Skip to content
0020-verify-settings.yml 8.66 KiB
Newer Older
- name: Stop if either kube-master, kube-node or etcd is empty
  assert:
    that: groups.get('{{ item }}')
  with_items:
    - kube-master
    - kube-node
    - etcd
  run_once: true
  ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if non systemd OS type
  assert:
    that: ansible_service_mgr == "systemd"
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if unknown OS
  assert:
    that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'Suse', 'ClearLinux', 'OracleLinux']
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if unknown network plugin
  assert:
    that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'contiv', 'kube-ovn', 'kube-router', 'macvlan']
dvazar's avatar
dvazar committed
  when: kube_network_plugin is defined
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if incompatible network plugin and cloudprovider
  assert:
dvazar's avatar
dvazar committed
    that: kube_network_plugin != 'calico'
    msg: "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
  when: cloud_provider is defined and cloud_provider == 'azure'
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if unsupported version of Kubernetes
  assert:
    that: kube_version is version(kube_version_min_required, '>=')
    msg: "The current release of Kubespray only support newer vesion of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  ignore_errors: "{{ ignore_assert_errors }}"

# simplify this items-list when   https://github.com/ansible/ansible/issues/15753  is resolved
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  assert:
    msg: "{{ item.value }} isn't a bool"
  run_once: yes
  with_items:
    - { name: download_run_once, value: "{{ download_run_once }}" }
    - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
    - { name: download_always_pull, value: "{{ download_always_pull }}" }
    - { name: helm_enabled, value: "{{ helm_enabled }}" }
    - { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if even number of etcd hosts
  assert:
    that: groups.etcd|length is not divisibleby 2
  ignore_errors: "{{ ignore_assert_errors }}"
  when: inventory_hostname in groups['etcd']

- name: Stop if memory is too small for masters
  assert:
    that: ansible_memtotal_mb >= minimal_master_memory_mb
  ignore_errors: "{{ ignore_assert_errors }}"
  when: inventory_hostname in groups['kube-master']

- name: Stop if memory is too small for nodes
  assert:
    that: ansible_memtotal_mb >= minimal_node_memory_mb
  ignore_errors: "{{ ignore_assert_errors }}"
  when: inventory_hostname in groups['kube-node']

# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
  assert:
    that: "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
    msg: "Do not schedule more pods on a node than inet addresses are available."
  ignore_errors: "{{ ignore_assert_errors }}"
  when:
    - inventory_hostname in groups['kube-node']
    - kube_network_node_prefix is defined

- name: Stop if ip var does not match local ips
  assert:
    that: ip in ansible_all_ipv4_addresses
  ignore_errors: "{{ ignore_assert_errors }}"
  when: ip is defined

- name: Stop if access_ip is not pingable
  command: ping -c1 {{ access_ip }}
  when: access_ip is defined
  ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when dashboard is enabled
  assert:
    that: rbac_enabled
  when: dashboard_enabled
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  assert:
    that: rbac_enabled
  when: cloud_provider is defined and cloud_provider == "oci"
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
  assert:
    that: rbac_enabled and kube_api_anonymous_auth
  when: kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube-master']
melkosoft's avatar
melkosoft committed
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if kernel version is too low
  assert:
    that: ansible_kernel.split('-')[0] is version('4.8', '>=')
melkosoft's avatar
melkosoft committed
  when: kube_network_plugin == 'cilium'
  ignore_errors: "{{ ignore_assert_errors }}"

- name: Stop if bad hostname
  assert:
    that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
    msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  ignore_errors: "{{ ignore_assert_errors }}"
Antoine Legrand's avatar
Antoine Legrand committed

- name: check cloud_provider value
  assert:
    that: cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
    msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external"
  when:
    - cloud_provider is defined

  ignore_errors: "{{ ignore_assert_errors }}"
  tags:
    - cloud-provider
    - facts
- name: Ensure minimum calico version
  assert:
    that: calico_version is version('v3.0.0', '>=')
    msg: "calico_version is too low. Minimum version v3.0.0"
  run_once: yes
  when:
    - kube_network_plugin == 'calico'

- name: "Get current version of calico cluster version"
  shell: "{{ bin_dir }}/calicoctl.sh version  | grep 'Cluster Version:' | awk '{ print $3}'"
  register: calico_version_on_server
  run_once: yes
hikoz's avatar
hikoz committed
  changed_when: false
  when:
    - kube_network_plugin == 'calico'
Louis's avatar
Louis committed
- name: "Check that calico version is enough for upgrade"
      - calico_version_on_server.stdout is version('v2.6.5', '>=')
    msg: "Your version of calico is not fresh enough for upgrade. Minimum version v2.6.5"
  when:
    - kube_network_plugin == 'calico'
    - 'calico_version_on_server.stdout is defined'
    - calico_version_on_server.stdout
    - inventory_hostname == groups['kube-master'][0]
  run_once: yes

- name: "Check that kube_service_addresses is a network range"
  assert:
    that:
      - kube_service_addresses | ipaddr('net')
    msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  run_once: yes

- name: "Check that kube_pods_subnet is a network range"
  assert:
    that:
      - kube_pods_subnet | ipaddr('net')
    msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  run_once: yes

- name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
  assert:
    that:
      - kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
    msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  run_once: yes

- name: Stop if unknown dns mode
  assert:
    that: dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
    msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  when: dns_mode is defined
  run_once: true

- name: Stop if unknown kube proxy mode
  assert:
    that: kube_proxy_mode in ['iptables', 'ipvs']
    msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  when: kube_proxy_mode is defined
  run_once: true

Antoine Legrand's avatar
Antoine Legrand committed
- name: Stop if vault is chose
Antoine Legrand's avatar
Antoine Legrand committed
    that: cert_management != 'vault'
    msg: "Support for vault have been removed, please use 'script' or 'none'"
  when: cert_management is defined
  run_once: true

Antoine Legrand's avatar
Antoine Legrand committed
- name: Stop if unknown cert_management
  assert:
    that: cert_management|d('script') in ['script', 'none']
    msg: "cert_management can only be 'script' or 'none'"
  run_once: true

- name: Stop if unknown resolvconf_mode
  assert:
    that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
    msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  when: resolvconf_mode is defined
  run_once: true

- name: Stop if k8s version is too low for kubeadm etcd mode
  assert:
    that: kube_version is version('v1.14.0', '>=')
    msg: "kubeadm etcd mode requires k8s version >= v1.14.0"
  when: etcd_kubeadm_enabled

- name: Stop if kubeadm etcd mode is enabled but experimental control plane is not
  assert:
    that: kubeadm_control_plane
    msg: "kubeadm etcd mode requires experimental control plane"
  when: etcd_kubeadm_enabled