diff --git a/defaults/main.yml b/defaults/main.yml
index d041f2a..89b601b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,5 +5,5 @@ kubernetes_server: false
# value for kuberntes_network: flannel, calico, weave-net
#kubernetes_network: weave-net
kubernetes_kubeproxy_mode: ipvs
-kubernetes_version: 1.20.2
+kubernetes_version: 1.20.6
kubernetes_pods_network: "10.244.0.0/16"
\ No newline at end of file
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index de195e9..fd986a3 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -29,7 +29,7 @@
- name: retreive k3s binary for x86_64
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s"
dest: "/usr/local/bin/k3s"
group: root
owner: root
@@ -40,7 +40,7 @@
- name: retreive k3s binary for arm64
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-arm64"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-arm64"
dest: "/usr/local/bin/k3s"
group: root
owner: root
@@ -51,7 +51,7 @@
- name: retreive k3s binary for armv6/armv7
get_url:
- url: "https://github.com/rancher/k3s/releases/download/v1.20.2%2Bk3s1/k3s-armhf"
+ url: "https://github.com/rancher/k3s/releases/download/v1.20.6%2Bk3s1/k3s-armhf"
dest: "/usr/local/bin/k3s"
group: root
owner: root
diff --git a/tasks/cluster_kubeadm.yml b/tasks/cluster_kubeadm.yml
index 1d496ae..74f6ec2 100644
--- a/tasks/cluster_kubeadm.yml
+++ b/tasks/cluster_kubeadm.yml
@@ -168,6 +168,10 @@
when:
- kubernetes_master|bool
+# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
+# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
+# Ou récupération de ces règles pour une utilisation avec falco
+
- name: Configure audit policy
copy:
src: "etc/kubernetes/policies/audit-policy.yaml"
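Review bot: The comment block added above the audit-policy task mixes a French sentence (`Ou récupération de ces règles pour une utilisation avec falco`) into an otherwise English file and points at the v1-17 documentation while this same commit pins `kubernetes_version` to 1.20.6. Replace it with one English line that states the intent, e.g. `# Alternative: ship the audit log to Falco (rules: k8s_audit_rules.yaml, links above); the webhook wiring in templates/kubeadm-config.yaml.j2 is currently disabled`, and link the docs matching the pinned release. The `Configure audit policy` task continues outside the hunk.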
diff --git a/tasks/install_server.yml b/tasks/install_server.yml
index 89dd6c9..c50cc8c 100644
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@@ -1,4 +1,10 @@
---
+- name: Include vars for not taint Kubernetes masters
+ include_vars: masters.yml
+ when:
+ - kubernetes_master|bool
+ - not kubernetes_master_taint|bool
+
- name: Add master to KubernetesMasters_ClusterName group
group_by:
key: KubernetesMasters_{{ kubernetes_cluster_name }}
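Review bot: `not kubernetes_master_taint|bool` is evaluated on every master, but this diff adds no default for `kubernetes_master_taint` (the only defaults/main.yml change is the version bump), so unless it is defined outside the diff the `when` fails with an undefined-variable error on hosts that never set it; the same expression guards the two `NumCPU` entries in templates/kubeadm-config.yaml.j2. If tainted masters are the intended default, `- not (kubernetes_master_taint | default(true) | bool)` makes the condition safe, or add `kubernetes_master_taint: true` to defaults/main.yml with a comment explaining that `false` means workloads are scheduled on the control plane. The task name reads awkwardly; `Include vars for untainted Kubernetes masters` says the same thing.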
@@ -26,7 +32,7 @@
lvol:
vg: vg_sys
thinpool: kubernetes
- size: 20g
+ size: "{{ lv_kubernetes_size | default('20g') }}"
## Install API loadbalancer
#- include_tasks: "load_balancer.yml"
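Review bot: Making `size` variable means a host that already has the 20g thin pool and is later switched to `kubernetes_master_taint: false` will be asked for the 8g from vars/masters.yml; the `lvol` module defaults to `shrink: true`, and a thin pool cannot be reduced, so the task would fail on that host (for a plain LV it could truncate data) instead of leaving the existing volume alone. Adding `shrink: false` to this lvol task turns the size into a minimum rather than an exact target, which is presumably the intent for a pool that only ever needs to grow. The lvol task starts before this hunk, so the other keys are not visible here.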
diff --git a/templates/etc/firewalld/services/kubernetes.xml.j2 b/templates/etc/firewalld/services/kubernetes.xml.j2
index e5ec9c5..95f0583 100644
--- a/templates/etc/firewalld/services/kubernetes.xml.j2
+++ b/templates/etc/firewalld/services/kubernetes.xml.j2
@@ -25,7 +25,7 @@
# kube-controler-manager, used by self
# Read-only Kubelet API (Deprecated)
-
+#
{% else %}
{% endif %}
diff --git a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2 b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
new file mode 100644
index 0000000..7cc1cb4
--- /dev/null
+++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ server: http://:8765/k8s_audit
+ name: falco
+contexts:
+- context:
+ cluster: falco
+ user: ""
+ name: default-context
+current-context: default-context
+preferences: {}
+users: []
\ No newline at end of file
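Review bot: `server: http://:8765/k8s_audit` has an empty host and a plain-HTTP scheme, so once the Falco stanza in templates/kubeadm-config.yaml.j2 is enabled the api-server would post audit events — which at the RequestResponse level carry request bodies, including Secret payloads — in clear text to an unspecified endpoint. The host should come from a role variable (placeholder: `"{{ <falco_webhook_host_var> }}"`, name to be chosen) and the scheme should be https with a `certificate-authority` entry unless the receiver is bound to localhost on the control-plane node; `user: ""` also means the webhook presents no credential, which the receiving side must account for. Since the file contains no Jinja at all, either template the host as above or move it under files/ rather than templates/. The file also lacks a trailing newline.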
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2
index 2d69675..826a541 100644
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@@ -33,9 +33,12 @@ nodeRegistration:
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
{% endif %}
node-ip: {{ ansible_default_ipv4.address }}
- read-only-port: "10255"
+# read-only-port: "10255"
ignorePreflightErrors:
- SystemVerification
+{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
+ - NumCPU
+{% endif %}
{% if true == false %}
- IsPrivilegedUser
{% endif %}
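Review bot: Commenting out `read-only-port: "10255"` removes the kubeletExtraArg that was explicitly enabling the unauthenticated read-only kubelet API, but whether port 10255 actually closes depends on the KubeletConfiguration document at the end of this template (outside the hunk) — kubeadm's own kubelet defaults set it to 0 as far as I recall, so verify on a node after init rather than rely on the firewalld change in kubernetes.xml.j2 alone. Rather than leaving a commented-out line that a later edit may simply uncomment, state the intent, `# read-only kubelet port intentionally left disabled (unauthenticated API)`, or set `readOnlyPort: 0` explicitly in the KubeletConfiguration. The same commented-out line appears in the JoinConfiguration hunk below.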
@@ -45,6 +48,51 @@ localAPIEndpoint:
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
+{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+{% if lbip_kubeapiserver is defined %}
+controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
+{% else %}
+controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
+{% endif %}
+apiServer:
+ extraArgs:
+ enable-admission-plugins: NodeRestriction,PodSecurityPolicy
+ authorization-mode: "Node,RBAC"
+ audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
+ audit-log-path: "/var/log/apiserver/audit.log"
+ audit-log-maxage: "30"
+ audit-log-maxbackup: "10"
+ audit-log-maxsize: "100"
+{% if false %}
+# Falco
+ audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
+ audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
+{% endif %}
+ extraVolumes:
+ - name: "audit-log"
+ hostPath: "/var/log/apiserver"
+ mountPath: "/var/log/apiserver"
+ readOnly: false
+ pathType: DirectoryOrCreate
+ - name: "audit-policies"
+ hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
+ mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
+ readOnly: false
+ pathType: File
+{% if lb_kubemaster is defined %}
+ certSANs:
+ - "{{ lb_kubemaster }}"
+{% endif %}
+{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
+networking:
+ podSubnet: "{{ kubernetes_pods_network }}"
+{% endif %}
+{% endif %}
+{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
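Review bot: `kubernetesVersion: stable` in the relocated ClusterConfiguration is now inconsistent with the rest of the commit, which pins `kubernetes_version: 1.20.6` and installs `kubeadm-{{ kubernetes_version }}`; once a newer stable is published, init would resolve a control-plane version newer than the installed kubeadm and fail, so use `kubernetesVersion: "v{{ kubernetes_version }}"`. The `{% if false %}` Falco stanza, if ever enabled, defines `audit-policy-file` twice in the same mapping (most YAML parsers keep the last value silently) and references `/etc/kubernetes/policies/audit-webhook-kubeconfig`, for which there is no `extraVolumes` entry, so the static api-server pod could not read it. The `audit-policies` volume mounts a policy file with `readOnly: false`; `readOnly: true` is sufficient and keeps the api-server from being able to alter its own audit policy.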
@@ -68,51 +116,22 @@ discovery:
nodeRegistration:
kubeletExtraArgs:
node-ip: {{ ansible_default_ipv4.address }}
- read-only-port: "10255"
+# read-only-port: "10255"
ignorePreflightErrors:
- SystemVerification
----
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-kubernetesVersion: stable
-{% if lbip_kubeapiserver is defined %}
-controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
-{% else %}
-controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
+{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
+ - NumCPU
{% endif %}
-apiServer:
- extraArgs:
- enable-admission-plugins: NodeRestriction,PodSecurityPolicy
- authorization-mode: "Node,RBAC"
- audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
- audit-log-path: "/var/log/apiserver/audit.log"
- audit-log-maxage: "30"
- audit-log-maxbackup: "10"
- audit-log-maxsize: "100"
- extraVolumes:
- - name: "audit-log"
- hostPath: "/var/log/apiserver"
- mountPath: "/var/log/apiserver"
- readOnly: false
- pathType: DirectoryOrCreate
- - name: "audit-policies"
- hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
- mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
- readOnly: false
- pathType: File
-{% if lb_kubemaster is defined %}
- certSANs:
- - "{{ lb_kubemaster }}"
-{% endif %}
-{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
-networking:
- podSubnet: "{{ kubernetes_pods_network }}"
{% endif %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
{% if kubernetes_kubeproxy_mode is defined %}
mode: {{ kubernetes_kubeproxy_mode }}
+{% if kubernetes_kubeproxy_mode == "ipvs" %}
+ipvs:
+ strictARP: true
+{% endif %}
{% endif %}
---
apiVersion: kubelet.config.k8s.io/v1beta1
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index beb4337..4eecd17 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,8 +1,8 @@
---
kubernetes_package_name:
- - kubectl
- - kubelet
- - kubeadm
+ - kubectl-{{ kubernetes_version }}
+ - kubelet-{{ kubernetes_version }}
+ - kubeadm-{{ kubernetes_version }}
- iproute-tc
- ipvsadm
#kubernetes_remove_packages_name:
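Review bot: Pinning `kubectl-{{ kubernetes_version }}` and friends keeps the node packages at the version kubeadm expects, but nothing in the diff stops a later plain `yum update` from moving kubelet/kubeadm past the pinned version; unless the repo definition elsewhere in the role sets `exclude=kubelet kubeadm kubectl` (as the upstream install docs recommend) or a versionlock is applied, that drift will reappear. A comment above the list would make the coupling explicit: `# pinned to kubernetes_version so kubelet/kubeadm never run ahead of the control plane`. The `name-version` spec also assumes `kubernetes_version` is a bare `x.y.z`; a value with a leading `v` would not resolve, so worth noting next to the variable.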
diff --git a/vars/masters.yml b/vars/masters.yml
new file mode 100644
index 0000000..4a03a33
--- /dev/null
+++ b/vars/masters.yml
@@ -0,0 +1,3 @@
+---
+lv_containers_size: 2g
+lv_kubernetes_size: 8g
\ No newline at end of file
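Review bot: `lv_containers_size` is set here but nothing in this diff reads it (only `lv_kubernetes_size` is consumed in tasks/install_server.yml), so it is either used by a task outside the diff or dead; a comment stating what these values are for would help, e.g. `# smaller thin-pool LVs for masters that also run workloads (kubernetes_master_taint: false)`. The file also lacks a trailing newline.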