Only apply roles from first master node to fix regression
parent
50e5f0d28b
commit
f1d2f84043
1 changed files with 11 additions and 1 deletions
|
@ -16,7 +16,9 @@
|
||||||
src: "node-crb.yml.j2"
|
src: "node-crb.yml.j2"
|
||||||
dest: "{{ kube_config_dir }}/node-crb.yml"
|
dest: "{{ kube_config_dir }}/node-crb.yml"
|
||||||
register: node_crb_manifest
|
register: node_crb_manifest
|
||||||
when: rbac_enabled
|
when:
|
||||||
|
- rbac_enabled
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
|
|
||||||
- name: Apply workaround to allow all nodes with cert O=system:nodes to register
|
- name: Apply workaround to allow all nodes with cert O=system:nodes to register
|
||||||
kube:
|
kube:
|
||||||
|
@ -28,6 +30,7 @@
|
||||||
when:
|
when:
|
||||||
- rbac_enabled
|
- rbac_enabled
|
||||||
- node_crb_manifest.changed
|
- node_crb_manifest.changed
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
|
|
||||||
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
|
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
|
||||||
template:
|
template:
|
||||||
|
@ -37,6 +40,7 @@
|
||||||
when:
|
when:
|
||||||
- rbac_enabled
|
- rbac_enabled
|
||||||
- kubelet_authorization_mode_webhook
|
- kubelet_authorization_mode_webhook
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: node-webhook
|
tags: node-webhook
|
||||||
|
|
||||||
- name: Apply webhook ClusterRole
|
- name: Apply webhook ClusterRole
|
||||||
|
@ -50,6 +54,7 @@
|
||||||
- rbac_enabled
|
- rbac_enabled
|
||||||
- kubelet_authorization_mode_webhook
|
- kubelet_authorization_mode_webhook
|
||||||
- node_webhook_cr_manifest.changed
|
- node_webhook_cr_manifest.changed
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: node-webhook
|
tags: node-webhook
|
||||||
|
|
||||||
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
|
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
|
||||||
|
@ -60,6 +65,7 @@
|
||||||
when:
|
when:
|
||||||
- rbac_enabled
|
- rbac_enabled
|
||||||
- kubelet_authorization_mode_webhook
|
- kubelet_authorization_mode_webhook
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: node-webhook
|
tags: node-webhook
|
||||||
|
|
||||||
- name: Grant system:nodes the webhook ClusterRole
|
- name: Grant system:nodes the webhook ClusterRole
|
||||||
|
@ -73,6 +79,7 @@
|
||||||
- rbac_enabled
|
- rbac_enabled
|
||||||
- kubelet_authorization_mode_webhook
|
- kubelet_authorization_mode_webhook
|
||||||
- node_webhook_crb_manifest.changed
|
- node_webhook_crb_manifest.changed
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: node-webhook
|
tags: node-webhook
|
||||||
|
|
||||||
- name: Check if vsphere-cloud-provider ClusterRole exists
|
- name: Check if vsphere-cloud-provider ClusterRole exists
|
||||||
|
@ -85,6 +92,7 @@
|
||||||
- cloud_provider == 'vsphere'
|
- cloud_provider == 'vsphere'
|
||||||
- kube_version | version_compare('v1.9.0', '>=')
|
- kube_version | version_compare('v1.9.0', '>=')
|
||||||
- kube_version | version_compare('v1.9.3', '<=')
|
- kube_version | version_compare('v1.9.3', '<=')
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: vsphere
|
tags: vsphere
|
||||||
|
|
||||||
- name: Write vsphere-cloud-provider ClusterRole manifest
|
- name: Write vsphere-cloud-provider ClusterRole manifest
|
||||||
|
@ -99,6 +107,7 @@
|
||||||
- vsphere_cloud_provider.rc != 0
|
- vsphere_cloud_provider.rc != 0
|
||||||
- kube_version | version_compare('v1.9.0', '>=')
|
- kube_version | version_compare('v1.9.0', '>=')
|
||||||
- kube_version | version_compare('v1.9.3', '<=')
|
- kube_version | version_compare('v1.9.3', '<=')
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: vsphere
|
tags: vsphere
|
||||||
|
|
||||||
- name: Apply vsphere-cloud-provider ClusterRole
|
- name: Apply vsphere-cloud-provider ClusterRole
|
||||||
|
@ -115,6 +124,7 @@
|
||||||
- vsphere_cloud_provider.rc != 0
|
- vsphere_cloud_provider.rc != 0
|
||||||
- kube_version | version_compare('v1.9.0', '>=')
|
- kube_version | version_compare('v1.9.0', '>=')
|
||||||
- kube_version | version_compare('v1.9.3', '<=')
|
- kube_version | version_compare('v1.9.3', '<=')
|
||||||
|
- inventory_hostname == groups['kube-master'][0]
|
||||||
tags: vsphere
|
tags: vsphere
|
||||||
|
|
||||||
# This is not a cluster role, but should be run after kubeconfig is set on master
|
# This is not a cluster role, but should be run after kubeconfig is set on master
|
||||||
|
|
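Review bot: The two vsphere `when:` lists in the hunks at `@ -99` and `@ -115` read `vsphere_cloud_provider.rc != 0` before the new `inventory_hostname == groups['kube-master'][0]` test, which could fail on hosts where the check task was skipped. Ansible evaluates a `when:` list in order, and the hunk at `@ -85` now skips the "Check if vsphere-cloud-provider ClusterRole exists" task on every host but the first master; if `vsphere_cloud_provider` is what that task registers (its `register:` line is outside the visible hunks), the skipped result carries no `rc`. Moving `- inventory_hostname == groups['kube-master'][0]` to the top of those two lists lets evaluation stop before `rc` is read. Because these tasks write and apply cluster-scoped RBAC objects, a comment such as `# cluster-scoped RBAC: apply once, from the first master only` above the guarded tasks would also record why the condition exists and that nothing is applied if that host is excluded from the run.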