Define ostree variable for runc (#9417 )

The ostree variable is not defined previously raising an error when the runtime tries to read it. Co-authored-by: Victor Morales <chipahuac@hotmail.com>
[2.19] preinstall: Add nodelocaldns to supersede_nameserver if enabled (#9324 )
2022-10-23 21:22:25 -07:00 · 2022-09-27 00:07:51 -07:00 · 2022-09-05 18:48:55 -07:00 · 2022-08-31 02:55:00 -07:00 · 2022-08-30 10:02:55 -07:00 · 2022-08-24 09:08:03 -07:00
15 changed files with 37 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -57,10 +57,10 @@ A simple way to ensure you get all the correct version of Ansible is to use the
 You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mounts/) to get the inventory and ssh key into the container, like this:

 ```ShellSession
-docker pull quay.io/kubespray/kubespray:v2.18.1
+docker pull quay.io/kubespray/kubespray:v2.19.1
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.18.1 bash
+  quay.io/kubespray/kubespray:v2.19.1 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
--- a/docs/hardening.md
+++ b/docs/hardening.md
@ -74,7 +74,6 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm

 ## kubelet
-kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
--- a/roles/container-engine/runc/tasks/main.yml
+++ b/roles/container-engine/runc/tasks/main.yml
@ -1,4 +1,12 @@
 ---
+- name: runc | check if fedora coreos
+  stat:
+    path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: ostree
+
 - name: runc | set is_ostree
  set_fact:
    is_ostree: "{{ ostree.stat.exists }}"
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -142,8 +142,8 @@ kubectl_download_url: "https://storage.googleapis.com/kubernetes-release/release
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
 etcd_download_url: "https://github.com/etcd-io/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
 cni_download_url: "https://github.com/containernetworking/plugins/releases/download/{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
-calicoctl_download_url: "https://github.com/projectcalico/calicoctl/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
-calicoctl_alternate_download_url: "https://github.com/projectcalico/calico/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+calicoctl_download_url: "https://github.com/projectcalico/calico/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+calicoctl_alternate_download_url: "https://github.com/projectcalico/calicoctl/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 calico_crds_download_url: "https://github.com/projectcalico/calico/archive/{{ calico_version }}.tar.gz"
 crictl_download_url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ crictl_version }}/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 helm_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@ -26,6 +26,7 @@ nodelocaldns_secondary_prometheus_port: 9255
 dns_autoscaler_cpu_requests: 20m
 dns_autoscaler_memory_requests: 10Mi
 dns_autoscaler_deployment_nodeselector: "kubernetes.io/os: linux"
+# dns_autoscaler_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]

 # etcd metrics
 # etcd_metrics_service_labels:
@ -83,3 +84,6 @@ dashboard_master_toleration: true
 # Override dashboard default settings
 dashboard_token_ttl: 900
 dashboard_skip_login: false
+
+# Policy Controllers
+# policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@ -34,7 +34,7 @@ spec:
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
-{% if dns_extra_tolerations | default(None) %}
+{% if dns_extra_tolerations is defined %}
        {{ dns_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
      affinity:
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@ -45,6 +45,9 @@ spec:
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
+{% if dns_autoscaler_extra_tolerations is defined %}
+        {{ dns_autoscaler_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
+{% endif %}
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@ -28,6 +28,9 @@ spec:
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
+{% if policy_controller_extra_tolerations is defined %}
+        {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
+{% endif %}
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@ -3,7 +3,7 @@
 kube_apiserver_insecure_bind_address: 127.0.0.1

 # advertised host IP for kubelet. This affects network plugin config. Take caution
-kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ ',' + ip6 if enable_dual_stack_networks and ip6 is defined }}"
+kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"

 # bind address for kubelet. Set to 0.0.0.0 to listen on all interfaces
 kubelet_bind_address: "{{ ip | default('0.0.0.0') }}"
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@ -24,7 +24,7 @@

 - name: Stop if unknown OS
  assert:
-    that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse', 'openSUSE Leap', 'ClearLinux', 'OracleLinux', 'AlmaLinux', 'Rocky', 'Amazon']
+    that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse', 'openSUSE Leap', 'openSUSE Tumbleweed', 'ClearLinux', 'OracleLinux', 'AlmaLinux', 'Rocky', 'Amazon']
    msg: "{{ ansible_distribution }} is not a known OS"
  when: not ignore_assert_errors

--- a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
@ -190,7 +190,7 @@
    nameserverentries: |-
      {{ ( ( [nodelocaldns_ip] if enable_nodelocaldns else []) + coredns_server|d([]) + nameservers|d([]) + cloud_resolver|d([]) + configured_nameservers|d([])) | unique | join(',') }}
    supersede_nameserver:
