Günther Grill
0d55ed3600
Avoid that some read-only tasks cause an ansible-change ( #1910 )
2017-11-06 13:51:07 +00:00
Haiwei Liu
ad0cd6939a
Add support cAdvisor ( #1908 )
...
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-11-06 13:50:28 +00:00
Stanislav Makar
33adb334cd
Fix openstack tenant id variable name ( #1932 )
2017-11-05 08:40:41 +00:00
Spencer Smith
ef87a8a1f0
Merge pull request #1916 from vtomasr5/master
...
Fix bad handler directory name in kubeadm role
2017-11-03 18:14:48 -04:00
Matthew Mosesohn
ab3832f3e7
Set host IP for kubelet always ( #1924 )
...
* Set host IP for kubelet always
Use ansible default IP if ip var is not set.
* Update main.yml
2017-11-03 10:19:37 +00:00
Günther Grill
0195725563
Workaround ansible bug where access var via dict doesn't get real value ( #1912 )
...
* Change deprecated vagrant ansible flag 'sudo' to 'become'
* Workaround ansible bug where access var via dict doesn't get real value
When accessing a variable via it's name "{{ foo }}" its value is
retrieved. But when the variable value is retrieved via the vars-dict
"{{ vars['foo'] }}" this doesn't resolve the expression of the variable
any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't
longer resolved but just returned as string "1 == 1".
* Make file yamllint complient
2017-11-03 07:11:14 +00:00
Spencer Smith
ec1170bd37
only mount volumes if local_volumes_enabled is true. fix mount flags in rkt. ( #1923 )
2017-11-03 07:10:37 +00:00
Spencer Smith
4771716ab2
Merge pull request #1907 from mattymo/disable_anon_auth
...
Block anonymous auth requests to kubelet
2017-11-02 12:01:39 -04:00
Spencer Smith
b156585739
Merge pull request #1917 from chadswen/docker-daemon-graph
...
Fix kubelet container with alternate Docker data paths
2017-11-02 11:58:55 -04:00
Matthew Mosesohn
3e3787de15
Fix local volume provisioner mount point for rkt
2017-11-02 09:45:26 +00:00
Chad Swenson
0c824d5ef1
Fix kubelet container with alternate Docker data paths
...
Some time ago I think the hardcoded `/var/lib/docker` was required, but kubelet running in a container has been aware of the Docker path since at least as far back as k8s 1.6.
Without this change, you see a large number of errors in the kubelet logs if you installed with a non-default `docker_daemon_graph`
2017-11-01 13:25:15 -05:00
Matthew Mosesohn
c0e989b17c
New addon: local_volume_provisioner ( #1909 )
2017-11-01 14:25:35 +00:00
Vicenç Juan Tomàs Montserrat
5218b3af82
Fix bad handler directory name in kubeadm role
2017-11-01 14:36:28 +01:00
Spencer Smith
ef0a91da27
Merge pull request #1891 from rsmitty/proxy-fixes
...
Improved proxy support
2017-10-31 14:32:12 -04:00
Spencer Smith
19962f6b6a
fix indentation for master template ( #1906 )
2017-10-31 06:43:54 +00:00
Matthew Mosesohn
f7703dbca3
Block anonymous auth requests to kubelet
2017-10-30 19:06:54 +00:00
Spencer Smith
b27453d8d8
improved proxy support
2017-10-30 11:42:14 -04:00
Spencer Smith
4470ee4ccf
Merge pull request #1887 from mattymo/fix_indent_apiserver
...
fix indentation for network policy option
2017-10-30 11:33:13 -04:00
abelgana
d738acf638
Update kubelet.kubeadm.env.j2 ( #1901 )
2017-10-30 11:33:02 +00:00
tanshanshan
84d92aa3c7
fix-bug ( #1900 )
2017-10-30 11:23:24 +00:00
Spencer Smith
591941bd39
Merge pull request #1884 from abelgana/master
...
Sysctl reload if needed after IP forward enabling
2017-10-27 15:12:08 -04:00
Spencer Smith
e90769c869
Merge pull request #1888 from chapsuk/issue_1885
...
Disable swap in vagrant vms
2017-10-27 15:10:16 -04:00
mkrasilnikov
2c7c956be9
Disable swap in vagrant vms
2017-10-27 19:57:54 +03:00
Matthew Mosesohn
fe81bba08d
Force kubelet certificates to be generated as lowercase ( #1886 )
...
All nodes get converted to lowercase, so certs should set
CN with lowercase as well.
2017-10-27 15:58:25 +01:00
Matthew Mosesohn
564de07963
fix indentation for network policy option
2017-10-27 14:56:22 +01:00
abelgana
d9160f19c0
Sysctl reload if needed after IP forward enabling
...
Add reload yes to reload sysctl if the value of net.ipv4.ip_forward changes.
- name: Enable ip forwarding
sysctl:
sysctl_file: "{{sysctl_file_path}}"
name: net.ipv4.ip_forward
value: 1
state: present
reload: yes
tags:
- bootstrap-os
2017-10-26 13:06:21 -04:00
Brad Beam
ba0a03a8ba
Merge pull request #1880 from mattymo/node_auth_fixes2
...
Move cluster roles and system namespace to new role
2017-10-26 10:02:24 -05:00
Matthew Mosesohn
b0f04d925a
Update network policy setting for Kubernetes 1.8 ( #1879 )
...
It is now enabled by default in 1.8 with the api changed
to networking.k8s.io/v1 instead of extensions/v1beta1.
2017-10-26 15:35:26 +01:00
Matthew Mosesohn
ec53b8b66a
Move cluster roles and system namespace to new role
...
This should be done after kubeconfig is set for admin and
before network plugins are up.
2017-10-26 14:36:05 +01:00
Matthew Mosesohn
86fb669fd3
Idempotency fixes ( #1838 )
2017-10-25 21:19:40 +01:00
Chiang Fong Lee
5dc56df64e
Fix ordering of kube-apiserver admission control plug-ins ( #1841 )
2017-10-24 17:28:07 +01:00
Haiwei Liu
cfea99c4ee
Fix scale.yml to supoort kubeadm ( #1863 )
...
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
2017-10-24 16:08:48 +01:00
Matthew Mosesohn
0b4fcc83bd
Fix up warnings and deprecations ( #1848 )
2017-10-20 08:25:57 +01:00
Matthew Mosesohn
fc9a65be2b
Refactor downloads to use download role directly ( #1824 )
...
* Refactor downloads to use download role directly
Also disable fact delegation so download delegate works acros OSes.
* clean up bools and ansible_os_family conditionals
2017-10-19 09:17:11 +01:00
Jan Jungnickel
49dff97d9c
Relabel controler-manager to kube-controller-manager ( #1830 )
...
Fixes #1129
2017-10-18 17:29:18 +01:00
Hassan Zamani
c9fe8fde59
Use fail-swap-on flag only for kube_version >= 1.8 ( #1829 )
2017-10-18 16:32:38 +01:00
Matthew Mosesohn
16462292e1
Properly skip extra SANs when not specified for kubeadm ( #1831 )
2017-10-18 12:04:13 +01:00
pmontanari
20d80311f0
Update main.yml ( #1822 )
...
* Update main.yml
Needs to set up resolv.conf before updating Yum cache otherwise no name resolution available (resolv.conf empty).
* Update main.yml
Removing trailing spaces
2017-10-18 11:42:00 +01:00
Tennis Smith
54320c5b09
set to 3 digit version number ( #1817 )
2017-10-17 11:14:29 +01:00
Rémi de Passmoilesel
356515222a
Add possibility to insert more ip adresses in certificates ( #1678 )
...
* Add possibility to insert more ip adresses in certificates
* Add newline at end of files
* Move supp ip parameters to k8s-cluster group file
* Add supplementary addresses in kubeadm master role
* Improve openssl indexes
2017-10-17 11:06:07 +01:00
neith00
77f1d4b0f1
Revert "Update roadmap" ( #1809 )
...
* Revert "Debian jessie docs (#1806 )"
This reverts commit d78577c810
.
* Revert "[contrib/network-storage/glusterfs] adds service for glusterfs endpoint (#1800 )"
This reverts commit 5fb6b2eaf7
.
* Revert "[contrib/network-storage/glusterfs] bootstrap for glusterfs nodes (#1799 )"
This reverts commit 404caa111a
.
* Revert "Fixed kubelet standard log environment (#1780 )"
This reverts commit b838468500
.
* Revert "Add support for fedora atomic host (#1779 )"
This reverts commit f2235be1d3
.
* Revert "Update network-plugins to use portmap plugin (#1763 )"
This reverts commit 6ec45b10f1
.
* Revert "Update roadmap (#1795 )"
This reverts commit d9879d8026
.
2017-10-16 14:09:24 +01:00
Seungkyu Ahn
b838468500
Fixed kubelet standard log environment ( #1780 )
...
Change KUBE_LOGGING to KUBE_LOGTOSTDERR, when installing kubelet
as host type.
2017-10-16 08:22:54 +01:00
Jason Brooks
f2235be1d3
Add support for fedora atomic host ( #1779 )
...
* don't try to install this rpm on fedora atomic
* add docker 1.13.1 for fedora
* built-in docker unit file is sufficient, as tested on both fedora and centos atomic
2017-10-16 08:03:33 +01:00
Matthew Mosesohn
d9879d8026
Update roadmap ( #1795 )
2017-10-16 07:06:06 +01:00
Matthew Mosesohn
d487b2f927
Security best practice fixes ( #1783 )
...
* Disable basic and token auth by default
* Add recommended security params
* allow basic auth to fail in tests
* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Julian Poschmann
66e5e14bac
Restart kubelet on update in deployment-type host on update ( #1759 )
...
* Restart kubelet on update in deployment-type host on update
* Update install_host.yml
* Update install_host.yml
* Update install_host.yml
2017-10-15 20:22:17 +01:00
Matthew Mosesohn
7e4668859b
Change file used to check kubeadm upgrade method ( #1784 )
...
* Change file used to check kubeadm upgrade method
Test for ca.crt instead of admin.conf because admin.conf
is created during normal deployment.
* more fixes for upgrade
2017-10-15 10:33:22 +01:00
Matthew Mosesohn
ef47a73382
Add new addon Istio ( #1744 )
...
* add istio addon
* add addons to a ci job
2017-10-13 15:42:54 +01:00
Julian Poschmann
56763d4288
Persist br_netfilter module loading ( #1760 )
2017-10-13 10:50:29 +01:00
Matthew Mosesohn
ee83e874a8
Clear admin kubeconfig when rotating certs ( #1772 )
...
* Clear admin kubeconfig when rotating certs
* Update main.yml
2017-10-12 09:55:46 +01:00
Vijay Katam
27ed73e3e3
Rename dns_server, add var for selinux. ( #1572 )
...
* Rename dns_server to dnsmasq_dns_server so that it includes role prefix
as the var name is generic and conflicts when integrating with existing ansible automation.
* Enable selinux state to be configurable with new var preinstall_selinux_state
2017-10-11 20:40:21 +01:00
Aivars Sterns
e41c0532e3
add possibility to disable fail with swap ( #1773 )
2017-10-11 19:49:31 +01:00
Matthew Mosesohn
eeb7274d65
Adjust memory reservation for master nodes ( #1769 )
2017-10-11 19:47:42 +01:00
Matthew Mosesohn
eb0dcf6063
Improve proxy ( #1771 )
...
* Set no_proxy to all local ips
* Use proxy settings on all necessary tasks
2017-10-11 19:47:27 +01:00
Matthew Mosesohn
fe4ba51d1a
Set node IP correctly ( #1770 )
...
Fixes #1741
2017-10-11 15:28:42 +01:00
Hyunsun Moon
adf575b75e
Set default value for disable_shared_pid ( #1710 )
...
PID namespace sharing is disabled only in Kubernetes 1.7.
Explicitily enabling it by default could help reduce unexpected
results when upgrading to or downgrading from 1.7.
2017-10-11 14:55:51 +01:00
Spencer Smith
3d09c4be75
Merge pull request #1756 from kubernetes-incubator/fix_bool_assert
...
Fix bool check assert
2017-10-10 10:38:53 -04:00
Spencer Smith
f2db15873d
Merge pull request #1754 from ArchiFleKs/rkt-kubelet-fix
...
add hosts to rkt kubelet
2017-10-10 10:37:36 -04:00
ArchiFleKs
7c663de6c9
add /etc/hosts volume to rkt templates
2017-10-09 16:41:51 +02:00
ant31
1be4c1935a
Fix bool check assert
2017-10-06 17:02:38 +00:00
Matthew Mosesohn
f14f04c5ea
Upgrade to kubernetes v1.8.0 ( #1730 )
...
