9 changed files with 46 additions and 92 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,5 +5,5 @@ kubernetes_server: false
 # value for kuberntes_network: flannel, calico, weave-net
 #kubernetes_network: weave-net
 kubernetes_kubeproxy_mode: ipvs
-kubernetes_version: 1.20.6
+kubernetes_version: 1.20.2
 kubernetes_pods_network: "10.244.0.0/16"
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@ -29,7 +29,7 @@
 - name: retreive k3s binary for x86_64
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
@ -40,7 +40,7 @@
 - name: retreive k3s binary for arm64
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-arm64"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
@ -51,7 +51,7 @@
 - name: retreive k3s binary for armv6/armv7
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-armhf"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
--- a/tasks/cluster_kubeadm.yml
+++ b/tasks/cluster_kubeadm.yml
@ -168,10 +168,6 @@
  when:
    - kubernetes_master|bool
 # https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
 # https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
 # Ou récupération de ces règles pour une utilisation avec falco
 - name: Configure audit policy
  copy:
    src: "etc/kubernetes/policies/audit-policy.yaml"
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@ -1,10 +1,4 @@
 ---
 - name: Include vars for not taint Kubernetes masters
  include_vars: masters.yml
  when:
    - kubernetes_master|bool
    - not kubernetes_master_taint|bool
 - name: Add master to KubernetesMasters_ClusterName group
  group_by:
    key: KubernetesMasters_{{ kubernetes_cluster_name }}
@ -32,7 +26,7 @@
  lvol:
    vg: vg_sys
    thinpool: kubernetes
-    size: "{{ lv_kubernetes_size | default('20g') }}"
+    size: 20g
 ## Install API loadbalancer
 #- include_tasks: "load_balancer.yml"
--- a/templates/etc/firewalld/services/kubernetes.xml.j2
+++ b/templates/etc/firewalld/services/kubernetes.xml.j2
@ -25,7 +25,7 @@
 # kube-controler-manager, used by self
  <port protocol="tcp" port="10252"/>
 # Read-only Kubelet API (Deprecated)
-#  <port protocol="tcp" port="10255"/>
+  <port protocol="tcp" port="10255"/>
 {% else %}
  <port protocol="tcp" port="10250"/>
 {% endif %}
--- a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
+++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
@ -1,14 +0,0 @@
 apiVersion: v1
 kind: Config
 clusters:
 - cluster:
    server: http://<ip_of_falco>:8765/k8s_audit
  name: falco
 contexts:
 - context:
    cluster: falco
    user: ""
  name: default-context
 current-context: default-context
 preferences: {}
 users: []
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@ -33,12 +33,9 @@ nodeRegistration:
    container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
 {% endif %}
    node-ip: {{ ansible_default_ipv4.address }}
-#    read-only-port: "10255"
+    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
 {% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
  - NumCPU
 {% endif %}
 {% if true == false %}
  - IsPrivilegedUser
 {% endif %}
@ -48,51 +45,6 @@ localAPIEndpoint:
 {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 certificateKey: "{{ kubernetes_certificateKey.stdout }}"
 {% endif %}
 {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
 ---
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: ClusterConfiguration
 kubernetesVersion: stable
 {% if lbip_kubeapiserver is defined %}
 controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
 {% else %}
 controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
 {% endif %}
 apiServer:
  extraArgs:
    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    authorization-mode: "Node,RBAC"
    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
    audit-log-path: "/var/log/apiserver/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
 {% if false %}
 # Falco
    audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
    audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
 {% endif %}
  extraVolumes:
  - name: "audit-log"
    hostPath: "/var/log/apiserver"
    mountPath: "/var/log/apiserver"
    readOnly: false
    pathType: DirectoryOrCreate
  - name: "audit-policies"
    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
    readOnly: false
    pathType: File
 {% if lb_kubemaster is defined %}
  certSANs:
  - "{{ lb_kubemaster }}"
 {% endif %}
 {% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
 networking:
  podSubnet: "{{ kubernetes_pods_network }}"
 {% endif %}
 {% endif %}
 {% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 ---
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
@ -116,22 +68,51 @@ discovery:
 nodeRegistration:
  kubeletExtraArgs:
    node-ip: {{ ansible_default_ipv4.address }}
-#    read-only-port: "10255"
+    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
-{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
+---
-  - NumCPU
+apiVersion: kubeadm.k8s.io/v1beta2
 kind: ClusterConfiguration
 kubernetesVersion: stable
 {% if lbip_kubeapiserver is defined %}
 controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
 {% else %}
 controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
 {% endif %}
 apiServer:
  extraArgs:
    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    authorization-mode: "Node,RBAC"
    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
    audit-log-path: "/var/log/apiserver/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
  extraVolumes:
  - name: "audit-log"
    hostPath: "/var/log/apiserver"
    mountPath: "/var/log/apiserver"
    readOnly: false
    pathType: DirectoryOrCreate
  - name: "audit-policies"
    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
    readOnly: false
    pathType: File
 {% if lb_kubemaster is defined %}
  certSANs:
  - "{{ lb_kubemaster }}"
 {% endif %}
 {% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
 networking:
  podSubnet: "{{ kubernetes_pods_network }}"
 {% endif %}
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 {% if kubernetes_kubeproxy_mode is defined %}
 mode: {{ kubernetes_kubeproxy_mode }}
 {% if kubernetes_kubeproxy_mode == "ipvs" %}
 ipvs:
  strictARP: true
 {% endif %}
 {% endif %}
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,8 +1,8 @@
 ---
 kubernetes_package_name: 
-  - kubectl-{{ kubernetes_version }}
+  - kubectl
-  - kubelet-{{ kubernetes_version }}
+  - kubelet
-  - kubeadm-{{ kubernetes_version }}
+  - kubeadm
  - iproute-tc
  - ipvsadm
 #kubernetes_remove_packages_name:
--- a/vars/masters.yml
+++ b/vars/masters.yml
@ -1,3 +0,0 @@
 ---
 lv_containers_size: 2g
 lv_kubernetes_size: 8g