3ad9e9c5eb
Red Hat has this theory that binaries in sbin are too dangerous to be on the default path, but we need them anyway. RH7 has /sbin and /usr/sbin as symlinks, so that is no longer important. I'm adding it to the `PATH` instead of making the path to `modinfo` absolute because I am worried about breaking support for other distributions.
185 lines
4.2 KiB
YAML
185 lines
4.2 KiB
YAML
---
|
|
- import_tasks: facts.yml
|
|
tags:
|
|
- facts
|
|
|
|
- import_tasks: pre_upgrade.yml
|
|
tags:
|
|
- kubelet
|
|
|
|
- name: Ensure /var/lib/cni exists
|
|
file:
|
|
path: /var/lib/cni
|
|
state: directory
|
|
mode: 0755
|
|
|
|
- import_tasks: install.yml
|
|
tags:
|
|
- kubelet
|
|
|
|
- import_tasks: nginx-proxy.yml
|
|
when: is_kube_master == false and loadbalancer_apiserver_localhost
|
|
tags:
|
|
- nginx
|
|
|
|
- name: Write kubelet config file (non-kubeadm)
|
|
template:
|
|
src: kubelet.standard.env.j2
|
|
dest: "{{ kube_config_dir }}/kubelet.env"
|
|
backup: yes
|
|
when: not kubeadm_enabled
|
|
notify: restart kubelet
|
|
tags:
|
|
- kubelet
|
|
|
|
- name: Write kubelet config file (kubeadm)
|
|
template:
|
|
src: kubelet.kubeadm.env.j2
|
|
dest: "{{ kube_config_dir }}/kubelet.env"
|
|
backup: yes
|
|
when: kubeadm_enabled
|
|
notify: restart kubelet
|
|
tags:
|
|
- kubelet
|
|
- kubeadm
|
|
|
|
- name: write the kubecfg (auth) file for kubelet
|
|
template:
|
|
src: "{{ item }}-kubeconfig.yaml.j2"
|
|
dest: "{{ kube_config_dir }}/{{ item }}-kubeconfig.yaml"
|
|
backup: yes
|
|
with_items:
|
|
- node
|
|
- kube-proxy
|
|
when: not kubeadm_enabled
|
|
notify: restart kubelet
|
|
tags:
|
|
- kubelet
|
|
|
|
- name: Ensure nodePort range is reserved
|
|
sysctl:
|
|
name: net.ipv4.ip_local_reserved_ports
|
|
value: "{{ kube_apiserver_node_port_range }}"
|
|
sysctl_set: yes
|
|
sysctl_file: "{{ sysctl_file_path }}"
|
|
state: present
|
|
reload: yes
|
|
when: kube_apiserver_node_port_range is defined
|
|
tags:
|
|
- kube-proxy
|
|
|
|
- name: Verify if br_netfilter module exists
|
|
shell: "modinfo br_netfilter"
|
|
environment:
|
|
PATH: "{{ ansible_env.PATH}}:/sbin" # Make sure we can workaround RH's conservative path management
|
|
register: modinfo_br_netfilter
|
|
failed_when: modinfo_br_netfilter.rc not in [0, 1]
|
|
changed_when: false
|
|
|
|
- name: Enable br_netfilter module
|
|
modprobe:
|
|
name: br_netfilter
|
|
state: present
|
|
when: modinfo_br_netfilter.rc == 0
|
|
|
|
- name: Persist br_netfilter module
|
|
copy:
|
|
dest: /etc/modules-load.d/kubespray-br_netfilter.conf
|
|
content: br_netfilter
|
|
when: modinfo_br_netfilter.rc == 0
|
|
|
|
# kube-proxy needs net.bridge.bridge-nf-call-iptables enabled when found if br_netfilter is not a module
|
|
- name: Check if bridge-nf-call-iptables key exists
|
|
command: "sysctl net.bridge.bridge-nf-call-iptables"
|
|
failed_when: false
|
|
changed_when: false
|
|
register: sysctl_bridge_nf_call_iptables
|
|
|
|
- name: Enable bridge-nf-call tables
|
|
sysctl:
|
|
name: "{{ item }}"
|
|
state: present
|
|
sysctl_file: "{{ sysctl_file_path }}"
|
|
value: 1
|
|
reload: yes
|
|
when: sysctl_bridge_nf_call_iptables.rc == 0
|
|
with_items:
|
|
- net.bridge.bridge-nf-call-iptables
|
|
- net.bridge.bridge-nf-call-arptables
|
|
- net.bridge.bridge-nf-call-ip6tables
|
|
|
|
- name: Modprode Kernel Module for IPVS
|
|
modprobe:
|
|
name: "{{ item }}"
|
|
state: present
|
|
when: kube_proxy_mode == 'ipvs'
|
|
with_items:
|
|
- ip_vs
|
|
- ip_vs_rr
|
|
- ip_vs_wrr
|
|
- ip_vs_sh
|
|
- nf_conntrack_ipv4
|
|
tags:
|
|
- kube-proxy
|
|
|
|
- name: Persist ip_vs modules
|
|
copy:
|
|
dest: /etc/modules-load.d/kube_proxy-ipvs.conf
|
|
content: |
|
|
ip_vs
|
|
ip_vs_rr
|
|
ip_vs_wrr
|
|
ip_vs_sh
|
|
nf_conntrack_ipv4
|
|
when: kube_proxy_mode == 'ipvs'
|
|
tags:
|
|
- kube-proxy
|
|
|
|
- name: Write proxy manifest
|
|
template:
|
|
src: manifests/kube-proxy.manifest.j2
|
|
dest: "{{ kube_manifest_dir }}/kube-proxy.manifest"
|
|
when: not kubeadm_enabled
|
|
tags:
|
|
- kube-proxy
|
|
|
|
- name: Purge proxy manifest for kubeadm
|
|
file:
|
|
path: "{{ kube_manifest_dir }}/kube-proxy.manifest"
|
|
state: absent
|
|
when: kubeadm_enabled
|
|
tags:
|
|
- kube-proxy
|
|
|
|
- include_tasks: "{{ cloud_provider }}-credential-check.yml"
|
|
when:
|
|
- cloud_provider is defined
|
|
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
|
tags:
|
|
- cloud-provider
|
|
- facts
|
|
|
|
- name: Write cloud-config
|
|
template:
|
|
src: "{{ cloud_provider }}-cloud-config.j2"
|
|
dest: "{{ kube_config_dir }}/cloud_config"
|
|
group: "{{ kube_cert_group }}"
|
|
mode: 0640
|
|
when:
|
|
- cloud_provider is defined
|
|
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
|
notify: restart kubelet
|
|
tags:
|
|
- cloud-provider
|
|
|
|
# reload-systemd
|
|
- meta: flush_handlers
|
|
|
|
- name: Enable kubelet
|
|
service:
|
|
name: kubelet
|
|
enabled: yes
|
|
state: started
|
|
tags:
|
|
- kubelet
|