* Upgrade to kubernetes v1.8.0
hyperkube no longer contains rsync, so now use cp
* Enable node authorization mode
* change kube-proxy cert group name
2017-10-05 10:51:21 +01:00
Aivars Sterns
9c86da1403
Normalize tags in all places to prepare for tag fixing in future ( #1739 )
2017-10-05 08:43:04 +01:00
Spencer Smith
cb611b5ed0
Merge pull request #1742 from mattymo/facts_as_vars
...
Move set_facts to kubespray-defaults defaults
2017-10-04 15:46:39 -04:00
Spencer Smith
ab171a1d6d
don't delegate cert slurp
2017-10-04 13:06:51 -04:00
Matthew Mosesohn
a56738324a
Move set_facts to kubespray-defaults defaults
...
These facts can be generated in defaults with a performance
boost.
Also cleaned up duplicate etcd var names.
2017-10-04 14:02:47 +01:00
Matthew Mosesohn
e42cb43ca5
add bootstrap for debian ( #1726 )
2017-10-03 08:30:45 +01:00
Julian Poschmann
8e1210f96e
Fix cluster-network w/ prefix > 25 not possible with CNI ( #1713 )
2017-10-01 10:43:00 +01:00
Peter Slijkhuis
371fa51e82
Make installation of EPEL optional ( #1721 )
2017-09-29 13:44:29 +01:00
Matthew Mosesohn
25dd3d476a
Fix error for azure+calico assert ( #1717 )
...
Fixes #1716
2017-09-29 08:17:18 +01:00
Matthew Mosesohn
3ff5f40bdb
fix graceful upgrade ( #1704 )
...
Fix system namespace creation
Only rotate tokens when necessary
2017-09-27 14:49:20 +01:00
Matthew Mosesohn
689ded0413
Enable kubeadm upgrades to any version ( #1709 )
2017-09-27 14:48:18 +01:00
Matthew Mosesohn
327ed157ef
Verify valid settings before deploy ( #1705 )
...
Also fix yaml lint issues
Fixes #1703
2017-09-27 14:47:47 +01:00
tanshanshan
477afa8711
when and run_once are reduplicative ( #1694 )
2017-09-26 14:48:05 +01:00
Matthew Mosesohn
bd272e0b3c
Upgrade to kubeadm ( #1667 )
...
* Enable upgrade to kubeadm
* fix kubedns upgrade
* try upgrade route
* use init/upgrade strategy for kubeadm and ignore kubedns svc
* Use bin_dir for kubeadm
* delete more secrets
* fix waiting for terminating pods
* Manually enforce kube-proxy for kubeadm deploy
* remove proxy. update to kubeadm 1.8.0rc1
2017-09-26 10:38:58 +01:00
Brad Beam
14c232e3c4
Merge pull request #1663 from foxyriver/fix-shell
...
use command module instead of shell module
2017-09-25 13:24:45 -05:00
Matthew Mosesohn
a1cde03b20
Correct master manifest cleanup logic ( #1693 )
...
Fixes #1666
2017-09-25 12:19:04 +01:00
Bogdan Dobrelya
cfce23950a
Merge pull request #1687 from jistr/cgroup-driver-kubeadm
...
Set correct kubelet cgroup-driver also for kubeadm deployments
2017-09-25 11:16:40 +02:00
Deni Bertovic
64740249ab
Adds tags for asserts ( #1639 )
2017-09-25 08:41:03 +01:00
Jiri Stransky
70d0235770
Set correct kubelet cgroup-driver also for kubeadm deployments
...
This follows pull request #1677 , adding the cgroup-driver
autodetection also for kubeadm way of deploying.
Info about this and the possibility to override is added to the docs.
2017-09-22 13:19:04 +02:00
foxyriver
30b5493fd6
use command module instead of shell module
2017-09-22 15:47:03 +08:00
Jiri Stransky
dbbe9419e5
Allow setting cgroup driver for kubelet
...
Red Hat family platforms run docker daemon with `--exec-opt
native.cgroupdriver=systemd`. When kubespray tried to start kubelet
service, it failed with:
Error: failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: "cgroupfs" is different from docker cgroup driver: "systemd"
Setting kubelet's cgroup driver to the correct value for the platform
fixes this issue. The code utilizes autodetection of docker's cgroup
driver, as different RPMs for the same distro may vary in that regard.
