diff --git a/defaults/main.yml b/defaults/main.yml
index 89b601b..d041f2a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,5 +5,5 @@ kubernetes_server: false
# value for kuberntes_network: flannel, calico, weave-net
#kubernetes_network: weave-net
kubernetes_kubeproxy_mode: ipvs
-kubernetes_version: 1.20.6
+kubernetes_version: 1.20.2
kubernetes_pods_network: "10.244.0.0/16"
\ No newline at end of file
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index fd986a3..de195e9 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -29,7 +29,7 @@
- name: retreive k3s binary for x86_64
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s"
dest: "/usr/local/bin/k3s"
group: root
owner: root
@@ -40,7 +40,7 @@
- name: retreive k3s binary for arm64
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-arm64"
dest: "/usr/local/bin/k3s"
group: root
owner: root
@@ -51,7 +51,7 @@
- name: retreive k3s binary for armv6/armv7
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-armhf"
dest: "/usr/local/bin/k3s"
group: root
owner: root
diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml
index 74f6ec2..1d496ae 100644
--- a/tasks/cluster_kubeadm.yml
+++ b/tasks/cluster_kubeadm.yml
@@ -168,10 +168,6 @@
when:
- kubernetes_master|bool
-# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
-# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
-# Ou récupération de ces règles pour une utilisation avec falco
-
- name: Configure audit policy
copy:
src: "etc/kubernetes/policies/audit-policy.yaml"
diff --git a/tasks/install_server.yml b/tasks/install_server.yml
index c50cc8c..89dd6c9 100644
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@@ -1,10 +1,4 @@
---
-- name: Include vars for not taint Kubernetes masters
- include_vars: masters.yml
- when:
- - kubernetes_master|bool
- - not kubernetes_master_taint|bool
-
- name: Add master to KubernetesMasters_ClusterName group
group_by:
key: KubernetesMasters_{{ kubernetes_cluster_name }}
@@ -32,7 +26,7 @@
lvol:
vg: vg_sys
thinpool: kubernetes
- size: "{{ lv_kubernetes_size | default('20g') }}"
+ size: 20g
## Install API loadbalancer
#- include_tasks: "load_balancer.yml"
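Review bot: `size: 20g` on the `lvol` task replaces a value that inventories could override with a hard-coded constant, so any group_vars or host_vars that still sets `lv_kubernetes_size` now silently gets a 20g thin volume. Keeping `size: "{{ lv_kubernetes_size | default('20g') }}"` gives the same default while still honouring existing overrides. The deleted vars/masters.yml also defined `lv_containers_size`; if any task elsewhere in the role still references it (not visible here), the run will now fail on an undefined variable. The lvol task starts outside the hunk.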
diff --git a/templates/etc/firewalld/services/kubernetes.xml.j2 b/templates/etc/firewalld/services/kubernetes.xml.j2
index 95f0583..e5ec9c5 100644
--- a/templates/etc/firewalld/services/kubernetes.xml.j2
+++ b/templates/etc/firewalld/services/kubernetes.xml.j2
@@ -25,7 +25,7 @@
# kube-controler-manager, used by self
# Read-only Kubelet API (Deprecated)
-#
+
{% else %}
{% endif %}
diff --git a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
deleted file mode 100644
index 7cc1cb4..0000000
--- a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- server: http://:8765/k8s_audit
- name: falco
-contexts:
-- context:
- cluster: falco
- user: ""
- name: default-context
-current-context: default-context
-preferences: {}
-users: []
\ No newline at end of file
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2
index 826a541..2d69675 100644
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@@ -33,12 +33,9 @@ nodeRegistration:
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
{% endif %}
node-ip: {{ ansible_default_ipv4.address }}
-# read-only-port: "10255"
+ read-only-port: "10255"
ignorePreflightErrors:
- SystemVerification
-{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
- - NumCPU
-{% endif %}
{% if true == false %}
- IsPrivilegedUser
{% endif %}
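Review bot: Uncommenting `read-only-port: "10255"` under `kubeletExtraArgs` turns on the kubelet's read-only HTTP port, which serves node and pod information without authentication or authorization; the firewalld template touched in this same diff still labels that port "Read-only Kubelet API (Deprecated)". If a scraper genuinely needs it, say so next to the line with a comment such as `# unauthenticated read-only kubelet API; required by <CONSUMER_PLACEHOLDER>, keep restricted to cluster nodes`, and make sure the firewalld service does not open it beyond the node network; otherwise leave the line commented out. The same line is re-enabled in the `nodeRegistration:` hunk at `@@ -116,22 +68,51 @@` below. The `nodeRegistration` mapping begins outside this hunk.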
@@ -48,51 +45,6 @@ localAPIEndpoint:
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
-{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
----
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-kubernetesVersion: stable
-{% if lbip_kubeapiserver is defined %}
-controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
-{% else %}
-controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
-{% endif %}
-apiServer:
- extraArgs:
- enable-admission-plugins: NodeRestriction,PodSecurityPolicy
- authorization-mode: "Node,RBAC"
- audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
- audit-log-path: "/var/log/apiserver/audit.log"
- audit-log-maxage: "30"
- audit-log-maxbackup: "10"
- audit-log-maxsize: "100"
-{% if false %}
-# Falco
- audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
- audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
-{% endif %}
- extraVolumes:
- - name: "audit-log"
- hostPath: "/var/log/apiserver"
- mountPath: "/var/log/apiserver"
- readOnly: false
- pathType: DirectoryOrCreate
- - name: "audit-policies"
- hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
- mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
- readOnly: false
- pathType: File
-{% if lb_kubemaster is defined %}
- certSANs:
- - "{{ lb_kubemaster }}"
-{% endif %}
-{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
-networking:
- podSubnet: "{{ kubernetes_pods_network }}"
-{% endif %}
-{% endif %}
-{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
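Review bot: Removing the `{% if not kubernetes_master|bool or ... groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}` guard means the `JoinConfiguration` document after `---` is now rendered on the first master too, where there is no existing cluster to join, so the `discovery:` stanza (hunk header below) has no valid target on that host. Unless kubeadm init is known to ignore a JoinConfiguration kind in its config file, keep that guard and its matching `{% endif %}` around the JoinConfiguration document only; the ClusterConfiguration can remain unconditional as this commit moves it. The InitConfiguration above and the JoinConfiguration body continue outside the hunk.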
@@ -116,22 +68,51 @@ discovery:
nodeRegistration:
kubeletExtraArgs:
node-ip: {{ ansible_default_ipv4.address }}
-# read-only-port: "10255"
+ read-only-port: "10255"
ignorePreflightErrors:
- SystemVerification
-{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
- - NumCPU
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+{% if lbip_kubeapiserver is defined %}
+controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
+{% else %}
+controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
{% endif %}
+apiServer:
+ extraArgs:
+ enable-admission-plugins: NodeRestriction,PodSecurityPolicy
+ authorization-mode: "Node,RBAC"
+ audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
+ audit-log-path: "/var/log/apiserver/audit.log"
+ audit-log-maxage: "30"
+ audit-log-maxbackup: "10"
+ audit-log-maxsize: "100"
+ extraVolumes:
+ - name: "audit-log"
+ hostPath: "/var/log/apiserver"
+ mountPath: "/var/log/apiserver"
+ readOnly: false
+ pathType: DirectoryOrCreate
+ - name: "audit-policies"
+ hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
+ mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
+ readOnly: false
+ pathType: File
+{% if lb_kubemaster is defined %}
+ certSANs:
+ - "{{ lb_kubemaster }}"
+{% endif %}
+{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
+networking:
+ podSubnet: "{{ kubernetes_pods_network }}"
{% endif %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
{% if kubernetes_kubeproxy_mode is defined %}
mode: {{ kubernetes_kubeproxy_mode }}
-{% if kubernetes_kubeproxy_mode == "ipvs" %}
-ipvs:
- strictARP: true
-{% endif %}
{% endif %}
---
apiVersion: kubelet.config.k8s.io/v1beta1
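Review bot: The `audit-policies` extraVolume mounts `/etc/kubernetes/policies/audit-policy.yaml` into the API server with `readOnly: false`, although the API server only reads the policy; set `readOnly: true` there so a compromised apiserver process cannot rewrite its own audit policy (the `audit-log` volume legitimately stays writable). The `ipvs:` / `strictARP: true` block is also dropped while defaults/main.yml in this diff still sets `kubernetes_kubeproxy_mode: ipvs`; if any component in the role depended on strict ARP, confirm that before merging. The `kubernetesVersion: stable` line leaves the control-plane version unpinned, which is worth a comment if intentional.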
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 4eecd17..beb4337 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,8 +1,8 @@
---
kubernetes_package_name:
- - kubectl-{{ kubernetes_version }}
- - kubelet-{{ kubernetes_version }}
- - kubeadm-{{ kubernetes_version }}
+ - kubectl
+ - kubelet
+ - kubeadm
- iproute-tc
- ipvsadm
#kubernetes_remove_packages_name:
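Review bot: Dropping the `-{{ kubernetes_version }}` suffix from `kubectl`, `kubelet` and `kubeadm` leaves the packages unpinned, so `kubernetes_version` (still set in defaults/main.yml in this diff) no longer controls what is installed on RedHat hosts; the package manager will take whatever is newest in the configured repository, and a later re-run can upgrade kubelet and kubeadm under a running cluster and skew versions across nodes. Keep the pinned form, e.g. `- kubelet-{{ kubernetes_version }}`, for all three entries, or document above the list why an unpinned install is intended.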
diff --git a/vars/masters.yml b/vars/masters.yml
deleted file mode 100644
index 4a03a33..0000000
--- a/vars/masters.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-lv_containers_size: 2g
-lv_kubernetes_size: 8g
\ No newline at end of file