2017-09-27 13:47:47 +00:00
---
2018-09-20 13:09:25 +00:00
- name : Stop if either kube-master, kube-node or etcd is empty
assert :
that : groups.get('{{ item }}')
with_items :
- kube-master
- kube-node
- etcd
run_once : true
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2018-09-20 13:09:25 +00:00
2017-09-27 13:47:47 +00:00
- name : Stop if non systemd OS type
assert :
that : ansible_service_mgr == "systemd"
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2017-09-27 13:47:47 +00:00
- name : Stop if unknown OS
assert :
2020-02-18 08:15:29 +00:00
that : ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Coreos', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse', 'ClearLinux', 'OracleLinux']
2019-12-05 15:24:32 +00:00
msg : "{{ ansible_os_family }} is not a known OS"
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2017-09-27 13:47:47 +00:00
- name : Stop if unknown network plugin
assert :
2019-07-31 03:10:20 +00:00
that : kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'contiv', 'kube-ovn', 'kube-router', 'macvlan']
2019-12-05 15:24:32 +00:00
msg : "{{ kube_network_plugin }} is not supported"
2020-03-10 15:09:36 +00:00
when :
- kube_network_plugin is defined
- not ignore_assert_errors
2017-09-27 13:47:47 +00:00
- name : Stop if incompatible network plugin and cloudprovider
assert :
2018-05-18 17:57:09 +00:00
that : kube_network_plugin != 'calico'
2017-09-29 07:17:18 +00:00
msg : "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
2020-03-10 15:09:36 +00:00
when :
- cloud_provider is defined and cloud_provider == 'azure'
- not ignore_assert_errors
2017-09-27 13:47:47 +00:00
2019-06-11 06:18:15 +00:00
- name : Stop if unsupported version of Kubernetes
assert :
that : kube_version is version(kube_version_min_required, '>=')
2019-09-25 11:04:00 +00:00
msg : "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2019-06-11 06:18:15 +00:00
2017-11-03 07:11:14 +00:00
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
2017-09-27 13:47:47 +00:00
- name : "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
assert :
2017-11-03 07:11:14 +00:00
that : item.value|type_debug == 'bool'
2019-05-02 21:24:21 +00:00
msg : "{{ item.value }} isn't a bool"
2017-09-27 13:47:47 +00:00
run_once : yes
with_items :
2017-11-03 07:11:14 +00:00
- { name: download_run_once, value : "{{ download_run_once }}" }
- { name: deploy_netchecker, value : "{{ deploy_netchecker }}" }
- { name: download_always_pull, value : "{{ download_always_pull }}" }
- { name: helm_enabled, value : "{{ helm_enabled }}" }
- { name: openstack_lbaas_enabled, value : "{{ openstack_lbaas_enabled }}" }
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2017-09-27 13:47:47 +00:00
- name : Stop if even number of etcd hosts
assert :
that : groups.etcd|length is not divisibleby 2
2020-03-10 15:09:36 +00:00
when :
- not ignore_assert_errors
- inventory_hostname in groups['etcd']
2017-09-27 13:47:47 +00:00
- name : Stop if memory is too small for masters
assert :
2019-06-11 06:22:15 +00:00
that : ansible_memtotal_mb >= minimal_master_memory_mb
2020-03-10 15:09:36 +00:00
when :
- not ignore_assert_errors
- inventory_hostname in groups['kube-master']
2017-09-27 13:47:47 +00:00
- name : Stop if memory is too small for nodes
assert :
2019-06-11 06:22:15 +00:00
that : ansible_memtotal_mb >= minimal_node_memory_mb
2020-03-10 15:09:36 +00:00
when :
- not ignore_assert_errors
- inventory_hostname in groups['kube-node']
2017-09-27 13:47:47 +00:00
2018-05-15 14:34:03 +00:00
# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name : Guarantee that enough network address space is available for all pods
assert :
2018-12-26 21:58:53 +00:00
that : "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
2018-05-15 14:34:03 +00:00
msg : "Do not schedule more pods on a node than inet addresses are available."
