kubespray/roles/kubernetes-apps/cluster_roles/tasks/main.yml

---
- name: Kubernetes Apps | Wait for kube-apiserver
  uri:
    url: "{{ kube_apiserver_endpoint }}/healthz"
    validate_certs: no
    client_cert: "{{ kube_apiserver_client_cert }}"
    client_key: "{{ kube_apiserver_client_key }}"
  register: result
  until: result.status == 200
  retries: 10
  delay: 6
  when: inventory_hostname == groups['kube_control_plane'][0]

- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
  template:
    src: "node-crb.yml.j2"
    dest: "{{ kube_config_dir }}/node-crb.yml"
    mode: 0640
  register: node_crb_manifest
  when:
    - rbac_enabled
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Apply workaround to allow all nodes with cert O=system:nodes to register
  kube:
    name: "kubespray:system:node"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrolebinding"
    filename: "{{ kube_config_dir }}/node-crb.yml"
    state: latest
  register: result
  until: result is succeeded
  retries: 10
  delay: 6
  when:
    - rbac_enabled
    - node_crb_manifest.changed
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Kubernetes Apps | Remove old webhook ClusterRole
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrole"
    state: absent
  when:
    - rbac_enabled
    - inventory_hostname == groups['kube_control_plane'][0]
  tags: node-webhook

- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrolebinding"
    state: absent
  when:
    - rbac_enabled
    - inventory_hostname == groups['kube_control_plane'][0]
  tags: node-webhook

- include_tasks: oci.yml
  tags: oci
  when:
    - cloud_provider is defined
    - cloud_provider == 'oci'

- name: PriorityClass | Copy k8s-cluster-critical-pc.yml file
  copy:
    src: k8s-cluster-critical-pc.yml
    dest: "{{ kube_config_dir }}/k8s-cluster-critical-pc.yml"
    mode: 0640
  when: inventory_hostname == groups['kube_control_plane']|last

- name: PriorityClass | Create k8s-cluster-critical
  kube:
    name: k8s-cluster-critical
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "PriorityClass"
    filename: "{{ kube_config_dir }}/k8s-cluster-critical-pc.yml"
    state: latest
  when: inventory_hostname == groups['kube_control_plane']|last