richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2455 Commits
29 Branches
81 Tags
149 MiB
Tree: c0a3bcf9b3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c0a3bcf9b3'
${ noResults }
kubespray/roles/kubernetes-apps/cluster_roles/tasks/main.yml

59 lines
1.8 KiB
Raw Normal View History

Move cluster roles and system namespace to new role This should be done after kubeconfig is set for admin and before network plugins are up.
7 years ago
Support for disabling apiserver insecure port This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). Rework of #1937 with kubeadm support Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
7 years ago
Move cluster roles and system namespace to new role This should be done after kubeconfig is set for admin and before network plugins are up.
7 years ago
  1. ---
  2. - name: Kubernetes Apps | Wait for kube-apiserver
  3. uri:
  4. url: "{{ kube_apiserver_endpoint }}/healthz"
  5. validate_certs: no
  6. client_cert: "{{ kube_apiserver_client_cert }}"
  7. client_key: "{{ kube_apiserver_client_key }}"
  8. register: result
  9. until: result.status == 200
  10. retries: 10
  11. delay: 6
  12. when: inventory_hostname == groups['kube-master'][0]
  14. - name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
  15. template:
  16. src: "node-crb.yml.j2"
  17. dest: "{{ kube_config_dir }}/node-crb.yml"
  18. register: node_crb_manifest
  19. when: rbac_enabled
  21. - name: Apply workaround to allow all nodes with cert O=system:nodes to register
  22. kube:
  23. name: "system:node"
  24. kubectl: "{{bin_dir}}/kubectl"
  25. resource: "clusterrolebinding"
  26. filename: "{{ kube_config_dir }}/node-crb.yml"
  27. state: latest
  28. when:
  29. - rbac_enabled
  30. - node_crb_manifest.changed
  32. # This is not a cluster role, but should be run after kubeconfig is set on master
  33. - name: Write kube system namespace manifest
  34. template:
  35. src: namespace.j2
  36. dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
  37. when: inventory_hostname == groups['kube-master'][0]
  38. tags:
  39. - apps
  41. - name: Check if kube system namespace exists
  42. command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
  43. register: 'kubesystem'
  44. changed_when: False
  45. failed_when: False
  46. when: inventory_hostname == groups['kube-master'][0]
  47. tags:
  48. - apps
  50. - name: Create kube system namespace
  51. command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
  52. retries: 4
  53. delay: "{{ retry_stagger | random + 3 }}"
  54. register: create_system_ns
  55. until: create_system_ns.rc == 0
  56. changed_when: False
  57. when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
  58. tags:
  59. - apps