---
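- name: Kubernetes Apps | Wait for kube-apiserver
  # Poll /healthz on the first master until it answers 200 (at most
  # retries * delay = 60 s) so the kubectl-based tasks below have a live API.
  uri:
    url: "{{ kube_apiserver_endpoint }}/healthz"
    # The server certificate is NOT verified, so this probe only shows that
    # something at kube_apiserver_endpoint answers /healthz, not that it is
    # the expected apiserver. If a CA bundle variable is available to this
    # role, prefer `validate_certs: true` together with `ca_path`.
    validate_certs: false
    client_cert: "{{ kube_apiserver_client_cert }}"
    client_key: "{{ kube_apiserver_client_key }}"
  # `result` is re-registered by later tasks in this file; do not read
  # result.status after this task.
  register: result
  until: result.status == 200
  retries: 10
  delay: 6
  when: inventory_hostname == groups['kube-master'][0]
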
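- name: Kubernetes Apps | Check AppArmor status
  # Probe for apparmor_parser; only the exit code is consumed (next task).
  command: which apparmor_parser
  register: apparmor_status
  # Read-only probe: a missing binary is a valid answer, not a failure,
  # and running `which` never changes the host, so do not report "changed".
  failed_when: false
  changed_when: false
  when:
    - podsecuritypolicy_enabled
    - inventory_hostname == groups['kube-master'][0]
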
- name: Kubernetes Apps | Set apparmor_enabled
  # Turn the probe's exit code into a boolean fact. The guards are identical
  # to the probe task, so apparmor_status is always defined when this runs;
  # the fact is only set on the first master.
  set_fact:
    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
  when:
    - podsecuritypolicy_enabled
    - inventory_hostname == groups['kube-master'][0]

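- name: Kubernetes Apps | Render templates for PodSecurityPolicy
  # Render the PSP, ClusterRole and binding manifests into kube_config_dir.
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
  # results[*].item.file is read by the apply task below; `type` and `name`
  # are not read anywhere in this file (kept in case psp_manifests is
  # consumed elsewhere).
  register: psp_manifests
  loop:
    - file: psp.yml
      type: psp
      name: psp
    - file: psp-cr.yml
      type: clusterrole
      name: psp-cr
    - file: psp-crb.yml
      type: rolebinding
      name: psp-crb
  when:
    - podsecuritypolicy_enabled
    - inventory_hostname == groups['kube-master'][0]
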
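- name: Kubernetes Apps | Add policies, roles, bindings for PodSecurityPolicy
  # Apply every manifest rendered above in a single call. Loop items the
  # render task skipped carry a `skipped` key and are filtered out. The
  # guards match the render task, so psp_manifests.results exists here.
  kube:
    kubectl: "{{ bin_dir }}/kubectl"
    # Prefix each file name with kube_config_dir. Anchoring on '^' needs no
    # back-reference, whose backslash would otherwise have to survive both
    # YAML double-quote and Jinja string-literal unescaping.
    filename: "{{ psp_manifests.results | selectattr('skipped', 'undefined') | map(attribute='item') | map(attribute='file') | map('regex_replace', '^', kube_config_dir ~ '/') | list }}"
    state: latest
  # The apiserver may still be settling right after the health check; retry
  # for up to 60 s as the other apply tasks in this file do.
  register: result
  until: result is succeeded
  retries: 10
  delay: 6
  when:
    - podsecuritypolicy_enabled
    - inventory_hostname == groups['kube-master'][0]
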
- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
  # Render the node ClusterRoleBinding; the apply task that follows only
  # runs when this reports a change.
  template:
    src: node-crb.yml.j2
    dest: "{{ kube_config_dir }}/node-crb.yml"
  register: node_crb_manifest
  when:
    - rbac_enabled
    - inventory_hostname == groups['kube-master'][0]

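- name: Apply workaround to allow all nodes with cert O=system:nodes to register
  # Per the task name this binding admits every client certificate carrying
  # O=system:nodes (subjects and role live in node-crb.yml.j2, not shown), so
  # node certificate issuance is the effective access control for it.
  # Re-applied only when the rendered manifest changed: if the binding is
  # removed in-cluster it is not restored until the template changes.
  kube:
    name: "kubespray:system:node"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/node-crb.yml"
    state: latest
  register: result
  until: result is succeeded
  retries: 10
  delay: 6
  when:
    - rbac_enabled
    - node_crb_manifest.changed
    - inventory_hostname == groups['kube-master'][0]
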
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
  # Render the ClusterRole used by kubelet webhook authorization; applied
  # by the next task only when this reports a change.
  template:
    src: node-webhook-cr.yml.j2
    dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
  register: node_webhook_cr_manifest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - inventory_hostname == groups['kube-master'][0]
  tags: node-webhook

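- name: Apply webhook ClusterRole
  # Apply the rendered ClusterRole. Only re-applied when the manifest
  # changed, so in-cluster drift is not corrected until the template changes.
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrole"
    filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
    state: latest
  # Same retry policy as the other apply tasks in this file.
  register: result
  until: result is succeeded
  retries: 10
  delay: 6
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - node_webhook_cr_manifest.changed
    - inventory_hostname == groups['kube-master'][0]
  tags: node-webhook
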
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
  # Render the binding of the system:nodes group to the webhook ClusterRole;
  # the apply task below only runs when this reports a change.
  template:
    src: node-webhook-crb.yml.j2
    dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
  register: node_webhook_crb_manifest
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - inventory_hostname == groups['kube-master'][0]
  tags: node-webhook

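- name: Grant system:nodes the webhook ClusterRole
  # Apply the rendered ClusterRoleBinding. Only re-applied when the manifest
  # changed, so in-cluster drift is not corrected until the template changes.
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
    state: latest
  # Same retry policy as the other apply tasks in this file.
  register: result
  until: result is succeeded
  retries: 10
  delay: 6
  when:
    - rbac_enabled
    - kubelet_authorization_mode_webhook
    - node_webhook_crb_manifest.changed
    - inventory_hostname == groups['kube-master'][0]
  tags: node-webhook
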
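- name: Check if vsphere-cloud-provider ClusterRole exists
  # Existence probe; only `rc` is consumed by the two vsphere tasks below.
  # Note that a non-zero rc also results from kubectl failing for unrelated
  # reasons (e.g. apiserver unreachable), which then triggers the apply.
  command: "{{ bin_dir }}/kubectl get clusterroles system:vsphere-cloud-provider"
  register: vsphere_cloud_provider
  # A missing role is a valid answer, not a failure (failed_when instead of
  # ignore_errors keeps it out of the failure count), and a `get` changes
  # nothing.
  failed_when: false
  changed_when: false
  when:
    - rbac_enabled
    - cloud_provider is defined
    - cloud_provider == 'vsphere'
    - kube_version is version('v1.9.0', '>=')
    - kube_version is version('v1.9.3', '<=')
    - inventory_hostname == groups['kube-master'][0]
  tags: vsphere
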
- name: Write vsphere-cloud-provider ClusterRole manifest
  # Render the vsphere RBAC manifest, but only for the 1.9.0–1.9.3 window
  # and only when the probe above did not find the role (rc != 0).
  template:
    src: vsphere-rbac.yml.j2
    dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
  register: vsphere_rbac_manifest
  when:
    - rbac_enabled
    - cloud_provider is defined
    - cloud_provider == 'vsphere'
    - vsphere_cloud_provider.rc is defined
    - vsphere_cloud_provider.rc != 0
    - kube_version is version('v1.9.0', '>=')
    - kube_version is version('v1.9.3', '<=')
    - inventory_hostname == groups['kube-master'][0]
  tags: vsphere

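- name: Apply vsphere-cloud-provider ClusterRole
  # Apply the manifest rendered above under the same guards (role absent per
  # the probe, 1.9.0–1.9.3 only). Unlike the other apply tasks this is not
  # gated on vsphere_rbac_manifest.changed, only on the probe's rc.
  kube:
    name: "system:vsphere-cloud-provider"
    kubectl: "{{ bin_dir }}/kubectl"
    # NOTE(review): `resource` says clusterrolebinding while the task name,
    # the probe above and the manifest refer to a ClusterRole. Whether
    # `resource` matters for `state: latest` depends on the kube module (not
    # shown) — confirm before relying on it.
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
    state: latest
  when:
    - rbac_enabled
    - cloud_provider is defined
    - cloud_provider == 'vsphere'
    - vsphere_cloud_provider.rc is defined
    - vsphere_cloud_provider.rc != 0
    - kube_version is version('v1.9.0', '>=')
    - kube_version is version('v1.9.3', '<=')
    - inventory_hostname == groups['kube-master'][0]
  tags: vsphere
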
- include_tasks: oci.yml
  # OCI cloud-provider tasks live in oci.yml. A tag on include_tasks applies
  # to the include statement only; the tasks inside oci.yml are not tagged
  # `oci` by inheritance (they would be with import_tasks, or with
  # `apply: {tags: [oci]}` on Ansible 2.7+), so `--tags oci` alone may run
  # nothing from that file.
  tags: oci
  when:
    - cloud_provider is defined
    - cloud_provider == 'oci'

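- name: PriorityClass | Copy k8s-cluster-critical-pc.yml file
  # Static manifest; PriorityClass requires kube >= 1.11.1. This and the
  # create task below run on the *last* master, unlike the first-master
  # guard used by the rest of this file — presumably intentional, keep the
  # two guards in sync.
  copy:
    src: k8s-cluster-critical-pc.yml
    dest: "{{ kube_config_dir }}/k8s-cluster-critical-pc.yml"
  when:
    - kube_version is version('v1.11.1', '>=')
    - inventory_hostname == groups['kube-master']|last
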
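- name: PriorityClass | Create k8s-cluster-critical
  # Apply the copied manifest; same guards as the copy task above (last
  # master, kube >= 1.11.1). Not gated on the copy's result, so it is
  # applied on every run.
  kube:
    name: k8s-cluster-critical
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "PriorityClass"
    filename: "{{ kube_config_dir }}/k8s-cluster-critical-pc.yml"
    state: latest
  when:
    - kube_version is version('v1.11.1', '>=')
    - inventory_hostname == groups['kube-master']|last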