Fix network coherence & firewall

defaults/main.yml

@@ -5,4 +5,5 @@ kubernetes_server: false
 # value for kuberntes_network: flannel, calico, weave-net
 #kubernetes_network: weave-net
 kubernetes_kubeproxy_mode: ipvs
-kubernetes_version: 1.20.1
+kubernetes_version: 1.20.2
+kubernetes_pods_network: "10.244.0.0/16"

tasks/RedHat.yml

@@ -32,19 +32,20 @@
   when:
     - kubernetes_server|bool
 
-#- name: Reload firewalld configuration
-#  service:
-#    name: firewalld
-#    state: reloaded
-#    enabled: yes
-#  when:
-#    - kubernetes_server|bool
-
-- name: reload firewalld to refresh service list
-  command: firewall-cmd --reload
+- name: Reload firewalld configuration
+  service:
+    name: firewalld
+    state: reloaded
+    enabled: yes
   when:
-    - need_firewalld_reload is changed
     - kubernetes_server|bool
+    - need_firewalld_reload is changed
+
+#- name: reload firewalld to refresh service list
+#  command: firewall-cmd --reload
+#  when:
+#    - need_firewalld_reload is changed
+#    - kubernetes_server|bool
 
 # Définir interface
 - name: Open Firewalld
@@ -58,6 +59,30 @@
 #    - firewall_name == "firewalld"
     - kubernetes_server|bool
 
+- name: Create kubernetes firewalld zone
+  firewalld:
+    zone: kubernetes
+    permanent: true
+    state: present
+  when:
+    - kubernetes_server|bool
+- name: Add PODs network to kubernetes firewalld zone
+  firewalld:
+    zone: kubernetes
+    permanent: true
+    state: enabled
+    source: "{{ kubernetes_pods_network }}"
+  when:
+    - kubernetes_server|bool
+- name: Add Services network to kubernetes firewalld zone
+  firewalld:
+    zone: kubernetes
+    permanent: true
+    state: enabled
+    source: "10.96.0.0/12"
+  when:
+    - kubernetes_server|bool
+
 - name: Install kubernetes tools
   dnf:
     name: "{{ kubernetes_package_name }}"

templates/etc/firewalld/services/kubernetes.xml.j2

@@ -24,7 +24,7 @@
   <port protocol="tcp" port="10251"/>
 # kube-controler-manager, used by self
   <port protocol="tcp" port="10252"/>
-# ???
+# Read-only Kubelet API (Deprecated)
   <port protocol="tcp" port="10255"/>
 {% else %}
   <port protocol="tcp" port="10250"/>

templates/kubeadm-config.yaml.j2

@@ -96,21 +96,17 @@ apiServer:
     readOnly: false
     pathType: DirectoryOrCreate
   - name: "audit-policies"
-    hostPath: "/etc/kubernetes/policies"
-    mountPath: "/etc/kubernetes/policies"
+    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
+    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
     readOnly: false
-    pathType: DirectoryOrCreate
+    pathType: File
 {% if lb_kubemaster is defined %}
   certSANs:
   - "{{ lb_kubemaster }}"
 {% endif %}
 {% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
 networking:
-{% if kubernetes_network == "flannel" %}
-  podSubnet: "10.244.0.0/16"
-{% elif kubernetes_network == "calico" %}
-  podSubnet: "192.168.0.0/16"
-{% endif %}
+  podSubnet: "{{ kubernetes_pods_network }}"
 {% endif %}
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1

vars/RedHat.yml

@@ -4,5 +4,6 @@ kubernetes_package_name:
   - kubelet
   - kubeadm
   - iproute-tc
+  - ipvsadm
 #kubernetes_remove_packages_name:
 #  - kubernetes.io