interval` | Heartbeat interval between nodes in milliseconds. |
| `etcd.env.compaction_retention` | Duration of data history retained by automatic data compaction, in hours. |
| `etcd.env.snapshot_count` | Number of transactions required to trigger a snapshot. |
| `etcd.env.data_dir` | etcd data persistence directory. |
| `etcd.env.token` | Shared token for cluster initialization, used for member discovery. |
| `etcd.backup.backup_dir` | Directory for etcd backup files. |
| `etcd.backup.keep_backup_number` | Number of backup copies retained locally. |
| `etcd.backup.etcd_backup_script` | Name of the backup script executed. |
| `etcd.backup.on_calendar` | Backup schedule in systemd timer `OnCalendar` format, e.g., every 30 minutes. |
| `etcd.performance` | Whether to enable etcd performance tuning parameters. |
| `etcd.traffic_priority` | Whether to enable etcd network traffic priority control. |
| `etcd.ca_file` | etcd CA certificate file path. |
| `etcd.server_cert_file` | etcd server certificate path. |
| `etcd.server_key_file` | etcd server private key path. |
| `etcd.client_cert_file` | etcd client certificate path. |
| `etcd.client_key_file` | etcd client private key path. |
DNS Configuration (05-dns.yaml)
Default Configuration

```yaml
dns:
  # ====== In-Cluster DNS Service Configuration ======
  # DNS domain suffix used for services and pods within the cluster
  domain: cluster.local
  # NodeLocalDNS pod configuration
  nodelocaldns:
    # Whether to enable NodeLocalDNS
    enabled: true
    # IP address that NodeLocalDNS binds to on each node
    ip: 169.254.25.10
    # NodeLocalDNS image configuration
    image:
      # NodeLocalDNS image registry
      registry: >-
        {{ .image_registry.k8sio_registry }}
      # NodeLocalDNS image repository path
      repository: >-
        dns/k8s-dns-node-cache
      # tag: 1.24.0
  # CoreDNS pod configuration
  coredns:
    # IP address of the cluster DNS service
    ip: >-
      {{ index (.cni.service_cidr | ipInCIDR) 2 }}
    # CoreDNS image configuration
    image:
      # CoreDNS image registry
      registry: >-
        {{ .image_registry.k8sio_registry }}
      # CoreDNS image repository path
      repository: >-
        coredns
      # tag: v1.11.1
    # Custom hosts entries
    dns_etc_hosts: []
    # DNS zone matching configuration
    zone_configs:
      # Each entry defines which DNS zones to match. The default port is 53
      # ".": matches all DNS zones
      # "example.com": matches *.example.com using DNS server on port 53
      # "example.com:54": matches *.example.com using DNS server on port 54
      - zones: [".:53"]
        additional_configs:
          - errors
          - ready
          - prometheus :9153
          - loop
          - reload
          - loadbalance
        cache: 30
        kubernetes:
          zones:
            - "{{ .dns.domain }}"
        # If internal DNS message rewriting is needed, configure it here
        # rewrite:
        #   - rule: continue
        #     field: name
        #     type: exact
        #     value: "example.com example2.com"
        #     options: ""
        forward:
          # DNS query forwarding rules
          - from: "."
            # Forwarding destination endpoints. The 'to' syntax allows protocol specification
            to: ["/etc/resolv.conf"]
            # Domains to exclude from forwarding
            except: []
            # Use TCP for forwarding, even if the original request was UDP
            force_tcp: false
            # Prefer UDP for forwarding; fall back to TCP if the response is truncated
            prefer_udp: false
            # Maximum consecutive failed health checks before marking upstream as unavailable
            # max_fails: 2
            # Cached connection expiration time
            # expire: 10s
            # TLS properties for secure connections can be set here
            # tls:
            #   cert_file: ""
            #   key_file: ""
            #   ca_file: ""
            #   tls_servername: ""
            # Policy for selecting upstream servers: random (default), round_robin, sequential
            # policy: "random"
            # Upstream server health check configuration
            # health_check: ""
            # Maximum number of concurrent DNS queries allowed
            max_concurrent: 1000
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `dns.domain` | Default DNS domain suffix for the cluster (e.g., `cluster.local`). |
| `dns.nodelocaldns.enabled` | Whether to enable NodeLocalDNS to improve cluster DNS resolution performance and reduce CoreDNS load. |
| `dns.nodelocaldns.ip` | Link-local IP that the NodeLocalDNS DaemonSet binds on each node, default `169.254.25.10`. |
| `dns.nodelocaldns.image` | NodeLocalDNS container image configuration. |
| `dns.coredns.ip` | CoreDNS cluster service IP, by default the 3rd address in the Service CIDR (index 2 of `service_cidr`). |
| `dns.coredns.image` | CoreDNS container image configuration. |
| `dns.coredns.dns_etc_hosts` | Custom `/etc/hosts` format entries injected into CoreDNS. |
| `dns.coredns.zone_configs` | List of CoreDNS Corefile zone configurations; each can define matching domains, cache, rewrite, forwarding, and other rules. |
| `dns.coredns.zone_configs[].zones` | List of DNS domains and ports matched by this zone rule. |
| `dns.coredns.zone_configs[].additional_configs` | List of additional CoreDNS plugin directives (e.g., `errors`, `ready`, `prometheus`, `loop`, `reload`, `loadbalance`). |
| `dns.coredns.zone_configs[].cache` | DNS record cache time (seconds). |
| `dns.coredns.zone_configs[].kubernetes.zones` | Cluster DNS domains resolved by the CoreDNS Kubernetes plugin. |
| `dns.coredns.zone_configs[].forward` | List of forwarding rules for queries that cannot be resolved locally. |
| `dns.coredns.zone_configs[].forward[].from` | Source domain that needs forwarding resolution. |
| `dns.coredns.zone_configs[].forward[].to` | List of upstream DNS server or resolution file addresses. |
| `dns.coredns.zone_configs[].forward[].except` | List of exception domains that are not forwarded upstream. |
| `dns.coredns.zone_configs[].forward[].force_tcp` | Whether to force using TCP to forward queries upstream. |
| `dns.coredns.zone_configs[].forward[].prefer_udp` | Whether to prefer using UDP to forward queries upstream. |
| `dns.coredns.zone_configs[].forward[].max_concurrent` | Maximum number of concurrent queries allowed for this forwarding rule. |
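The `cni.pod_cidr`, `cni.ipv4_mask_size`, `cni.service_cidr`, `kubernetes.kubelet.max_pods` and `dns.coredns.ip` defaults above fit together as one address plan; here is an added Go example (not KubeKey's code) that derives the CoreDNS service IP the way `index (.cni.service_cidr | ipInCIDR) 2` does and checks the plan for CIDR overlap, a node block too small for `max_pods`, and a non-link-local `nodelocaldns.ip`. The `Plan`/`Result` types and the `Check` function are this example's own, and the sanity checks are ones a reviewer would run, not KubeKey's own validation.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Plan carries the cni.*, dns.nodelocaldns.ip and kubernetes.kubelet.max_pods
// values from the defaults above; the struct is constructed for this example.
type Plan struct {
	PodCIDR, ServiceCIDR  string
	IPv4MaskSize, MaxPods int
	NodeLocalDNSIP        string
}

// Result is what Check derives from a Plan.
type Result struct {
	CoreDNSIP   string // {{ index (.cni.service_cidr | ipInCIDR) 2 }}
	MaxNodes    int    // /ipv4_mask_size blocks available in pod_cidr
	PodsPerNode int    // usable addresses in one node block
}

// nthInCIDR returns the n-th address (0-based) of a prefix, the way the
// ipInCIDR template selects the CoreDNS service IP with index 2.
func nthInCIDR(p netip.Prefix, n int) (netip.Addr, error) {
	a := p.Masked().Addr()
	for i := 0; i < n; i++ {
		a = a.Next()
	}
	if !p.Contains(a) {
		return netip.Addr{}, fmt.Errorf("index %d is outside %s", n, p)
	}
	return a, nil
}

// overlap reports whether two prefixes share any address.
func overlap(a, b netip.Prefix) bool {
	return a.Contains(b.Masked().Addr()) || b.Contains(a.Masked().Addr())
}

// Check derives the CoreDNS IP and node capacity and rejects plans where the
// CIDRs overlap, the node block cannot hold max_pods, or the NodeLocalDNS bind
// address is not link-local. IPv4 only; these checks are this example's own.
func Check(p Plan) (Result, error) {
	pod, err := netip.ParsePrefix(p.PodCIDR)
	if err != nil {
		return Result{}, err
	}
	svc, err := netip.ParsePrefix(p.ServiceCIDR)
	if err != nil {
		return Result{}, err
	}
	if !pod.Addr().Is4() || !svc.Addr().Is4() {
		return Result{}, errors.New("this check handles IPv4 pod_cidr/service_cidr only")
	}
	if overlap(pod, svc) {
		return Result{}, errors.New("pod_cidr and service_cidr overlap")
	}
	if p.IPv4MaskSize < pod.Bits() || p.IPv4MaskSize > 30 {
		return Result{}, fmt.Errorf("ipv4_mask_size %d must be between %d and 30", p.IPv4MaskSize, pod.Bits())
	}
	dnsIP, err := nthInCIDR(svc, 2)
	if err != nil {
		return Result{}, err
	}
	nld, err := netip.ParseAddr(p.NodeLocalDNSIP)
	if err != nil {
		return Result{}, err
	}
	if !nld.IsLinkLocalUnicast() {
		return Result{}, fmt.Errorf("nodelocaldns.ip %s is not link-local", nld)
	}
	r := Result{
		CoreDNSIP:   dnsIP.String(),
		MaxNodes:    1 << (p.IPv4MaskSize - pod.Bits()),
		PodsPerNode: 1<<(32-p.IPv4MaskSize) - 2,
	}
	if r.PodsPerNode < p.MaxPods {
		return r, fmt.Errorf("max_pods %d exceeds the %d addresses of a /%d node block", p.MaxPods, r.PodsPerNode, p.IPv4MaskSize)
	}
	return r, nil
}

func main() {
	// The page's defaults: 64 node blocks of 254 pod IPs, CoreDNS at 10.233.0.2.
	r, err := Check(Plan{PodCIDR: "10.233.64.0/18", ServiceCIDR: "10.233.0.0/18",
		IPv4MaskSize: 24, MaxPods: 110, NodeLocalDNSIP: "169.254.25.10"})
	fmt.Printf("%+v err=%v\n", r, err)
}
```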
Storage Class Configuration (05-storage_class.yaml)
Default Configuration

```yaml
# Storage class configuration for Kubernetes persistent storage integration
storage_class:
  # Local storage class configuration
  local:
    enabled: true # Whether to enable local storage class
    default: true # Whether to set as default storage class
    path: /var/openebs/local # Host path for local storage volumes
  # NFS storage class configuration
  nfs:
    # Ensure nfs-utils is installed on every node in the k8s_cluster group
    enabled: false # Whether to enable NFS storage class
    default: false # Whether to set as default storage class
    # NFS server address
    server: >-
      {{ .groups.nfs | default list | first }}
    path: /share/kubernetes # NFS export path for persistent volumes
```
Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `storage_class.local.enabled` | Whether to create and enable a local StorageClass based on node local disks. |
| `storage_class.local.default` | Whether to mark the local StorageClass as the cluster default storage class. |
| `storage_class.local.path` | Actual host path on the node for local storage volumes. |
| `storage_class.nfs.enabled` | Whether to create and enable an NFS-based StorageClass. |
| `storage_class.nfs.default` | Whether to mark the NFS StorageClass as the cluster default storage class. |
| `storage_class.nfs.server` | NFS server address, defaults to the first node in the `nfs` group in the inventory. |