c12s-kubespray/roles/kubernetes-apps/rotate_tokens/tasks/main.yml

---
#FIXME(mattymo): Exclude built in secrets that were automatically rotated,
#instead of filtering manually
- name: Rotate Tokens | Get all serviceaccount tokens to expire
  shell: >-
    {{ bin_dir }}/kubectl get secrets --all-namespaces
    -o 'jsonpath={range .items[*]}{"\n"}{.metadata.namespace}{" "}{.metadata.name}{" "}{.type}{end}'
    | grep kubernetes.io/service-account-token
    | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
  register: tokens_to_delete
  run_once: true

- name: Rotate Tokens | Delete expired tokens
  command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
  with_items: "{{ tokens_to_delete.stdout_lines }}"
  run_once: true

- name: Rotate Tokens | Delete pods in system namespace
  command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
  run_once: true
Upgrade to kubeadm (#1667) * Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1 2017-09-26 09:38:58 +00:00			`---`
			`#FIXME(mattymo): Exclude built in secrets that were automatically rotated,`
			`#instead of filtering manually`
			`- name: Rotate Tokens \| Get all serviceaccount tokens to expire`
			`shell: >-`
			`{{ bin_dir }}/kubectl get secrets --all-namespaces`
			`-o 'jsonpath={range .items[*]}{"\n"}{.metadata.namespace}{" "}{.metadata.name}{" "}{.type}{end}'`
			`\| grep kubernetes.io/service-account-token`
			`\| egrep 'default-token\|kube-proxy\|kube-dns\|dnsmasq\|netchecker\|weave\|calico\|canal\|flannel\|dashboard\|cluster-proportional-autoscaler\|efk\|tiller'`
			`register: tokens_to_delete`
			`run_once: true`

			`- name: Rotate Tokens \| Delete expired tokens`
			`command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"`
			`with_items: "{{ tokens_to_delete.stdout_lines }}"`
			`run_once: true`

			`- name: Rotate Tokens \| Delete pods in system namespace`
			`command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"`
			`run_once: true`