# Prepares Kubernetes cluster nodes: installs the Coral Edge TPU userspace library on the
# coralworkers group, then the CRI-O runtime, the kubelet/kubeadm/kubectl toolchain and
# node tuning on every host in the kubelets group.
---
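- name: coral drivers
  hosts: coralworkers
  tasks:
    # The Coral packages are installed on the generic Debian kernel image rather
    # than the cloud image. Note: the new kernel is only active after a reboot,
    # which this play does not perform.
    - name: install generic kernel
      ansible.builtin.apt:
        state: latest
        pkg: linux-image-amd64
    # NOTE(review): apt `force: true` corresponds to apt-get --force-yes and
    # implies allow_unauthenticated and allow_downgrade, i.e. it disables
    # package signature checking for this transaction. The reason it is needed
    # for this removal is not recorded; confirm it is required, otherwise drop it.
    - name: remove cloud kernel
      ansible.builtin.apt:
        state: absent
        force: true
        pkg: linux-image-cloud-amd64
    # Repository signing key. The keyring must be root-owned and writable only by
    # root: the original `ugo+rw` (0666) let any local user replace the key and
    # have apt trust packages of their choosing.
    - name: apt signing key
      ansible.builtin.get_url:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        dest: /usr/share/keyrings/coral.asc
        owner: root
        group: root
        mode: '0644'
    - name: apt repo
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/coral.asc] https://packages.cloud.google.com/apt coral-edgetpu-stable main"
        state: present
        filename: coral
    # Edge TPU userspace library (standard clock variant).
    - name: install coral driver
      ansible.builtin.apt:
        state: latest
        pkg: libedgetpu1-std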
- name: Reconfigure Kubernetes nodes
  hosts: kubelets
  # Facts are required: ansible_architecture selects the binary arch and
  # ansible_default_ipv4 feeds the IP variable.
  gather_facts: true
  vars:
    # Pinned upstream versions; bump deliberately. CRIO_VERSION is kept on the
    # same minor as KUBERNETES_VERSION.
    KUBERNETES_VERSION: v1.33.3 # https://kubernetes.io/releases/patch-releases/
    CRIO_VERSION: v1.33 # https://github.com/cri-o/cri-o/releases
    CALICOCTL_VERSION: v3.29.3 # https://github.com/projectcalico/calico/releases
    # NOTE(review): crictl lags the Kubernetes minor here (v1.32 vs v1.33);
    # cri-tools recommends matching minors -- confirm this is intended.
    CRICTL_VERSION: v1.32.5 # https://github.com/kubernetes-sigs/cri-tools/releases/
    # IPv4 address on the default-route interface. Not referenced by the tasks
    # below; presumably consumed by kube-apiserver.j2.
    IP: "{{ ansible_default_ipv4.address }}"
tasks:
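# CRI-O from the upstream OBS repository for the pinned minor. The keyring is
# root-owned and world-readable but NOT world-writable: the original `ugo+rw`
# (0666) let any local user swap the key and have apt trust their packages.
- name: Add cri-o apt signing key
  ansible.builtin.get_url:
    url: "https://download.opensuse.org/repositories/isv:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/Release.key"
    dest: /usr/share/keyrings/cri-o.asc
    owner: root
    group: root
    mode: '0644'
- name: Add cri-o apt repo
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/usr/share/keyrings/cri-o.asc] https://download.opensuse.org/repositories/isv:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/ /"
    state: present
    filename: cri-o
# One apt transaction for both packages (the apt module takes a list) instead
# of a per-item loop.
- name: Install cri-o and conntrack
  ansible.builtin.apt:
    name:
      - cri-o
      - conntrack
    state: latest
# The unit shipped by the package is `crio.service`.
- name: Enable crio service
  ansible.builtin.systemd_service:
    name: crio
    enabled: true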
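# kubelet/kubeadm/kubectl are taken from the upstream release CDN and installed
# versioned, with a stable symlink per tool, so an upgrade is a symlink flip
# and the previous binary stays available for rollback.
- name: Download kubectl, kubeadm, kubelet
  ansible.builtin.get_url:
    url: "https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ k8s_arch }}/{{ item }}"
    # Verify against the .sha256 published next to each binary. get_url fetches
    # the checksum file, compares, and skips the download when an existing dest
    # already matches. Without this a tampered or truncated download would be
    # installed as the node agent.
    checksum: "sha256:https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ k8s_arch }}/{{ item }}.sha256"
    dest: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
    owner: root
    group: root
    mode: '0755'
  vars:
    k8s_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
  loop:
    - kubelet
    - kubectl
    - kubeadm
# Changing a symlink (i.e. an upgrade) restarts the kubelet via the handler.
- name: Create symlinks for kubectl, kubeadm, kubelet
  ansible.builtin.file:
    src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
    dest: "/usr/bin/{{ item }}"
    state: link
  loop:
    - kubelet
    - kubectl
    - kubeadm
  register: kubelet
  notify: restart kubelet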
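# calicoctl is installed versioned with a stable symlink, like the kube
# binaries above. With an unversioned dest, get_url does not re-fetch an
# existing file, so bumping CALICOCTL_VERSION previously had no effect on
# hosts that already had /usr/bin/calicoctl.
- name: Download calicoctl
  ansible.builtin.get_url:
    url: "https://github.com/projectcalico/calico/releases/download/{{ CALICOCTL_VERSION }}/calicoctl-linux-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
    dest: "/usr/bin/calicoctl-{{ CALICOCTL_VERSION }}"
    owner: root
    group: root
    mode: '0755'
    # TODO(review): pin the release asset's sha256 via `checksum:`; right now an
    # unverified download is installed root-owned into PATH.
- name: Symlink calicoctl
  ansible.builtin.file:
    src: "/usr/bin/calicoctl-{{ CALICOCTL_VERSION }}"
    dest: /usr/bin/calicoctl
    state: link
    # Replace the plain file left in place by earlier runs of this playbook.
    force: true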
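# crictl, the CRI debugging CLI. The previous shell step expanded an undefined
# $VERSION (the URL became crictl--linux-amd64.tar.gz), hard-coded amd64 even
# though the other binaries select the arch, and called sudo from inside a task.
# Use the pinned variable, the node's architecture and the unarchive module.
- name: Install crictl
  ansible.builtin.unarchive:
    src: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ CRICTL_VERSION }}/crictl-{{ CRICTL_VERSION }}-linux-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz"
    dest: /usr/local/bin
    remote_src: true
    # TODO(review): verify the tarball against the checksum published for the
    # release asset (get_url with `checksum:` to a temp path, then unarchive)
    # before placing it in PATH.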
# The kubelet binary comes from a release download, not a deb, so the systemd
# unit and the kubeadm drop-in (mirrors the upstream kubeadm drop-in) are laid
# down by hand here. Each change notifies the kubelet restart handler.
- name: Create /etc/systemd/system/kubelet.service
  ansible.builtin.copy:
    dest: /etc/systemd/system/kubelet.service
    content: |
      [Unit]
      Description=kubelet: The Kubernetes Node Agent
      Documentation=https://kubernetes.io/docs/home/
      Wants=network-online.target
      After=network-online.target
      [Service]
      ExecStart=/usr/bin/kubelet
      Restart=always
      StartLimitInterval=0
      RestartSec=10
      [Install]
      WantedBy=multi-user.target
  notify: restart kubelet
- name: Create /etc/systemd/system/kubelet.service.d
  ansible.builtin.file:
    path: /etc/systemd/system/kubelet.service.d
    state: directory
  notify: restart kubelet
# The drop-in clears the base ExecStart and re-specifies it with the kubeconfig,
# config-file and kubeadm-generated flag variables.
- name: Create /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
  ansible.builtin.copy:
    dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    content: |
      # Note: This dropin only works with kubeadm and kubelet v1.11+
      [Service]
      Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
      Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
      # This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
      EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
      # This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
      # the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
      EnvironmentFile=-/etc/default/kubelet
      ExecStart=
      ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
  notify: restart kubelet
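# /var/lib/kubelet/config.yaml is written by `kubeadm init|join`; on a node that
# has not joined yet it does not exist. Check for it explicitly instead of
# `ignore_errors: true`, which also hid real failures (permissions, disk full).
# Edits take effect only after a kubelet restart, so notify the handler.
- name: Check for kubelet config
  ansible.builtin.stat:
    path: /var/lib/kubelet/config.yaml
  register: kubelet_config
- name: Reconfigure shutdownGracePeriod
  ansible.builtin.lineinfile:
    path: /var/lib/kubelet/config.yaml
    regexp: '^shutdownGracePeriod:'
    line: 'shutdownGracePeriod: 5m'
  when: kubelet_config.stat.exists
  notify: restart kubelet
# NOTE(review): per the kubelet configuration reference,
# shutdownGracePeriodCriticalPods should be less than shutdownGracePeriod (it is
# the tail of that window reserved for critical pods). With both at 5m, ordinary
# pods get no dedicated termination window on node shutdown -- confirm intended.
- name: Reconfigure shutdownGracePeriodCriticalPods
  ansible.builtin.lineinfile:
    path: /var/lib/kubelet/config.yaml
    regexp: '^shutdownGracePeriodCriticalPods:'
    line: 'shutdownGracePeriodCriticalPods: 5m'
  when: kubelet_config.stat.exists
  notify: restart kubelet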
# https://github.com/kubernetes/kubernetes/issues/102818#issuecomment-2974774103
# Per the linked issue, unattended-upgrades ships a logind drop-in of this name
# that caps InhibitDelayMaxSec and cuts the kubelet's graceful-shutdown window
# short. Pointing the /etc override at /dev/null masks the vendor drop-in.
- name: Work around unattended-upgrades
  ansible.builtin.file:
    path: /etc/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
    src: /dev/null
    state: link
# Services not wanted on a container host. Errors are tolerated so hosts that do
# not have a unit installed do not fail the play.
- name: Disable unneccesary services
  ansible.builtin.service:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop:
    - snapd
    - multipathd
  ignore_errors: true
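# Replace registries.conf wholesale so only docker.io completes unqualified
# image names.
- name: Reset /etc/containers/registries.conf
  ansible.builtin.copy:
    content: "unqualified-search-registries = [\"docker.io\"]\n"
    dest: /etc/containers/registries.conf
    owner: root
    group: root
    mode: '0644'
  register: registries
# The systemd unit is `crio` (the same name this play enables above); the
# previous `cri-o` did not match any unit, so the runtime never picked up a
# changed registries.conf.
- name: Restart CRI-O
  ansible.builtin.service:
    name: crio
    state: restarted
  when: registries.changed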
# Kernel modules the node needs: overlay (container storage) and br_netfilter,
# without which the net.bridge.* sysctls written below do not exist. The file is
# rewritten wholesale so stale entries do not linger.
- name: Reset /etc/modules
  ansible.builtin.copy:
    dest: /etc/modules
    content: |
      overlay
      br_netfilter
  register: kernel_modules
# Load immediately when the list changed; on later boots the OS reads
# /etc/modules itself.
- name: Load kernel modules
  ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
  when: kernel_modules.changed
# Node sysctls: ignore ICMP redirects (hardening), make bridged pod traffic
# visible to iptables/ip6tables (needs br_netfilter, loaded above), enable IPv4
# forwarding for pod networking, and raise mmap/inotify limits for
# file-heavy workloads.
- name: Reset /etc/sysctl.d/99-k8s.conf
  ansible.builtin.copy:
    dest: /etc/sysctl.d/99-k8s.conf
    content: |
      net.ipv4.conf.all.accept_redirects = 0
      net.bridge.bridge-nf-call-iptables = 1
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      vm.max_map_count = 524288
      fs.inotify.max_user_instances = 1280
      fs.inotify.max_user_watches = 655360
  register: sysctl
# No shell features are needed, so run the command directly.
- name: Reload sysctl config
  ansible.builtin.command: sysctl --system
  when: sysctl.changed
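# Control-plane nodes only: render the kube-apiserver static-pod manifest with
# the Passmower OIDC flags. The kubelet re-creates a static pod when its
# manifest changes; the restart handler is additional insurance.
# NOTE(review): `kubeadm upgrade` regenerates this manifest from the
# ClusterConfiguration, discarding this template -- re-run the play after
# upgrades, or move the OIDC flags into apiServer.extraArgs.
- name: Reconfigure kube-apiserver to use Passmower OIDC endpoint
  ansible.builtin.template:
    src: kube-apiserver.j2
    dest: /etc/kubernetes/manifests/kube-apiserver.yaml
    owner: root
    group: root
    # Was the bare integer 600, which is read as DECIMAL 600 = octal 1130
    # (sticky bit, u=x, g=wx) rather than rw-------. Octal modes must be quoted.
    mode: '0600'
  notify: restart kubelet
  when:
    - inventory_hostname in groups["masters"]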
# Pick up the unit files written above (daemon_reload) and enable the kubelet
# at boot; the handler performs the actual restart at the end of the play.
- name: Enable kubelet service
  ansible.builtin.systemd_service:
    daemon_reload: true
    enabled: true
    name: kubelet
  notify: restart kubelet
handlers:
  # Runs once at the end of the play, however many tasks notified it.
  - name: restart kubelet
    ansible.builtin.systemd_service:
      state: restarted
      name: kubelet.service