Use K8s 1.15 (#4905)

* Use K8s 1.15

* Use Kubernetes 1.15 and use kubeadm.k8s.io/v1beta2 for
  InitConfiguration.
* bump to v1.15.0

* Remove k8s 1.13 checksums.

* Update README kubernetes version 1.15.0.

* Update metrics server 0.3.3 for k8s 1.15

* Remove less than k8s 1.14 related code

* Use kubeadm with --upload-certs instead of --experimental-upload-certs due to depricate

* Update dnsautoscaler 1.6.0

* Skip certificateKey if it's not defined

* Add kubeadm-conftolplane.v2beta2 for k8s 1.15 or later

* Support kubeadm control plane for k8s 1.15

* Update sonobuoy version 0.15.0 for k8s 1.15

README.md

@@ -108,7 +108,7 @@ Supported Components
 --------------------
 
 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.14.3
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.15.0
     -   [etcd](https://github.com/coreos/etcd) v3.3.10
     -   [docker](https://www.docker.com/) v18.06 (see note)
     -   [cri-o](http://cri-o.io/) v1.11.5 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -20,7 +20,7 @@ kube_users_dir: "{{ kube_config_dir }}/users"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.14.3
+kube_version: v1.15.0
 
 # kubernetes image repo define
 kube_image_repo: "gcr.io/google-containers"

roles/download/defaults/main.yml

@@ -48,7 +48,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{ groups['kub
 image_arch: "{{host_architecture | default('amd64')}}"
 
 # Versions
-kube_version: v1.14.3
+kube_version: v1.15.0
 kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.3.10
 
@@ -100,84 +100,42 @@ crictl_checksums:
 # Checksums
 hyperkube_checksums:
   arm:
+    v1.15.0: d923c781031bfd97d0fbe50311e4d7c3616aa5b6d466b99049931f09d73d07b9
     v1.14.3: 3fac785261bcf79f7a80b12c4a1dda893ce8c0879caf57b36d4701730671b574
     v1.14.2: 6929a59850c8702c04d62cd343d1143b17456da040f32317e09f8c25a08d2346
     v1.14.1: 839a4abfeafbd5f5ab057ad0e8a0b0b488b3cde14a646eba040a7f579875f565
     v1.14.0: d090b1da23564a7e9bb8f1f4264f2116536c52611ae203fe2ca13eaad0a8003e
-    v1.13.7: 48e0b381b8a01580dc0627dc52f67617c54c7b78451b46b4cc86d5fa0d5ee1f2
-    v1.13.6: ec8dcfeb11e5ff9cb30873a0c2f0c75274eff5c916623ccdbb64533a1f0d3d67
-    v1.13.5: 0bc1ecec81f94212a44427a8d9e717a523ea09d45886e641796fb20f41028b2f
-    v1.13.4: 2530212d807b00c94109b84be42a7baaea97ba91e6bb6c8bca03ab3d5c343c4c
-    v1.13.3: 4051e88174fedc0ea643466081ca461d9d175f714594dbe5208559fed0c4ae49
-    v1.13.2: a981aa0950e86a4380526a3a53f465ce013b95f6d9d8139a9df4a6406b67316f
-    v1.13.1: 1880ba36aae85474bcea42be0bf37dfa70eb23dd71eb8e956c474e004343f5a4
-    v1.13.0: 41c05bf9b0272322fc947760030c21907c21dd8a88576b20cdb110003e818b8f
   arm64:
+    v1.15.0: 824af7d925b87a5ade63575b98b59ee81005fc76eac1dc399602308d7a60bc3c
     v1.14.3: f29211d668cbcf1aa415dfa64aad95ffc53b5410482a23cddb680caec4e907a3
     v1.14.2: 959fb7d9c17fc8f7cb1a69920aaf08aefd62c0fbf6b5bdc46250f147ea6a5cd4
     v1.14.1: d5236efc2547fd07c7cc2ed9345dfbcd1204385847ca686cf1c62d15056de399
     v1.14.0: 708e00a41f6516d525dee00c91ebe3c3bf2feaf9b7f0af7689487e3e17e356c2
-    v1.13.7: 5fc44231eb96d3a30c9001c6c64b28efb8db9015dcec1baf5032272cc6b674ca
-    v1.13.6: 71cef67197517e22ee0cba1ca047905b9578e2cb1f6b7e43cefbf15d14ac3099
-    v1.13.5: 8ffd84ba0cb6382a0ff96000458db8a83c92cac09458defe8496f0f0e155a6a8
-    v1.13.4: b9e909e388634d103fe5376aafa313bed5e69293383b0c740de4fe8e18d42d12
-    v1.13.3: 588037923b7f4090f5f7a3de23ea49a10345295f0b39bd0c1ebdaa24eaa76731
-    v1.13.2: 7f2c2b0c6dcc81102a89fa41957db214416fc8a0cfae664fc0e150a7d3ad337b
-    v1.13.1: 66205d99ec93090c6d814ab1de7c38cd84257d3dcf3a957618fad5878caea13d
-    v1.13.0: 4391ea0d8d472c1737f1ce945756bf2a11395c708824c780d1a44fbddf031e59
   amd64:
+    v1.15.0: 3cc72cc58517b97c608c7a59a20255675bc70f07217c9e11e58cac7746139283
     v1.14.3: 6c6cb5c118b2129ba4e56697f42567be3587eb636a477cd342b69f87b3b049d1
     v1.14.2: 05546057f2053e085fa8387ab82581c95fe4195cd783408ccbb4fc3487c50176
     v1.14.1: fb34b98da9325feca8daa09bb934dbe6a533aad69c2a5599bbed81b99bb9c267
     v1.14.0: af8b04504365dbe4ce6a1772f42eb390d4221a21149b522fc8a0c4b1cd3d97aa
-    v1.13.7: 972cb9424d7d83660ea96e572520ecb76baecca0dacf61ed8896bcf46a9f63c9
-    v1.13.6: 66ea574972d8b7dbe637e2f435f6b881895bc300fb532302587c0da30e47f2ae
-    v1.13.5: 1a8a357ebfeab8ec62d0c6f11b59df1a93d6711c3a16e1501da32b55c144c73a
-    v1.13.4: 6f2d755a350efec8b3b29e0ddf8362f60475cc10d42dea37f8f2159f7776867b
-    v1.13.3: b238c772b5e4b9deed0cdc695fe86324660d037b38c6d6d7eeae7d7a657840c7
-    v1.13.2: f159b587ec80ad03bf3b9bb09de5d64b773d01b0e34f2a4f1c816879c56aae6d
-    v1.13.1: f64c4328d3853f3e5680e7d296b0f3ed25e67ff98321867309edea100ebb4fd7
-    v1.13.0: 754f1baae5dc2ba29afc66e1f5d3b676ee59cd5c40ccce813092408d53bde3d9
 kubeadm_checksums:
   arm:
+    v1.15.0: 9464030a1d4e101de5f47348f3514d5a9eb95cbce2e5e31f53ada1ca485cf75e
     v1.14.3: 270b8c346aeaa309d11d65695c4a90f6bff5b1ea14bdec3c417ca2dfb3de0db3
     v1.14.2: d2a59269aa68a4bace2a80b247b6f9a82f0542ec3004185fb0ba86e181fdfb29
     v1.14.1: 4bd111411208f1270ed3af8780b87d24a3c17c9fdbe4b0f8c7a9a21cd765543e
     v1.14.0: 11f2cfa8bf7ee177dbac8073ab0f039dc265536baaa8dc0c4dea699f981f6fd1
-    v1.13.7: 13f6cac67616c2a0d54cb8ae46df67e98d0beab0633ff1f6a9188cb07eaf1b7a
-    v1.13.6: 0e56c8b804263b0fca1ad2de06e6f0da3471e43f9839702564fa39c415badf74
-    v1.13.5: 3eb413c6e7f3fc84ca81de2f725bae8618c65d92a50c6e1e89ce157828ca588c
-    v1.13.4: 9281b57f0e62330b3905774e38dfad7430d0d54c50cd2a0f87e6c993bb784b17
-    v1.13.3: 77afb511c895bc6fb0d2ee3198a0c15d89c0f19bf91fb1fb6274634e3e147d4a
-    v1.13.2: 5bf5d766050245abde802fdea77a85586ce1477e538bcc4fa618bba854c18980
-    v1.13.1: c92bc8672a31158e33489ec9285d0a5546cb5be5bdfdb8cd424fff08439fff9c
-    v1.13.0: a35e9248fccddb3f2381fd3695c889a576e9ecc63f2b3c9bb0e8daf0308427ef
   arm64:
+    v1.15.0: fe3c79070814fe847a23209b1027672fe5c5e7e5c9611e329225058926836f96
     v1.14.3: 8edcc07c65f81eea3fc47cd237dd6560c6907c5e0ca52d71eab53ca1164e7d01
     v1.14.2: bff0712b87796509129aa802ad3ac25b8cc83af01762b22b4dcca8dbdb26b520
     v1.14.1: 5cf05464168e45ee4719264a267c65f9319fae1ceb9923fedab97a9d6a629e0b
     v1.14.0: 7ed9d706e50cd6d3fc618a7af3d19b691b8a5343ddedaeccb4ea09af3ecfae2c
-    v1.13.7: 372b33754f4dea201b9db559b2178a833dccd3393cd1a2beefd56ee761a5548d
-    v1.13.6: 62ae7f2ad28026d4bd006b0307820db08b99e28787ec46641361be281d3f381f
-    v1.13.5: 59a1995c171e5c1e74f5d02657eb2c155706f2d159ec1847b64dc866228c40d2
-    v1.13.4: 4de71d4cfa4dc64127148d48f3a1a1fa7ea24cf0c4fa42957459d0e7f9c03799
-    v1.13.3: bef1cbc2d199d32a1a31e70b864dc539b24e3c1cb87b50a1295cf03bec4832b0
-    v1.13.2: 08279a3bfeff8c4f6768d6fd92ceff8276a555f9e81bf9d541112fc8eb29963e
-    v1.13.1: 0f5c2c8a1ffe235785c0a38c9a6530d3d9e67b00e9a07c9d5dca4c36ede2e078
-    v1.13.0: efc2669952b05161e181f0805bb0647308891259528a4868e69f4b1b68c70489
   amd64:
+    v1.15.0: fc4aa44b96dc143d7c3062124e25fed671cab884ebb8b2446edd10abb45e88c2
     v1.14.3: 026700dfff3c78be1295417e96d882136e5e1f095eb843e6575e57ef9930b5d3
     v1.14.2: 77510f61352bb6e537e70730b670627963f2c314fbd36a644b0c435b97e9705a
     v1.14.1: c4fc478572b5623857f5d820e1c107ae02049ca02cf2993e512a091a0196957b
     v1.14.0: 03678f49ee4737f8b8c4f59ace0d140a36ffbc4f6035c59561f59f45b57d0c93
-    v1.13.7: f591b4d9aade0ed9c54d097caad5c9a936b78fef7180d6436d3595fe6a984a7b
-    v1.13.6: 347a84461040ea9898ef1e12813abc22c4259b78ac27a87f64908bceca50dbb4
-    v1.13.5: 274bf887039a9993e30f96047a4a474c39e8471c4094acb75aea6beed793f079
-    v1.13.4: c4300d1f3ebccad48c8e267e45a736c7d227b0e45ef36582fa8dcfe2ef7b1b10
-    v1.13.3: ab767ea53e45aceba628977ef6c8c62eace72d6d232efeaf35ac50cbea5f3739
-    v1.13.2: 7cb0ce57c1e6e2d85e05de3780a2f35a191fe93f89cfc5816b424efcf39834b9
-    v1.13.1: 438173bfa0b7014ecae994c5b9e1f27e1328ab971a3fdb06a393a8095a176ba0
-    v1.13.0: f5366206416dc4cfc840a7add2289957b56ccc479cc1b74f7397a4df995d6b06
 crictl_binary_checksums:
   amd64:
     v1.14.0: 483c90a9fe679590df4332ba807991c49232e8cd326c307c575ecef7fe22327b
@@ -282,7 +240,7 @@ nodelocaldns_version: "1.15.1"
 nodelocaldns_image_repo: "k8s.gcr.io/k8s-dns-node-cache"
 nodelocaldns_image_tag: "{{ nodelocaldns_version }}"
 
-dnsautoscaler_version: 1.4.0
+dnsautoscaler_version: 1.6.0
 dnsautoscaler_image_repo: "k8s.gcr.io/cluster-proportional-autoscaler-{{ image_arch }}"
 dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}"
 test_image_repo: docker.io/busybox
@@ -299,7 +257,7 @@ registry_image_repo: "docker.io/registry"
 registry_image_tag: "2.6"
 registry_proxy_image_repo: "gcr.io/google_containers/kube-registry-proxy"
 registry_proxy_image_tag: "0.4"
-metrics_server_version: "v0.3.2"
+metrics_server_version: "v0.3.3"
 metrics_server_image_repo: "gcr.io/google_containers/metrics-server-amd64"
 metrics_server_image_tag: "{{ metrics_server_version }}"
 local_volume_provisioner_image_repo: "quay.io/external_storage/local-volume-provisioner"

roles/download/templates/kubeadm-images.yaml.j2

@@ -1,28 +1,10 @@
-{% if kube_version is version('v1.12.0', '>=') %}
-{% if kube_version is version('v1.12.0', '>=') and kube_version is version('v1.13.0', '<') %}
-apiVersion: kubeadm.k8s.io/v1alpha3
-{% else %}
 apiVersion: kubeadm.k8s.io/v1beta1
-{% endif %}
 kind: InitConfiguration
 nodeRegistration:
   criSocket: {{ cri_socket }}
 ---
-{% endif %}
-{% if kube_version is version('v1.11.0', '<') %}
-apiVersion: kubeadm.k8s.io/v1alpha1
-{% elif kube_version is version('v1.11.0', '>=') and kube_version is version('v1.12.0', '<') %}
-apiVersion: kubeadm.k8s.io/v1alpha2
-{% elif kube_version is version('v1.12.0', '>=') and kube_version is version('v1.13.0', '<') %}
-apiVersion: kubeadm.k8s.io/v1alpha3
-{% else %}
 apiVersion: kubeadm.k8s.io/v1beta1
-{% endif %}
-{% if kube_version is version('v1.12.0', '<') %}
-kind: MasterConfiguration
-{% else %}
 kind: ClusterConfiguration
-{% endif %}
 imageRepository: {{ kube_image_repo }}
 kubernetesVersion: {{ kube_version }}
 etcd:
@@ -31,7 +13,3 @@ etcd:
 {% for endpoint in etcd_access_addresses.split(',') %}
       - {{ endpoint }}
 {% endfor %}
-{% if kube_version is version('v1.12.0', '<') %}
-nodeRegistration:
-  criSocket: {{ cri_socket }}
-{% endif %}

roles/kubernetes-apps/cluster_roles/tasks/main.yml

@@ -132,53 +132,6 @@
     - inventory_hostname == groups['kube-master'][0]
   tags: node-webhook
 
