richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6466 Commits
33 Branches
82 Tags
153 MiB
Tree: 593359ec77
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '593359ec77'
${ noResults }
kubespray/roles/kubernetes/node/tasks/main.yml

193 lines
4.8 KiB
Raw Normal View History

Initial commit
9 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
7 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Address standalone kubelet config case Also place in global vars and do not repeat the kube_*_config_dir and kube_namespace vars for better code maintainability and UX. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
7 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Add /var/lib/cni to kubelet Necessary to persist this directory for host-local IPAM used by Canal Add pre-upgrade task to copy /var/lib/cni out of old kubelet.
8 years ago
Explicitly create cni bin dir If this path doesnt exist, it will cause kubelet to fail to start when using rkt
7 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
7 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
generate secrets on deployment machine test travis with sudo=true instead of required
9 years ago
Add support for kube-vip (#8669) Signed-off-by: Mathieu Parent <math.parent@gmail.com>
2 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
ansible-lint: Don’t compare to literal True/False (#4499)
5 years ago
Fix if bind-address is not set to 0.0.0.0 (#8262) * if bind-address is not set to 0.0.0.0 * Update docs and left comments * fix yamllist check: remove space
3 years ago
ansible-lint: Don’t compare to literal True/False (#4499)
5 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
ansible-lint: Don’t compare to literal True/False (#4499)
5 years ago
Fix if bind-address is not set to 0.0.0.0 (#8262) * if bind-address is not set to 0.0.0.0 * Update docs and left comments * fix yamllist check: remove space
3 years ago
ansible-lint: Don’t compare to literal True/False (#4499)
5 years ago
Add HAProxy as internal loadbalancer (#4480)
5 years ago
Prevent dynamic port allocation in nodePort range kube_apiserver_node_port_range should be accessible only to kube-proxy and not be taken by a dynamic port allocation. Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920 gets fixed.
8 years ago
sysctl file should be in defaults so that it can be overriden (#2475) * sysctl file should be in defaults so that it can be overriden * Change sysctl_file_path to be consistent with roles/kubernetes/preinstall/defaults/main.yml
6 years ago
Prevent dynamic port allocation in nodePort range kube_apiserver_node_port_range should be accessible only to kube-proxy and not be taken by a dynamic port allocation. Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920 gets fixed.
8 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Prevent dynamic port allocation in nodePort range kube_apiserver_node_port_range should be accessible only to kube-proxy and not be taken by a dynamic port allocation. Potentially temporary if https://github.com/kubernetes/kubernetes/issues/40920 gets fixed.
8 years ago
Fix ansible-lint E305 (#6459)
4 years ago
Fix #2261 by supporting Red Hat's limited PATH Red Hat has this theory that binaries in sbin are too dangerous to be on the default path, but we need them anyway. RH7 has /sbin and /usr/sbin as symlinks, so that is no longer important. I'm adding it to the `PATH` instead of making the path to `modinfo` absolute because I am worried about breaking support for other distributions.
