c12s-kubespray/roles/kubernetes/preinstall/tasks/verify-settings.yml

86 lines
3.1 KiB
YAML
Raw Normal View History

---
- name: Stop if ansible version is too low
assert:
that:
2017-10-17 10:14:29 +00:00
- ansible_version.full|version_compare('2.3.0', '>=')
run_once: yes
- name: Stop if non systemd OS type
assert:
that: ansible_service_mgr == "systemd"
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if unknown OS
assert:
that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS']
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if unknown network plugin
assert:
that: network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud']
when: network_plugin is defined
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if incompatible network plugin and cloudprovider
assert:
that: network_plugin != 'calico'
msg: "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
when: cloud_provider is defined and cloud_provider == 'azure'
ignore_errors: "{{ ignore_assert_errors }}"
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
assert:
that: item.value|type_debug == 'bool'
msg: "{{item.value}} isn't a bool"
run_once: yes
with_items:
- { name: kubeadm_enabled, value: "{{ kubeadm_enabled }}" }
- { name: download_run_once, value: "{{ download_run_once }}" }
- { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
- { name: download_always_pull, value: "{{ download_always_pull }}" }
- { name: efk_enabled, value: "{{ efk_enabled }}" }
- { name: helm_enabled, value: "{{ helm_enabled }}" }
- { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
- { name: rbac_enabled, value: "{{ rbac_enabled }}" }
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if even number of etcd hosts
assert:
that: groups.etcd|length is not divisibleby 2
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if memory is too small for masters
assert:
that: ansible_memtotal_mb >= 1500
ignore_errors: "{{ ignore_assert_errors }}"
when: inventory_hostname in groups['kube-master']
- name: Stop if memory is too small for nodes
assert:
that: ansible_memtotal_mb >= 1024
ignore_errors: "{{ ignore_assert_errors }}"
when: inventory_hostname in groups['kube-node']
- name: Stop if ip var does not match local ips
assert:
that: ip in ansible_all_ipv4_addresses
ignore_errors: "{{ ignore_assert_errors }}"
when: ip is defined
- name: Stop if access_ip is not pingable
command: ping -c1 {{ access_ip }}
when: access_ip is defined
ignore_errors: "{{ ignore_assert_errors }}"
2017-10-27 16:57:12 +00:00
- name: Stop if swap enabled
assert:
that: ansible_swaptotal_mb == 0
when: kubelet_fail_swap_on|default(true)
ignore_errors: "{{ ignore_assert_errors }}"
Support for disabling apiserver insecure port This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to: 1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS) 2. Add apiserver client cert/key to the "Wait for apiserver up" checks 3. Update apiserver liveness probe to use HTTPS ports 4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately) 5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well. Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check. Options: 1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not. 2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port) 3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest) Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 20:01:10 +00:00
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when: kube_apiserver_insecure_port == 0
ignore_errors: "{{ ignore_assert_errors }}"