Merge pull request #166 from vivian-hafener/master

Moves apiversions for kubeadm, kubelet, and kubeproxy from kubeadm-kubelet-config.j2 into defaults/main.yml

.ansible-lint

@@ -0,0 +1,4 @@
+skip_list:
+  - 'yaml'
+  - 'risky-shell-pipe'
+  - 'role-name'

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+---
+github: geerlingguy
+patreon: geerlingguy

.github/workflows/ci.yml

@@ -0,0 +1,74 @@
+---
+name: CI
+'on':
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "0 4 * * 3"
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.kubernetes'
+
+jobs:
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install yamllint
+
+      - name: Lint code.
+        run: |
+          yamllint .
+
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - distro: rockylinux9
+            playbook: converge.yml
+          - distro: ubuntu2004
+            playbook: converge.yml
+          - distro: debian11
+            playbook: converge.yml
+
+          - distro: debian11
+            playbook: calico.yml
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
+          MOLECULE_PLAYBOOK: ${{ matrix.playbook }}

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+  push:
+    tags:
+      - '*'
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.kubernetes'
+
+jobs:
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install Ansible.
+        run: pip3 install ansible-core
+
+      - name: Trigger a new import on Galaxy.
+        run: >-
+          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
+          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

.github/workflows/stale.yml

@@ -0,0 +1,34 @@
+---
+name: Close inactive issues
+'on':
+  schedule:
+    - cron: "55 3 * * 0"  # semi-random time
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v8
+        with:
+          days-before-stale: 120
+          days-before-close: 60
+          exempt-issue-labels: bug,pinned,security,planned
+          exempt-pr-labels: bug,pinned,security,planned
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
+          stale-issue-message: |
+            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+            
+            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+          close-issue-message: |
+            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
+          stale-pr-message: |
+            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+            
+            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+          close-pr-message: |
+            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,2 +1,5 @@
 *.retry
-tests/test.sh
+*/__pycache__
+*.pyc
+.cache
+

.travis.yml

@@ -1,29 +0,0 @@
----
-services: docker
-
-env:
-  - distro: centos7
-  - distro: ubuntu1604
-  - distro: debian9
-
-matrix:
-  allow_failures:
-    - env: distro=centos7
-
-script:
-  # Configure test script so we can run extra tests after playbook is run.
-  - export container_id=$(date +%s)
-  - export cleanup=false
-
-  # Download test shim.
-  - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/
-  - chmod +x ${PWD}/tests/test.sh
-
-  # Run tests.
-  - ${PWD}/tests/test.sh
-
-  # Test whether Kubernetes is running correctly.
-  # - docker exec --tty ${container_id} command-goes-here
-
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/

.yamllint

@@ -0,0 +1,10 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 150
+    level: warning
+
+ignore: |
+  .github/workflows/stale.yml

README.md

@@ -1,74 +1,220 @@
 # Ansible Role: Kubernetes
 
-[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-kubernetes.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-kubernetes)
+[![CI](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml)
 
 An Ansible Role that installs [Kubernetes](https://kubernetes.io) on Linux.
 
 ## Requirements
 
-Requires Docker; recommended role for Docker installation: `geerlingguy.docker`.
+Requires a compatible [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes); recommended role for CRI installation: `geerlingguy.containerd`.
 
 ## Role Variables
 
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
-    kubernetes_packages:
-      - name: kubelet
-        state: present
-      - name: kubeadm
-        state: present
-      - name: kubernetes-cni
-        state: present
+```yaml
+kubernetes_packages:
+  - name: kubelet
+    state: present
+  - name: kubectl
+    state: present
+  - name: kubeadm
+    state: present
+  - name: kubernetes-cni
+    state: present
+```
 
 Kubernetes packages to be installed on the server. You can either provide a list of package names, or set `name` and `state` to have more control over whether the package is `present`, `absent`, `latest`, etc.
 
