- UPDATE
  - update `k8s_worker_release` to `1.30.5`
  - update
- OTHER CHANGES
  - support Ubuntu 24.04
  - update `.yamllint`

- OTHER CHANGES
  - fix download URLs for Kubernetes binaries (see: Download Kubernetes - Binaries)

- UPDATE
  - update `k8s_worker_release` to `1.29.9`
  - update
- PLEASE READ CAREFULLY
  - Version `24.0.0+1.27.8` had a lot of potential breaking changes. So if you upgrade from a version < `24.0.0+1.27.8`, please read the CHANGELOG of that version too!
- UPDATE
  - update `k8s_worker_release` to `1.29.4`
  - update
- MOLECULE
  - use `alvistack` instead of `generic` Vagrant boxes
  - use

- UPDATE
  - update `k8s_worker_release` to `1.28.8`
  - update
- PLEASE READ CAREFULLY
  - Version `24.0.0+1.27.8` had a lot of potential breaking changes. So if you upgrade from a version < `24.0.0+1.27.8`, please read the CHANGELOG of that version too!
- UPDATE
  - update `k8s_worker_release` to `1.28.5`
  - update
- OTHER CHANGES
  - adjust Github action because of Ansible Galaxy changes
  - `.yamllint`: extend max line length from 200 to 300
- MOLECULE
  - change to Ubuntu 22.04 for test-assets VM
  - change IP addresses
  - adjust common names for certificates / change algo to ecdsa and algo size
  - remove `collections.yml`
- PLEASE READ CAREFULLY
  - This release contains quite a few potential breaking changes! So review carefully before rolling out the new version of this role! A bigger part of the changes is related to increasing security. While most of the new variables and defaults should be just fine and work out of the box, side effects might occur.
  - All the newly introduced or changed variables have detailed comments in README. So please read them carefully!
  - This refactoring was needed to make it possible to have `githubixx.kubernetes_controller` and `githubixx.kubernetes_worker` deployed on the same host, for example. There were some intersections between the two roles that had to be fixed.
- UPDATE
  - update `k8s_worker_release` to `1.27.8`
  - update
- BREAKING
  - Rename variable `k8s_conf_dir` to `k8s_worker_conf_dir`. Additionally the default value changed from `/usr/lib/kubernetes` to `/etc/kubernetes/worker`.
  - Rename variable `k8s_bin_dir` to `k8s_worker_bin_dir`.
  - `k8s_worker_binaries` variable is no longer defined in `defaults/main.yml` but in `vars/main.yml`. Since this list is fixed anyway, it makes no sense to allow modifying it.
  - `k8s_worker_certificates` variable is no longer defined in `defaults/main.yml` but in `vars/main.yml`. Since this list is fixed anyway, it makes no sense to allow modifying it.
  - Introduce variable `k8s_worker_pki_dir`. All certificate files specified in `k8s_worker_certificates` (see `vars/main.yml`) will be stored here. Related to this: certificate related settings in `k8s_worker_kubelet_conf_yaml` used `k8s_conf_dir` before and now use `k8s_ctl_pki_dir`. That's `clientCAFile`, `tlsCertFile` and `tlsPrivateKeyFile`.
  - The default value for `k8s_interface` changed from `tap0` to `eth0`.
  - The variable `k8s_config_directory` is gone. It's no longer in use. After the upgrade to this release you can delete this directory (if you accept the new default!) and its content (make a backup, esp. of the `admin.kubeconfig` file, just in case!).
  - Remove variable `k8s_worker_download_dir` (no longer needed).
  - Change default value of `k8s_worker_kubelet_conf_dir` to `{{ k8s_worker_conf_dir }}/kubelet`.
  - Change default value of `k8s_worker_kubeproxy_conf_dir` to `{{ k8s_worker_conf_dir }}/kube-proxy`.
  - Rename variable
- FEATURE
  - When downloading the Kubernetes binaries the task checks the SHA512 checksum.
  - Introduce `k8s_worker_api_endpoint_host` and `k8s_worker_api_endpoint_port` variables. Previously `kubelet` and `kube-proxy` were configured to connect to the first host in the Ansible `k8s_controller` group and communicate with the `kube-apiserver` running there. This was hard-coded and couldn't be changed. If that host was down the K8s worker nodes didn't receive any updates. Now one can install and use a load balancer like `haproxy` that distributes requests between all `kube-apiserver`s and takes a `kube-apiserver` out of rotation if it is down (also see my Ansible haproxy role for that use case). The default is still to use the first host/`kube-apiserver` in the Ansible `k8s_controller` group, so behaviour-wise basically nothing changed.
  - Add task to generate `kubeconfig` for `kubelet` service (previously this was a separate playbook).
  - Add task to generate `kubeconfig` for `kube-proxy` service (previously this was a separate playbook).
- OTHER CHANGES
  - Use `kubernetes.core.*` modules instead of `kubectl` binary
  - Fix some `ansible-lint` issues
  - Use
- MOLECULE
  - Updated all files to reflect the changes introduced with this version
  - Tasks for creating `kubeconfig` for `kubelet` and `kube-proxy` are no longer needed as they're now part of `kubernetes_worker` role
  - Add `haproxy` to Ubuntu 22 hosts to test new `k8s_worker_api_endpoint_host` and `k8s_worker_api_endpoint_port` settings
  - Add tasks to install ansible-role-cni and ansible-role-runc
  - Use `kubernetes.core.k8s_info` module instead of calling `kubectl` binary

- rename `githubixx.harden-linux` to `githubixx.harden_linux`
- rename `githubixx.kubernetes-ca` to `githubixx.kubernetes_ca`
- add support for Ubuntu 22.04
- `molecule/default/group_vars/all.yml`: Removed `container-runtime-endpoint` setting from `k8s_worker_kubelet_settings` (`/etc/systemd/system/kubelet.service`). It was moved to `k8s_worker_kubelet_conf_yaml` (`kubelet-config.yaml`).
- BREAKING: `meta/main.yml`: change role_name from `kubernetes-worker` to `kubernetes_worker`. This has been a requirement of Ansible Galaxy for quite some time, but the requirement was introduced after this role had already existed for quite some time. So please update the name of the role in your playbook accordingly!
- rename `kubernetes-controller` to `kubernetes_controller` as role name changed (requirement as before)
- update `k8s_release` to `1.27.5`
- `meta/main.yml`: remove Ubuntu 18.04 as supported OS (reached EOL)
- moved `container-runtime-endpoint` setting from `k8s_worker_kubelet_settings` variable (`/etc/systemd/system/kubelet.service`) to `k8s_worker_kubelet_conf_yaml` variable (`kubelet-config.yaml`). The name changed from `container-runtime-endpoint` to `containerRuntimeEndpoint`. For more information see pull request kubelet: migrate container runtime endpoint flag to config.
- remove `Install some network packages` task for Red Hat based OSes (was actually never officially supported)

- update `k8s_release` to `1.26.8`
- `kube-proxy` needs to have network-online.target ready
- `kubelet` needs to have network-online.target ready

- update `k8s_release` to `1.26.4`
- add Molecule test
- add Github workflow

- update `k8s_release` to `1.25.9`
- move kubelet parameter `--register-node` to `kubelet.conf` (using the option as a command line parameter is deprecated)
- `tasks/main.yml`: add `changed_when: false` to `Disable swap` task
- `tasks/main.yml`: use `ansible.posix.mount` instead of `ansible.builtin.mount`
- `kubelet`: remove `--container-runtime` (Flag `--container-runtime` has been deprecated, will be removed in 1.27 as the only valid value is `remote`)
- `kubelet`: update information about `seccomp-default` / remove `SeccompDefault` feature gate (now beta and enabled by default)

- update `k8s_release` to `1.25.5`

- update `k8s_release` to `1.24.9`

- update `k8s_release` to `1.24.4`

- update `k8s_release` to `1.23.10`

- update `k8s_release` to `1.23.3`
- this role now requires Ansible >= 2.9

- update `k8s_release` to `1.22.6`

- update `k8s_release` to `1.22.5`
- default the `cgroupDriver` value in the `KubeletConfiguration` to `systemd` as `kubelet` runs as a `systemd` service. See configure-cgroup-driver for more details. Before that the default was `cgroupfs`. Also see Migrating to the systemd driver.
- BREAKING: This role no longer installs `CNI plugins`. So the variables `k8s_cni_dir`, `k8s_cni_bin_dir`, `k8s_cni_conf_dir`, `k8s_cni_plugin_version` and `k8s_cni_plugin_checksum` are no longer relevant and are ignored. Please use Ansible role containerd to install `containerd`, `runc` and `CNI plugins` before installing this role. Also see Kubernetes: Replace dockershim with containerd and runc.
- BREAKING: containerd is a new dependency
- BREAKING: This role version no longer uses `Docker/dockershim`. Instead containerd is used.
- BREAKING: Content of `k8s_worker_kubelet_settings` variable changed: The previous settings `image-pull-progress-deadline`, `network-plugin`, `cni-conf-dir` and `cni-bin-dir` will all be removed with the dockershim removal. `cloud-provider` will be removed in Kubernetes `v1.23`, in favor of removing cloud provider code from Kubelet. `container-runtime` has only two possible values and changed from `docker` to `remote`. And finally one new setting is needed, which is `container-runtime-endpoint`, which points to `containerd`'s socket.
- BREAKING: `kubelet.service` now has a dependency on `containerd.service` instead of `docker.service`. `kubelet.service` is now enabled and started after Ansible's `flush_handlers` was run.

- update `k8s_release` to `1.21.8`
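The kubelet migrations listed in this changelog (dockershim-era flags dropped from `k8s_worker_kubelet_settings`, `--register-node` and `container-runtime-endpoint` moved into the KubeletConfiguration as `registerNode`/`containerRuntimeEndpoint`, `cgroupDriver: systemd`, certificate files under `k8s_worker_pki_dir`) can be checked mechanically before rolling out a new role version. The following is an added example and not code from the role; `lint_kubelet_vars`, the sample dicts, the file names and the `PKI_DIR` value are assumptions constructed for illustration.

```python
# Added example, not code from the githubixx.kubernetes_worker role: lint the
# kubelet.service flags (k8s_worker_kubelet_settings) and the KubeletConfiguration
# (k8s_worker_kubelet_conf_yaml) of a host against the migrations in this changelog.
REMOVED_FLAGS = {  # command line flags the changelog says were removed or moved
    "allow-privileged": "deprecated kubelet flag, removed",
    "container-runtime": "deprecated; only valid value was 'remote'",
    "container-runtime-endpoint": "moved to KubeletConfiguration containerRuntimeEndpoint",
    "register-node": "moved to kubelet-config.yaml (flag is deprecated)",
    "image-pull-progress-deadline": "removed with dockershim",
    "network-plugin": "removed with dockershim",
    "cni-conf-dir": "removed with dockershim",
    "cni-bin-dir": "removed with dockershim",
    "cloud-provider": "removed from kubelet in v1.23",
}

def lint_kubelet_vars(settings: dict, conf: dict, pki_dir: str) -> list[str]:
    """Return one finding per setting that contradicts the changelog; [] if clean."""
    findings = [f"settings/{f}: {why}" for f, why in REMOVED_FLAGS.items() if f in settings]
    if not conf.get("containerRuntimeEndpoint"):
        findings.append("conf/containerRuntimeEndpoint: missing (containerd socket)")
    if conf.get("cgroupDriver") != "systemd":
        findings.append("conf/cgroupDriver: must be 'systemd' (kubelet is a systemd unit)")
    # Certificate files must live in k8s_worker_pki_dir, not the old k8s_conf_dir.
    x509 = conf.get("authentication", {}).get("x509", {})
    cert_files = {"clientCAFile": x509.get("clientCAFile"),
                  "tlsCertFile": conf.get("tlsCertFile"),
                  "tlsPrivateKeyFile": conf.get("tlsPrivateKeyFile")}
    prefix = pki_dir.rstrip("/") + "/"
    for name, path in cert_files.items():
        if not path or not path.startswith(prefix):
            findings.append(f"conf/{name}: should point into {pki_dir}")
    return findings

# Constructed samples. PKI_DIR is a placeholder for k8s_worker_pki_dir; the old
# certificate paths use the former k8s_conf_dir default /usr/lib/kubernetes.
PKI_DIR = "/etc/kubernetes/worker/pki"
OLD_SETTINGS = {"container-runtime": "docker", "network-plugin": "cni",
                "cni-conf-dir": "/etc/cni/net.d", "register-node": "true"}
OLD_CONF = {"cgroupDriver": "cgroupfs",
            "authentication": {"x509": {"clientCAFile": "/usr/lib/kubernetes/ca.pem"}},
            "tlsCertFile": "/usr/lib/kubernetes/kubelet.pem",
            "tlsPrivateKeyFile": "/usr/lib/kubernetes/kubelet-key.pem"}
NEW_SETTINGS = {"config": "/etc/kubernetes/worker/kubelet/kubelet-config.yaml"}
NEW_CONF = {"containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock",
            "cgroupDriver": "systemd", "registerNode": True,
            "authentication": {"x509": {"clientCAFile": f"{PKI_DIR}/ca.pem"}},
            "tlsCertFile": f"{PKI_DIR}/kubelet.pem",
            "tlsPrivateKeyFile": f"{PKI_DIR}/kubelet-key.pem"}
```

Running `lint_kubelet_vars(OLD_SETTINGS, OLD_CONF, PKI_DIR)` reports nine findings for the pre-migration sample and none for the migrated one.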

- update `k8s_release` to `1.21.4`
- remove Ubuntu 16.04 support

- update `k8s_release` to `1.20.10`

- update `k8s_release` to `1.20.8`

- update `k8s_release` to `1.19.12`

- update `k8s_release` to `1.19.4`

- update `k8s_release` to `1.18.12`
- update `k8s_cni_plugin_version` to `0.8.7`
- update `k8s_cni_plugin_checksum` value

- update `k8s_release` to `1.18.6`
- CNI plugins download location changed
- added Ubuntu 20.04 (Focal Fossa) as supported platform

- update `k8s_release` to `1.18.5`
- update `k8s_cni_plugin_version` to `0.8.6`

- update `k8s_release` to `1.17.4`

- update `k8s_release` to `1.16.8`
- `tlsCertFile` and `tlsPrivateKeyFile` options in `kubelet-config.yaml` used wrong certificate files

- update `k8s_release` to `1.16.3`

- update `k8s_release` to `1.15.6`

- update `k8s_release` to `1.15.3`
- removed deprecated `--allow-privileged` kubelet flag (see Node in K8s changelog)

- update `k8s_release` to `1.14.6`

- update `k8s_release` to `1.14.2`
- update `k8s_cni_plugin_version` to `0.7.5`
- introduce `k8s_cni_plugin_checksum` variable to determine if CNI plugin tarball has changed and needs to be unarchived

- update `k8s_release` to `1.13.5`

- update `k8s_release` to `1.13.2`
- use correct semantic versioning as described in semver. Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
- make Ansible linter happy

- update `k8s_release` to `1.12.3`

- update `k8s_release` to `1.11.3`

- update `k8s_release` to `1.10.8`
- add task to disable swap in `/etc/fstab` and execute `swapoff`.
- switch service routing from `iptables` to `ipvs`. IPVS (IP Virtual Server) is built on top of Netfilter and implements transport-layer load balancing as part of the Linux kernel. Besides increasing scalability, it makes debugging Kubernetes networking much easier. Instead of looking at hundreds or more iptables rules you just run `ipvsadm -Ln` and get a quick overview of which Kubernetes service IP gets load balanced to which pod IPs. And once you have the pod IPs you can take a quick look with `ip route` at what routes exist and figure out how packets for this service are handled. For further information see IPVS-Based In-Cluster Load Balancing Deep Dive.
- install `socat` and `netbase` packages
- support Ubuntu 18.04
- update README
- fix iptables bug in `k8s_worker_kubeproxy_conf_yaml`

- update `k8s_release` to `1.10.4`
- introduce `k8s_worker_kubelet_conf_yaml` variable
- removed deprecated settings in `k8s_worker_kubelet_settings`
- moved settings in `k8s_worker_kubelet_settings` to `k8s_worker_kubelet_conf_yaml`: see kubelet-config-file, see types.go
- introduce `k8s_worker_kubeproxy_conf_yaml` variable
- removed deprecated settings in `k8s_worker_kubeproxy_settings`
- moved settings in `k8s_worker_kubeproxy_settings` to `k8s_worker_kubeproxy_conf_yaml`: see types.go
- remove cert-k8s-proxy... entries from `k8s_worker_certificates` because no longer needed

- set `k8s_release` to `1.9.8`
- changed deprecated Ansible state
- remove obsolete `kubeconfig.j2` template

- set `k8s_release` to `1.9.3`
- move `bind-address`, `healthz-bind-address` out of `kube-proxy.service.j2`
- remove unneeded macro from `kubelet.service.j2` / move `address`, `node-ip`, `healthz-bind-address` out of `kubelet.service.j2`
- restart kube-proxy/kubelet after service file change
- update to Kubernetes v1.9.1
- Disable `fail-swap-on` so kubelet does not fail when running on a machine with swap. With this option disabled, only a warning is shown in the log files
- update to Kubernetes v1.9.0
- change defaults for `k8s_ca_conf_directory` and `k8s_config_directory`
- more documentation for defaults
- introduce flexible parameter settings for kubelet via `k8s_worker_kubelet_settings` and `k8s_worker_kubelet_settings_user`
- introduce flexible parameter settings for kube-proxy via `k8s_worker_kubeproxy_settings` and `k8s_worker_kubeproxy_settings_user`
- add kube-proxy `healthz-bind-address` setting
- remove `k8s_api_server`/`k8s_api_server_ip` variables from `kube-proxy.service.j2` (no longer needed)
No changelog for releases < r3.0.0_v1.9.0 (see commit history if needed)