Kubespray is where Kubernetes meets Ansible. It’s a composition of Ansible playbooks, provisioning tools, and domain knowledge for creating production-ready Kubernetes clusters. Kubespray builds on top of kubeadm. To use kubespray with NGINX Service Mesh, you need to set some extra flags on the Kubernetes API Server to enable Service Account Token Volume Projection. See the Service Account Token Volume Projection section to learn why this is needed.

Configuration changes

When creating a new cluster, you need to pass some extra flags to kubespray using group_vars. Add the following to inventory/<your cluster>/group_vars/k8s-cluster/k8s-cluster.yml:

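  # kubespray variable that passes extra flags to kube-apiserver through kubeadm
  kube_kubeadm_apiserver_extra_args:
    service-account-issuer: api
    service-account-signing-key-file: /etc/kubernetes/ssl/sa.key
    service-account-api-audiences: api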

After making the changes, deploy kubespray as you normally would.

If you have an existing kubespray deployment, you need to create a new cluster. First make the changes in this section, then deploy a new cluster using the same command you used to deploy the cluster before. The new cluster will reflect the new configuration. After deploying the new cluster, you can delete the old one.
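
One way to confirm after deployment that the three flags above reached the API server, as an added example that is not part of the NGINX Service Mesh or kubespray documentation. The function names and the sample manifest are constructed for illustration; it assumes kubeadm's usual static pod manifest layout, where each flag is a "- --flag=value" list item.

```shell
#!/bin/sh
# Added example, not part of the NGINX Service Mesh or kubespray docs.
# Expected flag=value pairs, copied from the configuration on this page.
EXPECTED_FLAGS='service-account-issuer=api
service-account-signing-key-file=/etc/kubernetes/ssl/sa.key
service-account-api-audiences=api'

# check_sa_flags MANIFEST
# Prints one line per missing or mismatched flag; returns 0 only if all match.
check_sa_flags() {
    manifest=$1
    status=0
    for pair in $EXPECTED_FLAGS; do
        flag=${pair%%=*}
        want=${pair#*=}
        # Each flag is a "- --flag=value" list item; take the first match.
        got=$(sed -n "s/^[[:space:]]*-[[:space:]]*--${flag}=\(.*\)\$/\1/p" "$manifest" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING --${flag}"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH --${flag}: got ${got}, expected ${want}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample manifest fragment (not from a real cluster): the
# audiences flag is absent and the issuer differs from the page's value.
write_sample_manifest() {
    cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=kubernetes.default.svc
    - --service-account-signing-key-file=/etc/kubernetes/ssl/sa.key
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_manifest "$sample"
check_sa_flags "$sample" || echo "API server flags need attention"
rm -f "$sample"
```

On a control-plane node, call check_sa_flags with the kube-apiserver manifest that kubeadm wrote (by default /etc/kubernetes/manifests/kube-apiserver.yaml).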

Persistent storage

Kubespray doesn’t set up any persistent storage for you, but it’s required to run NGINX Service Mesh in a production environment. See Persistent Storage for more information.