From 0bde57da9f9d2fe91e4ba7ae41161cccbe10a60a Mon Sep 17 00:00:00 2001
From: gadgieOps
Date: Wed, 7 Dec 2022 11:19:23 +0000
Subject: [PATCH 1/2] add dynamic tainting logic

---
 tasks/control-plane-setup.yml | 36 +++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/tasks/control-plane-setup.yml b/tasks/control-plane-setup.yml
index 347e5cc..c6b462e 100644
--- a/tasks/control-plane-setup.yml
+++ b/tasks/control-plane-setup.yml
@@ -71,10 +71,34 @@
   changed_when: "'created' in weave_result.stdout"
   when: kubernetes_pod_network.cni == 'weave'
 
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on control plane (if configured).
-  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
+# Get the current taint status from the control-plane node
+# add/remove the taint according to kubernetes_allow_pods_on_control_plane
+
+- name: Get node spec
+  command: kubectl get nodes {{ ansible_hostname }} -o=jsonpath='{.spec}'
+  register: node_spec
+
+- name: Store node spec as JSON
+  set_fact:
+    node_spec_json: "{{ node_spec.stdout | from_json }}"
+
+- name: Get current taint status
+  set_fact:
+    taint_status: true
+  when:
+    - node_spec_json.taints is defined
+    - item.effect == "NoSchedule"
+    - item.key == "node-role.kubernetes.io/control-plane"
+  with_items: "{{ node_spec_json.taints }}"
+
+- name: Allow pods on the control plane
+  command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane-
+  when:
+    - kubernetes_allow_pods_on_control_plane | bool
+    - taint_status is defined
+
+- name: Deny pods on the control plane
+  command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane:NoSchedule
   when:
-    - kubernetes_allow_pods_on_control_plane | bool
-    - not kubernetes_init_stat.stat.exists
+    - not kubernetes_allow_pods_on_control_plane | bool
+    - taint_status is not defined

From 6984d74dd371fa0356c0bd8ac232dfcf9d0e4e38 Mon Sep 17 00:00:00 2001
From: gadgieOps
Date: Wed, 7 Dec 2022 13:19:08 +0000
Subject: [PATCH 2/2] removed need for getting node name

---
 tasks/control-plane-setup.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/control-plane-setup.yml b/tasks/control-plane-setup.yml
index c6b462e..4099374 100644
--- a/tasks/control-plane-setup.yml
+++ b/tasks/control-plane-setup.yml
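Review bot: `with_items: "{{ node_spec_json.taints }}"` in the added `Get current taint status` task fails with an undefined-variable error on a node whose spec carries no `taints` at all (for example on a second run after the taint has been removed), because as far as I can tell Ansible renders the loop before it evaluates the per-item `when`, so the `node_spec_json.taints is defined` condition never gets a chance to skip it; use `with_items: "{{ node_spec_json.taints | default([]) }}"` and the `is defined` condition becomes redundant. The added `Get node spec` task only reads cluster state but, being a bare `command`, will report `changed` on every run; adding `changed_when: false` to it keeps the play idempotent and makes the two real taint changes the only reported changes. The `taint_status` fact is only ever set, never reset, so a reader should be told it is a marker fact; a comment such as `# taint_status is defined only when the control-plane NoSchedule taint is present` above the task would make the `is defined` / `is not defined` checks on the two taint tasks self-explanatory.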
@@ -75,7 +75,7 @@
 # add/remove the taint according to kubernetes_allow_pods_on_control_plane
 
 - name: Get node spec
-  command: kubectl get nodes {{ ansible_hostname }} -o=jsonpath='{.spec}'
+  command: kubectl get nodes -o=jsonpath='{.items[*].spec}'
   register: node_spec
 
 - name: Store node spec as JSON
@@ -92,13 +92,13 @@
   with_items: "{{ node_spec_json.taints }}"
 
 - name: Allow pods on the control plane
-  command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane-
+  command: kubectl taint nodes --all node-role.kubernetes.io/control-plane-
   when:
     - kubernetes_allow_pods_on_control_plane | bool
     - taint_status is defined
 
 - name: Deny pods on the control plane
-  command: kubectl taint nodes {{ ansible_hostname }} node-role.kubernetes.io/control-plane:NoSchedule
+  command: kubectl taint nodes --all node-role.kubernetes.io/control-plane:NoSchedule
   when:
     - not kubernetes_allow_pods_on_control_plane | bool
-    - taint_status is not defined
+    - taint_status is not defined
\ No newline at end of file
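Review bot: `kubectl get nodes -o=jsonpath='{.items[*].spec}'` prints one JSON object per node separated by spaces, so as soon as the cluster has a second node the `from_json` in the following `Store node spec as JSON` task (its body lies outside this hunk) receives several concatenated documents and fails; the single-node case only works by coincidence. The same cluster-wide assumption appears in the second hunk, where `kubectl taint nodes --all node-role.kubernetes.io/control-plane:NoSchedule` would also place the control-plane taint on every worker and stop scheduling there, and `--all ... control-plane-` is run against workers that never carried the taint. Restricting both to control-plane nodes keeps the intent of the removed per-hostname commands without relying on `ansible_hostname` matching the node name: `command: kubectl get nodes -l node-role.kubernetes.io/control-plane -o json` here, `kubectl taint nodes -l node-role.kubernetes.io/control-plane node-role.kubernetes.io/control-plane-` / `...:NoSchedule` in the second hunk, and the loop at the start of the second hunk becomes `with_items: "{{ (node_spec.stdout | from_json)['items'] | selectattr('spec.taints', 'defined') | map(attribute='spec.taints') | flatten }}"` (which also removes the need for the separate `node_spec_json` fact and its `is defined` guard). This assumes the control-plane nodes carry the `node-role.kubernetes.io/control-plane` label that kubeadm applies at init; confirm against how this role bootstraps the node. The second hunk also drops the newline at end of file (`\ No newline at end of file`), which yamllint flags and which makes the last `taint_status is not defined` line show as changed although its text is identical.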