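---
# Host bootstrap tasks: SELinux policy, IPv6 DNS precedence, sysctl layout
# and values, the dummy kernel module, and the optional fapolicyd shutdown.
# Booleans are written as true/false and file modes as quoted strings so
# YAML 1.1 loaders cannot retype them (0644 would otherwise load as int 420).

# Todo : selinux configuration
- name: Confirm selinux deployed
  stat:
    path: /etc/selinux/config
    get_attributes: false
    get_checksum: false
    get_mime: false
  when:
    - ansible_os_family == "RedHat"
    - "'Amazon' not in ansible_distribution"
  register: slc

# preinstall_selinux_state decides the SELinux mode for the host. The task is
# reported as never changed (changed_when: false), so a mode change made here
# will not surface in the play recap; review the variable, not the recap.
- name: Set selinux policy
  selinux:
    policy: targeted
    state: "{{ preinstall_selinux_state }}"
  when:
    - ansible_os_family == "RedHat"
    - "'Amazon' not in ansible_distribution"
    - slc.stat.exists
  changed_when: false
  tags:
    - bootstrap-os

# Prefer IPv4 over IPv6 for getaddrinfo() answers; skipped on Flatcar, whose
# /etc is managed differently. backup: true keeps a copy of the prior file.
- name: Disable IPv6 DNS lookup
  lineinfile:
    dest: /etc/gai.conf
    line: "precedence ::ffff:0:0/96 100"
    state: present
    create: true
    backup: true
    mode: "0644"
  when:
    - disable_ipv6_dns
    - ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
  tags:
    - bootstrap-os

- name: Clean previously used sysctl file locations
  file:
    path: "/etc/sysctl.d/{{ item }}"
    state: absent
  with_items:
    - ipv4-ip_forward.conf
    - bridge-nf-call.conf

- name: Stat sysctl file configuration
  stat:
    path: "{{ sysctl_file_path }}"
    get_attributes: false
    get_checksum: false
    get_mime: false
  register: sysctl_file_stat
  tags:
    - bootstrap-os

# If sysctl_file_path is a symlink, write to its target instead of replacing
# the link. The link target is taken as-is from the host; only trusted hosts
# should be able to point it somewhere unexpected.
- name: Change sysctl file path to link source if linked
  set_fact:
    sysctl_file_path: "{{ sysctl_file_stat.stat.lnk_source }}"
  when:
    - sysctl_file_stat.stat.islnk is defined
    - sysctl_file_stat.stat.islnk
  tags:
    - bootstrap-os

- name: Make sure sysctl file path folder exists
  file:
    name: "{{ sysctl_file_path | dirname }}"
    state: directory
    mode: "0755"

- name: Enable ip forwarding
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    reload: true

- name: Enable ipv6 forwarding
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: net.ipv6.conf.all.forwarding
    value: "1"
    state: present
    reload: true
  when: enable_dual_stack_networks | bool

# The stat is best-effort: the knob only exists on some kernels, and a missing
# path must not abort the play.
- name: Check if we need to set fs.may_detach_mounts
  stat:
    path: /proc/sys/fs/may_detach_mounts
    get_attributes: false
    get_checksum: false
    get_mime: false
  register: fs_may_detach_mounts
  ignore_errors: true  # noqa ignore-errors

- name: Set fs.may_detach_mounts if needed
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: fs.may_detach_mounts
    value: "1"
    state: present
    reload: true
  when: fs_may_detach_mounts.stat.exists | d(false)

# Kernel defaults that a kubelet running with protectKernelDefaults expects;
# with that flag set, the kubelet refuses to start if they differ.
- name: Ensure kube-bench parameters are set
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    reload: true
  with_items:
    - { name: kernel.keys.root_maxbytes, value: 25000000 }
    - { name: kernel.keys.root_maxkeys, value: 1000000 }
    - { name: kernel.panic, value: 10 }
    - { name: kernel.panic_on_oops, value: 1 }
    - { name: vm.overcommit_memory, value: 1 }
    - { name: vm.panic_on_oom, value: 0 }
  when: kubelet_protect_kernel_defaults | bool

# numdummies=0 loads the module without pre-creating dummy interfaces.
- name: Check dummy module
  modprobe:
    name: dummy
    state: present
    params: 'numdummies=0'
  when: enable_nodelocaldns

# additional_sysctl entries are applied verbatim; they can override any of
# the values set above, so review that variable with the same care.
- name: Set additional sysctl variables
  sysctl:
    sysctl_file: "{{ sysctl_file_path }}"
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    reload: true
  with_items: "{{ additional_sysctl }}"

# fapolicyd is an application allow-listing daemon. Stopping and disabling it
# removes that control from the host, so this stays opt-in via
# disable_fapolicyd. failed_when: false makes the task a no-op where the unit
# does not exist.
- name: Disable fapolicyd service
  failed_when: false
  systemd:
    name: fapolicyd
    state: stopped
    enabled: false
  when: disable_fapolicyd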