---
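# Guard against running a '--limit' play whose excluded hosts have no cached
# facts: later tasks read hostvars of every host, so the cache must exist.
- name: Stop if any host not in '--limit' does not have a fact cache
  vars:
    # NOTE(review): selectattr() over the hostvars mapping iterates its keys;
    # confirm this actually yields the hosts lacking ansible_default_ipv4.
    uncached_hosts: "{{ (hostvars | selectattr('ansible_default_ipv4', 'undefined')).keys() }}"
    excluded_hosts: "{{ hostvars.keys() | difference(lookup('inventory_hostnames', ansible_limit)) }}"
  ansible.builtin.assert:
    # intersect() returns a list, and a list never compares equal to 0, so the
    # former `== 0` test could not pass; compare the list length instead.
    that:
      - uncached_hosts | intersect(excluded_hosts) | length == 0
    fail_msg: |
      Kubespray does not support '--limit' without a populated facts cache for the excluded hosts.
      Please run the facts.yml playbook first without '--limit'.
      The following excluded hosts are not cached: {{ uncached_hosts | intersect(excluded_hosts) }}
  run_once: true
  when:
    - ansible_limit is defined
    - not ignore_assert_errors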
# At least one control-plane host is required; groups.get() yields None
# (falsy) when the group is absent, which fails the assertion.
- name: Stop if kube_control_plane group is empty
  ansible.builtin.assert:
    that:
      - groups.get('kube_control_plane')
  run_once: true
  when:
    - not ignore_assert_errors
# When etcd is not deployed through kubeadm, the play needs explicit etcd hosts.
- name: Stop if etcd group is empty in external etcd mode
  ansible.builtin.assert:
    that:
      - groups.get('etcd')
    fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
  run_once: true
  when:
    - not ignore_assert_errors
    - etcd_deployment_type != "kubeadm"
# Service management below relies on systemd units.
- name: Stop if non systemd OS type
  ansible.builtin.assert:
    that:
      - ansible_service_mgr == "systemd"
  when:
    - not ignore_assert_errors
# Distribution gate; allow_unsupported_distribution_setup (default false)
# lets an operator opt out of the check.
- name: Stop if the os does not support
  ansible.builtin.assert:
    that:
      - (allow_unsupported_distribution_setup | default(false)) or ansible_distribution in supported_os_distributions
    fail_msg: "{{ ansible_distribution }} is not a known OS"
  when:
    - not ignore_assert_errors
# Only the plugins listed here have deployment roles in this repository.
- name: Stop if unknown network plugin
  ansible.builtin.assert:
    that:
      - kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
    fail_msg: "{{ kube_network_plugin }} is not supported"
  when:
    - kube_network_plugin is defined
    - not ignore_assert_errors
# Reject Kubernetes releases older than kube_version_min_required.
- name: Stop if unsupported version of Kubernetes
  ansible.builtin.assert:
    that:
      - kube_version is version(kube_version_min_required, '>=')
    fail_msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  when:
    - not ignore_assert_errors
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
# Values passed with -e key=value arrive as strings; require real booleans so
# that `when:` tests on these variables behave as intended.
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  ansible.builtin.assert:
    that:
      - item.value | type_debug == 'bool'
    fail_msg: "{{ item.value }} isn't a bool"
  run_once: true
  loop:
    - name: download_run_once
      value: "{{ download_run_once }}"
    - name: deploy_netchecker
      value: "{{ deploy_netchecker }}"
    - name: download_always_pull
      value: "{{ download_always_pull }}"
    - name: helm_enabled
      value: "{{ helm_enabled }}"
    - name: openstack_lbaas_enabled
      value: "{{ openstack_lbaas_enabled }}"
  when:
    - not ignore_assert_errors
# etcd quorum requires an odd member count; evaluated only on etcd members.
- name: Stop if even number of etcd hosts
  ansible.builtin.assert:
    that:
      - groups.etcd | length is not divisibleby 2
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups.get('etcd', [])
# Minimum RAM per role, compared against the gathered ansible_memtotal_mb fact.
- name: Stop if memory is too small for control plane nodes
  ansible.builtin.assert:
    that:
      - ansible_memtotal_mb >= minimal_master_memory_mb
  when:
    - not ignore_assert_errors
    - ('kube_control_plane' in group_names)

- name: Stop if memory is too small for nodes
  ansible.builtin.assert:
    that:
      - ansible_memtotal_mb >= minimal_node_memory_mb
  when:
    - not ignore_assert_errors
    - ('kube_node' in group_names)
# This command will fail if cgroups are not enabled on the node.
# For reference: https://kubernetes.io/docs/concepts/architecture/cgroups/#check-cgroup-version
# Only the exit status matters here; the filesystem type printed is not inspected.
- name: Stop if cgroups are not enabled on nodes
  ansible.builtin.command:
    argv:
      - stat
      - "-fc"
      - "%T"
      - /sys/fs/cgroup/
  changed_when: false
  when:
    - not ignore_assert_errors
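# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
  ansible.builtin.assert:
    # `that` is already evaluated as a conditional; wrapping it in {{ }} made
    # Ansible emit a "templating delimiters in conditional" warning on every run.
    # 2**(32-prefix) addresses per node, minus network and broadcast.
    that:
      - (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2
    fail_msg: "Do not schedule more pods on a node than inet addresses are available."
  when:
    - not ignore_assert_errors
    - ('k8s_cluster' in group_names)
    - kube_network_node_prefix is defined
    - kube_network_plugin != 'calico'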
# A configured `ip` must be one of the addresses actually bound on the host.
- name: Stop if ip var does not match local ips
  ansible.builtin.assert:
    that:
      - (ip in ansible_all_ipv4_addresses) or (ip in ansible_all_ipv6_addresses)
    fail_msg: "IPv4: '{{ ansible_all_ipv4_addresses }}' and IPv6: '{{ ansible_all_ipv6_addresses }}' do not contain '{{ ip }}'"
  when:
    - not ignore_assert_errors
    - ip is defined
# Install the ping binary needed by the access_ip reachability check below;
# skipped on image-based systems that have no package manager.
- name: Ensure ping package
  ansible.builtin.package:
    # noqa: jinja[spacing]
    name: >-
      {%- if ansible_os_family == 'Debian' -%}
      iputils-ping
      {%- else -%}
      iputils
      {%- endif -%}
    state: present
  when:
    - access_ip is defined
    - not ignore_assert_errors
    - ping_access_ip
    - not is_fedora_coreos
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
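# Reachability probe for access_ip. The argv form hands access_ip to ping as
# exactly one argument, so an inventory value containing whitespace cannot be
# split into additional ping options the way free-form word splitting would.
- name: Stop if access_ip is not pingable
  ansible.builtin.command:
    argv:
      - ping
      - "-c1"
      - "{{ access_ip }}"
  changed_when: false
  when:
    - access_ip is defined
    - not ignore_assert_errors
    - ping_access_ip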
# Components that ship RBAC manifests cannot be installed with RBAC disabled.
- name: Stop if RBAC is not enabled when dashboard is enabled
  ansible.builtin.assert:
    that:
      - rbac_enabled
  when:
    - dashboard_enabled
    - not ignore_assert_errors

- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  ansible.builtin.assert:
    that:
      - rbac_enabled
  when:
    - cloud_provider is defined and cloud_provider == "oci"
    - not ignore_assert_errors
# Cilium needs a kernel of at least 4.9.17; the suffix after '-' (distro
# build tag) is dropped before the version comparison.
- name: Stop if kernel version is too low
  ansible.builtin.assert:
    that:
      - ansible_kernel.split('-')[0] is version('4.9.17', '>=')
  when:
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
    - not ignore_assert_errors
# inventory_hostname becomes the node name, so it must be a valid DNS label
# sequence (`match` anchors at the start, `$` closes the pattern).
- name: Stop if bad hostname
  ansible.builtin.assert:
    that:
      - inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
    fail_msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  when:
    - not ignore_assert_errors
# cloud_provider is optional, but when set it must name a supported provider.
- name: Check cloud_provider value
  ansible.builtin.assert:
    that:
      - cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
    fail_msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'"
  when:
    - cloud_provider is defined
    - not ignore_assert_errors
  tags:
    - cloud-provider
    - facts
# Both cluster CIDRs must be well-formed networks and must not overlap.
- name: Check that kube_service_addresses is a network range
  ansible.builtin.assert:
    that: kube_service_addresses | ansible.utils.ipaddr('net')
    fail_msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  run_once: true

- name: Check that kube_pods_subnet is a network range
  ansible.builtin.assert:
    that: kube_pods_subnet | ansible.utils.ipaddr('net')
    fail_msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  run_once: true

# ipaddr(<network>) returns None when the left-hand subnet lies outside it;
# the string comparison relies on that None rendering as 'None'.
- name: Check that kube_pods_subnet does not collide with kube_service_addresses
  ansible.builtin.assert:
    that: kube_pods_subnet | ansible.utils.ipaddr(kube_service_addresses) | string == 'None'
    fail_msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  run_once: true
# Each node gets a /kube_network_node_prefix slice of kube_pods_subnet;
# there must be at least as many slices as k8s_cluster members.
- name: Check that IP range is enough for the nodes
  ansible.builtin.assert:
    that: "2 ** (kube_network_node_prefix - kube_pods_subnet | ansible.utils.ipaddr('prefix')) >= groups['k8s_cluster'] | length"
    fail_msg: "Not enough IPs are available for the desired node count."
  when:
    - kube_network_plugin != 'calico'
  run_once: true
# Enumerated-value checks for the mode switches; each optional variable is
# only validated when it has been set.
- name: Stop if unknown dns mode
  ansible.builtin.assert:
    that:
      - dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
    fail_msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  when:
    - dns_mode is defined
  run_once: true

- name: Stop if unknown kube proxy mode
  ansible.builtin.assert:
    that:
      - kube_proxy_mode in ['iptables', 'ipvs']
    fail_msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  when:
    - kube_proxy_mode is defined
  run_once: true

- name: Stop if unknown cert_management
  ansible.builtin.assert:
    that:
      - cert_management | d('script') in ['script', 'none']
    fail_msg: "cert_management can only be 'script' or 'none'"
  run_once: true

- name: Stop if unknown resolvconf_mode
  ansible.builtin.assert:
    that:
      - resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
    fail_msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  when:
    - resolvconf_mode is defined
  run_once: true
# Evaluated on etcd members only.
- name: Stop if etcd deployment type is not host, docker or kubeadm
  ansible.builtin.assert:
    that:
      - etcd_deployment_type in ['host', 'docker', 'kubeadm']
    fail_msg: "The etcd deployment type, 'etcd_deployment_type', must be host, docker or kubeadm"
  when:
    - inventory_hostname in groups.get('etcd', [])
- name: Stop if container manager is not docker, crio or containerd
  ansible.builtin.assert:
    that:
      - container_manager in ['docker', 'crio', 'containerd']
    fail_msg: "The container manager, 'container_manager', must be docker, crio or containerd"
  run_once: true
# A docker-based etcd only makes sense when docker is the container manager.
- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker
  ansible.builtin.assert:
    that:
      - etcd_deployment_type in ['host', 'kubeadm']
    fail_msg: "The etcd deployment type, 'etcd_deployment_type', must be host or kubeadm when container_manager is not docker"
  when:
    - inventory_hostname in groups.get('etcd', [])
    - container_manager != 'docker'
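# TODO: Clean this task up when we drop backward compatibility support for `etcd_kubeadm_enabled`
- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker and etcd_kubeadm_enabled is not defined
  run_once: true
  when: etcd_kubeadm_enabled is defined
  block:
    - name: Warn the user if they are still using `etcd_kubeadm_enabled`
      ansible.builtin.debug:
        msg: >
          "WARNING! => `etcd_kubeadm_enabled` is deprecated and will be removed in a future release.
          You can set `etcd_deployment_type` to `kubeadm` instead of setting `etcd_kubeadm_enabled` to `true`."
      changed_when: true

    # NOTE(review): the task name mentions `host`, but only `kubeadm` satisfies
    # the assertion below; the message matches the assertion, not the name.
    - name: Stop if `etcd_kubeadm_enabled` is defined and `etcd_deployment_type` is not `kubeadm` or `host`
      ansible.builtin.assert:
        that: etcd_deployment_type == 'kubeadm'
        # The message previously ended in an unmatched `"` that was printed
        # literally (block scalars keep quote characters); it is dropped here.
        fail_msg: >
          It is not possible to use `etcd_kubeadm_enabled` when `etcd_deployment_type` is set to {{ etcd_deployment_type }}.
          Unset the `etcd_kubeadm_enabled` variable and set `etcd_deployment_type` to desired deployment type (`host`, `kubeadm`, `docker`) instead.
      when: etcd_kubeadm_enabled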
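# Option-compatibility checks for download and sandboxed-runtime settings.
- name: Stop if download_localhost is enabled but download_run_once is not
  ansible.builtin.assert:
    that:
      - download_run_once
    fail_msg: "download_localhost requires enable download_run_once"
  when:
    - download_localhost

# Message corrected: the runtime is spelled "cri-o", not "crio-o".
- name: Stop if kata_containers_enabled is enabled when container_manager is docker
  ansible.builtin.assert:
    that:
      - container_manager != 'docker'
    fail_msg: "kata_containers_enabled support only for containerd and cri-o. See https://github.com/kata-containers/documentation/blob/1.11.4/how-to/run-kata-with-k8s.md#install-a-cri-implementation for details"
  when:
    - kata_containers_enabled

- name: Stop if gvisor_enabled is enabled when container_manager is not containerd
  ansible.builtin.assert:
    that:
      - container_manager == 'containerd'
    fail_msg: "gvisor_enabled support only compatible with containerd. See https://github.com/kubernetes-sigs/kubespray/issues/7650 for details"
  when:
    - gvisor_enabled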
# Controller-side download caching is not available on Flatcar hosts.
- name: Stop if download_localhost is enabled for Flatcar Container Linux
  ansible.builtin.assert:
    that:
      - ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
    fail_msg: "download_run_once not supported for Flatcar Container Linux"
  when:
    - download_run_once or download_force_cache
# Symbolic channel names ('latest', 'edge', 'stable') cannot be compared
# numerically and are skipped.
- name: Ensure minimum containerd version
  ansible.builtin.assert:
    that:
      - containerd_version is version(containerd_min_version_required, '>=')
    fail_msg: "containerd_version is too low. Minimum version {{ containerd_min_version_required }}"
  run_once: true
  when:
    - containerd_version not in ['latest', 'edge', 'stable']
    - container_manager == 'containerd'
# Deprecated and mutually exclusive settings.
- name: Stop if using deprecated containerd_config variable
  ansible.builtin.assert:
    that:
      - containerd_config is not defined
    fail_msg: "Variable containerd_config is now deprecated. See https://github.com/kubernetes-sigs/kubespray/blob/master/inventory/sample/group_vars/all/containerd.yml for details."
  when:
    - containerd_config is defined
    - not ignore_assert_errors

# With an external CA, certificate renewal is not this playbook's responsibility.
- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
  ansible.builtin.assert:
    that:
      - not auto_renew_certificates
    fail_msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
  when:
    - kube_external_ca_mode
    - not ignore_assert_errors

# Only the first element is inspected; a comma there indicates the old
# single-string form of the plugin list.
- name: Stop if using deprecated comma separated list for admission plugins
  ansible.builtin.assert:
    that:
      - "',' not in kube_apiserver_enable_admission_plugins[0]"
    fail_msg: "Comma-separated list for kube_apiserver_enable_admission_plugins is now deprecated, use separate list items for each plugin."
  when:
    - kube_apiserver_enable_admission_plugins is defined
    - kube_apiserver_enable_admission_plugins | length > 0
# Validate `pkgs` against the bundled JSON schema, then require its keys to be
# in sorted order so diffs stay reviewable.
- name: Verify that the packages list structure is valid
  ansible.utils.validate:
    criteria: "{{ lookup('file', 'pkgs-schema.json') }}"
    data: "{{ pkgs }}"

- name: Verify that the packages list is sorted
  vars:
    pkgs_lists: "{{ pkgs.keys() | list }}"
  ansible.builtin.assert:
    that:
      - pkgs_lists | sort == pkgs_lists
    fail_msg: "pkgs is not sorted: {{ pkgs_lists | ansible.utils.fact_diff(pkgs_lists | sort) }}"