9 changed files with 46 additions and 92 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,5 +5,5 @@ kubernetes_server: false
 # value for kuberntes_network: flannel, calico, weave-net
 #kubernetes_network: weave-net
 kubernetes_kubeproxy_mode: ipvs
-kubernetes_version: 1.20.6
+kubernetes_version: 1.20.2
 kubernetes_pods_network: "10.244.0.0/16"
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@ -29,7 +29,7 @@

 - name: retreive k3s binary for x86_64
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
@ -40,7 +40,7 @@

 - name: retreive k3s binary for arm64
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-arm64"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
@ -51,7 +51,7 @@

 - name: retreive k3s binary for armv6/armv7
  get_url:
-    url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf"
+    url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-armhf"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
--- a/tasks/cluster_kubeadm.yml
+++ b/tasks/cluster_kubeadm.yml
@ -168,10 +168,6 @@
  when:
    - kubernetes_master|bool

-# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
-# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
-# Ou récupération de ces règles pour une utilisation avec falco
-
 - name: Configure audit policy
  copy:
    src: "etc/kubernetes/policies/audit-policy.yaml"
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@ -1,10 +1,4 @@
 ---
- name: Include vars for not taint Kubernetes masters
-  include_vars: masters.yml
-  when:
-    - kubernetes_master|bool
-    - not kubernetes_master_taint|bool
-
 - name: Add master to KubernetesMasters_ClusterName group
  group_by:
    key: KubernetesMasters_{{ kubernetes_cluster_name }}
@ -32,7 +26,7 @@
  lvol:
    vg: vg_sys
    thinpool: kubernetes
-    size: "{{ lv_kubernetes_size | default('20g') }}"
+    size: 20g

 ## Install API loadbalancer
 #- include_tasks: "load_balancer.yml"
--- a/templates/etc/firewalld/services/kubernetes.xml.j2
+++ b/templates/etc/firewalld/services/kubernetes.xml.j2
@ -25,7 +25,7 @@
 # kube-controler-manager, used by self
  <port protocol="tcp" port="10252"/>
 # Read-only Kubelet API (Deprecated)
-#  <port protocol="tcp" port="10255"/>
+  <port protocol="tcp" port="10255"/>
 {% else %}
  <port protocol="tcp" port="10250"/>
 {% endif %}
--- a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
+++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
- cluster:
-    server: http://<ip_of_falco>:8765/k8s_audit
-  name: falco
-contexts:
- context:
-    cluster: falco
-    user: ""
-  name: default-context
-current-context: default-context
-preferences: {}
-users: []
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@ -33,12 +33,9 @@ nodeRegistration:
    container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
 {% endif %}
    node-ip: {{ ansible_default_ipv4.address }}
-#    read-only-port: "10255"
+    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
-{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
-  - NumCPU
-{% endif %}
 {% if true == false %}
  - IsPrivilegedUser
 {% endif %}
@ -48,51 +45,6 @@ localAPIEndpoint:
 {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 certificateKey: "{{ kubernetes_certificateKey.stdout }}"
 {% endif %}
-{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
---
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-kubernetesVersion: stable
-{% if lbip_kubeapiserver is defined %}
-controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
-{% else %}
-controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
-{% endif %}
-apiServer:
-  extraArgs:
-    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
-    authorization-mode: "Node,RBAC"
-    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
-    audit-log-path: "/var/log/apiserver/audit.log"
-    audit-log-maxage: "30"
-    audit-log-maxbackup: "10"
-    audit-log-maxsize: "100"
-{% if false %}
-# Falco
-    audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
-    audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
-{% endif %}
-  extraVolumes:
-  - name: "audit-log"
-    hostPath: "/var/log/apiserver"
-    mountPath: "/var/log/apiserver"
-    readOnly: false
-    pathType: DirectoryOrCreate
-  - name: "audit-policies"
-    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
-    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
-    readOnly: false
-    pathType: File
-{% if lb_kubemaster is defined %}
-  certSANs:
-  - "{{ lb_kubemaster }}"
-{% endif %}
-{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
-networking:
-  podSubnet: "{{ kubernetes_pods_network }}"
-{% endif %}
-{% endif %}
-{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 ---
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
@ -116,22 +68,51 @@ discovery:
 nodeRegistration:
  kubeletExtraArgs:
    node-ip: {{ ansible_default_ipv4.address }}
-#    read-only-port: "10255"
+    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
-{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
-  - NumCPU
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+{% if lbip_kubeapiserver is defined %}
+controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
+{% else %}
+controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
 {% endif %}
+apiServer:
+  extraArgs:
+    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
+    authorization-mode: "Node,RBAC"
+    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
+    audit-log-path: "/var/log/apiserver/audit.log"
+    audit-log-maxage: "30"
+    audit-log-maxbackup: "10"
+    audit-log-maxsize: "100"
+  extraVolumes:
+  - name: "audit-log"
+    hostPath: "/var/log/apiserver"
+    mountPath: "/var/log/apiserver"
+    readOnly: false
+    pathType: DirectoryOrCreate
+  - name: "audit-policies"
+    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
+    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
+    readOnly: false
+    pathType: File
+{% if lb_kubemaster is defined %}
+  certSANs:
+  - "{{ lb_kubemaster }}"
+{% endif %}
+{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
+networking:
+  podSubnet: "{{ kubernetes_pods_network }}"
 {% endif %}
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 {% if kubernetes_kubeproxy_mode is defined %}
 mode: {{ kubernetes_kubeproxy_mode }}
-{% if kubernetes_kubeproxy_mode == "ipvs" %}
-ipvs:
-  strictARP: true
-{% endif %}
 {% endif %}
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,8 +1,8 @@
 ---
 kubernetes_package_name: 
-  - kubectl-{{ kubernetes_version }}
-  - kubelet-{{ kubernetes_version }}
-  - kubeadm-{{ kubernetes_version }}
+  - kubectl
+  - kubelet
+  - kubeadm
  - iproute-tc
  - ipvsadm
 #kubernetes_remove_packages_name:
--- a/vars/masters.yml
+++ b/vars/masters.yml
@ -1,3 +0,0 @@
---
-lv_containers_size: 2g
-lv_kubernetes_size: 8g