You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

307 lines
18 KiB

2 years ago
7 years ago
  1. # Ansible
  2. ## Installing Ansible
  3. Kubespray supports multiple ansible versions and ships different `requirements.txt` files for them.
  4. Depending on your available python version you may be limited in choosing which ansible version to use.
  5. It is recommended to deploy the ansible version used by kubespray into a python virtual environment.
  6. ```ShellSession
  7. VENVDIR=kubespray-venv
  8. KUBESPRAYDIR=kubespray
  9. python3 -m venv $VENVDIR
  10. source $VENVDIR/bin/activate
  11. cd $KUBESPRAYDIR
  12. pip install -U -r requirements.txt
  13. ```
  14. In case you have a similar message when installing the requirements:
  15. ```ShellSession
  16. ERROR: Could not find a version that satisfies the requirement ansible==7.6.0 (from -r requirements.txt (line 1)) (from versions: [...], 6.7.0)
  17. ERROR: No matching distribution found for ansible==7.6.0 (from -r requirements.txt (line 1))
  18. ```
  19. It means that the version of Python you are running is not compatible with the version of Ansible that Kubespray supports.
  20. If the latest version supported according to pip is 6.7.0 it means you are running Python 3.8 or lower while you need at least Python 3.9 (see the table below).
  21. ### Ansible Python Compatibility
  22. Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
  23. | Ansible Version | Python Version |
  24. |-----------------|----------------|
  25. | >= 2.15.5 | 3.9-3.11 |
  26. ## Inventory
  27. The inventory is composed of 3 groups:
  28. * **kube_node** : list of kubernetes nodes where the pods will run.
  29. * **kube_control_plane** : list of servers where kubernetes control plane components (apiserver, scheduler, controller) will run.
  30. * **etcd**: list of servers to compose the etcd server. You should have at least 3 servers for failover purpose.
  31. Note: do not modify the children of _k8s_cluster_, like putting
  32. the _etcd_ group into the _k8s_cluster_, unless you are certain
  33. to do that and you have it fully contained in the latter:
  34. ```ShellSession
  35. etcd ⊂ k8s_cluster => kube_node ∩ etcd = etcd
  36. ```
  37. When _kube_node_ contains _etcd_, you define your etcd cluster to be as well schedulable for Kubernetes workloads.
  38. If you want it a standalone, make sure those groups do not intersect.
  39. If you want the server to act both as control-plane and node, the server must be defined
  40. on both groups _kube_control_plane_ and _kube_node_. If you want a standalone and
  41. unschedulable control plane, the server must be defined only in the _kube_control_plane_ and
  42. not _kube_node_.
  43. There are also two special groups:
  44. * **calico_rr** : explained for [advanced Calico networking cases](/docs/calico.md)
  45. * **bastion** : configure a bastion host if your nodes are not directly reachable
  46. Below is a complete inventory example:
  47. ```ini
  48. ## Configure 'ip' variable to bind kubernetes services on a
  49. ## different ip than the default iface
  50. node1 ansible_host=95.54.0.12 ip=10.3.0.1
  51. node2 ansible_host=95.54.0.13 ip=10.3.0.2
  52. node3 ansible_host=95.54.0.14 ip=10.3.0.3
  53. node4 ansible_host=95.54.0.15 ip=10.3.0.4
  54. node5 ansible_host=95.54.0.16 ip=10.3.0.5
  55. node6 ansible_host=95.54.0.17 ip=10.3.0.6
  56. [kube_control_plane]
  57. node1
  58. node2
  59. [etcd]
  60. node1
  61. node2
  62. node3
  63. [kube_node]
  64. node2
  65. node3
  66. node4
  67. node5
  68. node6
  69. [k8s_cluster:children]
  70. kube_node
  71. kube_control_plane
  72. ```
  73. ## Group vars and overriding variables precedence
  74. The group variables to control main deployment options are located in the directory ``inventory/sample/group_vars``.
  75. Optional variables are located in the `inventory/sample/group_vars/all.yml`.
  76. Mandatory variables that are common for at least one role (or a node group) can be found in the
  77. `inventory/sample/group_vars/k8s_cluster.yml`.
  78. There are also role vars for docker, kubernetes preinstall and control plane roles.
  79. According to the [ansible docs](https://docs.ansible.com/ansible/latest/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable),
  80. those cannot be overridden from the group vars. In order to override, one should use
  81. the `-e` runtime flags (most simple way) or other layers described in the docs.
