Kay Yan
4db5e663c3
fix-mistake-regex-for-resolv-conf ( #9523 )
2022-11-30 03:48:56 -08:00
ERIK
b9a690463d
Add docker support for openEuler linux ( #9498 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-11-17 18:18:30 -08:00
ERIK
8795cf6494
Add support for the OpenEuler Linux ( #9494 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-11-16 00:48:49 -08:00
ERIK
40261fdf14
Fix iputils install failure in Kylin OS ( #9453 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-11-06 17:54:16 -08:00
Jiffs Maverick
4aa1ef28ea
Don't use coredns_server in dhclient.conf if nodelocaldns is enabled ( #9392 )
2022-11-03 02:45:36 -07:00
lijin-union
c272421910
Add UOS linux support ( #9432 )
2022-10-30 17:16:43 -07:00
蒋航
990f87acc8
Update kube-vip to v0.5.5 ( #9437 )
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
2022-10-26 19:28:32 -07:00
William Turner
eeb376460d
Fix inconsistent handling of admission plugin list ( #9407 )
* Fix inconsistent handling of admission plugin list
* Adjust hardening doc with the normalized admission plugin list
* Add pre-check for admission plugins format change
* Ignore checking admission plugins value when variable is not defined
2022-10-26 00:28:37 -07:00
Wouter Goedhart
1901b512d2
Make the port of kube-vip dynamic based on the kube_apiserver_port ( #9414 )
variable
Fix wrong referenced variable on bgp_peers
Fix bgp_peeras field to be a string
Set default value for bgp_peeras
2022-10-23 18:00:24 -07:00
ERIK
9fdda7eca8
Fix iputils install failure in Kylin OS ( #9416 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-10-21 04:53:51 -07:00
Cristian Calin
1530411218
use cri-o from upstream instead of kubic/OBS ( #9374 )
* [cri-o] use cri-o from upstream instead of kubic/OBS
* [cri-o] add proper molecule coverage
* [skopeo] download skopeo from upstream build
* [cri-o] clean up legacy deployments
* disable cri-o per-distribution variables
2022-10-19 05:47:05 -07:00
Cristian Calin
23716b0eff
don't define kubeadm_patches by default ( #9372 )
2022-10-14 01:20:46 -07:00
Kay Yan
131bd933a6
Fix ensure ping package error in fedora CoreOS & Flatcar ( #9370 )
* fix-ensure-package-in-coreos
* clean blank line
2022-10-13 16:54:46 -07:00
Kenichi Omichi
24632ae81b
Add check_typo job ( #9361 )
To block merging pull requests which contain typos automatically.
2022-10-07 02:21:53 -07:00
Huang Chen-Yi
d689f57c94
Features/support kubeadm patches v1beta3 ( #9326 )
* Support kubeadm patches in v1beta3
* Update kubeadm patches sample files in inventory
* Fix pre-commit syntax
* Set kubeadm_patches enabled to false in sample inventory
2022-10-06 00:39:52 -07:00
William Turner
ad3f503c0c
Fix default value for kubelet_secure_addresses ( #9355 )
2022-10-06 00:35:51 -07:00
Eugene Artemenko
8b9cd3959a
Add possibility to skip adding load balancer name in the hosts file ( #9331 )
2022-10-04 06:26:16 -07:00
Emin AKTAS
dffeab320e
feat: add a parameter to disable host nameservers ( #9357 )
Signed-off-by: eminaktas <eminaktas34@gmail.com>
2022-10-04 06:22:17 -07:00
Kay Yan
999586a110
sysctl_additional ( #9351 )
2022-10-02 23:06:14 -07:00
Florian Ruynat
841e2f44c0
Remove references to 1.22 ( #9342 )
2022-09-28 14:10:29 -07:00
Zhong Jianxin
6dff39344b
preinstall: Add nodelocaldns to supersede_nameserver if enabled ( #9282 )
When a machine that uses dhclient and resolvconf reboots, this will make /etc/resolv.conf
remain close to the one before reboot
2022-09-25 20:19:44 -07:00
Kei Kori
467dc19cbd
support removing options in resolvconf with tab separator ( #9304 )
2022-09-23 10:42:27 -07:00
Emin AKTAS
9468642269
feat: allows users to have more control on DNS ( #9270 )
Signed-off-by: eminaktas <eminaktas34@gmail.com>
2022-09-23 10:28:26 -07:00
Kay Yan
5d3326b93f
add-ping-package ( #9284 )
2022-09-21 23:55:05 -07:00
Kay Yan
97ca2f3c78
add-timezone-support ( #9263 )
2022-09-14 21:11:22 -07:00
cleverhu
fc57c0b27e
fix number node name can't be added ( #9266 )
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
2022-09-13 00:09:05 -07:00
Krystian Młynek
6386ec029c
add retries for restart of kube-apiserver ( #9256 )
* add retries for restart of kube-apiserver
* change var name
2022-09-07 16:48:49 -07:00
Alessio Greggi
acb6f243fd
feat: add kubelet systemd service hardening option ( #9194 )
* feat: add kubelet systemd service hardening option
* refactor: move variable name to kubelet_secure_addresses
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
* docs: add diagram about kubelet_secure_addresses variable
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
2022-08-30 11:18:55 -07:00
Kay Yan
b46ddf35fc
kube-vip should fail if kube_proxy_strict_arp is false in arp mode ( #9223 )
* fix-kube-vip-strict-arp
* fix-kube-vip-strict-arp
2022-08-30 00:21:02 -07:00
Shelming.Song
c8a61ec98c
optimize the format of evictionHard in kubelet-config.yaml template ( #9204 )
2022-08-23 01:55:24 -07:00
Tomas Zvala
30c77ea4c1
Add the option to enable default Pod Security Configuration ( #9017 )
* Add the option to enable default Pod Security Configuration
Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.
* Fix the PR according to code review comments
* Revert the latest changes
- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2022-08-18 01:16:36 -07:00
Ho Kim
be5fdab3aa
Disable DNSStubListener for Flatcar Linux ( #9160 )
* Disable DNSStubListener for Flatcar Linux
* Fix missing "Flatcar" condition of os_family
2022-08-18 00:56:49 -07:00
Kay Yan
0088fe0ab7
add-tar-in-common-package ( #9184 )
2022-08-16 05:17:18 -07:00
ERIK
47050003a0
Add docker support for Kylin V10 ( #9144 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-08-03 15:03:46 -07:00
ERIK
f2f9f1d377
Add kylin OS support ( #9078 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2022-08-01 10:44:29 -07:00
Samuel Liu
e73803c72c
pid reserved must be str ( #9124 )
2022-07-30 20:14:27 -07:00
Kay Yan
f592fa1235
add kube-vip sans ( #9099 )
2022-07-19 13:11:28 -07:00
Alessio Greggi
3ce5458f32
hardening: Add `SeccompDefault` admission plugin for kubelet ( #9074 )
* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates
* fix(kubelet-config): enable config through kubelet_feature_gates
* feat(kubelet): add kubelet_seccomp_default variable
2022-07-19 00:50:07 -07:00
Kenichi Omichi
c01656b1e3
Allow "openSUSE Tumbleweed" to be run ( #9072 )
The commit 1ce2f04 tried to merge multiple SUSE OS checks including
"openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but
that was a perfect change.
Then the commit c16efc9 tried to fix it for "openSUSE Leap", but it
didn't take care of "openSUSE Tumbleweed".
Then this adds "openSUSE Tumbleweed" to the OS check.
