Newer
Older
---
- name: Stop if ansible version is too low
assert:
that:
- ansible_version.full|version_compare('2.3.0', '>=')
- name: Stop if either kube-master, kube-node or etcd is empty
assert:
that: groups.get('{{ item }}')
with_items:
- kube-master
- kube-node
- etcd
run_once: true
- name: Stop if non systemd OS type
assert:
that: ansible_service_mgr == "systemd"
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if unknown OS
assert:
that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'openSUSE Leap', 'openSUSE Tumbleweed']
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if unknown network plugin
assert:
that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'contiv', 'kube-router']
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if incompatible network plugin and cloudprovider
assert:
msg: "Azure and Calico are not compatible. See https://github.com/projectcalico/calicoctl/issues/949 for details."
when: cloud_provider is defined and cloud_provider == 'azure'
ignore_errors: "{{ ignore_assert_errors }}"
Günther Grill
committed
# simplify this items-list when https://github.com/ansible/ansible/issues/15753 is resolved
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
assert:
Günther Grill
committed
that: item.value|type_debug == 'bool'
msg: "{{item.value}} isn't a bool"
run_once: yes
with_items:
Günther Grill
committed
- { name: kubeadm_enabled, value: "{{ kubeadm_enabled }}" }
- { name: download_run_once, value: "{{ download_run_once }}" }
- { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
- { name: download_always_pull, value: "{{ download_always_pull }}" }
- { name: helm_enabled, value: "{{ helm_enabled }}" }
- { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if even number of etcd hosts
assert:
that: groups.etcd|length is not divisibleby 2
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if memory is too small for masters
assert:
that: ansible_memtotal_mb >= 1500
ignore_errors: "{{ ignore_assert_errors }}"
when: inventory_hostname in groups['kube-master']
- name: Stop if memory is too small for nodes
assert:
that: ansible_memtotal_mb >= 1024
ignore_errors: "{{ ignore_assert_errors }}"
when: inventory_hostname in groups['kube-node']
# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
assert:
that: "{{ kubelet_max_pods | default(110) <= (2 ** (32 - kube_network_node_prefix)) - 2 }}"
msg: "Do not schedule more pods on a node than inet addresses are available."
ignore_errors: "{{ ignore_assert_errors }}"
when:
- inventory_hostname in groups['kube-node']
- kube_network_node_prefix is defined
- name: Stop if ip var does not match local ips
assert:
that: ip in ansible_all_ipv4_addresses
ignore_errors: "{{ ignore_assert_errors }}"
when: ip is defined
- name: Stop if access_ip is not pingable
command: ping -c1 {{ access_ip }}
when: access_ip is defined
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when dashboard is enabled
assert:
that: rbac_enabled
when: dashboard_enabled
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
assert:
that: rbac_enabled
when: cloud_provider is defined and cloud_provider == "oci"
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when: kube_apiserver_insecure_port == 0
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if kernel version is too low
assert:
that: ansible_kernel.split('-')[0]|version_compare('4.8', '>=')
when: kube_network_plugin == 'cilium'
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if bad hostname
assert:
that: inventory_hostname | match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
ignore_errors: "{{ ignore_assert_errors }}"
- name: check cloud_provider value
assert:
that: cloud_provider in ['generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
msg: "If set the 'cloud_provider' var must be set either to 'generic', 'gce', 'aws', 'azure', 'openstack', 'vsphere', or external"
when:
- cloud_provider is defined
ignore_errors: "{{ ignore_assert_errors }}"
tags:
- cloud-provider
- facts
- name: "Get current version of calico cluster version"
shell: "{{ bin_dir }}/calicoctl version | grep 'Cluster Version' | awk '{ print $3}'"
register: calico_version_on_server
run_once: yes
delegate_to: "{{ groups['kube-master'][0] }}"
- name: "Check that calico version is enought for upgrade"
assert:
that:
- calico_version_on_server.stdout|version_compare('v2.6.5', '>=')
msg: "Your version of calico is not fresh enough for upgrade. Minimum version v2.6.5"
when:
- 'calico_version_on_server.stdout is defined'
- 'calico_version_on_server.stdout != ""'
- inventory_hostname == groups['kube-master'][0]
run_once: yes
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
- name: "Check that kube_service_addresses is a network range"
assert:
that:
- kube_service_addresses | ipaddr
msg: "kube_service_addresses is not a valid network range"
run_once: yes
- name: "Check that kube_pods_subnet is a network range"
assert:
that:
- kube_pods_subnet | ipaddr
msg: "kube_pods_subnet is not a valid network range"
run_once: yes
- name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
assert:
that:
- kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
run_once: yes
- name: Stop if unknown dns mode
assert:
that: dns_mode in ['dnsmasq_kubedns', 'kubedns', 'coredns', 'coredns_dual', 'manual', 'none']
msg: "dns_mode can only be 'dnsmasq_kubedns', 'kubedns', 'coredns', 'coredns_dual', 'manual' or 'none'"
when: dns_mode is defined
run_once: true
- name: Stop if unknown kube proxy mode
assert:
that: kube_proxy_mode in ['iptables', 'ipvs']
msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
when: kube_proxy_mode is defined
run_once: true
- name: Stop if unknown cert_management
assert:
that: cert_management in ['script', 'vault']
msg: "cert_management can only be 'script' or 'vault'"
when: cert_management is defined
run_once: true
- name: Stop if unknown resolvconf_mode
assert:
that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
when: resolvconf_mode is defined
run_once: true