-    kubernetes_kubelet_extra_args: ""
+```yaml
+kubernetes_version: '1.32'
+kubernetes_version_rhel_package: '1.32'
+```
 
-Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`.
+The minor version of Kubernetes to install. The plain `kubernetes_version` is used to pin an apt package version on Debian, and as the Kubernetes version passed into the `kubeadm init` command (see `kubernetes_version_kubeadm`). The `kubernetes_version_rhel_package` variable must be a specific Kubernetes release, and is used to pin the version on Red Hat / CentOS servers.
 
-    kubernetes_allow_pods_on_master: True
+```yaml
+kubernetes_role: control_plane
+```
 
-Whether to remove the taint that denies pods from being deployed to the Kubernetes master. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes master which doesn't run any other pods.
+Whether the particular server will serve as a Kubernetes `control_plane` (default) or `node`. The control plane will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `control_plane`.
 
-    kubernetes_enable_web_ui: False
+### Variables to configure kubeadm and kubelet with `kubeadm init` through a config file (recommended)
 
-Whether to enable the Kubernetes web dashboard UI (only accessible on the master itself, or proxied).
+With this role, `kubeadm init` will be run with `--config <FILE>`.
 
-    kubernetes_pod_network_cidr: '10.0.1.0/16'
-    kubernetes_version: 'stable-1.10'
-    kubernetes_ignore_preflight_errors: 'all'
+```yaml
+kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
+```
 
-Options passed to `kubeadm init` when initializing the Kubernetes master.
+Path for `<FILE>`. If the directory does not exist, this role will create it.
 
-    kubernetes_apt_release_channel: main
-    kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
-    kubernetes_apt_ignore_key_error: False
+The following variables are parsed as options to <FILE>. To understand its syntax, see [kubelet-integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) and [kubeadm-config-file](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file) . The skeleton (`apiVersion`, `kind`) of the config file will be created by this role, so do not define them within the variables. (See `templates/kubeadm-kubelet-config.j2`).
+
+```yaml
+kubernetes_config_init_configuration:
+  localAPIEndpoint:
+    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
+```
+
+Defines the options under `kind: InitConfiguration`. Including `kubernetes_apiserver_advertise_address` here is for backward-compatibilty to older versions of this role, where `kubernetes_apiserver_advertise_address` was used with a command-line-option.
+
+```yaml
+kubernetes_config_cluster_configuration:
+  networking:
+    podSubnet: "{{ kubernetes_pod_network.cidr }}"
+  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
+```
+
+Options under `kind: ClusterConfiguration`. Including `kubernetes_pod_network.cidr` and `kubernetes_version_kubeadm` here are for backward-compatibilty to older versions of this role, where they were used with command-line-options.
+
+```yaml
+kubernetes_config_kubelet_configuration:
+  cgroupDriver: systemd
+```
+
+Options to configure kubelet on any nodes in your cluster through the `kubeadm init` process. For syntax options read the [kubelet config file](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file) and [kubelet integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) documentation.
+
+NOTE: This is the recommended way to do the kubelet-configuration. Most command-line-options are deprecated.
+
+NOTE: The recommended cgroupDriver depends on your [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes). When using this role with Docker instead of containerd, this value should be changed to `cgroupfs`.
+
+```yaml
+kubernetes_config_kube_proxy_configuration: {}
+```
+
+Options to configure kubelet's proxy configuration in the `KubeProxyConfiguration` section of the kubelet configuration.
+
+### Variables to configure kubeadm and kubelet through command-line-options
+
+```yaml
+kubernetes_kubelet_extra_args: ""
+kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
+```
+
+Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`. **This option is deprecated. Please use `kubernetes_config_kubelet_configuration` instead.**
+
+```yaml
+kubernetes_kubeadm_init_extra_opts: ""
+```
+
+Extra args to pass to `kubeadm init` during K8s control plane initialization. E.g. to specify extra Subject Alternative Names for API server certificate, set this to: `"--apiserver-cert-extra-sans my-custom.host"`
+
+```yaml
+kubernetes_join_command_extra_opts: ""
+```
+
+Extra args to pass to the generated `kubeadm join` command during K8s node initialization. E.g. to ignore certain preflight errors like swap being enabled, set this to: `--ignore-preflight-errors=Swap`
+
+### Additional variables
+
+```yaml
+kubernetes_allow_pods_on_control_plane: true
+```
+
+Whether to remove the taint that denies pods from being deployed to the Kubernetes control plane. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes control plane which doesn't run any other pods.
+
+```yaml
+kubernetes_pod_network:
+  # Flannel CNI.
+  cni: 'flannel'
+  cidr: '10.244.0.0/16'
+  #
+  # Calico CNI.
+  # cni: 'calico'
+  # cidr: '192.168.0.0/16'
+  #
+  # Weave CNI.
+  # cni: 'weave'
+  # cidr: '192.168.0.0/16'
+```
+
+This role currently supports `flannel` (default), `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.
+
+```yaml
+kubernetes_apiserver_advertise_address: ''`
+kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'`
+kubernetes_ignore_preflight_errors: 'all'
+```
+
+Options passed to `kubeadm init` when initializing the Kubernetes control plane. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
+
+```yaml
+kubernetes_apt_release_channel: "stable"
+kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
+```
 
