From 47c3949477670b0926193d03ac5a6c0776b323c5 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 26 Aug 2024 14:42:04 +0200
Subject: [PATCH 1/3] Change plugins_needs_config list format

Makes easier diff when adding or removing plugins.

---
 roles/kubernetes/control-plane/vars/main.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index f888d6b0c..9997472c8 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -1,3 +1,5 @@
 ---
 # list of admission plugins that needs to be configured
-kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]
+kube_apiserver_admission_plugins_needs_configuration:
+- EventRateLimit
+- PodSecurity

From d3402736d426da3c4ac68e178cc73af89032c9da Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 26 Aug 2024 14:43:00 +0200
Subject: [PATCH 2/3] Remove special case for PodNodeSelector

This is already handled by the previous task.

---
 roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 9 ---------
 roles/kubernetes/control-plane/vars/main.yaml | 1 +
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index dfbe604a4..63ed29aaf 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -122,15 +122,6 @@
 - item in kube_apiserver_admission_plugins_needs_configuration
 loop: "{{ kube_apiserver_enable_admission_plugins }}"
 
-- name: Kubeadm | Configure default cluster podnodeslector
- template:
- src: "podnodeselector.yaml.j2"
- dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
- mode: "0640"
- when:
- - kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
- - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
-
 - name: Kubeadm | Check apiserver.crt SANs
 vars:
 apiserver_ips: "{{ apiserver_sans | map('ansible.utils.ipaddr') | reject('equalto', False) | list }}"
diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index 9997472c8..d387a15bc 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -3,3 +3,4 @@
 kube_apiserver_admission_plugins_needs_configuration:
 - EventRateLimit
 - PodSecurity
+- PodNodeSelector

From 5b057c7328ee61b607d3985f93b00af337c344cd Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 26 Aug 2024 14:53:20 +0200
Subject: [PATCH 3/3] Update list of admission plugins with a config file

---
 roles/kubernetes/control-plane/vars/main.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index d387a15bc..3775d253a 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -1,6 +1,8 @@
 ---
 # list of admission plugins that needs to be configured
+# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
 kube_apiserver_admission_plugins_needs_configuration:
 - EventRateLimit
+- ImagePolicyWebhook
 - PodSecurity
 - PodNodeSelector
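Review bot: Deleting the dedicated PodNodeSelector task also drops its `when` guard that required `kube_apiserver_admission_plugins_podnodeselector_default_node_selector` to be defined and non-empty, while the generic task whose `when`/`loop` lines open this hunk (its `name` and `template` lines lie above the hunk) only checks membership in `kube_apiserver_admission_plugins_needs_configuration`; together with the vars/main.yaml hunk in this same patch, the config is now rendered whenever PodNodeSelector is in `kube_apiserver_enable_admission_plugins`, even if that variable is unset. Unless podnodeselector.yaml.j2 already tolerates an undefined selector, the play will presumably fail at render time or emit a config with an empty default selector, so either guard that case inside the template or document that the variable is required once the plugin is enabled. It would also help to confirm that the generic task writes the same destination path and `mode: "0640"` as the removed task, since only the removed side is visible here.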
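Review bot: Adding `- ImagePolicyWebhook` to the list means the generic configuration task from the previous patch will presumably look for a matching template, but no template is added in this series; if none exists yet, enabling the plugin now fails at render time instead of starting the apiserver without the config the plugin requires, so the note should say whether that is intended. When the template lands, the `defaultAllow` setting in the rendered imagePolicy stanza decides whether pods are admitted while the webhook backend is unreachable, which is worth setting deliberately and commenting. The linked page also describes configuration for the mutating and validating admission webhook plugins; if their omission from this list is intentional, a one-line comment explaining why would keep the list self-explaining, for example `# only plugins that get an entry in the admission config file`.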