This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 2. Master and Node Configuration
2.1. Overview
The master and node configuration files determine the make-up of your OpenShift Container Platform cluster, and define a range of options. These include overriding the default plug-ins, connecting to etcd, automatically creating service accounts, building image names, customizing project requests, configuring volume plug-ins, and much more.
This topic covers the many options available for customizing your OpenShift Container Platform masters and nodes, and shows you how to make changes to the configuration after installation.
The /etc/origin/master/master-config.yaml and /etc/origin/node/node-config.yaml files define a wide range of options that can be configured on the OpenShift master and nodes. These options include overriding the default plug-ins, connecting to etcd, automatically creating service accounts, building image names, customizing project requests, configuring volume plug-ins, and much more.
2.2. Prerequisites
For testing environments deployed via the quick install, one master should be sufficient. The quick installation method should not be used for production environments.
Production environments should be installed using the advanced install. In production environments, it is a good idea to use multiple masters for the purposes of high availability (HA). A cluster architecture of three masters is recommended, and HAproxy is the recommended solution for this.
If etcd is being installed on the master hosts, you must configure your cluster to use at least three masters. It cannot use only two masters, because etcd would not be able to decide which one is authoritative. The only way to successfully run only two masters is if you install etcd on hosts other than the masters.
2.3. Configuring Masters and Nodes
The method you use to configure your master and node configuration files must match the method that was used to install your OpenShift cluster. If you followed the:
- Advanced installation method using Ansible, then make your configuration changes in the Ansible playbook.
- Quick installation method, then make your changes manually in the configuration files themselves.
2.3.1. Making Configuration Changes Using Ansible
For this section, familiarity with Ansible is assumed.
Only a portion of the available host configuration options are exposed to Ansible. After an OpenShift Container Platform install, Ansible creates an inventory file with some substituted values. Modifying this inventory file and re-running the Ansible installer playbook is how you customize your OpenShift Container Platform cluster.
While OpenShift supports using Ansible as the advanced install method, using an Ansible playbook and inventory file, you can also use other management tools, such as Puppet, Chef, Salt).
Use Case: Configure the cluster to use HTPasswd authentication
- This use case assumes you have already set up SSH keys to all the nodes referenced in the playbook.
- The - htpasswdutility is in the- httpd-toolspackage:- yum install httpd-tools - # yum install httpd-tools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To modify the Ansible inventory and make configuration changes:
- Open the ./hosts inventory file: - Example 2.1. Sample inventory file: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the following new variables to the - [OSEv3:vars]section of the file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For HTPasswd authentication, you can use either the - openshift_master_htpasswd_usersvariable to create the specified user(s) and password(s) or the- openshift_master_htpasswd_filevariable to specify a pre-generated flat file (the htpasswd file) with the users and passwords already created.- Because OpenShift Container Platform requires a hashed password to configure HTPasswd authentication, you can use the - htpasswdcommand, as shown in the following section, to generate the hashed password(s) for your user(s) or to create the flat file with the users and associated hashed passwords.- The following example changes the authentication method from the default - deny allsetting to- htpasswdand use the specified file to generate user IDs and passwords for the- jsmithand- bloblawusers.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Re-run the ansible playbook for these modifications to take effect: - ansible-playbook -b -i ./hosts ~/src/openshift-ansible/playbooks/byo/config.yml - $ ansible-playbook -b -i ./hosts ~/src/openshift-ansible/playbooks/byo/config.yml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The playbook updates the configuration, and restarts the OpenShift master service to apply the changes. 
You have now modified the master and node configuration files using Ansible, but this is just a simple use case. From here you can see which master and node configuration options are exposed to Ansible and customize your own Ansible inventory.
2.3.1.1. Using the htpasswd commmand
To configure the OpenShift Container Platform cluster to use HTPasswd authentication, you need at least one user with a hashed password to include in the inventory file.
You can:
- Generate the username and password to add directly to the ./hosts inventory file.
- Create a flat file to pass the credentials to the ./hosts inventory file.
To create a user and hashed password:
- Run the following command to add the specified user: - htpasswd -n <user_name> - $ htpasswd -n <user_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- You can include the - -boption to supply the password on the command line:- htpasswd -nb <user_name> <password> - $ htpasswd -nb <user_name> <password>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Enter and confirm a clear-text password for the user. - For example: - htpasswd -n myuser - $ htpasswd -n myuser New password: Re-type new password: myuser:$apr1$vdW.cI3j$WSKIOzUPs6Q- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The command generates a hashed version of the password. 
						You can then use the hashed password when configuring HTPasswd authentication. The hashed password is the string after the :. In the above example,you would enter:
					
openshift_master_htpasswd_users={'myuser': '$apr1$wIwXkFLI$bAygtISk2eKGmqaJftB'}
openshift_master_htpasswd_users={'myuser': '$apr1$wIwXkFLI$bAygtISk2eKGmqaJftB'}To create a flat file with a user name and hashed password:
- Execute the following command: - htpasswd -c </path/to/users.htpasswd> <user_name> - $ htpasswd -c </path/to/users.htpasswd> <user_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- You can include the - -boption to supply the password on the command line:- htpasswd -c -b <user_name> <password> - $ htpasswd -c -b <user_name> <password>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Enter and confirm a clear-text password for the user. - For example: - htpasswd -c users.htpasswd user1 New password: Re-type new password: Adding password for user user1 - htpasswd -c users.htpasswd user1 New password: Re-type new password: Adding password for user user1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The command generates a file that includes the user name and a hashed version of the user’s password. 
You can then use the password file when configuring HTPasswd authentication.
							For more information on the htpasswd command, see HTPasswd Identity Provider.
						
2.3.2. Making Manual Configuration Changes
After installing OpenShift Container Platform using the quick install, you can make modifications to the master and node configuration files to customize your cluster.
Use Case: Configure the cluster to use HTPasswd authentication
To manually modify a configuration file:
- Open the configuration file you want to modify, which in this case is the /etc/origin/master/master-config.yaml file:
- Add the following new variables to the - identityProvidersstanza of the file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save your changes and close the file.
- Restart the master for the changes to take effect: - systemctl restart atomic-openshift-master - $ systemctl restart atomic-openshift-master- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
You have now manually modified the master and node configuration files, but this is just a simple use case. From here you can see all the master and node configuration options, and further customize your own cluster by making further modifications.
2.4. Configuration Options
2.4.1. Master Configuration File Options
The table below contains the options available for configuring your OpenShift Container Platform master-config.yaml file. Use this table as a reference, and then follow the section on making manual configuration changes and substitute in whatever values you want to change.
| Option | Description | 
|---|---|
| 
									 | Describes how to start serving. For example: | 
| 
									 | Specifies the host name to use to access the API server from a web application. | 
| 
									 | 
									A list of API levels that should be enabled on startup; for example,  | 
| 
									 | Contains key value pairs that match the API server’s command-line arguments and are passed directly to the Kubernetes API server. These are not migrated, but if you reference a value that does not exist, then the server will not start. apiServerArguments: event-ttl: - "15m"  | 
| 
									 | If present, then the asset server starts based on the defined parameters. For example: | 
| 
									 | 
									A list of the controllers that should be started. If set to  | 
| 
									 | 
									When set to  | 
| 
									 | 
									Enables controller election, instructing the master to attempt to acquire a lease before controllers start, and renewing it within a number of seconds defined by this value. Setting this value as a non-negative forces  | 
| 
									 | Contains admission control plug-in configuration. OpenShift has a configurable list of admission controller plug-ins that are triggered whenever API objects are created or modified. This option allows you to override the default list of plug-ins; for example, disabling some plug-ins, adding others, changing the ordering, and specifying configuration. Both the list of plug-ins and their configuration can be controlled from Ansible. | 