2022-07-08 04:55:47 -07:00
h9-HSFRQDH
3bb9542606
Adding support for node & pod pid limit ( #9038 )
2022-07-05 00:20:48 -07:00
Kay Yan
1d0b3829ed
remove-etcd-unsupported-arch ( #9049 )
2022-07-04 05:39:24 -07:00
Kay Yan
4b03f6c20f
add-managed-ntp-support ( #9027 )
2022-06-28 13:15:34 -07:00
Kay Yan
d4de9d096f
fix-the-issue-of-miss-the-etcd-user ( #9016 )
2022-06-28 09:13:58 -07:00
Florian Ruynat
6bf3306401
Fixed concatenate str & int in auto_renew_certificates_systemd_calendar var ( #8979 )
2022-06-22 11:55:43 -07:00
Citrullin
e7729daefc
Add assertion for IPv6 in verify settings
Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>
2022-06-17 10:36:43 +02:00
Alessio Greggi
97b4d79ed5
feat: make kubernetes owner parametrized ( #8952 )
* feat: make kubernetes owner parametrized
* docs: update hardening guide with configuration for CIS 1.1.19
* fix: set etcd data directory permissions to be compliant to CIS 1.1.12
2022-06-17 01:34:32 -07:00
Calin Cristian Andrei
24c8ba832a
[kubernetes] drop support for configuring insecure apiserver
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
2cd8c51a07
[kubeadm] use v1beta3 configuration version
* extra admission controls now don't have a version in their file names
eventratelimit.v1beta2.yaml.j2 -> eventratelimit.yaml.j2
* cri_socket variable includes the unix:// prefix to be conformant with
upstream
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
589823bdc1
[CI] remove docker stand-alone molecule test
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
fad296616c
[docker] use cri-dockerd instead of dockershim for any kubernetes version deployed with docker as the container_manager
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
6380483e8b
[kubeconfig] generate admin kube config from /etc/kubernetes/admin.conf instead of the workaround of using kubeadm init phase kubeadm admin which fails with cri-dockerd
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
ae1dcb031f
[kubernetes] drop pre 1.22.0 workarounds
2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
d69d4a8303
[kubernetes] make 1.24.1 the new default
2022-06-15 00:57:20 -07:00
Ho Kim
7d3e59cf2e
Remove unneeded socat installation for Flatcar ( #8970 )
2022-06-14 02:23:34 -07:00
Ho Kim
77f436fa39
Fix: set fallback value of kubelet ip6 ( #8858 ) ( #8926 )
* Fix: set fallback value of kubelet ip6 (#8858 )
* Prune the spurious comma in the end of kubelet_address
- Update `roles/kubernetes/node/defaults/main.yml`
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
* Fix: set fallback value of kubelet ip6 (#8858 )
- Apply the lint: 132606368e
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
2022-06-06 10:08:21 -07:00
Thearas
01ca7293f5
support reserve ephemeral-storage ( #8895 )
2022-06-06 07:34:26 -07:00
Max Gautier
5512465b34
Revert "Set exact user for Kubelet services" ( #8872 )
This reverts commit e375678674.
The workaround of explicitly specifying root for the kubelet unit was
for pulling images from private registry. Kubernetes now has a
dedicated mechanism with imagePullSecret.
2022-06-01 00:19:02 -07:00
Kenichi Omichi
73fc70dbe8
Delete kube_version v1.20- related code ( #8869 )
Current Kubespray supports the Kubernetes version 1.21 or upper with
`kube_version_min_required: v1.21.0`
Then kube_version v1.20- related code is not used at all.
This deletes that code for cleanup.
2022-05-25 21:31:22 -07:00
Necatican Yıldırım
dc1af5a9c5
[etcd] Add support for setting the request size limit ( #8849 )
* [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes`
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES
Signed-off-by: necatican <necaticanyildirim@gmail.com>
2022-05-23 09:36:03 -07:00
Kay Yan
3d8f3bc0b7
Fix the invalid kube vip manifest ( #8831 )
* add Feature synchronized time checking
* fix-invalid-kube-vip-manifest
2022-05-17 23:48:55 -07:00
emiran-orange
8f618ab408
Fix condition on kata_containers_version/kube_version when kata_containers_enabled is false ( #8804 )
2022-05-09 14:56:32 -07:00
Alessio Greggi
37a5271f5a
feat: add variables to manage makeIPTablesUtilChains and streamingConnectionIdleTimeout kubelet parameters ( #8796 )
2022-05-09 09:25:19 -07:00
Robin Wallace
42fc71fafa
[PodSecurityPolicy] Move the install of psp ( #8744 )
2022-05-09 09:21:19 -07:00
Andy
323a111362
[kubelet] set correct resolv.conf for Ubuntu 22.04 ( #8795 )
2022-05-06 16:31:04 -07:00
Alessio Greggi
e7df4d3dd9
add support for `service-account-lookup` parameter ( #8781 )
* feat: add variable to manage service-account-lookup on kube-apiserver
* docs: add documentation about service-account-lookup variable
2022-05-06 00:39:07 -07:00
David Louks
3e52a0db95
Add optional setting for ca data in auth webhook ( #8777 )
* Add optional setting for ca data in auth webhook
* add webhook token auth variables to sample inventory
2022-05-05 14:52:43 -07:00
Elif Akyıldırım
0d6ea85167
Assert that IP range is enough for the nodes ( #8720 )
* Assert that IP range is enough for the nodes
Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
* Fixed whitespace
* Fixed errors
* Fixed errors
Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
2022-05-05 08:48:20 -07:00
Victor Morales
e7e5037a86
Add a container_manager validation ( #8785 )
2022-05-04 23:58:19 -07:00
Alessio Greggi
fa1d222eee
add support for `EventRateLimit` plugin configuration ( #8711 )
* feat: add support for EventRateLimit admission plugin
* docs: add documentation about admission_control_config_file and EventRateLimit configuration
2022-05-02 11:03:15 -07:00
Kenichi Omichi
eb566ca626
Remove aufs-tools from Ubuntu requirement ( #8754 )
aufs-tools was required for docker.io package originally,
but Kubespray installs docker-ce package instead today.
