disable kubelet_authorization_mode_webhook by default

Aligned existing handling of extra DNS tolerations
Signed-off-by: Sébastien Masset <smt.masset@gmail.com>
2026-02-01 17:48:12 -03:30 · 2022-08-31 11:44:14 +02:00 · 2022-07-12 09:24:39 +02:00 · 2022-07-12 09:24:39 +02:00 · 2022-07-12 09:24:39 +02:00 · 2022-04-09 11:02:04 -07:00
14 changed files with 27 additions and 57 deletions
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -134,6 +134,7 @@ cert_manager_enabled: false
 #   -----BEGIN CERTIFICATE-----
 #   [REPLACE with your CA certificate]
 #   -----END CERTIFICATE-----
 # cert_manager_leader_election_namespace: kube-system
 # MetalLB deployment
 metallb_enabled: false
--- a/roles/container-engine/cri-o/molecule/default/molecule.yml
+++ b/roles/container-engine/cri-o/molecule/default/molecule.yml
@@ -13,12 +13,6 @@ platforms:
    memory: 1024
    groups:
      - kube_control_plane
  - name: centos7
    box: centos/7
    cpus: 2
    memory: 1024
    groups:
      - kube_control_plane
  - name: almalinux8
    box: almalinux/8
    cpus: 2
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -49,7 +49,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{ groups['kub
 docker_image_pull_command: "{{ docker_bin_dir }}/docker pull"
 docker_image_info_command: "{{ docker_bin_dir }}/docker images -q | xargs -i {{ '{{' }} docker_bin_dir }}/docker inspect -f {% raw %}'{{ '{{' }} if .RepoTags }}{{ '{{' }} join .RepoTags \",\" }}{{ '{{' }} end }}{{ '{{' }} if .RepoDigests }},{{ '{{' }} join .RepoDigests \",\" }}{{ '{{' }} end }}' {% endraw %} {} | tr '\n' ','"
 nerdctl_image_info_command: "{{ bin_dir }}/nerdctl -n k8s.io images --format '{% raw %}{{ '{{' }} .Repository {{ '}}' }}:{{ '{{' }} .Tag {{ '}}' }}{% endraw %}' 2>/dev/null | grep -v ^:$ | tr '\n' ','"
-nerdctl_image_pull_command: "{{ bin_dir }}/nerdctl -n k8s.io pull --quiet"
+nerdctl_image_pull_command: "{{ bin_dir }}/nerdctl -n k8s.io pull --quiet {{ nerdctl_extra_flags }}"
 crictl_image_info_command: "{{ bin_dir }}/crictl images --verbose | awk -F ': ' '/RepoTags|RepoDigests/ {print $2}' | tr '\n' ','"
 crictl_image_pull_command: "{{ bin_dir }}/crictl pull"
@@ -65,7 +65,7 @@ image_info_command_on_localhost: "{{ lookup('vars', image_command_tool_on_localh
 image_arch: "{{host_architecture | default('amd64')}}"
 # Nerdctl insecure flag set
-nerdctl_extra_flags: '{%- if containerd_insecure_registries is defined and containerd_insecure_registries|length>0 -%}\" --insecure-registry"{%- else -%}{%- endif -%}'
+nerdctl_extra_flags: '{%- if containerd_insecure_registries is defined and containerd_insecure_registries|length>0 -%}--insecure-registry{%- else -%}{%- endif -%}'
 # Versions
 kubeadm_version: "{{ kube_version }}"
--- a/roles/download/tasks/prep_download.yml
+++ b/roles/download/tasks/prep_download.yml
@@ -5,44 +5,6 @@
  tags:
    - facts
 # The docker image_info_command might seems weird but we are using raw/endraw and `{{ `{{` }}` to manage the double jinja2 processing
 # done here and when `image_info_command` is used (first the raw/endraw allow to store the command, then the second processing replace `{{`
 - name: prep_download | Set image pull/info command for docker
  set_fact:
    image_pull_command: "{{ docker_bin_dir }}/docker pull"