-- name: Check if vsphere-cloud-provider ClusterRole exists
-  command: "{{ bin_dir }}/kubectl get clusterroles system:vsphere-cloud-provider"
-  register: vsphere_cloud_provider
-  ignore_errors: true
-  when:
-    - rbac_enabled
-    - cloud_provider is defined
-    - cloud_provider == 'vsphere'
-    - kube_version is version('v1.9.0', '>=')
-    - kube_version is version('v1.9.3', '<=')
-    - inventory_hostname == groups['kube-master'][0]
-  tags: vsphere
-
-- name: Write vsphere-cloud-provider ClusterRole manifest
-  template:
-    src: "vsphere-rbac.yml.j2"
-    dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
-  register: vsphere_rbac_manifest
-  when:
-    - rbac_enabled
-    - cloud_provider is defined
-    - cloud_provider == 'vsphere'
-    - vsphere_cloud_provider.rc is defined
-    - vsphere_cloud_provider.rc != 0
-    - kube_version is version('v1.9.0', '>=')
-    - kube_version is version('v1.9.3', '<=')
-    - inventory_hostname == groups['kube-master'][0]
-  tags: vsphere
-
-- name: Apply vsphere-cloud-provider ClusterRole
-  kube:
-    name: "system:vsphere-cloud-provider"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "clusterrolebinding"
-    filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
-    state: latest
-  when:
-    - rbac_enabled
-    - cloud_provider is defined
-    - cloud_provider == 'vsphere'
-    - vsphere_cloud_provider.rc is defined
-    - vsphere_cloud_provider.rc != 0
-    - kube_version is version('v1.9.0', '>=')
-    - kube_version is version('v1.9.3', '<=')
-    - inventory_hostname == groups['kube-master'][0]
-  tags: vsphere
-
 - include_tasks: oci.yml
   tags: oci
   when:

roles/kubernetes/kubeadm/tasks/main.yml

@@ -38,25 +38,6 @@
   command: "{{ bin_dir }}/kubeadm version -o short"
   register: kubeadm_output
 
-- name: sets kubeadm api version to v1alpha1
-  set_fact:
-    kubeadmConfig_api_version: v1alpha1
-  when: kubeadm_output.stdout is version('v1.11.0', '<')
-
-- name: sets kubeadm api version to v1alpha2
-  set_fact:
-    kubeadmConfig_api_version: v1alpha2
-  when:
-    - kubeadm_output.stdout is version('v1.11.0', '>=')
-    - kubeadm_output.stdout is version('v1.12.0', '<')
-
-- name: sets kubeadm api version to v1alpha3
-  set_fact:
-    kubeadmConfig_api_version: v1alpha3
-  when:
-    - kubeadm_output.stdout is version('v1.12.0', '>=')
-    - kubeadm_output.stdout is version('v1.13.0', '<')
-
 - name: sets kubeadm api version to v1beta1
   set_fact:
     kubeadmConfig_api_version: v1beta1

roles/kubernetes/master/defaults/main/main.yml

@@ -96,12 +96,8 @@ kube_apiserver_admission_control:
   - ServiceAccount
   - DefaultStorageClass
   - PersistentVolumeClaimResize
-  - >-
-      {%- if kube_version is version('v1.9', '<') -%}
-      GenericAdmissionWebhook
-      {%- else -%}
-      MutatingAdmissionWebhook,ValidatingAdmissionWebhook
-      {%- endif -%}
+  - MutatingAdmissionWebhook
+  - ValidatingAdmissionWebhook
   - ResourceQuota
 
 # 1.10+ admission plugins

roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml

@@ -30,8 +30,13 @@
   command: >-
     {{ bin_dir }}/kubeadm init phase
     --config {{ kube_config_dir }}/kubeadm-config.yaml
-    upload-certs --experimental-upload-certs
-    {% if kubeadm_certificate_key is defined %}
+    upload-certs
+    {% if kubeadm_version is version('v1.15.0', '<') %}
+    --experimental-upload-certs
+    {% else %}
+    --upload-certs
+    {% endif %}
+    {% if kubeadm_certificate_key is defined and kubeadm_version is version('v1.15.0', '<') %}
     --certificate-key={{ kubeadm_certificate_key }}
     {% endif %}
   register: kubeadm_upload_cert
@@ -52,7 +57,7 @@
     {{ bin_dir }}/kubeadm join
     --config {{ kube_config_dir }}/kubeadm-controlplane.yaml
     --ignore-preflight-errors=all
-    {% if kubeadm_certificate_key is defined %}
+    {% if kubeadm_certificate_key is defined and kubeadm_version is version('v1.15.0', '<') %}
     --certificate-key={{ kubeadm_certificate_key }}
     {% endif %}
   register: kubeadm_join_control_plane

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -109,10 +109,14 @@
     --ignore-preflight-errors=all
     --skip-phases=addon/coredns
     {% if kubeadm_version is version('v1.14.0', '>=') %}
+    {% if kubeadm_version is version('v1.15.0', '<') %}
     --experimental-upload-certs
     {% if kubeadm_certificate_key is defined %}
     --certificate-key={{ kubeadm_certificate_key }}
     {% endif %}
+    {% else %}
+    --upload-certs
+    {% endif %}
     {% endif %}
   register: kubeadm_init
   # Retry is because upload config sometimes fails

roles/kubernetes/master/tasks/kubeadm-version.yml

@@ -3,25 +3,16 @@
   command: "{{ bin_dir }}/kubeadm version -o short"
   register: kubeadm_output
 
-- name: sets kubeadm api version to v1alpha2
-  set_fact:
-    kubeadmConfig_api_version: v1alpha2
-  when:
-    - kubeadm_output.stdout is version('v1.11.0', '>=')
-    - kubeadm_output.stdout is version('v1.12.0', '<')
-
-- name: sets kubeadm api version to v1alpha3
-  set_fact:
-    kubeadmConfig_api_version: v1alpha3
-  when:
-    - kubeadm_output.stdout is version('v1.12.0', '>=')
-    - kubeadm_output.stdout is version('v1.13.0', '<')
-
 - name: sets kubeadm api version to v1beta1
   set_fact:
     kubeadmConfig_api_version: v1beta1
   when: kubeadm_output.stdout is version('v1.13.0', '>=')
 
+- name: sets kubeadm api version to v1beta2
+  set_fact:
+    kubeadmConfig_api_version: v1beta2
+  when: kubeadm_output.stdout is version('v1.15.0', '>=')
+
 - name: kubeadm | Create kubeadm config
   template:
     src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"

roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2

@@ -1,235 +0,0 @@
-apiVersion: kubeadm.k8s.io/v1alpha2
-kind: MasterConfiguration
-api:
-{% if kubeadm_config_api_fqdn is defined %}
-  controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}
-  bindPort: {{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
-{% else %}
-  advertiseAddress: {{ ip | default(fallback_ips[inventory_hostname]) }}
-  bindPort: {{ kube_apiserver_port }}
-{% endif %}
-etcd:
-  external:
-      endpoints:
-{% for endpoint in etcd_access_addresses.split(',') %}
-      - {{ endpoint }}
-{% endfor %}
-      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
-      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
-      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
-networking:
-  dnsDomain: {{ dns_domain }}
-  serviceSubnet: {{ kube_service_addresses }}
-  podSubnet: {{ kube_pods_subnet }}
-kubernetesVersion: {{ kube_version }}
-kubeProxy:
-  config:
-    mode: {{ kube_proxy_mode }}
-{% if kube_proxy_nodeport_addresses %}
-    nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
-{% endif %}
-    resourceContainer: ""
-authorizationModes:
-{% for mode in authorization_modes %}
-- {{ mode }}
-{% endfor %}
-apiServerExtraArgs:
-  bind-address: {{ kube_apiserver_bind_address }}
-{% if kube_apiserver_insecure_port|string != "0" %}
-  insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
-{% endif %}
-  insecure-port: "{{ kube_apiserver_insecure_port }}"
-{% if kube_version is version('v1.10', '<') %}
-  admission-control: {{ kube_apiserver_admission_control | join(',') }}
-{% else %}
-{% if kube_apiserver_enable_admission_plugins|length > 0 %}
-  enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
-{% endif %}
-{% if kube_apiserver_disable_admission_plugins|length > 0 %}
-  disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
-{% endif %}
-{% endif %}
-  apiserver-count: "{{ kube_apiserver_count }}"
-{% if kube_version is version('v1.9', '>=') %}
-  endpoint-reconciler-type: lease
-{% endif %}
-{% if etcd_events_cluster_enabled %}
-  etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
-{% endif %}
-  service-node-port-range: {{ kube_apiserver_node_port_range }}
-  kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-  profiling: "{{ kube_profiling }}"
-  request-timeout: "{{ kube_apiserver_request_timeout }}"
-  repair-malformed-updates: "false"
-  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=')  %}
-  anonymous-auth: "{{ kube_api_anonymous_auth }}"
-{% endif %}
-{% if kube_basic_auth|default(true) %}
-  basic-auth-file: {{ kube_users_dir }}/known_users.csv
-{% endif %}
-{% if kube_token_auth|default(true) %}
-  token-auth-file: {{ kube_token_dir }}/known_tokens.csv
-{% endif %}
-{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
-  oidc-issuer-url: {{ kube_oidc_url }}
-  oidc-client-id: {{ kube_oidc_client_id }}
-{%   if kube_oidc_ca_file is defined %}
-  oidc-ca-file: {{ kube_oidc_ca_file }}
-{%   endif %}
-{%   if kube_oidc_username_claim is defined %}
-  oidc-username-claim: {{ kube_oidc_username_claim }}
-{%   endif %}
-{%   if kube_oidc_groups_claim is defined %}
-  oidc-groups-claim: {{ kube_oidc_groups_claim }}
-{%   endif %}
-{%   if kube_oidc_username_prefix is defined %}
-  oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
-{%   endif %}
-{%   if kube_oidc_groups_prefix is defined %}
-  oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
-{%   endif %}
-{% endif %}
-{% if kube_webhook_token_auth|default(false) %}
-  authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
-{% endif %}
-  storage-backend: {{ kube_apiserver_storage_backend }}
-{% if kube_api_runtime_config is defined %}
-  runtime-config: {{ kube_api_runtime_config | join(',') }}
-{% endif %}
-  allow-privileged: "true"
-{% if kubernetes_audit %}
-  audit-log-path: "{{ audit_log_path }}"
-  audit-log-maxage: "{{ audit_log_maxage }}"
-  audit-log-maxbackup: "{{ audit_log_maxbackups }}"
-  audit-log-maxsize: "{{ audit_log_maxsize }}"
-  audit-policy-file: {{ audit_policy_file }}
-{% endif %}
-{% for key in kube_kubeadm_apiserver_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
-{% endfor %}
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
-  cloud-provider: {{cloud_provider}}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% elif cloud_provider is defined and cloud_provider in ["external"] %}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% endif %}
-{% if kube_network_plugin is defined and kube_network_plugin == 'cloud' %}
-  configure-cloud-routes: "true"
-{% endif %}
-controllerManagerExtraArgs:
-  node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
-  node-monitor-period: {{ kube_controller_node_monitor_period }}
-  pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
-  node-cidr-mask-size: "{{ kube_network_node_prefix }}"
-  profiling: "{{ kube_profiling }}"
-  terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
-  cloud-provider: {{cloud_provider}}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% elif cloud_provider is defined and cloud_provider in ["external"] %}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% endif %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
-controllerManagerExtraVolumes:
-{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %}
-- name: openstackcacert
-  hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
-  mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
-{% endif %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
-- name: cloud-config
-  hostPath: {{ kube_config_dir }}/cloud_config
-  mountPath: {{ kube_config_dir }}/cloud_config
-{% endif %}
-{% endif %}
-{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ssl_ca_dirs|length %}
-apiServerExtraVolumes:
-{% if kube_basic_auth|default(true) %}
-- name: basic-auth-config
-  hostPath: {{ kube_users_dir }}
-  mountPath: {{ kube_users_dir }}
-{% endif %}
-{% if kube_token_auth|default(true) %}
-- name: token-auth-config
-  hostPath: {{ kube_token_dir }}
-  mountPath: {{ kube_token_dir }}
-{% endif %}
-{% if kube_webhook_token_auth|default(false) %}
-- name: webhook-token-auth-config
-  hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-  mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kubernetes_audit %}
-- name: {{ audit_policy_name }}
-  hostPath: {{ audit_policy_hostpath }}
-  mountPath: {{ audit_policy_mountpath }}
-{% if audit_log_path != "-" %}
-- name: {{ audit_log_name }}
-  hostPath: {{ audit_log_hostpath }}
-  mountPath: {{ audit_log_mountpath }}
-  writable: true
-{% endif %}
-{% endif %}
-{% if ssl_ca_dirs|length %}
-{% for dir in ssl_ca_dirs %}
-- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
-  hostPath: {{ dir }}
-  mountPath: {{ dir }}
-  writable: false
-{% endfor %}
-{% endif %}
-{% endif %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
-- name: cloud-config
-  hostPath: {{ kube_config_dir }}/cloud_config
-  mountPath: {{ kube_config_dir }}/cloud_config
-{% endif %}
-schedulerExtraArgs:
-  profiling: "{{ kube_profiling }}"
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
-{% if volume_cross_zone_attachment %}
-  policy-config-file: {{ kube_config_dir }}/kube-scheduler-policy.yaml
-{% endif %}
-{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
-{% for key in kube_kubeadm_scheduler_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
-{% endfor %}
-{% endif %}
-apiServerCertSANs:
-{% for san in apiserver_sans %}
-  - {{ san }}
-{% endfor %}
-certificatesDir: {{ kube_cert_dir }}
-imageRepository: {{ kube_image_repo }}
-unifiedControlPlaneImage: ""
-nodeRegistration:
-{% if kube_override_hostname|default('') %}
-  name: {{ kube_override_hostname }}
-{% endif %}
-{% if inventory_hostname not in groups['kube-node'] %}
-  taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/master
-{% else %}
-  taints: {}
-{% endif %}
-  criSocket: {{ cri_socket }}
-{% if dynamic_kubelet_configuration %}
-featureGates:
-  DynamicKubeletConfig: true
-{% endif %}

roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2

@@ -93,15 +93,11 @@ apiServer:
     insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
 {% endif %}
     insecure-port: "{{ kube_apiserver_insecure_port }}"
-{% if kube_version is version('v1.10', '<') %}
-    admission-control: {{ kube_apiserver_admission_control | join(',') }}
-{% else %}
 {% if kube_apiserver_enable_admission_plugins|length > 0 %}
     enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
 {% endif %}
 {% if kube_apiserver_disable_admission_plugins|length > 0 %}
     disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
-{% endif %}
 {% endif %}
     apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version is version('v1.9', '>=') %}
@@ -231,11 +227,7 @@ controllerManager:
     node-cidr-mask-size: "{{ kube_network_node_prefix }}"
     profiling: "{{ kube_profiling }}"
     terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-{% if kube_version is version('v1.14', '<') %}
-    address: {{ kube_controller_manager_bind_address }}
-{% else %}
     bind-address: {{ kube_controller_manager_bind_address }}
-{% endif %}
 {% if kube_feature_gates %}
     feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
@@ -272,11 +264,7 @@ controllerManager:
 {% endif %}
 scheduler:
   extraArgs:
-{% if kube_version is version('v1.14', '<') %}
-    address: {{ kube_scheduler_bind_address }}
-{% else %}
     bind-address: {{ kube_scheduler_bind_address }}
-{% endif %}
 {% if kube_feature_gates %}
     feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}

roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2

@@ -1,22 +1,29 @@
-apiVersion: kubeadm.k8s.io/v1alpha3
+apiVersion: kubeadm.k8s.io/v1beta2
 kind: InitConfiguration
-apiEndpoint:
+localAPIEndpoint:
   advertiseAddress: {{ ip | default(fallback_ips[inventory_hostname]) }}
   bindPort: {{ kube_apiserver_port }}
+{% if kubeadm_certificate_key is defined %}
+certificateKey: {{ kubeadm_certificate_key }}
+{% endif %}
 nodeRegistration:
 {% if kube_override_hostname|default('') %}
   name: {{ kube_override_hostname }}
 {% endif %}
-{% if inventory_hostname not in groups['kube-node'] %}
+{% if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] %}
   taints:
   - effect: NoSchedule
     key: node-role.kubernetes.io/master
 {% else %}
-  taints: {}
+  taints: []
+{% endif %}
+{% if container_manager == 'crio' %}
+  criSocket: /var/run/crio/crio.sock
+{% else %}
+  criSocket: /var/run/dockershim.sock
 {% endif %}
-  criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/v1alpha3
+apiVersion: kubeadm.k8s.io/v1beta2
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 etcd:
@@ -38,212 +45,208 @@ controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.po
 {% else %}
 controlPlaneEndpoint: {{ ip | default(fallback_ips[inventory_hostname]) }}:{{ kube_apiserver_port }}
 {% endif %}
-apiServerCertSANs:
-{% for san in apiserver_sans %}
-  - {{ san }}
-{% endfor %}
 certificatesDir: {{ kube_cert_dir }}
 imageRepository: {{ kube_image_repo }}
-unifiedControlPlaneImage: ""
-apiServerExtraArgs:
+useHyperKubeImage: false
+apiServer:
+  extraArgs:
 {% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=')  %}
-  anonymous-auth: "{{ kube_api_anonymous_auth }}"
+    anonymous-auth: "{{ kube_api_anonymous_auth }}"
 {% endif %}
-  authorization-mode: {{ authorization_modes | join(',') }}
-  bind-address: {{ kube_apiserver_bind_address }}
+    authorization-mode: {{ authorization_modes | join(',') }}
+    bind-address: {{ kube_apiserver_bind_address }}
 {% if kube_apiserver_insecure_port|string != "0" %}
-  insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
+    insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
 {% endif %}
-  insecure-port: "{{ kube_apiserver_insecure_port }}"
-{% if kube_version is version('v1.10', '<') %}
-  admission-control: {{ kube_apiserver_admission_control | join(',') }}
-{% else %}
+    insecure-port: "{{ kube_apiserver_insecure_port }}"
 {% if kube_apiserver_enable_admission_plugins|length > 0 %}
-  enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
+    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
 {% endif %}
 {% if kube_apiserver_disable_admission_plugins|length > 0 %}
-  disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
+    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
-{% endif %}
-  apiserver-count: "{{ kube_apiserver_count }}"
+    apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version is version('v1.9', '>=') %}
-  endpoint-reconciler-type: lease
+    endpoint-reconciler-type: lease
 {% endif %}
 {% if etcd_events_cluster_enabled %}
-  etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
+    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
 {% endif %}
-  service-node-port-range: {{ kube_apiserver_node_port_range }}
-  kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-  profiling: "{{ kube_profiling }}"
-  request-timeout: "{{ kube_apiserver_request_timeout }}"
+    service-node-port-range: {{ kube_apiserver_node_port_range }}
+    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
+    profiling: "{{ kube_profiling }}"
+    request-timeout: "{{ kube_apiserver_request_timeout }}"
+    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
 {% if kube_basic_auth|default(true) %}
-  basic-auth-file: {{ kube_users_dir }}/known_users.csv
+    basic-auth-file: {{ kube_users_dir }}/known_users.csv
 {% endif %}
 {% if kube_token_auth|default(true) %}
-  token-auth-file: {{ kube_token_dir }}/known_tokens.csv
+    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
-  oidc-issuer-url: {{ kube_oidc_url }}
-  oidc-client-id: {{ kube_oidc_client_id }}
+    oidc-issuer-url: {{ kube_oidc_url }}
+    oidc-client-id: {{ kube_oidc_client_id }}
 {%   if kube_oidc_ca_file is defined %}
-  oidc-ca-file: {{ kube_oidc_ca_file }}
+    oidc-ca-file: {{ kube_oidc_ca_file }}
 {%   endif %}
 {%   if kube_oidc_username_claim is defined %}
-  oidc-username-claim: {{ kube_oidc_username_claim }}
+    oidc-username-claim: {{ kube_oidc_username_claim }}
 {%   endif %}
 {%   if kube_oidc_groups_claim is defined %}
-  oidc-groups-claim: {{ kube_oidc_groups_claim }}
+    oidc-groups-claim: {{ kube_oidc_groups_claim }}
 {%   endif %}
 {%   if kube_oidc_username_prefix is defined %}
-  oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
+    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
 {%   endif %}
 {%   if kube_oidc_groups_prefix is defined %}
-  oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
+    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
 {% if kube_webhook_token_auth|default(false) %}
-  authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
+    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
-  storage-backend: {{ kube_apiserver_storage_backend }}
+    storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
-  runtime-config: {{ kube_api_runtime_config | join(',') }}
+    runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
-  allow-privileged: "true"
+    allow-privileged: "true"
 {% if kubernetes_audit %}
-  audit-log-path: "{{ audit_log_path }}"
-  audit-log-maxage: "{{ audit_log_maxage }}"
-  audit-log-maxbackup: "{{ audit_log_maxbackups }}"
-  audit-log-maxsize: "{{ audit_log_maxsize }}"
-  audit-policy-file: {{ audit_policy_file }}
+    audit-log-path: "{{ audit_log_path }}"
+    audit-log-maxage: "{{ audit_log_maxage }}"
+    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
+    audit-log-maxsize: "{{ audit_log_maxsize }}"
+    audit-policy-file: {{ audit_policy_file }}
 {% endif %}
 {% for key in kube_kubeadm_apiserver_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
+    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
 {% endfor %}
 {% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
+    feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
-  cloud-provider: {{cloud_provider}}
-  cloud-config: {{ kube_config_dir }}/cloud_config
+    cloud-provider: {{cloud_provider}}
+    cloud-config: {{ kube_config_dir }}/cloud_config
 {% elif cloud_provider is defined and cloud_provider in ["external"] %}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% endif %}
-controllerManagerExtraArgs:
-  node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
-  node-monitor-period: {{ kube_controller_node_monitor_period }}
-  pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
-  node-cidr-mask-size: "{{ kube_network_node_prefix }}"
-  profiling: "{{ kube_profiling }}"
-  terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_version is version('v1.14', '<') %}
-  address: {{ kube_controller_manager_bind_address }}
-{% else %}
-  bind-address: {{ kube_controller_manager_bind_address }}
-{% endif %}
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
-  cloud-provider: {{cloud_provider}}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% elif cloud_provider is defined and cloud_provider in ["external"] %}
-  cloud-config: {{ kube_config_dir }}/cloud_config
-{% endif %}
-schedulerExtraArgs:
-{% if kube_version is version('v1.14', '<') %}
-  address: {{ kube_scheduler_bind_address }}
-{% else %}
-  bind-address: {{ kube_scheduler_bind_address }}
-{% endif %}
-{% if kube_feature_gates %}
-  feature-gates: {{ kube_feature_gates|join(',') }}
-{% endif %}
-{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
-{% for key in kube_kubeadm_scheduler_extra_args %}
-  {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
-{% endfor %}
+    cloud-config: {{ kube_config_dir }}/cloud_config
 {% endif %}
 {% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
-apiServerExtraVolumes:
+  extraVolumes:
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
-- name: cloud-config
-  hostPath: {{ kube_config_dir }}/cloud_config
-  mountPath: {{ kube_config_dir }}/cloud_config
+  - name: cloud-config
+    hostPath: {{ kube_config_dir }}/cloud_config
+    mountPath: {{ kube_config_dir }}/cloud_config
 {% endif %}
 {% if kube_basic_auth|default(true) %}
-- name: basic-auth-config
-  hostPath: {{ kube_users_dir }}
-  mountPath: {{ kube_users_dir }}
+  - name: basic-auth-config
+    hostPath: {{ kube_users_dir }}
+    mountPath: {{ kube_users_dir }}
 {% endif %}
 {% if kube_token_auth|default(true) %}
-- name: token-auth-config
-  hostPath: {{ kube_token_dir }}
-  mountPath: {{ kube_token_dir }}
+  - name: token-auth-config
+    hostPath: {{ kube_token_dir }}
+    mountPath: {{ kube_token_dir }}
 {% endif %}
 {% if kube_webhook_token_auth|default(false) %}
-- name: webhook-token-auth-config
-  hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-  mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+  - name: webhook-token-auth-config
+    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
 {% if kubernetes_audit %}
-- name: {{ audit_policy_name }}
-  hostPath: {{ audit_policy_hostpath }}
-  mountPath: {{ audit_policy_mountpath }}
+  - name: {{ audit_policy_name }}
+    hostPath: {{ audit_policy_hostpath }}
+    mountPath: {{ audit_policy_mountpath }}
 {% if audit_log_path != "-" %}
-- name: {{ audit_log_name }}
-  hostPath: {{ audit_log_hostpath }}
-  mountPath: {{ audit_log_mountpath }}
-  writable: true
+  - name: {{ audit_log_name }}
+    hostPath: {{ audit_log_hostpath }}
+    mountPath: {{ audit_log_mountpath }}
+    readOnly: false
 {% endif %}
 {% endif %}
 {% for volume in apiserver_extra_volumes %}
-- name: {{ volume.name }}
-  hostPath: {{ volume.hostPath }}
-  mountPath: {{ volume.mountPath }}
-  writable: {{ volume.writable | default(false)}}
+  - name: {{ volume.name }}
+    hostPath: {{ volume.hostPath }}
+    mountPath: {{ volume.mountPath }}
+    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% if ssl_ca_dirs|length %}
 {% for dir in ssl_ca_dirs %}
-- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
-  hostPath: {{ dir }}
-  mountPath: {{ dir }}
-  writable: false
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath: {{ dir }}
+    mountPath: {{ dir }}
+    readOnly: true
 {% endfor %}
 {% endif %}
+{% endif %}
+  certSANs:
+{% for san in apiserver_sans %}
+  - {{ san }}
+{% endfor %}
+  timeoutForControlPlane: 5m0s
+controllerManager:
+  extraArgs:
+    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
+    node-monitor-period: {{ kube_controller_node_monitor_period }}
+    pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+    node-cidr-mask-size: "{{ kube_network_node_prefix }}"
+    profiling: "{{ kube_profiling }}"
+    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
+    bind-address: {{ kube_controller_manager_bind_address }}
+{% if kube_feature_gates %}
+    feature-gates: {{ kube_feature_gates|join(',') }}
+{% endif %}
+{% for key in kube_kubeadm_controller_extra_args %}
+    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
+{% endfor %}
+{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
+    cloud-provider: {{cloud_provider}}
+    cloud-config: {{ kube_config_dir }}/cloud_config
+{% elif cloud_provider is defined and cloud_provider in ["external"] %}
+    cloud-config: {{ kube_config_dir }}/cloud_config
+{% endif %}
+{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
+    configure-cloud-routes: "false"
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] or controller_manager_extra_volumes %}
-controllerManagerExtraVolumes:
+  extraVolumes:
 {% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
-- name: openstackcacert
-  hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
-  mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+  - name: openstackcacert
+    hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+    mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
-- name: cloud-config
-  hostPath: {{ kube_config_dir }}/cloud_config
-  mountPath: {{ kube_config_dir }}/cloud_config
+  - name: cloud-config
+    hostPath: {{ kube_config_dir }}/cloud_config
+    mountPath: {{ kube_config_dir }}/cloud_config
 {% endif %}
 {% for volume in controller_manager_extra_volumes %}
-- name: {{ volume.name }}
-  hostPath: {{ volume.hostPath }}
-  mountPath: {{ volume.mountPath }}
-  writable: {{ volume.writable | default(false)}}
+  - name: {{ volume.name }}
+    hostPath: {{ volume.hostPath }}
+    mountPath: {{ volume.mountPath }}
+    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% endif %}
+scheduler:
+  extraArgs:
+    bind-address: {{ kube_scheduler_bind_address }}
+{% if kube_feature_gates %}
+    feature-gates: {{ kube_feature_gates|join(',') }}
+{% endif %}
+{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
+{% for key in kube_kubeadm_scheduler_extra_args %}
+    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
+{% endfor %}
+{% endif %}
+  extraVolumes:
 {% if scheduler_extra_volumes %}
-schedulerExtraVolumes:
+  extraVolumes:
 {% for volume in scheduler_extra_volumes %}
-- name: {{ volume.name }}
-  hostPath: {{ volume.hostPath }}
-  mountPath: {{ volume.mountPath }}
-  writable: {{ volume.writable | default(false)}}
+  - name: {{ volume.name }}
+    hostPath: {{ volume.hostPath }}
+    mountPath: {{ volume.mountPath }}
+    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% endif %}
 ---
@@ -259,7 +262,6 @@ clientConnection:
 clusterCIDR: {{ kube_pods_subnet }}
 configSyncPeriod: {{ kube_proxy_config_sync_period }}
 conntrack:
- max: {{ kube_proxy_conntrack_max }}
  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
  min: {{ kube_proxy_conntrack_min }}
  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
@@ -273,7 +275,7 @@ iptables:
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  syncPeriod: {{ kube_proxy_sync_period }}
 ipvs:
- excludeCIDRs: {{ "[]" if kube_proxy_exclude_cidrs is not defined or kube_proxy_exclude_cidrs == "null" or kube_proxy_exclude_cidrs | length == 0 else (kube_proxy_exclude_cidrs if kube_proxy_exclude_cidrs[0] == '[' else ("[" + kube_proxy_exclude_cidrs + "]" if (kube_proxy_exclude_cidrs[0] | length) == 1 else "[" + kube_proxy_exclude_cidrs | join(",") + "]")) }}
+ excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  scheduler: {{ kube_proxy_scheduler }}
  syncPeriod: {{ kube_proxy_sync_period }}

