c12s-kubespray/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
Cristian Klein b9077d3ea2
Add ping_access_ip; allows to disable ping test (#7020)
In some environments, it might not be possible to ping the IP address
of the nodes, e.g., because ICMP echo is blocked.

This commit allows kubespray to be configured to disable the ping
check, while performing all other checks.
2021-01-11 06:15:08 -08:00

294 lines
10 KiB
YAML

---
- name: Stop if either kube-master or kube-node group is empty
assert:
that: "groups.get('{{ item }}')"
with_items:
- kube-master
- kube-node
run_once: true
when: not ignore_assert_errors
- name: Stop if etcd group is empty in external etcd mode
assert:
that: groups.get('etcd')
fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
run_once: true
when:
- not ignore_assert_errors
- not etcd_kubeadm_enabled
- name: Stop if non systemd OS type
assert:
that: ansible_service_mgr == "systemd"
when: not ignore_assert_errors
- name: Stop if unknown OS
assert:
that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'Flatcar Container Linux by Kinvolk', 'Suse', 'ClearLinux', 'OracleLinux']
msg: "{{ ansible_os_family }} is not a known OS"
when: not ignore_assert_errors
- name: Stop if unknown network plugin
assert:
that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'ovn4nfv','kube-ovn', 'kube-router', 'macvlan']
msg: "{{ kube_network_plugin }} is not supported"
when:
- kube_network_plugin is defined
- not ignore_assert_errors
- name: Stop if incompatible network plugin and cloudprovider
assert:
that: kube_network_plugin != 'calico'
msg: "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
when:
- cloud_provider is defined and cloud_provider == 'azure'
- not ignore_assert_errors
- name: Stop if unsupported version of Kubernetes
assert:
that: kube_version is version(kube_version_min_required, '>=')
msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
when: not ignore_assert_errors
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
assert:
that: item.value|type_debug == 'bool'
msg: "{{ item.value }} isn't a bool"
run_once: yes
with_items:
- { name: download_run_once, value: "{{ download_run_once }}" }
- { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
- { name: download_always_pull, value: "{{ download_always_pull }}" }
- { name: helm_enabled, value: "{{ helm_enabled }}" }
- { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
when: not ignore_assert_errors
- name: Stop if even number of etcd hosts
assert:
that: groups.etcd|length is not divisibleby 2
when:
- not ignore_assert_errors
- groups.get('etcd')
- inventory_hostname in groups['etcd']
- name: Stop if memory is too small for masters
assert:
that: ansible_memtotal_mb >= minimal_master_memory_mb
when:
- not ignore_assert_errors
- inventory_hostname in groups['kube-master']
- name: Stop if memory is too small for nodes
assert:
that: ansible_memtotal_mb >= minimal_node_memory_mb
when:
- not ignore_assert_errors
- inventory_hostname in groups['kube-node']
# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
assert:
that: "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
msg: "Do not schedule more pods on a node than inet addresses are available."
when:
- not ignore_assert_errors
- inventory_hostname in groups['k8s-cluster']
- kube_network_node_prefix is defined
- kube_network_plugin != 'calico'
- name: Stop if ip var does not match local ips
assert:
that: ip in ansible_all_ipv4_addresses
msg: "'{{ ansible_all_ipv4_addresses }}' do not contain '{{ ip }}'"
when:
- not ignore_assert_errors
- ip is defined
- name: Stop if access_ip is not pingable
command: ping -c1 {{ access_ip }}
when:
- access_ip is defined
- not ignore_assert_errors
- ping_access_ip
- name: Stop if RBAC is not enabled when dashboard is enabled
assert:
that: rbac_enabled
when:
- dashboard_enabled
- not ignore_assert_errors
- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
assert:
that: rbac_enabled
when:
- cloud_provider is defined and cloud_provider == "oci"
- not ignore_assert_errors
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when:
- kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube-master']
- not ignore_assert_errors
- name: Stop if kernel version is too low
assert:
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
when:
- kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