In addition, Ubuntu 20.04 doesn't provide aufs-tools as [1].
Then this removes aufs-tools from Ubuntu requirement.
[1]: https://bugs.launchpad.net/ubuntu/+source/aufs-tools/+bug/1947004
2022-04-27 23:04:55 -07:00
Cristian Calin
3261d26181
[etcd] ensure etcd is properly upgraded when managed by kubeadm ( #8722 )
* [etcd] ensure etcd is properly upgraded when managed by kubeadm
* [CI] add periodic job to test upgrade of etcd managed by kubeadm
2022-04-17 10:32:41 -07:00
Cristian Calin
45262da726
[calico] call calico checks early on to prevent altering the cluster with bad configuration ( #8707 )
2022-04-14 01:08:46 -07:00
Julien Le Fur
30306d6ec7
Enable external CA mode for control-plane deployment ( #8620 )
2022-04-12 05:47:23 -07:00
Robin Wallace
d7254eead6
UpCloud integration ( #8653 )
* [upcloud] add upcloud csi-driver
* Option to use ansible_host as api ip for kubeconfig
2022-04-11 15:13:23 -07:00
Mathieu Parent
996ef98b87
Add support for kube-vip ( #8669 )
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
2022-04-07 10:37:57 -07:00
Unai Arríen
19d5a1c7c3
Ensure all Kubelet required kernel values are configured when enabling protectKernelDefaults ( #8692 )
2022-04-07 08:33:59 -07:00
Alessio Greggi
bba91a7524
split kube_feature_gates variable for different kubernetes components ( #8677 )
* feat: split kube_feature_gates variable for different kubernetes components
* docs: add kube_feature_gates component variables
2022-04-05 05:39:37 -07:00
Kenichi Omichi
503ab0f722
Run 0100-dhclient-hooks if dhcpclient is enabled ( #8658 )
If running Kubespray on static IP environments, a task failed like:
TASK [kubernetes/preinstall : Configure dhclient hooks for resolv.conf (RH-only)]
fatal: [ak8s2]: FAILED! => {
"changed": false, "checksum": "..",
"msg": "Destination directory /etc/dhcp/dhclient.d does not exist"}
This adds a check for dhclientconffile for running 0100-dhclient-hooks to
run the task only if dhcpclient is enabled.
2022-03-29 00:11:11 -07:00
Cristian Calin
fa9f85c7e9
[sysctl] set fs.may_detach_mounts=1 even when CRIs don't set it themselves ( #8635 )
2022-03-21 17:36:13 -07:00
Cristian Calin
dd2d95ecdf
[calico] don't enable ipip encapsulation by default and use vxlan in CI ( #8434 )
* [calico] make vxlan encapsulation the default
* don't enable ipip encapsulation by default
* set calico_network_backend by default to vxlan
* update sample inventory and documentation
* [CI] pin default calico parameters for upgrade tests to ensure proper upgrade
* [CI] improve netchecker connectivity testing
* [CI] show logs for tests
* [calico] tweak task name
* [CI] Don't run the provisioner from vagrant since we run it in testcases_run.sh
* [CI] move kube-router tests to vagrant to avoid network connectivity issues during netchecker check
* service proxy mode still fails connectivity tests so keeping it manual mode
* [kube-router] account for containerd use-case
2022-03-17 18:05:39 -07:00
Cristian Calin
394857b5ce
[docker] add support for cri-dockerd as a replacement for dockershim ( #8623 )
2022-03-16 16:28:11 -07:00
onock
d444a2fb83
[systemd-resolved] Fix DNS configuration according to docs/dns-stack.md and during reset of cluster ( #8560 ) ( #8561 )
2022-03-14 02:08:22 -07:00
kakkotetsu
58b2f39ce5
add IPv6 listen directive to nginx if enable_dual_stack_networks ( #8596 )
2022-03-07 05:39:00 -08:00
Takuya Murakami
39acb2b84d
Update ansible-lint to 5.4.0 ( #8607 ) ( #8608 )
* Update ansible-lint to 5.4.0 (#8607 )
It seems that the Rich version 11.0.0 has a breaking change.
