* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates

* fix(kubelet-config): enable config through kubelet_feature_gates

* feat(kubelet): add kubelet_seccomp_default variable

The commit 1ce2f04f tried to merge multiple SUSE OS checks including
"openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but
that was a perfect change.
Then the commit c16efc9a tried to fix it for "openSUSE Leap", but it
didn't take care of "openSUSE Tumbleweed".
Then this adds "openSUSE Tumbleweed" to the OS check.

Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12

* extra admission controls now don't have a version in their file names
  eventratelimit.v1beta2.yaml.j2 -> eventratelimit.yaml.j2
* cri_socket variable includes the unix:// prefix to be conformat with
  upstream

[docker] use cri-dockerd instead of dockershim for any kubernetes version deployed with docker as the container_manager

[kubeconfig] generate admin kube config from /etc/kubernetes/admin.conf instead of the workaround of using kubeadm init phase kubeadm admin which fails with cri-dockerd

* Fix: set fallback value of kubelet ip6 (#8858)

* Prune the spurious comma in the end of kubelet_address

- Update `roles/kubernetes/node/defaults/main.yml`

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* Fix: set fallback value of kubelet ip6 (#8858)

- Apply the lint: https://github.com/kubernetes-sigs/kubespray/pull/8926/commits/132606368e31bdb992fe45df80bd74d524b8ed89



Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

This reverts commit e3756786.

The workaround of explicitly specifying root for the kubelet unit was
for pulling images from private registry. Kubernetes now have a
dedicated mechanism with imagePullSecret.

Current Kubespray supports the Kubernetes version 1.21 or upper with
`kube_version_min_required: v1.21.0`

Then kube_version v1.20- related code is not used at all.
This deletes those code for cleanup.

* [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes`

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* add Feature synchronized time checking

* fix-invalid-kube-vip-manifest

feat: add variables to manage makeIPTablesUtilChains and streamingConnectionIdleTimeout kubelet parameters (#8796)

* feat: add variable to manage service-account-lookup on kube-apiserver

* docs: add documentation about service-account-lookup variable

* Add optional setting for ca data in auth webhook

* add webhook token auth variables to sample inventory

* Assert that IP range is enough for the nodes 

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>

* Fixed whitespace

* Fixed errors

* Fixed errors

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>

* feat: add support for EventRateLimit admission plugin

* docs: add documentation about admission_control_config_file and EventRateLimit configuration

aufs-tools was required for docker.io package originally,
but Kubespray installs docker-ce package instead today.
In addition, Ubuntu 20.04 doesn't provide aufs-tools as [1].
Then this removes aufs-tools from Ubuntu requirement.

[1]: https://bugs.launchpad.net/ubuntu/+source/aufs-tools/+bug/1947004

* [etcd] ensure etcd is properly upgraded when managed by kubeadm

* [CI] add periodic job to test upgrade of etcd managed by kubeadm

* [upcloud] add upcloud csi-driver

* Option to use ansible_host as api ip for kubueconfig

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

Ensure all Kubelet required kernel values are configured when enabling protectKernelDefaults (#8692)