From f832271f5c8331d16dd007ae6ff6f09098c8c512 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 18 Aug 2025 16:05:13 +0000
Subject: [PATCH] Directly list conntrack modules instead of using a variable (#12475) The conntrack kernel modules have no reason to be something else than those two options, so there is no reason to have a variable.
---
 roles/kubernetes/node/defaults/main.yml | 5 -----
 roles/kubernetes/node/tasks/main.yml | 4 +++-
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 59e643568..6e227346c 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -183,11 +183,6 @@ kube_proxy_ipvs_modules: - ip_vs_wlc - ip_vs_lc -# Kubespray will use the first module of this list which it can successfully modprobe -conntrack_modules: - - nf_conntrack - - nf_conntrack_ipv4 - # Set this option to "" (empty) to disable staticPodPath (See docs/operations/hardening.md) kubelet_static_pod_path: "{{ kube_manifest_dir }}"
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 53b8a7150..b53b2c2b0 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -123,7 +123,9 @@ persistent: present register: modprobe_conntrack_module ignore_errors: true # noqa ignore-errors - loop: "{{ conntrack_modules }}" + loop: + - nf_conntrack + - nf_conntrack_ipv4 when: - kube_proxy_mode == 'ipvs' - modprobe_conntrack_module is not defined or modprobe_conntrack_module is ansible.builtin.failed # loop until first success
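Review bot: The inline `loop:` list in roles/kubernetes/node/tasks/main.yml no longer says why it has two entries or that their order matters; the deleted defaults comment was the only place stating that the first module that loads is the one used. I would put a comment above the list, e.g. `# Tried in order; nf_conntrack_ipv4 is only a fallback for kernels that still ship it as a separate module`. Separately, `ignore_errors: true` applies to every item, so a node where neither module loads carries on in ipvs mode without this task reporting a failure; a later check that at least one entry of `modprobe_conntrack_module.results` succeeded would surface that, unless one already exists outside the hunk. The task starts above the hunk, so its name and module arguments are not visible here.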