So need to update ansible-lint to 5.3.2 or later.
* Fix for ansible-lint no-changed-when rule (#8607 )
2022-03-07 05:35:55 -08:00
Tom Janson
ddef7e1139
missing "check_mode: no"s for several read-only tasks ( #8584 )
this is not complete -- there are almost certainly more instances of
this issue
2022-03-02 09:29:14 -08:00
Mac Chaffee
b554246502
Fix host DNS config 1) being edited too soon and 2) not working with NM ( #8575 )
Signed-off-by: Mac Chaffee <me@macchaffee.com>
2022-02-26 10:29:23 -08:00
Nicolas Goudry
ee079f4740
fix(coredns): make sure to keep coredns repository namespace ( #8572 )
fix: regex
fix: wrong regex_replace usage
2022-02-24 01:01:33 -08:00
Alex
36393d77d3
Encrypting Secret Data at Rest ( #8574 )
* change default value for Encrypting Secret Data at Rest to secretbox, remove experimental flag and add documentation
* fix MD012/no-multiple-blanks
2022-02-23 03:04:18 -08:00
Necatican Yıldırım
e9c8913248
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable ( #8317 )
* Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* Add etcd kubeadm deployment documentation
Signed-off-by: necatican <necaticanyildirim@gmail.com>
* Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable
Signed-off-by: necatican <necaticanyildirim@gmail.com>
2022-02-22 08:53:16 -08:00
kakkotetsu
98d5d0cdd5
add support for Dual Stack node InternalIP ( #8542 )
2022-02-15 00:28:02 -08:00
Ilya Margolin
aed187e56c
Fix kubelet_kubelet_cgroups_cgroupfs ( #8500 )
If kubelet is run with systemd (as it always is when using kubespray),
it starts in systemd's /system.slice/kubelet.service cgroup.
This commit prevents a creation and usage of a second unrelated cgroup.
2022-02-02 00:50:22 -08:00
Michael Schmitz
eacd55fbca
Use sysctl_file_path variable for all sysctl_file locations ( #8395 )
* Use sysctl_file_path variable for all sysctl_file locations
* Add sysctl_file_path variable to kubespray-defaults
* Remove previously used sysctl file locations if present
* Use explicit filename in roles/kubernetes/node/defaults/main.yml
* Defaults: use explicit value
2022-02-01 08:12:10 -08:00
华忠啊
52f221f976
Adaptive Kube-ovn ( #8454 )
2022-01-27 01:08:10 -08:00
cyril-corbon
575e0ca457
feat: add eviction hard to kubelet config ( #8421 )
Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
2022-01-24 00:13:57 -08:00
Florian Ruynat
7c67ec4976
Fix kubectl call before installing it ( #8412 )
2022-01-12 23:12:29 -08:00
Samuel Liu
b2b95cc8f9
fix 0090-etchosts ( #7634 )
2022-01-11 01:03:16 -08:00
Unai Arríen
57a1d18db3
Improve first_kube_control_plane variable management to avoid installation failures due to variable overlapping ( #8388 )
2022-01-10 01:35:19 -08:00
Unai Arríen
92abf26d29
Ensure taint configuration for secondary control-plane nodes ( #8363 )
2022-01-05 23:56:28 -08:00
Max Gautier
cb54eb40ce
Use a variable for standardizing kubectl invocation ( #8329 )
* Add kubectl variable
* Replace kubectl usage by kubectl variable in roles
* Remove redundant --kubeconfig on kubectl usage
* Replace unnecessary shell usage with command
2022-01-05 02:26:32 -08:00
Romain ALBON
63a53c79d0
Fix - Search root filesystem device ( #8366 )
2022-01-04 06:48:52 -08:00