add-managed-ntp-support (#9027)

roles/kubernetes/preinstall/templates/chrony.conf.j2

@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+# Specify one or more NTP servers.
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% for server in ntp_servers %}
+server {{ server }}
+{% endfor %}
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+{% if ntp_tinker_panic is sameas true %}
+# Force time sync if the drift exceeds the threshold specified
+# Usefull for VMs that can be paused and much later resumed.
+makestep 1.0 -1
+{% else %}
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+{% endif %}
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Specify directory for log files.
+logdir /var/log/chrony

roles/kubernetes/preinstall/templates/ntp.conf.j2

@@ -0,0 +1,45 @@
+# {{ ansible_managed }}
+
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile {{ ntp_driftfile }}
+
+{% if ntp_tinker_panic is sameas true %}
+# Always reset the clock, even if the new time is more than 1000s away
+# from the current system time. Usefull for VMs that can be paused
+# and much later resumed.
+tinker panic 0
+{% endif %}
+
+# Specify one or more NTP servers.
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% for item in ntp_servers %}
+pool {{ item }}
+{% endfor %}
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+{% for item in ntp_restrict %}
+restrict {{ item }}
+{% endfor %}
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor