From fa9f85c7e95516f3f06b9c9e5c3934ec9c4ae3ac Mon Sep 17 00:00:00 2001
From: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Date: Tue, 22 Mar 2022 02:36:13 +0200
Subject: [PATCH] [sysctl] set fs.may_detach_mounts=1 even when CRIs don't set it themselves (#8635)
---
 .../tasks/0080-system-configurations.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index f88944d02..a1c5e97ce 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -87,6 +87,24 @@
 reload: yes
 when: enable_dual_stack_networks | bool
 
+- name: Check if we need to set fs.may_detach_mounts
+ stat:
+ path: /proc/sys/fs/may_detach_mounts
+ get_attributes: no
+ get_checksum: no
+ get_mime: no
+ register: fs_may_detach_mounts
+ ignore_errors: true # noqa ignore-errors
+
+- name: Set fs.may_detach_mounts if needed
+ sysctl:
+ sysctl_file: "{{ sysctl_file_path }}"
+ name: fs.may_detach_mounts
+ value: 1
+ state: present
+ reload: yes
+ when: fs_may_detach_mounts.stat.exists | d(false)
+
 - name: Ensure kube-bench parameters are set
 sysctl:
 sysctl_file: "{{ sysctl_file_path }}"
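Review bot: `ignore_errors: true  # noqa ignore-errors` on the `stat` probe swallows more than it needs to. `stat` reports a missing path as `stat.exists: false` rather than failing, so the only errors left to ignore are genuine ones such as a privilege or connection problem. Because the following `when` falls back to `| d(false)`, a host where the probe really failed skips the sysctl and the play carries on, leaving the setting unapplied on exactly the hosts that may need it. I would drop the `ignore_errors` line and its `noqa` from the first task, or narrow it to an explicit `failed_when:` condition. As a smaller point, `value: 1` is safer written as `value: "1"` so the module receives a string, and the new tasks mix `yes`/`no` with `true`; `true`/`false` throughout reads more predictably.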