diff --git a/roles/kubernetes-apps/metallb/tasks/main.yml b/roles/kubernetes-apps/metallb/tasks/main.yml index 5e6757b3d..866982734 100644 --- a/roles/kubernetes-apps/metallb/tasks/main.yml +++ b/roles/kubernetes-apps/metallb/tasks/main.yml @@ -3,7 +3,8 @@ fail: msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132" when: - - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp" + - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp + - not kube_proxy_remove - name: Kubernetes Apps | Check that the deprecated 'matallb_auto_assign' variable is not used anymore fail: diff --git a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml index 942262e3d..fb8e915db 100644 --- a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml +++ b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml @@ -4,6 +4,7 @@ msg: "kube-vip require kube_proxy_strict_arp = true, see https://github.com/kube-vip/kube-vip/blob/main/docs/kubernetes/arp/index.md" when: - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp + - not kube_proxy_remove - kube_vip_arp_enabled - name: Kube-vip | Check mutually exclusive BGP source settings diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 55f506d62..58ae0dabe 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -114,7 +114,9 @@ state: present persistent: present loop: "{{ kube_proxy_ipvs_modules }}" - when: kube_proxy_mode == 'ipvs' + when: + - kube_proxy_mode == 'ipvs' + - not kube_proxy_remove tags: - kube-proxy @@ -130,6 +132,7 @@ - nf_conntrack_ipv4 when: - kube_proxy_mode == 'ipvs' + - not kube_proxy_remove - modprobe_conntrack_module is not defined or modprobe_conntrack_module is ansible.builtin.failed # loop until first success tags: - kube-proxy 
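Review bot: The new `- not kube_proxy_remove` condition on the MetalLB strict-ARP `fail` task negates the variable without a `| bool` cast. A value that arrives as a string (for example `kube_proxy_remove=false` passed as a key=value extra var) would be a non-empty string, so the negation evaluates to false and this preflight check is skipped silently. Writing it as `- not (kube_proxy_remove | bool)` keeps the check fail-closed for string input. The same bare negation is added in kube-vip.yml, in the three module-loading tasks of roles/kubernetes/node/tasks/main.yml, in 0040-verify-settings.yml, and as `"{{ not kube_proxy_remove }}"` in roles/system_packages/vars/main.yml, where `"{{ not (kube_proxy_remove | bool) }}"` would be the equivalent.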
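Review bot: Gating the IPVS module task in roles/kubernetes/node/tasks/main.yml on `not kube_proxy_remove` only stops new loads. On a node that ran kube-proxy before the flag was set, modules configured with `persistent: present` stay loaded and persisted, and nothing in this hunk removes them. If a kube-proxy-free node is meant to carry less kernel and package surface, this needs a companion cleanup task under `when: kube_proxy_remove | bool`, or the comment on the default should say so, for example `# Existing nodes are not cleaned up: modules and packages from earlier runs stay in place.` The same applies to the `nf_tables` task in the later hunk of this file and to `ipvsadm`/`nftables` in roles/system_packages/vars/main.yml. The task begins above the hunk, so its name and module are not visible here, and a cleanup path may exist elsewhere.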
@@ -139,7 +142,9 @@ name: "nf_tables" state: present persistent: present - when: kube_proxy_mode == 'nftables' + when: + - kube_proxy_mode == 'nftables' + - not kube_proxy_remove tags: - kube-proxy diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index 186a46c03..bdfb69e83 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -73,6 +73,7 @@ that: ansible_kernel.split('-')[0] is version('5.13', '>=') when: - kube_proxy_mode == 'nftables' + - not kube_proxy_remove - not ignore_assert_errors - name: Stop if bad hostname diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml index 6743077f5..1f9afa149 100644 --- a/roles/kubespray_defaults/defaults/main/main.yml +++ b/roles/kubespray_defaults/defaults/main/main.yml @@ -33,6 +33,10 @@ kube_version_min_required: "{{ (kubelet_checksums['amd64'] | dict2items)[-1].key ## Kube Proxy mode One of ['ipvs', 'iptables', 'nftables'] kube_proxy_mode: ipvs +# When true, kubeadm skips the kube-proxy addon (for example Cilium kube-proxy replacement). +# Node and package tasks that exist only for kube-proxy also honor this (IPVS/nftables modules, ipvsadm, strict_arp checks). +kube_proxy_remove: false + # Debugging option for the kubeadm config validate command # Set to false only for development and testing scenarios where validation is expected to fail (pre-release Kubernetes versions, etc.) kubeadm_config_validate_enabled: true diff --git a/roles/system_packages/vars/main.yml b/roles/system_packages/vars/main.yml index 2f08279e2..a0cda8fd2 100644 --- a/roles/system_packages/vars/main.yml +++ b/roles/system_packages/vars/main.yml 
@@ -65,6 +65,7 @@ pkgs: - "{{ ping_access_ip }}" ipvsadm: - "{{ kube_proxy_mode == 'ipvs' }}" + - "{{ not kube_proxy_remove }}" - "{{ 'k8s_cluster' in group_names }}" libseccomp: - "{{ ansible_os_family == 'RedHat' }}" @@ -80,6 +81,7 @@ pkgs: - "{{ ansible_distribution_major_version == '12' }}" nftables: - "{{ kube_proxy_mode == 'nftables' }}" + - "{{ not kube_proxy_remove }}" - "{{ 'k8s_cluster' in group_names }}" nss: - "{{ ansible_os_family == 'RedHat' }}"