 Apt repository options for Kubernetes installation.
 
-    kubernetes_yum_arch: x86_64
+```yaml
+kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
+kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
+kubernetes_yum_gpg_check: true
+kubernetes_yum_repo_gpg_check: true
+```
 
-Yum repository options for Kubernetes installation.
+Yum repository options for Kubernetes installation. You can change `kubernete_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `kubernetes_yum_base_url` as well.
+
+```yaml
+kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+```
+
+Flannel manifest file to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
+
+```yaml
+kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml
+```
+
+Calico manifest file to apply to the Kubernetes cluster (if using Calico instead of Flannel).
 
 ## Dependencies
 
 None.
 
-## Example Playbook
+## Example Playbooks
 
-For a single node (master) Kubernetes cluster:
+### Single node (control-plane-only) cluster
 
 ```yaml
 - hosts: all
 
   vars:
-    kubernetes_allow_pods_on_master: True
+    kubernetes_allow_pods_on_control_plane: true
 
   roles:
     - geerlingguy.docker
     - geerlingguy.kubernetes
 ```
 
+### Two or more nodes (single control-plane) cluster
+
+Control plane inventory vars:
+
+```yaml
+kubernetes_role: "control_plane"
+```
+
+Node(s) inventory vars:
+
+```yaml
+kubernetes_role: "node"
+```
+
+Playbook:
+
+```yaml
+- hosts: all
+
+  vars:
+    kubernetes_allow_pods_on_control_plane: true
+
+  roles:
+    - geerlingguy.docker
+    - geerlingguy.kubernetes
+```
+
+Then, log into the Kubernetes control plane, and run `kubectl get nodes` as root, and you should see a list of all the servers.
+
 ## License
 
 MIT / BSD

defaults/main.yml

@@ -2,25 +2,70 @@
 kubernetes_packages:
   - name: kubelet
     state: present
-  - name: kubeadm
-    state: present
   - name: kubectl
     state: present
+  - name: kubeadm
+    state: present
   - name: kubernetes-cni
     state: present
 
+kubernetes_version: '1.32'
+kubernetes_version_rhel_package: '1.32'
+
+kubernetes_role: control_plane
+
+# This is deprecated. Please use kubernetes_config_kubelet_configuration instead.
 kubernetes_kubelet_extra_args: ""
 
-kubernetes_allow_pods_on_master: True
-kubernetes_enable_web_ui: True
+kubernetes_kubeadm_init_extra_opts: ""
+kubernetes_join_command_extra_opts: ""
+kubernetes_allow_pods_on_control_plane: true
+kubernetes_pod_network:
+  # Flannel CNI.
+  cni: 'flannel'
+  cidr: '10.244.0.0/16'
+  # Calico CNI.
+  # cni: 'calico'
+  # cidr: '192.168.0.0/16'
 