| 
									 | 
									Lists features that should not be started. This is defined as  | 
| 
									 | Contains information about how API resources are stored in etcd. These values are only relevant when etcd is the backing store for the cluster. | 
| 
									 | Contains information about how to connect to etcd. Specifies if etcd is run as embedded or non-embedded, and the hosts. The rest of the configuration is handled by the Ansible inventory. For example: | 
| 
									 | Contains information about how to connect to kubelet’s KubernetesMasterConfig. If present, then start the kubernetes master in this process. | 
| 
									 | If present, then etcd starts based on the defined parameters. For example: | 
| 
									 | If present, then the /oauth endpoint starts based on the defined parameters. For example: | 
| 
									 | If present, then the asset server starts based on the defined parameters. For example: | 
| 
									 | If present, then start the DNS server based on the defined parameters. For example: dnsConfig: bindAddress: 0.0.0.0:8053 bindNetwork: tcp4  | 
| 
									 | Holds options related to service accounts: 
 | 
| 
									 | Holds all the client connection information for controllers and other system components: 
 | 
| 
									 | Holds options that describe how to build image names for system components: 
 | 
| 
									 | Controls limits and behavior for importing images: 
 | 
| 
									 | Holds information about where to locate critical pieces of bootstrapping policy. This is controlled by Ansible, so you may not need to modify this: 
 | 
| 
									 | Holds information about project creation and defaults: 
 | 
| 
									 | Holds information about routing and route generation: 
 | 
| 
									 | To be passed to the compiled-in-network plug-in. Many of the options here can be controlled in the Ansible inventory. 
 For Example: | 
| 
									 | Contains options for configuring volume plug-ins in the master node: 
 | 
2.4.2. Node Configuration File Options
The table below contains the options available for configuring your OpenShift Container Platform node-config.yaml file. Use this table as a reference, and then follow the section on making manual configuration changes and substitute in whatever values you want to change.
| Option | Description | 
|---|---|
| 
									 | 
									The value of the  | 
| 
									 | A node may have multiple IPs. This specifies the IP to use for pod traffic routing. If left unspecified, a network look-up is performed on the nodeName, and the first non-loopback address is used. | 
| 
									 | Describes how to start serving. | 
| 
									 | The filename for the .kubeconfig file that describes how to connect this node to the master. | 
| 
									 | Holds the domain suffix. | 
| 
									 | 
									(string) Contains the IP. Can be controlled with  | 
| 
									 | Holds Docker-related configuration options. | 
| 
									 | Holds options that describe how to build image names for system components. | 
| 
									 | 
									(string) How often iptables rules are refreshed. This can be controlled with  | 
| 
									 | Key-value pairs that are passed directly to the Kubelet that matches the Kubelet’s command line arguments. These are not migrated or validated, so if you use them, then they may become invalid. Use caution, because these values override other settings in the node configuration that may cause invalid configurations. | 
| 
									 | The filename for the .kubeconfig file that describes how to connect this node to the master. | 
| 
									 | 
									Deprecated and maintained for backward compatibility, use  | 
| 
									 | Provides network options for the node: 
 | 
| 
									 | The directory that volumes will be stored under. | 
| 
									 | Holds options that describe how to build image names for system components. | 
| 
									 | 
									If this is set to  | 
| 
									 | Holds the configuration for enabling the Kubelet to create pods based from a manifest file or files placed locally on the node. | 
| 
									 | Holds authn/authz configuration options. | 
| 
									 | Holds Docker-related configuration options. | 
| 
									 | Key-value pairs that are passed directly to the Kubelet that matches the Kubelet’s command line arguments. These are not migrated or validated, so if you use them, then they may become invalid. Use caution, because these values override other settings in the node configuration that may cause invalid configurations. | 
| 
									 | 
									 | 
| 
									 | 
									(string) How often iptables rules are refreshed. This can be controlled with  | 
| 
									 | Contains options for configuring volumes on the node. It can be used to apply a filesystem quota if the underlying volume directory is on XFS with grpquota enabled. |