---
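# Fail early when a mandatory inventory group has no hosts.
# Skipped when ignore_assert_errors is truthy.
- name: Stop if either kube_control_plane or kube_node group is empty
  assert:
    # `that` is already evaluated as a Jinja2 conditional, so the loop
    # variable is passed directly instead of being spliced into the
    # expression text with "{{ item }}". Ansible flags templating delimiters
    # inside conditionals because the rendered text is evaluated again.
    that: groups.get(item)
  with_items:
    - kube_control_plane
    - kube_node
  run_once: true
  when: not ignore_assert_errors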
# When etcd_deployment_type is anything other than "kubeadm", the 'etcd'
# inventory group must contain at least one host.
- name: Stop if etcd group is empty in external etcd mode
  assert:
    that:
      - groups.get('etcd')
    fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
  run_once: true
  when:
    - not ignore_assert_errors
    - etcd_deployment_type != "kubeadm"
# Abort on hosts whose ansible_service_mgr fact is not systemd.
- name: Stop if non systemd OS type
  assert:
    that:
      - 'ansible_service_mgr == "systemd"'
  when:
    - not ignore_assert_errors
# Allow-list of distributions; any other ansible_distribution value aborts
# the run unless ignore_assert_errors is truthy.
- name: Stop if unknown OS
  assert:
    # Folded scalar: the line breaks below collapse to single spaces.
    that: >-
      ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu',
      'Debian', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse',
      'openSUSE Leap', 'ClearLinux', 'OracleLinux', 'AlmaLinux', 'Rocky',
      'Amazon']
    msg: "{{ ansible_distribution }} is not a known OS"
  when:
    - not ignore_assert_errors
# Allow-list of network plugins; only checked when kube_network_plugin is
# defined.
- name: Stop if unknown network plugin
  assert:
    # Folded scalar: the line breaks below collapse to single spaces.
    that: >-
      kube_network_plugin in ['calico', 'canal', 'flannel', 'weave',
      'cloud', 'cilium', 'cni','kube-ovn', 'kube-router', 'macvlan']
    msg: "{{ kube_network_plugin }} is not supported"
  when:
    - kube_network_plugin is defined
    - not ignore_assert_errors
# kube_version must be at least kube_version_min_required.
- name: Stop if unsupported version of Kubernetes
  assert:
    that:
      - kube_version is version(kube_version_min_required, '>=')
    msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  when:
    - not ignore_assert_errors
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
# Each listed variable must be a real boolean: type_debug has to report
# 'bool', so a value that arrived as a string fails the check.
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  assert:
    that:
      - item.value|type_debug == 'bool'
    msg: "{{ item.value }} isn't a bool"
  run_once: true
  with_items:
    - name: download_run_once
      value: "{{ download_run_once }}"
    - name: deploy_netchecker
      value: "{{ deploy_netchecker }}"
    - name: download_always_pull
      value: "{{ download_always_pull }}"
    - name: helm_enabled
      value: "{{ helm_enabled }}"
    - name: openstack_lbaas_enabled
      value: "{{ openstack_lbaas_enabled }}"
  when:
    - not ignore_assert_errors
# Evaluated only on hosts in the 'etcd' group: the group size must be odd.
- name: Stop if even number of etcd hosts
  assert:
    that:
      - groups.etcd|length is not divisibleby 2
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups.get('etcd',[])
# Control-plane hosts need at least minimal_master_memory_mb of RAM, as
# reported by the ansible_memtotal_mb fact.
- name: Stop if memory is too small for masters
  assert:
    that:
      - ansible_memtotal_mb >= minimal_master_memory_mb
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['kube_control_plane']
# Hosts in kube_node need at least minimal_node_memory_mb of RAM, as
# reported by the ansible_memtotal_mb fact.
- name: Stop if memory is too small for nodes
  assert:
    that:
      - ansible_memtotal_mb >= minimal_node_memory_mb
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['kube_node']
# From kube_version v1.22.0 onwards dynamic_kubelet_configuration must be
# off. This check has no ignore_assert_errors escape hatch.
- name: Stop when dynamic_kubelet_configuration enabled for kubernetes >= 1.22
  assert:
    that:
      - not dynamic_kubelet_configuration
    msg: >
      Feature DynamicKubeletConfig is deprecated in 1.22 and will not move to GA.
      It is planned to be removed from Kubernetes in the version 1.23.
      Please use alternative ways to update kubelet configuration.
  when: kube_version is version('v1.22.0', '>=')
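# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
  assert:
    # Written as a bare expression: `that` is already evaluated as a Jinja2
    # conditional, and wrapping it in {{ }} renders the expression first and
    # then evaluates the rendered text a second time.
    # kubelet_max_pods falls back to 110 when unset; the right-hand side is
    # the address count of a /kube_network_node_prefix IPv4 range minus 2.
    that: "(kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2"
    msg: "Do not schedule more pods on a node than inet addresses are available."
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['k8s_cluster']
    - kube_network_node_prefix is defined
    - kube_network_plugin != 'calico'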
# When `ip` is set for a host, it must be one of the IPv4 addresses Ansible
# gathered from that host.
- name: Stop if ip var does not match local ips
  assert:
    that:
      - ip in ansible_all_ipv4_addresses
    msg: "'{{ ansible_all_ipv4_addresses }}' do not contain '{{ ip }}'"
  when:
    - not ignore_assert_errors
    - ip is defined
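# Reachability probe: a non-zero exit from ping fails the task.
- name: Stop if access_ip is not pingable
  command:
    # argv hands access_ip to ping as exactly one argument. The free-form
    # string form is split on whitespace, so an inventory value containing
    # spaces would turn into additional ping arguments.
    argv:
      - ping
      - '-c1'
      - "{{ access_ip }}"
  # A probe changes nothing on the host; do not report it as a change.
  changed_when: false
  when:
    - access_ip is defined
    - not ignore_assert_errors
    - ping_access_ip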
# The dashboard may only be enabled together with RBAC.
- name: Stop if RBAC is not enabled when dashboard is enabled
  assert:
    that:
      - rbac_enabled
  when:
    - dashboard_enabled
    - not ignore_assert_errors
# cloud_provider "oci" may only be used together with RBAC.
- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  assert:
    that:
      - rbac_enabled
  when:
    - cloud_provider is defined and cloud_provider == "oci"
    - not ignore_assert_errors
# On control-plane hosts with kube_apiserver_insecure_port == 0, both
# rbac_enabled and kube_api_anonymous_auth must be truthy.
# NOTE(review): this makes anonymous API access mandatory in that mode, so
# RBAC is the only control on what unauthenticated callers can reach;
# presumably needed for unauthenticated health checks - confirm.
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
  assert:
    that:
      - rbac_enabled and kube_api_anonymous_auth
  when:
    - kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane']
    - not ignore_assert_errors
# Applies when cilium is the network plugin or is deployed additionally.
# Only the part of ansible_kernel before the first '-' is compared.
- name: Stop if kernel version is too low
  assert:
    that:
      - "ansible_kernel.split('-')[0] is version('4.9.17', '>=')"
  when:
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
    - not ignore_assert_errors
# inventory_hostname must be dot-separated labels of lower-case
# alphanumerics and '-', each label starting and ending alphanumeric.
- name: Stop if bad hostname
  assert:
    # Single-quoted so YAML keeps the backslash in the regex literal.
    that:
      - 'inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")'
    msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  when:
    - not ignore_assert_errors
# Allow-list for cloud_provider; only checked when the variable is defined.
- name: check cloud_provider value
  assert:
    that:
      - cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
    msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'"
  when:
    - cloud_provider is defined
    - not ignore_assert_errors
  tags:
    - cloud-provider
    - facts
# ipaddr('net') must return a truthy value for kube_service_addresses.
# This check has no ignore_assert_errors escape hatch.
- name: "Check that kube_service_addresses is a network range"
  assert:
    that: kube_service_addresses | ipaddr('net')
    msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  run_once: true
# ipaddr('net') must return a truthy value for kube_pods_subnet.
# This check has no ignore_assert_errors escape hatch.
- name: "Check that kube_pods_subnet is a network range"
  assert:
    that: kube_pods_subnet | ipaddr('net')
    msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  run_once: true
# Passes only when ipaddr(kube_service_addresses) applied to kube_pods_subnet
# stringifies to 'None'.
- name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
  assert:
    that: kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
    msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  run_once: true
# The pod subnet must split into at least as many node-sized ranges as there
# are hosts in k8s_cluster: 2 ** (node prefix - subnet prefix) >= host count.
- name: "Check that IP range is enough for the nodes"
  assert:
    that: 2 ** (kube_network_node_prefix - kube_pods_subnet | ipaddr('prefix')) >= groups['k8s_cluster'] | length
    msg: "Not enough IPs are available for the desired node count."
  run_once: true
# Allow-list for dns_mode; only checked when the variable is defined.
- name: Stop if unknown dns mode
  assert:
    that:
      - dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
    msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  when:
    - dns_mode is defined
  run_once: true
# Allow-list for kube_proxy_mode; only checked when the variable is defined.
- name: Stop if unknown kube proxy mode
  assert:
    that:
      - kube_proxy_mode in ['iptables', 'ipvs']
    msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  when:
    - kube_proxy_mode is defined
  run_once: true
# Allow-list for cert_management; an unset variable is treated as 'script'.
- name: Stop if unknown cert_management
  assert:
    that:
      - cert_management|d('script') in ['script', 'none']
    msg: "cert_management can only be 'script' or 'none'"
  run_once: true
# Allow-list for resolvconf_mode; only checked when the variable is defined.
- name: Stop if unknown resolvconf_mode
  assert:
    that:
      - resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
    msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  when:
    - resolvconf_mode is defined
  run_once: true
# Allow-list for etcd_deployment_type, evaluated on hosts in the 'etcd' group.
- name: Stop if etcd deployment type is not host, docker or kubeadm
  assert:
    that:
      - etcd_deployment_type in ['host', 'docker', 'kubeadm']
    msg: "The etcd deployment type, 'etcd_deployment_type', must be host, docker or kubeadm"
  when: inventory_hostname in groups.get('etcd',[])
# Allow-list for container_manager.
- name: Stop if container manager is not docker, crio or containerd
  assert:
    that:
      - container_manager in ['docker', 'crio', 'containerd']
    msg: "The container manager, 'container_manager', must be docker, crio or containerd"
  run_once: true
# With a container manager other than docker, etcd_deployment_type may only
# be 'host' or 'kubeadm'. Evaluated on hosts in the 'etcd' group.
- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker
  assert:
    that:
      - etcd_deployment_type in ['host', 'kubeadm']
    msg: "The etcd deployment type, 'etcd_deployment_type', must be host or kubeadm when container_manager is not docker"
  when:
    - inventory_hostname in groups.get('etcd',[])
    - container_manager != 'docker'
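# TODO: Clean this task up when we drop backward compatibility support for `etcd_kubeadm_enabled`
# Runs only when the deprecated `etcd_kubeadm_enabled` variable is defined:
# first a deprecation warning, then, if the variable is truthy, a check that
# etcd_deployment_type agrees with it.
# NOTE(review): the listing lost its indentation; run_once and the final
# `when` are assumed to sit on the block, not on the inner assert - confirm
# against the repository copy.
- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker and etcd_kubeadm_enabled is not defined
  block:
    - name: Warn the user if they are still using `etcd_kubeadm_enabled`
      debug:
        msg: >
          "WARNING! => `etcd_kubeadm_enabled` is deprecated and will be removed in a future release.
          You can set `etcd_deployment_type` to `kubeadm` instead of setting `etcd_kubeadm_enabled` to `true`."
      # debug never changes a host; presumably forced to "changed" so the
      # warning stands out in the play recap.
      changed_when: true
    # Task name typo fixed (`kubadm` -> `kubeadm`).
    # NOTE(review): the name mentions `host`, but the assertion accepts only
    # 'kubeadm' - confirm which is intended.
    - name: Stop if `etcd_kubeadm_enabled` is defined and `etcd_deployment_type` is not `kubeadm` or `host`
      assert:
        that: etcd_deployment_type == 'kubeadm'
        # The unmatched trailing double quote was dropped from the message.
        msg: >
          It is not possible to use `etcd_kubeadm_enabled` when `etcd_deployment_type` is set to {{ etcd_deployment_type }}.
          Unset the `etcd_kubeadm_enabled` variable and set `etcd_deployment_type` to desired deployment type (`host`, `kubeadm`, `docker`) instead.
      when: etcd_kubeadm_enabled
  run_once: true
  when: etcd_kubeadm_enabled is defined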
# download_localhost is only valid together with download_run_once.
- name: Stop if download_localhost is enabled but download_run_once is not
  assert:
    that:
      - download_run_once
    msg: "download_localhost requires enable download_run_once"
  when:
    - download_localhost
# Kata containers cannot be combined with container_manager 'docker'.
- name: Stop if kata_containers_enabled is enabled when container_manager is docker
  assert:
    that:
      - container_manager != 'docker'
    msg: "kata_containers_enabled support only for containerd and crio-o. See https://github.com/kata-containers/documentation/blob/1.11.4/how-to/run-kata-with-k8s.md#install-a-cri-implementation for details"
  when:
    - kata_containers_enabled
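# Kata containers 2.3.0 and later need Kubernetes 1.22.0 or later.
- name: Stop if kata_containers_version is >= 2.3.0 and kube_version < 1.22.0
  assert:
    # '>=' rather than '>': the task name stops only below 1.22.0 and the
    # message says "1.22.0+", so v1.22.0 itself has to pass.
    that: kube_version is version('v1.22.0', '>=')
    msg: "Kata containers version 2.3.0 is compatible with Kubernetes 1.22.0+"
  # NOTE(review): evaluated whenever kata_containers_version is 2.3.0 or
  # newer; nothing here checks kata_containers_enabled - confirm intended.
  when: kata_containers_version is version('2.3.0', '>=')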
# gvisor_enabled requires container_manager 'containerd'.
- name: Stop if gvisor_enabled is enabled when container_manager is not containerd
  assert:
    that:
      - container_manager == 'containerd'
    msg: "gvisor_enabled support only compatible with containerd. See https://github.com/kubernetes-sigs/kubespray/issues/7650 for details"
  when:
    - gvisor_enabled
# Rejects Flatcar hosts (by ansible_os_family) when download_run_once or
# download_force_cache is set.
# NOTE(review): the task name says download_localhost, but the condition
# reads download_run_once / download_force_cache - confirm the wording.
- name: Stop if download_localhost is enabled for Flatcar Container Linux
  assert:
    that:
      - 'ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]'
    msg: "download_run_once not supported for Flatcar Container Linux"
  when:
    - download_run_once or download_force_cache
# With container_manager 'containerd', a pinned containerd_version must be at
# least containerd_min_version_required. The channel names 'latest', 'edge'
# and 'stable' are not version-compared.
- name: Ensure minimum containerd version
  assert:
    that:
      - containerd_version is version(containerd_min_version_required, '>=')
    msg: "containerd_version is too low. Minimum version {{ containerd_min_version_required }}"
  run_once: true
  when:
    - containerd_version not in ['latest', 'edge', 'stable']
    - container_manager == 'containerd'
# Runs only when containerd_config is defined, so the assertion always fails
# there; the failure message is how the deprecation is reported.
- name: Stop if using deprecated containerd_config variable
  assert:
    that:
      - containerd_config is not defined
    msg: "Variable containerd_config is now deprecated. See https://github.com/kubernetes-sigs/kubespray/blob/master/inventory/sample/group_vars/all/containerd.yml for details."
  when:
    - containerd_config is defined
    - not ignore_assert_errors
# With an externally managed CA (kube_external_ca_mode truthy), automatic
# certificate renewal has to be switched off.
- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
  assert:
    that:
      - not auto_renew_certificates
    msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
  when:
    - kube_external_ca_mode
    - not ignore_assert_errors