- not ignore_assert_errors
- name: Stop if bad hostname
assert:
that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
when: not ignore_assert_errors
- name: check cloud_provider value
assert:
that: cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external"
when:
- cloud_provider is defined
- not ignore_assert_errors
tags:
- cloud-provider
- facts
- name: Ensure minimum calico version
assert:
that: calico_version is version(calico_min_version_required, '>=')
msg: "calico_version is too low. Minimum version {{ calico_min_version_required }}"
run_once: yes
when:
- kube_network_plugin == 'calico'
- name: Get current calico cluster version
shell: "set -o pipefail && {{ bin_dir }}/calicoctl.sh version | grep 'Cluster Version:' | awk '{ print $3}'"
args:
executable: /bin/bash
register: calico_version_on_server
async: 10
poll: 3
run_once: yes
changed_when: false
failed_when: false
when:
- kube_network_plugin == 'calico'
- name: Check that current calico version is enough for upgrade
assert:
that:
- calico_version_on_server.stdout is version(calico_min_version_required, '>=')
msg: "Your version of calico is not fresh enough for upgrade. Minimum version {{ calico_min_version_required }}"
when:
- kube_network_plugin == 'calico'
- 'calico_version_on_server.stdout is defined'
- calico_version_on_server.stdout
- inventory_hostname == groups['kube-master'][0]
run_once: yes
- name: "Check that cluster_id is set if calico_rr enabled"
assert:
that:
- cluster_id is defined
msg: "A unique cluster_id is required if using calico_rr"
when:
- kube_network_plugin == 'calico'
- peer_with_calico_rr
- inventory_hostname == groups['kube-master'][0]
run_once: yes
- name: "Check that calico_rr nodes are in k8s-cluster group"
assert:
that:
- '"k8s-cluster" in group_names'
msg: "calico-rr must be a child group of k8s-cluster group"
when:
- kube_network_plugin == 'calico'
- '"calico-rr" in group_names'
- name: "Check that kube_service_addresses is a network range"
assert:
that:
- kube_service_addresses | ipaddr('net')
msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
run_once: yes
- name: "Check that kube_pods_subnet is a network range"
assert:
that:
- kube_pods_subnet | ipaddr('net')
msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
run_once: yes
- name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
assert:
that:
- kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
run_once: yes
- name: Stop if unknown dns mode
assert:
that: dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
when: dns_mode is defined
run_once: true
- name: Stop if unknown kube proxy mode
assert:
that: kube_proxy_mode in ['iptables', 'ipvs']
msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
when: kube_proxy_mode is defined
run_once: true
- name: Stop if vault is chose
assert:
that: cert_management != 'vault'
msg: "Support for vault have been removed, please use 'script' or 'none'"
when: cert_management is defined
run_once: true
- name: Stop if unknown cert_management
assert:
that: cert_management|d('script') in ['script', 'none']
msg: "cert_management can only be 'script' or 'none'"
run_once: true
- name: Stop if unknown resolvconf_mode
assert:
that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
when: resolvconf_mode is defined
run_once: true
- name: Stop if etcd deployment type is not host or docker
assert:
that: etcd_deployment_type in ['host', 'docker']
msg: "The etcd deployment type, 'etcd_deployment_type', must be host or docker"
run_once: true
- name: Stop if download_localhost is enabled but download_run_once is not
assert:
that: download_run_once
msg: "download_localhost requires enable download_run_once"
when: download_localhost
- name: Stop if kata_containers_enabled is enabled when container_manager is docker
assert:
that: container_manager != 'docker'
msg: "kata_containers_enabled support only for containerd and crio-o. See https://github.com/kata-containers/documentation/blob/1.11.4/how-to/run-kata-with-k8s.md#install-a-cri-implementation for details"
when: kata_containers_enabled
- name: Stop if download_localhost is enabled for Flatcar Container Linux
assert:
that: ansible_os_family not in ["Flatcar Container Linux by Kinvolk"]
msg: "download_run_once not supported for Flatcar Container Linux"
when: download_run_once or download_force_cache