From 0bde57da9f9d2fe91e4ba7ae41161cccbe10a60a Mon Sep 17 00:00:00 2001
From: gadgieOps
Date: Wed, 7 Dec 2022 11:19:23 +0000
Subject: [PATCH] add dynamic tainting logic
---
 tasks/control-plane-setup.yml | 36 +++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/tasks/control-plane-setup.yml b/tasks/control-plane-setup.yml
index 347e5cc..c6b462e 100644
--- a/tasks/control-plane-setup.yml
+++ b/tasks/control-plane-setup.yml
@@ -71,10 +71,34 @@
 changed_when: "'created' in weave_result.stdout"
 when: kubernetes_pod_network.cni == 'weave'
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on control plane (if configured).
- command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
+# Get the current taint status from the control-plane node
+# add/remove the taint according to kubernetes_allow_pods_on_control_plane
+
+- name: Get node spec
+ command: kubectl get nodes {{ ansible_hostname }} -o=jsonpath='{.spec}'
+ register: node_spec
+
+- name: Store node spec as JSON
+ set_fact:
+ node_spec_json: "{{ node_spec.stdout | from_json }}"
+
+- name: Get current taint status
+ set_fact:
+ taint_status: true
+ when:
+ - node_spec_json.taints is defined
+ - item.effect == "NoSchedule"
+ - item.key == "node-role.kubernetes.io/control-plane"
+ with_items: "{{ node_spec_json.taints }}"
+
+- name: Allow pods on the control plane
+ command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane-
+ when:
+ - kubernetes_allow_pods_on_control_plane | bool
+ - taint_status is defined
+
+- name: Deny pods on the control plane
+ command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane:NoSchedule
 when:
- - kubernetes_allow_pods_on_control_plane | bool
- - not kubernetes_init_stat.stat.exists
+ - not kubernetes_allow_pods_on_control_plane | bool
+ - taint_status is not defined
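Review bot: The "Get current taint status" task fails on an untainted node, because `with_items: "{{ node_spec_json.taints }}"` is rendered before the per-item `when` list is evaluated, so the `node_spec_json.taints is defined` guard never protects the loop itself; loop over `with_items: "{{ node_spec_json.taints | default([]) }}"` so a node spec without a `taints` key yields an empty loop and `taint_status` simply stays undefined. The read-only "Get node spec" command reports changed on every run; add `changed_when: false` to it so the play stays idempotent and a no-op run is distinguishable from one that actually altered the taint. `taint_status` is only ever set and never cleared, so the two `is defined` / `is not defined` checks depend on the fact not surviving from an earlier application of these tasks in the same run (inferred; it matters only if the role is applied more than once per host), and initialising it with an explicit `taint_status: false` before the loop would make both conditions plain booleans. The switch from `--all` to `{{ ansible_hostname }}` assumes the Kubernetes node name equals the Ansible hostname, which kubeadm normally lowercases, so hosts with mixed-case hostnames are worth confirming.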