From 6fa60172dfff997ad8bde64d1b3ded3570bb949d Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 31 Jan 2021 14:19:00 +0100
Subject: [PATCH 1/2] Add selinux for k3s
---
 tasks/cluster_k3s.yml | 16 ++++++++++++++++
 templates/etc/systemd/system/k3s.service.j2 | 6 +++---
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index 9318b77..cb4e527 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -5,6 +5,22 @@
 # when:
 # - kubernetes_cni == "wireguard"
+- name: Install the k3s-selinux rpm from a remote repo for yum distro
+ yum:
+ name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm"
+ state: present
+ disable_gpg_check: yes
+ when:
+ - ansible_pkg_mgr == "yum"
+
+- name: Install the k3s-selinux rpm from a remote repo for dnf distro
+ dnf:
+ name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm"
+ state: present
+ disable_gpg_check: yes
+ when:
+ - ansible_pkg_mgr == "dnf"
+
 - name: Check if /usr/local/bin/k3s already existe
 stat:
 path: /usr/local/bin/k3s
diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2
index 0ac1a83..03f00a5 100644
--- a/templates/etc/systemd/system/k3s.service.j2
+++ b/templates/etc/systemd/system/k3s.service.j2
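Review bot: `disable_gpg_check: yes` on both the yum and the dnf task turns off signature verification for an RPM that is downloaded from a URL and installed as root, and that RPM carries the SELinux policy the node will rely on. HTTPS only authenticates the download host, so a replaced release asset would still install. I would drop the option and import the publisher's signing key beforehand with an `rpm_key` task, or fetch the file with `get_url` and a pinned `checksum: "sha256:<expected digest>"` and install it from the local path. Both tasks also hard-code the `el7_8` build, which the dnf branch presumably applies to newer releases as well; worth confirming that is intended.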
@@ -8,12 +8,12 @@ Type=notify
 EnvironmentFile=/etc/systemd/system/k3s.service.env
 {% if kubernetes_master|bool %}
 {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
-ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init
+ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init --selinux
 {% else %}
-ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN}
+ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux
 {% endif %}
 {% else %}
-ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux
 {% endif %}
 KillMode=process
 Delegate=yes
From 1e4d82d403bcd58f376535e0923e719f2b9c935f Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 31 Jan 2021 14:19:30 +0100
Subject: [PATCH 2/2] Fix dnf warning by k8s tools
---
 tasks/RedHat.yml | 22 ++++++++++++++++++++
 tasks/main.yml | 16 +++++++-------
 templates/etc/yum.repos.d/kubernetes.repo.j2 | 2 +-
 3 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml
index 7eaf639..be10842 100644
--- a/tasks/RedHat.yml
+++ b/tasks/RedHat.yml
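Review bot: `--selinux` is appended unconditionally to all three `ExecStart` lines, while the k3s-selinux policy is only installed when `ansible_pkg_mgr` is yum or dnf (tasks/cluster_k3s.yml in the same patch). On hosts where SELinux is disabled or the policy package was never installed, the unit still asks k3s for SELinux support; how k3s reacts in that case should be confirmed. Gating the flag on the gathered fact keeps the unit consistent with the host, e.g. `{% if ansible_selinux.status == "enabled" %} --selinux{% endif %}` at the end of each line. The unit file continues outside the hunk.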
@@ -57,3 +57,25 @@
 # - need_firewall|bool
 # - firewall_name == "firewalld"
 - kubernetes_server|bool
+
+- name: Install kubernetes tools
+ dnf:
+ name: "{{ kubernetes_package_name }}"
+ enablerepo: "kubernetes"
+ state: present
+ update_cache: yes
+# notify: Restart kubelet
+ when:
+ - ansible_pkg_mgr == "dnf"
+ - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")
+
+- name: Install kubernetes tools
+ yum:
+ name: "{{ kubernetes_package_name }}"
+ enablerepo: "kubernetes"
+ state: present
+ update_cache: yes
+# notify: Restart kubelet
+ when:
+ - ansible_pkg_mgr == "yum"
+ - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")
diff --git a/tasks/main.yml b/tasks/main.yml
index b57a12b..5fe21e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -39,14 +39,14 @@
 - name: Install kubernetes rules for {{ ansible_os_family }} OS family
 include_tasks: "{{ ansible_os_family }}.yml"
-- name: Install kubernetes tools
- package:
- name: "{{ kubernetes_package_name }}"
- state: present
- update_cache: yes
-# notify: Restart kubelet
- when:
- - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")
+#- name: Install kubernetes tools
+# package:
+# name: "{{ kubernetes_package_name }}"
+# state: present
+# update_cache: yes
+## notify: Restart kubelet
+# when:
+# - (not kubernetes_server|bool) or ( kubernetes_server|bool and kubernetes_cri != "k3s")
 - name: Include kubernetes server rules
 include_tasks: "install_server.yml"
diff --git a/templates/etc/yum.repos.d/kubernetes.repo.j2 b/templates/etc/yum.repos.d/kubernetes.repo.j2
index 7ac0fdb..b04037a 100644
--- a/templates/etc/yum.repos.d/kubernetes.repo.j2
+++ b/templates/etc/yum.repos.d/kubernetes.repo.j2
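Review bot: The two added tasks carry the identical name `Install kubernetes tools`, so play output and `--start-at-task` cannot tell the dnf run from the yum run; I would name them `Install kubernetes tools (dnf)` and `Install kubernetes tools (yum)`. They differ only in the module, and since `package` forwards extra arguments to the underlying module, a single `package:` task with `enablerepo: "kubernetes"` would probably do in this RedHat-only file; worth checking against the dnf warning this commit targets. The `# notify: Restart kubelet` line is carried over commented out in both tasks; either drop it or add a comment saying why the handler is disabled.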
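Review bot: Commenting out the generic `package` task in tasks/main.yml leaves every non-RedHat OS family without this install step, as far as the patch shows: main.yml still includes `{{ ansible_os_family }}.yml` for whatever family the host reports, but `kubernetes_package_name` is now installed only from tasks/RedHat.yml. If a Debian (or other) task file exists it needs its own install task; that is not visible here. Separately, the old task is kept as eight commented-out lines; deleting it and relying on git history reads cleaner than keeping `#- name: Install kubernetes tools`.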
@@ -1,7 +1,7 @@
 [kubernetes]
 name=Kubernetes
 baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ ansible_machine }}
-enabled=1
+enabled=0
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
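Review bot: With `enabled=0` the kubernetes repo is skipped by routine `yum update` / `dnf upgrade` runs and by any automatic updater, and the role installs with `state: present`, so the packages in `kubernetes_package_name` stay at whatever version was first installed until someone upgrades with the repo explicitly enabled. If that pinning is the intent, say so in the template, e.g. a leading `# Disabled on purpose: the role installs with enablerepo=kubernetes; upgrade deliberately.` If it is not, security fixes for these packages will be missed silently.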