    image_info_command: "{{ docker_bin_dir }}/docker images -q | xargs -i {{ '{{' }} docker_bin_dir }}/docker inspect -f {% raw %}'{{ '{{' }} if .RepoTags }}{{ '{{' }} join .RepoTags \",\" }}{{ '{{' }} end }}{{ '{{' }} if .RepoDigests }},{{ '{{' }} join .RepoDigests \",\" }}{{ '{{' }} end }}' {% endraw %} {} | tr '\n' ','"
  when: container_manager == 'docker'
 - name: prep_download | Set image pull/info command for containerd
  set_fact:
    image_info_command: "{{ bin_dir }}/nerdctl -n k8s.io images --format '{% raw %}{{ '{{' }} .Repository {{ '}}' }}:{{ '{{' }} .Tag {{ '}}' }}{% endraw %}' 2>/dev/null | grep -v ^:$ | tr '\n' ','"
    image_pull_command: "{{ bin_dir }}/nerdctl -n k8s.io pull --quiet{{ nerdctl_extra_flags }}"
  when: container_manager == 'containerd'
 - name: prep_download | Set image pull/info command for crio
  set_fact:
    image_info_command: "{{ bin_dir }}/crictl images --verbose | awk -F ': ' '/RepoTags|RepoDigests/ {print $2}' | tr '\n' ','"
    image_pull_command: "{{ bin_dir }}/crictl pull"
  when: container_manager == 'crio'
 - name: prep_download | Set image pull/info command for docker on localhost
  set_fact:
    image_pull_command_on_localhost: "{{ docker_bin_dir }}/docker pull"
    image_info_command_on_localhost: "{{ docker_bin_dir }}/docker images"
  when: container_manager_on_localhost == 'docker'
 - name: prep_download | Set image pull/info command for containerd on localhost
  set_fact:
    image_info_command_on_localhost: "{{ bin_dir }}/nerdctl -n k8s.io images --format '{% raw %}{{ '{{' }} .Repository {{ '}}' }}:{{ '{{' }} .Tag {{ '}}' }}{% endraw %}' 2>/dev/null | grep -v ^:$ | tr '\n' ','"
    image_pull_command_on_localhost: "{{ bin_dir }}/nerdctl -n k8s.io pull --quiet{{ nerdctl_extra_flags }}"
  when: container_manager_on_localhost == 'containerd'
 - name: prep_download | Set image pull/info command for crio on localhost
  set_fact:
    image_info_command_on_localhost: "{{ bin_dir }}/crictl images --verbose | awk -F ': ' '/RepoTags|RepoDigests/ {print $2}' | tr '\n' ','"
    image_pull_command_on_localhost: "{{ bin_dir }}/crictl pull"
  when: container_manager_on_localhost == 'crio'
 - name: prep_download | On localhost, check if passwordless root is possible
  command: "true"
  delegate_to: localhost
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -24,6 +24,7 @@ nodelocaldns_secondary_prometheus_port: 9255
 dns_autoscaler_cpu_requests: 20m
 dns_autoscaler_memory_requests: 10Mi
 dns_autoscaler_deployment_nodeselector: "kubernetes.io/os: linux"
 # dns_autoscaler_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 # etcd metrics
 # etcd_metrics_service_labels:
@@ -81,3 +82,6 @@ dashboard_master_toleration: true
 # Override dashboard default settings
 dashboard_token_ttl: 900
 dashboard_skip_login: false
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -34,7 +34,7 @@ spec:
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
-{% if dns_extra_tolerations | default(None) %}
+{% if dns_extra_tolerations is defined %}
        {{ dns_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
      affinity:
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -45,6 +45,9 @@ spec:
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
 {% if dns_autoscaler_extra_tolerations is defined %}
        {{ dns_autoscaler_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@@ -1,3 +1,7 @@
 ---
 cert_manager_namespace: "cert-manager"
