kubespray/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

---
# Todo : selinux configuration
- name: Confirm selinux deployed
  stat:
    path: /etc/selinux/config
  when:
    - ansible_os_family == "RedHat"
    - "'Amazon' not in ansible_distribution"
  register: slc

- name: Set selinux policy
  selinux:
    policy: targeted
    state: "{{ preinstall_selinux_state }}"
  when:
    - ansible_os_family == "RedHat"
    - "'Amazon' not in ansible_distribution"
    - slc.stat.exists
  changed_when: False
  tags:
    - bootstrap-os

- name: Disable IPv6 DNS lookup
  lineinfile:
    dest: /etc/gai.conf
    line: "precedence ::ffff:0:0/96  100"
    state: present
    create: yes
    backup: yes
  when:
    - disable_ipv6_dns
    - not ansible_os_family in ["Flatcar Container Linux by Kinvolk"]
  tags:
    - bootstrap-os

- name: Stat sysctl file configuration
  stat:
    path: "{{ sysctl_file_path }}"
  register: sysctl_file_stat
  tags:
    - bootstrap-os

- name: Change sysctl file path to link source if linked
  set_fact:
    sysctl_file_path: "{{ sysctl_file_stat.stat.lnk_source }}"
  when:
    - sysctl_file_stat.stat.islnk is defined
    - sysctl_file_stat.stat.islnk
  tags:
    - bootstrap-os

- name: Make sure sysctl file path folder exists
  file:
    name: "{{ sysctl_file_path | dirname }}"
    state: directory

- name: Enable ip forwarding
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: net.ipv4.ip_forward
    value: 1
    state: present
    reload: yes

- name: Ensure kube-bench parameters are set
  sysctl:
    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    reload: yes
  with_items:
    - { name: vm.overcommit_memory, value: 1 }
    - { name: kernel.panic, value: 10 }
    - { name: kernel.panic_on_oops, value: 1 }
  when: kubelet_protect_kernel_defaults|bool