Merge pull request #166 from vivian-hafener/master

Moves apiversions for kubeadm, kubelet, and kubeproxy from kubeadm-kubelet-config.j2 into defaults/main.yml

.ansible-lint

@@ -1,3 +1,4 @@
 skip_list:
-  - '306'
-  - '405'
+  - 'yaml'
+  - 'risky-shell-pipe'
+  - 'role-name'

.github/workflows/ci.yml

@@ -0,0 +1,74 @@
+---
+name: CI
+'on':
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "0 4 * * 3"
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.kubernetes'
+
+jobs:
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install yamllint
+
+      - name: Lint code.
+        run: |
+          yamllint .
+
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - distro: rockylinux9
+            playbook: converge.yml
+          - distro: ubuntu2004
+            playbook: converge.yml
+          - distro: debian11
+            playbook: converge.yml
+
+          - distro: debian11
+            playbook: calico.yml
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
+          MOLECULE_PLAYBOOK: ${{ matrix.playbook }}

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+  push:
+    tags:
+      - '*'
+
+defaults:
+  run:
+    working-directory: 'geerlingguy.kubernetes'
+
+jobs:
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+        with:
+          path: 'geerlingguy.kubernetes'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install Ansible.
+        run: pip3 install ansible-core
+
+      - name: Trigger a new import on Galaxy.
+        run: >-
+          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
+          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

.github/workflows/stale.yml

@@ -0,0 +1,34 @@
+---
+name: Close inactive issues
+'on':
+  schedule:
+    - cron: "55 3 * * 0"  # semi-random time
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v8
+        with:
+          days-before-stale: 120
+          days-before-close: 60
+          exempt-issue-labels: bug,pinned,security,planned
+          exempt-pr-labels: bug,pinned,security,planned
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
+          stale-issue-message: |
+            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+            
+            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+          close-issue-message: |
+            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
+          stale-pr-message: |
+            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+            
+            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+          close-pr-message: |
+            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,3 +1,5 @@
 *.retry
 */__pycache__
 *.pyc
+.cache
+

.travis.yml

@@ -1,31 +0,0 @@
----
-language: python
-services: docker
-
-env:
-  global:
-    - ROLE_NAME: kubernetes
-  matrix:
-    - MOLECULE_DISTRO: centos7
-    - MOLECULE_DISTRO: ubuntu1804
-    - MOLECULE_DISTRO: debian10
-
-    - MOLECULE_DISTRO: debian10
-      MOLECULE_PLAYBOOK: playbook-calico.yml
-
-install:
-  # Install test dependencies.
-  - pip install molecule docker
-
-before_script:
-  # Use actual Ansible Galaxy role name for the project directory.
-  - cd ../
-  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
-  - cd geerlingguy.$ROLE_NAME
-
-script:
-  # Run tests.
-  - molecule test
-
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/

.yamllint

@@ -1,6 +1,10 @@
 ---
 extends: default
+
 rules:
   line-length:
     max: 150
     level: warning
+
+ignore: |
+  .github/workflows/stale.yml

README.md

@@ -1,90 +1,171 @@
 # Ansible Role: Kubernetes
 
-[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-kubernetes.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-kubernetes)
+[![CI](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml)
 
 An Ansible Role that installs [Kubernetes](https://kubernetes.io) on Linux.
 
 ## Requirements
 
-Requires Docker; recommended role for Docker installation: `geerlingguy.docker`.
+Requires a compatible [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes); recommended role for CRI installation: `geerlingguy.containerd`.
 
 ## Role Variables
 
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
-    kubernetes_packages:
-      - name: kubelet
-        state: present
-      - name: kubectl
-        state: present
-      - name: kubeadm
-        state: present
-      - name: kubernetes-cni
-        state: present
+```yaml
+kubernetes_packages:
+  - name: kubelet
+    state: present
+  - name: kubectl
+    state: present
+  - name: kubeadm
+    state: present
+  - name: kubernetes-cni
+    state: present
+```
 
 Kubernetes packages to be installed on the server. You can either provide a list of package names, or set `name` and `state` to have more control over whether the package is `present`, `absent`, `latest`, etc.
 
-    kubernetes_version: '1.16'
-    kubernetes_version_rhel_package: '1.16.4'
+```yaml
+kubernetes_version: '1.32'
+kubernetes_version_rhel_package: '1.32'
+```
 
 The minor version of Kubernetes to install. The plain `kubernetes_version` is used to pin an apt package version on Debian, and as the Kubernetes version passed into the `kubeadm init` command (see `kubernetes_version_kubeadm`). The `kubernetes_version_rhel_package` variable must be a specific Kubernetes release, and is used to pin the version on Red Hat / CentOS servers.
 
