  2. Apr 03, 2024
    • Remove access to cluster from anonymous users (#11016) · c6fcbf6e
      Nicolas Goudry authored
      * feat: add user facing variable with default
      
      * feat: remove rolebinding to anonymous users after init and upgrade
      
      * feat: use file discovery for secondary control plane nodes
      
      * feat: use file discovery for nodes
      
      * fix: do not fail if rolebinding does not exist
      
      * docs: add warning about kube_api_anonymous_auth
      
      * style: improve readability of delegate_to parameter
      
      * refactor: rename discovery kubeconfig file
      
      * test: enable new variable in hardening and upgrade test cases
      
      * docs: add option to config parameters
      
      * test: multiple instances and upgrade
  19. Dec 12, 2023
    • New PR default node selector (#10607) · cb848fa7
      jandres - moscardo authored
    • Disable podCIDR allocation from control-plane when using calico (#10639) · 8abf49ae
      Max Gautier authored
      * Disable control plane allocating podCIDR for nodes when using calico
      
      Calico does not use the .spec.podCIDR field for its IP address
      management.
      Furthermore, it can cause false positives from the kube controller manager if
      kube_network_node_prefix and calico_pool_blocksize are unaligned, which
      is the case with the default shipped by kubespray.
      
      If the subnets obtained from using kube_network_node_prefix are bigger,
      this would result at some point in the control plane thinking it does
      not have subnets left for a new node, while calico will work without
      problems.
      
      Explicitly set a default value of false for calico_ipam_host_local to
      facilitate its use in templates.
      
      * Don't default to kube_network_node_prefix for calico_pool_blocksize
      
      They have different semantics: kube_network_node_prefix is intended to
      be the size of the subnet for all pods on a node, while there can be
      more than one calico block of the specified size (they are allocated on
      demand).
      
      Besides, this commit does not actually change anything, because the
      current code is buggy: we don't ever default to
      kube_network_node_prefix, since the variable is defined in the role
      defaults.
    • Revert "Update etcd-servers for apiserver (#8253)" (#10652) · 81a3f81a
      Max Gautier authored
      This reverts commit ee0f1e9d.
      
      Avoid restarting all api servers at once by changing their config.
  21. Dec 07, 2023
    • Use systemd for disabling swap when it's used (#10587) · 2c3ea84e
      Max Gautier authored
      * Mask systemd swap.target to disable swap
      
      This is a more generic way to disable swap, since it pulls .swap units
      in systemd distributions; fstab is only one way to generate .swap units.
      
      * Unconditionally disable swap
      
      We only care to disable it (the "swapon" registered variable is not used
      anywhere else).
      This allows us to get rid of the ignore_errors, since this was added
      because swapon.stdout does not exist in check_mode (see issue #6642).
      
      * Don't explicitly disable swapOnZram
      
      We're already masking the swap.target, which would pull the zram unit,
      hence no need to handle zram-generator specifically.
  22. Nov 28, 2023
    • Check conntrack module presence instead of kernel version (#10662) · 612cfdce
      Max Gautier authored
      * Try both conntrack modules instead of checking kernel version
      
      Depending on kernel distributor, the kernel version might not be a
      correct indicator of the conntrack module use.
      Instead, we check both (and use the first found).
      
      * Use modprobe.persistent rather than manual persistence
  25. Nov 17, 2023
    • Validate systemd unit files (#10597) · 0d4f57aa
      Max Gautier authored
      * Validate systemd unit files
      
      This ensures that we fail early if we have a bad systemd unit file
      (syntax error, using a version not available in the local version, etc)
      
      * Hack to check systemd version for service files validation
      
      factory-reset.target was introduced in systemd 250, same version as the
      aliasing feature we need for verifying systemd services with ansible.
      So we only actually execute the validation if that target is present.
      
      This is a horrible hack which should be reverted as soon as we drop
      support for distributions with systemd<250.
  26. Nov 08, 2023
    • Create variables for ipvs kernel modules (#10580) · 802da0bc
      borgiacis authored
      * Create variables for ipvs kernel modules
      
      * Corrected kubernetes role node task missing name
      
      * Added changes as suggested during review by VannTen
    • Move control plane certs renewal "spread out" into the systemd timer (#10596) · b3f6d051
      Max Gautier authored
      * Use RandomizedDelaySec to spread out control plane certificates renewal
      
      If the number of control plane nodes is greater than 6, using (index * 10
      minutes) will fail (03:60:00 is not a valid timestamp).
      
      Compared to just fixing the jinja expression (to use a modulo for
      example), this should avoid having two control plane certificate
      updates being triggered at the same time.
      
      * Make k8s-certs-renew.timer Persistent
      
      If the control plane happens to be offline during the scheduled
      certificates renewal (node failure or anything like that), we still want
      the renewal to happen.
    • Refactor "multi" handlers to use listen (#10542) · 8ebeb88e
      Max Gautier authored
      * containerd: refactor handlers to use 'listen'
      
      * cri-dockerd: refactor handlers to use 'listen'
      
      * cri-o: refactor handlers to use 'listen'
      
      * docker: refactor handlers to use 'listen'
      
      * etcd: refactor handlers to use 'listen'
      
      * control-plane: refactor handlers to use 'listen'
      
      * kubeadm: refactor handlers to use 'listen'
      
      * node: refactor handlers to use 'listen'
      
      * preinstall: refactor handlers to use 'listen'
      
      * calico: refactor handlers to use 'listen'
      
      * kube-router: refactor handlers to use 'listen'
      
      * macvlan: refactor handlers to use 'listen'