  82. Kubespray uses only a few layers to override things (or expect them to
  83. be overridden for roles):
  84. | Layer | Comment |
  85. |----------------------------------------|------------------------------------------------------------------------------|
  86. | **role defaults** | provides best UX to override things for Kubespray deployments |
  87. | inventory vars | Unused |
  88. | **inventory group_vars** | Expects users to use ``all.yml``,``k8s_cluster.yml`` etc. to override things |
  89. | inventory host_vars | Unused |
  90. | playbook group_vars | Unused |
  91. | playbook host_vars | Unused |
  92. | **host facts** | Kubespray overrides for internal roles' logic, like state flags |
  93. | play vars | Unused |
  94. | play vars_prompt | Unused |
  95. | play vars_files | Unused |
  96. | registered vars | Unused |
  97. | set_facts | Kubespray overrides those, for some places |
  98. | **role and include vars** | Provides bad UX to override things! Use extra vars to enforce |
  99. | block vars (only for tasks in block) | Kubespray overrides for internal roles' logic |
  100. | task vars (only for the task) | Unused for roles, but only for helper scripts |
  101. | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml`` |
  102. ## Ansible tags
  103. The following tags are defined in playbooks:
  104. | Tag name | Used for |
  105. |--------------------------------|-------------------------------------------------------|
  106. | annotate | Create kube-router annotation |
  107. | apps | K8s apps definitions |
  108. | asserts | Check tasks for download role |
  109. | aws-ebs-csi-driver | Configuring csi driver: aws-ebs |
  110. | azure-csi-driver | Configuring csi driver: azure |
  111. | bastion | Setup ssh config for bastion |
  112. | bootstrap-os | Anything related to host OS configuration |
  113. | calico | Network plugin Calico |
  114. | calico_rr | Configuring Calico route reflector |
  115. | cephfs-provisioner | Configuring CephFS |
  116. | cert-manager | Configuring certificate manager for K8s |
  117. | cilium | Network plugin Cilium |
  118. | cinder-csi-driver | Configuring csi driver: cinder |
  119. | client | Kubernetes clients role |
  120. | cloud-provider | Cloud-provider related tasks |
  121. | cluster-roles | Configuring cluster wide application (psp ...) |
  122. | cni | CNI plugins for Network Plugins |
  123. | containerd | Configuring containerd engine runtime for hosts |
  124. | container_engine_accelerator | Enable nvidia accelerator for runtimes |
  125. | container-engine | Configuring container engines |
  126. | container-runtimes | Configuring container runtimes |
  127. | coredns | Configuring coredns deployment |
  128. | crio | Configuring crio container engine for hosts |
  129. | crun | Configuring crun runtime |
  130. | csi-driver | Configuring csi driver |
  131. | dashboard | Installing and configuring the Kubernetes Dashboard |
  132. | dns | Remove dns entries when resetting |
  133. | docker | Configuring docker engine runtime for hosts |
  134. | download | Fetching container images to a delegate host |
  135. | etcd | Configuring etcd cluster |
  136. | etcd-secrets | Configuring etcd certs/keys |
  137. | etchosts | Configuring /etc/hosts entries for hosts |
  138. | external-cloud-controller | Configure cloud controllers |
  139. | external-openstack | Cloud controller : openstack |
  140. | external-provisioner | Configure external provisioners |
  141. | external-vsphere | Cloud controller : vsphere |
  142. | facts | Gathering facts and misc check results |
  143. | files | Remove files when resetting |
  144. | flannel | Network plugin flannel |
  145. | gce | Cloud-provider GCP |
  146. | gcp-pd-csi-driver | Configuring csi driver: gcp-pd |
  147. | gvisor | Configuring gvisor runtime |
  148. | helm | Installing and configuring Helm |
  149. | ingress-controller | Configure ingress controllers |
  150. | ingress_alb | AWS ALB Ingress Controller |
  151. | init | Windows kubernetes init nodes |
  152. | iptables | Flush and clear iptable when resetting |
  153. | k8s-pre-upgrade | Upgrading K8s cluster |
  154. | k8s-secrets | Configuring K8s certs/keys |
  155. | k8s-gen-tokens | Configuring K8s tokens |
  156. | kata-containers | Configuring kata-containers runtime |
  157. | krew | Install and manage krew |
  158. | kubeadm | Roles linked to kubeadm tasks |
  159. | kube-apiserver | Configuring static pod kube-apiserver |
  160. | kube-controller-manager | Configuring static pod kube-controller-manager |
  161. | kube-vip | Installing and configuring kube-vip |
  162. | kubectl | Installing kubectl and bash completion |
  163. | kubelet | Configuring kubelet service |
  164. | kube-ovn | Network plugin kube-ovn |
  165. | kube-router | Network plugin kube-router |
  166. | kube-proxy | Configuring static pod kube-proxy |
  167. | localhost | Special steps for the localhost (ansible runner) |
  168. | local-path-provisioner | Configure External provisioner: local-path |
  169. | local-volume-provisioner | Configure External provisioner: local-volume |
