c12s-kubespray/roles/kubernetes/control-plane/tasks/main.yml
Maciej Wereski 771a5e26bb
Add KubeSchedulerConfiguration for k8s 1.19 and up (#7351)
* Add KubeSchedulerConfiguration for k8s 1.19 and up

With release of version 1.19.0 of kubernetes KubeSchedulerConfiguration
was graduated to beta. It allows to extend different stages of
scheduling with profiles. Such effect is achieved by using plugins and
extensions.

This patch adds KubeSchedulerConfiguration for versions 1.19 and later.
Configuration is set to k8s defaults or to kubespray vars. Moving those
defaults to new vars will be done in following patch.

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* KubeSchedulerConfiguration: add defaults

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
2021-04-06 00:35:35 -07:00

100 lines
2.8 KiB
YAML

---
- import_tasks: pre-upgrade.yml
tags:
- k8s-pre-upgrade
- name: Create webhook token auth config
template:
src: webhook-token-auth-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
when: kube_webhook_token_auth|default(false)
- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
when: kube_webhook_authorization|default(false)
- name: Create kube-scheduler config
template:
src: kubescheduler-config.v1beta1.yaml.j2
dest: "{{ kube_config_dir }}/kubescheduler-config.yaml"
mode: 0644
when: kube_version is version('v1.19.0', '>=')
- import_tasks: encrypt-at-rest.yml
when:
- kube_encrypt_secret_data
- name: Install | Copy kubectl binary from download dir
copy:
src: "{{ local_release_dir }}/kubectl-{{ kube_version }}-{{ image_arch }}"
dest: "{{ bin_dir }}/kubectl"
mode: 0755
remote_src: true
tags:
- kubectl
- upgrade
- name: Install kubectl bash completion
shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
when: ansible_os_family in ["Debian","RedHat"]
tags:
- kubectl
ignore_errors: True
- name: Set kubectl bash completion file permissions
file:
path: /etc/bash_completion.d/kubectl.sh
owner: root
group: root
mode: 0755
when: ansible_os_family in ["Debian","RedHat"]
tags:
- kubectl
- upgrade
ignore_errors: True
- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
set_fact:
kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
when: podsecuritypolicy_enabled
- name: Include kubeadm setup
import_tasks: kubeadm-setup.yml
- name: Include kubeadm etcd extra tasks
include_tasks: kubeadm-etcd.yml
when: etcd_kubeadm_enabled
- name: Include kubeadm secondary server apiserver fixes
include_tasks: kubeadm-fix-apiserver.yml
- name: Include kubelet client cert rotation fixes
include_tasks: kubelet-fix-client-cert-rotation.yml
when: kubelet_rotate_certificates
- name: Install script to renew K8S control plane certificates
template:
src: k8s-certs-renew.sh.j2
dest: "{{ bin_dir }}/k8s-certs-renew.sh"
mode: '755'
- name: Renew K8S control plane certificates monthly 1/2
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
with_items:
- k8s-certs-renew.service
- k8s-certs-renew.timer
register: k8s_certs_units
when: auto_renew_certificates
- name: Renew K8S control plane certificates monthly 2/2
systemd:
name: k8s-certs-renew.timer
enabled: yes
state: started
daemon-reload: "{{ k8s_certs_units is changed }}"
when: auto_renew_certificates