From 52a8de84bcd8fe9e3f04bfdebbc1d883c4ac4bdd Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 27 Jan 2021 00:08:51 +0100 Subject: [PATCH 01/99] Fix k3s deployment --- tasks/cluster_k3s.yml | 90 +++++++++++++++---- .../etc/firewalld/services/kubernetes.xml.j2 | 7 ++ templates/etc/systemd/system/k3s.service.j2 | 6 +- 3 files changed, 87 insertions(+), 16 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 9727eb0..1814932 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -56,21 +56,6 @@ - "crictl" - "ctr" -# Manque kubernetes_server_token, kubernetes_master url - -- name: Deploy systemd service - template: - src: "etc/systemd/system/{{ item }}.j2" - dest: "/etc/systemd/system/{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - "k3s.service" - - "k3s.service.env" - when: - - ansible_service_mgr == "systemd" - - name: Create thin volumes for k3s lvol: vg: "{{ item.vg }}" 
@@ -97,6 +82,81 @@ with_items: - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} + +# Check controlers +- name: Check if /etc/rancher/k3s/k3s.yaml already existe + stat: + path: /etc/rancher/k3s/k3s.yaml + register: st + changed_when: False + when: + - kubernetes_master|bool + +- name: Create KubernetesMasterConfigured group + group_by: + key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + when: + - kubernetes_master|bool + - st.stat.exists + +# First controler +- name: Configure first controler +# run_once: true + block: + - name: Deploy systemd service + template: + src: "etc/systemd/system/{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "k3s.service" + - "k3s.service.env" + when: + - ansible_service_mgr == "systemd" + + - name: Enable k3s on boot + service: + name: k3s + state: started + enabled: yes + + - name: Wait for k3s.yaml + wait_for: + path: /etc/rancher/k3s/k3s.yaml + + - name: Wait for node-token + wait_for: + path: /var/lib/rancher/k3s/server/node-token + + - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group + group_by: + key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + + when: + - kubernetes_master|bool + - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined + + + +# Manque kubernetes_server_token, kubernetes_master url + +#- name: Deploy systemd service +# template: +# src: "etc/systemd/system/{{ item }}.j2" +# dest: "/etc/systemd/system/{{ item }}" +# owner: root +# group: root +# mode: 0600 +# with_items: +# - "k3s.service" +# - "k3s.service.env" +# when: +# - ansible_service_mgr == "systemd" + + + - name: Enable k3s on boot service: name: k3s diff --git a/templates/etc/firewalld/services/kubernetes.xml.j2 b/templates/etc/firewalld/services/kubernetes.xml.j2 index d4d0a53..4cd8035 100644 --- a/templates/etc/firewalld/services/kubernetes.xml.j2 
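Review bot: The block's guard `vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined` cannot work as intended, because `group_by` creates an inventory group, which is reachable through `groups[...]`, not `vars[...]`; every master therefore takes the first-controller path and renders the `--cluster-init` unit. Change it to `- groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined`, and likewise in the k3s.service.j2 hunk of this patch, which uses the same `vars[...]` lookup. Even with that fix, under the linear strategy the group is only populated by the last task of the block, so two masters in the same play would both see it undefined; the commented `run_once: true` (or `serial: 1` on the play) looks necessary rather than optional. The commented-out copy of "Deploy systemd service" under `# Manque ...` duplicates what the block now does and should be deleted rather than kept as a comment.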
+++ b/templates/etc/firewalld/services/kubernetes.xml.j2 @@ -9,6 +9,12 @@ {% if kubernetes_master == true %} # Kubernetes API server, used by all +{% endif %} +{% if kubernetes_cri == "k3s" %} +# K3S with flannel and wireguard + +{% else %} +{% if kubernetes_master == true %} # etcd server client API, used by kube-apiserver and etcd @@ -35,4 +41,5 @@ {% endif %} +{% endif %} diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2 index 95ac5ae..0ac1a83 100644 --- a/templates/etc/systemd/system/k3s.service.j2 +++ b/templates/etc/systemd/system/k3s.service.j2 @@ -7,7 +7,11 @@ After=network-online.target Type=notify EnvironmentFile=/etc/systemd/system/k3s.service.env {% if kubernetes_master|bool %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption +{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} +ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init +{% else %} +ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} +{% endif %} {% else %} ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} {% endif %} From d43e295f30e99b9ebc6807998aa60b7504eb3b5e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 30 Jan 2021 11:02:22 +0100 Subject: [PATCH 02/99] Update name --- tasks/cluster_k3s.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 1814932..9318b77 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
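Review bot: The added branch keeps the `{% if kubernetes_master == true %}` comparison while the service template and the tasks test `kubernetes_master|bool`; an inventory value such as `yes` or `"true"` passes the filter but fails the equality, so the master-only entries of this firewalld service would be silently omitted. Use `{% if kubernetes_master|bool %}` for both the outer test and the one added under the k3s else-branch. The port elements between the comment lines are not visible in this copy of the patch, so what each branch actually opens is not reviewed here.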
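Review bot: `--server https://{{ kubernetes_master }}:6443` on the new joining-server line reuses a variable that the surrounding `{% if kubernetes_master|bool %}` treats as a boolean, so on a second master it renders as something like `https://True:6443`; the agent line below has the same problem, and the `# Manque kubernetes_server_token, kubernetes_master url` comment in tasks/cluster_k3s.yml already records the gap. The join target needs its own variable — for example the first member of `groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name]` resolved to an address, or a role variable (e.g. `k3s_server_url`) set in inventory. The `vars[...]` lookup on the new `{% if %}` line has the same group-versus-variable mistake raised on the tasks hunk.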
@@ -126,9 +126,9 @@ wait_for: path: /etc/rancher/k3s/k3s.yaml - - name: Wait for node-token + - name: Wait for token wait_for: - path: /var/lib/rancher/k3s/server/node-token + path: /var/lib/rancher/k3s/server/token - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group group_by: From 6fa60172dfff997ad8bde64d1b3ded3570bb949d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 31 Jan 2021 14:19:00 +0100 Subject: [PATCH 03/99] Add selinux for k3s --- tasks/cluster_k3s.yml | 16 ++++++++++++++++ templates/etc/systemd/system/k3s.service.j2 | 6 +++--- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 9318b77..cb4e527 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -5,6 +5,22 @@ # when: # - kubernetes_cni == "wireguard" +- name: Install the k3s-selinux rpm from a remote repo for yum distro + yum: + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + state: present + disable_gpg_check: yes + when: + - ansible_pkg_mgr == "yum" + +- name: Install the k3s-selinux rpm from a remote repo for dnf distro + dnf: + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + state: present + disable_gpg_check: yes + when: + - ansible_pkg_mgr == "dnf" + - name: Check if /usr/local/bin/k3s already existe stat: path: /usr/local/bin/k3s diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2 index 0ac1a83..03f00a5 100644 --- a/templates/etc/systemd/system/k3s.service.j2 +++ b/templates/etc/systemd/system/k3s.service.j2 
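Review bot: `disable_gpg_check: yes` on the two new tasks installs an RPM fetched from GitHub as root with no integrity check at all, which is exactly the artifact a supply-chain compromise would target. Import the publisher's signing key with the `rpm_key` module first and drop the option, or at least download with `get_url` and a pinned `checksum:` before installing. The URL also hard-codes `el7_8` regardless of the target release and is repeated in both tasks; hoisting it into a single default (e.g. `k3s_selinux_rpm_url`) keeps the version and any checksum in one place. Prefer `true` over `yes` for the boolean.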
@@ -8,12 +8,12 @@ Type=notify EnvironmentFile=/etc/systemd/system/k3s.service.env {% if kubernetes_master|bool %} {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init +ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init --selinux {% else %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} +ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux {% endif %} {% else %} -ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} +ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux {% endif %} KillMode=process Delegate=yes From 1e4d82d403bcd58f376535e0923e719f2b9c935f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 31 Jan 2021 14:19:30 +0100 Subject: [PATCH 04/99] Fix dnf warning by k8s tools --- tasks/RedHat.yml | 22 ++++++++++++++++++++ tasks/main.yml | 16 +++++++------- templates/etc/yum.repos.d/kubernetes.repo.j2 | 2 +- 3 files changed, 31 insertions(+), 9 deletions(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 7eaf639..be10842 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -57,3 +57,25 @@ # - need_firewall|bool # - firewall_name == "firewalld" - kubernetes_server|bool + +- name: Install kubernetes tools + dnf: + name: "{{ kubernetes_package_name }}" + enablerepo: "kubernetes" + state: present + update_cache: yes +# notify: Restart kubelet + when: + - ansible_pkg_mgr == "dnf" + - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") + +- name: Install kubernetes tools + yum: + name: "{{ kubernetes_package_name }}" + enablerepo: "kubernetes" + state: present + update_cache: yes +# notify: Restart kubelet + when: + - ansible_pkg_mgr == "yum" + - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") diff --git a/tasks/main.yml b/tasks/main.yml index b57a12b..5fe21e7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -39,14 +39,14 @@ - name: Install kubernetes rules for {{ ansible_os_family }} OS family include_tasks: "{{ ansible_os_family }}.yml" -- name: Install kubernetes tools - package: - name: "{{ kubernetes_package_name }}" - state: present - update_cache: yes -# notify: Restart kubelet - when: - - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") +#- name: Install kubernetes tools +# package: +# name: "{{ kubernetes_package_name }}" +# state: present +# update_cache: yes +## notify: Restart kubelet +# when: +# - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") - name: Include kubernetes server rules include_tasks: "install_server.yml" diff --git a/templates/etc/yum.repos.d/kubernetes.repo.j2 b/templates/etc/yum.repos.d/kubernetes.repo.j2 index 7ac0fdb..b04037a 100644 --- a/templates/etc/yum.repos.d/kubernetes.repo.j2 +++ b/templates/etc/yum.repos.d/kubernetes.repo.j2 
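Review bot: With the generic `package` task turned into a comment here, the only remaining tool installation is the dnf/yum pair added to tasks/RedHat.yml, so hosts of any other OS family (`include_tasks: "{{ ansible_os_family }}.yml"` just above) will no longer install `kubernetes_package_name` unless their task file gains an equivalent — worth confirming before this lands. Replaced tasks are better deleted than kept as comment blocks, since git history preserves them; the same pattern is introduced for the load-balancer include in tasks/install_server.yml (patch 06) and the repo template task in tasks/RedHat.yml (patch 10).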
@@ -1,7 +1,7 @@ [kubernetes] name=Kubernetes baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ ansible_machine }} -enabled=1 +enabled=0 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg From 7f36b6eae63364c2f726a9ae3a1b6875c2aef1e0 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 6 Feb 2021 14:17:40 +0100 Subject: [PATCH 05/99] Fix FS mount bug order --- tasks/cluster_k3s.yml | 19 +++++++++++++++++++ tasks/cluster_kubeadm.yml | 20 ++++++++++++++++++++ tasks/install_server.yml | 20 -------------------- 3 files changed, 39 insertions(+), 20 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index cb4e527..de195e9 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -98,6 +98,25 @@ with_items: - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} +- name: Audit policies directory + file: + path: "/etc/kubernetes/policies" + state: directory + owner: root + group: root + mode: 0700 + when: + - kubernetes_master|bool + +- name: Configure audit policy + copy: + src: "etc/kubernetes/policies/audit-policy.yaml" + dest: "/etc/kubernetes/policies/audit-policy.yaml" + group: root + owner: root + mode: 0644 + when: + - kubernetes_master|bool # Check controlers - name: Check if /etc/rancher/k3s/k3s.yaml already existe diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index c15325d..f7e254f 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml 
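Review bot: The audit policy copied to `/etc/kubernetes/policies/audit-policy.yaml` is never consumed on k3s masters: the `ExecStart` lines in templates/etc/systemd/system/k3s.service.j2 (patches 01 and 03) pass no audit arguments, so this task only creates an unused file. k3s forwards API server flags through `--kube-apiserver-arg`, so the server lines need something like `--kube-apiserver-arg=audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml --kube-apiserver-arg=audit-log-path=/var/log/apiserver/audit.log` for the policy to take effect, plus a task creating the log directory. A blank line is also missing between the new task and the `# Check controlers` comment.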
@@ -158,6 +158,26 @@ state: started enabled: yes +- name: Audit policies directory + file: + path: "/etc/kubernetes/policies" + state: directory + owner: root + group: root + mode: 0700 + when: + - kubernetes_master|bool + +- name: Configure audit policy + copy: + src: "etc/kubernetes/policies/audit-policy.yaml" + dest: "/etc/kubernetes/policies/audit-policy.yaml" + group: root + owner: root + mode: 0644 + when: + - kubernetes_master|bool + # First controler - name: Check if /etc/kubernetes/admin.conf already existe stat: diff --git a/tasks/install_server.yml b/tasks/install_server.yml index 0dac5ad..79ec6c8 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml @@ -21,26 +21,6 @@ - kubernetes_master|bool - groups['KubernetesMasters'] | length > 1 -- name: Audit policies directory - file: - path: "/etc/kubernetes/policies" - state: directory - owner: root - group: root - mode: 0700 - when: - - kubernetes_master|bool - -- name: Configure audit policy - copy: - src: "etc/kubernetes/policies/audit-policy.yaml" - dest: "/etc/kubernetes/policies/audit-policy.yaml" - group: root - owner: root - mode: 0644 - when: - - kubernetes_master|bool - - name: Kubernetes cluster with kubeadm include_tasks: "cluster_kubeadm.yml" when: From 2ce6678959565414f95edc3de950ca5af47281d5 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 6 Feb 2021 15:22:17 +0100 Subject: [PATCH 06/99] Deploy multiple clusters in one time --- tasks/cluster_kubeadm.yml | 49 ++++++++++++++++++--------------------- tasks/install_server.yml | 26 ++++++++++++++++----- 2 files changed, 43 insertions(+), 32 deletions(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index f7e254f..d3afe88 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -187,7 +187,7 @@ - name: Create KubernetesMasterConfigured group group_by: - key: KubernetesMasterConfigured + key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} when: - st.stat.exists 
@@ -209,28 +209,25 @@ # - groups['KubernetesMasters'] | length > 1 changed_when: False -- name: Deploy initial kubeadm config - template: - src: kubeadm-config.yaml.j2 - dest: /root/kubeadm-config.yaml - owner: root - group: root - mode: 0600 - when: - - groups['KubernetesMasterConfigured'] is not defined - - groups['KubernetesMasters'][0] == ansible_hostname +- name: Deploy First controler + block: + - name: Deploy initial kubeadm config + template: + src: kubeadm-config.yaml.j2 + dest: /root/kubeadm-config.yaml + owner: root + group: root + mode: 0600 -- name: Init Kubernetes on {{ groups['KubernetesMasters'][0] }} - command: kubeadm init --config=/root/kubeadm-config.yaml - when: - - groups['KubernetesMasterConfigured'] is not defined - - groups['KubernetesMasters'][0] == ansible_hostname + - name: Init Kubernetes on {{ groups['KubernetesMasters'][0] }} + command: kubeadm init --config=/root/kubeadm-config.yaml + + - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group + group_by: + key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} -- name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group - group_by: - key: KubernetesMasterConfigured when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - groups['KubernetesMasters'][0] == ansible_hostname # End of first controler @@ -242,7 +239,7 @@ changed_when: False ignore_errors: yes when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined #- name: Deploy kubeadm config # template: @@ -260,7 +257,7 @@ register: kubernetes_certificateKey delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - kubernetes_master|bool 
@@ -269,7 +266,7 @@ register: kubetoken delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Retreive hash certificat @@ -282,7 +279,7 @@ register: cacerthash delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Deploy kubeadm config @@ -293,11 +290,11 @@ group: root mode: 0600 when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Join '{{ ansible_hostname }}' to Kubernetes cluster command: kubeadm join --config=/root/kubeadm-config.yaml when: - - groups['KubernetesMasterConfigured'] is not defined + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 diff --git a/tasks/install_server.yml b/tasks/install_server.yml index 79ec6c8..89dd6c9 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml @@ -1,4 +1,17 @@ --- +- name: Add master to KubernetesMasters_ClusterName group + group_by: + key: KubernetesMasters_{{ kubernetes_cluster_name }} + when: + - "'KubernetesMasters' in group_names" + +- name: Add node to KubernetesNodes_ClusterName group + group_by: + key: KubernetesNodes_{{ kubernetes_cluster_name }} + when: + - "'KubernetesNodes' in group_names" + + - name: Disable SWAP since kubernetes can't work with swap enabled (1/2) command: swapoff -a changed_when: false 
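Review bot: The two new `group_by` tasks decide master/node membership from the inventory group names `KubernetesMasters` and `KubernetesNodes`, whereas the rest of the role keys on `kubernetes_master|bool`; a host with `kubernetes_master: true` that is not in the `KubernetesMasters` inventory group never joins `KubernetesMasters_<cluster>`, and `groups['KubernetesMasters_' ~ kubernetes_cluster_name][0]` (used from patch 07 on) then points at another host or is undefined. Either derive membership from the same flag, `when: kubernetes_master|bool`, or document in the role README that inventory group membership is the single source of truth. The two consecutive blank lines after the second task can be reduced to one.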
@@ -15,11 +28,11 @@ thinpool: kubernetes size: 20g -# Install API loadbalancer -- include_tasks: "load_balancer.yml" - when: - - kubernetes_master|bool - - groups['KubernetesMasters'] | length > 1 +## Install API loadbalancer +#- include_tasks: "load_balancer.yml" +# when: +# - kubernetes_master|bool +# - groups['KubernetesMasters'] | length > 1 - name: Kubernetes cluster with kubeadm include_tasks: "cluster_kubeadm.yml" @@ -82,12 +95,13 @@ - name: Check if a node is still tainted command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}' register: current_taint + check_mode: no when: - kubernetes_master_taint|bool - name: taint the machine if needed # command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master- - command: kubectl taint nodes '{{ ansible_hostname | lower }}' node-role.kubernetes.io/master- + command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes '{{ ansible_hostname | lower }}' node-role.kubernetes.io/master- when: - kubernetes_master_taint|bool - current_taint.stdout From 8bbd3fa11cf84cb34094bed3d278a269cbeb7cc2 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 7 Feb 2021 01:36:50 +0100 Subject: [PATCH 07/99] Fix deployment on multiple kubernetes clusters --- tasks/cluster_kubeadm.yml | 9 +-------- templates/kubeadm-config.yaml.j2 | 6 +++--- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index d3afe88..c6fad27 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -228,7 +228,7 @@ when: - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - - groups['KubernetesMasters'][0] == ansible_hostname + - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname # End of first controler 
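Review bot: `Check if a node is still tainted` is a read-only `kubectl get` that now receives `check_mode: no` but still no `changed_when: false`, so every run reports a change for a query; add `changed_when: false` next to `register: current_taint`. The taint-removal task below depends on `current_taint.stdout`, so if the query fails (for instance because the node has not registered yet) the play aborts here; whether a retry is appropriate depends on task ordering outside this hunk.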
@@ -238,8 +238,6 @@ register: server_enrolled changed_when: False ignore_errors: yes - when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined #- name: Deploy kubeadm config # template: @@ -257,7 +255,6 @@ register: kubernetes_certificateKey delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - kubernetes_master|bool @@ -266,7 +263,6 @@ register: kubetoken delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Retreive hash certificat @@ -279,7 +275,6 @@ register: cacerthash delegate_to: "{{ lb_kubemaster }}" when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Deploy kubeadm config @@ -290,11 +285,9 @@ group: root mode: 0600 when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 - name: Join '{{ ansible_hostname }}' to Kubernetes cluster command: kubeadm join --config=/root/kubeadm-config.yaml when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - server_enrolled.rc == 1 diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 9a95c08..bb99625 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -42,7 +42,7 @@ nodeRegistration: localAPIEndpoint: advertiseAddress: "{{ ansible_default_ipv4.address }}" bindPort: 6443 -{% if kubernetes_master|bool and groups['KubernetesMasterConfigured'] is defined %} +{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} certificateKey: "{{ kubernetes_certificateKey.stdout }}" {% endif %} --- 
@@ -53,14 +53,14 @@ controlPlane: localAPIEndpoint: advertiseAddress: "{{ ansible_default_ipv4.address }}" bindPort: 6443 -{% if groups['KubernetesMasterConfigured'] is defined %} +{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} certificateKey: "{{ kubernetes_certificateKey.stdout }}" {% endif %} {% endif %} discovery: bootstrapToken: apiServerEndpoint: "{{ lb_kubemaster }}:6443" -{% if groups['KubernetesMasterConfigured'] is defined %} +{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} caCertHashes: - sha256:{{ cacerthash.stdout }} token: "{{ kubetoken.stdout }}" From 39c5ef5e82126de30c9c648d1a666fc320553782 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 16 Feb 2021 00:47:08 +0100 Subject: [PATCH 08/99] Fix network coherence & firewall --- defaults/main.yml | 3 +- tasks/RedHat.yml | 47 ++++++++++++++----- .../etc/firewalld/services/kubernetes.xml.j2 | 2 +- templates/kubeadm-config.yaml.j2 | 12 ++--- vars/RedHat.yml | 1 + 5 files changed, 44 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3bbf3a5..d041f2a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,4 +5,5 @@ kubernetes_server: false # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.20.1 +kubernetes_version: 1.20.2 +kubernetes_pods_network: "10.244.0.0/16" \ No newline at end of file diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index be10842..1db8527 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -32,19 +32,20 @@ when: - kubernetes_server|bool -#- name: Reload firewalld configuration -# service: -# name: firewalld -# state: reloaded -# enabled: yes -# when: -# - kubernetes_server|bool - -- name: reload firewalld to refresh service list - command: firewall-cmd --reload +- name: Reload firewalld configuration + service: + name: firewalld + state: reloaded + enabled: yes when: - - need_firewalld_reload is changed - kubernetes_server|bool + - need_firewalld_reload is changed + +#- name: reload firewalld to refresh service list +# command: firewall-cmd --reload +# when: +# - need_firewalld_reload is changed +# - kubernetes_server|bool # Définir interface - name: Open Firewalld @@ -58,6 +59,30 @@ # - firewall_name == "firewalld" - kubernetes_server|bool +- name: Create kubernetes firewalld zone + firewalld: + zone: kubernetes + permanent: true + state: present + when: + - kubernetes_server|bool +- name: Add PODs network to kubernetes firewalld zone + firewalld: + zone: kubernetes + permanent: true + state: enabled + source: "{{ kubernetes_pods_network }}" + when: + - kubernetes_server|bool +- name: Add Services network to kubernetes firewalld zone + firewalld: + zone: kubernetes + permanent: true + state: enabled + source: "10.96.0.0/12" + when: + - kubernetes_server|bool + - name: Install kubernetes tools dnf: name: "{{ kubernetes_package_name }}" diff --git a/templates/etc/firewalld/services/kubernetes.xml.j2 b/templates/etc/firewalld/services/kubernetes.xml.j2 index 4cd8035..e5ec9c5 100644 --- a/templates/etc/firewalld/services/kubernetes.xml.j2 +++ b/templates/etc/firewalld/services/kubernetes.xml.j2 @@ -24,7 +24,7 @@ # kube-controler-manager, used by self -# ??? +# Read-only Kubelet API (Deprecated) {% else %} diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index bb99625..2d69675 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
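Review bot: `source: "10.96.0.0/12"` hard-codes the service CIDR right next to the parameterized `{{ kubernetes_pods_network }}`, and the visible parts of templates/kubeadm-config.yaml.j2 never set `serviceSubnet`, so the firewall rule and the cluster's actual service range stay in sync only by coincidence. Add `kubernetes_services_network: "10.96.0.0/12"` to defaults/main.yml and use it both here and as `networking.serviceSubnet` in the template. The new `kubernetes` zone is created with sources only — no services, ports or target — so traffic from those sources would presumably hit the zone's default reject rather than be allowed; that looks like what patch 10 ("Fix Firewalld pb") then works around. The three new tasks also need blank lines between them to match the rest of the file.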
@@ -96,21 +96,17 @@ apiServer: readOnly: false pathType: DirectoryOrCreate - name: "audit-policies" - hostPath: "/etc/kubernetes/policies" - mountPath: "/etc/kubernetes/policies" + hostPath: "/etc/kubernetes/policies/audit-policy.yaml" + mountPath: "/etc/kubernetes/policies/audit-policy.yaml" readOnly: false - pathType: DirectoryOrCreate + pathType: File {% if lb_kubemaster is defined %} certSANs: - "{{ lb_kubemaster }}" {% endif %} {% if kubernetes_network == "flannel" or kubernetes_network == "calico" %} networking: -{% if kubernetes_network == "flannel" %} - podSubnet: "10.244.0.0/16" -{% elif kubernetes_network == "calico" %} - podSubnet: "192.168.0.0/16" -{% endif %} + podSubnet: "{{ kubernetes_pods_network }}" {% endif %} --- apiVersion: kubeproxy.config.k8s.io/v1alpha1 diff --git a/vars/RedHat.yml b/vars/RedHat.yml index a5905f3..beb4337 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -4,5 +4,6 @@ kubernetes_package_name: - kubelet - kubeadm - iproute-tc + - ipvsadm #kubernetes_remove_packages_name: # - kubernetes.io From fa4679acdd0ee2aca196a1d32f56b00ae67fa300 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 19 Feb 2021 22:07:41 +0100 Subject: [PATCH 09/99] Fix nodes registration in multi-clusters config --- tasks/cluster_kubeadm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index c6fad27..1d496ae 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -203,7 +203,7 @@ - name: Defined a default lb_kubemaster set_fact: - lb_kubemaster: "{{ groups['KubernetesMasters'][0] }}" + lb_kubemaster: "{{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }}" when: - lb_kubemaster is undefined # - groups['KubernetesMasters'] | length > 1 
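Review bot: `readOnly: false` on the `audit-policies` volume gives the API server pod write access to its own audit policy file; the policy is input, not output, so this mount should be `readOnly: true` (the `audit-log` mount above it legitimately stays writable). Patch 12 moves the same stanza into a conditional block and carries `readOnly: false` along, so fix both. Mounting a single file with `pathType: File` also means that when Ansible's `copy` replaces the policy (new inode), the running static pod presumably keeps the old content until it is restarted — worth a comment or a handler.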
@@ -219,7 +219,7 @@ group: root mode: 0600 - - name: Init Kubernetes on {{ groups['KubernetesMasters'][0] }} + - name: Init Kubernetes on {{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }} command: kubeadm init --config=/root/kubeadm-config.yaml - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group From 91a200ae098fd3ffbdb7475a337f14ed2925eea1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 20 Feb 2021 01:09:58 +0100 Subject: [PATCH 10/99] Fix Firewalld pb --- tasks/RedHat.yml | 76 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 52 insertions(+), 24 deletions(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 1db8527..a75a704 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -9,18 +9,48 @@ # gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg # state: present +#- name: Add Official kubernetes's repo +# template: +# src: "etc/yum.repos.d/kubernetes.repo.j2" +# dest: "/etc/yum.repos.d/kubernetes.repo" +# group: root +# owner: root +# mode: 0644 +# when: +# - not ansible_machine == "armv7l" +# - not ansible_machine == "armv6l" +# - kubernetes_cri != "k3s" + - name: Add Official kubernetes's repo - template: - src: "etc/yum.repos.d/kubernetes.repo.j2" - dest: "/etc/yum.repos.d/kubernetes.repo" - group: root - owner: root - mode: 0644 + yum_repository: + name: kubernetes + description: Kubernetes + baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch + enabled: true + gpgcheck: true + repo_gpgcheck: true + gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg + exclude: kubelet kubeadm kubectl + become: true when: - not ansible_machine == "armv7l" - not ansible_machine == "armv6l" - kubernetes_cri != "k3s" +#- name: redhat | Installing K8s Packages +# package: +# name: +# - kubectl +# - kubelet +# - kubeadm +# - iproute-tc +# - ipvsadm +# state: present +# disable_excludes: kubernetes +# become: true +# register: result +# until: result is successful + - name: Register kubernetes firewalld service template: src: "etc/firewalld/services/kubernetes.xml.j2" @@ -50,6 +80,7 @@ # Définir interface - name: Open Firewalld firewalld: + zone: external service: kubernetes permanent: true state: enabled 
@@ -59,29 +90,25 @@ # - firewall_name == "firewalld" - kubernetes_server|bool -- name: Create kubernetes firewalld zone +#- name: Create kubernetes firewalld zone +# firewalld: +# zone: kubernetes +# permanent: true +# state: present +# when: +# - kubernetes_server|bool +- name: Add kubernetes networks to trusted firewalld zone firewalld: - zone: kubernetes - permanent: true - state: present - when: - - kubernetes_server|bool -- name: Add PODs network to kubernetes firewalld zone - firewalld: - zone: kubernetes +# zone: kubernetes + zone: trusted permanent: true state: enabled - source: "{{ kubernetes_pods_network }}" - when: - - kubernetes_server|bool -- name: Add Services network to kubernetes firewalld zone - firewalld: - zone: kubernetes - permanent: true - state: enabled - source: "10.96.0.0/12" + source: "{{ item }}" when: - kubernetes_server|bool + with_items: + - "{{ kubernetes_pods_network }}" + - "10.96.0.0/12" - name: Install kubernetes tools dnf: @@ -89,6 +116,7 @@ enablerepo: "kubernetes" state: present update_cache: yes + disable_excludes: kubernetes # notify: Restart kubelet when: - ansible_pkg_mgr == "dnf" From b5eb9971656007cc887a28ed46c3134dbf7f49b1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 7 May 2021 23:51:52 +0200 Subject: [PATCH 11/99] Comment deprecated port --- templates/etc/firewalld/services/kubernetes.xml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/firewalld/services/kubernetes.xml.j2 b/templates/etc/firewalld/services/kubernetes.xml.j2 index e5ec9c5..95f0583 100644 --- a/templates/etc/firewalld/services/kubernetes.xml.j2 +++ b/templates/etc/firewalld/services/kubernetes.xml.j2 @@ -25,7 +25,7 @@ # kube-controler-manager, used by self # Read-only Kubelet API (Deprecated) - +# {% else %} {% endif %} From 361895d43db00e4c4e1b56ea8a02b734602684a1 Mon Sep 17 00:00:00 2001 
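Review bot: Putting the whole pod CIDR and service CIDR into the `trusted` zone accepts every packet from those source ranges on every port of the host, so any workload holding (or spoofing) a pod address reaches the kubelet, etcd, SSH and anything else bound on the node, which makes the `kubernetes` firewalld service definition moot for that traffic. A dedicated zone — the commented-out `kubernetes` zone — with just the services/ports the node must expose to pods is the safer shape, even if the zone needs an explicit target; if `trusted` is kept as an interim fix, say so in a comment and keep the service range in a variable rather than the literal `"10.96.0.0/12"`. The `# zone: kubernetes` comment left inside the module arguments should go.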
From: Adrien Reslinger Date: Fri, 7 May 2021 23:55:15 +0200 Subject: [PATCH 12/99] Preparing for falco --- tasks/cluster_kubeadm.yml | 4 + .../kubernetes/audit-webhook-kubeconfig.j2 | 14 +++ templates/kubeadm-config.yaml.j2 | 93 +++++++++++-------- 3 files changed, 74 insertions(+), 37 deletions(-) create mode 100644 templates/etc/kubernetes/audit-webhook-kubeconfig.j2 diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 1d496ae..74f6ec2 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -168,6 +168,10 @@ when: - kubernetes_master|bool +# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/ +# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml +# Ou récupération de ces règles pour une utilisation avec falco + - name: Configure audit policy copy: src: "etc/kubernetes/policies/audit-policy.yaml" diff --git a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 new file mode 100644 index 0000000..7cc1cb4 --- /dev/null +++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Config +clusters: +- cluster: + server: http://:8765/k8s_audit + name: falco +contexts: +- context: + cluster: falco + user: "" + name: default-context +current-context: default-context +preferences: {} +users: [] \ No newline at end of file diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 2d69675..826a541 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
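Review bot: `server: http://:8765/k8s_audit` points the audit webhook at a cleartext URL with an empty host; audit events carry request metadata and, at `RequestResponse` level, full object bodies, so when this file is wired in (it is currently behind `{% if false %}` in kubeadm-config.yaml.j2) it should use `https://` with a `certificate-authority` entry, and the host should come from a role variable rather than be left blank. As written the `.j2` file contains no Jinja at all and lacks a trailing newline. A short comment at the top stating that this is the Falco webhook target and is not yet active would help the next reader.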
@@ -33,9 +33,12 @@ nodeRegistration: container-runtime-endpoint: "unix:///var/run/crio/crio.sock" {% endif %} node-ip: {{ ansible_default_ipv4.address }} - read-only-port: "10255" +# read-only-port: "10255" ignorePreflightErrors: - SystemVerification +{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %} + - NumCPU +{% endif %} {% if true == false %} - IsPrivilegedUser {% endif %} 
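Review bot: Commenting out `read-only-port: "10255"` leaves the kubelet's unauthenticated read-only port to whatever the default happens to be instead of stating the intent; write `read-only-port: "0"` explicitly so the deprecated port stays closed regardless of kubelet or kubeadm defaults (same for the JoinConfiguration hunk at the end of this patch). The new `NumCPU` preflight exception for untainted masters is presumably for single-core test nodes; a one-line comment saying so would keep someone from removing it as unneeded.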
@@ -45,6 +48,51 @@ localAPIEndpoint: {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} certificateKey: "{{ kubernetes_certificateKey.stdout }}" {% endif %} +{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} +--- +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +kubernetesVersion: stable +{% if lbip_kubeapiserver is defined %} +controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443" +{% else %} +controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443" +{% endif %} +apiServer: + extraArgs: + enable-admission-plugins: NodeRestriction,PodSecurityPolicy + authorization-mode: "Node,RBAC" + audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml" + audit-log-path: "/var/log/apiserver/audit.log" + audit-log-maxage: "30" + audit-log-maxbackup: "10" + audit-log-maxsize: "100" +{% if false %} +# Falco + audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml" + audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig" +{% endif %} + extraVolumes: + - name: "audit-log" + hostPath: "/var/log/apiserver" + mountPath: "/var/log/apiserver" + readOnly: false + pathType: DirectoryOrCreate + - name: "audit-policies" + hostPath: "/etc/kubernetes/policies/audit-policy.yaml" + mountPath: "/etc/kubernetes/policies/audit-policy.yaml" + readOnly: false + pathType: File +{% if lb_kubemaster is defined %} + certSANs: + - "{{ lb_kubemaster }}" +{% endif %} +{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %} +networking: + podSubnet: "{{ kubernetes_pods_network }}" +{% endif %} +{% endif %} +{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} --- apiVersion: kubeadm.k8s.io/v1beta2 kind: JoinConfiguration 
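Review bot: The `audit-policies` extraVolume mounts the policy file into the apiserver pod with `readOnly: false`, which the apiserver never needs; it should be `readOnly: true` (only `audit-log` needs to be writable). The Falco section, although gated by `{% if false %}`, would not work when switched on: it repeats the `audit-policy-file` key already set a few lines above (a duplicate mapping key inside `extraArgs`), and `/etc/kubernetes/policies/audit-webhook-kubeconfig` is not listed in `extraVolumes`, so the static pod could not read the file named by `audit-webhook-config-file`. A matching volume entry, gated the same way, is sketched below; the `{% if false %}` should become a real role variable before this is enabled.
```yaml
  extraVolumes:
    # … unchanged: audit-log volume …
    - name: "audit-policies"
      hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
      mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
      readOnly: true
      pathType: File
{% if false %}
    - name: "audit-webhook"
      hostPath: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
      mountPath: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
      readOnly: true
      pathType: File
{% endif %}
```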
@@ -68,51 +116,22 @@ discovery: nodeRegistration: kubeletExtraArgs: node-ip: {{ ansible_default_ipv4.address }} - read-only-port: "10255" +# read-only-port: "10255" ignorePreflightErrors: - SystemVerification ---- -apiVersion: kubeadm.k8s.io/v1beta2 -kind: ClusterConfiguration -kubernetesVersion: stable -{% if lbip_kubeapiserver is defined %} -controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443" -{% else %} -controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443" +{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %} + - NumCPU {% endif %} -apiServer: - extraArgs: - enable-admission-plugins: NodeRestriction,PodSecurityPolicy - authorization-mode: "Node,RBAC" - audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml" - audit-log-path: "/var/log/apiserver/audit.log" - audit-log-maxage: "30" - audit-log-maxbackup: "10" - audit-log-maxsize: "100" - extraVolumes: - - name: "audit-log" - hostPath: "/var/log/apiserver" - mountPath: "/var/log/apiserver" - readOnly: false - pathType: DirectoryOrCreate - - name: "audit-policies" - hostPath: "/etc/kubernetes/policies/audit-policy.yaml" - mountPath: "/etc/kubernetes/policies/audit-policy.yaml" - readOnly: false - pathType: File -{% if lb_kubemaster is defined %} - certSANs: - - "{{ lb_kubemaster }}" -{% endif %} -{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %} -networking: - podSubnet: "{{ kubernetes_pods_network }}" {% endif %} --- apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration {% if kubernetes_kubeproxy_mode is defined %} mode: {{ kubernetes_kubeproxy_mode }} +{% if kubernetes_kubeproxy_mode == "ipvs" %} +ipvs: + strictARP: true +{% endif %} {% endif %} --- apiVersion: kubelet.config.k8s.io/v1beta1 From 7309d7e559815d8d4f8d4219ebb344371b2c1e85 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Fri, 7 May 2021 23:55:50 +0200 Subject: [PATCH 13/99] Update kubernetes & k3s version to 1.20.6 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d041f2a..89b601b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,5 +5,5 @@ kubernetes_server: false # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.20.2 +kubernetes_version: 1.20.6 kubernetes_pods_network: "10.244.0.0/16" \ No newline at end of file diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index de195e9..fd986a3 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From fe14247baa053967546f32340258532a72f3f2c4 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 7 May 2021 23:56:20 +0200 Subject: [PATCH 14/99] Set packages version --- vars/RedHat.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vars/RedHat.yml b/vars/RedHat.yml index beb4337..4eecd17 100644 --- a/vars/RedHat.yml 
+++ b/vars/RedHat.yml @@ -1,8 +1,8 @@ --- kubernetes_package_name: - - kubectl - - kubelet - - kubeadm + - kubectl-{{ kubernetes_version }} + - kubelet-{{ kubernetes_version }} + - kubeadm-{{ kubernetes_version }} - iproute-tc - ipvsadm #kubernetes_remove_packages_name: From 84aa6f023f2e5f534deb9592afcc2c9037ae2d39 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 7 May 2021 23:57:04 +0200 Subject: [PATCH 15/99] Define LV size for master --- tasks/install_server.yml | 8 +++++++- vars/masters.yml | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 vars/masters.yml diff --git a/tasks/install_server.yml b/tasks/install_server.yml index 89dd6c9..c50cc8c 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml @@ -1,4 +1,10 @@ --- +- name: Include vars for not taint Kubernetes masters + include_vars: masters.yml + when: + - kubernetes_master|bool + - not kubernetes_master_taint|bool + - name: Add master to KubernetesMasters_ClusterName group group_by: key: KubernetesMasters_{{ kubernetes_cluster_name }} @@ -26,7 +32,7 @@ lvol: vg: vg_sys thinpool: kubernetes - size: 20g + size: "{{ lv_kubernetes_size | default('20g') }}" ## Install API loadbalancer #- include_tasks: "load_balancer.yml" diff --git a/vars/masters.yml b/vars/masters.yml new file mode 100644 index 0000000..4a03a33 --- /dev/null +++ b/vars/masters.yml @@ -0,0 +1,3 @@ +--- +lv_containers_size: 2g +lv_kubernetes_size: 8g \ No newline at end of file From 1e17bc731755fb38047ab729d600d5158cc8c677 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 1 Jun 2021 19:01:01 +0200 Subject: [PATCH 16/99] Update template for kube-prometheus-stack --- templates/kubeadm-config.yaml.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 826a541..8395875 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
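Review bot: Pinning `kubectl-{{ kubernetes_version }}`, `kubelet-…` and `kubeadm-…` is the right direction, but a `state: present` install of a pinned name does not stop a later `yum update` from moving kubelet past the control-plane version; adding the three packages to the repo's `exclude` in the `yum_repository` task of tasks/RedHat.yml, or a versionlock task, would make the pin stick. `kubernetes_version` is an unquoted `1.20.6` in defaults/main.yml, which parses as a string today, but a two-component value such as `1.20` would be read as the float 1.2 and render a wrong package name; quoting it in defaults avoids that.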
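Review bot: `include_vars: masters.yml` loads `lv_kubernetes_size: 8g` with include_vars precedence, which is higher than inventory and host_vars, so an operator cannot size a particular master's volume from inventory once this task has run; the later `size: "{{ lv_kubernetes_size | default('20g') }}"` only ever sees 8g on untainted masters. A conditional expression at the point of use, or a role-level default that inventory can override, keeps the per-host override possible. `lv_containers_size: 2g` in the new vars file is not consumed by any visible hunk; if it is used elsewhere a comment in masters.yml pointing to that task would help.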
@@ -91,6 +91,16 @@ apiServer: networking: podSubnet: "{{ kubernetes_pods_network }}" {% endif %} +controllerManager: + extraArgs: + bind-address: 0.0.0.0 +scheduler: + extraArgs: + bind-address: 0.0.0.0 +etcd: + local: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 {% endif %} {% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} --- @@ -126,6 +136,7 @@ nodeRegistration: --- apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration +metricsBindAddress: "0.0.0.0:10249" {% if kubernetes_kubeproxy_mode is defined %} mode: {{ kubernetes_kubeproxy_mode }} {% if kubernetes_kubeproxy_mode == "ipvs" %} From d18ccea7705129e8988fc20e558cc4c23a4b2bcb Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 2 Jun 2021 15:46:58 +0200 Subject: [PATCH 17/99] Update audit policies file --- .../etc/kubernetes/policies/audit-policy.yaml | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/files/etc/kubernetes/policies/audit-policy.yaml b/files/etc/kubernetes/policies/audit-policy.yaml index 25b8fd0..9067920 100644 --- a/files/etc/kubernetes/policies/audit-policy.yaml +++ b/files/etc/kubernetes/policies/audit-policy.yaml @@ -10,7 +10,15 @@ rules: - group: "" # Resource "pods" doesn't match requests to any subresource of pods, # which is consistent with the RBAC policy. - resources: ["pods"] + resources: ["pods", "deployments"] + + - level: RequestResponse + resources: + - group: "rbac.authorization.k8s.io" + # Resource "pods" doesn't match requests to any subresource of pods, + # which is consistent with the RBAC policy. + resources: ["clusterroles", "clusterrolebindings"] + # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: 
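Review bot: `bind-address: 0.0.0.0` for controller-manager and scheduler, `listen-metrics-urls: http://0.0.0.0:2381` for etcd, and `metricsBindAddress: "0.0.0.0:10249"` for kube-proxy (second hunk) expose those listeners on every interface of the node; the etcd metrics and kube-proxy metrics endpoints are plain HTTP with no authentication. If the goal is scraping from kube-prometheus-stack inside the cluster, binding to the node address the template already uses elsewhere (`{{ ansible_default_ipv4.address }}`) is enough and keeps the ports off other interfaces; otherwise the firewall task that is expected to restrict these ports should be named in a comment. A short comment stating which scrape target needs each setting would make the intent reviewable later.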
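Review bot: `resources: ["pods", "deployments"]` sits under `group: ""`, but deployments belong to the `apps` API group, so this rule never matches a deployment request and those fall through to later rules; add a separate `- group: "apps"` entry with `resources: ["deployments"]`. The comment copied into the new `rbac.authorization.k8s.io` rule still talks about `"pods"` and should describe clusterroles/clusterrolebindings instead. The `rules:` list continues outside the hunk.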
@@ -48,11 +56,17 @@ rules: # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] - # Log configmap and secret changes in all other namespaces at the Metadata level. + # Log configmap changes in all other namespaces at the RequestResponse level. + - level: RequestResponse + resources: + - group: "" # core API group + resources: ["configmaps"] + + # Log secret changes in all other namespaces at the Metadata level. - level: Metadata resources: - group: "" # core API group - resources: ["secrets", "configmaps"] + resources: ["secrets"] # Log all other resources in core and extensions at the Request level. - level: Request From 738896b356c4c246f307aa2e1fdfdf2838f494f8 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 5 Jun 2021 10:51:19 +0200 Subject: [PATCH 18/99] Update for falco --- tasks/cluster_kubeadm.yml | 1 + templates/etc/kubernetes/audit-webhook-kubeconfig.j2 | 6 +++--- templates/kubeadm-config.yaml.j2 | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 74f6ec2..a6fbc51 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -136,6 +136,7 @@ mode: 0644 with_items: - "systemd/system/kubelet.service.d/0-kubelet-extra-args.conf" + - "systemd/system/kubelet.service.d/11-cgroups.conf" - "sysconfig/kubelet" when: - ansible_service_mgr == "systemd" diff --git a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 index 7cc1cb4..781d08c 100644 --- a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 +++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 @@ -1,9 +1,9 @@ apiVersion: v1 kind: Config clusters: -- cluster: - server: http://:8765/k8s_audit - name: falco +- name: falco + cluster: + server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s-audit contexts: - context: cluster: falco 
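Review bot: Raising configmaps to `RequestResponse` writes full ConfigMap bodies into `/var/log/apiserver/audit.log` for every namespace (and to the webhook once enabled), whereas secrets are deliberately kept at `Metadata`; in practice ConfigMaps frequently carry credentials too, so this turns the audit log into sensitive material. Only `Metadata` avoids storing the object body (`Request` still contains it). If bodies are genuinely needed for the Falco rules, say so in the `# Log configmap changes …` comment and make sure retention and permissions on `/var/log/apiserver` are handled like secret data.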
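Review bot: `server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s-audit` uses a shell-style `$VAR`, but neither Jinja (this is a `.j2` template) nor kube-apiserver expands environment variables in a kubeconfig, so the apiserver would try to resolve the literal host `$FALCO_SERVICE_CLUSTERIP`. Render the address from a Jinja variable or, since it is a Service, use the in-cluster DNS name (placeholder: `http://<falco-service>.<namespace>.svc:8765/k8s-audit`), and consider TLS for the stream since audit events can carry request bodies. The path also changed from `k8s_audit` to `k8s-audit`; that is only correct if the Falco side uses the same spelling, so a comment naming the expected endpoint would help.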
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 8395875..905d188 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -69,8 +69,8 @@ apiServer: audit-log-maxsize: "100" {% if false %} # Falco - audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml" audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig" + audit-webhook-batch-max-wait: "5s" {% endif %} extraVolumes: - name: "audit-log" From 1b665fa94cb4596798708b9f7f3e9fa86107dd08 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 27 Jun 2021 02:49:55 +0200 Subject: [PATCH 19/99] Update k8s version & can chose network interface --- defaults/main.yml | 3 ++- tasks/cluster_kubeadm.yml | 14 +++++++++++++- .../kubelet.service.d/0-kubelet-extra-args.conf.j2 | 2 +- .../system/kubelet.service.d/11-cgroups.conf.j2 | 5 +++++ templates/kubeadm-config.yaml.j2 | 12 ++++++------ 5 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 templates/etc/systemd/system/kubelet.service.d/11-cgroups.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 89b601b..0af1c65 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,8 +2,9 @@ # value for kubernetes_cri: containerd, cri-o #kubernetes_cri: "containerd" kubernetes_server: false +kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.20.6 +kubernetes_version: 1.21.2 kubernetes_pods_network: "10.244.0.0/16" \ No newline at end of file diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index a6fbc51..6ebe66e 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml 
@@ -136,11 +136,23 @@ mode: 0644 with_items: - "systemd/system/kubelet.service.d/0-kubelet-extra-args.conf" - - "systemd/system/kubelet.service.d/11-cgroups.conf" - "sysconfig/kubelet" when: - ansible_service_mgr == "systemd" +- name: Configure kubelet service for CRI-O + template: + src: "etc/{{ item }}.j2" + dest: "/etc/{{ item }}" + group: root + owner: root + mode: 0644 + with_items: + - "systemd/system/kubelet.service.d/11-cgroups.conf" + when: + - ansible_service_mgr == "systemd" + - kubernetes_cri == "cri-o" + - name: Configure kubelet service template: src: "etc/{{ item }}.j2" diff --git a/templates/etc/systemd/system/kubelet.service.d/0-kubelet-extra-args.conf.j2 b/templates/etc/systemd/system/kubelet.service.d/0-kubelet-extra-args.conf.j2 index e6f3596..fde66b0 100644 --- a/templates/etc/systemd/system/kubelet.service.d/0-kubelet-extra-args.conf.j2 +++ b/templates/etc/systemd/system/kubelet.service.d/0-kubelet-extra-args.conf.j2 @@ -1,2 +1,2 @@ [Service] -Environment=KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint={% if kubernetes_cri == "containerd" %}unix:///run/containerd/containerd.sock{% elif kubernetes_cri == "cri-o" %}unix:///var/run/crio/crio.sock{% endif %} --node-ip={{ ansible_default_ipv4.address }}" +Environment=KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint={% if kubernetes_cri == "containerd" %}unix:///run/containerd/containerd.sock{% elif kubernetes_cri == "cri-o" %}unix:///var/run/crio/crio.sock{% endif %} --node-ip={{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}" diff --git a/templates/etc/systemd/system/kubelet.service.d/11-cgroups.conf.j2 b/templates/etc/systemd/system/kubelet.service.d/11-cgroups.conf.j2 new file mode 100644 index 0000000..403ae0e --- /dev/null +++ b/templates/etc/systemd/system/kubelet.service.d/11-cgroups.conf.j2 
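Review bot: `lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address` assumes the fact key is `ansible_` plus the raw interface name, but Ansible rewrites characters such as `-` to `_` in interface fact names (an interface like `br-ex` is exposed as `ansible_br_ex`), so a `kubernetes_interface` naming such an interface makes the lookup fail at template time; normalising with `| replace('-', '_')` or reading the interface entry from `ansible_facts` avoids it. The same expression is repeated in kubeadm-config.yaml.j2 and sysconfig/kubelet.j2 in the following hunks; computing it once with `set_fact` into one variable (name to be chosen) would keep every consumer in step and give a single place for an `assert` that the interface has an IPv4 address.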
@@ -0,0 +1,5 @@ +# https://stackoverflow.com/a/57456786 +# https://stackoverflow.com/questions/57456667/failed-to-get-kubelets-cgroup +[Service] +CPUAccounting=true +MemoryAccounting=true diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 905d188..e9d5596 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -32,7 +32,7 @@ nodeRegistration: {% elif kubernetes_cri == "cri-o" %} container-runtime-endpoint: "unix:///var/run/crio/crio.sock" {% endif %} - node-ip: {{ ansible_default_ipv4.address }} + node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} # read-only-port: "10255" ignorePreflightErrors: - SystemVerification @@ -43,7 +43,7 @@ nodeRegistration: - IsPrivilegedUser {% endif %} localAPIEndpoint: - advertiseAddress: "{{ ansible_default_ipv4.address }}" + advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}" bindPort: 6443 {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} certificateKey: "{{ kubernetes_certificateKey.stdout }}" @@ -56,11 +56,11 @@ kubernetesVersion: stable {% if lbip_kubeapiserver is defined %} controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443" {% else %} -controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443" +controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}:6443" {% endif %} apiServer: extraArgs: - enable-admission-plugins: NodeRestriction,PodSecurityPolicy + enable-admission-plugins: NodeRestriction authorization-mode: "Node,RBAC" audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml" audit-log-path: "/var/log/apiserver/audit.log" 
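Review bot: `enable-admission-plugins: NodeRestriction` drops `PodSecurityPolicy` from the apiserver's admission chain, while the commit message mentions only the version bump and the interface choice. With 1.21.2 PSP still works (deprecated, removed in 1.25), so this change alone leaves the cluster with no pod-level admission control: anyone allowed to create pods is constrained only by RBAC. If PSPs were never used, a comment saying so would settle it; otherwise keep the plugin until the Pod Security admission controller (beta from 1.23) is configured through `AdmissionConfiguration`.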
@@ -109,7 +109,7 @@ kind: JoinConfiguration {% if kubernetes_master|bool %} controlPlane: localAPIEndpoint: - advertiseAddress: "{{ ansible_default_ipv4.address }}" + advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}" bindPort: 6443 {% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} certificateKey: "{{ kubernetes_certificateKey.stdout }}" @@ -125,7 +125,7 @@ discovery: {% endif %} nodeRegistration: kubeletExtraArgs: - node-ip: {{ ansible_default_ipv4.address }} + node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} # read-only-port: "10255" ignorePreflightErrors: - SystemVerification From 1008484e4679f9a86dac7275db6ba1807aa8d1cb Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 27 Jun 2021 12:21:08 +0200 Subject: [PATCH 20/99] Update forgoten template --- templates/etc/sysconfig/kubelet.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/sysconfig/kubelet.j2 b/templates/etc/sysconfig/kubelet.j2 index b02129d..92eaebd 100644 --- a/templates/etc/sysconfig/kubelet.j2 +++ b/templates/etc/sysconfig/kubelet.j2 @@ -1,2 +1,2 @@ #https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates -KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint={% if kubernetes_cri == "containerd" %}unix:///run/containerd/containerd.sock{% elif kubernetes_cri == "cri-o" %}unix:///var/run/crio/crio.sock{% endif %} --node-ip={{ ansible_default_ipv4.address }}" +KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint={% if kubernetes_cri == "containerd" %}unix:///run/containerd/containerd.sock{% elif kubernetes_cri == "cri-o" %}unix:///var/run/crio/crio.sock{% endif %} --node-ip={{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}" From 0c02bc3a32f38020eabfd6e75e583b46f901ea59 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Sat, 10 Jul 2021 00:04:39 +0200 Subject: [PATCH 21/99] Update deployment --- tasks/RedHat.yml | 67 ++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index a75a704..fec66e8 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -51,44 +51,38 @@ # register: result # until: result is successful -- name: Register kubernetes firewalld service - template: - src: "etc/firewalld/services/kubernetes.xml.j2" - dest: "/etc/firewalld/services/kubernetes.xml" - group: root - owner: root - mode: 0644 - register: need_firewalld_reload - when: - - kubernetes_server|bool - -- name: Reload firewalld configuration - service: - name: firewalld - state: reloaded - enabled: yes - when: - - kubernetes_server|bool - - need_firewalld_reload is changed - -#- name: reload firewalld to refresh service list -# command: firewall-cmd --reload +#- name: Register kubernetes firewalld service +# template: +# src: "etc/firewalld/services/kubernetes.xml.j2" +# dest: "/etc/firewalld/services/kubernetes.xml" +# group: root +# owner: root +# mode: 0644 +# register: need_firewalld_reload # when: -# - need_firewalld_reload is changed # - kubernetes_server|bool - -# Définir interface -- name: Open Firewalld - firewalld: - zone: external - service: kubernetes - permanent: true - state: enabled - immediate: true - when: -# - need_firewall|bool -# - firewall_name == "firewalld" - - kubernetes_server|bool +# +#- name: Reload firewalld configuration +# service: +# name: firewalld +# state: reloaded +# enabled: yes +# when: +# - kubernetes_server|bool +# - need_firewalld_reload is changed +# +## Définir interface +#- name: Open Firewalld +# firewalld: +# zone: external +# service: kubernetes +# permanent: true +# state: enabled +# immediate: true +# when: +## - need_firewall|bool +## - firewall_name == "firewalld" +# - kubernetes_server|bool #- name: Create kubernetes firewalld zone # firewalld: @@ -107,6 +101,7 @@ when: - kubernetes_server|bool with_items: + - "{{ (lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.network + '/' + lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.netmask) | ipaddr('net') }}" - "{{ kubernetes_pods_network }}" - "10.96.0.0/12" 
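Review bot: Commenting out `Register kubernetes firewalld service`, `Reload firewalld configuration` and `Open Firewalld` removes every task that managed the kube ports in firewalld, and the commit says only "Update deployment"; if the replacement lives in another file, or the firewall is now meant to be unmanaged by this role, a one-line comment at the top of the commented block should say which. The new `with_items` entry builds the node network with `| ipaddr('net')`, which needs the `netaddr` Python package on the controller (and, on newer Ansible, the `ansible.netcommon` collection) — worth a requirements note, since nothing else in the visible hunks uses it. The task that consumes this list starts outside the hunk, so whether it feeds trusted sources or masquerading cannot be checked here.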
From 2b1fe56b47a1277c47d537f681b5b902c20fee83 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 16 Aug 2021 00:08:21 +0200 Subject: [PATCH 22/99] Update default kubernetes version to 1.21.4 & add --- defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0af1c65..c0af613 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,5 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.21.2 -kubernetes_pods_network: "10.244.0.0/16" \ No newline at end of file +kubernetes_version: 1.21.4 +kubernetes_pods_network: "10.244.0.0/16" +lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From a16013a8a19f1a27998df23c4179404fabd6cd71 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 16 Aug 2021 00:09:00 +0200 Subject: [PATCH 23/99] Update version of k3s & add restart service --- tasks/cluster_k3s.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index fd986a3..dd0fe42 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root 
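Review bot: `lb_auth_pass: 1be344d62acc46c6858ae8475668a245` commits a keepalived VRRP authentication password as a role default, so every deployment that does not override it shares the same secret, and the value is now in git history. Defaults should not carry a usable secret: leave the key undefined (or set an obviously invalid placeholder) and fail early with an `assert` task when it is not supplied from inventory or Ansible Vault. Any cluster already deployed with this value should have it rotated. When it is defined, keep it quoted so a future value cannot be re-typed by the YAML parser.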
@@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root @@ -151,6 +151,10 @@ when: - ansible_service_mgr == "systemd" + - name: Reload systemd + ansible.builtin.systemd: + daemon_reload: yes + - name: Enable k3s on boot service: name: k3s From cfa8180c1882b7946c3a5b6773176ce4f116cf12 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 16 Aug 2021 00:09:14 +0200 Subject: [PATCH 24/99] Update loadbalancer deployment --- tasks/load_balancer.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tasks/load_balancer.yml b/tasks/load_balancer.yml index aa9413d..8b6765c 100644 --- a/tasks/load_balancer.yml +++ b/tasks/load_balancer.yml @@ -1,12 +1,11 @@ --- - name: Install needed packages package: - name: "{{ item }}" + name: + - keepalived + - curl state: present update_cache: yes - with_items: - - keepalived - - curl notify: Restart keepalived - name: Install check_apiserver.sh script for keepalived template: @@ -39,3 +38,6 @@ when: - not groups['KubernetesMasters'][0] == ansible_hostname notify: Restart keepalived + + - name: Flush handlers + meta: flush_handlers From ea47d112e83945155ea905d729fafb4a6c632670 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 26 Sep 2021 16:56:45 +0200 Subject: [PATCH 25/99] Update version & fix desktop deployment tools --- defaults/main.yml | 2 +- tasks/RedHat.yml | 18 +++++++- tasks/cluster_k3s.yml | 6 +-- tasks/main.yml | 100 ++++++++++++++++++++++-------------------- 4 files changed, 73 insertions(+), 53 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c0af613..5446569 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
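Review bot: The new `Reload systemd` task runs unconditionally, while the template task just above it appears to be gated on `ansible_service_mgr == "systemd"` (the `when:` shown as context), so on a non-systemd host the reload would fail. Folding it into `Enable k3s on boot` — replace `service:` with `ansible.builtin.systemd:` and add `daemon_reload: true` — reloads units exactly when the service is managed and also removes the mixed `yes`/`true` booleans introduced here. The enclosing block starts outside the hunk.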
@@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.21.4 +kubernetes_version: 1.22.2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index fec66e8..4c469ed 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -21,7 +21,7 @@ # - not ansible_machine == "armv6l" # - kubernetes_cri != "k3s" -- name: Add Official kubernetes's repo +- name: Add Official kubernetes's repo on servers yum_repository: name: kubernetes description: Kubernetes @@ -35,8 +35,24 @@ when: - not ansible_machine == "armv7l" - not ansible_machine == "armv6l" + - kubernetes_server|bool - kubernetes_cri != "k3s" +- name: Add Official kubernetes's repo for Desktop + yum_repository: + name: kubernetes + description: Kubernetes + baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch + enabled: true + gpgcheck: true + repo_gpgcheck: true + gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg + become: true + when: + - not ansible_machine == "armv7l" + - not ansible_machine == "armv6l" + - not kubernetes_server|bool + #- name: redhat | Installing K8s Packages # package: # name: diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index dd0fe42..c5fd4b4 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root 
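Review bot: `Add Official kubernetes's repo for Desktop` appears to duplicate the server task above it field for field (same `name: kubernetes`, baseurl, `gpgcheck`, `repo_gpgcheck` and GPG keys — the server task's body is partly outside the hunk), differing only in `become: true` and the negated `kubernetes_server|bool`, so every future change to the repo definition has to be made twice. One task with `when:` `- not ansible_machine == "armv7l"`, `- not ansible_machine == "armv6l"`, `- (not kubernetes_server|bool) or kubernetes_cri != "k3s"` covers both cases. The `become: true` asymmetry also deserves a comment, since the server variant presumably relies on play-level privilege escalation.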
@@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.21.4%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root diff --git a/tasks/main.yml b/tasks/main.yml index 5fe21e7..c13136d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,57 +1,61 @@ --- -- name: Include vars for {{ ansible_os_family }} - include_vars: "{{ ansible_os_family }}.yml" +- name: Kubernetes Install + tags: + - kubernetes + block: + - name: Include vars for {{ ansible_os_family }} + include_vars: "{{ ansible_os_family }}.yml" -- name: Define vars for master - set_fact: - kubernetes_server: true - kubernetes_master: true - kubernetes_master_taint: false - when: - - "'KubernetesMasters' in group_names" - - "'KubernetesNodes' not in group_names" + - name: Define vars for master + set_fact: + kubernetes_server: true + kubernetes_master: true + kubernetes_master_taint: false + when: + - "'KubernetesMasters' in group_names" + - "'KubernetesNodes' not in group_names" -- name: Define vars for node - set_fact: - kubernetes_server: true - kubernetes_master: false - kubernetes_master_taint: false - when: - - "'KubernetesNodes' in group_names" - - "'KubernetesMasters' not in group_names" + - name: Define vars for node + set_fact: + kubernetes_server: true + kubernetes_master: false + kubernetes_master_taint: false + when: + - "'KubernetesNodes' in group_names" + - "'KubernetesMasters' not in group_names" -- name: Define vars for taint master - set_fact: - kubernetes_server: true - kubernetes_master: true - kubernetes_master_taint: true - when: - - "'KubernetesNodes' in group_names" - - "'KubernetesMasters' in group_names" + - name: Define vars for taint master + set_fact: + kubernetes_server: true + kubernetes_master: true + kubernetes_master_taint: true + when: + - "'KubernetesNodes' in group_names" + - "'KubernetesMasters' in group_names" -- name: Define vars for tooling - set_fact: - kubernetes_sever: false - when: - - "'KubernetesMasters' not in group_names" - - "'KubernetesNodes' not in group_names" + - name: Define vars for tooling + set_fact: + kubernetes_sever: false + when: + - "'KubernetesMasters' not in group_names" + - "'KubernetesNodes' not in group_names" -- name: Install kubernetes rules for {{ ansible_os_family 
}} OS family - include_tasks: "{{ ansible_os_family }}.yml" + - name: Install kubernetes rules for {{ ansible_os_family }} OS family + include_tasks: "{{ ansible_os_family }}.yml" -#- name: Install kubernetes tools -# package: -# name: "{{ kubernetes_package_name }}" -# state: present -# update_cache: yes -## notify: Restart kubelet -# when: -# - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") + #- name: Install kubernetes tools + # package: + # name: "{{ kubernetes_package_name }}" + # state: present + # update_cache: yes + ## notify: Restart kubelet + # when: + # - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") -- name: Include kubernetes server rules - include_tasks: "install_server.yml" - when: - - kubernetes_server|bool + - name: Include kubernetes server rules + include_tasks: "install_server.yml" + when: + - kubernetes_server|bool -#- name: Install python library for docker -# package: name="{{ python_openshift_lib }}" state=latest update_cache=yes + #- name: Install python library for docker + # package: name="{{ python_openshift_lib }}" state=latest update_cache=yes From 4c1342467502ab578267a8c64b3eeeaf3695348c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 5 Oct 2021 22:36:00 +0200 Subject: [PATCH 26/99] Update k3s version --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index c5fd4b4..3e13ba0 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s" dest: "/usr/local/bin/k3s" group: root owner: root 
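Review bot: `kubernetes_sever: false` in the `Define vars for tooling` task is a typo for `kubernetes_server`, so tooling hosts never get the variable set here and only behave correctly because defaults/main.yml already sets `kubernetes_server: false`; since this commit re-indents every line of the file it is the natural moment to fix it. Wrapping the tasks in a `block` with `tags: - kubernetes` is fine, but the commented-out `Install kubernetes tools` and `Install python library for docker` tasks were re-indented into the block as well, which carries dead text into the new structure — dropping them keeps the block readable.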
@@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From 36149cf532e906e72eb1125ecabe1aed5aba140c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 20 Oct 2021 17:10:43 +0200 Subject: [PATCH 27/99] Update template --- templates/kubeadm-config.yaml.j2 | 75 +++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index e9d5596..0dcf866 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
@@ -147,10 +147,83 @@ ipvs: --- apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration -runtimeRequestTimeout: 5m +#authentication: +# anonymous: +# enabled: false +# webhook: +# cacheTTL: 2m0s +# enabled: true +# x509: +# clientCAFile: /etc/kubernetes/pki/ca.crt +#authorization: +# mode: Webhook +# webhook: +# cacheAuthorizedTTL: 5m0s +# cacheUnauthorizedTTL: 30s {% if ansible_service_mgr == "systemd" %} cgroupDriver: systemd {% endif %} +#cgroupsPerQOS: true +#clusterDNS: +#- 10.96.0.10 +#clusterDomain: cluster.local +#configMapAndSecretChangeDetectionStrategy: Watch +#containerLogMaxFiles: 5 +#containerLogMaxSize: 10Mi +#contentType: application/vnd.kubernetes.protobuf +#cpuCFSQuota: true +#cpuCFSQuotaPeriod: 100ms +#cpuManagerPolicy: none +#cpuManagerReconcilePeriod: 10s +#enableControllerAttachDetach: true +#enableDebuggingHandlers: true +#enforceNodeAllocatable: +#- pods +#eventBurst: 10 +#eventRecordQPS: 5 +#evictionHard: +# imagefs.available: 15% +# memory.available: 500Mi +# nodefs.available: 10% +# nodefs.inodesFree: 5% +#evictionPressureTransitionPeriod: 5m0s +#failSwapOn: true +#fileCheckFrequency: 20s +#hairpinMode: promiscuous-bridge +#healthzBindAddress: 127.0.0.1 +#healthzPort: 10248 +#httpCheckFrequency: 20s +#imageGCHighThresholdPercent: 85 +#imageGCLowThresholdPercent: 80 +#imageMinimumGCAge: 2m0s +#iptablesDropBit: 15 +#iptablesMasqueradeBit: 14 +#kubeAPIBurst: 10 +#kubeAPIQPS: 5 +#logging: {} +#makeIPTablesUtilChains: true +#maxOpenFiles: 1000000 +#maxPods: 110 +#memorySwap: {} +#nodeLeaseDurationSeconds: 40 +#nodeStatusReportFrequency: 1m0s +#nodeStatusUpdateFrequency: 10s +#oomScoreAdj: -999 +#podPidsLimit: -1 +#port: 10250 +#registryBurst: 10 +#registryPullQPS: 5 +#resolvConf: /etc/resolv.conf +#rotateCertificates: true +runtimeRequestTimeout: 5m +#serializeImagePulls: true +#shutdownGracePeriod: 0s +#shutdownGracePeriodCriticalPods: 0s +#staticPodPath: /etc/kubernetes/manifests +#streamingConnectionIdleTimeout: 4h0m0s 
+#syncFrequency: 1m0s +#topologyManagerPolicy: none +#volumeStatsAggPeriod: 1m0s {% if false %} readOnlyPort: 1 From 15e88a727e2d5027404ef6ffc81d04ca872a0e21 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 17 Dec 2021 21:01:58 +0100 Subject: [PATCH 28/99] Update k3s version --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 3e13ba0..0e0a2f9 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.2%2Bk3s2/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From bacbb04cc39abaac6497238d51ba469b154c859e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 6 Jan 2022 07:56:26 +0100 Subject: [PATCH 29/99] Update k3s version --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 0e0a2f9..30df03e 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
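Review bot: The seventy-odd commented-out kubelet keys added around `runtimeRequestTimeout: 5m` are a dump of one kubelet version's defaults and will silently drift from whatever version `kubernetes_version` installs, while the only effective change in the hunk is relocating that single key. Keeping them as comments also hides which settings the role actually enforces; I would trim the block to the keys the role sets and replace the rest with `# remaining KubeletConfiguration fields are left at kubelet defaults; see the upstream kubelet.config.k8s.io/v1beta1 reference`. If the commented `authentication`/`authorization` stanza (anonymous auth off, webhook authorization) is meant as a reminder to harden the kubelet, keep that one with a `# TODO:` so it is not lost among the rest — kubeadm's generated config normally sets those already, but the intent should be stated rather than inferred. The `{% if false %}` block at the end of the hunk continues outside it.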
@@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.22.4%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From ba4600add3e8a8a9090ac8c3f0219fb18f4c6dca Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 14 Jan 2022 10:05:26 +0100 Subject: [PATCH 30/99] Update k3s version to 1.23.1+k3s2 --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 30df03e..05fa996 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root 
@@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From 607840c88da3164be0f38cfc80465e2af29892dc Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 25 Jan 2022 07:03:29 +0100 Subject: [PATCH 31/99] Update k3s version --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 05fa996..58aa51f 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -29,7 +29,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +40,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -51,7 +51,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.1%2Bk3s2/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From 39d7aec1b14dc2b150e6ee0291175d073e1959df Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 9 Apr 2022 17:00:54 +0200 Subject: [PATCH 32/99] Update to version 1.23.5 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5446569..ae62123 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.22.2 +kubernetes_version: 1.23.5 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From f67d9d80299b00cdd9909cbbbdee8e5215ccff1f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 15 Apr 2022 11:03:44 +0200 Subject: [PATCH 33/99] Exclude calico management from NetworkManager --- files/etc/NetworkManager/conf.d/calico.conf | 2 ++ tasks/cluster_kubeadm.yml | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 files/etc/NetworkManager/conf.d/calico.conf diff --git a/files/etc/NetworkManager/conf.d/calico.conf b/files/etc/NetworkManager/conf.d/calico.conf new file mode 100644 index 0000000..490d153 --- /dev/null +++ b/files/etc/NetworkManager/conf.d/calico.conf @@ -0,0 +1,2 @@ +[keyfile] +unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali \ No newline at end of file diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 6ebe66e..be4af53 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -20,6 +20,25 @@ # when: # - kubernetes_cri_changed is changed +- name: Configure NetworkManager for Calico + file: + src: "etc/NetworkManager/conf.d/calico.conf" + dest: "/etc/NetworkManager/conf.d/calico.conf" + group: root + owner: root + mode: 0644 + when: + - kubernetes_network == "calico" + - ansible_os_family == "RedHat" + register: kubernetes_network_networkmanager_changed + +- name: Restart kubelet after kubernetes cri installation + service: + name: NetworkManager + status: reload + when: + - kubernetes_network_networkmanager_changed is changed + - name: Configuring IPVS kernel module to be load on boot template: src: "etc/modules-load.d/ipvs.conf.j2" 
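Review bot: `status: reload` in the new "Restart kubelet after kubernetes cri installation" task is not a parameter of the `service` module, so the task fails with an unsupported-parameter error the first time the Calico config file changes; the module reloads through `state: reloaded`. The task name is also a copy-paste of the kubelet handler and should say what it does, e.g. `- name: Reload NetworkManager after Calico configuration`. The `file:` module with `src`/`dest` on the preceding task is corrected to `copy:` in PATCH 34/99, but that follow-up touches only that line, so the `status` problem appears to survive it. The new `files/etc/NetworkManager/conf.d/calico.conf` hunk also lacks a trailing newline, which will show up as noise on every later edit of the file.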
From 18c9c7556954981f797da55acd299f5940f1f421 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 15 Apr 2022 15:43:39 +0200 Subject: [PATCH 34/99] Fix module name --- tasks/cluster_kubeadm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index be4af53..8c6969c 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -21,7 +21,7 @@ # - kubernetes_cri_changed is changed - name: Configure NetworkManager for Calico - file: + copy: src: "etc/NetworkManager/conf.d/calico.conf" dest: "/etc/NetworkManager/conf.d/calico.conf" group: root From ecc2c41afe4936b4f21cbc733c3487da11828c8b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 4 May 2022 00:06:49 +0200 Subject: [PATCH 35/99] Update k3s deployment --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 32 ++++++++++++++------- templates/etc/rancher/k3s/config.yaml.j2 | 21 ++++++++++++++ templates/etc/systemd/system/k3s.service.j2 | 8 ++---- 4 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 templates/etc/rancher/k3s/config.yaml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index ae62123..a6702a2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.23.5 +kubernetes_version: 1.23.6 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 58aa51f..a1ad874 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -5,21 +5,30 @@ # when: # - kubernetes_cni == "wireguard" +- name: Import Rancher key + ansible.builtin.rpm_key: + state: present + key: https://rpm.rancher.io/public.key + when: + - ansible_os_family == "RedHat" + - name: Install the k3s-selinux rpm from a remote repo for yum distro yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el7.noarch.rpm" state: present - disable_gpg_check: yes when: - ansible_pkg_mgr == "yum" + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == '7' - name: Install the k3s-selinux rpm from a remote repo for dnf distro dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el8.noarch.rpm" state: present - disable_gpg_check: yes when: - ansible_pkg_mgr == "dnf" + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == '8' - name: Check if /usr/local/bin/k3s already existe stat: @@ -29,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root 
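Review bot: Dropping `disable_gpg_check: yes` and importing the Rancher key with `ansible.builtin.rpm_key` is the right direction, but the key is fetched from `https://rpm.rancher.io/public.key` with nothing pinning its identity, so a compromised or misrouted download would install whatever key is served and every later signature check would trust it. `rpm_key` accepts a `fingerprint:` option; add `fingerprint: "<RANCHER-RPM-KEY-FINGERPRINT placeholder>"` taken from Rancher's published key material. The same supply-chain gap applies to the `get_url` tasks in the three following hunks of this file, which download the k3s binary for each architecture with no `checksum:`; `checksum: "sha256:<VALUE-OR-URL placeholder>"` against the release's published sha256 file would make each version bump verifiable rather than trusting whatever the release URL returns. Those three hardcoded release URLs also duplicate `kubernetes_version` from `defaults/main.yml`, which is bumped separately in this same patch; deriving the URL from that variable plus a k3s release-suffix variable would keep the two from diverging.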
@@ -51,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root @@ -140,14 +149,15 @@ block: - name: Deploy systemd service template: - src: "etc/systemd/system/{{ item }}.j2" - dest: "/etc/systemd/system/{{ item }}" + src: "{{ item }}.j2" + dest: "{{ item }}" owner: root group: root mode: 0600 with_items: - - "k3s.service" - - "k3s.service.env" + - "etc/systemd/system/k3s.service" + - "etc/systemd/system/k3s.service.env" + - "etc/rancher/k3s/config.yaml" when: - ansible_service_mgr == "systemd" diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 new file mode 100644 index 0000000..ae8b6f3 --- /dev/null +++ b/templates/etc/rancher/k3s/config.yaml.j2 @@ -0,0 +1,21 @@ +flannel-backend: wireguard +{% if kubernetes_master|bool %} +{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} +cluster-init: true +{% else %} +server: https://{{ kubernetes_master }}:6443 +token: ${NODE_TOKEN} +{% endif %} +{% else %} +server: https://{{ kubernetes_master }}:6443 +token: ${NODE_TOKEN} +{% endif %} +#node-label: +# - "foo=bar" +# - "something=amazing" +{% if ansible_os_family == "RedHat" %} +selinux: true +{% endif %} +secrets-encryption: true +disable: + - traefik diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2 index 03f00a5..206c539 100644 --- a/templates/etc/systemd/system/k3s.service.j2 +++ b/templates/etc/systemd/system/k3s.service.j2 
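Review bot: `dest: "{{ item }}"` now receives the relative paths `etc/systemd/system/k3s.service`, `etc/systemd/system/k3s.service.env` and `etc/rancher/k3s/config.yaml`, so the templates are rendered relative to the remote user's working directory instead of under `/etc` as the replaced `dest: "/etc/systemd/system/{{ item }}"` did; `dest: "/{{ item }}"` restores the absolute path while keeping the shared item list. Keeping `mode: 0600` for all three files is appropriate now that `config.yaml` carries the join-token setting, though the octal would be safer quoted as `mode: "0600"` so YAML tooling cannot re-type it. The task stays gated on `ansible_service_mgr == "systemd"`, which now also withholds `/etc/rancher/k3s/config.yaml` on non-systemd hosts although k3s itself presumably reads it regardless of init system; if such hosts are unsupported, a comment on the `when` saying so would avoid surprise. The enclosing "Configure first controler" block starts before the hunk.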
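Review bot: `token: ${NODE_TOKEN}` on both the joining-server and agent branches of the new config file is most likely a literal string rather than a substitution: the `${...}` form worked in the old `ExecStart` line because systemd expanded it from `EnvironmentFile`, but k3s parses `config.yaml` as YAML and, as far as I know, performs no environment expansion, so the node would present the text `${NODE_TOKEN}` as its join token and fail to register. Either render the real value into the file (it is deployed with mode 0600, which is what a file holding the token needs) or keep the token out of the config and export it as `K3S_TOKEN` in `k3s.service.env`, which the unit still loads. Separately, `kubernetes_master` is used both as a boolean (`{% if kubernetes_master|bool %}`) and as the API host (`https://{{ kubernetes_master }}:6443`); the `bool` filter on a plain hostname yields false on the ansible-core releases I know of and is deprecated toward an error on newer ones, so an agent pointed at a named master can never reach the server branch, and a master set to `true` would render `https://True:6443`. A separate host variable would untangle this, as the old `# Manque kubernetes_server_token, kubernetes_master url` comment in `cluster_k3s.yml` already hints.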
@@ -7,13 +7,9 @@ After=network-online.target Type=notify EnvironmentFile=/etc/systemd/system/k3s.service.env {% if kubernetes_master|bool %} -{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init --selinux +ExecStart=/usr/local/bin/k3s server {% else %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux -{% endif %} -{% else %} -ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux +ExecStart=/usr/local/bin/k3s agent {% endif %} KillMode=process Delegate=yes From a46b0346da00d4c4549d085ba2d929e9929fc1ff Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 28 Jun 2022 00:15:58 +0200 Subject: [PATCH 36/99] Update kubernetes version to 1.24.2 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a6702a2..c25fe17 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.23.6 +kubernetes_version: 1.24.2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index a1ad874..28defc1 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root 
@@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From ae44b2baffc9378174d519008d5f860cce7fa432 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 16 Jul 2022 12:52:01 +0200 Subject: [PATCH 37/99] Update k3s to version v1.24.2-k3s2 --- tasks/cluster_k3s.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 28defc1..db77b0d 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root 
@@ -163,13 +163,13 @@ - name: Reload systemd ansible.builtin.systemd: - daemon_reload: yes + daemon_reload: true - name: Enable k3s on boot service: name: k3s state: started - enabled: yes + enabled: true - name: Wait for k3s.yaml wait_for: @@ -210,4 +210,4 @@ service: name: k3s state: started - enabled: yes + enabled: true From 62d4a6013e4943f5cac3627ed87ebc1e145cccfa Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 19 Jul 2022 09:05:42 +0200 Subject: [PATCH 38/99] Update kubernetes to version 1.24.3 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c25fe17..ff94c81 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.24.2 +kubernetes_version: 1.24.3 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index db77b0d..5c318ef 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root 
@@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.2%2Bk3s2/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From 2185662cd401e228c7bb209cea7aaacc487a2fc7 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 16 Aug 2022 11:34:44 +0200 Subject: [PATCH 39/99] Update k3s(selinux package to version 1.2-2 --- tasks/cluster_k3s.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 5c318ef..0f37b01 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -14,7 +14,7 @@ - name: Install the k3s-selinux rpm from a remote repo for yum distro yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el7.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el7.noarch.rpm" state: present when: - ansible_pkg_mgr == "yum" @@ -23,7 +23,7 @@ - name: Install the k3s-selinux rpm from a remote repo for dnf distro dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm" state: present when: - ansible_pkg_mgr == "dnf" From 8234690fdc62f0489696e30b9be7dd7ab1efd350 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 27 Aug 2022 00:57:27 +0200 Subject: [PATCH 40/99] Update k3s to version 1.24.4-k3s1 --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 0f37b01..c960bf9 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.3%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From fc33afe9160684a16d097db487d103bc98989eb1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 13 Sep 2022 08:25:08 +0200 Subject: [PATCH 41/99] Update kubernetes to version 1.25.0 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ff94c81..819e7d2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.24.3 +kubernetes_version: 1.25.0 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index c960bf9..c403c95 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.24.4%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From c22964d87c384e7f697847077a82b4d7dcaed400 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 28 Sep 2022 22:47:16 +0200 Subject: [PATCH 42/99] Update kubernetes to version 1.25.2 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 819e7d2..22939ef 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.25.0 +kubernetes_version: 1.25.2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index c403c95..14ca735 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.0%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From 48e99ac551c4d2334cf6d8335b4c7d8daa0279a4 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 17 Oct 2022 23:45:15 +0200 Subject: [PATCH 43/99] Update kubernetes to version 1.25.3 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 22939ef..d964dfe 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.25.2 +kubernetes_version: 1.25.3 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 14ca735..32aa7f6 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -38,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -49,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -60,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From d4dac488f980c31460aa1e26ce22f5329b04f28d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 27 Oct 2022 23:38:04 +0200 Subject: [PATCH 44/99] Update role --- tasks/Debian.yml | 30 ++++---- tasks/RedHat.yml | 158 +++++++++++++++++++------------------- tasks/cluster_k3s.yml | 76 +++++++++--------- tasks/cluster_kubeadm.yml | 142 ++++++++++++++++++---------------- tasks/install_server.yml | 59 +++++++------- tasks/load_balancer.yml | 12 +-- tasks/main.yml | 100 ++++++++++++------------ 7 files changed, 298 insertions(+), 279 deletions(-) diff --git a/tasks/Debian.yml b/tasks/Debian.yml index 9952f0a..c4b91da 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml 
@@ -1,21 +1,21 @@ --- -- name: add docker apt key - apt_key: +- name: Add docker apt key + ansible.builtin.apt_key: url: https://download.docker.com/linux/ubuntu/gpg state: present when: - docker_ver == "docker_ce" -- name: add docker repository - apt_repository: +- name: Add docker repository + ansible.builtin.apt_repository: repo: 'deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable' state: present - update_cache: yes + update_cache: true when: - docker_ver == "docker_ce" - name: "Ensure GRUB_CMDLINE_LINUX is updated" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' line: '\1 cgroup_enable=memory swapaccount=1"' @@ -24,12 +24,12 @@ - not docker_installed.stat.exists - name: "Update grub.conf" - command: update-grub + ansible.builtin.command: update-grub when: - not docker_installed.stat.exists - name: "Ensure DEFAULT_FORWARD_POLICY in /etc/default/ufw is updated" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/ufw regexp: '^(DEFAULT_FORWARD_POLICY=").*"$' line: '\1ACCEPT"' @@ -38,11 +38,11 @@ tags: [docker,firewall] # Need Certificat ? Only in local -#- name: "Add docker port 2376/TCP " -# ufw: rule=allow port=2376 proto=tcp -# notify: reload ufw -# tags: [docker,firewall] +# - name: "Add docker port 2376/TCP " +# ufw: rule=allow port=2376 proto=tcp +# notify: reload ufw +# tags: [docker,firewall] -#- name: "Start UFW rules" -# service: name=ufw state=started -# tags: [docker,firewall] +# - name: "Start UFW rules" +# service: name=ufw state=started +# tags: [docker,firewall] diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 4c469ed..2494722 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
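Review bot: `ansible.builtin.apt_key` with `url: https://download.docker.com/linux/ubuntu/gpg` imports whatever key the URL serves, with no `id:` fingerprint to check it against, and `apt-key` itself is deprecated on current Debian and Ubuntu, so the FQCN rename is a good moment to tighten this. At minimum add `id: "<DOCKER-APT-KEY-FINGERPRINT placeholder>"` so the module refuses a key that does not match; the fuller fix is an `ansible.builtin.get_url` of the key into `/etc/apt/keyrings/` and a `signed-by=` attribute in the `deb [...]` line of the following `apt_repository` task. That repository line also hardcodes `arch=amd64` and the Ubuntu path for every Debian-family host; if Debian proper is a target it needs `{{ ansible_distribution | lower }}` in the URL, otherwise a comment stating that the role assumes Ubuntu would make the limitation explicit.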
@@ -1,28 +1,28 @@ --- -#- name: Add kubernetes repository -# yumrepo: -# name: kubernetes -# description: "Kubernetes Repository" -# baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-$releasever-x86_64 -# gpgcheck: yes -# enabled: yes -# gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg -# state: present +# - name: Add kubernetes repository +# yumrepo: +# name: kubernetes +# description: "Kubernetes Repository" +# baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-$releasever-x86_64 +# gpgcheck: yes +# enabled: true +# gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg +# state: present -#- name: Add Official kubernetes's repo -# template: -# src: "etc/yum.repos.d/kubernetes.repo.j2" -# dest: "/etc/yum.repos.d/kubernetes.repo" -# group: root -# owner: root -# mode: 0644 -# when: -# - not ansible_machine == "armv7l" -# - not ansible_machine == "armv6l" -# - kubernetes_cri != "k3s" +# - name: Add Official kubernetes's repo +# ansible.builtin.template: +# src: "etc/yum.repos.d/kubernetes.repo.j2" +# dest: "/etc/yum.repos.d/kubernetes.repo" +# group: root +# owner: root +# mode: 0644 +# when: +# - not ansible_machine == "armv7l" +# - not ansible_machine == "armv6l" +# - kubernetes_cri != "k3s" - name: Add Official kubernetes's repo on servers - yum_repository: + ansible.builtin.yum_repository: name: kubernetes description: Kubernetes baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch @@ -39,7 +39,7 @@ - kubernetes_cri != "k3s" - name: Add Official kubernetes's repo for Desktop - yum_repository: + ansible.builtin.yum_repository: name: kubernetes description: Kubernetes baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch 
@@ -53,62 +53,62 @@ - not ansible_machine == "armv6l" - not kubernetes_server|bool -#- name: redhat | Installing K8s Packages -# package: -# name: -# - kubectl -# - kubelet -# - kubeadm -# - iproute-tc -# - ipvsadm -# state: present -# disable_excludes: kubernetes -# become: true -# register: result -# until: result is successful +# - name: Redhat | Installing K8s Packages +# ansible.builtin.package: +# name: +# - kubectl +# - kubelet +# - kubeadm +# - iproute-tc +# - ipvsadm +# state: present +# disable_excludes: kubernetes +# become: true +# register: result +# until: result is successful -#- name: Register kubernetes firewalld service -# template: -# src: "etc/firewalld/services/kubernetes.xml.j2" -# dest: "/etc/firewalld/services/kubernetes.xml" -# group: root -# owner: root -# mode: 0644 -# register: need_firewalld_reload -# when: -# - kubernetes_server|bool -# -#- name: Reload firewalld configuration -# service: -# name: firewalld -# state: reloaded -# enabled: yes -# when: -# - kubernetes_server|bool -# - need_firewalld_reload is changed -# -## Définir interface -#- name: Open Firewalld -# firewalld: -# zone: external -# service: kubernetes -# permanent: true -# state: enabled -# immediate: true -# when: -## - need_firewall|bool -## - firewall_name == "firewalld" -# - kubernetes_server|bool +# - name: Register kubernetes firewalld service +# ansible.builtin.template: +# src: "etc/firewalld/services/kubernetes.xml.j2" +# dest: "/etc/firewalld/services/kubernetes.xml" +# group: root +# owner: root +# mode: 0644 +# register: need_firewalld_reload +# when: +# - kubernetes_server|bool +# +# - name: Reload firewalld configuration +# ansible.builtin.service: +# name: firewalld +# state: reloaded +# enabled: true +# when: +# - kubernetes_server|bool +# - need_firewalld_reload is changed +# +## Définir interface +# - name: Open Firewalld +# ansible.posix.firewalld: +# zone: external +# service: kubernetes +# permanent: true +# state: enabled +# immediate: true +# 
when: +## - need_firewall|bool +## - firewall_name == "firewalld" +# - kubernetes_server|bool -#- name: Create kubernetes firewalld zone -# firewalld: -# zone: kubernetes -# permanent: true -# state: present -# when: -# - kubernetes_server|bool +# - name: Create kubernetes firewalld zone +# ansible.posix.firewalld: +# zone: kubernetes +# permanent: true +# state: present +# when: +# - kubernetes_server|bool - name: Add kubernetes networks to trusted firewalld zone - firewalld: + ansible.posix.firewalld: # zone: kubernetes zone: trusted permanent: true @@ -122,11 +122,11 @@ - "10.96.0.0/12" - name: Install kubernetes tools - dnf: + ansible.builtin.dnf: name: "{{ kubernetes_package_name }}" enablerepo: "kubernetes" state: present - update_cache: yes + update_cache: true disable_excludes: kubernetes # notify: Restart kubelet when: @@ -134,11 +134,11 @@ - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") - name: Install kubernetes tools - yum: + ansible.builtin.yum: name: "{{ kubernetes_package_name }}" enablerepo: "kubernetes" state: present - update_cache: yes + update_cache: true # notify: Restart kubelet when: - ansible_pkg_mgr == "yum" diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 32aa7f6..ce10294 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -1,6 +1,6 @@ --- - name: Install Wireguard - include_role: + ansible.builtin.include_role: name: wireguard # when: # - kubernetes_cni == "wireguard" @@ -13,7 +13,7 @@ - ansible_os_family == "RedHat" - name: Install the k3s-selinux rpm from a remote repo for yum distro - yum: + ansible.builtin.yum: name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el7.noarch.rpm" state: present when: 
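Review bot: The live task at the end of the `@@ -53,62 +53,62 @@` hunk, "Add kubernetes networks to trusted firewalld zone", keeps placing the cluster CIDRs (the following hunk's context shows `10.96.0.0/12` among the sources) in firewalld's `trusted` zone, which admits every port on the host from any pod or service address; the commit only swaps `firewalld:` for `ansible.posix.firewalld:` and leaves that as is. The commented-out tasks just above it — a dedicated `kubernetes` zone plus the `kubernetes` service rendered from `etc/firewalld/services/kubernetes.xml.j2` — would confine the same traffic to the control-plane and kubelet ports, so it is worth either finishing that path or stating why `trusted` is intended. At minimum a comment such as `# NOTE: pod/service CIDRs get full host access via the trusted zone; tighten once the kubernetes zone is in use` would record the trade-off next to the task.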
@@ -22,7 +22,7 @@ - ansible_distribution_major_version == '7' - name: Install the k3s-selinux rpm from a remote repo for dnf distro - dnf: + ansible.builtin.dnf: name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm" state: present when: @@ -31,13 +31,14 @@ - ansible_distribution_major_version == '8' - name: Check if /usr/local/bin/k3s already existe - stat: + ansible.builtin.stat: path: /usr/local/bin/k3s register: k3s_bin + check_mode: false changed_when: False -- name: retreive k3s binary for x86_64 - get_url: +- name: Retreive k3s binary for x86_64 + ansible.builtin.get_url: url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root @@ -47,8 +48,8 @@ - not k3s_bin.stat.exists - ansible_machine == "x86_64" -- name: retreive k3s binary for arm64 - get_url: +- name: Retreive k3s binary for arm64 + ansible.builtin.get_url: url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root @@ -58,8 +59,8 @@ - not k3s_bin.stat.exists - ansible_machine == "arm64" -- name: retreive k3s binary for armv6/armv7 - get_url: +- name: Retreive k3s binary for armv6/armv7 + ansible.builtin.get_url: url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root @@ -70,7 +71,7 @@ - (ansible_machine == "armv7l") or (ansible_machine == "armv6l") - name: Create tools link - file: + ansible.builtin.file: src: "k3s" dest: "/usr/local/bin/{{ item }}" owner: root @@ -82,7 +83,7 @@ - "ctr" - name: Create thin volumes for k3s - lvol: + community.general.lvol: vg: "{{ item.vg }}" lv: "{{ item.name }}" thinpool: kubernetes 
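Review bot: The `Retreive k3s binary for x86_64` task in the `@@ -31,13 +31,14 @@` hunk fetches a release binary straight into `/usr/local/bin/k3s` with no `checksum:` argument, so a tampered or truncated download is installed and later run as root; the commit adds `check_mode: false` to the stat guard but does not address this. `ansible.builtin.get_url` accepts `checksum: "sha256:<digest>"`, and a per-architecture digest can be pinned next to the version in defaults, e.g. `checksum: "sha256:{{ kubernetes_k3s_checksum_x86_64 }}"` (k3s releases also publish per-architecture `sha256sum-*.txt` files that get_url can take as a checksum URL). The arm64 and armhf tasks in the two following hunks need the same treatment. Separately, the next hunk's context shows the task is guarded by `not k3s_bin.stat.exists`, so bumping the version in the URL never replaces an already-installed binary — worth a `# NOTE:` on the task so the update path is not assumed.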
@@ -90,15 +91,15 @@ with_items: - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} -- name: create file system on containerd lv - filesystem: +- name: Create file system on containerd lv + community.general.filesystem: fstype: ext4 dev: "/dev/{{ item.vg }}/{{ item.name }}" with_items: - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} -- name: mount logical volumes - mount: +- name: Mount logical volumes + ansible.posix.mount: name: "{{ item.mount_point }}" src: "/dev/{{ item.vg }}/{{ item.name }}" fstype: ext4 @@ -108,7 +109,7 @@ - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} - name: Audit policies directory - file: + ansible.builtin.file: path: "/etc/kubernetes/policies" state: directory owner: root @@ -118,7 +119,7 @@ - kubernetes_master|bool - name: Configure audit policy - copy: + ansible.builtin.copy: src: "etc/kubernetes/policies/audit-policy.yaml" dest: "/etc/kubernetes/policies/audit-policy.yaml" group: root @@ -129,16 +130,18 @@ # Check controlers - name: Check if /etc/rancher/k3s/k3s.yaml already existe - stat: + ansible.builtin.stat: path: /etc/rancher/k3s/k3s.yaml register: st + check_mode: false changed_when: False when: - kubernetes_master|bool - name: Create KubernetesMasterConfigured group - group_by: + ansible.builtin.group_by: key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + check_mode: false when: - kubernetes_master|bool - st.stat.exists @@ -148,7 +151,7 @@ # run_once: true block: - name: Deploy systemd service - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ item }}" owner: root @@ -166,7 +169,7 @@ daemon_reload: true - name: Enable k3s on boot - service: + ansible.builtin.service: name: k3s state: started enabled: true 
@@ -180,8 +183,9 @@ path: /var/lib/rancher/k3s/server/token - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group - group_by: + ansible.builtin.group_by: key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + check_mode: false when: - kubernetes_master|bool @@ -191,23 +195,23 @@ # Manque kubernetes_server_token, kubernetes_master url -#- name: Deploy systemd service -# template: -# src: "etc/systemd/system/{{ item }}.j2" -# dest: "/etc/systemd/system/{{ item }}" -# owner: root -# group: root -# mode: 0600 -# with_items: -# - "k3s.service" -# - "k3s.service.env" -# when: -# - ansible_service_mgr == "systemd" +# - name: Deploy systemd service +# ansible.builtin.template: +# src: "etc/systemd/system/{{ item }}.j2" +# dest: "/etc/systemd/system/{{ item }}" +# owner: root +# group: root +# mode: 0600 +# with_items: +# - "k3s.service" +# - "k3s.service.env" +# when: +# - ansible_service_mgr == "systemd" - name: Enable k3s on boot - service: + ansible.builtin.service: name: k3s state: started enabled: true diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 8c6969c..22ccc9a 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml 
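Review bot: The `# Manque kubernetes_server_token, kubernetes_master url` comment and the commented-out `Deploy systemd service` task in the `@@ -191,23 +195,23 @@` hunk are dead code that the commit re-indents instead of deleting; the live copy of that task sits inside the first-controller block earlier in this file, so the stale block only invites confusion about which one is authoritative. The trailing `Enable k3s on boot` task also carries exactly the same name as the one inside the block; a distinct name such as `Enable k3s on boot (additional servers)` makes the play output unambiguous. If the French note still describes missing work (a server token and control-plane URL for joining nodes), it would be clearer as an English `# TODO:` attached to the task it refers to.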
@@ -1,27 +1,27 @@ --- - name: Install Containerd - include_role: + ansible.builtin.include_role: name: containerd when: - kubernetes_cri == "containerd" - #register: kubernetes_cri_changed + # register: kubernetes_cri_changed - name: Install CRI-O - include_role: + ansible.builtin.include_role: name: cri-o when: - kubernetes_cri == "cri-o" - #register: kubernetes_cri_changed + # register: kubernetes_cri_changed -#- name: Restart kubelet after kubernetes cri installation -# service: -# name: kubelet -# status: restarted -# when: -# - kubernetes_cri_changed is changed +# - name: Restart kubelet after kubernetes cri installation +# ansible.builtin.service: +# name: kubelet +# status: restarted +# when: +# - kubernetes_cri_changed is changed - name: Configure NetworkManager for Calico - copy: + ansible.builtin.copy: src: "etc/NetworkManager/conf.d/calico.conf" dest: "/etc/NetworkManager/conf.d/calico.conf" group: root @@ -33,14 +33,14 @@ register: kubernetes_network_networkmanager_changed - name: Restart kubelet after kubernetes cri installation - service: + ansible.builtin.service: name: NetworkManager status: reload when: - kubernetes_network_networkmanager_changed is changed - name: Configuring IPVS kernel module to be load on boot - template: + ansible.builtin.template: src: "etc/modules-load.d/ipvs.conf.j2" dest: "/etc/modules-load.d/ipvs.conf" group: root @@ -50,7 +50,7 @@ - kubernetes_kubeproxy_mode == "ipvs" - name: Load IPVS kernel module for EL7 - modprobe: + community.general.modprobe: name: "{{ item }}" state: present with_items: @@ -66,7 +66,7 @@ - ansible_distribution_major_version == '7' - name: Load IPVS kernel module for EL8 - modprobe: + community.general.modprobe: name: "{{ item }}" state: present with_items: @@ -81,7 +81,7 @@ - ansible_distribution_major_version == '8' - name: Create thin volumes for kubernetes - lvol: + community.general.lvol: vg: "{{ item.vg }}" lv: "{{ item.name }}" thinpool: kubernetes 
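Review bot: The NetworkManager task in the `@@ -33,14 +33,14 @@` hunk passes `status: reload` to `ansible.builtin.service`, which as far as the module's documented arguments go has no `status` parameter (the argument is `state:` and its reload value is `reloaded`), so this task should fail with an unsupported-parameter error whenever the Calico conf changes; the commit only prefixes the module name. The task is also named "Restart kubelet after kubernetes cri installation" although it reloads NetworkManager. Change `status: reload` to `state: reloaded` and the name to `Reload NetworkManager after Calico configuration change`; the commented-out kubelet task in the first hunk of this file has the same `status:` mistake if it is ever revived.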
@@ -93,8 +93,8 @@ when: - kubernetes_master|bool -- name: create file system on containerd lv - filesystem: +- name: Create file system on containerd lv + community.general.filesystem: fstype: ext4 dev: "/dev/{{ item.vg }}/{{ item.name }}" with_items: @@ -104,8 +104,8 @@ when: - kubernetes_master|bool -- name: mount logical volumes - mount: +- name: Mount logical volumes + ansible.posix.mount: name: "{{ item.mount_point }}" src: "/dev/{{ item.vg }}/{{ item.name }}" fstype: ext4 @@ -120,14 +120,14 @@ - kubernetes_master|bool - name: Ensuring /var/lib/etcd/lost+found Folder does not exists - file: + ansible.builtin.file: path: "/var/lib/etcd/lost+found" state: "absent" when: - partition_formated is changed - name: Secure etcd directory - file: + ansible.builtin.file: path: "/var/lib/etcd" state: directory owner: root @@ -137,7 +137,7 @@ - kubernetes_master|bool - name: Ensuring /etc/systemd/system/kubelet.service.d Folder Exists - file: + ansible.builtin.file: path: "/etc/systemd/system/kubelet.service.d" state: "directory" group: root @@ -147,7 +147,7 @@ - ansible_service_mgr == "systemd" - name: Configure kubelet service - template: + ansible.builtin.template: src: "etc/{{ item }}.j2" dest: "/etc/{{ item }}" group: root @@ -160,7 +160,7 @@ - ansible_service_mgr == "systemd" - name: Configure kubelet service for CRI-O - template: + ansible.builtin.template: src: "etc/{{ item }}.j2" dest: "/etc/{{ item }}" group: root @@ -173,7 +173,7 @@ - kubernetes_cri == "cri-o" - name: Configure kubelet service - template: + ansible.builtin.template: src: "etc/{{ item }}.j2" dest: "/etc/{{ item }}" group: root @@ -185,13 +185,13 @@ - not ansible_service_mgr == "systemd" - name: Enable kubelet on boot - service: + ansible.builtin.service: name: kubelet state: started - enabled: yes + enabled: true - name: Audit policies directory - file: + ansible.builtin.file: path: "/etc/kubernetes/policies" state: directory owner: root 
@@ -205,7 +205,7 @@ # Ou récupération de ces règles pour une utilisation avec falco - name: Configure audit policy - copy: + ansible.builtin.copy: src: "etc/kubernetes/policies/audit-policy.yaml" dest: "/etc/kubernetes/policies/audit-policy.yaml" group: root 
@@ -216,93 +216,102 @@ # First controler - name: Check if /etc/kubernetes/admin.conf already existe - stat: + ansible.builtin.stat: path: /etc/kubernetes/admin.conf register: st + check_mode: false changed_when: False - name: Create KubernetesMasterConfigured group - group_by: + ansible.builtin.group_by: key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + check_mode: false when: - st.stat.exists - name: Retreive kubeadm Major version - shell: set -o pipefail && kubeadm version | sed 's/.*{Major:"\([0-9]\)".*/\1/' + ansible.builtin.shell: set -o pipefail && kubeadm version | sed 's/.*{Major:"\([0-9]\)".*/\1/' register: kubeadm_version_major + check_mode: false changed_when: False - name: Retreive kubeadm Minor version - shell: set -o pipefail && kubeadm version | sed -e 's/.* Minor:"\([0-9]*\)".*/\1/' + ansible.builtin.shell: set -o pipefail && kubeadm version | sed -e 's/.* Minor:"\([0-9]*\)".*/\1/' register: kubeadm_version_minor + check_mode: false changed_when: False - name: Defined a default lb_kubemaster - set_fact: + ansible.builtin.set_fact: lb_kubemaster: "{{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }}" when: - lb_kubemaster is undefined # - groups['KubernetesMasters'] | length > 1 changed_when: False + check_mode: false - name: Deploy First controler block: - - name: Deploy initial kubeadm config - template: - src: kubeadm-config.yaml.j2 - dest: /root/kubeadm-config.yaml - owner: root - group: root - mode: 0600 + - name: Deploy initial kubeadm config + ansible.builtin.template: + src: kubeadm-config.yaml.j2 + dest: /root/kubeadm-config.yaml + owner: root + group: root + mode: 0600 - - name: Init Kubernetes on {{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }} - command: kubeadm init --config=/root/kubeadm-config.yaml + - name: Init Kubernetes on {{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }} + ansible.builtin.command: kubeadm init --config=/root/kubeadm-config.yaml - - name: Add {{ ansible_hostname 
}} to KubernetesMasterConfigured group - group_by: - key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group + ansible.builtin.group_by: + key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} + check_mode: false - when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname + when: + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined + - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname # End of first controler - name: Test if server node already included - command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes {{ ansible_hostname | lower }} + ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes {{ ansible_hostname | lower }} delegate_to: "{{ lb_kubemaster }}" register: server_enrolled changed_when: False ignore_errors: yes + check_mode: false -#- name: Deploy kubeadm config -# template: -# src: kubeadm-config.yaml.j2 -# dest: /root/kubeadm-config.yaml -# owner: root -# group: root -# mode: 600 -# when: -# - not groups['KubernetesMasters'][0] == ansible_hostname -# - server_enrolled.rc == 1 +# - name: Deploy kubeadm config +# ansible.builtin.template: +# src: kubeadm-config.yaml.j2 +# dest: /root/kubeadm-config.yaml +# owner: root +# group: root +# mode: 600 +# when: +# - not groups['KubernetesMasters'][0] == ansible_hostname +# - server_enrolled.rc == 1 - name: Retreive certificats key on {{ lb_kubemaster }} - shell: set -o pipefail && kubeadm init phase upload-certs --upload-certs | grep -v upload-certs + ansible.builtin.shell: set -o pipefail && kubeadm init phase upload-certs --upload-certs | grep -v upload-certs register: kubernetes_certificateKey + check_mode: false delegate_to: "{{ lb_kubemaster }}" when: - server_enrolled.rc == 1 - kubernetes_master|bool - name: 
Retreive token on "{{ lb_kubemaster }}" - command: kubeadm token create + ansible.builtin.command: kubeadm token create register: kubetoken delegate_to: "{{ lb_kubemaster }}" + check_mode: false when: - server_enrolled.rc == 1 - name: Retreive hash certificat - shell: > + ansible.builtin.shell: > set -o pipefail && openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | @@ -310,11 +319,12 @@ sed 's/^.* //' register: cacerthash delegate_to: "{{ lb_kubemaster }}" + check_mode: false when: - server_enrolled.rc == 1 - name: Deploy kubeadm config - template: + ansible.builtin.template: src: kubeadm-config.yaml.j2 dest: /root/kubeadm-config.yaml owner: root @@ -324,6 +334,6 @@ - server_enrolled.rc == 1 - name: Join '{{ ansible_hostname }}' to Kubernetes cluster - command: kubeadm join --config=/root/kubeadm-config.yaml + ansible.builtin.command: kubeadm join --config=/root/kubeadm-config.yaml when: - server_enrolled.rc == 1 diff --git a/tasks/install_server.yml b/tasks/install_server.yml index c50cc8c..1d53902 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml 
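Review bot: The two delegated tasks near the end of the `@@ -216,93 +216,102 @@` hunk register the cluster's join secrets — `kubernetes_certificateKey` from `kubeadm init phase upload-certs --upload-certs` and `kubetoken` from `kubeadm token create` — without `no_log: true`, so both values are printed in the play output and end up in any Ansible log or CI capture; the commit adds `check_mode: false` to them but not this. Add `no_log: true` to each of those tasks, and to the `Deploy kubeadm config` template task that renders them if runs use `--diff`, since the template body would otherwise be shown. Two smaller points: `ignore_errors: yes` on `Test if server node already included` is the one boolean this commit leaves un-normalised, and `server_enrolled.rc == 1` presumably treats an unreachable API server on `lb_kubemaster` the same as "node not found", so a transient outage would trigger a fresh `kubeadm join` on an already-enrolled node — matching the not-found text in `server_enrolled.stderr` would be safer.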
@@ -1,51 +1,53 @@ --- - name: Include vars for not taint Kubernetes masters - include_vars: masters.yml + ansible.builtin.include_vars: masters.yml when: - kubernetes_master|bool - not kubernetes_master_taint|bool - name: Add master to KubernetesMasters_ClusterName group - group_by: + ansible.builtin.group_by: key: KubernetesMasters_{{ kubernetes_cluster_name }} + check_mode: false when: - "'KubernetesMasters' in group_names" - name: Add node to KubernetesNodes_ClusterName group - group_by: + ansible.builtin.group_by: key: KubernetesNodes_{{ kubernetes_cluster_name }} + check_mode: false when: - "'KubernetesNodes' in group_names" - name: Disable SWAP since kubernetes can't work with swap enabled (1/2) - command: swapoff -a + ansible.builtin.command: swapoff -a changed_when: false - name: Remove swapfile from /etc/fstab (2/2) - mount: + ansible.posix.mount: name: swap fstype: swap state: absent - name: Create a thin pool for kubernetes - lvol: + community.general.lvol: vg: vg_sys thinpool: kubernetes size: "{{ lv_kubernetes_size | default('20g') }}" ## Install API loadbalancer -#- include_tasks: "load_balancer.yml" -# when: -# - kubernetes_master|bool -# - groups['KubernetesMasters'] | length > 1 +# - ansible.builtin.include_tasks: "load_balancer.yml" +# when: +# - kubernetes_master|bool +# - groups['KubernetesMasters'] | length > 1 - name: Kubernetes cluster with kubeadm - include_tasks: "cluster_kubeadm.yml" + ansible.builtin.include_tasks: "cluster_kubeadm.yml" when: - kubernetes_cri != "k3s" - name: Kubernetes cluster with k3s - include_tasks: "cluster_k3s.yml" + ansible.builtin.include_tasks: "cluster_k3s.yml" when: - kubernetes_cri == "k3s" @@ -54,7 +56,7 @@ # - name: Make /root/.kube directory - file: + ansible.builtin.file: path: "/root/.kube" owner: root group: root 
@@ -64,10 +66,10 @@ - kubernetes_master|bool - name: Copy kubeconfig file from /etc/kubernetes/admin.conf - copy: + ansible.builtin.copy: src: "/etc/kubernetes/admin.conf" dest: /root/.kube/config - remote_src: yes + remote_src: true owner: root group: root mode: 0600 @@ -76,10 +78,10 @@ - kubernetes_cri != "k3s" - name: Copy kubeconfig file from /etc/rancher/k3s/k3s.yaml - copy: + ansible.builtin.copy: src: "/etc/rancher/k3s/k3s.yaml" dest: /root/.kube/config - remote_src: yes + remote_src: true owner: root group: root mode: 0600 
@@ -91,24 +93,23 @@ # Manque autoconfig de .kube/config local # -#- name: Fetching CA certificat -# copy: -# src: /etc/kubernetes/pki/ca.crt -# dest: /root/.kube/{{ kubernetes_cluster_name }}/ca.crt -# when: -# - kubernetes_master|bigip_pool +# - name: Fetching CA certificat +# ansible.builtin.copy: +# src: /etc/kubernetes/pki/ca.crt +# dest: /root/.kube/{{ kubernetes_cluster_name }}/ca.crt +# when: +# - kubernetes_master|bigip_pool - name: Check if a node is still tainted - command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}' + ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}' register: current_taint - check_mode: no + check_mode: false when: - kubernetes_master_taint|bool -- name: taint the machine if needed -# command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master- - command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes '{{ ansible_hostname | lower }}' node-role.kubernetes.io/master- +- name: Taint the machine if needed +# ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master- + ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes '{{ ansible_hostname | lower }}' node-role.kubernetes.io/master- when: - kubernetes_master_taint|bool - current_taint.stdout - diff --git a/tasks/load_balancer.yml b/tasks/load_balancer.yml index 8b6765c..d557058 100644 --- a/tasks/load_balancer.yml +++ b/tasks/load_balancer.yml 
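Review bot: The `Taint the machine if needed` task at the end of this hunk still removes `node-role.kubernetes.io/master-`, but from Kubernetes 1.25 kubeadm applies only the `node-role.kubernetes.io/control-plane` taint, and this role's defaults pin 1.25.x (later 1.27.x) in the commits that follow, so on such clusters the `kubectl taint ... master-` command presumably fails with a not-found error while the control-plane taint stays in place. The guard `current_taint.stdout` fires on any entry in `.spec.taints`, not on the specific taint being removed, which makes that failure the normal path rather than the exception. Suggested change: `node-role.kubernetes.io/control-plane-` in the taint command, with the check narrowed to that key, e.g. `-o jsonpath='{.spec.taints[?(@.key=="node-role.kubernetes.io/control-plane")]}'`. Both tasks also hard-code `--kubeconfig=/etc/kubernetes/admin.conf`, whereas the preceding hunk copies `/etc/rancher/k3s/k3s.yaml` for the k3s variant, so they look like they cannot run on k3s control-plane hosts.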
@@ -1,21 +1,21 @@ --- - name: Install needed packages - package: + ansible.builtin.package: name: - keepalived - curl state: present - update_cache: yes + update_cache: true notify: Restart keepalived - name: Install check_apiserver.sh script for keepalived - template: + ansible.builtin.template: src: etc/keepalived/check_apiserver.sh.j2 dest: /etc/keepalived/check_apiserver.sh owner: root group: root mode: 0755 - name: Install keepalived config file - template: + ansible.builtin.template: src: etc/keepalived/keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf owner: root @@ -27,7 +27,7 @@ - groups['KubernetesMasters'][0] == ansible_hostname notify: Restart keepalived - name: Install keepalived config file - template: + ansible.builtin.template: src: etc/keepalived/keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf owner: root @@ -40,4 +40,4 @@ notify: Restart keepalived - name: Flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers diff --git a/tasks/main.yml b/tasks/main.yml index c13136d..9283b29 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -3,59 +3,63 @@ tags: - kubernetes block: - - name: Include vars for {{ ansible_os_family }} - include_vars: "{{ ansible_os_family }}.yml" + - name: Include vars for {{ ansible_os_family }} + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" - - name: Define vars for master - set_fact: - kubernetes_server: true - kubernetes_master: true - kubernetes_master_taint: false - when: - - "'KubernetesMasters' in group_names" - - "'KubernetesNodes' not in group_names" + - name: Define vars for master + ansible.builtin.set_fact: + kubernetes_server: true + kubernetes_master: true + kubernetes_master_taint: false + check_mode: false + when: + - "'KubernetesMasters' in group_names" + - "'KubernetesNodes' not in group_names" - - name: Define vars for node - set_fact: - kubernetes_server: true - kubernetes_master: false - kubernetes_master_taint: false - when: - - "'KubernetesNodes' in group_names" - - "'KubernetesMasters' not in group_names" + - name: Define vars for node + ansible.builtin.set_fact: + kubernetes_server: true + kubernetes_master: false + kubernetes_master_taint: false + check_mode: false + when: + - "'KubernetesNodes' in group_names" + - "'KubernetesMasters' not in group_names" - - name: Define vars for taint master - set_fact: - kubernetes_server: true - kubernetes_master: true - kubernetes_master_taint: true - when: - - "'KubernetesNodes' in group_names" - - "'KubernetesMasters' in group_names" + - name: Define vars for taint master + ansible.builtin.set_fact: + kubernetes_server: true + kubernetes_master: true + kubernetes_master_taint: true + check_mode: false + when: + - "'KubernetesNodes' in group_names" + - "'KubernetesMasters' in group_names" - - name: Define vars for tooling - set_fact: - kubernetes_sever: false - when: - - "'KubernetesMasters' not in group_names" - - "'KubernetesNodes' not in group_names" + - name: Define vars for tooling + ansible.builtin.set_fact: + kubernetes_sever: false + check_mode: false + when: + - 
"'KubernetesMasters' not in group_names" + - "'KubernetesNodes' not in group_names" - - name: Install kubernetes rules for {{ ansible_os_family }} OS family - include_tasks: "{{ ansible_os_family }}.yml" + - name: Install kubernetes rules for {{ ansible_os_family }} OS family + ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" - #- name: Install kubernetes tools - # package: - # name: "{{ kubernetes_package_name }}" - # state: present - # update_cache: yes - ## notify: Restart kubelet - # when: - # - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") + # - name: Install kubernetes tools + # ansible.builtin.package: + # name: "{{ kubernetes_package_name }}" + # state: present + # update_cache: true + ## notify: Restart kubelet + # when: + # - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s") - - name: Include kubernetes server rules - include_tasks: "install_server.yml" - when: - - kubernetes_server|bool + - name: Include kubernetes server rules + ansible.builtin.include_tasks: "install_server.yml" + when: + - kubernetes_server|bool - #- name: Install python library for docker - # package: name="{{ python_openshift_lib }}" state=latest update_cache=yes + # - name: Install python library for docker + # package: name="{{ python_openshift_lib }}" state=latest update_cache=yes From ae5337271b88df65a8c26945c34230a9d97af358 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 18 Nov 2022 19:00:52 +0100 Subject: [PATCH 45/99] Update kubernetes to version 1.25.4 --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d964dfe..f0f0b59 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
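Review bot: The `Define vars for tooling` task in the `@@ -3,59 +3,63 @@` hunk sets `kubernetes_sever: false` (missing `r`), so on hosts that are in neither group this play never sets `kubernetes_server` to false and whatever value it has from defaults or inventory drives the `Include kubernetes server rules` task below; the commit re-indents the task and adds `check_mode: false` without fixing the name. Change the line to `kubernetes_server: false`. If `kubernetes_server` has no default at all, the later `when: kubernetes_server|bool` would instead fail on an undefined variable, which is worth confirming against defaults/main.yml (that key is not visible in this series).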
@@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.25.3 +kubernetes_version: 1.25.4 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index ce10294..4063e86 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -39,7 +39,7 @@ - name: Retreive k3s binary for x86_64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -50,7 +50,7 @@ - name: Retreive k3s binary for arm64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -61,7 +61,7 @@ - name: Retreive k3s binary for armv6/armv7 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.3%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From ef754b75eb0b4509a979904f2944da84e9421e5f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 9 Dec 2022 17:07:39 +0100 Subject: [PATCH 46/99] Update kubernetes to version 1.25.5 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f0f0b59..6982086 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.25.4 +kubernetes_version: 1.25.5 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 5fe7a7eec68c24eae62aa067783cfbefb7754d8e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 14 Dec 2022 09:12:52 +0100 Subject: [PATCH 47/99] Update meta --- meta/main.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 5968623..ad6ee72 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,11 +6,13 @@ galaxy_info: galaxy_tags: [] license: GPL2 platforms: - - name: CentOS - version: - - 7 - - 8 - - name: RedHat - version: - - 7 - - 8 + - name: CentOS + version: + - 7 + - 8 + - 9 + - name: RedHat + version: + - 7 + - 8 + - 9 From faa40488613d842e5860eafdc679efc82bcaaa75 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 25 Dec 2022 20:40:12 +0100 Subject: [PATCH 48/99] Update kubernetes to version 1.26.0 --- defaults/main.yml | 3 ++- tasks/cluster_k3s.yml | 8 ++++---- tasks/cluster_kubeadm.yml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6982086..f3ded6b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.25.5 +kubernetes_version: 1.26.0 +kubernetes_k3s_version: 1.26.0 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 4063e86..fdd20f8 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
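Review bot: `lb_auth_pass: 1be344d62acc46c6858ae8475668a245`, kept as context on the new side of the `@@ -6,6 +6,7 @@` hunk, is a fixed VRRP authentication secret shipped in the role's defaults, so every deployment that does not override it shares a value that lives in version control (and keepalived only honours the first eight characters of `auth_pass`, so its apparent length is misleading). The new `kubernetes_k3s_version: 1.26.0` is also a second copy of `kubernetes_version` that must be bumped in lock-step, and the following commits in this series already show the two drifting into different formats. Suggest dropping the password default so an override is mandatory, e.g. `lb_auth_pass: "{{ undef(hint='set lb_auth_pass per cluster, ideally from vault') }}"`, or at least marking it `# CHANGE ME: shared default VRRP password, override per cluster`, and deriving the k3s version from `kubernetes_version` so only the `+k3sN` suffix is maintained separately.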
@@ -28,7 +28,7 @@ when: - ansible_pkg_mgr == "dnf" - ansible_os_family == "RedHat" - - ansible_distribution_major_version == '8' + - ansible_distribution_major_version >= '8' - name: Check if /usr/local/bin/k3s already existe ansible.builtin.stat: @@ -39,7 +39,7 @@ - name: Retreive k3s binary for x86_64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -50,7 +50,7 @@ - name: Retreive k3s binary for arm64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -61,7 +61,7 @@ - name: Retreive k3s binary for armv6/armv7 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.25.4%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 22ccc9a..b9ba75c 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -78,7 +78,7 @@ when: - kubernetes_kubeproxy_mode == "ipvs" - ansible_os_family == "RedHat" - - ansible_distribution_major_version == '8' + - ansible_distribution_major_version >= '8' - name: Create thin volumes for kubernetes community.general.lvol: From bc6998794d1aacd7931877c7a2cc0a743eb5ad62 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 5 Mar 2023 10:43:13 +0100 Subject: [PATCH 49/99] Update k3s version --- tasks/cluster_k3s.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index fdd20f8..cef912e 100644 --- a/tasks/cluster_k3s.yml 
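Review bot: `ansible_distribution_major_version >= '8'` compares two strings, so a major version of `'10'` sorts below `'8'` and the task is skipped on any future two-digit release; the same condition is added to tasks/cluster_kubeadm.yml in this commit. Cast before comparing: `- ansible_distribution_major_version | int >= 8`. The task these conditions belong to starts outside the hunk.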
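Review bot: The k3s binary is written to /usr/local/bin/k3s without any integrity check, so the role installs whatever the download returns; the arm64 and armv6/armv7 hunks below and the later commits that rewrite these URLs (PATCH 49 and PATCH 50) have the same gap. `ansible.builtin.get_url` accepts a `checksum` argument, so add something like `checksum: "sha256:{{ kubernetes_k3s_sha256 }}"` (a new variable kept next to `kubernetes_k3s_version` in defaults) or point it at the per-architecture sha256sum file k3s publishes with each release. Templating the version is an improvement, but note the URL still hard-codes the `%2Bk3s1` build suffix while `kubernetes_k3s_version` is a bare Kubernetes version, so the two drift independently.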
+++ b/tasks/cluster_k3s.yml @@ -39,7 +39,7 @@ - name: Retreive k3s binary for x86_64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -50,7 +50,7 @@ - name: Retreive k3s binary for arm64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -61,7 +61,7 @@ - name: Retreive k3s binary for armv6/armv7 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root From bfa0928b5036fc92b904a2fac13ef170136a294b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 30 May 2023 11:25:26 +0200 Subject: [PATCH 50/99] Update kubernetes to version 1.27.2 --- defaults/main.yml | 4 ++-- tasks/cluster_k3s.yml | 6 +++--- templates/etc/rancher/k3s/config.yaml.j2 | 5 ++++- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f3ded6b..db529a6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.26.0 -kubernetes_k3s_version: 1.26.0 +kubernetes_version: 1.27.2 +kubernetes_k3s_version: 1.27.2+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index cef912e..9d9de49 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -39,7 +39,7 @@ - name: Retreive k3s binary for x86_64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -50,7 +50,7 @@ - name: Retreive k3s binary for arm64 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root @@ -61,7 +61,7 @@ - name: Retreive k3s binary for armv6/armv7 ansible.builtin.get_url: - url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version }}%2Bk3s2/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 index ae8b6f3..a27e263 100644 --- a/templates/etc/rancher/k3s/config.yaml.j2 +++ b/templates/etc/rancher/k3s/config.yaml.j2 @@ -1,4 +1,4 @@ -flannel-backend: wireguard +flannel-backend: wireguard-native {% if kubernetes_master|bool %} {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} cluster-init: true @@ -19,3 +19,6 @@ selinux: true secrets-encryption: true disable: - traefik +{% if false %} +# node-external-ip: 1.2.3.4 +{% endif %} From 032f8df146ffe8d9ddb74bd319799059a20b1d21 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Wed, 31 May 2023 12:10:04 +0200 Subject: [PATCH 51/99] Update k3s-selinux package version --- tasks/cluster_k3s.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 9d9de49..fc61a82 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -14,7 +14,7 @@ - name: Install the k3s-selinux rpm from a remote repo for yum distro ansible.builtin.yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el7.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.3.stable.1/k3s-selinux-1.3-1.el7.noarch.rpm" state: present when: - ansible_pkg_mgr == "yum" @@ -23,7 +23,7 @@ - name: Install the k3s-selinux rpm from a remote repo for dnf distro ansible.builtin.dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.3.stable.1/k3s-selinux-1.3-1.el{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: - ansible_pkg_mgr == "dnf" From b2e635467fa4627980953e82e791d10f88c5af78 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 3 Jun 2023 11:32:45 +0200 Subject: [PATCH 52/99] Update k3s-selinux package to version 1.4.stable.1 --- tasks/cluster_k3s.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index fc61a82..c27a755 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -14,7 +14,7 @@ - name: Install the k3s-selinux rpm from a remote repo for yum distro ansible.builtin.yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.3.stable.1/k3s-selinux-1.3-1.el7.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el7.noarch.rpm" state: present when: - ansible_pkg_mgr == "yum" 
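Review bot: The k3s-selinux rpm is installed straight from a release URL and nothing in the hunk shows the package signing key being imported, so whether dnf actually verifies the signature depends on state set elsewhere (and if `disable_gpg_check` were ever set, the download would be trusted blindly); the yum hunk above and the bumps in PATCH 52 and PATCH 60 repeat the pattern. Make the check explicit with an `ansible.builtin.rpm_key` task for the key the rpm is signed with, run before these installs, and keep the version string in one variable rather than in four URLs. The `el{{ ansible_distribution_major_version }}` substitution is better than the fixed el8, assuming the release publishes an rpm for every major version the role targets.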
@@ -23,7 +23,7 @@ - name: Install the k3s-selinux rpm from a remote repo for dnf distro ansible.builtin.dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.3.stable.1/k3s-selinux-1.3-1.el{{ ansible_distribution_major_version }}.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: - ansible_pkg_mgr == "dnf" From 6b2514190c426e610023552607b109089db624c7 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 10 Sep 2023 16:58:52 +0200 Subject: [PATCH 53/99] Update kubernetes to version 1.28.1 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index db529a6..80df57c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.27.2 -kubernetes_k3s_version: 1.27.2+k3s1 +kubernetes_version: 1.28.1 +kubernetes_k3s_version: 1.28.1+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 15367bb0882325e7512879fdfd36dbe115c5cf59 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 27 Sep 2023 13:42:33 +0200 Subject: [PATCH 54/99] Update kubernetes to version 1.28.2 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 80df57c..1e98754 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.28.1 -kubernetes_k3s_version: 1.28.1+k3s1 +kubernetes_version: 1.28.2 +kubernetes_k3s_version: 1.28.2+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From e18d436a37683234198d0994b296f4f1a7b59152 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 15 Nov 2023 18:50:38 +0100 Subject: [PATCH 55/99] Update version --- defaults/main.yml | 4 ++-- tasks/RedHat.yml | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1e98754..62543c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.28.2 -kubernetes_k3s_version: 1.28.2+k3s1 +kubernetes_version: 1.28.3 +kubernetes_k3s_version: 1.28.3+k3s2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 2494722..5709b61 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -25,12 +25,12 @@ ansible.builtin.yum_repository: name: kubernetes description: Kubernetes - baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch + baseurl: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}/rpm/" enabled: true gpgcheck: true repo_gpgcheck: true - gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg - exclude: kubelet kubeadm kubectl + gpgkey: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}/rpm/repodata/repomd.xml.key" + exclude: kubelet kubeadm become: true when: - not ansible_machine == "armv7l" @@ -42,11 +42,12 @@ ansible.builtin.yum_repository: name: kubernetes description: Kubernetes - baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch + baseurl: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}/rpm/" enabled: true gpgcheck: true repo_gpgcheck: true - gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg + gpgkey: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}/rpm/repodata/repomd.xml.key" + exclude: kubelet kubeadm kubectl become: true when: - not ansible_machine == "armv7l" From a62ebfb33639aca547dc98f7866d9995b15c9313 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 18 Nov 2023 09:51:32 +0100 Subject: [PATCH 56/99] Update kubernetes to version 1.28.4 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 62543c8..c8dd4e0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
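Review bot: The two repository definitions now diverge in what they pin: the first drops `kubectl` from `exclude` while the second adds `exclude: kubelet kubeadm kubectl`, so kubectl becomes upgradable by a plain package update on the first set of hosts only; if that is not deliberate, align the two lines. The expression `kubernetes_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2')` is also repeated four times; compute it once into a fact (e.g. `kubernetes_minor_version`) and reference that, which also makes the single-digit-major assumption in `[0-9]` visible in one place. The switch to pkgs.k8s.io keeps `gpgcheck` and `repo_gpgcheck` on, which is the right thing to preserve.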
@@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.28.3 +kubernetes_version: 1.28.4 kubernetes_k3s_version: 1.28.3+k3s2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 6d91f75029a6ae397b95a669da571a0f040945af Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 6 Dec 2023 18:50:03 +0100 Subject: [PATCH 57/99] Update k3s to version 1.28.4+k3s1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c8dd4e0..1b2a941 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,6 +7,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs kubernetes_version: 1.28.4 -kubernetes_k3s_version: 1.28.3+k3s2 +kubernetes_k3s_version: 1.28.4+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 84ece19c0a542a0cb9912364f238b8f637887017 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 7 Dec 2023 08:42:09 +0100 Subject: [PATCH 58/99] Update k3s to version 1.28.4+k3s2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1b2a941..ee0b147 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,6 +7,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs kubernetes_version: 1.28.4 -kubernetes_k3s_version: 1.28.4+k3s1 +kubernetes_k3s_version: 1.28.4+k3s2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 2cfe25c7b8e9cace6efb55f7b5de11103c6e68a4 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Fri, 22 Dec 2023 07:36:01 +0100 Subject: [PATCH 59/99] Update kubernetes to version 1.29.0 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ee0b147..9b6c820 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.28.4 -kubernetes_k3s_version: 1.28.4+k3s2 +kubernetes_version: 1.29.0 +kubernetes_k3s_version: 1.29.0+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From a27773f0ada6309174a3744539c2ff2caa102d9c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 10 Feb 2024 12:55:18 +0100 Subject: [PATCH 60/99] Update kubernetes to version 1.29.1 --- defaults/main.yml | 4 ++-- tasks/cluster_k3s.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9b6c820..fac0935 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.29.0 -kubernetes_k3s_version: 1.29.0+k3s1 +kubernetes_version: 1.29.1 +kubernetes_k3s_version: 1.29.1+k3s2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index c27a755..1a38ca7 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -14,7 +14,7 @@ - name: Install the k3s-selinux rpm from a remote repo for yum distro ansible.builtin.yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el7.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el7.noarch.rpm" state: present when: - ansible_pkg_mgr == "yum" @@ -23,7 +23,7 @@ - name: Install the k3s-selinux rpm from a remote repo for dnf distro ansible.builtin.dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el{{ ansible_distribution_major_version }}.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: - ansible_pkg_mgr == "dnf" From db74c39b5a4cced6ddbbe3398fa8f9f1ab0fde95 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 27 Mar 2024 16:59:13 +0100 Subject: [PATCH 61/99] Update kubernetes to version 1.29.3 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fac0935..c4dfe4a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.29.1 -kubernetes_k3s_version: 1.29.1+k3s2 +kubernetes_version: 1.29.3 +kubernetes_k3s_version: 1.29.3+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 8e2462f3889aa9e79d7479310ae770c1c1393800 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 16 Apr 2024 08:18:51 +0200 Subject: [PATCH 62/99] Update kubeadm template --- templates/kubeadm-config.yaml.j2 | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 0dcf866..8dc8a7e 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -1,4 +1,4 @@ -apiVersion: kubeadm.k8s.io/v1beta2 +apiVersion: kubeadm.k8s.io/v1beta3 kind: InitConfiguration {% if kubetoken is defined %} bootstrapTokens: @@ -14,8 +14,9 @@ nodeRegistration: {% elif kubernetes_cri == "docker" %} criSocket: "/var/run/docker.sock" {% endif %} + name: {{ ansible_hostname }} {% if false %} - name: "ec2-10-100-0-1" + imagePullPolicy: IfNotPresent taints: - key: "kubeadmNode" value: "master" @@ -33,7 +34,7 @@ nodeRegistration: container-runtime-endpoint: "unix:///var/run/crio/crio.sock" {% endif %} node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} -# read-only-port: "10255" + read-only-port: "10255" ignorePreflightErrors: - SystemVerification {% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %} @@ -50,7 +51,7 @@ certificateKey: "{{ kubernetes_certificateKey.stdout }}" {% endif %} {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} --- -apiVersion: kubeadm.k8s.io/v1beta2 +apiVersion: kubeadm.k8s.io/v1beta3 kind: ClusterConfiguration kubernetesVersion: stable {% if lbip_kubeapiserver is defined %} @@ -99,12 +100,13 @@ scheduler: bind-address: 0.0.0.0 etcd: local: + dataDir: /var/lib/etcd extraArgs: listen-metrics-urls: http://0.0.0.0:2381 {% endif %} {% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %} --- -apiVersion: kubeadm.k8s.io/v1beta2 +apiVersion: kubeadm.k8s.io/v1beta3 kind: JoinConfiguration {% if kubernetes_master|bool %} controlPlane: From 34889ccaac50efd7031360fcd7b26c64d80ba952 Mon Sep 17 00:00:00 2001 
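Review bot: `name: {{ ansible_hostname }}` is rendered unquoted, so a hostname that looks like a number or boolean would be retyped by kubeadm's YAML parser; write `name: "{{ ansible_hostname }}"`. The added `imagePullPolicy: IfNotPresent` sits under `{% if false %}` together with the taints, so it never reaches the rendered file — if it was meant to take effect, move it above that guard. The nodeRegistration mapping continues outside the hunk.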
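Review bot: Uncommenting `read-only-port: "10255"` turns the kubelet's read-only port back on, which serves node and pod details with no authentication and is what the CIS Kubernetes benchmark asks to be set to 0; the later PATCH 65 keeps the line. Either remove it again or set `read-only-port: "0"`, and if something was meant to consume 10255 (a metrics scraper, say) point it at the authenticated kubelet port instead. The kubeletExtraArgs mapping starts outside the hunk.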
From: Adrien Reslinger Date: Tue, 16 Apr 2024 08:19:08 +0200 Subject: [PATCH 63/99] Add useful link into readme file --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 2b6dc5f..abaa25b 100644 --- a/README.md +++ b/README.md @@ -9,3 +9,5 @@ Deploy kubernetes https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2?tab=doc https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/ + +https://github.com/XenitAB/spegel From bd2a60fa449fbb5f3c6f16a6c35a4425f3abb0bf Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 4 May 2024 13:31:02 +0200 Subject: [PATCH 64/99] Update kubernetes to version 1.29.4 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c4dfe4a..904511c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.29.3 -kubernetes_k3s_version: 1.29.3+k3s1 +kubernetes_version: 1.29.4 +kubernetes_k3s_version: 1.29.4+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From b60a176cff025261ff0e9930821f79f46e583f5b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 4 May 2024 13:31:31 +0200 Subject: [PATCH 65/99] Make some update on kubeadm config template --- templates/kubeadm-config.yaml.j2 | 6 ------ 1 file changed, 6 deletions(-) diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 8dc8a7e..f9f84dd 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
@@ -26,13 +26,7 @@ nodeRegistration: {% if ansible_service_mgr == "systemd" %} cgroup-driver: "systemd" {% endif %} - container-runtime: "remote" runtime-request-timeout: "5m" -{% if kubernetes_cri == "containerd" %} - container-runtime-endpoint: "unix:///run/containerd/containerd.sock" -{% elif kubernetes_cri == "cri-o" %} - container-runtime-endpoint: "unix:///var/run/crio/crio.sock" -{% endif %} node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} read-only-port: "10255" ignorePreflightErrors: From 987cb320cdf951078d557c8ffe2faaef417cff33 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 11 May 2024 11:26:05 +0200 Subject: [PATCH 66/99] Update kubernetes to version 1.30.0 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 904511c..bd8f102 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.29.4 -kubernetes_k3s_version: 1.29.4+k3s1 +kubernetes_version: 1.30.0 +kubernetes_k3s_version: 1.30.0+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 26738bf3133c8d119de9cd9234af54c9578368c0 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 21 May 2024 12:44:40 +0200 Subject: [PATCH 67/99] Add swap support --- defaults/main.yml | 1 + templates/kubeadm-config.yaml.j2 | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index bd8f102..64ab05c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,3 +10,4 @@ kubernetes_version: 1.30.0 kubernetes_k3s_version: 1.30.0+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 +kubernetes_swap_enabled: false 
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index f9f84dd..adf6639 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -183,7 +183,14 @@ cgroupDriver: systemd # nodefs.available: 10% # nodefs.inodesFree: 5% #evictionPressureTransitionPeriod: 5m0s -#failSwapOn: true +{% if kubernetes_swap_enabled is defined and kubernetes_swap_enabled|bool %} +# Activation du swap +failSwapOn: false +featureGates: + NodeSwap: true +memorySwap: + swapBehavior: UnlimitedSwap +{% endif %} #fileCheckFrequency: 20s #hairpinMode: promiscuous-bridge #healthzBindAddress: 127.0.0.1 From 39bc7e86d49fb73e1ec57adbe5cdb1a20da66419 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 29 May 2024 00:27:26 +0200 Subject: [PATCH 68/99] Update kubernetes to version 1.30.1 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 64ab05c..33f04fa 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.30.0 -kubernetes_k3s_version: 1.30.0+k3s1 +kubernetes_version: 1.30.1 +kubernetes_k3s_version: 1.30.1+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From e2fdb2d3ef821f6ecccec2bfcecf0c00ee482c6d Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 15 Jun 2024 11:54:52 +0200 Subject: [PATCH 69/99] Update kubernetes to version 1.30.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 33f04fa..29eb6cd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
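Review bot: `swapBehavior: UnlimitedSwap` looks invalid for the 1.30.0 kubelet this role now installs — when NodeSwap reached beta in 1.28 the accepted values became `NoSwap` and `LimitedSwap` — so a node with `kubernetes_swap_enabled: true` would likely fail kubelet config validation; confirm against the KubeletConfiguration reference for the deployed minor and use `swapBehavior: LimitedSwap`. The `featureGates:` mapping added here would also collide with any other `featureGates` key in the same KubeletConfiguration document (duplicate keys silently take the last value); the rest of the document is outside the hunk, so check. The rendered comment `# Activation du swap` should be in English, e.g. `# Swap enabled via kubernetes_swap_enabled`.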
@@ -6,7 +6,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.30.1 +kubernetes_version: 1.30.2 kubernetes_k3s_version: 1.30.1+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 From 7d8a38e528a80c3c09d8451ebaec2038b2bf1e97 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 29 Jun 2024 10:26:31 +0200 Subject: [PATCH 70/99] Update k3s to version 1.30.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 29eb6cd..d7518be 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs kubernetes_version: 1.30.2 -kubernetes_k3s_version: 1.30.1+k3s1 +kubernetes_k3s_version: 1.30.2+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From 4e9dc784e33e77a7052caa5a7f0127511e87dd3f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 5 Jul 2024 00:10:06 +0200 Subject: [PATCH 71/99] Update k3s to version 1.30.2 k3s2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d7518be..e49ea5f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs kubernetes_version: 1.30.2 -kubernetes_k3s_version: 1.30.2+k3s1 +kubernetes_k3s_version: 1.30.2+k3s2 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From 88de685393c45c22351579af2c6b69720b259ead Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Thu, 1 Aug 2024 00:11:43 +0200 Subject: [PATCH 72/99] Update kubernetes to version 1.30.3 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e49ea5f..5c5ba5c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.30.2 -kubernetes_k3s_version: 1.30.2+k3s2 +kubernetes_version: 1.30.3 +kubernetes_k3s_version: 1.30.3+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From 3c077f7bafa4cf8f439d6357b198780cf20d5e64 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 23 Aug 2024 17:30:30 +0200 Subject: [PATCH 73/99] Update kubernetes to verson 1.30.4 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5c5ba5c..f4322eb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.30.3 -kubernetes_k3s_version: 1.30.3+k3s1 +kubernetes_version: 1.30.4 +kubernetes_k3s_version: 1.30.4+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From b45abf84be5da89853b0a38716a936c66a3c645b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 31 Aug 2024 11:17:00 +0200 Subject: [PATCH 74/99] Add more security to k3s installation --- tasks/cluster_k3s.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 1a38ca7..763e946 100644 
--- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -108,6 +108,20 @@ with_items: - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} +- name: Ensure protect-kernel-defaults is set + ansible.posix.sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + sysctl_file: /etc/sysctl.d/90-kubelet.conf + reload: true + with_items: + - { name: "vm.panic_on_oom", value: "0" } + - { name: "vm.overcommit_memory", value: "1" } + - { name: "kernel.panic", value: "10" } + - { name: "kernel.panic_on_oops", value: "1" } + when: + - kubernetes_server|bool + - name: Audit policies directory ansible.builtin.file: path: "/etc/kubernetes/policies" From 3fd4c7dee01d59ce55db2a6f2ab6219e9726cf68 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 1 Sep 2024 13:44:57 +0200 Subject: [PATCH 75/99] Fix indentation --- tasks/cluster_kubeadm.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index b9ba75c..830bd2d 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -268,9 +268,9 @@ key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }} check_mode: false - when: - - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname + when: + - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined + - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname # End of first controler From 5717cca04d73f2aee4f4404c00216fe9b3e1e3d1 Mon Sep 17 00:00:00 2001 
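Review bot: The sysctl task is gated on `kubernetes_server|bool`, a variable that appears nowhere else in the visible patches (the rest of the role branches on `kubernetes_master`), so unless it is defined elsewhere the task is skipped on every host. The gate also looks too narrow in scope: PATCH 76 sets `protect-kernel-defaults: true` in config.yaml.j2 for every node, and a kubelet started with that option refuses to run when these four sysctls differ from the expected values, so agents need them too. Consider dropping the `when:` (or using whatever variable marks a k3s node) so every k3s host gets /etc/sysctl.d/90-kubelet.conf.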
From: Adrien Reslinger Date: Sun, 1 Sep 2024 14:36:15 +0200 Subject: [PATCH 76/99] Securing k3s deployment --- files/etc/kubernetes/psa.yaml | 18 ++++++++ tasks/cluster_k3s.yml | 44 ++++++++++++++++++- templates/etc/rancher/k3s/config.yaml.j2 | 24 ++++++++-- templates/kubeadm-config.yaml.j2 | 2 +- .../manifests/np-00-intra-namespace.yaml.j2 | 12 +++++ .../np-01-default-network-dns-policy.yaml.j2 | 17 +++++++ .../np-03-metrics-server-traefik.yaml.j2 | 42 ++++++++++++++++++ 7 files changed, 153 insertions(+), 6 deletions(-) create mode 100644 files/etc/kubernetes/psa.yaml create mode 100644 templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2 create mode 100644 templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 create mode 100644 templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2 diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml new file mode 100644 index 0000000..9072c55 --- /dev/null +++ b/files/etc/kubernetes/psa.yaml @@ -0,0 +1,18 @@ +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +plugins: +- name: PodSecurity + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1beta1 + kind: PodSecurityConfiguration + defaults: + enforce: "restricted" + enforce-version: "latest" + audit: "restricted" + audit-version: "latest" + warn: "restricted" + warn-version: "latest" + exemptions: + usernames: [] + runtimeClasses: [] + namespaces: [kube-system, cis-operator-system] diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 763e946..c501724 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
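Review bot: `enforce-version`, `audit-version` and `warn-version` are all `"latest"`, so the restricted profile applied to every non-exempt namespace changes silently on each Kubernetes upgrade rather than when an operator chooses; pin them to the cluster's minor (for the 1.30.x this series installs, `enforce-version: "v1.30"`) and bump them deliberately. `apiVersion: pod-security.admission.config.k8s.io/v1beta1` can be `v1`, which has been available since 1.25. Note also that the namespace exemptions bypass all three modes for everything in kube-system and cis-operator-system, so anything later deployed there gets no warning either; that matches the upstream hardening example, but a comment in the file saying so would help the next reader.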
@@ -122,6 +122,16 @@ when: - kubernetes_server|bool +- name: Configure Pod Security + ansible.builtin.copy: + src: "etc/kubernetes/psa.yaml" + dest: "/etc/kubernetes/psa.yaml" + group: root + owner: root + mode: 0644 + when: + - kubernetes_master|bool + - name: Audit policies directory ansible.builtin.file: path: "/etc/kubernetes/policies" @@ -164,6 +174,38 @@ - name: Configure first controler # run_once: true block: + - name: Create k3s directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: 0700 + with_items: + - "/etc/rancher" + - "/etc/rancher/k3s" + - "/etc/rancher/k3s/config.yaml.d" + - "/var/lib/rancher" + - "/var/lib/rancher/k3s" + - "/var/lib/rancher/k3s/server" + - "/var/lib/rancher/k3s/server/manifests" + when: + - kubernetes_master|bool + + - name: Deploy Network Policies + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2" + - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2" + - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2" + when: + - kubernetes_master|bool + - name: Deploy systemd service ansible.builtin.template: src: "{{ item }}.j2" @@ -205,7 +247,7 @@ - kubernetes_master|bool - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined - +# chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt # Manque kubernetes_server_token, kubernetes_master url diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 index a27e263..fb504b7 100644 --- a/templates/etc/rancher/k3s/config.yaml.j2 +++ b/templates/etc/rancher/k3s/config.yaml.j2 
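Review bot: `mode: 0644` on the psa.yaml copy is an unquoted YAML 1.1 octal; Ansible documents that the bare leading-zero form works in some contexts but can fail in loops, and ansible-lint flags it as risky-octal, so `mode: "0644"` is the safe spelling. The same applies to the `0700` and `0600` modes in the directories and network-policy tasks of this patch and to the later `/etc/kubernetes` (0755), storage (0700) and kubelet drop-in (0644) tasks in this series.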
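Review bot: In the Deploy Network Policies task, `src: "{{ item }}.j2"` with items that already end in `.j2` resolves to `...yaml.j2.j2`, and `dest: "{{ item }}"` is a relative path without the leading slash, so the templates never land in `/var/lib/rancher/k3s/server/manifests`; `dest: "/{{ item }}"` with items ending in `.yaml` is the correct form (patch 81 of this series makes that change). The block these tasks sit in (`Configure first controler`) starts and ends outside the hunk; since that block is already gated on `kubernetes_master|bool`, the per-task `when: kubernetes_master|bool` is redundant.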
@@ -1,5 +1,18 @@ flannel-backend: wireguard-native +protect-kernel-defaults: true {% if kubernetes_master|bool %} +secrets-encryption: true +kube-apiserver-arg: + - "enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit" + - 'admission-control-config-file=/etc/kubernetes/psa.yaml' + - 'audit-log-path=/var/log/apiserver/audit.log' + - 'audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml' + - 'audit-log-maxage=30' + - 'audit-log-maxbackup=10' + - 'audit-log-maxsize=100' +# - "request-timeout=300s" +kube-controller-manager-arg: + - 'terminated-pod-gc-threshold=10' {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} cluster-init: true {% else %} @@ -10,15 +23,18 @@ token: ${NODE_TOKEN} server: https://{{ kubernetes_master }}:6443 token: ${NODE_TOKEN} {% endif %} -#node-label: -# - "foo=bar" -# - "something=amazing" +kubelet-arg: + - 'streaming-connection-idle-timeout=5m' + - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" {% if ansible_os_family == "RedHat" %} selinux: true {% endif %} -secrets-encryption: true +#embedded-registry: true disable: - traefik {% if false %} # node-external-ip: 1.2.3.4 +#node-label: +# - "foo=bar" +# - "something=amazing" {% endif %} diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index adf6639..00ee1b7 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 
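Review bot: `enable-admission-plugins=...,EventRateLimit` points `admission-control-config-file` at psa.yaml, but in this commit that file only carries a PodSecurity plugin configuration; EventRateLimit needs an `eventratelimit.admission.k8s.io` Configuration in the same file, and my understanding is that the apiserver does not start without one (patch 87 of this series adds it). The kubeadm-config.yaml.j2 hunk in this patch enables the same plugin and needs the same check. `audit-log-path=/var/log/apiserver/audit.log` requires that directory to exist on the host and no task on this page creates it, so confirm where it comes from. `tls-cipher-suites` is only restricted for the kubelet here; the apiserver accepts the same flag through `kube-apiserver-arg` and is the more exposed listener.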
@@ -55,7 +55,7 @@ controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv {% endif %} apiServer: extraArgs: - enable-admission-plugins: NodeRestriction + enable-admission-plugins: NodeRestriction,AlwaysPullImages,EventRateLimit authorization-mode: "Node,RBAC" audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml" audit-log-path: "/var/log/apiserver/audit.log" diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2 new file mode 100644 index 0000000..8775180 --- /dev/null +++ b/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2 @@ -0,0 +1,12 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: intra-namespace + namespace: kube-system +spec: + podSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + name: kube-system diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 new file mode 100644 index 0000000..e0c00b8 --- /dev/null +++ b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-network-dns-policy + namespace: +spec: + ingress: + - ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + podSelector: + matchLabels: + k8s-app: kube-dns + policyTypes: + - Ingress diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2 new file mode 100644 index 0000000..e7b8621 --- /dev/null +++ b/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2 
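Review bot: The intra-namespace policy selects peers with `namespaceSelector.matchLabels.name: kube-system`, but nothing on this page labels the namespace with `name=kube-system`; the label the API server sets itself (immutable since 1.22) is `kubernetes.io/metadata.name`, so as written the `from` clause may match nothing and, together with the other policies, cut pod-to-pod traffic inside kube-system. Use `kubernetes.io/metadata.name: kube-system` unless namespaces are labelled elsewhere in the inventory. The np-01 manifest in the same patch leaves `namespace:` empty, which YAML reads as null; patch 86 of this series fills it in.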
@@ -0,0 +1,42 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-metrics-server + namespace: kube-system +spec: + podSelector: + matchLabels: + k8s-app: metrics-server + ingress: + - {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-svclbtraefik-ingress + namespace: kube-system +spec: + podSelector: + matchLabels: + svccontroller.k3s.cattle.io/svcname: traefik + ingress: + - {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-traefik-v121-ingress + namespace: kube-system +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ingress: + - {} + policyTypes: + - Ingress +--- From 82c63c2628c07c17c05935c66b451fbced025d4f Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 4 Sep 2024 09:55:57 +0200 Subject: [PATCH 77/99] Update kubernetes to version 1.31.0 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f4322eb..6ab8d9e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.30.4 -kubernetes_k3s_version: 1.30.4+k3s1 +kubernetes_version: 1.31.0 +kubernetes_k3s_version: 1.31.0+k3s1 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false From 2b560deaada60f3a6a14e44f7d992bab2f7c564e Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 10 Sep 2024 19:41:34 +0200 Subject: [PATCH 78/99] I should install k3s without lvm --- defaults/main.yml | 1 + tasks/cluster_k3s.yml | 50 +++++++++++++++++++++++-------------------- 2 files changed, 28 insertions(+), 23 deletions(-) 
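Review bot: `ingress: - {}` in all three policies is allow-from-anywhere, including sources outside the cluster, which is the intent for the traefik ingress controller but wider than metrics-server needs, since only the API server scrapes it. A comment on each policy naming the intended client would make the scope reviewable, for instance `# metrics-server: scraped by the API server; allow-all kept for simplicity`. The file also ends with a trailing `---`, which yields an empty trailing document that the manifest loader should ignore but is easy to mistake for a missing resource.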
diff --git a/defaults/main.yml b/defaults/main.yml
index 6ab8d9e..d6fb683 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,3 +11,4 @@ kubernetes_k3s_version: 1.31.0+k3s1
 kubernetes_pods_network: "10.244.0.0/16"
 lb_auth_pass: 1be344d62acc46c6858ae8475668a245
 kubernetes_swap_enabled: false
+kubernetes_lvm: true
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index c501724..6f7bac8 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
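Review bot: `kubernetes_lvm: true` is added right next to `lb_auth_pass: 1be344d62acc46c6858ae8475668a245`, a credential-looking default committed in plain text in defaults/main.yml, which is the least protected place a secret can live in a role. Leave that variable undefined (or point it at a vault-managed value) and fail early with `ansible.builtin.assert` when a caller has not overridden it. The new flag itself needs a one-line comment on what is skipped when it is false, e.g. `# false: keep /var/lib/rancher/k3s on the root filesystem instead of a thin LV`.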
@@ -82,31 +82,35 @@ - "crictl" - "ctr" -- name: Create thin volumes for k3s - community.general.lvol: - vg: "{{ item.vg }}" - lv: "{{ item.name }}" - thinpool: kubernetes - size: "{{ item.size }}" - with_items: - - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} +- name: Create logical volume for k3s + when: + - kubernetes_lvm|bool + block: + - name: Create thin volumes for k3s + community.general.lvol: + vg: "{{ item.vg }}" + lv: "{{ item.name }}" + thinpool: kubernetes + size: "{{ item.size }}" + with_items: + - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} -- name: Create file system on containerd lv - community.general.filesystem: - fstype: ext4 - dev: "/dev/{{ item.vg }}/{{ item.name }}" - with_items: - - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} + - name: Create file system on containerd lv + community.general.filesystem: + fstype: ext4 + dev: "/dev/{{ item.vg }}/{{ item.name }}" + with_items: + - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} -- name: Mount logical volumes - ansible.posix.mount: - name: "{{ item.mount_point }}" - src: "/dev/{{ item.vg }}/{{ item.name }}" - fstype: ext4 - opts: "{{ item.mount_opts }}" - state: mounted - with_items: - - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} + - name: Mount logical volumes + ansible.posix.mount: + name: "{{ item.mount_point }}" + src: "/dev/{{ item.vg }}/{{ item.name }}" + fstype: ext4 + opts: "{{ item.mount_opts }}" + state: mounted + with_items: + - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"} - name: Ensure protect-kernel-defaults is set ansible.posix.sysctl: From be494c827c784821ae41a00bc8cb434458793748 Mon Sep 17 00:00:00 2001 
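Review bot: The same `{ name: var_lib_k3s, vg: vg_sys, ... }` literal is repeated in all three tasks of the new block, so a size or mount-option change must be made in three places. Declare it once on the block with `vars:` / `k3s_volumes: [...]` and loop over `"{{ k3s_volumes }}"` in each task. The block also writes `when:` before `block:`, which is valid but the opposite order from the other block in this file; keeping one order helps readers find the gate.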
From: Adrien Reslinger Date: Wed, 11 Sep 2024 15:38:43 +0200 Subject: [PATCH 79/99] fix fqn --- tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 5709b61..027e91f 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -118,7 +118,7 @@ when: - kubernetes_server|bool with_items: - - "{{ (lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.network + '/' + lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.netmask) | ipaddr('net') }}" + - "{{ (lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.network + '/' + lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.netmask) | ansible.utils.ipaddr('net') }}" - "{{ kubernetes_pods_network }}" - "10.96.0.0/12" From 43353b130b88920a8221e0ad4265358045088406 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 14 Sep 2024 10:29:48 +0200 Subject: [PATCH 80/99] Update firewall configuration --- tasks/RedHat.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 027e91f..cae93ba 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -118,10 +118,23 @@ when: - kubernetes_server|bool with_items: - - "{{ (lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.network + '/' + lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.netmask) | ansible.utils.ipaddr('net') }}" - "{{ kubernetes_pods_network }}" - "10.96.0.0/12" +- name: Add kubernetes networks to trusted firewalld zone + ansible.posix.firewalld: +# zone: kubernetes + zone: trusted + permanent: true + state: enabled + source: "{{ item }}" + when: + - kubernetes_server|bool + - kubernetes_interface is defined +# - false + with_items: + - "{{ (lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.network + '/' + lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.netmask) | ansible.utils.ipaddr('net') }}" + - name: Install kubernetes tools ansible.builtin.dnf: name: "{{ kubernetes_package_name }}" 
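Review bot: The new firewalld task puts the whole node subnet into the `trusted` zone, which accepts every port and protocol from that source; the commented-out `# zone: kubernetes` suggests the intent was a dedicated zone carrying only the kubernetes service, which would be the least-privilege option. The task is `permanent: true` without `immediate: true`, so the rule is only live after a firewalld reload and nothing in the hunk triggers one. If the trusted zone is a deliberate trade-off, say so in a comment, e.g. `# whole node subnet trusted: nodes talk to each other on many dynamic ports`.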
From 6772711145528a5eeef5d49b11aba58876e2fceb Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 15 Sep 2024 17:12:31 +0200 Subject: [PATCH 81/99] Fix k3s deployment --- tasks/cluster_k3s.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 6f7bac8..03ec670 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -2,8 +2,9 @@ - name: Install Wireguard ansible.builtin.include_role: name: wireguard -# when: + when: # - kubernetes_cni == "wireguard" + - "'Vpn' not in group_names" - name: Import Rancher key ansible.builtin.rpm_key: @@ -126,6 +127,16 @@ when: - kubernetes_server|bool +- name: /etc/kubernetes directory + ansible.builtin.file: + path: "/etc/kubernetes" + state: directory + owner: root + group: root + mode: 0755 + when: + - kubernetes_master|bool + - name: Configure Pod Security ansible.builtin.copy: src: "etc/kubernetes/psa.yaml" @@ -199,21 +210,21 @@ - name: Deploy Network Policies ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ item }}" + dest: "/{{ item }}" owner: root group: root mode: 0600 with_items: - - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2" - - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2" - - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2" + - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml" + - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml" + - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml" when: - kubernetes_master|bool - name: Deploy systemd service ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ item }}" + dest: "/{{ item }}" owner: root group: root mode: 0600 From e6206ca9297d94b57d1f81815a1c3d6d1891b200 Mon Sep 17 00:00:00 2001 
From: Adrien Reslinger Date: Mon, 16 Sep 2024 16:46:19 +0200 Subject: [PATCH 82/99] Fix pod & svc network --- defaults/main.yml | 5 ++++- tasks/RedHat.yml | 2 +- templates/kubeadm-config.yaml.j2 | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d6fb683..49d542c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,7 +8,10 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' kubernetes_kubeproxy_mode: ipvs kubernetes_version: 1.31.0 kubernetes_k3s_version: 1.31.0+k3s1 -kubernetes_pods_network: "10.244.0.0/16" +#kubernetes_pods_network: "10.244.0.0/16" +#kubernetes_svc_network: "10.96.0.0/12" +kubernetes_pods_network: "10.42.0.0/16" +kubernetes_svc_network: "10.43.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 kubernetes_swap_enabled: false kubernetes_lvm: true diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index cae93ba..bcbf718 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -119,7 +119,7 @@ - kubernetes_server|bool with_items: - "{{ kubernetes_pods_network }}" - - "10.96.0.0/12" + - "{{ kubernetes_svc_network }}" - name: Add kubernetes networks to trusted firewalld zone ansible.posix.firewalld: diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 00ee1b7..7d833b5 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -85,6 +85,7 @@ apiServer: {% if kubernetes_network == "flannel" or kubernetes_network == "calico" %} networking: podSubnet: "{{ kubernetes_pods_network }}" + serviceSubnet: "{{ kubernetes_svc_network }}" {% endif %} controllerManager: extraArgs: From 453ed3df657e20eabf35149f163b59ac54c601b4 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Mon, 16 Sep 2024 16:46:57 +0200 Subject: [PATCH 83/99] Add forgoten file --- templates/etc/rancher/k3s/config.yaml.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
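Review bot: Switching the `kubernetes_pods_network`/`kubernetes_svc_network` defaults to `10.42.0.0/16`/`10.43.0.0/16` also changes the service CIDR handed to kubeadm through the new `serviceSubnet`, and a service CIDR cannot be changed on an already-initialised kubeadm cluster; inventories that relied on the old `10.96.0.0/12` default need to pin it explicitly. A comment next to the defaults, e.g. `# fixed at cluster init; override in inventory for existing kubeadm clusters`, would prevent a surprise on the next run. The previous values are kept as commented lines, which could be folded into that comment.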
diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 index fb504b7..bed1d77 100644 --- a/templates/etc/rancher/k3s/config.yaml.j2 +++ b/templates/etc/rancher/k3s/config.yaml.j2 @@ -1,4 +1,8 @@ +{% if 'Vpn' in group_names %} +flannel-backend: vxlan +{% else %} flannel-backend: wireguard-native +{% endif %} protect-kernel-defaults: true {% if kubernetes_master|bool %} secrets-encryption: true @@ -13,6 +17,10 @@ kube-apiserver-arg: # - "request-timeout=300s" kube-controller-manager-arg: - 'terminated-pod-gc-threshold=10' +cluster-cidr: + - {{ kubernetes_pods_network }} +service-cidr: + - {{ kubernetes_svc_network }} {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} cluster-init: true {% else %} @@ -32,6 +40,11 @@ selinux: true #embedded-registry: true disable: - traefik +{% if kubernetes_interface is defined %} +node-ip: {{ kubernetes_interface.address }} +#node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} +{% endif %} +node-external-ip: {{ ansible_host }} {% if false %} # node-external-ip: 1.2.3.4 #node-label: From 9862658cc2c58f5588aaaed73ff5322b57c77380 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 17 Sep 2024 00:00:07 +0200 Subject: [PATCH 84/99] Update k3s-selinux to version 1.6.stable.1 --- tasks/cluster_k3s.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 03ec670..928ec39 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -15,7 +15,7 @@ - name: Install the k3s-selinux rpm from a remote repo for yum distro ansible.builtin.yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el7.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el7.noarch.rpm" state: present when: - ansible_pkg_mgr == "yum" 
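Review bot: `node-ip: {{ kubernetes_interface.address }}` reads an `.address` attribute on `kubernetes_interface`, which defaults/main.yml (visible earlier on this page) defines as an interface name string, so the template fails to render whenever the variable is defined; the commented line below it using `lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address` is the working form (patch 94 of this series switches to it). The new `cluster-cidr`/`service-cidr` entries and `node-external-ip: {{ ansible_host }}` are unquoted template expansions; quoting them (`- "{{ kubernetes_pods_network }}"`) avoids YAML re-typing and an empty expansion becoming null. `ansible_host` may be a hostname rather than an address in many inventories, so confirm it is what k3s expects for `node-external-ip`.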
@@ -24,7 +24,7 @@ - name: Install the k3s-selinux rpm from a remote repo for dnf distro ansible.builtin.dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.5.stable.1/k3s-selinux-1.5-1.el{{ ansible_distribution_major_version }}.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el{{ ansible_distribution_major_version }}.noarch.rpm" state: present when: - ansible_pkg_mgr == "dnf" From 345cf8020b92c016b7d5f467a2eaa2422ca44110 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 21 Sep 2024 14:26:46 +0200 Subject: [PATCH 85/99] Update kubernetes to versoin 1.31.1 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 49d542c..3dca922 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.31.0 -kubernetes_k3s_version: 1.31.0+k3s1 +kubernetes_version: 1.31.1 +kubernetes_k3s_version: 1.31.1+k3s1 #kubernetes_pods_network: "10.244.0.0/16" #kubernetes_svc_network: "10.96.0.0/12" kubernetes_pods_network: "10.42.0.0/16" From e047229a8b2f9cfc68e4210be656f12d71a058c8 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 28 Sep 2024 18:52:40 +0200 Subject: [PATCH 86/99] Fix NetworkPolicies --- .../server/manifests/np-01-default-network-dns-policy.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 index e0c00b8..9357b4f 100644 --- a/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 
+++ b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: default-network-dns-policy
- namespace:
+ namespace: kube-system
 spec:
 ingress:
 - ports:
From 7e78625cffc7d8d245f202436a2ddcd56d5b346c Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 28 Sep 2024 18:53:03 +0200
Subject: [PATCH 87/99] Add EventRateLimit admission configuration
---
 files/etc/kubernetes/psa.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml
index 9072c55..fe13d52 100644
--- a/files/etc/kubernetes/psa.yaml
+++ b/files/etc/kubernetes/psa.yaml
@@ -16,3 +16,12 @@ plugins:
 usernames: []
 runtimeClasses: []
 namespaces: [kube-system, cis-operator-system]
+- name: EventRateLimit
+ configuration:
+ apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+ kind: Configuration
+ limits:
+ - burst: 20000
+ qps: 5000
+ type: Server
+ path: ""
From 21f4c81832ef678ff2cb2dee66c1720919f0b721 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Wed, 2 Oct 2024 09:11:23 +0200
Subject: [PATCH 88/99] Fix SELinux context for local-path provisioner
---
 tasks/cluster_k3s.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index 928ec39..51e19ae 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
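Review bot: The EventRateLimit `Server` limit of `qps: 5000` / `burst: 20000` is high enough that it will seldom engage on a small k3s cluster, so the plugin adds an admission hop without much protection; the examples in the admission documentation are orders of magnitude lower, and a `Namespace` or `User` scoped limit is what usually contains a single noisy client. Either tune the numbers to the event volume the cluster actually sees or add a comment stating why they are this large, e.g. `# deliberately generous: guard against runaway event storms only, not a per-tenant limit`.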
@@ -204,9 +204,19 @@ - "/var/lib/rancher/k3s" - "/var/lib/rancher/k3s/server" - "/var/lib/rancher/k3s/server/manifests" + - "/var/lib/rancher/k3s/storage" when: - kubernetes_master|bool +# semanage fcontext -a -t container_file_t "/var/lib/rancher/k3s/storage(/.*)?" + - name: Allow K3S local-path provisioner to create directories in /var/lib/rancher/k3s/storage + community.general.sefcontext: + target: '/var/lib/rancher/k3s/storage(/.*)?' + setype: container_file_t + state: present + - name: Apply new SELinux file context to filesystem + ansible.builtin.command: restorecon -R /var/lib/rancher/k3s/storage/ + - name: Deploy Network Policies ansible.builtin.template: src: "{{ item }}.j2" From 1611c091e66703ac628889148474f2942b5452c3 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 2 Oct 2024 15:51:34 +0200 Subject: [PATCH 89/99] Fix directories creation --- tasks/cluster_k3s.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 51e19ae..afe4024 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml @@ -189,7 +189,7 @@ - name: Configure first controler # run_once: true block: - - name: Create k3s directories + - name: Create k3s directories on master nodes ansible.builtin.file: path: "{{ item }}" state: directory @@ -204,10 +204,19 @@ - "/var/lib/rancher/k3s" - "/var/lib/rancher/k3s/server" - "/var/lib/rancher/k3s/server/manifests" - - "/var/lib/rancher/k3s/storage" when: - kubernetes_master|bool + - name: Create k3s directories on all nodes + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: 0700 + with_items: + - "/var/lib/rancher/k3s/storage" + # semanage fcontext -a -t container_file_t "/var/lib/rancher/k3s/storage(/.*)?" - name: Allow K3S local-path provisioner to create directories in /var/lib/rancher/k3s/storage community.general.sefcontext: From b9802106c9a7b997b93a072635858c3c883efaa3 Mon Sep 17 00:00:00 2001 
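Review bot: `ansible.builtin.command: restorecon -R /var/lib/rancher/k3s/storage/` reports changed on every run and has no guard, so the play is never idempotent; add `changed_when: false` (or register the sefcontext result and run restorecon only when it changed) and gate both SELinux tasks on `ansible_selinux.status == "enabled"`, since `community.general.sefcontext` errors on hosts without SELinux. The Create k3s directories on all nodes task from the second patch here keeps the indentation of the `Configure first controler` block, whose `when` lies outside the hunk and limits it to the first master, so despite its name it does not appear to run on agents; move it, and the two SELinux tasks after it, out of that block. The shell comment `# semanage fcontext ...` duplicates the task below it and can go.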
From: Adrien Reslinger Date: Sat, 26 Oct 2024 09:52:07 +0200 Subject: [PATCH 90/99] Update kubernetes to version 1.31.2 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3dca922..18b21d7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.31.1 -kubernetes_k3s_version: 1.31.1+k3s1 +kubernetes_version: 1.31.2 +kubernetes_k3s_version: 1.31.2+k3s1 #kubernetes_pods_network: "10.244.0.0/16" #kubernetes_svc_network: "10.96.0.0/12" kubernetes_pods_network: "10.42.0.0/16" From 1f757d778262f295cf3300829bf42587edfc5a7c Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 26 Oct 2024 10:20:40 +0200 Subject: [PATCH 91/99] Add system-upgrade namespace exception in psa.yaml file --- files/etc/kubernetes/psa.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml index fe13d52..b2c6f65 100644 --- a/files/etc/kubernetes/psa.yaml +++ b/files/etc/kubernetes/psa.yaml @@ -15,7 +15,7 @@ plugins: exemptions: usernames: [] runtimeClasses: [] - namespaces: [kube-system, cis-operator-system] + namespaces: [kube-system, system-upgrade, cis-operator-system] - name: EventRateLimit configuration: apiVersion: eventratelimit.admission.k8s.io/v1alpha1 From b23028a3367578284a27045370bb9a18ebf947f1 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 1 Nov 2024 15:10:03 +0100 Subject: [PATCH 92/99] Finaly no need to exclude system-upgrade namespace in psa.yml file --- files/etc/kubernetes/psa.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml index b2c6f65..fe13d52 100644 --- a/files/etc/kubernetes/psa.yaml 
+++ b/files/etc/kubernetes/psa.yaml
@@ -15,7 +15,7 @@ plugins:
 exemptions:
 usernames: []
 runtimeClasses: []
- namespaces: [kube-system, system-upgrade, cis-operator-system]
+ namespaces: [kube-system, cis-operator-system]
 - name: EventRateLimit
 configuration:
 apiVersion: eventratelimit.admission.k8s.io/v1alpha1
From e4fb1642e5216f08e1d4affdc7ace6fc68214979 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Fri, 1 Nov 2024 15:10:26 +0100
Subject: [PATCH 93/99] Add link for the documentation
---
 files/etc/NetworkManager/conf.d/calico.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/files/etc/NetworkManager/conf.d/calico.conf b/files/etc/NetworkManager/conf.d/calico.conf
index 490d153..b4ac62a 100644
--- a/files/etc/NetworkManager/conf.d/calico.conf
+++ b/files/etc/NetworkManager/conf.d/calico.conf
@@ -1,2 +1,3 @@
+# https://docs.tigera.io/calico/latest/operations/troubleshoot/troubleshooting#configure-networkmanager
 [keyfile]
-unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
\ No newline at end of file
+unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
From 2c69995cf9e63cd02ea2fb7f0d7640e665d17272 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Fri, 1 Nov 2024 15:12:21 +0100
Subject: [PATCH 94/99] Update k3s config file
---
 templates/etc/rancher/k3s/config.yaml.j2 | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2
index bed1d77..2c7c64f 100644
--- a/templates/etc/rancher/k3s/config.yaml.j2
+++ b/templates/etc/rancher/k3s/config.yaml.j2
@@ -40,11 +40,10 @@ selinux: true #embedded-registry: true disable: - traefik -{% if kubernetes_interface is defined %} -node-ip: {{ kubernetes_interface.address }} -#node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} -{% endif %} +{% if lookup('vars', 'ansible_' + kubernetes_interface ) != ansible_host %} node-external-ip: {{ ansible_host }} +{% endif %} +node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }} {% if false %} # node-external-ip: 1.2.3.4 #node-label: From 714868ab71f2676a47167207df27982ec536c191 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Fri, 1 Nov 2024 15:15:46 +0100 Subject: [PATCH 95/99] Fix file /etc/kubernetes/admin.conf absent with k3s --- tasks/install_server.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tasks/install_server.yml b/tasks/install_server.yml index 1d53902..a9d0b9e 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml @@ -89,6 +89,18 @@ - kubernetes_master|bool - kubernetes_cri == "k3s" +- name: Make link from /etc/rancher/k3s/k3s.yaml to /etc/kubernetes/admin.conf + file: + src: "/etc/rancher/k3s/k3s.yaml" + state: link + dest: "/etc/kubernetes/admin.conf" + force: yes + owner: root + group: root + when: + - kubernetes_master|bool + - kubernetes_cri == "k3s" + # # Manque autoconfig de .kube/config local # @@ -100,6 +112,7 @@ # when: # - kubernetes_master|bigip_pool +# kubectl get nodes -o custom-columns=NAME:.metadata.name,TAINTS:.spec.taints --no-headers - name: Check if a node is still tainted ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}' register: current_taint From c58515cbced124f5fd22542a16c683f3a2827ef9 Mon Sep 17 00:00:00 2001 
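Review bot: The new `{% if %}` guard compares the whole interface fact mapping returned by `lookup('vars', 'ansible_' + kubernetes_interface)` with the string `ansible_host`, so the test is always true and `node-external-ip` is rendered on every node; judging by the `node-ip` line added right below, the intent is to compare the interface address: `{% if lookup('vars', 'ansible_' + kubernetes_interface).ipv4.address != ansible_host %}`. Note also that in some inventories `ansible_host` is a DNS name rather than an address, in which case even the corrected comparison stays true and k3s is handed a non-IP `node-external-ip`; comparing against a resolved address or a dedicated variable would be more robust. The `disable:` list above and the `{% if false %}` block below continue outside the hunk.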
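Review bot: `file` with `state: link` does not create the parent directory, so on a k3s-only host where nothing has yet created `/etc/kubernetes` the new 'Make link' task fails instead of fixing the missing `admin.conf`; I cannot see from this hunk whether the directory is created earlier in the role, so if it is not, a directory task under the same `when` should precede it (below). The link target `/etc/rancher/k3s/k3s.yaml` is a cluster-admin kubeconfig and a symlink carries no permissions of its own, so effective access is whatever mode k3s wrote that file with (0600 by default via `--write-kubeconfig-mode`); a comment such as `# admin.conf is a symlink: access is governed by the mode of k3s.yaml, do not loosen it` on the task would make that visible to the next maintainer. Minor style: `force: yes` is better written `force: true`, and the neighbouring task uses the FQCN `ansible.builtin.command` while this one uses bare `file`.
```yaml
- name: Ensure /etc/kubernetes exists for the k3s admin.conf link
  ansible.builtin.file:
    path: "/etc/kubernetes"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - kubernetes_master|bool
    - kubernetes_cri == "k3s"

# … unchanged: 'Make link from /etc/rancher/k3s/k3s.yaml to /etc/kubernetes/admin.conf' task …
```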
From: Adrien Reslinger Date: Sun, 1 Dec 2024 11:30:24 +0100 Subject: [PATCH 96/99] Add more configuration to enable swap --- tasks/cluster_kubeadm.yml | 14 ++++++++++++++ templates/etc/rancher/k3s/config.yaml.j2 | 3 +++ .../system/kubelet.service.d/20-allow-swap.conf.j2 | 1 + templates/kubeadm-config.yaml.j2 | 3 +++ 4 files changed, 21 insertions(+) create mode 100644 templates/etc/systemd/system/kubelet.service.d/20-allow-swap.conf.j2 diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml index 830bd2d..c11bf3a 100644 --- a/tasks/cluster_kubeadm.yml +++ b/tasks/cluster_kubeadm.yml @@ -172,6 +172,20 @@ - ansible_service_mgr == "systemd" - kubernetes_cri == "cri-o" +- name: Enable Swap for kubelet service + ansible.builtin.template: + src: "etc/{{ item }}.j2" + dest: "/etc/{{ item }}" + group: root + owner: root + mode: 0644 + with_items: + - "systemd/system/kubelet.service.d/20-allow-swap.conf" + when: + - ansible_service_mgr == "systemd" + - kubernetes_swap_enabled is defined + - kubernetes_swap_enabled|bool + - name: Configure kubelet service ansible.builtin.template: src: "etc/{{ item }}.j2" diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 index 2c7c64f..e55fb12 100644 --- a/templates/etc/rancher/k3s/config.yaml.j2 +++ b/templates/etc/rancher/k3s/config.yaml.j2 @@ -34,6 +34,9 @@ token: ${NODE_TOKEN} kubelet-arg: - 'streaming-connection-idle-timeout=5m' - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" +{% if false %} + - 'feature-gates=NodeSwap=true,CloudDualStackNodeIPs=true' +{% endif %} {% if ansible_os_family == "RedHat" %} selinux: true {% endif %} 
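Review bot: The new 'Enable Swap for kubelet service' task only deploys the drop-in when `kubernetes_swap_enabled` is true; there is no counterpart removing `/etc/systemd/system/kubelet.service.d/20-allow-swap.conf` when the variable is later unset or set to false, so `--fail-swap-on=false` persists on any host that was once swap-enabled. A sibling task with `state: absent` on the same path, guarded by the negated condition, keeps the host convergent (below; a daemon-reload/restart handler should follow it as for the template task). The `is defined` / `|bool` pair here and in the `kubeadm-config.yaml.j2` hunk of this patch would collapse to `kubernetes_swap_enabled | default(false) | bool` if `kubernetes_swap_enabled: false` were declared in `defaults/main.yml`. Also `mode: 0644` is an unquoted octal literal; write `mode: "0644"` so YAML 1.1 parsers do not read it as decimal 420.
```yaml
# … unchanged: 'Enable Swap for kubelet service' task …

- name: Remove kubelet swap drop-in when swap is not enabled
  ansible.builtin.file:
    path: "/etc/systemd/system/kubelet.service.d/20-allow-swap.conf"
    state: absent
  when:
    - ansible_service_mgr == "systemd"
    - not (kubernetes_swap_enabled | default(false) | bool)
```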
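Review bot: The added `kubelet-arg` entry in `config.yaml.j2` is wrapped in `{% if false %}` and is therefore never rendered — this is commented-out code living in a template. If the feature gates are meant to follow the same switch as the kubeadm path, key the block on `{% if kubernetes_swap_enabled | default(false) | bool %}` instead; otherwise drop it. Note that on the k3s path nothing in this patch passes `fail-swap-on=false` to the kubelet (the kubeadm path gets it through the systemd drop-in), so unless k3s changes the kubelet default, a swap-enabled k3s node will still refuse to start its kubelet; a matching `- 'fail-swap-on=false'` entry under the same condition would keep the two paths consistent.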
diff --git a/templates/etc/systemd/system/kubelet.service.d/20-allow-swap.conf.j2 b/templates/etc/systemd/system/kubelet.service.d/20-allow-swap.conf.j2 new file mode 100644 index 0000000..3f54876 --- /dev/null +++ b/templates/etc/systemd/system/kubelet.service.d/20-allow-swap.conf.j2 @@ -0,0 +1 @@ +[Service] Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false" diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2 index 7d833b5..2adf101 100644 --- a/templates/kubeadm-config.yaml.j2 +++ b/templates/kubeadm-config.yaml.j2 @@ -126,6 +126,9 @@ nodeRegistration: # read-only-port: "10255" ignorePreflightErrors: - SystemVerification +{% if kubernetes_swap_enabled is defined and kubernetes_swap_enabled|bool %} + - Swap +{% endif %} {% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %} - NumCPU {% endif %} From 3688fdb5d2cbb4b9da2cca8201b26f228c299cd2 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Thu, 5 Dec 2024 09:24:56 +0100 Subject: [PATCH 97/99] Update kubernetes to version 1.31.3 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18b21d7..ffea4be 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.31.2 -kubernetes_k3s_version: 1.31.2+k3s1 +kubernetes_version: 1.31.3 +kubernetes_k3s_version: 1.31.3+k3s1 #kubernetes_pods_network: "10.244.0.0/16" #kubernetes_svc_network: "10.96.0.0/12" kubernetes_pods_network: "10.42.0.0/16" From 012f324d1105e59ad6ac732387def08d435e0c42 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 21 Dec 2024 12:19:58 +0100 Subject: [PATCH 98/99] Updat ekubernetes to version 1.31.4 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
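Review bot: The new drop-in's `Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"` replaces rather than extends `KUBELET_EXTRA_ARGS`, so any flags the role or the operator already put in that variable are dropped. More importantly, systemd lets `EnvironmentFile=` settings override `Environment=`, and the stock kubeadm unit drop-in reads `KUBELET_EXTRA_ARGS` from `/etc/sysconfig/kubelet` or `/etc/default/kubelet`, which the package ships with an empty `KUBELET_EXTRA_ARGS=` line — on such hosts this line may be silently overridden to empty; I cannot see from this patch how the role manages that file, so verify with `systemctl show kubelet -p Environment` after a run. Since kubeadm already renders a KubeletConfiguration (the `kubeadm-config.yaml.j2` hunk of this patch edits `ignorePreflightErrors` next to a commented `read-only-port` kubelet setting), `failSwapOn: false` plus `memorySwap.swapBehavior: LimitedSwap` in that configuration is the supported form and, unlike `--fail-swap-on=false` alone, actually lets workloads use swap rather than merely stopping the kubelet from refusing to start. The file carries a `.j2` suffix but contains no template expressions, so a plain `files/` copy would express the intent more honestly.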
diff --git a/defaults/main.yml b/defaults/main.yml index ffea4be..f2dabdf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.31.3 -kubernetes_k3s_version: 1.31.3+k3s1 +kubernetes_version: 1.31.4 +kubernetes_k3s_version: 1.31.4+k3s1 #kubernetes_pods_network: "10.244.0.0/16" #kubernetes_svc_network: "10.96.0.0/12" kubernetes_pods_network: "10.42.0.0/16" From 3281379c4c2a10d1a0ec6534532b536bea0276bf Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sat, 8 Feb 2025 13:51:27 +0100 Subject: [PATCH 99/99] Update kubernetes to versoin 1.31.5 --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f2dabdf..1a656c5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.31.4 -kubernetes_k3s_version: 1.31.4+k3s1 +kubernetes_version: 1.31.5 +kubernetes_k3s_version: 1.31.5+k3s1 #kubernetes_pods_network: "10.244.0.0/16" #kubernetes_svc_network: "10.96.0.0/12" kubernetes_pods_network: "10.42.0.0/16"