when :
2020-03-10 15:09:36 +00:00
- not ignore_assert_errors
2019-10-17 12:48:38 +00:00
- inventory_hostname in groups['k8s-cluster']
2018-05-15 14:34:03 +00:00
- kube_network_node_prefix is defined
2020-02-20 08:39:03 +00:00
- kube_network_plugin != 'calico'
2018-05-15 14:34:03 +00:00
2017-09-27 13:47:47 +00:00
- name : Stop if ip var does not match local ips
assert :
that : ip in ansible_all_ipv4_addresses
2020-03-10 15:09:36 +00:00
when :
- not ignore_assert_errors
- ip is defined
2017-09-27 13:47:47 +00:00
- name : Stop if access_ip is not pingable
command : ping -c1 {{ access_ip }}
2020-03-10 15:09:36 +00:00
when :
- access_ip is defined
- not ignore_assert_errors
2017-10-27 16:57:12 +00:00
2017-11-09 21:59:30 +00:00
- name : Stop if RBAC is not enabled when dashboard is enabled
assert :
that : rbac_enabled
2020-03-10 15:09:36 +00:00
when :
- dashboard_enabled
- not ignore_assert_errors
2017-11-06 20:01:10 +00:00
2018-07-20 14:56:38 +00:00
- name : Stop if RBAC is not enabled when OCI cloud controller is enabled
assert :
that : rbac_enabled
2020-03-10 15:09:36 +00:00
when :
- cloud_provider is defined and cloud_provider == "oci"
- not ignore_assert_errors
2018-07-20 14:56:38 +00:00
2017-11-06 20:01:10 +00:00
- name : Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert :
that : rbac_enabled and kube_api_anonymous_auth
2020-03-10 15:09:36 +00:00
when :
- kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube-master']
- not ignore_assert_errors
2018-02-17 03:37:47 +00:00
- name : Stop if kernel version is too low
assert :
2018-10-16 22:33:30 +00:00
that : ansible_kernel.split('-')[0] is version('4.8', '>=')
2020-03-10 15:09:36 +00:00
when :
- kube_network_plugin == 'cilium'
- not ignore_assert_errors
2018-08-19 15:20:36 +00:00
- name : Stop if bad hostname
assert :
2018-10-17 19:27:11 +00:00
that : inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
2018-08-20 13:06:52 +00:00
msg : "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
2020-03-10 15:09:36 +00:00
when : not ignore_assert_errors
2018-08-23 14:51:52 +00:00
- name : check cloud_provider value
assert :
that : cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
msg : "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external"
when :
- cloud_provider is defined
2020-03-10 15:09:36 +00:00
- not ignore_assert_errors
2018-08-23 14:51:52 +00:00
tags :
- cloud-provider
- facts
2018-09-18 20:13:15 +00:00
2019-07-15 14:47:09 +00:00
- name : Ensure minimum calico version
assert :
that : calico_version is version('v3.0.0', '>=')
msg : "calico_version is too low. Minimum version v3.0.0"
run_once : yes
when :
- kube_network_plugin == 'calico'
2018-09-18 20:13:15 +00:00
- name : "Get current version of calico cluster version"
2019-04-15 11:24:04 +00:00
shell : "{{ bin_dir }}/calicoctl.sh version | grep 'Cluster Version:' | awk '{ print $3}'"
2018-09-18 20:13:15 +00:00
register : calico_version_on_server
run_once : yes
2019-02-26 04:09:30 +00:00
changed_when : false
2019-04-15 11:24:04 +00:00
failed_when : false
2018-12-06 10:33:38 +00:00
when :
- kube_network_plugin == 'calico'
2018-09-18 20:13:15 +00:00
2018-10-24 03:39:15 +00:00
- name : "Check that calico version is enough for upgrade"
2018-09-18 20:13:15 +00:00
assert :
that :
2018-10-16 22:33:30 +00:00
- calico_version_on_server.stdout is version('v2.6.5', '>=')
2018-09-18 20:13:15 +00:00
msg : "Your version of calico is not fresh enough for upgrade. Minimum version v2.6.5"
when :
2018-12-06 10:33:38 +00:00
- kube_network_plugin == 'calico'
2018-09-18 20:13:15 +00:00
- 'calico_version_on_server.stdout is defined'
2019-04-29 06:00:20 +00:00
- calico_version_on_server.stdout
2018-09-18 20:13:15 +00:00