 cert_manager_user: 1001
 ## Change leader election namespace when deploying on GKE Autopilot that forbid the changes on kube-system namespace.
 ## See https://github.com/jetstack/cert-manager/issues/3717
 cert_manager_leader_election_namespace: kube-system
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -630,7 +630,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: cert-manager-cainjector:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
@@ -664,7 +664,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: cert-manager:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
@@ -719,7 +719,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: cert-manager-cainjector:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
@@ -742,7 +742,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: cert-manager:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
@@ -866,7 +866,7 @@ spec:
          imagePullPolicy: {{ k8s_image_pull_policy }}
          args:
          - --v=2
-          - --leader-election-namespace=kube-system
+          - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
          env:
          - name: POD_NAMESPACE
            valueFrom:
@@ -928,7 +928,7 @@ spec:
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=kube-system
+          - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
          ports:
          - containerPort: 9402
            protocol: TCP
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -28,6 +28,9 @@ spec:
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% if policy_controller_extra_tolerations is defined %}
        {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
--- a/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml
+++ b/roles/kubernetes/preinstall/tasks/0100-dhclient-hooks.yml
@@ -13,7 +13,6 @@
    marker: "# Ansible entries {mark}"
    mode: 0644
  notify: Preinstall | propagate resolvconf to k8s components
  when: dhclientconffile is defined
 - name: Configure dhclient hooks for resolv.conf (non-RH)
  template:
--- a/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml
+++ b/roles/kubernetes/preinstall/tasks/0110-dhclient-hooks-undo.yml
@@ -9,12 +9,10 @@
    state: absent
    backup: yes
    marker: "# Ansible entries {mark}"
  when: dhclientconffile is defined
  notify: Preinstall | propagate resolvconf to k8s components
 - name: Remove kubespray specific dhclient hook
  file:
    path: "{{ dhclienthookfile }}"
    state: absent
  when: dhclienthookfile is defined
  notify: Preinstall | propagate resolvconf to k8s components
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -75,6 +75,7 @@
  when:
    - dns_mode != 'none'
    - resolvconf_mode == 'host_resolvconf'
    - dhclientconffile is defined
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
  tags:
    - bootstrap-os
@@ -84,6 +85,7 @@
  when:
    - dns_mode != 'none'
    - resolvconf_mode != 'host_resolvconf'
    - dhclientconffile is defined
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
  tags:
    - bootstrap-os
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -444,7 +444,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: true
+kubelet_authorization_mode_webhook: false
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
Author	SHA1	Message	Date
Cristian Calin	56f9af8668	disable kubelet_authorization_mode_webhook by default	2022-08-31 11:44:14 +02:00
Sébastien Masset	29d81f7617	Aligned existing handling of extra DNS tolerations Signed-off-by: Sébastien Masset <smt.masset@gmail.com>	2022-07-12 09:24:39 +02:00
Sébastien Masset	2546eb2559	Added new configuration item for extra tolerations in DNS autoscaler Signed-off-by: Sébastien Masset <smt.masset@gmail.com>	2022-07-12 09:24:39 +02:00
Sébastien Masset	47af8b7ea5	Added new configuration item for extra tolerations in policy controllers Signed-off-by: Sébastien Masset <smt.masset@gmail.com>	2022-07-12 09:24:39 +02:00
Kenichi Omichi	2cc5f04bad	Removed quotation of nerdctl_extra_flags. (#8699 ) The quotations in the variable nerdctl_extra_flags are not required for the `nerdctl_image_pull_command` and throw the following error when executing the cluster-playbook with `container_insecure_registries` set: unknown flag: --insecure-registry\\\" This happens as the complete nerdctl_image_pull_command string variable gets split into an array string for the cmd task. The escaped quotation doesn't get escaped properly and is added to the cmd-string array as part of the command. This leads to a wrong written insecure-registry flag, which throws this error.	2022-04-09 11:02:04 -07:00
Mathieu Parent	d4d03a01f2	Fix image_command_tool ignored since PR #8601 (#8684 ) Signed-off-by: Mathieu Parent <mathieu.parent@insee.fr>	2022-04-06 02:00:58 -07:00
Kenichi Omichi	bdaa33c3bc	Fix quotation of nerdctl_extra_flags (#8668 ) (#8685 ) Due to missing quotation of nerdctl_extra_flags, ansible-playbook was failed: Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/command.py Pipelining is enabled. [..] File "/usr/lib/python3.8/shlex.py", line 191, in read_token raise ValueError("No closing quotation") This fixes the issue. T-Eberle investigated the issue and found the solution. Thank you T-Eberle!	2022-04-05 15:25:25 -07:00
rtsp	58bea67b68	[2.18] cert-manager: Backport cert-manager leader election namespace fixes from master (#8681 ) cherry-picked from * `ccd3180` cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433) * `e791089` cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424)	2022-04-04 11:10:11 -07:00
Kenichi Omichi	f091b1cfd7	[2.18] Run 0100-dhclient-hooks if dhcpclient is enabled (#8658 ) (#8661 ) * Run 0100-dhclient-hooks if dhcpclient is enabled (#8658) If running Kubespray on static IP environments, a task was failed like: TASK [kubernetes/preinstall : Configure dhclient hooks for resolv.conf (RH-only)] fatal: [ak8s2]: FAILED! => { "changed": false, "checksum": "..", "msg": "Destination directory /etc/dhcp/dhclient.d does not exist"} This adds a check for dhclientconffile for running 0100-dhclient-hooks to run the task only if dhcpclient is enabled. * Remove centos7 molecule while opensuse mirror is flaky Co-authored-by: Florian Ruynat <16313165+floryut@users.noreply.github.com>	2022-03-30 10:08:25 -07:00