kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11521 from VannTen/cleanup/deduplicate_kubeadm_control_plane 

Use in inventory variables rather than patch files for kubeadm_patches
pull/11540/head
Kubernetes Prow Robot 2024-09-20 01:05:14 +01:00 committed by GitHub
parent 4323e5d039 d54356e113
commit 93ee1226eb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 92 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/ansible/vars.md
View File

@ -337,6 +337,13 @@ in the form of dicts of key-value pairs of configuration parameters that will be
* *kube_kubeadm_controller_extra_args* * *kube_kubeadm_controller_extra_args*
* *kube_kubeadm_scheduler_extra_args* * *kube_kubeadm_scheduler_extra_args*
### Kubeadm patches
When extra flags are not sufficient and there is a need to further customize kubernetes components,
[kubeadm patches](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches)
can be used.
You should use the [`kubeadm_patches` variable](../../roles/kubernetes/kubeadm_common/defaults/main.yml) for that purpose.
## App variables ## App variables
* *helm_version* - Only supports v3.x. Existing v2 installs (with Tiller) will not be modified and need to be removed manually. * *helm_version* - Only supports v3.x. Existing v2 installs (with Tiller) will not be modified and need to be removed manually.

24
inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
View File

@ -366,11 +366,25 @@ auto_renew_certificates: false
# First Monday of each month # First Monday of each month
# auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00" # auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00"
# kubeadm patches path kubeadm_patches_dir: "{{ kube_config_dir }}/patches"
kubeadm_patches: kubeadm_patches: []
enabled: false # See https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches
source_dir: "{{ inventory_dir }}/patches" # Correspondance with this link
dest_dir: "{{ kube_config_dir }}/patches" # patchtype = type
# target = target
# suffix -> managed automatically
# extension -> always "yaml"
# kubeadm_patches:
# - target: kube-apiserver|kube-controller-manager|kube-scheduler|etcd|kubeletconfiguration
# type: strategic(default)|json|merge
# patch:
# metadata:
# annotations:
# example.com/test: "true"
# labels:
# example.com/prod_level: "{{ prod_level }}"
# - ...
# Patches are applied in the order they are specified.
# Set to true to remove the role binding to anonymous users created by kubeadm # Set to true to remove the role binding to anonymous users created by kubeadm
remove_anonymous_access: false remove_anonymous_access: false

8
inventory/sample/patches/kube-controller-manager+merge.yaml
View File

@ -1,8 +0,0 @@
---
apiVersion: v1
kind: Pod
metadata:
name: kube-controller-manager
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '10257'

8
inventory/sample/patches/kube-scheduler+merge.yaml
View File

@ -1,8 +0,0 @@
---
apiVersion: v1
kind: Pod
metadata:
name: kube-scheduler
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '10259'

1
roles/kubernetes/control-plane/meta/main.yml
View File

@ -1,5 +1,6 @@
--- ---
dependencies: dependencies:
- role: kubernetes/kubeadm_common
- role: kubernetes/tokens - role: kubernetes/tokens
when: kube_token_auth when: kube_token_auth
tags: tags:

15
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
View File

@ -167,21 +167,6 @@
- apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode - not kube_external_ca_mode
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: "0640"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Copy kubeadm patches from inventory files
copy:
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"
owner: "root"
mode: "0644"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Initialize first control plane node - name: Kubeadm | Initialize first control plane node
command: >- command: >-
timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }} timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}

4
roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
View File

@ -18,7 +18,7 @@
--ignore-preflight-errors=all --ignore-preflight-errors=all
--allow-experimental-upgrades --allow-experimental-upgrades
--etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }} --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }}
{% if kubeadm_patches is defined and kubeadm_patches.enabled %}--patches={{ kubeadm_patches.dest_dir }}{% endif %} {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
--force --force
register: kubeadm_upgrade register: kubeadm_upgrade
# Retry is because upload config sometimes fails # Retry is because upload config sometimes fails
@ -39,7 +39,7 @@
--ignore-preflight-errors=all --ignore-preflight-errors=all
--allow-experimental-upgrades --allow-experimental-upgrades
--etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }} --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }}
{% if kubeadm_patches is defined and kubeadm_patches.enabled %}--patches={{ kubeadm_patches.dest_dir }}{% endif %} {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
--force --force
register: kubeadm_upgrade register: kubeadm_upgrade
# Retry is because upload config sometimes fails # Retry is because upload config sometimes fails