roles/kubernetes/master/templates/kubeadm-controlplane.v1beta2.yaml.j2

@@ -0,0 +1,25 @@
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: JoinConfiguration
+discovery:
+  bootstrapToken:
+{% if kubeadm_config_api_fqdn is defined %}
+    apiServerEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
+{% else %}
+    apiServerEndpoint: {{ kubeadm_discovery_address | replace("https://", "")}}
+{% endif %}
+    token: {{ kubeadm_token }}
+    unsafeSkipCAVerification: true
+  timeout: {{ discovery_timeout }}
+  tlsBootstrapToken: {{ kubeadm_token }}
+controlPlane:
+  localAPIEndpoint:
+    advertiseAddress: {{ kube_apiserver_address }}
+    bindPort: {{ kube_apiserver_port }}
+  certificateKey: {{ kubeadm_certificate_key }}
+nodeRegistration:
+  name: {{ kube_override_hostname|default(inventory_hostname) }}
+{% if container_manager == 'crio' %}
+  criSocket: /var/run/crio/crio.sock
+{% else %}
+  criSocket: /var/run/dockershim.sock
+{% endif %}

roles/kubernetes/node/defaults/main.yml

@@ -75,9 +75,6 @@ kube_override_hostname: >-
   {{ inventory_hostname }}
   {%- endif -%}
 
-# cAdvisor port
-kube_cadvisor_port: 0
-
 # The read-only port for the Kubelet to serve on with no authentication/authorization.
 kube_read_only_port: 0
 

roles/kubernetes/node/tasks/kubelet.yml

@@ -29,17 +29,6 @@
     - kubelet
     - kubeadm
 
-- name: Write kubelet environment config file (kubeadm)
-  template:
-    src: "kubelet.env.j2"
-    dest: "{{ kube_config_dir }}/kubelet.env"
-    backup: yes
-  notify: restart kubelet
-  when: kubeadm_output.stdout is version('v1.13.0', '<')
-  tags:
-    - kubelet
-    - kubeadm
-
 - name: Write kubelet config file
   template:
     src: "kubelet-config.{{ kubeadmConfig_api_version }}.yaml.j2"