  170. | macvlan | Network plugin macvlan |
  171. | master | Configuring K8s master node role |
  172. | metallb | Installing and configuring metallb |
  173. | metrics_server | Configuring metrics_server |
  174. | netchecker | Installing netchecker K8s app |
  175. | network | Configuring networking plugins for K8s |
  176. | mounts | Umount kubelet dirs when reseting |
  177. | multus | Network plugin multus |
  178. | nginx | Configuring LB for kube-apiserver instances |
  179. | node | Configuring K8s minion (compute) node role |
  180. | nodelocaldns | Configuring nodelocaldns daemonset |
  181. | node-label | Tasks linked to labeling of nodes |
  182. | node-webhook | Tasks linked to webhook (grating access to resources) |
  183. | nvidia_gpu | Enable nvidia accelerator for runtimes |
  184. | oci | Cloud provider: oci |
  185. | persistent_volumes | Configure csi volumes |
  186. | persistent_volumes_aws_ebs_csi | Configuring csi driver: aws-ebs |
  187. | persistent_volumes_cinder_csi | Configuring csi driver: cinder |
  188. | persistent_volumes_gcp_pd_csi | Configuring csi driver: gcp-pd |
  189. | persistent_volumes_openstack | Configuring csi driver: openstack |
  190. | policy-controller | Configuring Calico policy controller |
  191. | post-remove | Tasks running post-remove operation |
  192. | post-upgrade | Tasks running post-upgrade operation |
  193. | pre-remove | Tasks running pre-remove operation |
  194. | pre-upgrade | Tasks running pre-upgrade operation |
  195. | preinstall | Preliminary configuration steps |
  196. | registry | Configuring local docker registry |
  197. | reset | Tasks running doing the node reset |
  198. | resolvconf | Configuring /etc/resolv.conf for hosts/apps |
  199. | rbd-provisioner | Configure External provisioner: rdb |
  200. | services | Remove services (etcd, kubelet etc...) when resetting |
  201. | snapshot | Enabling csi snapshot |
  202. | snapshot-controller | Configuring csi snapshot controller |
  203. | upgrade | Upgrading, f.e. container images/binaries |
  204. | upload | Distributing images/binaries across hosts |
  205. | vsphere-csi-driver | Configuring csi driver: vsphere |
  206. | weave | Network plugin Weave |
  207. | win_nodes | Running windows specific tasks |
  208. | youki | Configuring youki runtime |
  209. Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
  210. tags found in the codebase. New tags will be listed with the empty "Used for"
  211. field.
  212. ## Example commands
  213. Example command to filter and apply only DNS configuration tasks and skip
  214. everything else related to host OS configuration and downloading images of containers:
  215. ```ShellSession
  216. ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap-os
  217. ```
  218. And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:
  219. ```ShellSession
  220. ansible-playbook -i inventory/sample/hosts.ini -e dns_mode='none' cluster.yml --tags resolvconf
  221. ```
  222. And this prepares all container images locally (at the ansible runner node) without installing
  223. or upgrading related stuff or trying to upload container to K8s cluster nodes:
  224. ```ShellSession
  225. ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
  226. -e download_run_once=true -e download_localhost=true \
  227. --tags download --skip-tags upload,upgrade
  228. ```
  229. Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing.
  230. ## Bastion host
  231. If you prefer to not make your nodes publicly accessible (nodes with private IPs only),
  232. you can use a so-called _bastion_ host to connect to your nodes. To specify and use a bastion,
  233. simply add a line to your inventory, where you have to replace x.x.x.x with the public IP of the
  234. bastion host.
  235. ```ShellSession
  236. [bastion]
  237. bastion ansible_host=x.x.x.x
  238. ```
  239. For more information about Ansible and bastion hosts, read
  240. [Running Ansible Through an SSH Bastion Host](https://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)
  241. ## Mitogen
  242. Mitogen support is deprecated, please see [mitogen related docs](/docs/mitogen.md) for usage and reasons for deprecation.
  243. ## Beyond ansible 2.9
  244. Ansible project has decided, in order to ease their maintenance burden, to split between
  245. two projects which are now joined under the Ansible umbrella.
  246. Ansible-base (2.10.x branch) will contain just the ansible language implementation while
  247. ansible modules that were previously bundled into a single repository will be part of the
  248. ansible 3.x package. Please see [this blog post](https://blog.while-true-do.io/ansible-release-3-0-0/)
  249. that explains in detail the need and the evolution plan.
  250. **Note:** this change means that ansible virtual envs cannot be upgraded with `pip install -U`.
  251. You first need to uninstall your old ansible (pre 2.10) version and install the new one.
  252. ```ShellSession
  253. pip uninstall ansible ansible-base ansible-core
  254. cd kubespray/
  255. pip install -U .
  256. ```