Merge branch 'master' into reverselookups

docs/aws.md

@@ -1,7 +1,7 @@
 AWS
 ===============
 
-To deploy kubespray on [AWS](https://www.openstack.org/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
+To deploy kubespray on [AWS](https://aws.amazon.com/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
 
 Prior to creating your instances, you **must** ensure that you have created IAM roles and policies for both "kubernetes-master" and "kubernetes-node". You can find the IAM policies [here](https://github.com/kubernetes/kubernetes/tree/master/cluster/aws/templates/iam). See the [IAM Documentation](https://aws.amazon.com/documentation/iam/) if guidance is needed on how to set these up. When you bring your instances online, associate them with the respective IAM role. Nodes that are only to be used for Etcd do not need a role.
 

roles/download/tasks/main.yml

@@ -9,8 +9,6 @@
 - name: Create dest directories
   file: path={{local_release_dir}}/{{download.dest|dirname}} state=directory recurse=yes
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Download items
   get_url:
@@ -24,8 +22,6 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Extract archives
   unarchive:
@@ -35,8 +31,6 @@
     mode: "{{ download.mode|default(omit) }}"
     copy: no
   when: "{{ download.enabled|bool and not download.container|bool and download.unarchive is defined and download.unarchive == True }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Fix permissions
   file:
@@ -45,8 +39,6 @@
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
   when: "{{ download.enabled|bool and not download.container|bool and (download.unarchive is not defined or download.unarchive == False) }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: pulling...
   debug:
@@ -65,7 +57,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - set_fact:

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -13,6 +13,7 @@ spec:
     - apiserver
     - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
     - --etcd-servers={{ etcd_access_endpoint }}
+    - --etcd-quorum-read=true
     - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
     - --apiserver-count={{ kube_apiserver_count }}
     - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota

roles/kubernetes/node/defaults/main.yml

@@ -8,6 +8,9 @@ kube_resolv_conf: "/etc/resolv.conf"
 
 kube_proxy_mode: iptables
 
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 # kube_api_runtime_config:
 #   - extensions/v1beta1/daemonsets=true
 #   - extensions/v1beta1/deployments=true

roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2

@@ -18,6 +18,9 @@ spec:
 {% endif %}
     - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
     - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+    - --masquerade-all
+{% endif %}
     securityContext:
       privileged: true
     volumeMounts:

roles/network_plugin/calico/defaults/main.yml

@@ -5,5 +5,6 @@ nat_outgoing: true
 # Use IP-over-IP encapsulation across hosts
 ipip: false
 
-# cloud_provider can only be set to 'gce' or 'aws'
-# cloud_provider:
+# Set to true if you want your calico cni binaries to overwrite the
+# ones from hyperkube while leaving other cni plugins intact.
+overwrite_hyperkube_cni: false

roles/network_plugin/calico/tasks/main.yml

@@ -32,18 +32,8 @@
     use_hyperkube_cni: true
   when: kube_version | version_compare('v1.3.4','>=')
 
-- name: Calico | Install calico cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
-- name: Calico | Install calico-ipam cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico-ipam"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
 - name: Calico | Copy cni plugins from hyperkube
-  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
+  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
   register: cni_task_result
   until: cni_task_result.rc == 0
   retries: 4
@@ -51,6 +41,16 @@
   changed_when: false
   when: "{{ use_hyperkube_cni|bool }}"
 
+- name: Calico | Install calico cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
+- name: Calico | Install calico-ipam cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico-ipam" "/opt/cni/bin/calico-ipam"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
 - name: Calico | wait for etcd
   uri: url=http://localhost:2379/health
   register: result