Move to Ansible 3.4.0 (#7672)

* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8
Cristian Calin
2021-07-12 10:00:47 +03:00
committed by GitHub
parent b0e4c375a7
commit 7516fe142f
103 changed files with 298 additions and 129 deletions


@@ -12,7 +12,7 @@
- apiserver-kubelet-client.key
- front-proxy-client.crt
- front-proxy-client.key
ignore_errors: yes
ignore_errors: true # noqa ignore-errors
- name: Backup old confs
copy:
@@ -25,4 +25,4 @@
- controller-manager.conf
- kubelet.conf
- scheduler.conf
ignore_errors: yes
ignore_errors: true # noqa ignore-errors


@@ -50,18 +50,21 @@
file:
path: "{{ audit_policy_file | dirname }}"
state: directory
mode: 0640
when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ audit_policy_file }}"
mode: 0640
when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
- name: Write api audit webhook config yaml
template:
src: apiserver-audit-webhook-config.yaml.j2
dest: "{{ audit_webhook_config_file }}"
mode: 0640
when: kubernetes_audit_webhook|default(false)
# Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
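Review bot: `mode: 0640` on the `state: directory` task at the top of this hunk (the parent of `audit_policy_file`) leaves out the execute bit, so no non-root user — including the owner — can traverse the directory to reach the policy file inside it; this presumably only works because kube-apiserver reads the file as root. A directory needs `0750` (or `0755`, which the other directory tasks in this commit use): `mode: 0750`. Separately, every `mode:` added in this commit is an unquoted leading-zero literal; that is octal under the YAML 1.1 rules PyYAML applies, but a YAML 1.2 loader reads `0640` as decimal 640, so the quoted form `mode: "0640"` is the parser-independent one — the same applies to the other file sections, including the `'755'`→`0755` change in the third section. The enclosing task list continues outside the hunk.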


@@ -7,12 +7,14 @@
template:
src: webhook-token-auth-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
mode: 0640
when: kube_webhook_token_auth|default(false)
- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
mode: 0640
when: kube_webhook_authorization|default(false)
- name: Create kube-scheduler config
@@ -40,7 +42,7 @@
when: ansible_os_family in ["Debian","RedHat"]
tags:
- kubectl
ignore_errors: True
ignore_errors: true # noqa ignore-errors
- name: Set kubectl bash completion file permissions
file:
@@ -52,7 +54,7 @@
tags:
- kubectl
- upgrade
ignore_errors: True
ignore_errors: true # noqa ignore-errors
- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
set_fact:
@@ -77,12 +79,13 @@
template:
src: k8s-certs-renew.sh.j2
dest: "{{ bin_dir }}/k8s-certs-renew.sh"
mode: '755'
mode: 0755
- name: Renew K8S control plane certificates monthly 1/2
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- k8s-certs-renew.service
- k8s-certs-renew.timer


@@ -61,6 +61,7 @@
src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
dest: "{{ kube_config_dir }}/kubeadm-client.conf"
backup: yes
mode: 0640
when: not is_kube_master
- name: Join to cluster if needed


@@ -35,8 +35,10 @@
- node_labels is defined
- node_labels is mapping
- debug: var=role_node_labels
- debug: var=inventory_node_labels
- debug: # noqa unnamed-task
var: role_node_labels
- debug: # noqa unnamed-task
var: inventory_node_labels
- name: Set label to node
command: >-


@@ -18,6 +18,7 @@
src: "kubelet.env.{{ kubeletConfig_api_version }}.j2"
dest: "{{ kube_config_dir }}/kubelet.env"
backup: yes
mode: 0640
notify: Node | restart kubelet
tags:
- kubelet
@@ -27,6 +28,7 @@
template:
src: "kubelet-config.{{ kubeletConfig_api_version }}.yaml.j2"
dest: "{{ kube_config_dir }}/kubelet-config.yaml"
mode: 0640
notify: Kubelet | restart kubelet
tags:
- kubelet
@@ -37,6 +39,7 @@
src: "kubelet.service.j2"
dest: "/etc/systemd/system/kubelet.service"
backup: "yes"
mode: 0644
notify: Node | restart kubelet
tags:
- kubelet


@@ -31,3 +31,4 @@
template:
src: manifests/haproxy.manifest.j2
dest: "{{ kube_manifest_dir }}/haproxy.yml"
mode: 0640


@@ -31,3 +31,4 @@
template:
src: manifests/nginx-proxy.manifest.j2
dest: "{{ kube_manifest_dir }}/nginx-proxy.yml"
mode: 0640


@@ -57,6 +57,7 @@
file:
path: /etc/modules-load.d
state: directory
mode: 0755
- name: Enable br_netfilter module
modprobe:
@@ -68,6 +69,7 @@
copy:
dest: /etc/modules-load.d/kubespray-br_netfilter.conf
content: br_netfilter
mode: 0644
when: modinfo_br_netfilter.rc == 0
# kube-proxy needs net.bridge.bridge-nf-call-iptables enabled when found if br_netfilter is not a module
@@ -108,7 +110,7 @@
name: nf_conntrack_ipv4
state: present
register: modprobe_nf_conntrack_ipv4
ignore_errors: yes
ignore_errors: true # noqa ignore-errors
when:
- kube_proxy_mode == 'ipvs'
tags:
@@ -117,6 +119,7 @@
- name: Persist ip_vs modules
copy:
dest: /etc/modules-load.d/kube_proxy-ipvs.conf
mode: 0644
content: |
ip_vs
ip_vs_rr


@@ -16,4 +16,4 @@
- name: Disable swap
command: /sbin/swapoff -a
when: swapon.stdout
ignore_errors: "{{ ansible_check_mode }}"
ignore_errors: "{{ ansible_check_mode }}" # noqa ignore-errors


@@ -4,6 +4,7 @@
path: "{{ item }}"
state: directory
owner: kube
mode: 0755
when: inventory_hostname in groups['k8s_cluster']
become: true
tags:
@@ -28,6 +29,7 @@
path: "{{ item }}"
state: directory
owner: root
mode: 0755
when: inventory_hostname in groups['k8s_cluster']
become: true
tags:
@@ -59,6 +61,7 @@
src: "{{ kube_cert_dir }}"
dest: "{{ kube_cert_compat_dir }}"
state: link
mode: 0755
when:
- inventory_hostname in groups['k8s_cluster']
- kube_cert_dir != kube_cert_compat_dir
@@ -69,6 +72,7 @@
path: "{{ item }}"
state: directory
owner: kube
mode: 0755
with_items:
- "/etc/cni/net.d"
- "/opt/cni/bin"


@@ -18,6 +18,7 @@
create: yes
backup: yes
marker: "# Ansible entries {mark}"
mode: 0644
notify: Preinstall | propagate resolvconf to k8s components
- name: Remove search/domain/nameserver options before block


@@ -19,6 +19,7 @@
[keyfile]
unmanaged-devices+=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico
dest: /etc/NetworkManager/conf.d/calico.conf
mode: 0644
when:
- nm_check.rc == 0
- kube_network_plugin == "calico"
@@ -32,5 +33,6 @@
[keyfile]
unmanaged-devices+=interface-name:kube-ipvs0;interface-name:nodelocaldns
dest: /etc/NetworkManager/conf.d/k8s.conf
mode: 0644
when: nm_check.rc == 0
notify: Preinstall | reload NetworkManager


@@ -30,6 +30,7 @@
state: present
create: yes
backup: yes
mode: 0644
when:
- disable_ipv6_dns
- not ansible_os_family in ["Flatcar Container Linux by Kinvolk"]
@@ -59,6 +60,7 @@
file:
name: "{{ sysctl_file_path | dirname }}"
state: directory
mode: 0755
- name: Enable ip forwarding
sysctl:


@@ -22,6 +22,7 @@
backup: yes
unsafe_writes: yes
marker: "# Ansible inventory hosts {mark}"
mode: 0644
when: populate_inventory_to_hosts_file
- name: Hosts | populate kubernetes loadbalancer address into hosts file


@@ -11,6 +11,7 @@
insertbefore: BOF
backup: yes
marker: "# Ansible entries {mark}"
mode: 0644
notify: Preinstall | propagate resolvconf to k8s components
when: dhclientconffile is defined


@@ -91,7 +91,8 @@
# We need to make sure the network is restarted early enough so that docker can later pick up the correct system
# nameservers and search domains
- meta: flush_handlers
- name: Flush handlers
meta: flush_handlers
- name: Check if we are running inside a Azure VM
stat: