Clear admin kubeconfig when rotating certs (#1772)

* Clear admin kubeconfig when rotating certs

* Update main.yml

roles/kubernetes/client/tasks/main.yml

@@ -28,6 +28,9 @@
   template:
     src: admin.conf.j2
     dest: "{{ kube_config_dir }}/admin.conf"
+    owner: root
+    group: "{{ kube_cert_group }}"
+    mode: 0640
   when: not kubeadm_enabled|d(false)|bool
 
 - name: Create kube config dir
@@ -50,7 +53,6 @@
     dest: "{{ artifacts_dir }}/admin.conf"
     flat: yes
     validate_checksum: no
-  become: no
   run_once: yes
   when: kubeconfig_localhost|default(false)
 

roles/kubernetes/master/handlers/main.yml

@@ -46,5 +46,16 @@
   delay: 6
 
 - name: Master | set secret_changed
+  command: /bin/true
+  notify:
+    - Master | set secret_changed to true
+    - Master | clear kubeconfig for root user
+
+- name: Master | set secret_changed to true
   set_fact:
     secret_changed: true
+
+- name: Master | clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent

roles/kubernetes/secrets/handlers/main.yml

@@ -1,4 +1,15 @@
 ---
 - name: set secret_changed
+  command: /bin/true
+  notify:
+    - set secret_changed to true
+    - clear kubeconfig for root user
+
+- name: set secret_changed to true
   set_fact:
     secret_changed: true
+
+- name: clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent