richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5416 Commits
29 Branches
81 Tags
147 MiB
Tree: 91f1edbdd4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '91f1edbdd4'
${ noResults }
kubespray/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

293 lines
10 KiB
Raw Normal View History

Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Add check that kube-master, kube-node and etcd groups are not empty.
6 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Remove support for CoreOS Container Linux (#6576)
4 years ago
Add support to Ansible 2.9 (#5361)
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
adding ovn4nfv in kubespray (#6381) Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
4 years ago
Add support to Ansible 2.9 (#5361)
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Fixes #2800
6 years ago
Fix error for azure+calico assert (#1717) Fixes #1716
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Require min version of Kubernetes (#4860) * Require minimum version of Kubernetes * Remove checksums for kubernetes version 1.12 * Add kube_version to precheck output and add min required version to README * Fix merge * Fix defaults * Fix typo in precheck
5 years ago
fix-typo (#5199)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Require min version of Kubernetes (#4860) * Require minimum version of Kubernetes * Remove checksums for kubernetes version 1.12 * Add kube_version to precheck output and add min required version to README * Fix merge * Fix defaults * Fix typo in precheck
5 years ago
Workaround ansible bug where access var via dict doesn't get real value (#1912) * Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
7 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Workaround ansible bug where access var via dict doesn't get real value (#1912) * Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
7 years ago
ansible-lint: add spaces around variables [E206] (#4699)
5 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Workaround ansible bug where access var via dict doesn't get real value (#1912) * Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
allow non existing etcd group (#6797) When using kubeadm managed etcd, configuring an etcd group can now be skipped.
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Added configurable min memory assertions (#4307)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Added configurable min memory assertions (#4307)
5 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Added filters for integer conversion of kubelet_max_pods and kube_network_node_prefix (#3857)
5 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
check on all cluster node - kubelet_max_pods <= (2 ** (32 - kube_network_node_prefix | int)) - 2 (#5279)
5 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Ignore assertion comparison for kube_network_node_prefix when using calico (#5632) * Fix incorrect assertion comparison for kube_network_node_prefix * Ignore assertion comparison for kube_network_node_prefix when using calico * Adding more var docs description for kube_network_node_prefix * Fixing trailing whitespaces
4 years ago
assert that number of pods on node does not exceed CIDR address range The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
6 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
Add error msg for check of local ip (#6761) When stopping at the check of "Stop if ip var does not match local ips" the error message is like: fatal: [single-k8s]: FAILED! => { "assertion": "ip in ansible_all_ipv4_addresses", "changed": false, "evaluated_to": false, "msg": "Assertion failed" } That doesn't contain actual IP addresses and it is difficult to understand what was wrong. This adds the error message which contain actual IP addresses to investigate the issue if happens.
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Verify valid settings before deploy (#1705) Also fix yaml lint issues Fixes #1703
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Disable swap in vagrant vms
7 years ago
Kubernetes Dashboard v1.7.1 Refactor This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated. * New login/auth options that use apiserver auth proxying by default * Requires RBAC in `authorization_modes` * Only serves over https * No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL: * Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials * Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ * It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Support for disabling apiserver insecure port This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). Rework of #1937 with kubeadm support Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
7 years ago
Cloud provider support for OCI (Oracle Cloud Infrastructure) Signed-off-by: Jeff Bornemann <jeff.bornemann@oracle.com>
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Cloud provider support for OCI (Oracle Cloud Infrastructure) Signed-off-by: Jeff Bornemann <jeff.bornemann@oracle.com>
6 years ago
Support for disabling apiserver insecure port This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). Rework of #1937 with kubeadm support Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
7 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Added cilium support (#2236) * Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
6 years ago
Update cilium minimum kernel preinstall check (#6376) Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Add a way to deploy cilium alongside another CNI (#6373) Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
4 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Add bad hostname preflight check Hostname must be a valid DNS name, which is checked as https://github.com/kubernetes/apimachinery/blob/master/pkg/util/validation/validation.go#L115 The situation I have encountered is that my hostname contained underscore which is disallowed and apiserver refused to start.
6 years ago
Fix ansible syntax to avoid ansible warnings (one more) (#3536) * warning on meta flush_handlers * avoid rm * avoid "Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually" warning on subsequent tasks using blockinfile * is match
6 years ago
allow '.' in hostnames we use FQDN as inventory_hostname
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Update dir list
6 years ago
change ignore_errors: to when: in assert tasks (#5716)
4 years ago
Update dir list
6 years ago
Instead of doc update, change the verify step
6 years ago
remove support for calico v2.x (#4974) * Remove support for calico below version v3.0.0 Change-Id: If8fe3036b9e054901a8b2c48516eff1e1271970f * Update main.yml * fixup node peering Change-Id: Ifac4d363deba826f0c80e390ce80a28df9827323 * fixups Change-Id: Ic35417330af6741962003b3930604393c90804d1 * fixups Change-Id: I0ea82d634bb0c81d9b7dc50569c70988bc8d3a3b
5 years ago
Calico upgrade path validation and old version cleanup (#6733) * calico: add constant calico_min_version_required and verify current deployed version against it. * calico: remove upgrade support with data migration The tool was used pre v3.0.0 and is no longer needed. * calico: remove old version support from tasks * calico: remove old ver support from policy ctrl * calico: remove old ver support from node * canal: remove old ver support * remove unused calicoctl download checksums calico_min_version_required is the oldest version that can be installed Older versions can be removed.
4 years ago
remove support for calico v2.x (#4974) * Remove support for calico below version v3.0.0 Change-Id: If8fe3036b9e054901a8b2c48516eff1e1271970f * Update main.yml * fixup node peering Change-Id: Ifac4d363deba826f0c80e390ce80a28df9827323 * fixups Change-Id: Ic35417330af6741962003b3930604393c90804d1 * fixups Change-Id: I0ea82d634bb0c81d9b7dc50569c70988bc8d3a3b
5 years ago
Calico upgrade path validation and old version cleanup (#6733) * calico: add constant calico_min_version_required and verify current deployed version against it. * calico: remove upgrade support with data migration The tool was used pre v3.0.0 and is no longer needed. * calico: remove old version support from tasks * calico: remove old ver support from policy ctrl * calico: remove old ver support from node * canal: remove old ver support * remove unused calicoctl download checksums calico_min_version_required is the oldest version that can be installed Older versions can be removed.
4 years ago
Fix E306 in roles/kubernetes (#6500)
4 years ago
Instead of doc update, change the verify step
6 years ago
Add timeout to Get current version of calico cluster version, again (#6493)
4 years ago
Instead of doc update, change the verify step
6 years ago
changed_when:false (#4189)
5 years ago
Switch calicoctl from a container to a binary (#4524)
5 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Instead of doc update, change the verify step
6 years ago
Calico upgrade path validation and old version cleanup (#6733) * calico: add constant calico_min_version_required and verify current deployed version against it. * calico: remove upgrade support with data migration The tool was used pre v3.0.0 and is no longer needed. * calico: remove old version support from tasks * calico: remove old ver support from policy ctrl * calico: remove old ver support from node * canal: remove old ver support * remove unused calicoctl download checksums calico_min_version_required is the oldest version that can be installed Older versions can be removed.
4 years ago
Instead of doc update, change the verify step
6 years ago
Calico upgrade path validation and old version cleanup (#6733) * calico: add constant calico_min_version_required and verify current deployed version against it. * calico: remove upgrade support with data migration The tool was used pre v3.0.0 and is no longer needed. * calico: remove old version support from tasks * calico: remove old ver support from policy ctrl * calico: remove old ver support from node * canal: remove old ver support * remove unused calicoctl download checksums calico_min_version_required is the oldest version that can be installed Older versions can be removed.
4 years ago
Instead of doc update, change the verify step
6 years ago
Remove non-kubeadm deployment (#3811) * Remove non-kubeadm deployment * More cleanup * More cleanup * More cleanup * More cleanup * Fix gitlab * Try stop gce first before absent to make the delete process work * More cleanup * Fix bug with checking if kubeadm has already run * Fix bug with checking if kubeadm has already run * More fixes * Fix test * fix * Fix gitlab checkout untill kubespray 2.8 is on quay * Fixed * Add upgrade path from non-kubeadm to kubeadm. Revert ssl path * Readd secret checking * Do gitlab checks from v2.7.0 test upgrade path to 2.8.0 * fix typo * Fix CI jobs to kubeadm again. Fix broken hyperkube path * Fix gitlab * Fix rotate tokens * More fixes * More fixes * Fix tokens
6 years ago
Instead of doc update, change the verify step
6 years ago
ansible-lint: don't compare to empty string [E602] (#4665)
5 years ago
Instead of doc update, change the verify step
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Refactor calico route reflector to run in k8s cluster (#4975) * Refactor calico-rr to run in k8s cluster with taint Change-Id: I75a3169ff5b36ce8302fc7ef1c32d3eb697b5afa * add preinstall checks * rework calico/rr role Change-Id: I2f0a7e6cb77cf91ad4a615923680760d2e5d9ca8 * add empty calico-rr group Change-Id: I006c0a60db9b72d02245bf8fdfabcf982144a5ad
5 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188)
5 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
check kube_pods_subnet and kube_service_addresses to valid ip network range, not single ip address (#4188)
5 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove kubedns and dnsmasq. Move dns_late phase after apps (#4406) Both kubedns and dnsmasq modes are long not maintained. We should run dns_late steps at the end because sshd makes DNS lookups during Ansible run and has 2s timeouts for each failed lookup trying to connect to coredns before it is ready.
5 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
6 years ago
Update pre-install verify settings with network checks and etc. (#3504) * Update pre-install verify settings with network checks and etc. * Remove upstream dns server check. It's bogus
6 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Fix etcd install with docker and etcd_kubeadm_enabled (#5777) - This solves issue #5721 & #5713 (dupes) - Provide a cleaner default usage pattern for the download role around etcd that supports 'host' and 'docker' properly - Extract the 'etcdctl' as a separate task install piece and reuse it where appropriate - Update the kubeadm-etcd task to reflect the above change
4 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
4 years ago
Remove support for CoreOS Container Linux (#6576)
4 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
4 years ago
Remove support for CoreOS Container Linux (#6576)
4 years ago
Refactor download role (#5697) * download file * download containers * fix push image to nodes * pull if none image on host * fix * improve docker image tag checks. do not pull already cached images * rebase fix merge conflict * add support download_run_once when upgrade and scale cluster add some test with download_run_once * set default values to temp flag for every download cycle * add save,load abilty for containerd and crio when download_run_once=true * return redefine image save/load command to set_docker_image_facts.yml * move set command to set_container_facts * ctr in containerd_bin_dir * fix order of ctr image export arguments * temporary disable download_run_once for containerd and crio due https://github.com/containerd/containerd/issues/4075 * remove unused files * fix strict yaml linter warning and errors * refactor logical conditions to pull and cache container images * remove comment due lint check * document role * remove image_load_on_localhost, because cached images are always loaded to docker on remote sites * remove XXX from debug output
4 years ago
  1. ---
  2. - name: Stop if either kube-master or kube-node group is empty
  3. assert:
  4. that: "groups.get('{{ item }}')"
  5. with_items:
  6. - kube-master
  7. - kube-node
  8. run_once: true
  9. when: not ignore_assert_errors
  11. - name: Stop if etcd group is empty in external etcd mode
  12. assert:
  13. that: groups.get('etcd')
  14. fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
  15. run_once: true
  16. when:
  17. - not ignore_assert_errors
  18. - not etcd_kubeadm_enabled
  20. - name: Stop if non systemd OS type
  21. assert:
  22. that: ansible_service_mgr == "systemd"
  23. when: not ignore_assert_errors
  25. - name: Stop if unknown OS
  26. assert:
  27. that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'Flatcar Container Linux by Kinvolk', 'Suse', 'ClearLinux', 'OracleLinux']
  28. msg: "{{ ansible_os_family }} is not a known OS"
  29. when: not ignore_assert_errors
  31. - name: Stop if unknown network plugin
  32. assert:
  33. that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'contiv', 'ovn4nfv','kube-ovn', 'kube-router', 'macvlan']
  34. msg: "{{ kube_network_plugin }} is not supported"
  35. when:
  36. - kube_network_plugin is defined
  37. - not ignore_assert_errors
  39. - name: Stop if incompatible network plugin and cloudprovider
  40. assert:
  41. that: kube_network_plugin != 'calico'
  42. msg: "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
  43. when:
  44. - cloud_provider is defined and cloud_provider == 'azure'
  45. - not ignore_assert_errors
  47. - name: Stop if unsupported version of Kubernetes
  48. assert:
  49. that: kube_version is version(kube_version_min_required, '>=')
  50. msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  51. when: not ignore_assert_errors
  53. # simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
  54. - name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  55. assert:
  56. that: item.value|type_debug == 'bool'
  57. msg: "{{ item.value }} isn't a bool"
  58. run_once: yes
  59. with_items:
  60. - { name: download_run_once, value: "{{ download_run_once }}" }
  61. - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
  62. - { name: download_always_pull, value: "{{ download_always_pull }}" }
  63. - { name: helm_enabled, value: "{{ helm_enabled }}" }
  64. - { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
  65. when: not ignore_assert_errors
  67. - name: Stop if even number of etcd hosts
  68. assert:
  69. that: groups.etcd|length is not divisibleby 2
  70. when:
  71. - not ignore_assert_errors
  72. - groups.get('etcd')
  73. - inventory_hostname in groups['etcd']
  75. - name: Stop if memory is too small for masters
  76. assert:
  77. that: ansible_memtotal_mb >= minimal_master_memory_mb
  78. when:
  79. - not ignore_assert_errors
  80. - inventory_hostname in groups['kube-master']
  82. - name: Stop if memory is too small for nodes
  83. assert:
  84. that: ansible_memtotal_mb >= minimal_node_memory_mb
  85. when:
  86. - not ignore_assert_errors
  87. - inventory_hostname in groups['kube-node']
  89. # This assertion will fail on the safe side: One can indeed schedule more pods
  90. # on a node than the CIDR-range has space for when additional pods use the host
  91. # network namespace. It is impossible to ascertain the number of such pods at
  92. # provisioning time, so to establish a guarantee, we factor these out.
  93. # NOTICE: the check blatantly ignores the inet6-case
  94. - name: Guarantee that enough network address space is available for all pods
  95. assert:
  96. that: "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
  97. msg: "Do not schedule more pods on a node than inet addresses are available."
  98. when:
  99. - not ignore_assert_errors
  100. - inventory_hostname in groups['k8s-cluster']
  101. - kube_network_node_prefix is defined
  102. - kube_network_plugin != 'calico'
  104. - name: Stop if ip var does not match local ips
  105. assert:
  106. that: ip in ansible_all_ipv4_addresses
  107. msg: "'{{ ansible_all_ipv4_addresses }}' do not contain '{{ ip }}'"
  108. when:
  109. - not ignore_assert_errors
  110. - ip is defined
  112. - name: Stop if access_ip is not pingable
  113. command: ping -c1 {{ access_ip }}
  114. when:
  115. - access_ip is defined
  116. - not ignore_assert_errors
  118. - name: Stop if RBAC is not enabled when dashboard is enabled
  119. assert:
  120. that: rbac_enabled
  121. when:
  122. - dashboard_enabled
  123. - not ignore_assert_errors
  125. - name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  126. assert:
  127. that: rbac_enabled
  128. when:
  129. - cloud_provider is defined and cloud_provider == "oci"
  130. - not ignore_assert_errors
  132. - name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
  133. assert:
  134. that: rbac_enabled and kube_api_anonymous_auth
  135. when:
  136. - kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube-master']
  137. - not ignore_assert_errors
  139. - name: Stop if kernel version is too low
  140. assert:
  141. that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
  142. when:
  143. - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
  144. - not ignore_assert_errors
  146. - name: Stop if bad hostname
  147. assert:
  148. that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
  149. msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  150. when: not ignore_assert_errors
  152. - name: check cloud_provider value
  153. assert:
  154. that: cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
  155. msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external"
  156. when:
  157. - cloud_provider is defined
  158. - not ignore_assert_errors
  159. tags:
  160. - cloud-provider
  161. - facts
  163. - name: Ensure minimum calico version
  164. assert:
  165. that: calico_version is version(calico_min_version_required, '>=')
  166. msg: "calico_version is too low. Minimum version {{ calico_min_version_required }}"
  167. run_once: yes
  168. when:
  169. - kube_network_plugin == 'calico'
  171. - name: Get current calico cluster version
  172. shell: "set -o pipefail && {{ bin_dir }}/calicoctl.sh version | grep 'Cluster Version:' | awk '{ print $3}'"
  173. args:
  174. executable: /bin/bash
  175. register: calico_version_on_server
  176. async: 10
  177. poll: 3
  178. run_once: yes
  179. changed_when: false
  180. failed_when: false
  181. when:
  182. - kube_network_plugin == 'calico'
  184. - name: Check that current calico version is enough for upgrade
  185. assert:
  186. that:
  187. - calico_version_on_server.stdout is version(calico_min_version_required, '>=')
  188. msg: "Your version of calico is not fresh enough for upgrade. Minimum version {{ calico_min_version_required }}"
  189. when:
  190. - kube_network_plugin == 'calico'
  191. - 'calico_version_on_server.stdout is defined'
  192. - calico_version_on_server.stdout
  193. - inventory_hostname == groups['kube-master'][0]
  194. run_once: yes
  196. - name: "Check that cluster_id is set if calico_rr enabled"
  197. assert:
  198. that:
  199. - cluster_id is defined
  200. msg: "A unique cluster_id is required if using calico_rr"
  201. when:
  202. - kube_network_plugin == 'calico'
  203. - peer_with_calico_rr
  204. - inventory_hostname == groups['kube-master'][0]
  205. run_once: yes
  207. - name: "Check that calico_rr nodes are in k8s-cluster group"
  208. assert:
  209. that:
  210. - '"k8s-cluster" in group_names'
  211. msg: "calico-rr must be a child group of k8s-cluster group"
  212. when:
  213. - kube_network_plugin == 'calico'
  214. - '"calico-rr" in group_names'
  216. - name: "Check that kube_service_addresses is a network range"
  217. assert:
  218. that:
  219. - kube_service_addresses | ipaddr('net')
  220. msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  221. run_once: yes
  223. - name: "Check that kube_pods_subnet is a network range"
  224. assert:
  225. that:
  226. - kube_pods_subnet | ipaddr('net')
  227. msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  228. run_once: yes
  230. - name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
  231. assert:
  232. that:
  233. - kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
  234. msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  235. run_once: yes
  237. - name: Stop if unknown dns mode
  238. assert:
  239. that: dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
  240. msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  241. when: dns_mode is defined
  242. run_once: true
  244. - name: Stop if unknown kube proxy mode
  245. assert:
  246. that: kube_proxy_mode in ['iptables', 'ipvs']
  247. msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  248. when: kube_proxy_mode is defined
  249. run_once: true
  251. - name: Stop if vault is chose
  252. assert:
  253. that: cert_management != 'vault'
  254. msg: "Support for vault have been removed, please use 'script' or 'none'"
  255. when: cert_management is defined
  256. run_once: true
  258. - name: Stop if unknown cert_management
  259. assert:
  260. that: cert_management|d('script') in ['script', 'none']
  261. msg: "cert_management can only be 'script' or 'none'"
  262. run_once: true
  264. - name: Stop if unknown resolvconf_mode
  265. assert:
  266. that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
  267. msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  268. when: resolvconf_mode is defined
  269. run_once: true
  271. - name: Stop if etcd deployment type is not host or docker
  272. assert:
  273. that: etcd_deployment_type in ['host', 'docker']
  274. msg: "The etcd deployment type, 'etcd_deployment_type', must be host or docker"
  275. run_once: true
  277. - name: Stop if download_localhost is enabled but download_run_once is not
  278. assert:
  279. that: download_run_once
  280. msg: "download_localhost requires enable download_run_once"
  281. when: download_localhost
  283. - name: Stop if download_localhost is enabled when container_manager not docker
  284. assert:
  285. that: container_manager == 'docker'
  286. msg: "download_run_once support only for docker. See https://github.com/containerd/containerd/issues/4075 for details"
  287. when: download_run_once or download_force_cache
  289. - name: Stop if download_localhost is enabled for Flatcar Container Linux
  290. assert:
  291. that: ansible_os_family not in ["Flatcar Container Linux by Kinvolk"]
  292. msg: "download_run_once not supported for Flatcar Container Linux"
  293. when: download_run_once or download_force_cache