cb2e5ac776
* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
73 lines
2.3 KiB
YAML
73 lines
2.3 KiB
YAML
---
|
|
- include: pre-upgrade.yml
|
|
tags: k8s-pre-upgrade
|
|
|
|
- include: set_facts.yml
|
|
tags: facts
|
|
|
|
- name: Copy kubectl from hyperkube container
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
|
|
register: kube_task_result
|
|
until: kube_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
tags: [hyperkube, kubectl, upgrade]
|
|
|
|
- name: Install kubectl bash completion
|
|
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
|
|
#no_log: true
|
|
when: ansible_os_family in ["Debian","RedHat"]
|
|
tags: kubectl
|
|
|
|
- name: Set kubectl bash completion file
|
|
file:
|
|
path: /etc/bash_completion.d/kubectl.sh
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
when: ansible_os_family in ["Debian","RedHat"]
|
|
tags: [kubectl, upgrade]
|
|
|
|
- name: Write kube-apiserver manifest
|
|
template:
|
|
src: manifests/kube-apiserver.manifest.j2
|
|
dest: "{{ kube_manifest_dir }}/kube-apiserver.manifest"
|
|
notify: Master | wait for the apiserver to be running
|
|
tags: kube-apiserver
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: copy kube system namespace manifest
|
|
copy: src=namespace.yml dest={{kube_config_dir}}/{{system_namespace}}-ns.yml
|
|
run_once: yes
|
|
when: inventory_hostname == groups['kube-master'][0]
|
|
tags: apps
|
|
|
|
- name: Check if kube system namespace exists
|
|
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
|
|
register: 'kubesystem'
|
|
changed_when: False
|
|
failed_when: False
|
|
run_once: yes
|
|
tags: apps
|
|
|
|
- name: Create kube system namespace
|
|
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
|
|
changed_when: False
|
|
when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
|
|
tags: apps
|
|
|
|
- name: Write kube-controller-manager manifest
|
|
template:
|
|
src: manifests/kube-controller-manager.manifest.j2
|
|
dest: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
|
|
notify: Master | wait for kube-controller-manager
|
|
tags: kube-controller-manager
|
|
|
|
- name: Write kube-scheduler manifest
|
|
template:
|
|
src: manifests/kube-scheduler.manifest.j2
|
|
dest: "{{ kube_manifest_dir }}/kube-scheduler.manifest"
|
|
notify: Master | wait for kube-scheduler
|
|
tags: kube-scheduler
|