-kubernetes_pod_network_cidr: '10.0.1.0/16'
-kubernetes_version: 'stable-1.10'
+kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
+
+kubernetes_config_kubeadm_apiversion: v1beta3
+kubenetes_config_kubelet_apiversion: v1beta1
+kubernetes_config_kubeproxy_apiversion: v1alpha1
+
+kubernetes_config_kubelet_configuration:
+  cgroupDriver: "systemd"
+
+kubernetes_config_init_configuration:
+  localAPIEndpoint:
+    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
+# if you use the next lines, remove the command line argument below
+# nodeRegistration:
+#    ignorePreflightErrors:
+#      - all
+
+kubernetes_config_cluster_configuration:
+  networking:
+    podSubnet: "{{ kubernetes_pod_network.cidr }}"
+  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
+
+kubernetes_config_kube_proxy_configuration: {}
+
+kubernetes_apiserver_advertise_address: ''
+kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
 kubernetes_ignore_preflight_errors: 'all'
 
-kubernetes_apt_release_channel: main
-# Note that xenial repo is used for all Debian derivatives at this time.
-kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
-kubernetes_apt_ignore_key_error: False
+kubernetes_apt_release_channel: "stable"
+kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
 
-kubernetes_yum_arch: x86_64
+kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
+kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
+kubernetes_yum_gpg_check: true
+kubernetes_yum_repo_gpg_check: true
+
+# Flannel config file.
+kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
+
+# Calico config file.
+kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml

meta/main.yml

@@ -2,22 +2,24 @@
 dependencies: []
 
 galaxy_info:
+  role_name: kubernetes
   author: geerlingguy
   description: Kubernetes for Linux.
   company: "Midwestern Mac, LLC"
   license: "license (BSD, MIT)"
-  min_ansible_version: 2.4
+  min_ansible_version: 2.10
   platforms:
-  - name: EL
-    versions:
-    - 7
-  - name: Debian
-    versions:
-    - stretch
-  - name: Ubuntu
-    versions:
-    - xenial
-    - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+        - bullseye
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+        - focal
+        - jammy
   galaxy_tags:
     - system
     - containers

molecule/default/calico.yml

@@ -0,0 +1,54 @@
+---
+- name: Converge
+  hosts: all
+  #become: true
+
+  vars:
+    kubernetes_pod_network:
+      cni: 'calico'
+      cidr: '192.168.0.0/16'
+
+    # Allow swap in test environments (hard to control in some envs).
+    kubernetes_config_kubelet_configuration:
+      cgroupDriver: "systemd"
+      failSwapOn: false
+      cgroupsPerQOS: true
+      enforceNodeAllocatable: ['pods']
+    containerd_config_cgroup_driver_systemd: true
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=true cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+
+    - name: Ensure test dependencies are installed (RedHat).
+      package: name=iproute state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Ensure test dependencies are installed (Debian).
+      package: name=iproute2 state=present
+      when: ansible_os_family == 'Debian'
+
+    - name: Gather facts.
+      action: setup
+
+  roles:
+    - role: geerlingguy.containerd
+    - role: geerlingguy.kubernetes
+
+  post_tasks:
+    - name: Get cluster info.
+      command: kubectl cluster-info
+      changed_when: false
+      register: kubernetes_info
+
+    - name: Print cluster info.
+      debug: var=kubernetes_info.stdout
+
+    - name: Get all running pods.
+      command: kubectl get pods --all-namespaces
+      changed_when: false
+      register: kubernetes_pods
+
+    - name: Print list of running pods.
+      debug: var=kubernetes_pods.stdout