4
roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
View File

@ -28,9 +28,9 @@ nodeRegistration:
kubeletExtraArgs: kubeletExtraArgs:
cloud-provider: external cloud-provider: external
{% endif %} {% endif %}
{% if kubeadm_patches is defined and kubeadm_patches.enabled %} {% if kubeadm_patches | length > 0 %}
patches: patches:
directory: {{ kubeadm_patches.dest_dir }} directory: {{ kubeadm_patches_dir }}
{% endif %} {% endif %}
--- ---
apiVersion: kubeadm.k8s.io/v1beta3 apiVersion: kubeadm.k8s.io/v1beta3

4
roles/kubernetes/control-plane/templates/kubeadm-controlplane.v1beta3.yaml.j2
View File

@ -31,7 +31,7 @@ nodeRegistration:
{% else %} {% else %}
taints: [] taints: []
{% endif %} {% endif %}
{% if kubeadm_patches is defined and kubeadm_patches.enabled %} {% if kubeadm_patches | length > 0 %}
patches: patches:
directory: {{ kubeadm_patches.dest_dir }} directory: {{ kubeadm_patches_dir }}
{% endif %} {% endif %}

3
roles/kubernetes/kubeadm/meta/main.yml 100644
View File

@ -0,0 +1,3 @@
---
dependencies:
- role: kubernetes/kubeadm_common

15
roles/kubernetes/kubeadm/tasks/main.yml
View File

@ -83,21 +83,6 @@
mode: "0640" mode: "0640"
when: ('kube_control_plane' not in group_names) when: ('kube_control_plane' not in group_names)
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches.dest_dir }}"
state: directory
mode: "0640"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Kubeadm | Copy kubeadm patches from inventory files
copy:
src: "{{ kubeadm_patches.source_dir }}/"
dest: "{{ kubeadm_patches.dest_dir }}"
owner: "root"
mode: "0644"
when: kubeadm_patches is defined and kubeadm_patches.enabled
- name: Join to cluster if needed - name: Join to cluster if needed
environment: environment:
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}:/sbin" PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}:/sbin"

4
roles/kubernetes/kubeadm/templates/kubeadm-client.conf.v1beta3.j2
View File

@ -38,7 +38,7 @@ nodeRegistration:
- effect: NoSchedule - effect: NoSchedule
key: node-role.kubernetes.io/calico-rr key: node-role.kubernetes.io/calico-rr
{% endif %} {% endif %}
{% if kubeadm_patches is defined and kubeadm_patches.enabled %} {% if kubeadm_patches | length > 0 %}
patches: patches:
directory: {{ kubeadm_patches.dest_dir }} directory: {{ kubeadm_patches_dir }}
{% endif %} {% endif %}

20
roles/kubernetes/kubeadm_common/defaults/main.yml 100644
View File

@ -0,0 +1,20 @@
---
kubeadm_patches_dir: "{{ kube_config_dir }}/patches"
kubeadm_patches: []
# See https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches
# Correspondance with this link
# patchtype = type
# target = target
# suffix -> managed automatically
# extension -> always "yaml"
# kubeadm_patches:
# - target: kube-apiserver|kube-controller-manager|kube-scheduler|etcd|kubeletconfiguration
# type: strategic(default)|json|merge
# patch:
# metadata:
# annotations:
# example.com/test: "true"
# labels:
# example.com/prod_level: "{{ prod_level }}"
# - ...
# Patches are applied in the order they are specified.

17
roles/kubernetes/kubeadm_common/tasks/main.yml 100644
View File

@ -0,0 +1,17 @@
---
- name: Kubeadm | Create directory to store kubeadm patches
file:
path: "{{ kubeadm_patches_dir }}"
state: directory
mode: "0640"
when: kubeadm_patches | length > 0
- name: Kubeadm | Copy kubeadm patches from inventory files
copy:
content: "{{ item.patch | to_yaml }}"
dest: "{{ kubeadm_patches_dir }}/{{ item.target }}{{ suffix }}+{{ item.type | d('strategic') }}.yaml"
owner: "root"
mode: "0644"
loop: "{{ kubeadm_patches }}"
loop_control:
index_var: suffix

17
tests/files/packet_ubuntu24-calico-etcd-datastore.yml
View File

@ -27,3 +27,20 @@ containerd_registries_mirrors:
skip_verify: true skip_verify: true
calico_datastore: "etcd" calico_datastore: "etcd"
# Test kubeadm patches
kubeadm_patches:
- target: kube-apiserver
patch:
metadata:
annotations:
example.com/test: "true"
labels:
example.com/prod_level: "prep"
- target: kube-controller-manager
patch:
metadata:
annotations:
example.com/test: "false"
labels:
example.com/prod_level: "prep"