106 lines
3.1 KiB
YAML
106 lines
3.1 KiB
YAML
---
|
|
- name: Kubernetes Apps | Wait for kube-apiserver
|
|
uri:
|
|
url: "{{ kube_apiserver_endpoint }}/healthz"
|
|
validate_certs: no
|
|
client_cert: "{{ kube_apiserver_client_cert }}"
|
|
client_key: "{{ kube_apiserver_client_key }}"
|
|
register: result
|
|
until: result.status == 200
|
|
retries: 10
|
|
delay: 6
|
|
when: inventory_hostname == groups['kube-master'][0]
|
|
|
|
- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
|
|
template:
|
|
src: "node-crb.yml.j2"
|
|
dest: "{{ kube_config_dir }}/node-crb.yml"
|
|
register: node_crb_manifest
|
|
when: rbac_enabled
|
|
|
|
- name: Apply workaround to allow all nodes with cert O=system:nodes to register
|
|
kube:
|
|
name: "system:node"
|
|
kubectl: "{{bin_dir}}/kubectl"
|
|
resource: "clusterrolebinding"
|
|
filename: "{{ kube_config_dir }}/node-crb.yml"
|
|
state: latest
|
|
when:
|
|
- rbac_enabled
|
|
- node_crb_manifest.changed
|
|
|
|
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
|
|
template:
|
|
src: "node-webhook-cr.yml.j2"
|
|
dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
|
|
register: node_webhook_cr_manifest
|
|
when:
|
|
- rbac_enabled
|
|
- kubelet_authorization_mode_webhook
|
|
tags: node-webhook
|
|
|
|
- name: Apply webhook ClusterRole
|
|
kube:
|
|
name: "system:node-webhook"
|
|
kubectl: "{{bin_dir}}/kubectl"
|
|
resource: "clusterrole"
|
|
filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
|
|
state: latest
|
|
when:
|
|
- rbac_enabled
|
|
- kubelet_authorization_mode_webhook
|
|
- node_webhook_cr_manifest.changed
|
|
tags: node-webhook
|
|
|
|
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
|
|
template:
|
|
src: "node-webhook-crb.yml.j2"
|
|
dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
|
|
register: node_webhook_crb_manifest
|
|
when:
|
|
- rbac_enabled
|
|
- kubelet_authorization_mode_webhook
|
|
tags: node-webhook
|
|
|
|
- name: Grant system:nodes the webhook ClusterRole
|
|
kube:
|
|
name: "system:node-webhook"
|
|
kubectl: "{{bin_dir}}/kubectl"
|
|
resource: "clusterrolebinding"
|
|
filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
|
|
state: latest
|
|
when:
|
|
- rbac_enabled
|
|
- kubelet_authorization_mode_webhook
|
|
- node_webhook_crb_manifest.changed
|
|
tags: node-webhook
|
|
|
|
# This is not a cluster role, but should be run after kubeconfig is set on master
|
|
- name: Write kube system namespace manifest
|
|
template:
|
|
src: namespace.j2
|
|
dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
|
|
when: inventory_hostname == groups['kube-master'][0]
|
|
tags:
|
|
- apps
|
|
|
|
- name: Check if kube system namespace exists
|
|
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
|
|
register: 'kubesystem'
|
|
changed_when: False
|
|
failed_when: False
|
|
when: inventory_hostname == groups['kube-master'][0]
|
|
tags:
|
|
- apps
|
|
|
|
- name: Create kube system namespace
|
|
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
register: create_system_ns
|
|
until: create_system_ns.rc == 0
|
|
changed_when: False
|
|
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
|
|
tags:
|
|
- apps
|