molecule/default/converge.yml

@@ -0,0 +1,50 @@
+---
+- name: Converge
+  hosts: all
+  #become: true
+
+  vars:
+    # Allow swap in test environments (hard to control in some envs).
+    kubernetes_config_kubelet_configuration:
+      cgroupDriver: "systemd"
+      failSwapOn: false
+      cgroupsPerQOS: true
+      enforceNodeAllocatable: ['pods']
+    containerd_config_cgroup_driver_systemd: true
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=true cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+
+    - name: Ensure test dependencies are installed (RedHat).
+      package: name=iproute state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Ensure test dependencies are installed (Debian).
+      package: name=iproute2 state=present
+      when: ansible_os_family == 'Debian'
+
+    - name: Gather facts.
+      action: setup
+
+  roles:
+    - role: geerlingguy.containerd
+    - role: geerlingguy.kubernetes
+
+  post_tasks:
+    - name: Get cluster info.
+      command: kubectl cluster-info
+      changed_when: false
+      register: kubernetes_info
+
+    - name: Print cluster info.
+      debug: var=kubernetes_info.stdout
+
+    - name: Get all running pods.
+      command: kubectl get pods --all-namespaces
+      changed_when: false
+      register: kubernetes_pods
+
+    - name: Print list of running pods.
+      debug: var=kubernetes_pods.stdout

molecule/default/molecule.yml

@@ -0,0 +1,22 @@
+---
+role_name_check: 1
+dependency:
+  name: galaxy
+  options:
+    ignore-errors: true
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/containerd
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}

molecule/default/requirements.yml

@@ -0,0 +1,2 @@
+---
+- src: geerlingguy.containerd

tasks/control-plane-setup.yml

@@ -0,0 +1,89 @@
+---
+- name: Create the directory for the kubernetes_config_file
+  file:
+    path: "{{ kubernetes_kubeadm_kubelet_config_file_path | dirname }}"
+    state: directory
+
+- name: Deploy the config-file for kubeadm and kubelet
+  template:
+    src: "kubeadm-kubelet-config.j2"
+    dest: "{{ kubernetes_kubeadm_kubelet_config_file_path }}"
+
+- name: Initialize Kubernetes control plane with kubeadm init
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined)
+
+- name: Initialize Kubernetes control plane with kubeadm init and ignore_preflight_errors
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined)
+
+- name: Print the init output to screen.
+  debug:
+    var: kubeadmin_init.stdout
+    verbosity: 2
+  when: not kubernetes_init_stat.stat.exists
+
+- name: Ensure .kube directory exists.
+  file:
+    path: ~/.kube
+    state: directory
+    mode: 0755
+
+- name: Symlink the kubectl admin.conf to ~/.kube/conf.
+  file:
+    src: /etc/kubernetes/admin.conf
+    dest: ~/.kube/config
+    state: link
+    mode: 0644
+
+- name: Configure Flannel networking.
+  command: "kubectl apply -f {{ kubernetes_flannel_manifest_file }}"
+  register: flannel_result
+  changed_when: "'created' in flannel_result.stdout"
+  when: kubernetes_pod_network.cni == 'flannel'
+  until: flannel_result is not failed
+  retries: 12
+  delay: 5
+
+- name: Configure Calico networking.
+  command: "kubectl apply -f {{ kubernetes_calico_manifest_file }}"
+  register: calico_result
+  changed_when: "'created' in calico_result.stdout"
+  when: kubernetes_pod_network.cni == 'calico'
+  until: calico_result is not failed
+  retries: 12
+  delay: 5
+
+- name: Get Kubernetes version for Weave installation.
+  shell: kubectl version | base64 | tr -d '\n'
+  changed_when: false
+  register: kubectl_version
+  when: kubernetes_pod_network.cni == 'weave'
+  until: kubectl_version is not failed
+  retries: 12
+  delay: 5
+
+- name: Configure Weave networking.
+  command: "{{ item }}"
+  with_items:
+    - "kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version={{ kubectl_version.stdout_lines[0] }}"
+  register: weave_result
+  changed_when: "'created' in weave_result.stdout"
+  when: kubernetes_pod_network.cni == 'weave'
+
+# TODO: Check if taint exists with something like `kubectl describe nodes`
+# instead of using kubernetes_init_stat.stat.exists check.
+- name: Allow pods on control plane (if configured).
+  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
+  when:
+    - kubernetes_allow_pods_on_control_plane | bool
+    - not kubernetes_init_stat.stat.exists

tasks/kubelet-setup.yml

@@ -0,0 +1,42 @@
+---
+
+# ---- DEPRECATED ----------------
+#
+# Most of the kubernetes_kubelet_extra_args are deprecated. See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet for details.
+# Use the kubernetes_kubelet_config variable instead, which will be used to create the kubelet config file.
+
+- name: Check for existence of kubelet environment file. (deprecated)
+  stat:
+    path: '{{ kubelet_environment_file_path }}'
+  register: kubelet_environment_file
+
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists. (deprecated)
+  set_fact:
+    kubelet_args_path: '{{ kubelet_environment_file_path }}'
+    kubelet_args_line: "{{ 'KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args }}"
+    kubelet_args_regexp: '^KUBELET_EXTRA_ARGS='
+  when: kubelet_environment_file.stat.exists
+
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist. (deprecated)
+  set_fact:
+    kubelet_args_path: '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'
+    kubelet_args_line: "{{ 'Environment=\"KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args + '\"' }}"
+    kubelet_args_regexp: '^Environment="KUBELET_EXTRA_ARGS='
+  when: not kubelet_environment_file.stat.exists
+
+- name: Configure KUBELET_EXTRA_ARGS. (deprecated)
+  lineinfile:
+    path: '{{ kubelet_args_path }}'
+    line: '{{ kubelet_args_line }}'
+    regexp: '{{ kubelet_args_regexp }}'
+    state: present
+    mode: 0644
+  register: kubelet_extra_args
+  when: kubernetes_kubelet_extra_args|length > 0
+
+- name: Reload systemd unit if args were changed. (deprecated)
+  systemd:
+    state: restarted
+    daemon_reload: true
+    name: kubelet
+  when: kubelet_extra_args is changed

tasks/main.yml

@@ -1,11 +1,14 @@
 ---
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
 - include_tasks: setup-RedHat.yml
   when: ansible_os_family == 'RedHat'
 
 - include_tasks: setup-Debian.yml
   when: ansible_os_family == 'Debian'
 
-- name: Ensure depdencies are installed.
+- name: Ensure dependencies are installed.
   package: name=curl state=present
 
 - name: Install Kubernetes packages.
@@ -15,77 +18,42 @@
   notify: restart kubelet
   with_items: "{{ kubernetes_packages }}"
 
-- name: Configure KUBELET_EXTRA_ARGS.
-  lineinfile:
-    path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-    line: 'Environment="KUBELET_EXTRA_ARGS={{ kubernetes_kubelet_extra_args }}"'
-    regexp: 'Environment="KUBELET_EXTRA_ARGS='
-    insertafter: '^Environment='
-    state: present
-  notify: restart kubelet
+- include_tasks: sysctl-setup.yml
+
+- include_tasks: kubelet-setup.yml  # deprecated
+  when: kubernetes_kubelet_extra_args|length > 0
 
 - name: Ensure kubelet is started and enabled at boot.
   service:
     name: kubelet
     state: started
-    enabled: yes
+    enabled: true
 
 - name: Check if Kubernetes has already been initialized.
   stat:
     path: /etc/kubernetes/admin.conf
   register: kubernetes_init_stat
 
-- name: Initialize the Kubernetes master with kubeadm init.
-  command: >
-    kubeadm init
-    --pod-network-cidr={{ kubernetes_pod_network_cidr }}
-    --apiserver-advertise-address={{ ansible_default_ipv4.address }}
-    --kubernetes-version {{ kubernetes_version }}
-    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
-  register: kubeadmin_init
-  failed_when: False
-  when: kubernetes_init_stat.stat.exists == False
+# Set up control plane.
+- include_tasks: control-plane-setup.yml
+  when: kubernetes_role == 'control_plane'
 
-- name: Print the init output to screen.
-  debug: var=kubeadmin_init.stdout
-  when: kubernetes_init_stat.stat.exists == False
+# Set up nodes.
+- name: Get the kubeadm join command from the Kubernetes control plane.
+  command: kubeadm token create --print-join-command
+  changed_when: false
+  when: kubernetes_role == 'control_plane'
+  register: kubernetes_join_command_result
 
