diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index cd11b7018..ae2c0484e 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -123,7 +123,7 @@
 - inventory_hostname in groups['kube-master']
 - kubeadm_config_api_fqdn is not defined
 - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
- - not kube_proxy_remove
+ - kube_proxy_deployed
 - loadbalancer_apiserver_localhost
 tags:
 - kube-proxy
@@ -144,7 +144,7 @@
 - inventory_hostname in groups['kube-master']
 - kubeadm_config_api_fqdn is not defined
 - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
- - not kube_proxy_remove
+ - kube_proxy_deployed
 tags:
 - kube-proxy

@@ -159,19 +159,6 @@
 - kube_network_plugin in ['calico','canal']
 - calico_version is version('v3.3.0', '<')

-# FIXME(jjo): need to post-remove kube-proxy until https://github.com/kubernetes/kubeadm/issues/776
-# is fixed
-- name: Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
- command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf delete daemonset -n kube-system kube-proxy"
- run_once: true
- delegate_to: "{{ groups['kube-master']|first }}"
- when:
- - kube_proxy_remove
- # When scaling/adding nodes in the existing k8s cluster, kube-proxy wouldn't be created, as `kubeadm init` wouldn't run.
- ignore_errors: true
- tags:
- - kube-proxy
-
 - name: Extract etcd certs from control plane if using etcd kubeadm mode
 include_tasks: kubeadm_etcd_node.yml
 when:
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index d37cfd361..fc442b3be 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
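Review bot: `kube_proxy_deployed` is tested as a bare variable in this `when:` list (the `@@ -123,7 +123,7 @@` hunk), but the diff defines it in roles/kubespray-defaults/vars/main.yml as a quoted template string, so the condition only acts as a boolean if Ansible converts the rendered text back to one. The removed `kube_proxy_remove` default passed its result through `| bool`; writing the condition as `- kube_proxy_deployed | bool` keeps that explicit instead of relying on the conversion. The same applies to the `@@ -144,7 +144,7 @@` hunk in this file and to the hunk in roles/win_nodes/kubernetes_patch/tasks/main.yml. The tasks these conditions belong to start outside the hunks.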
@@ -148,7 +148,7 @@
 {{ bin_dir }}/kubeadm init
 --config={{ kube_config_dir }}/kubeadm-config.yaml
 --ignore-preflight-errors=all
- --skip-phases=addon/coredns
+ --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
 --upload-certs
 register: kubeadm_init
 # Retry is because upload config sometimes fails
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 8c1659f76..46e5d5e77 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -141,45 +141,6 @@
 tags:
 - kube-proxy

-- name: Purge proxy manifest for kubeadm or if proxy services being provided by other means, e.g. network_plugin
- file:
- path: "{{ kube_manifest_dir }}/kube-proxy.manifest"
- state: absent
- when:
- - kube_proxy_remove
- tags:
- - kube-proxy
-
-- name: Set command for kube-proxy cleanup
- set_fact:
- kube_proxy_cleanup_command: >-
- {%- if container_manager in ['docker', 'crio'] %}
- {{ docker_bin_dir }}/docker run --rm --privileged -v /lib/modules:/lib/modules {{ kube_proxy_image_repo }}:{{ kube_version }} kube-proxy --cleanup
- {%- elif container_manager == "containerd" %}
- ctr run --rm --mount type=bind,src=/lib/modules,dst=/lib/modules,options=rbind:rw {{ kube_proxy_image_repo }}:{{ kube_version }} kube-proxy --cleanup
- {%- endif %}
- when:
- - kube_proxy_remove
- tags:
- - kube-proxy
-
-- name: Ensure kube-proxy container is pulled for containerd
- command: "{{ bin_dir }}/crictl pull {{ kube_proxy_image_repo }}:{{ kube_version }}"
- when:
- - kube_proxy_remove
- - container_manager == "containerd"
- tags:
- - kube-proxy
-
-- name: Cleanup kube-proxy leftovers from node
- command: "{{ kube_proxy_cleanup_command }}"
- # `kube-proxy --cleanup`, being Ok as per shown WARNING, still returns 255 from above run (?)
- ignore_errors: true
- when:
- - kube_proxy_remove
- tags:
- - kube-proxy
-
 - include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml"
 when:
 - cloud_provider is defined
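Review bot: The `--skip-phases` flag in the `@@ -148,7 +148,7 @@` hunk only affects a fresh `kubeadm init`, while the same commit removes the tasks that deleted the kube-proxy daemonset and ran `kube-proxy --cleanup` on nodes. A cluster that was initialised with kube-proxy and later switches to a proxy-replacing plugin would therefore presumably keep the daemonset and its rules next to the replacement. If that is intended, say so above the task (not inside the folded command, where it would become part of the string), for example `# --skip-phases only applies to a fresh kubeadm init; an existing kube-proxy daemonset is not removed`. The command block starts outside the hunk.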
diff --git a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
index a8133a5db..79485b127 100644
--- a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
@@ -156,15 +156,6 @@
 - ../vars
 skip: true

-- name: override kube_proxy_mode to ipvs if kube_proxy_remove is set, as ipvs won't require kube-proxy cleanup when kube-proxy daemonset gets deleted
- set_fact:
- kube_proxy_mode: 'ipvs'
- when:
- - kube_proxy_remove
- tags:
- - facts
- - kube-proxy
-
 - name: set etcd vars if using kubeadm mode
 set_fact:
 etcd_cert_dir: "{{ kube_cert_dir }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 095bc36fc..fcfa6d53c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -26,14 +26,19 @@ kubeadm_use_hyperkube_image: False
 ## Kube Proxy mode One of ['iptables','ipvs']
 kube_proxy_mode: ipvs

-## Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
-kube_proxy_remove: >-
- {%- if kube_network_plugin == 'kube-router' -%}
- {{ (kube_router_run_service_proxy is defined and kube_router_run_service_proxy)| bool }}
- {%- elif kube_network_plugin == 'cilium' -%}
- {{ (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict')| bool }}
+## List of kubeadm init phases that should be skipped during control plane setup
+## By default 'addon/coredns' is skipped
+## 'addon/kube-proxy' gets skipped for some network plugins
+kubeadm_init_phases_skip_default: [ "addon/coredns" ]
+kubeadm_init_phases_skip: >-
+ {%- if kube_network_plugin == 'kube-router' and (kube_router_run_service_proxy is defined and kube_router_run_service_proxy) -%}
+ {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
+ {%- elif kube_network_plugin == 'cilium' and (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict') -%}
+ {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
+ {%- elif kube_proxy_remove is defined and kube_proxy_remove -%}
+ {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
 {%- else -%}
- false
+ {{ kubeadm_init_phases_skip_default }}
 {%- endif -%}

 # A string slice of values which specify the addresses to use for NodePorts.
diff --git a/roles/kubespray-defaults/vars/main.yml b/roles/kubespray-defaults/vars/main.yml
new file mode 100644
index 000000000..903e02a66
--- /dev/null
+++ b/roles/kubespray-defaults/vars/main.yml
@@ -0,0 +1,2 @@
+---
+kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"
diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml
index ada163451..32f511a4e 100644
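Review bot: In the three branches of `kubeadm_init_phases_skip` that append `addon/kube-proxy`, the `+ [ "addon/kube-proxy" ]` sits outside the `{{ }}` expression, so Jinja renders the default list followed by literal text instead of concatenating two lists. The `join(',')` on the `kubeadm init` command line and the `not in` test in `kube_proxy_deployed` then only see a list if Ansible re-evaluates that rendered string. Moving the operator inside the expression, `{{ kubeadm_init_phases_skip_default + [ "addon/kube-proxy" ] }}`, makes the value a list in its own right. The compatibility branch `kube_proxy_remove is defined and kube_proxy_remove` also tests the raw value, so a non-empty string such as `"false"` would count as true; `kube_proxy_remove | bool` keeps the conversion the old default applied.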
--- a/roles/win_nodes/kubernetes_patch/tasks/main.yml
+++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml
@@ -36,4 +36,4 @@
 when: patch_kube_proxy_state is not skipped
 tags: init
 when:
- - not kube_proxy_remove
+ - kube_proxy_deployed