-      supersede domain-name-servers {{ ( coredns_server|d([]) + nameservers|d([]) + cloud_resolver|d([])) | unique | join(', ') }};
+      supersede domain-name-servers {{ ( ( [nodelocaldns_ip] if enable_nodelocaldns else []) + coredns_server|d([]) + nameservers|d([]) + cloud_resolver|d([])) | unique | join(', ') }};
  when: not dns_early or dns_late

 # This task should run instead of the above task when cluster/nodelocal DNS hasn't
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -484,7 +484,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true

 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: true
+kubelet_authorization_mode_webhook: false

 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@ -582,6 +582,7 @@
    - {name: calico, file: calico-ipamconfig.yml, type: ipam}
  when:
    - inventory_hostname in groups['kube_control_plane']
+    - calico_datastore == "kdd"

 - name: Calico | Create ipamconfig resources
  kube:
@ -590,3 +591,4 @@
    state: "latest"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
+    - calico_datastore == "kdd"
--- a/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/ds.yml.j2
@ -186,7 +186,7 @@ spec:
        - mountPath: /tmp/cilium/config-map
          name: cilium-config-path
          readOnly: true
-{% if not cilium_ip_masq_agent_enable %}
+{% if cilium_ip_masq_agent_enable %}
        - name: ip-masq-agent
          mountPath: /etc/config
          readOnly: true
@ -370,7 +370,7 @@ spec:
      - configMap:
          name: cilium-config
        name: cilium-config-path
-{% if not cilium_ip_masq_agent_enable %}
+{% if cilium_ip_masq_agent_enable %}
      - configMap:
          name: ip-masq-agent
          items:
--- a/scale.yml
+++ b/scale.yml
@ -33,7 +33,12 @@
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
-    - { role: etcd, tags: etcd, etcd_cluster_setup: false }
+    - role: etcd
+      tags: etcd
+      vars:
+        etcd_cluster_setup: false
+        etcd_events_cluster_setup: false
+      when: etcd_deployment_type != "kubeadm"

 - name: Download images to ansible host cache via first kube_control_plane node
  hosts: kube_control_plane[0]
Author	SHA1	Message	Date
Jeroen	b75ee0b111	Define ostree variable for runc (#9417 ) The ostree variable is not defined previously raising an error when the runtime tries to read it. Co-authored-by: Victor Morales <chipahuac@hotmail.com>	2022-10-23 21:22:25 -07:00
Zhong Jianxin	63e3f4dea9	[2.19] preinstall: Add nodelocaldns to supersede_nameserver if enabled (#9324 ) When a machine that use dhclient and resolvconf reboots, this will make /etc/resolv.conf remain close to the one before reboot	2022-09-27 00:07:51 -07:00
ERIK	1026b5974f	Update kubespray version to v2.19.1 (#9241 ) (#9253 ) Signed-off-by: bo.jiang <bo.jiang@daocloud.io> Signed-off-by: bo.jiang <bo.jiang@daocloud.io>	2022-09-05 18:48:55 -07:00
Cristian Calin	453dbcef1d	disable kubelet_authorization_mode_webhook by default (#9239 )	2022-08-31 02:55:00 -07:00
Chad Swenson	4a6600002f	Fixes for calico etcd mode (2.19 backport) (#9234 ) release-2.19 backport of #9228 It seems that PR #8839 broke `calico_datastore: etcd` when it removed ipamconfig support for etcd mode. This PR fixes some failing tasks when calico_datastore == etcd, but it does not restore ipamconfig support for calico in etcd mode. If someone wants to restore ipamconfig support for calico_datastore: etcd please submit a follow up PR for that.	2022-08-30 10:02:55 -07:00
Sergey	6eb313584e	do not run etcd role in scale.yml playbook when etcd installed by kubeadm (#9210 ) (#9216 )	2022-08-24 09:08:03 -07:00
Kenichi Omichi	a270632466	Allow "openSUSE Tumbleweed" to be run (#9072 ) (#9082 ) The commit `1ce2f04` tried to merge multiple SUSE OS checks including "openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but that was a perfect change. Then the commit `c16efc9` tried to fix it for "openSUSE Leap", but it didn't take care of "openSUSE Tumbleweed". Then this adds "openSUSE Tumbleweed" to the OS check.	2022-07-12 00:24:51 -07:00
Sébastien Masset	00550ba832	[2.19] Add missing configuration for extra tolerations (#8999 ) * Added new configuration item for extra tolerations in policy controllers Signed-off-by: Sébastien Masset <smt.masset@gmail.com> * Added new configuration item for extra tolerations in DNS autoscaler Signed-off-by: Sébastien Masset <smt.masset@gmail.com> * Aligned existing handling of extra DNS tolerations Signed-off-by: Sébastien Masset <smt.masset@gmail.com>	2022-06-23 01:41:44 -07:00
Kenichi Omichi	b4951da405	calicoctl repo has been merged in calico (#8920 ) (#8972 ) Co-authored-by: Mathieu Parent <mathieu.parent@insee.fr>	2022-06-14 02:07:33 -07:00
Chinthiti Wisetsombat	cd93d10688	Fix: set fallback value of kubelet ip6 (#8858 ) (#8926 ) (#8942 ) * Fix: set fallback value of kubelet ip6 (#8858) * Prune the spurious comma in the end of kubelet_address - Update `roles/kubernetes/node/defaults/main.yml` Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com> * Fix: set fallback value of kubelet ip6 (#8858) - Apply the lint: `132606368e` Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com> Co-authored-by: Ho Kim <ho.kim@ulagbulag.io> Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>	2022-06-08 10:08:22 -07:00
ERIK	e6940d8a7b	update kubespray image tag in readme to v2.19.0 (#8938 ) Signed-off-by: bo.jiang <bo.jiang@daocloud.io>	2022-06-07 09:22:56 -07:00
mahjonp	dca5cde493	fix 8893#issuecomment-1147154353 (#8933 ) (#8939 ) Signed-off-by: mahjonp <junpeng.man@gmail.com>	2022-06-07 09:18:56 -07:00