From eb31653d66ca5429be8c660a324ab13e62f187d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tiago=20Epif=C3=A2nio?= <tiago@arroba.pt>
Date: Sat, 24 Jun 2023 04:49:06 +0100
Subject: [PATCH] Disable fapolicyd service (#10081)

---
 roles/kubernetes/preinstall/defaults/main.yml             | 4 ++++
 .../preinstall/tasks/0080-system-configurations.yml       | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index 01ce93f0c..147033f38 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -144,5 +144,9 @@ debian_os_family_extensions:
 # Sets DNSStubListener=no, useful if you get "0.0.0.0:53: bind: address already in use"
 systemd_resolved_disable_stub_listener: "{{ ansible_os_family in ['Flatcar', 'Flatcar Container Linux by Kinvolk'] }}"
 
+# Used to disable File Access Policy Daemon service.
+# If service is enabled, the CNI plugin installation will fail
+disable_fapolicyd: true
+
 # Enable 0120-growpart-azure-centos-7 tasks
 growpart_azure_enabled: true
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index 91a254290..d4fa45b8b 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -136,3 +136,11 @@
     state: present
     reload: yes
   with_items: "{{ additional_sysctl }}"
+
+- name: Disable fapolicyd service
+  failed_when: false
+  systemd:
+    name: fapolicyd
+    state: stopped
+    enabled: false
+  when: disable_fapolicyd