From 0cc5e3ef0331ac2d9d89adb337c4e62f6688eeae Mon Sep 17 00:00:00 2001
From: Hans Feldt <2808287+hafe@users.noreply.github.com>
Date: Thu, 17 Sep 2020 13:30:45 +0200
Subject: [PATCH] Remove workaround with kube_proxy_remove (#6512)

* kube-proxy never gets deployed, so there is no need to remove it
---
 roles/kubernetes/kubeadm/tasks/main.yml       | 17 +-------
 .../kubernetes/master/tasks/kubeadm-setup.yml |  2 +-
 roles/kubernetes/node/tasks/main.yml          | 39 -------------------
 .../preinstall/tasks/0040-set_facts.yml       |  9 -----
 roles/kubespray-defaults/defaults/main.yaml   | 19 +++++----
 roles/kubespray-defaults/vars/main.yml        |  2 +
 .../win_nodes/kubernetes_patch/tasks/main.yml |  2 +-
 7 files changed, 18 insertions(+), 72 deletions(-)
 create mode 100644 roles/kubespray-defaults/vars/main.yml

diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index cd11b7018..ae2c0484e 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -123,7 +123,7 @@
     - inventory_hostname in groups['kube-master']
     - kubeadm_config_api_fqdn is not defined
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
-    - not kube_proxy_remove
+    - kube_proxy_deployed
     - loadbalancer_apiserver_localhost
   tags:
     - kube-proxy
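Review bot: `kube_proxy_deployed` is used as a bare variable in this `when:` list, while its definition in roles/kubespray-defaults/vars/main.yml is a quoted Jinja string with no `| bool`, so the condition depends on Ansible converting the rendered text back into a boolean. Writing the entry as `- kube_proxy_deployed | bool` makes the intent explicit and keeps a rendered string from being treated as truthy. The same applies to the second hunk of this file and to the hunk in roles/win_nodes/kubernetes_patch/tasks/main.yml. The task these conditions belong to starts above the hunk, so its name and module are not visible here.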
@@ -144,7 +144,7 @@
     - inventory_hostname in groups['kube-master']
     - kubeadm_config_api_fqdn is not defined
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
-    - not kube_proxy_remove
+    - kube_proxy_deployed
   tags:
     - kube-proxy
 
@@ -159,19 +159,6 @@
     - kube_network_plugin in ['calico','canal']
     - calico_version is version('v3.3.0', '<')
 
-# FIXME(jjo): need to post-remove kube-proxy until https://github.com/kubernetes/kubeadm/issues/776
-# is fixed
-- name: Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
-  command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf delete daemonset -n kube-system kube-proxy"
-  run_once: true
-  delegate_to: "{{ groups['kube-master']|first }}"
-  when:
-    - kube_proxy_remove
-  # When scaling/adding nodes in the existing k8s cluster, kube-proxy wouldn't be created, as `kubeadm init` wouldn't run.
-  ignore_errors: true
-  tags:
-    - kube-proxy
-
 - name: Extract etcd certs from control plane if using etcd kubeadm mode
   include_tasks: kubeadm_etcd_node.yml
   when:
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index d37cfd361..fc442b3be 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -148,7 +148,7 @@
     {{ bin_dir }}/kubeadm init
     --config={{ kube_config_dir }}/kubeadm-config.yaml
     --ignore-preflight-errors=all
-    --skip-phases=addon/coredns
+    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
     --upload-certs
   register: kubeadm_init
   # Retry is because upload config sometimes fails
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 8c1659f76..46e5d5e77 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -141,45 +141,6 @@
   tags:
     - kube-proxy
 
-- name: Purge proxy manifest for kubeadm or if proxy services being provided by other means, e.g. network_plugin
-  file:
-    path: "{{ kube_manifest_dir }}/kube-proxy.manifest"
-    state: absent
-  when:
-    - kube_proxy_remove
-  tags:
-    - kube-proxy
-
-- name: Set command for kube-proxy cleanup
-  set_fact:
-    kube_proxy_cleanup_command: >-
-      {%- if container_manager in ['docker', 'crio'] %}
-      {{ docker_bin_dir }}/docker run --rm --privileged -v /lib/modules:/lib/modules {{ kube_proxy_image_repo }}:{{ kube_version }} kube-proxy --cleanup
-      {%- elif container_manager == "containerd" %}
-      ctr run --rm --mount type=bind,src=/lib/modules,dst=/lib/modules,options=rbind:rw {{ kube_proxy_image_repo }}:{{ kube_version }} kube-proxy --cleanup
-      {%- endif %}
-  when:
-    - kube_proxy_remove
-  tags:
-    - kube-proxy
-
-- name: Ensure kube-proxy container is pulled for containerd
-  command: "{{ bin_dir }}/crictl pull {{ kube_proxy_image_repo }}:{{ kube_version }}"
-  when:
-    - kube_proxy_remove
-    - container_manager == "containerd"
-  tags:
-    - kube-proxy
-
-- name: Cleanup kube-proxy leftovers from node
-  command: "{{ kube_proxy_cleanup_command }}"
-  # `kube-proxy --cleanup`, being Ok as per shown WARNING, still returns 255 from above run (?)
-  ignore_errors: true
-  when:
-    - kube_proxy_remove
-  tags:
-    - kube-proxy
-
 - include_tasks: "cloud-credentials/{{ cloud_provider }}-credential-check.yml"
   when:
     - cloud_provider is defined
diff --git a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
index a8133a5db..79485b127 100644
--- a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
@@ -156,15 +156,6 @@
         - ../vars
       skip: true
 
-- name: override kube_proxy_mode to ipvs if kube_proxy_remove is set, as ipvs won't require kube-proxy cleanup when kube-proxy daemonset gets deleted
-  set_fact:
-    kube_proxy_mode: 'ipvs'
-  when:
-    - kube_proxy_remove
-  tags:
-    - facts
-    - kube-proxy
-
 - name: set etcd vars if using kubeadm mode
   set_fact:
     etcd_cert_dir: "{{ kube_cert_dir }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 095bc36fc..fcfa6d53c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -26,14 +26,19 @@ kubeadm_use_hyperkube_image: False
 ## Kube Proxy mode One of ['iptables','ipvs']
 kube_proxy_mode: ipvs
 
-## Delete kube-proxy daemonset if kube_proxy_remove set, e.g. kube_network_plugin providing proxy services
-kube_proxy_remove: >-
-  {%- if kube_network_plugin == 'kube-router' -%}
-  {{ (kube_router_run_service_proxy is defined and kube_router_run_service_proxy)| bool }}
-  {%- elif kube_network_plugin == 'cilium' -%}
-  {{ (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict')| bool }}
+## List of kubeadm init phases that should be skipped during control plane setup
+## By default 'addon/coredns' is skipped
+## 'addon/kube-proxy' gets skipped for some network plugins
+kubeadm_init_phases_skip_default: [ "addon/coredns" ]
+kubeadm_init_phases_skip: >-
+  {%- if kube_network_plugin == 'kube-router' and (kube_router_run_service_proxy is defined and kube_router_run_service_proxy) -%}
+  {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
+  {%- elif kube_network_plugin == 'cilium' and (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict') -%}
+  {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
+  {%- elif kube_proxy_remove is defined and kube_proxy_remove -%}
+  {{ kubeadm_init_phases_skip_default }} + [ "addon/kube-proxy" ]
   {%- else -%}
-  false
+  {{ kubeadm_init_phases_skip_default }}
   {%- endif -%}
 
 # A string slice of values which specify the addresses to use for NodePorts.
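Review bot: On the three `+ [ "addon/kube-proxy" ]` lines the list concatenation sits outside the `{{ }}` expression, so the template renders text of the form `[...] + [ "addon/kube-proxy" ]` and only becomes a list if Ansible evaluates that rendered string afterwards. If the value stays a string, the `join(',')` in roles/kubernetes/master/tasks/kubeadm-setup.yml would join single characters instead of phase names and `kubeadm init` would receive a malformed `--skip-phases` value. Concatenating inside the expression removes that dependency: `{{ kubeadm_init_phases_skip_default + [ "addon/kube-proxy" ] }}`. The `kube_proxy_remove is defined` branch keeps the old variable working, but the comment block above does not mention it; a line such as `## 'kube_proxy_remove: true' is still honoured for existing inventories` would document that.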
diff --git a/roles/kubespray-defaults/vars/main.yml b/roles/kubespray-defaults/vars/main.yml
new file mode 100644
index 000000000..903e02a66
--- /dev/null
+++ b/roles/kubespray-defaults/vars/main.yml
@@ -0,0 +1,2 @@
+---
+kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"
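Review bot: The new variable has no comment saying that it is derived from the skip list alone and does not check whether a kube-proxy daemonset already exists in the cluster. With the cleanup tasks removed elsewhere in this commit, a cluster that was initialised with kube-proxy and later switched to a proxy-replacing plugin would presumably keep the daemonset and its node rules while this value reads false. A comment such as `# true unless kubeadm init skips addon/kube-proxy; does not inspect the running cluster` would state that limit. Because the definition lives in the role's `vars/`, it also takes precedence over inventory variables, which is worth noting in the same comment if that is intended.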
diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml
index ada163451..32f511a4e 100644
--- a/roles/win_nodes/kubernetes_patch/tasks/main.yml
+++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml
@@ -36,4 +36,4 @@
       when: patch_kube_proxy_state is not skipped
   tags: init
   when:
-    - not kube_proxy_remove
+    - kube_proxy_deployed
-- 
GitLab