- inventory_hostname == groups['kube-master'][0]
run_once : yes
2018-10-11 13:28:21 +00:00
2019-08-08 14:37:22 +00:00
- name : "Check that cluster_id is set if calico_rr enabled"
assert :
that :
- cluster_id is defined
msg : "A unique cluster_id is required if using calico_rr"
when :
- kube_network_plugin == 'calico'
- peer_with_calico_rr
- inventory_hostname == groups['kube-master'][0]
run_once : yes
- name : "Check that calico_rr nodes are in k8s-cluster group"
assert :
that :
- '"k8s-cluster" in group_names'
msg : "calico-rr must be a child group of k8s-cluster group"
when :
- kube_network_plugin == 'calico'
- '"calico-rr" in group_names'
2018-10-11 13:28:21 +00:00
- name : "Check that kube_service_addresses is a network range"
assert :
that :
2019-02-11 22:12:06 +00:00
- kube_service_addresses | ipaddr('net')
msg : "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
2018-10-11 13:28:21 +00:00
run_once : yes
- name : "Check that kube_pods_subnet is a network range"
assert :
that :
2019-02-11 22:12:06 +00:00
- kube_pods_subnet | ipaddr('net')
msg : "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
2018-10-11 13:28:21 +00:00
run_once : yes
- name : "Check that kube_pods_subnet does not collide with kube_service_addresses"
assert :
that :
- kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
msg : "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
run_once : yes
- name : Stop if unknown dns mode
assert :
2019-04-01 19:32:34 +00:00
that : dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
msg : "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
2018-10-11 13:28:21 +00:00
when : dns_mode is defined
run_once : true
- name : Stop if unknown kube proxy mode
assert :
that : kube_proxy_mode in ['iptables', 'ipvs']
msg : "kube_proxy_mode can only be 'iptables' or 'ipvs'"
when : kube_proxy_mode is defined
run_once : true
2018-11-10 16:51:24 +00:00
- name : Stop if vault is chose
2018-10-11 13:28:21 +00:00
assert :
2018-11-10 16:51:24 +00:00
that : cert_management != 'vault'
msg : "Support for vault have been removed, please use 'script' or 'none'"
2018-10-11 13:28:21 +00:00
when : cert_management is defined
run_once : true
2018-11-10 16:51:24 +00:00
- name : Stop if unknown cert_management
assert :
that : cert_management|d('script') in ['script', 'none']
msg : "cert_management can only be 'script' or 'none'"
run_once : true
2018-10-11 13:28:21 +00:00
- name : Stop if unknown resolvconf_mode
assert :
that : resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
msg : "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
when : resolvconf_mode is defined
run_once : true
2019-06-20 18:12:51 +00:00
- name : Stop if kubeadm etcd mode is enabled but experimental control plane is not
assert :
that : kubeadm_control_plane
msg : "kubeadm etcd mode requires experimental control plane"
when : etcd_kubeadm_enabled
2020-03-05 15:31:39 +00:00
- name : Stop if download_localhost is enabled but download_run_once is not
assert :
that : download_run_once
msg : "download_localhost requires enable download_run_once"
when : download_localhost
- name : Stop if download_localhost is enabled when container_manager not docker
assert :
that : container_manager == 'docker'
msg : "download_run_once support only for docker. See https://github.com/containerd/containerd/issues/4075 for details"
when : download_run_once or download_force_cache
- name : Stop if download_localhost is enabled for CoreOS or Flatcar
assert :
that : ansible_os_family not in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"]
msg : "download_run_once not support for CoreOS or Flatcar"
when : download_run_once or download_force_cache