roles/kubernetes/node/templates/kubelet.env.j2

@@ -1,133 +0,0 @@
-### Upstream source https://github.com/kubernetes/release/blob/master/debian/xenial/kubeadm/channel/stable/etc/systemd/system/kubelet.service.d/
-### All upstream values should be present in this file
-
-# logging to stderr means we get it in the systemd journal
-KUBE_LOGTOSTDERR="--logtostderr=true"
-KUBE_LOG_LEVEL="--v={{ kube_log_level }}"
-# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
-KUBELET_ADDRESS="--address={{ kubelet_bind_address }} --node-ip={{ kubelet_address }}"
-# The port for the info server to serve on
-# KUBELET_PORT="--port=10250"
-{% if kube_override_hostname|default('') %}
-# You may leave this blank to use the actual hostname
-KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
-{% endif %}
-{# Base kubelet args #}
-{% set kubelet_args_base -%}
-{# start kubeadm specific settings #}
---bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
---kubeconfig={{ kube_config_dir }}/kubelet.conf \
-{% if kube_version is version('v1.8', '<') %}
---require-kubeconfig \
-{% endif %}
-{% if kubelet_authentication_token_webhook %}
---authentication-token-webhook \
-{% endif %}
-{% if kubelet_authorization_mode_webhook %}
---authorization-mode=Webhook \
-{% endif %}
---enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
---client-ca-file={{ kube_cert_dir }}/ca.crt \
-{% if kubelet_rotate_certificates %}
---rotate-certificates \
-{% endif %}
---pod-manifest-path={{ kube_manifest_dir }} \
-{% if kube_version is version('v1.12.0', '<') %}
---cadvisor-port={{ kube_cadvisor_port }} \
-{% endif %}
-{# end kubeadm specific settings #}
---pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
---node-status-update-frequency={{ kubelet_status_update_frequency }} \
---cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \
---max-pods={{ kubelet_max_pods }} \
-{% if container_manager == 'docker' and kube_version is version('v1.12.0', '<') %}
---docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
-{% endif %}
-{% if container_manager != 'docker' %}
---container-runtime=remote \
---container-runtime-endpoint={{ cri_socket }} \
-{% endif %}
---anonymous-auth=false \
---read-only-port={{ kube_read_only_port }} \
-{% if kube_version is version('v1.8', '<') %}
---experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
-{% else %}
---fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
-{% endif %}
-{% if dynamic_kubelet_configuration %}
---dynamic-config-dir={{ dynamic_kubelet_configuration_dir }} \
-{% endif %}
---runtime-cgroups={{ kubelet_runtime_cgroups }} --kubelet-cgroups={{ kubelet_kubelet_cgroups }} \
-{% endset %}
-
-{# Node reserved CPU/memory #}
-{% if is_kube_master|bool %}
-{% set kube_reserved %}--kube-reserved cpu={{ kube_master_cpu_reserved }},memory={{ kube_master_memory_reserved|regex_replace('Mi', 'M') }}{% endset %}
-{% else %}
-{% set kube_reserved %}--kube-reserved cpu={{ kube_cpu_reserved }},memory={{ kube_memory_reserved|regex_replace('Mi', 'M') }}{% endset %}
-{% endif %}
-
-{# DNS settings for kubelet #}
-{% if dns_mode == 'coredns' %}
-{% set kubelet_args_cluster_dns %}--cluster-dns={{ skydns_server }}{% endset %}
-{% elif dns_mode == 'coredns_dual' %}
-{% set kubelet_args_cluster_dns %}--cluster-dns={{ skydns_server }},{{ skydns_server_secondary }}{% endset %}
-{% elif dns_mode == 'manual' %}
-{% set kubelet_args_cluster_dns %}--cluster-dns={{ manual_dns_server }}{% endset %}
-{% else %}
-{% set kubelet_args_cluster_dns %}{% endset %}
-{% endif %}
-{% if enable_nodelocaldns %}
-{% set kubelet_args_cluster_dns %}--cluster-dns={{ nodelocaldns_ip }}{% endset %}
-{% endif %}
-{% set kubelet_args_dns %}{{ kubelet_args_cluster_dns }} --cluster-domain={{ dns_domain }} --resolv-conf={{ kube_resolv_conf }}{% endset %}
-
-{# Kubelet node labels #}
-{% set role_node_labels = [] %}
-{% if nvidia_gpu_nodes is defined and nvidia_accelerator_enabled|bool %}
-{%   if inventory_hostname in nvidia_gpu_nodes %}
-{%     set dummy = role_node_labels.append('nvidia.com/gpu=true')  %}
-{%   endif %}
-{% endif %}
-
-{% set inventory_node_labels = [] %}
-{% if node_labels is defined %}
-{%   if node_labels is mapping %}
-{%     for labelname, labelvalue in node_labels.items() %}
-{%       set dummy = inventory_node_labels.append('%s=%s'|format(labelname, labelvalue)) %}
-{%     endfor %}
-{%   else %}
-{%     for label in node_labels.split(",") %}
-{%       set dummy = inventory_node_labels.append(label) %}
-{%     endfor %}
-{%   endif %}
-{% set all_node_labels = role_node_labels + inventory_node_labels %}
-
-{# Kubelet node taints for gpu #}
-{% if nvidia_gpu_nodes is defined and nvidia_accelerator_enabled|bool %}
-{%   if inventory_hostname in nvidia_gpu_nodes and node_taints is defined %}
-{%       set dummy = node_taints.append('nvidia.com/gpu=:NoSchedule') %}
-{%   elif inventory_hostname in nvidia_gpu_nodes and node_taints is not defined %}
-{%       set node_taints = [] %}
-{%       set dummy = node_taints.append('nvidia.com/gpu=:NoSchedule') %}
-{%   endif %}
-{% endif %}
-
-KUBELET_ARGS="{{ kubelet_args_base }} {{ kubelet_args_dns }} {{ kube_reserved }} {% if node_taints|default([]) %}--register-with-taints={{ node_taints | join(',') }} {% endif %}--node-labels={{ all_node_labels | join(',') }} {% if kube_feature_gates %} --feature-gates={{ kube_feature_gates|join(',') }} {% endif %} {% if kubelet_custom_flags is string %} {{kubelet_custom_flags}} {% else %}{% for flag in kubelet_custom_flags %} {{flag}} {% endfor %}{% endif %}{% if inventory_hostname in groups['kube-node'] %}{% if kubelet_node_custom_flags is string %} {{kubelet_node_custom_flags}} {% else %}{% for flag in kubelet_node_custom_flags %} {{flag}} {% endfor %}{% endif %}{% endif %}"
-{% if kube_network_plugin is defined and kube_network_plugin in ["calico", "canal", "cni", "flannel", "weave", "contiv", "cilium", "kube-router", "macvlan"] %}
-KUBELET_NETWORK_PLUGIN="--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
-{% elif kube_network_plugin is defined and kube_network_plugin == "cloud" %}
-KUBELET_NETWORK_PLUGIN="--hairpin-mode=promiscuous-bridge --network-plugin=kubenet"
-{% endif %}
-KUBELET_VOLUME_PLUGIN="--volume-plugin-dir={{ kubelet_flexvolumes_plugins_dir }}"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=true"
-{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
-KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }} --cloud-config={{ kube_config_dir }}/cloud_config"
-{% elif cloud_provider is defined and cloud_provider in ["external"] %}
-KUBELET_CLOUDPROVIDER="--cloud-provider=external --cloud-config={{ kube_config_dir }}/cloud_config"
-{% else %}
-KUBELET_CLOUDPROVIDER=""
-{% endif %}
-
-PATH={{ bin_dir }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

roles/kubernetes/node/templates/kubelet.env.v1beta1.j2

@@ -11,24 +11,12 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
 --config={{ kube_config_dir }}/kubelet-config.yaml \
 --kubeconfig={{ kube_config_dir }}/kubelet.conf \
-{% if kube_version is version('v1.8', '<') %}
---require-kubeconfig \
-{% endif %}
-{% if kube_version is version('v1.12.0', '<') %}
---cadvisor-port={{ kube_cadvisor_port }} \
-{% endif %}
 {# end kubeadm specific settings #}
 --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
-{% if container_manager == 'docker' and kube_version is version('v1.12.0', '<') %}
---docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
-{% endif %}
 {% if container_manager != 'docker' %}
 --container-runtime=remote \
 --container-runtime-endpoint={{ cri_socket }} \
 {% endif %}
-{% if kube_version is version('v1.8', '<') %}
---experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
-{% endif %}
 {% if dynamic_kubelet_configuration %}
 --dynamic-config-dir={{ dynamic_kubelet_configuration_dir }} \
 {% endif %}

roles/kubespray-defaults/defaults/main.yaml

@@ -12,10 +12,10 @@ is_atomic: false
 disable_swap: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.14.3
+kube_version: v1.15.0
 
 ## The minimum version working
-kube_version_min_required: v1.13.0
+kube_version_min_required: v1.14.0
 
 ## Kube Proxy mode One of ['iptables','ipvs']
 kube_proxy_mode: ipvs
@@ -344,11 +344,7 @@ feature_gate_v1_12: []
 ## List of key=value pairs that describe feature gates for
 ## the k8s cluster.
 kube_feature_gates: |-
-  {%- if kube_version is version('v1.12.0', '<') -%}
-  {{ feature_gate_v1_11 }}
-  {%- else -%}
   {{ feature_gate_v1_12 }}
-  {%- endif %}
 
 # Enable kubeadm experimental control plane
 kubeadm_control_plane: false

tests/testcases/100_check-k8s-conformance.yml

@@ -1,7 +1,7 @@
 ---
 - hosts: kube-master[0]
   vars:
-    sonobuoy_version: 0.14.1
+    sonobuoy_version: 0.15.0
     sonobuoy_arch: amd64
     sonobuoy_parallel: 30
     sonobuoy_path: /usr/local/bin/sonobuoy