kubespray/roles/kubernetes-apps/cluster_roles/tasks/main.yml

---
- name: Kubernetes Apps | Wait for kube-apiserver
  uri:
    url: "{{ kube_apiserver_endpoint }}/healthz"
    validate_certs: no
    client_cert: "{{ kube_apiserver_client_cert }}"
    client_key: "{{ kube_apiserver_client_key }}"
  register: result
  until: result.status == 200
  retries: 10
  delay: 6
  when: inventory_hostname == groups['kube-master'][0]

- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
  template:
    src: "node-crb.yml.j2"
    dest: "{{ kube_config_dir }}/node-crb.yml"
  register: node_crb_manifest
  when: rbac_enabled

- name: Apply workaround to allow all nodes with cert O=system:nodes to register
  kube:
    name: "kubespray:system:node"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/node-crb.yml"
    state: latest
  when:
    - rbac_enabled
    - node_crb_manifest.changed

- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
  template:
    src: "node-webhook-cr.yml.j2"
    dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
  register: node_webhook_cr_manifest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
  tags: node-webhook

- name: Apply webhook ClusterRole
  kube:
    name: "system:node-webhook"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "clusterrole"
    filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
    state: latest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - node_webhook_cr_manifest.changed
  tags: node-webhook

- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
  template:
    src: "node-webhook-crb.yml.j2"
    dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
  register: node_webhook_crb_manifest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
  tags: node-webhook

- name: Grant system:nodes the webhook ClusterRole
  kube:
    name: "system:node-webhook"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
    state: latest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - node_webhook_crb_manifest.changed
  tags: node-webhook

# This is not a cluster role, but should be run after kubeconfig is set on master
- name: Write kube system namespace manifest
  template:
    src: namespace.j2
    dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
  when: inventory_hostname == groups['kube-master'][0]
  tags:
    - apps

- name: Check if kube system namespace exists
  command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
  register: 'kubesystem'
  changed_when: False
  failed_when: False
  when: inventory_hostname == groups['kube-master'][0]
  tags:
    - apps

- name: Create kube system namespace
  command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  register: create_system_ns
  until: create_system_ns.rc == 0
  changed_when: False
  when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
  tags:
    - apps