2017-09-21 11:58:11 +02:00
Matthew Mosesohn
188bae142b
Fix wait for hosts in CI ( #1679 )
...
Also fix usage of failed_when and handling exit code.
2017-09-20 14:30:09 +01:00
Matthew Mosesohn
ef8e35e39b
Create admin credential kubeconfig ( #1647 )
...
New files: /etc/kubernetes/admin.conf
/root/.kube/config
$GITDIR/artifacts/{kubectl,admin.conf}
Optional method to download kubectl and admin.conf if
kubeconfig_lcoalhost is set to true (default false)
2017-09-18 13:30:57 +01:00
Brad Beam
aaa27d0a34
Adding quotes around parameters in cloud_config ( #1664 )
...
This is to help support escapes and special characters
2017-09-16 08:43:47 +01:00
Kevin Lefevre
9302ce0036
Enhanced OpenStack cloud provider ( #1627 )
...
- Enable Cinder API version for block storage
- Enable floating IP for LBaaS
2017-09-16 08:43:24 +01:00
Matthew Mosesohn
8e731337ba
Enable HA deploy of kubeadm ( #1658 )
...
* Enable HA deploy of kubeadm
* raise delay to 60s for starting gce hosts
2017-09-15 22:28:15 +01:00
Matthew Mosesohn
b294db5aed
fix apply for netchecker upgrade ( #1659 )
...
* fix apply for netchecker upgrade and graceful upgrade
* Speed up daemonset upgrades. Make check wait for ds upgrades.
2017-09-15 13:19:37 +01:00
Brad Beam
ac281476c8
Prune unnecessary certs from vault setup ( #1652 )
...
* Cleaning up cert checks for vault
* Removing all unnecessary etcd certs from each node
* Removing all unnecessary kube certs from each node
2017-09-14 12:28:11 +01:00
Matthew Mosesohn
6744726089
kubeadm support ( #1631 )
...
* kubeadm support
* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job
* change ci boolean vars to json format
* fixup
* Update create-gce.yml
* Update create-gce.yml
* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Matthew Mosesohn
75b13caf0b
Fix kube-apiserver status checks when changing insecure bind addr ( #1633 )
2017-09-09 23:41:48 +03:00
Matthew Mosesohn
5d99fa0940
Purge old upgrade hooks and unused tasks ( #1641 )
2017-09-09 23:41:20 +03:00
Maxim Krasilnikov
e16b57aa05
Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster ( #1632 )
2017-09-07 23:30:16 +03:00
Chad Swenson
e26aec96b0
Consolidate kube-proxy module and sysctl loading ( #1586 )
...
This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
2017-09-06 15:11:51 +03:00
Brad Beam
a341adb7f3
Updating CN for node certs generated by vault ( #1622 )
...
This allows the node authorization plugin to function correctly
2017-09-06 10:55:08 +03:00
mkrasilnikov
957b7115fe
Remove node name from kube-proxy and admin certificates
2017-09-05 14:40:26 +03:00
mkrasilnikov
bf0af1cd3d
Vault role updates:
...
* using separated vault roles for generate certs with different `O` (Organization) subject field;
* configure vault roles for issuing certificates with different `CN` (Common name) subject field;
* set `CN` and `O` to `kubernetes` and `etcd` certificates;
* vault/defaults vars definition was simplified;
* vault dirs variables defined in kubernetes-defaults foles for using
shared tasks in etcd and kubernetes/secrets roles;
* upgrade vault to 0.8.1;
* generate random vault user password for each role by default;
* fix `serial` file name for vault certs;
* move vault auth request to issue_cert tasks;
* enable `RBAC` in vault CI;
2017-09-05 09:07:35 +03:00
Matthew Mosesohn
fc7905653e
Add socat for CoreOS when using host deploy kubelet ( #1575 )
2017-09-04 11:30:18 +03:00
Matthew Mosesohn
77602dbb93
Move calico to daemonset ( #1605 )
...
* Drop legacy calico logic
* add calico as a daemonset
2017-09-04 11:29:51 +03:00
Brad Beam
8ae77e955e
Adding in certificate serial numbers to manifests ( #1392 )
2017-09-01 09:02:23 +03:00
Brad Beam
7a98ad50b4
Fixing CA certificate locations for k8s components
2017-08-30 15:30:40 -05:00