diff --git a/roles/kubernetes/master/tasks/pre-upgrade.yml b/roles/kubernetes/master/tasks/pre-upgrade.yml
index 948b944c5e4f2ec02ddcbb2b5ec6e6e23d07d49b..10093a08f8af44c92e4ffa35e39f43fc08926db3 100644
--- a/roles/kubernetes/master/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -55,11 +55,13 @@
set_fact:
needs_etcd_migration: "{{ kube_apiserver_storage_backend == 'etcd3' and data_migrated.stdout_lines|length == 0 and old_data_exists.rc == 0 }}"
-- name: "Pre-upgrade | Write invalid image to kube-apiserver manifest if necessary"
+- name: "Pre-upgrade | Write invalid image to kube-apiserver manifest if necessary on all kube-masters"
replace:
dest: /etc/kubernetes/manifests/kube-apiserver.manifest
regexp: '(\s+)image:\s+.*?$'
replace: '\1image: kill.apiserver.using.fake.image.in:manifest'
+ delegate_to: "{{item}}"
+ with_items: "{{groups['kube-master']}}"
register: kube_apiserver_manifest_replaced
when: (secret_changed|default(false) or etcd_secret_changed|default(false) or needs_etcd_migration|bool) and kube_apiserver_manifest.stat.exists
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 1f0479200db8e3720eccef257605f06809896a55..4ecc660f906e935721d437349fa808dbd81a2e34 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -68,7 +68,6 @@
- { role: kubernetes/master, tags: master }
- { role: network_plugin, tags: network }
- { role: upgrade/post-upgrade, tags: post-upgrade }
- - { role: kubernetes-apps/network_plugin, tags: network }
#Finally handle worker upgrades, based on given batch size
- hosts: kube-node:!kube-master
@@ -80,6 +79,14 @@
- { role: kubernetes/node, tags: node }
- { role: network_plugin, tags: network }
- { role: upgrade/post-upgrade, tags: post-upgrade }
+ - { role: kargo-defaults}
+
+- hosts: kube-master
+ any_errors_fatal: true
+ roles:
+ - { role: kargo-defaults}
+ - { role: kubernetes-apps/network_plugin, tags: network }
+ - { role: kubernetes-apps/policy_controller, tags: policy-controller }
- hosts: calico-rr
any_errors_fatal: true