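---
# Kubernetes node bootstrap tasks:
#   1. install the container runtime (containerd or CRI-O) via sub-roles
#   2. Calico/NetworkManager and kube-proxy IPVS prerequisites
#   3. dedicated, hardened (nodev,noexec,nosuid) file systems for etcd state
#      and /etc/kubernetes on control-plane nodes
#   4. kubelet drop-ins, API-server audit policy
#   5. kubeadm init on the first controller, kubeadm join for every other
#      node, driven by the per-cluster host groups
#      KubernetesMasters_<cluster> / KubernetesMasterConfigured_<cluster>
#
# Several tasks below handle bootstrap secrets (certificate key, bootstrap
# token); those are marked no_log so they never reach the Ansible output or
# a log aggregator.

- name: Install Containerd
  ansible.builtin.include_role:
    name: containerd
  when:
    - kubernetes_cri == "containerd"
  # register: kubernetes_cri_changed

- name: Install CRI-O
  ansible.builtin.include_role:
    name: cri-o
  when:
    - kubernetes_cri == "cri-o"
  # register: kubernetes_cri_changed

# - name: Restart kubelet after kubernetes cri installation
#   ansible.builtin.service:
#     name: kubelet
#     state: restarted
#   when:
#     - kubernetes_cri_changed is changed

- name: Configure NetworkManager for Calico
  ansible.builtin.copy:
    src: "etc/NetworkManager/conf.d/calico.conf"
    dest: "/etc/NetworkManager/conf.d/calico.conf"
    group: root
    owner: root
    mode: "0644"
  when:
    - kubernetes_network == "calico"
    - ansible_os_family == "RedHat"
  register: kubernetes_network_networkmanager_changed

# FIX: this task was named "Restart kubelet ..." but acts on NetworkManager,
# and it passed `status: reload`, which ansible.builtin.service does not
# accept (the parameter is `state`, the value `reloaded`) - the task could
# never run successfully.
- name: Reload NetworkManager after Calico configuration change
  ansible.builtin.service:
    name: NetworkManager
    state: reloaded
  when:
    - kubernetes_network_networkmanager_changed is changed

- name: Configure IPVS kernel modules to be loaded on boot
  ansible.builtin.template:
    src: "etc/modules-load.d/ipvs.conf.j2"
    dest: "/etc/modules-load.d/ipvs.conf"
    group: root
    owner: root
    mode: "0644"
  when:
    - kubernetes_kubeproxy_mode == "ipvs"

# EL7 still ships the per-family conntrack modules.
- name: Load IPVS kernel modules for EL7
  community.general.modprobe:
    name: "{{ item }}"
    state: present
  loop:
    - ip_vs
    - ip_vs_rr
    - ip_vs_wrr
    - ip_vs_sh
    - nf_conntrack_ipv4
    - nf_conntrack_ipv6
  when:
    - kubernetes_kubeproxy_mode == "ipvs"
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version | int == 7

# FIX: the original compared the major version as a *string*
# ('10' >= '8' is false), so EL10+ nodes would silently get no IPVS modules
# and kube-proxy would fall back/fail; compare as an integer.
- name: Load IPVS kernel modules for EL8 and later
  community.general.modprobe:
    name: "{{ item }}"
    state: present
  loop:
    - ip_vs
    - ip_vs_rr
    - ip_vs_wrr
    - ip_vs_sh
    - nf_conntrack
  when:
    - kubernetes_kubeproxy_mode == "ipvs"
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version | int >= 8

# Control-plane volumes. etcd state and the cluster PKI/kubeconfigs get their
# own file systems mounted nodev,noexec,nosuid so nothing under them can be
# executed or abused as a device node. The list is anchored here and reused
# by the two tasks that follow so the three stay in sync.
- name: Create thin volumes for kubernetes
  community.general.lvol:
    vg: "{{ item.vg }}"
    lv: "{{ item.name }}"
    thinpool: kubernetes
    size: "{{ item.size }}"
  loop: &kubernetes_master_volumes
    - name: var_lib_etcd
      vg: vg_sys
      size: 1g
      mount_point: /var/lib/etcd
      mount_opts: "nodev,noexec,nosuid,discard"
    - name: etc_kubernetes
      vg: vg_sys
      size: 1g
      mount_point: /etc/kubernetes
      mount_opts: "nodev,noexec,nosuid,discard"
    # - name: var_lib_kubelet
    #   vg: vg_sys
    #   size: 128m
    #   mount_point: /var/lib/kubelet
    #   mount_opts: "discard"
  when:
    - kubernetes_master | bool

- name: Create file system on kubernetes logical volumes
  community.general.filesystem:
    fstype: ext4
    dev: "/dev/{{ item.vg }}/{{ item.name }}"
  loop: *kubernetes_master_volumes
  when:
    - kubernetes_master | bool

- name: Mount logical volumes
  ansible.posix.mount:
    name: "{{ item.mount_point }}"
    src: "/dev/{{ item.vg }}/{{ item.name }}"
    fstype: ext4
    opts: "{{ item.mount_opts }}"
    state: mounted
  register: partition_formated
  loop: *kubernetes_master_volumes
  when:
    - kubernetes_master | bool

# A fresh ext4 file system carries lost+found; etcd must own an empty data
# directory, so drop it right after the first mount.
- name: Ensure /var/lib/etcd/lost+found does not exist
  ansible.builtin.file:
    path: "/var/lib/etcd/lost+found"
    state: "absent"
  when:
    - partition_formated is changed

# etcd holds every Secret in the cluster; keep its data directory root-only.
- name: Secure etcd directory
  ansible.builtin.file:
    path: "/var/lib/etcd"
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - kubernetes_master | bool

- name: Ensure /etc/systemd/system/kubelet.service.d exists
  ansible.builtin.file:
    path: "/etc/systemd/system/kubelet.service.d"
    state: "directory"
    group: root
    owner: root
    mode: "0755"
  when:
    - ansible_service_mgr == "systemd"

- name: Configure kubelet service
  ansible.builtin.template:
    src: "etc/{{ item }}.j2"
    dest: "/etc/{{ item }}"
    group: root
    owner: root
    mode: "0644"
  loop:
    - "systemd/system/kubelet.service.d/0-kubelet-extra-args.conf"
    - "sysconfig/kubelet"
  when:
    - ansible_service_mgr == "systemd"

- name: Configure kubelet service for CRI-O
  ansible.builtin.template:
    src: "etc/{{ item }}.j2"
    dest: "/etc/{{ item }}"
    group: root
    owner: root
    mode: "0644"
  loop:
    - "systemd/system/kubelet.service.d/11-cgroups.conf"
  when:
    - ansible_service_mgr == "systemd"
    - kubernetes_cri == "cri-o"

- name: Configure kubelet service (non-systemd)
  ansible.builtin.template:
    src: "etc/{{ item }}.j2"
    dest: "/etc/{{ item }}"
    group: root
    owner: root
    mode: "0644"
  loop:
    - "sysconfig/kubelet"
  when:
    - not ansible_service_mgr == "systemd"

- name: Enable kubelet on boot
  ansible.builtin.service:
    name: kubelet
    state: started
    enabled: true

- name: Audit policies directory
  ansible.builtin.file:
    path: "/etc/kubernetes/policies"
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - kubernetes_master | bool

# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
# Alternatively, fetch those rules for use with Falco.
# NOTE: this only ships the policy file; the API server still has to be
# started with --audit-policy-file / --audit-log-path (presumably done by the
# kubeadm-config template) for any audit events to be produced.
- name: Configure audit policy
  ansible.builtin.copy:
    src: "etc/kubernetes/policies/audit-policy.yaml"
    dest: "/etc/kubernetes/policies/audit-policy.yaml"
    group: root
    owner: root
    mode: "0644"
  when:
    - kubernetes_master | bool

# ---------------------------------------------------------------------------
# First controller
# ---------------------------------------------------------------------------

# admin.conf only exists on a control-plane node that kubeadm has already
# initialised or joined; its presence is what defines the "configured" group.
- name: Check if /etc/kubernetes/admin.conf already exists
  ansible.builtin.stat:
    path: /etc/kubernetes/admin.conf
  register: st
  check_mode: false
  changed_when: false

- name: Create KubernetesMasterConfigured group
  ansible.builtin.group_by:
    key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }}
  check_mode: false
  when:
    - st.stat.exists

# `set -o pipefail` is a bash-ism; pin the interpreter so the pipelines below
# do not silently lose the flag (or fail outright) on hosts whose /bin/sh is
# dash or busybox.
- name: Retrieve kubeadm major version
  ansible.builtin.shell: set -o pipefail && kubeadm version | sed 's/.*{Major:"\([0-9]\)".*/\1/'
  args:
    executable: /bin/bash
  register: kubeadm_version_major
  check_mode: false
  changed_when: false

- name: Retrieve kubeadm minor version
  ansible.builtin.shell: set -o pipefail && kubeadm version | sed -e 's/.* Minor:"\([0-9]*\)".*/\1/'
  args:
    executable: /bin/bash
  register: kubeadm_version_minor
  check_mode: false
  changed_when: false

# The controller that hands out join material: first member of the cluster's
# master group unless the inventory overrides lb_kubemaster.
- name: Define a default lb_kubemaster
  ansible.builtin.set_fact:
    lb_kubemaster: "{{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }}"
  when:
    - lb_kubemaster is undefined
    # - groups['KubernetesMasters'] | length > 1
  changed_when: false
  check_mode: false

- name: Deploy first controller
  block:
    - name: Deploy initial kubeadm config
      ansible.builtin.template:
        src: kubeadm-config.yaml.j2
        dest: /root/kubeadm-config.yaml
        owner: root
        group: root
        mode: "0600"

    # `creates` is a belt-and-braces guard: even if the group membership
    # above is stale, an already-initialised node is never re-initialised.
    - name: Init Kubernetes on {{ groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] }}
      ansible.builtin.command: kubeadm init --config=/root/kubeadm-config.yaml
      args:
        creates: /etc/kubernetes/admin.conf

    - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group
      ansible.builtin.group_by:
        key: KubernetesMasterConfigured_{{ kubernetes_cluster_name }}
      check_mode: false
  when:
    - groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined
    - groups['KubernetesMasters_' ~ kubernetes_cluster_name][0] == ansible_hostname

# ---------------------------------------------------------------------------
# Every other node: join
# ---------------------------------------------------------------------------

# rc == 0 -> node already registered; rc == 1 -> "NotFound" (or, NOTE, an
# unreachable API server - the join below would then fail loudly, which is
# the safer outcome).
- name: Test if server node already included
  ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes {{ ansible_hostname | lower }}
  delegate_to: "{{ lb_kubemaster }}"
  register: server_enrolled
  changed_when: false
  failed_when: false
  check_mode: false

# - name: Deploy kubeadm config
#   ansible.builtin.template:
#     src: kubeadm-config.yaml.j2
#     dest: /root/kubeadm-config.yaml
#     owner: root
#     group: root
#     mode: "0600"
#   when:
#     - not groups['KubernetesMasters'][0] == ansible_hostname
#     - server_enrolled.rc == 1

# The certificate key decrypts the control-plane PKI uploaded to the
# kubeadm-certs Secret (kubeadm expires that Secret after two hours). It is a
# secret: no_log keeps it out of the play output and registered-var dumps.
- name: Retrieve certificate key on {{ lb_kubemaster }}
  ansible.builtin.shell: set -o pipefail && kubeadm init phase upload-certs --upload-certs | grep -v upload-certs
  args:
    executable: /bin/bash
  register: kubernetes_certificateKey
  check_mode: false
  no_log: true
  delegate_to: "{{ lb_kubemaster }}"
  when:
    - server_enrolled.rc == 1
    - kubernetes_master | bool

# A bootstrap token grants node-join rights to anyone who holds it (default
# TTL 24h, one per joining node); never let it be printed.
- name: Retrieve token on {{ lb_kubemaster }}
  ansible.builtin.command: kubeadm token create
  register: kubetoken
  delegate_to: "{{ lb_kubemaster }}"
  check_mode: false
  no_log: true
  when:
    - server_enrolled.rc == 1

# SHA-256 of the CA's SubjectPublicKeyInfo, i.e. the discovery-token-ca-cert
# hash that lets the joining node authenticate the control plane.
# `openssl pkey` emits the same SPKI DER as the `openssl rsa -pubin` form used
# by the kubeadm docs, but also works when the CA key is ECDSA.
- name: Retrieve CA certificate hash
  ansible.builtin.shell: >
    set -o pipefail &&
    openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |
    openssl pkey -pubin -outform der 2>/dev/null |
    openssl dgst -sha256 -hex |
    sed 's/^.* //'
  args:
    executable: /bin/bash
  register: cacerthash
  delegate_to: "{{ lb_kubemaster }}"
  check_mode: false
  when:
    - server_enrolled.rc == 1

# The rendered config presumably embeds the token and certificate key above;
# no_log also suppresses --diff output of its contents.
- name: Deploy kubeadm config
  ansible.builtin.template:
    src: kubeadm-config.yaml.j2
    dest: /root/kubeadm-config.yaml
    owner: root
    group: root
    mode: "0600"
  no_log: true
  when:
    - server_enrolled.rc == 1

- name: Join '{{ ansible_hostname }}' to Kubernetes cluster
  ansible.builtin.command: kubeadm join --config=/root/kubeadm-config.yaml
  args:
    creates: /etc/kubernetes/kubelet.conf
  when:
    - server_enrolled.rc == 1

# Do not leave the bootstrap token / certificate key lying on disk once the
# node has joined; the file is only needed for the single join above.
- name: Remove rendered kubeadm join config
  ansible.builtin.file:
    path: /root/kubeadm-config.yaml
    state: absent
  when:
    - server_enrolled.rc == 1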