6 years ago
ansible-lint: add spaces around variables [E206] (#4699)
5 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
missing "check_mode: no"s for several read-only tasks (#8584) this is not complete -- there are almost certainly more instances of this issue
3 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Move to Ansible 3.4.0 (#7672) * Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10 * Docs: add a note about ansible upgrade post 2.9.x * CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures * Ansible: use newer ansible-lint * Fix ansible-lint 5.0.11 found issues * syntax issues * risky-file-permissions * var-naming * role-name * molecule tests * Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+ * Pin ansible-base to 2.10.11 to get package fix on RHEL8
3 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
Persist br_netfilter module loading (#1760)
7 years ago
Move to Ansible 3.4.0 (#7672) * Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10 * Docs: add a note about ansible upgrade post 2.9.x * CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures * Ansible: use newer ansible-lint * Fix ansible-lint 5.0.11 found issues * syntax issues * risky-file-permissions * var-naming * role-name * molecule tests * Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+ * Pin ansible-base to 2.10.11 to get package fix on RHEL8
3 years ago
Persist br_netfilter module loading (#1760)
7 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
missing "check_mode: no"s for several read-only tasks (#8584) this is not complete -- there are almost certainly more instances of this issue
3 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
sysctl file should be in defaults so that it can be overriden (#2475) * sysctl file should be in defaults so that it can be overriden * Change sysctl_file_path to be consistent with roles/kubernetes/preinstall/defaults/main.yml
6 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
Always set net.bridge.bridge-nf-call-* sysctl
7 years ago
Consolidate kube-proxy module and sysctl loading (#1586) This sets br_netfilter and net.bridge.bridge-nf-call-iptables sysctl from a single play before kube-proxy is first ran instead of from the flannel and weave network_plugin roles after kube-proxy is started
7 years ago
Fix typo: Modprode -> Modprobe (#6429)
4 years ago
Support ipvs mode for kube-proxy Support ipvs mode for kube-proxy
7 years ago
Upgrade kubernetes to V1.11.x (#3078) Upgrade Kubernetes to V1.11.2 The kubeadm configuration file version has been upgraded from v1alpha1 to v1alpha2 Add bootstrap kubeadm-config.yaml with external etcd
6 years ago
Support ipvs mode for kube-proxy Support ipvs mode for kube-proxy
7 years ago
Fix nf_conntrack_ipv4 modprobe (#6988) RedHat 8.3 merged nf_conntrack_ipv4 in nf_conntrack but still advertise 4.18 so just try to modprobe and decide depending on the success Also nf_conntrack is a dependency of ip_vs, so no need to care about it Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764)
6 years ago
Fix nf_conntrack_ipv4 modprobe (#6988) RedHat 8.3 merged nf_conntrack_ipv4 in nf_conntrack but still advertise 4.18 so just try to modprobe and decide depending on the success Also nf_conntrack is a dependency of ip_vs, so no need to care about it Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
Move to Ansible 3.4.0 (#7672) * Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10 * Docs: add a note about ansible upgrade post 2.9.x * CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures * Ansible: use newer ansible-lint * Fix ansible-lint 5.0.11 found issues * syntax issues * risky-file-permissions * var-naming * role-name * molecule tests * Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+ * Pin ansible-base to 2.10.11 to get package fix on RHEL8
3 years ago
make better condition for applying nf_conntrack kernel tweak (#6267) * MINOR: Check kernel version before enable modprobe nf_conntrack * CLEANUP: no more need to ignore error of this task * MINOR: Fixing yaml and ansible lint error - remove trailling-space
4 years ago
Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764)
6 years ago
Added tag kube-proxy (#4272) Signed-off-by: André R. de Miranda <andre@miranda.work>
5 years ago
Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764)
6 years ago
Persist ip_vs modules
6 years ago
Move to Ansible 3.4.0 (#7672) * Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10 * Docs: add a note about ansible upgrade post 2.9.x * CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures * Ansible: use newer ansible-lint * Fix ansible-lint 5.0.11 found issues * syntax issues * risky-file-permissions * var-naming * role-name * molecule tests * Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+ * Pin ansible-base to 2.10.11 to get package fix on RHEL8
3 years ago
content: |
6 years ago
Fix nf_conntrack_ipv4 modprobe (#6988) RedHat 8.3 merged nf_conntrack_ipv4 in nf_conntrack but still advertise 4.18 so just try to modprobe and decide depending on the success Also nf_conntrack is a dependency of ip_vs, so no need to care about it Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
4 years ago
content: |
6 years ago
Load nf_conntrack module if nf_conntrack_ipv4 failed (#3764)
6 years ago
Persist ip_vs modules
6 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
Move credentials pre-check
7 years ago
Enable openstack_cacert to be either file or base64 string (#5243)
5 years ago
change `|` to `is` (#6991) Since ansible 2.9 search cannot be used as filter after a pipe but after `is` Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
4 years ago
Enable openstack_cacert to be either file or base64 string (#5243)
5 years ago
resolve issues with new cacert feature
6 years ago
Enable openstack_cacert to be either file or base64 string (#5243)
5 years ago
resolve issues with new cacert feature
6 years ago
Fix openstack cacert task
6 years ago
resolve issues with new cacert feature
6 years ago
fix openstack_cacert conditional (#5078)
5 years ago
resolve issues with new cacert feature
6 years ago
Write cloud-config during kubelet configuration This file should only be updated during kubelet upgrade so that master components are not accidentally restarted first during preinstall stage.
7 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
Write cloud-config during kubelet configuration This file should only be updated during kubelet upgrade so that master components are not accidentally restarted first during preinstall stage.
7 years ago
add gce support (#8179) Author: lmercl <lubos.mercl@gmail.com> Date: Wed Nov 10 15:30:04 2021 +0000 fix markdown
3 years ago
rename handler to fix ansible 2.8 issue (#5801)
5 years ago
Write cloud-config during kubelet configuration This file should only be updated during kubelet upgrade so that master components are not accidentally restarted first during preinstall stage.
7 years ago
Add Kubelet config, remove deprecated flags and fix minor bugs (#4724) * Add kubelet config * Change kubelet_authorization_mode_webhook to true * Fix lint * Sync env file * Refactor the kubernetes node folder * Remove deprecated flag and fix lint
5 years ago
Normalize tags in all places to prepare for tag fixing in future (#1739)
7 years ago
Enable openstack_cacert to be either file or base64 string (#5243)
5 years ago
  1. ---
  2. - import_tasks: facts.yml
  3. tags:
  4. - facts
  6. - import_tasks: pre_upgrade.yml
  7. tags:
  8. - kubelet
  10. - name: Ensure /var/lib/cni exists
  11. file:
  12. path: /var/lib/cni
  13. state: directory
  14. mode: 0755
  16. - import_tasks: install.yml
  17. tags:
  18. - kubelet
  20. - import_tasks: loadbalancer/kube-vip.yml
  21. when:
  22. - is_kube_master
  23. - kube_vip_enabled
  24. tags:
  25. - kube-vip
  27. - import_tasks: loadbalancer/nginx-proxy.yml
  28. when:
  29. - not is_kube_master or kube_apiserver_bind_address != '0.0.0.0'
  30. - loadbalancer_apiserver_localhost
  31. - loadbalancer_apiserver_type == 'nginx'
  32. tags:
  33. - nginx
  35. - import_tasks: loadbalancer/haproxy.yml
  36. when:
  37. - not is_kube_master or kube_apiserver_bind_address != '0.0.0.0'
  38. - loadbalancer_apiserver_localhost
  39. - loadbalancer_apiserver_type == 'haproxy'
  40. tags:
  41. - haproxy
  43. - name: Ensure nodePort range is reserved
  44. sysctl:
  45. name: net.ipv4.ip_local_reserved_ports
  46. value: "{{ kube_apiserver_node_port_range }}"
  47. sysctl_set: yes
  48. sysctl_file: "{{ sysctl_file_path }}"
  49. state: present
  50. reload: yes
  51. when: kube_apiserver_node_port_range is defined
  52. tags:
  53. - kube-proxy
  55. - name: Verify if br_netfilter module exists
  56. command: "modinfo br_netfilter"
  57. environment:
  58. PATH: "{{ ansible_env.PATH }}:/sbin" # Make sure we can workaround RH's conservative path management
  59. register: modinfo_br_netfilter
  60. failed_when: modinfo_br_netfilter.rc not in [0, 1]
  61. changed_when: false
  62. check_mode: no
  64. - name: Verify br_netfilter module path exists
  65. file:
  66. path: /etc/modules-load.d
  67. state: directory
  68. mode: 0755
  70. - name: Enable br_netfilter module
  71. modprobe:
  72. name: br_netfilter
  73. state: present
  74. when: modinfo_br_netfilter.rc == 0
  76. - name: Persist br_netfilter module
  77. copy:
  78. dest: /etc/modules-load.d/kubespray-br_netfilter.conf
  79. content: br_netfilter
  80. mode: 0644
  81. when: modinfo_br_netfilter.rc == 0
  83. # kube-proxy needs net.bridge.bridge-nf-call-iptables enabled when found if br_netfilter is not a module