-- name: Ensure .kube directory exists.
-  file:
-    path: ~/.kube
-    state: directory
+- name: Set the kubeadm join command globally.
+  set_fact:
+    kubernetes_join_command: >
+      {{ kubernetes_join_command_result.stdout }}
+      {{ kubernetes_join_command_extra_opts }}
+  when: kubernetes_join_command_result.stdout is defined
+  delegate_to: "{{ item }}"
+  delegate_facts: true
+  with_items: "{{ groups['all'] }}"
 
-- name: Symlink the kubectl admin.conf to ~/.kube/conf.
-  file:
-    src: /etc/kubernetes/admin.conf
-    dest: ~/.kube/config
-    state: link
-
-- name: Configure Flannel networking.
-  command: "{{ item }}"
-  with_items:
-    - kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
-    - kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
-  register: flannel_result
-  changed_when: "'created' in flannel_result.stdout"
-
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on master node (if configured).
-  command: "kubectl taint nodes --all node-role.kubernetes.io/master-"
-  when:
-    - kubernetes_allow_pods_on_master
-    - kubernetes_init_stat.stat.exists == False
-
-- name: Check if Kubernetes Dashboard UI service already exists.
-  shell: kubectl get services --namespace kube-system | grep -q kubernetes-dashboard
-  changed_when: False
-  failed_when: False
-  register: kubernetes_dashboard_service
-  when: kubernetes_enable_web_ui
-
-- name: Enable the Kubernetes Web Dashboard UI (if configured).
-  command: "kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml"
-  when:
-    - kubernetes_enable_web_ui
-    - kubernetes_dashboard_service is failed
+- include_tasks: node-setup.yml
+  when: kubernetes_role == 'node'

tasks/node-setup.yml

@@ -0,0 +1,6 @@
+---
+- name: Join node to Kubernetes control plane.
+  shell: >
+    {{ kubernetes_join_command }}
+    creates=/etc/kubernetes/kubelet.conf
+  tags: ['skip_ansible_lint']

tasks/setup-Debian.yml

@@ -1,21 +1,28 @@
 ---
 - name: Ensure dependencies are installed.
   apt:
-    name: "{{ item }}"
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - python3-debian
     state: present
-  with_items:
-    - apt-transport-https
-    - ca-certificates
-
-- name: Add Kubernetes apt key.
-  apt_key:
-    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
-    state: present
-  register: add_repository_key
-  ignore_errors: "{{ kubernetes_apt_ignore_key_error }}"
 
 - name: Add Kubernetes repository.
-  apt_repository:
-    repo: "{{ kubernetes_apt_repository }}"
-    state: present
-    update_cache: yes
+  deb822_repository:
+    name: kubernetes
+    types: deb
+    uris: "{{ kubernetes_apt_repository }}"
+    suites: /
+    signed_by: "{{ kubernetes_apt_repository }}/Release.key"
+  register: kubernetes_repository
+
+- name: Update Apt cache.
+  apt:
+    update_cache: true
+  when: kubernetes_repository.changed
+
+- name: Add Kubernetes apt preferences file to pin a version.
+  template:
+    src: apt-preferences-kubernetes.j2
+    dest: /etc/apt/preferences.d/kubernetes
+    mode: 0644

tasks/setup-RedHat.yml

@@ -3,25 +3,18 @@
   yum_repository:
     name: kubernetes
     description: Kubernetes
-    enabled: yes
-    gpgcheck: yes
-    repo_gpgcheck: yes
-    baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ kubernetes_yum_arch }}
-    gpgkey:
-      - https://packages.cloud.google.com/yum/doc/yum-key.gpg
-      - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+    enabled: true
+    gpgcheck: "{{ kubernetes_yum_gpg_check }}"
+    repo_gpgcheck: "{{ kubernetes_yum_repo_gpg_check }}"
+    baseurl: "{{ kubernetes_yum_base_url }}"
+    gpgkey: "{{ kubernetes_yum_gpg_key }}"
 
