Matthew Mosesohn
7 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with
12 additions and
7 deletions
-
cluster.yml
-
roles/kubernetes-apps/rotate_tokens/tasks/main.yml
-
upgrade-cluster.yml
@ -82,11 +82,16 @@ |
|
|
|
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" } |
|
|
|
- { role: network_plugin, tags: network } |
|
|
|
|
|
|
|
- hosts: kube-master |
|
|
|
- hosts: kube-master[0] |
|
|
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}" |
|
|
|
roles: |
|
|
|
- { role: kubespray-defaults} |
|
|
|
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } |
|
|
|
|
|
|
|
- hosts: kube-master |
|
|
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}" |
|
|
|
roles: |
|
|
|
- { role: kubespray-defaults} |
|
|
|
- { role: kubernetes-apps/network_plugin, tags: network } |
|
|
|
- { role: kubernetes-apps/policy_controller, tags: policy-controller } |
|
|
|
|
|
|
|
|
|
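Review bot: The new `- hosts: kube-master[0]` play gates the role on `secret_changed|default(false)`, and that condition is now evaluated only against the first master's variables; if `secret_changed` is a per-host fact set during the preceding kube-master play, a change observed only on another master would no longer trigger rotation, so it is worth confirming where the flag is set. The same play layout is added to upgrade-cluster.yml in this commit. Since the pinning to one host appears to replace `run_once` inside the role's tasks (removed in the rotate_tokens hunks of this commit), a one-line comment above the play would document the coupling, e.g. `# Token rotation is pinned to the first master; the rotate_tokens tasks rely on this play running on a single host.`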
@ -8,7 +8,6 @@ |
|
|
|
command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson" |
|
|
|
register: default_token_data |
|
|
|
changed_when: false |
|
|
|
run_once: true |
|
|
|
|
|
|
|
- name: Rotate Tokens | Test if default certificate is expired |
|
|
|
uri: |
|
|
@ -19,7 +18,6 @@ |
|
|
|
headers: |
|
|
|
Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}" |
|
|
|
register: check_secret |
|
|
|
run_once: true |
|
|
|
failed_when: false |
|
|
|
|
|
|
|
- name: Rotate Tokens | Determine if certificate is expired |
|
|
@ -35,16 +33,13 @@ |
|
|
|
| grep kubernetes.io/service-account-token |
|
|
|
| egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller' |
|
|
|
register: tokens_to_delete |
|
|
|
run_once: true |
|
|
|
when: needs_rotation |
|
|
|
|
|
|
|
- name: Rotate Tokens | Delete expired tokens |
|
|
|
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}" |
|
|
|
with_items: "{{ tokens_to_delete.stdout_lines }}" |
|
|
|
run_once: true |
|
|
|
when: needs_rotation |
|
|
|
|
|
|
|
- name: Rotate Tokens | Delete pods in system namespace |
|
|
|
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all" |
|
|
|
run_once: true |
|
|
|
when: needs_rotation |
|
|
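Review bot: The `uri` task that probes the API with the default token (it starts in the previous hunk, `Rotate Tokens | Test if default certificate is expired`) sends the decoded service-account token in an `Authorization: Bearer` header without `no_log: true`, so the token can appear in verbose task output and in the registered `check_secret` result; add `no_log: true` to that task, and consider the same for the task registering `default_token_data`, whose stdout holds the secret JSON. Separately, the `egrep` alternatives that populate `tokens_to_delete` are unanchored substring matches, so any secret whose name merely contains `efk`, `weave` or similar would be removed by the following `kubectl delete secrets` task; anchoring each alternative to the start of the name column would narrow the selection. With `run_once: true` dropped from these tasks they now depend on the calling play targeting a single host, which holds for the `kube-master[0]` plays in this commit but would not hold for any other inclusion of the role.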
@ -85,11 +85,16 @@ |
|
|
|
- { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" } |
|
|
|
- { role: kubespray-defaults} |
|
|
|
|
|
|
|
- hosts: kube-master |
|
|
|
- hosts: kube-master[0] |
|
|
|
any_errors_fatal: true |
|
|
|
roles: |
|
|
|
- { role: kubespray-defaults} |
|
|
|
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } |
|
|
|
|
|
|
|
- hosts: kube-master |
|
|
|
any_errors_fatal: true |
|
|
|
roles: |
|
|
|
- { role: kubespray-defaults} |
|
|
|
- { role: kubernetes-apps/network_plugin, tags: network } |
|
|
|
- { role: kubernetes-apps/policy_controller, tags: policy-controller } |
|
|
|
- { role: kubernetes/client, tags: client } |
|
|
|
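Review bot: The added `- hosts: kube-master` play hard-codes `any_errors_fatal: true`, whereas the equivalent play added to cluster.yml in this commit uses `any_errors_fatal: "{{ any_errors_fatal | default(true) }}"`; the literal matches the neighbouring play in this file, but if the variable is meant as a cluster-wide override the two playbooks should use the same expression.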