See #9035

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration

Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>

Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>

* update calico rr

* fix bgppeer conf

* fix yamllint

* fix ansible lint

* fix calico deploy

* fix yamllint

* fix some typo

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates

* fix(kubelet-config): enable config through kubelet_feature_gates

* feat(kubelet): add kubelet_seccomp_default variable

To test Kubespray on Rocky Linux 8 with vagrant, this adds it to
the Vagrantfile.

* `ansible.builtin.include` removed in version 2.16

Read the `ansible.builtin.include DEPRECATED` doc:

 https://docs.ansible.com/ansible/latest/collections/ansible/builtin/include_module.html#deprecated

* Update integration.md

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12

[docker] use cri-dockerd instead of dockershim for any kubernetes version deployed with docker as the container_manager

Ansible v2.9 and v2.10 are EOL as [1].
This drops those version supports by following the upstream Ansible.

This sets use_ssh_args true always because that is required to use
ssh_args on ansible.cfg on Ansible v2.11 or later[2].

ansible_ssh_host is replaced with ansible_host because ansible_ssh_host
has been deprecated already and cenots7 jobs were failed due to the
deprecated ansible_ssh_host.

[1]: https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-changelogs
[2]: https://docs.ansible.com/ansible/latest/collections/ansible/posix/synchronize_module.html#parameter-use_ssh_args

* Allow disabling calico CNI logs with calico_cni_log_file_path

Calico CNI logs up to 1G if it log a lot with current default settings:
log_file_max_size	100	Max file size in MB log files can reach before they are rotated.
log_file_max_age	30	Max age in days that old log files will be kept on the host before they are removed.
log_file_max_count	10	Max number of rotated log files allowed on the host before they are cleaned up.

See https://projectcalico.docs.tigera.io/reference/cni-plugin/configuration#logging



To save disk space, make the path configurable and allow disabling this log by setting
`calico_cni_log_file_path: false`

* Fix markdown

* Update roles/network_plugin/canal/templates/cni-canal.conflist.j2

Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>

Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>

* fix dir error

* the command line should align

Due many patterns of Linux distributions, it is difficult to install
ansible dependencies as system-wide stably.
Apart of Kubespray doc[1] recommends to use venv to avoid such issue,
and this applies venv usage to the other parts of the doc.

[1]: https://github.com/kubernetes-sigs/kubespray/blob/master/docs/setting-up-your-first-cluster.md#set-up-kubespray

drop note about not supporting ansible 2.9 since we still cover it in
nightly CI

kata-container is not used by default even if enabling kata_containers_enabled.
This updates the doc for writing how to do that.

* support metallb peer password

* add MetalLB BGP password example

* [cilium] Separate templates for cilium, cilium-operator, and hubble installations

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update cilium-operator templates

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Allow using custom args and mounting extra volumes for the Cilium Operator

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update the cilium configmap to filter out the deprecated variables, and add the new variables

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Add an option to use Wireguard encryption on Cilium 1.10 and up

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Update cilium-agent templates

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [cilium] Bump Cilium version to 1.11.3

Signed-off-by: necatican <necaticanyildirim@gmail.com>

when cilium v1.10 , it is ok to support arm64
https://cilium.io/blog/2021/05/20/cilium-110



Signed-off-by: weizhou.lan@daocloud.io <weizhou.lan@daocloud.io>

feat: add variables to manage makeIPTablesUtilChains and streamingConnectionIdleTimeout kubelet parameters (#8796)

* feat: add variable to manage service-account-lookup on kube-apiserver

* docs: add documentation about service-account-lookup variable

* feat: add support for EventRateLimit admission plugin

* docs: add documentation about admission_control_config_file and EventRateLimit configuration

Since https://github.com/kubernetes-sigs/kubespray/pull/8434

* kata container related options exist in k8s-cluster.yml,
  not k8s_cluster.yml

* https://github.com/kata-containers/runtime has been archived and
  https://github.com/kata-containers/kata-containers is used today.