 - name: Add Kubernetes GPG keys.
   rpm_key:
-    key: "{{ item }}"
+    key: "{{ kubernetes_yum_gpg_key }}"
     state: present
   register: kubernetes_rpm_key
-  with_items:
-    - https://packages.cloud.google.com/yum/doc/yum-key.gpg
-    - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 
 - name: Make cache if Kubernetes GPG key changed.
   command: "yum -q makecache -y --disablerepo='*' --enablerepo='kubernetes'"
   when: kubernetes_rpm_key is changed
-  args:
-    warn: no

tasks/sysctl-setup.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensure procps is installed.
+  package:
+    name: "{{ procps_package }}"
+    state: present
+  when: >
+    ansible_distribution != 'Debian'
+    or ansible_distribution_major_version | int < 10
+
+# See: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#letting-iptables-see-bridged-traffic
+- name: Let iptables see bridged traffic.
+  sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+  loop:
+    - net.bridge.bridge-nf-call-iptables
+    - net.bridge.bridge-nf-call-ip6tables
+  when: >
+    ansible_distribution != 'Debian'
+    or ansible_distribution_major_version | int < 10

templates/apt-preferences-kubernetes.j2

@@ -0,0 +1,11 @@
+Package: kubectl
+Pin: version {{ kubernetes_version }}.*
+Pin-Priority: 1000
+
+Package: kubeadm
+Pin: version {{ kubernetes_version }}.*
+Pin-Priority: 1000
+
+Package: kubelet
+Pin: version {{ kubernetes_version }}.*
+Pin-Priority: 1000

templates/kubeadm-kubelet-config.j2

@@ -0,0 +1,20 @@
+---
+apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
+kind: InitConfiguration
+{{ kubernetes_config_init_configuration | to_nice_yaml }}
+---
+apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
+kind: ClusterConfiguration
+{{ kubernetes_config_cluster_configuration | to_nice_yaml }}
+{% if kubernetes_config_kubelet_configuration|length > 0 %}
+---
+apiVersion: kubelet.config.k8s.io/{{ kubenetes_config_kubelet_apiversion }}
+kind: KubeletConfiguration
+{{ kubernetes_config_kubelet_configuration | to_nice_yaml }}
+{% endif %}
+{% if kubernetes_config_kube_proxy_configuration|length > 0 %}
+---
+apiVersion: kubeproxy.config.k8s.io/{{ kubernetes_config_kubeproxy_apiversion }}
+kind: KubeProxyConfiguration
+{{ kubernetes_config_kube_proxy_configuration | to_nice_yaml }}
+{% endif %}

tests/README.md

@@ -1,11 +0,0 @@
-# Ansible Role tests
-
-To run the test playbook(s) in this directory:
-
-  1. Install and start Docker.
-  1. Download the test shim (see .travis.yml file for the URL) into `tests/test.sh`:
-    - `wget -O tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/`
-  1. Make the test shim executable: `chmod +x tests/test.sh`.
-  1. Run (from the role root directory) `distro=[distro] playbook=[playbook] ./tests/test.sh`
-
-If you don't want the container to be automatically deleted after the test playbook is run, add the following environment variables: `cleanup=false container_id=$(date +%s)`

tests/requirements.yml

@@ -1,2 +0,0 @@
----
-- src: geerlingguy.docker

tests/test.yml

@@ -1,25 +0,0 @@
----
-- hosts: all
-
-  vars:
-    # Allow swap in test environments (hard to control in some Docker envs).
-    kubernetes_kubelet_extra_args: "--fail-swap-on=false"
-
-  pre_tasks:
-    - name: Update apt cache.
-      apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
-
-    - name: Ensure test dependencies are installed.
-      package: name=iproute state=present
-
-    - action: setup
-
-    - name: Use cgroupfs cgroup driver instead of systemd (Red Hat).
-      set_fact:
-        kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
-      when: ansible_os_family == 'RedHat'
-
-  roles:
-    - geerlingguy.docker
-    - role_under_test

vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+procps_package: procps
+kubelet_environment_file_path: /etc/default/kubelet

vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+procps_package: procps-ng
+kubelet_environment_file_path: /etc/sysconfig/kubelet