  84. - name: Check if bridge-nf-call-iptables key exists
  85. command: "sysctl net.bridge.bridge-nf-call-iptables"
  86. failed_when: false
  87. changed_when: false
  88. check_mode: no
  89. register: sysctl_bridge_nf_call_iptables
  91. - name: Enable bridge-nf-call tables
  92. sysctl:
  93. name: "{{ item }}"
  94. state: present
  95. sysctl_file: "{{ sysctl_file_path }}"
  96. value: "1"
  97. reload: yes
  98. when: sysctl_bridge_nf_call_iptables.rc == 0
  99. with_items:
  100. - net.bridge.bridge-nf-call-iptables
  101. - net.bridge.bridge-nf-call-arptables
  102. - net.bridge.bridge-nf-call-ip6tables
  104. - name: Modprobe Kernel Module for IPVS
  105. modprobe:
  106. name: "{{ item }}"
  107. state: present
  108. with_items:
  109. - ip_vs
  110. - ip_vs_rr
  111. - ip_vs_wrr
  112. - ip_vs_sh
  113. when: kube_proxy_mode == 'ipvs'
  114. tags:
  115. - kube-proxy
  117. - name: Modprobe nf_conntrack_ipv4
  118. modprobe:
  119. name: nf_conntrack_ipv4
  120. state: present
  121. register: modprobe_nf_conntrack_ipv4
  122. ignore_errors: true # noqa ignore-errors
  123. when:
  124. - kube_proxy_mode == 'ipvs'
  125. tags:
  126. - kube-proxy
  128. - name: Persist ip_vs modules
  129. copy:
  130. dest: /etc/modules-load.d/kube_proxy-ipvs.conf
  131. mode: 0644
  132. content: |
  133. ip_vs
  134. ip_vs_rr
  135. ip_vs_wrr
  136. ip_vs_sh
  137. {% if modprobe_nf_conntrack_ipv4 is success -%}
  138. nf_conntrack_ipv4
  139. {%- endif -%}
  140. when: kube_proxy_mode == 'ipvs'
  141. tags:
  142. - kube-proxy
  144. - include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml"
  145. when:
  146. - cloud_provider is defined
  147. - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
  148. tags:
  149. - cloud-provider
  150. - facts
  152. - name: Test if openstack_cacert is a base64 string
  153. set_fact:
  154. openstack_cacert_is_base64: "{% if openstack_cacert is search ('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$') %}true{% else %}false{% endif %}"
  155. when:
  156. - cloud_provider is defined
  157. - cloud_provider == 'openstack'
  158. - openstack_cacert is defined
  159. - openstack_cacert | length > 0
  162. - name: Write cacert file
  163. copy:
  164. src: "{{ openstack_cacert if not openstack_cacert_is_base64 else omit }}"
  165. content: "{{ openstack_cacert | b64decode if openstack_cacert_is_base64 else omit }}"
  166. dest: "{{ kube_config_dir }}/openstack-cacert.pem"
  167. group: "{{ kube_cert_group }}"
  168. mode: 0640
  169. when:
  170. - cloud_provider is defined
  171. - cloud_provider == 'openstack'
  172. - openstack_cacert is defined
  173. - openstack_cacert | length > 0
  174. tags:
  175. - cloud-provider
  177. - name: Write cloud-config
  178. template:
  179. src: "cloud-configs/{{ cloud_provider }}-cloud-config.j2"
  180. dest: "{{ kube_config_dir }}/cloud_config"
  181. group: "{{ kube_cert_group }}"
  182. mode: 0640
  183. when:
  184. - cloud_provider is defined
  185. - cloud_provider in [ 'openstack', 'azure', 'vsphere', 'aws', 'gce' ]
  186. notify: Node | restart kubelet
  187. tags:
  188. - cloud-provider
  190. - import_tasks: kubelet.yml
  191. tags:
  192. - kubelet
  193. - kubeadm