-    kubernetes_role: master
+```yaml
+kubernetes_role: control_plane
+```
 
-Whether the particular server will serve as a Kubernetes `master` (default) or `node`. The master will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `master`.
+Whether the particular server will serve as a Kubernetes `control_plane` (default) or `node`. The control plane will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `control_plane`.
 
-    kubernetes_kubelet_extra_args: ""
-    kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
+### Variables to configure kubeadm and kubelet with `kubeadm init` through a config file (recommended)
 
-Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`.
+With this role, `kubeadm init` will be run with `--config <FILE>`.
 
-    kubernetes_kubeadm_init_extra_opts: ""
+```yaml
+kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
+```
+
+Path for `<FILE>`. If the directory does not exist, this role will create it.
+
+The following variables are parsed as options to <FILE>. To understand its syntax, see [kubelet-integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) and [kubeadm-config-file](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file) . The skeleton (`apiVersion`, `kind`) of the config file will be created by this role, so do not define them within the variables. (See `templates/kubeadm-kubelet-config.j2`).
+
+```yaml
+kubernetes_config_init_configuration:
+  localAPIEndpoint:
+    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
+```
+
+Defines the options under `kind: InitConfiguration`. Including `kubernetes_apiserver_advertise_address` here is for backward-compatibilty to older versions of this role, where `kubernetes_apiserver_advertise_address` was used with a command-line-option.
+
+```yaml
+kubernetes_config_cluster_configuration:
+  networking:
+    podSubnet: "{{ kubernetes_pod_network.cidr }}"
+  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
+```
+
+Options under `kind: ClusterConfiguration`. Including `kubernetes_pod_network.cidr` and `kubernetes_version_kubeadm` here are for backward-compatibilty to older versions of this role, where they were used with command-line-options.
+
+```yaml
+kubernetes_config_kubelet_configuration:
+  cgroupDriver: systemd
+```
+
+Options to configure kubelet on any nodes in your cluster through the `kubeadm init` process. For syntax options read the [kubelet config file](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file) and [kubelet integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) documentation.
+
+NOTE: This is the recommended way to do the kubelet-configuration. Most command-line-options are deprecated.
+
+NOTE: The recommended cgroupDriver depends on your [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes). When using this role with Docker instead of containerd, this value should be changed to `cgroupfs`.
+
+```yaml
+kubernetes_config_kube_proxy_configuration: {}
+```
+
+Options to configure kubelet's proxy configuration in the `KubeProxyConfiguration` section of the kubelet configuration.
+
+### Variables to configure kubeadm and kubelet through command-line-options
+
+```yaml
+kubernetes_kubelet_extra_args: ""
+kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
+```
+
+Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`. **This option is deprecated. Please use `kubernetes_config_kubelet_configuration` instead.**
+
+```yaml
+kubernetes_kubeadm_init_extra_opts: ""
+```
 
 Extra args to pass to `kubeadm init` during K8s control plane initialization. E.g. to specify extra Subject Alternative Names for API server certificate, set this to: `"--apiserver-cert-extra-sans my-custom.host"`
 
-    kubernetes_join_command_extra_opts: ""
+```yaml
+kubernetes_join_command_extra_opts: ""
+```
 
 Extra args to pass to the generated `kubeadm join` command during K8s node initialization. E.g. to ignore certain preflight errors like swap being enabled, set this to: `--ignore-preflight-errors=Swap`
 
-    kubernetes_allow_pods_on_master: true
+### Additional variables
 
-Whether to remove the taint that denies pods from being deployed to the Kubernetes master. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes master which doesn't run any other pods.
+```yaml
+kubernetes_allow_pods_on_control_plane: true
+```
 
-    kubernetes_enable_web_ui: false
-    kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
-
-Whether to enable the Kubernetes web dashboard UI (only accessible on the master itself, or proxied), and the file containing the web dashboard UI manifest.
+Whether to remove the taint that denies pods from being deployed to the Kubernetes control plane. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes control plane which doesn't run any other pods.
 
+```yaml
 kubernetes_pod_network:
   # Flannel CNI.
   cni: 'flannel'
   cidr: '10.244.0.0/16'
+  #
   # Calico CNI.
   # cni: 'calico'
   # cidr: '192.168.0.0/16'
+  #
+  # Weave CNI.
+  # cni: 'weave'
+  # cidr: '192.168.0.0/16'
+```
 
-This role currently supports `flannel` (default) or `calico` for cluster pod networking. Choose one or the other for your cluster; converting between the two is not done automatically and could result in broken networking, and should be done outside of this role.
+This role currently supports `flannel` (default), `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.
 
-    kubernetes_apiserver_advertise_address: ''
-    kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
-    kubernetes_ignore_preflight_errors: 'all'
+```yaml
+kubernetes_apiserver_advertise_address: ''`
+kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'`
+kubernetes_ignore_preflight_errors: 'all'
+```
 
-Options passed to `kubeadm init` when initializing the Kubernetes master. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
+Options passed to `kubeadm init` when initializing the Kubernetes control plane. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
 
-    kubernetes_apt_release_channel: main
-    kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
-    kubernetes_apt_ignore_key_error: false
+```yaml
+kubernetes_apt_release_channel: "stable"
+kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
+```
 
 Apt repository options for Kubernetes installation.
 
-    kubernetes_yum_arch: x86_64
+```yaml
+kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
+kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
+kubernetes_yum_gpg_check: true
+kubernetes_yum_repo_gpg_check: true
+```
 
-Yum repository options for Kubernetes installation.
+Yum repository options for Kubernetes installation. You can change `kubernete_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `kubernetes_yum_base_url` as well.
 
-    kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
-    kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+```yaml
+kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+```
 
-Flannel manifest files to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
+Flannel manifest file to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
+
+```yaml
+kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml
+```
+
+Calico manifest file to apply to the Kubernetes cluster (if using Calico instead of Flannel).
 
 ## Dependencies
 
@@ -92,25 +173,25 @@ None.
 
 ## Example Playbooks
 
-### Single node (master-only) cluster
+### Single node (control-plane-only) cluster
 
 ```yaml
 - hosts: all
 
   vars:
-    kubernetes_allow_pods_on_master: true
+    kubernetes_allow_pods_on_control_plane: true
 
   roles:
     - geerlingguy.docker
     - geerlingguy.kubernetes
 ```
 
-### Two or more nodes (single master) cluster
+### Two or more nodes (single control-plane) cluster
 
-Master inventory vars:
+Control plane inventory vars:
 
 ```yaml
-kubernetes_role: "master"
+kubernetes_role: "control_plane"
 ```
 
 Node(s) inventory vars:
@@ -125,14 +206,14 @@ Playbook:
 - hosts: all
 
   vars:
-    kubernetes_allow_pods_on_master: true
+    kubernetes_allow_pods_on_control_plane: true
 
   roles:
     - geerlingguy.docker
     - geerlingguy.kubernetes
 ```
 
-Then, log into the Kubernetes master, and run `kubectl get nodes` as root, and you should see a list of all the servers.
+Then, log into the Kubernetes control plane, and run `kubectl get nodes` as root, and you should see a list of all the servers.
 
 ## License
 

defaults/main.yml

@@ -9,19 +9,17 @@ kubernetes_packages:
   - name: kubernetes-cni
     state: present
 
-kubernetes_version: '1.16'
-kubernetes_version_rhel_package: '1.16.4'
+kubernetes_version: '1.32'
+kubernetes_version_rhel_package: '1.32'
 
-kubernetes_role: master
+kubernetes_role: control_plane
 
+# This is deprecated. Please use kubernetes_config_kubelet_configuration instead.
 kubernetes_kubelet_extra_args: ""
+
 kubernetes_kubeadm_init_extra_opts: ""
 kubernetes_join_command_extra_opts: ""
-
-kubernetes_allow_pods_on_master: true
-kubernetes_enable_web_ui: true
-kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
-
+kubernetes_allow_pods_on_control_plane: true
 kubernetes_pod_network:
   # Flannel CNI.
   cni: 'flannel'
@@ -30,20 +28,44 @@ kubernetes_pod_network:
   # cni: 'calico'
   # cidr: '192.168.0.0/16'
 
+kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
+
+kubernetes_config_kubeadm_apiversion: v1beta3
+kubenetes_config_kubelet_apiversion: v1beta1
+kubernetes_config_kubeproxy_apiversion: v1alpha1
+
+kubernetes_config_kubelet_configuration:
+  cgroupDriver: "systemd"
+
+kubernetes_config_init_configuration:
+  localAPIEndpoint:
+    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
+# if you use the next lines, remove the command line argument below
+# nodeRegistration:
+#    ignorePreflightErrors:
+#      - all
+
+kubernetes_config_cluster_configuration:
+  networking:
+    podSubnet: "{{ kubernetes_pod_network.cidr }}"
+  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
+
+kubernetes_config_kube_proxy_configuration: {}
+
 kubernetes_apiserver_advertise_address: ''
 kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
 kubernetes_ignore_preflight_errors: 'all'
 
-kubernetes_apt_release_channel: main
-# Note that xenial repo is used for all Debian derivatives at this time.
-kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
-kubernetes_apt_ignore_key_error: false
+kubernetes_apt_release_channel: "stable"
+kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
 
-kubernetes_yum_arch: x86_64
+kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
+kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
+kubernetes_yum_gpg_check: true
+kubernetes_yum_repo_gpg_check: true
 
-# Flannel config files.
-kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
-kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+# Flannel config file.
+kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
 
-# Calico config files
-kubernetes_calico_manifest_file: https://docs.projectcalico.org/v3.10/manifests/calico.yaml
+# Calico config file.
+kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml

meta/main.yml

@@ -2,24 +2,24 @@
 dependencies: []
 
 galaxy_info:
+  role_name: kubernetes
   author: geerlingguy
   description: Kubernetes for Linux.
   company: "Midwestern Mac, LLC"
   license: "license (BSD, MIT)"
-  min_ansible_version: 2.4
+  min_ansible_version: 2.10
   platforms:
-    - name: EL
-      versions:
-        - 7
-        - 8
     - name: Debian
       versions:
         - stretch
         - buster
+        - bullseye
     - name: Ubuntu
       versions:
         - xenial
         - bionic
+        - focal
+        - jammy
   galaxy_tags:
     - system
     - containers

molecule/default/calico.yml

@@ -1,16 +1,20 @@
 ---
 - name: Converge
   hosts: all
-  become: true
+  #become: true
 
   vars:
     kubernetes_pod_network:
       cni: 'calico'
       cidr: '192.168.0.0/16'
 
-    # Allow swap in test environments (hard to control in some Docker envs).
-    kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
-    docker_install_compose: false
+    # Allow swap in test environments (hard to control in some envs).
+    kubernetes_config_kubelet_configuration:
+      cgroupDriver: "systemd"
+      failSwapOn: false
+      cgroupsPerQOS: true
+      enforceNodeAllocatable: ['pods']
+    containerd_config_cgroup_driver_systemd: true
 
   pre_tasks:
     - name: Update apt cache.
@@ -29,7 +33,7 @@
       action: setup
 
   roles:
-    - role: geerlingguy.docker
+    - role: geerlingguy.containerd
     - role: geerlingguy.kubernetes
 
   post_tasks:

molecule/default/converge.yml

@@ -1,12 +1,16 @@
 ---
 - name: Converge
   hosts: all
-  become: true
+  #become: true
 
   vars:
-    # Allow swap in test environments (hard to control in some Docker envs).
-    kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
-    docker_install_compose: false
+    # Allow swap in test environments (hard to control in some envs).
+    kubernetes_config_kubelet_configuration:
+      cgroupDriver: "systemd"
+      failSwapOn: false
+      cgroupsPerQOS: true
+      enforceNodeAllocatable: ['pods']
+    containerd_config_cgroup_driver_systemd: true
 
   pre_tasks:
     - name: Update apt cache.
@@ -25,7 +29,7 @@
       action: setup
 
   roles:
-    - role: geerlingguy.docker
+    - role: geerlingguy.containerd
     - role: geerlingguy.kubernetes
 
   post_tasks:

molecule/default/molecule.yml

@@ -1,30 +1,22 @@
 ---
+role_name_check: 1
 dependency:
   name: galaxy
+  options:
+    ignore-errors: true
 driver:
   name: docker
-lint:
-  name: yamllint
-  options:
-    config-file: molecule/default/yaml-lint.yml
 platforms:
   - name: instance
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      - /var/lib/docker
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/containerd
+    cgroupns_mode: host
     privileged: true
     pre_build_image: true
 provisioner:
   name: ansible
-  lint:
-    name: ansible-lint
   playbooks:
-    converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
-scenario:
-  name: default
-verifier:
-  name: testinfra
-  lint:
-    name: flake8
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}

molecule/default/requirements.yml

@@ -1,2 +1,2 @@
 ---
-- src: geerlingguy.docker
+- src: geerlingguy.containerd

tasks/control-plane-setup.yml

@@ -0,0 +1,89 @@
+---
+- name: Create the directory for the kubernetes_config_file
+  file:
+    path: "{{ kubernetes_kubeadm_kubelet_config_file_path | dirname }}"
+    state: directory
+
+- name: Deploy the config-file for kubeadm and kubelet
+  template:
+    src: "kubeadm-kubelet-config.j2"
+    dest: "{{ kubernetes_kubeadm_kubelet_config_file_path }}"
+
+- name: Initialize Kubernetes control plane with kubeadm init
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined)
+
+- name: Initialize Kubernetes control plane with kubeadm init and ignore_preflight_errors
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined)
+
+- name: Print the init output to screen.
+  debug:
+    var: kubeadmin_init.stdout
+    verbosity: 2
+  when: not kubernetes_init_stat.stat.exists
+
+- name: Ensure .kube directory exists.
+  file:
+    path: ~/.kube
+    state: directory
+    mode: 0755
+
+- name: Symlink the kubectl admin.conf to ~/.kube/conf.
+  file:
+    src: /etc/kubernetes/admin.conf
+    dest: ~/.kube/config
+    state: link
+    mode: 0644
+
+- name: Configure Flannel networking.
+  command: "kubectl apply -f {{ kubernetes_flannel_manifest_file }}"
+  register: flannel_result
+  changed_when: "'created' in flannel_result.stdout"
+  when: kubernetes_pod_network.cni == 'flannel'
+  until: flannel_result is not failed
+  retries: 12
+  delay: 5
+
+- name: Configure Calico networking.
+  command: "kubectl apply -f {{ kubernetes_calico_manifest_file }}"
+  register: calico_result
+  changed_when: "'created' in calico_result.stdout"
+  when: kubernetes_pod_network.cni == 'calico'
+  until: calico_result is not failed
+  retries: 12
+  delay: 5
+
+- name: Get Kubernetes version for Weave installation.
+  shell: kubectl version | base64 | tr -d '\n'
+  changed_when: false
+  register: kubectl_version
+  when: kubernetes_pod_network.cni == 'weave'
+  until: kubectl_version is not failed
+  retries: 12
+  delay: 5
+
+- name: Configure Weave networking.
+  command: "{{ item }}"
+  with_items:
+    - "kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version={{ kubectl_version.stdout_lines[0] }}"
+  register: weave_result
+  changed_when: "'created' in weave_result.stdout"
+  when: kubernetes_pod_network.cni == 'weave'
+
+# TODO: Check if taint exists with something like `kubectl describe nodes`
+# instead of using kubernetes_init_stat.stat.exists check.
+- name: Allow pods on control plane (if configured).
+  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
+  when:
+    - kubernetes_allow_pods_on_control_plane | bool
+    - not kubernetes_init_stat.stat.exists

tasks/kubelet-setup.yml

@@ -1,34 +1,42 @@
 ---
-- name: Check for existence of kubelet environment file.
+
+# ---- DEPRECATED ----------------
+#
+# Most of the kubernetes_kubelet_extra_args are deprecated. See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet for details.
+# Use the kubernetes_kubelet_config variable instead, which will be used to create the kubelet config file.
+
+- name: Check for existence of kubelet environment file. (deprecated)
   stat:
     path: '{{ kubelet_environment_file_path }}'
   register: kubelet_environment_file
 
-- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists.
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists. (deprecated)
   set_fact:
     kubelet_args_path: '{{ kubelet_environment_file_path }}'
     kubelet_args_line: "{{ 'KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args }}"
     kubelet_args_regexp: '^KUBELET_EXTRA_ARGS='
   when: kubelet_environment_file.stat.exists
 
-- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist.
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist. (deprecated)
   set_fact:
     kubelet_args_path: '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'
     kubelet_args_line: "{{ 'Environment=\"KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args + '\"' }}"
     kubelet_args_regexp: '^Environment="KUBELET_EXTRA_ARGS='
   when: not kubelet_environment_file.stat.exists
 
-- name: Configure KUBELET_EXTRA_ARGS.
+- name: Configure KUBELET_EXTRA_ARGS. (deprecated)
   lineinfile:
     path: '{{ kubelet_args_path }}'
     line: '{{ kubelet_args_line }}'
     regexp: '{{ kubelet_args_regexp }}'
     state: present
-  register: kubelet_config_file
+    mode: 0644
+  register: kubelet_extra_args
+  when: kubernetes_kubelet_extra_args|length > 0
 
-- name: Reload systemd unit if args were changed.
+- name: Reload systemd unit if args were changed. (deprecated)
   systemd:
     state: restarted
     daemon_reload: true
     name: kubelet
-  when: kubelet_config_file is changed
+  when: kubelet_extra_args is changed

tasks/main.yml

@@ -18,7 +18,10 @@
   notify: restart kubelet
   with_items: "{{ kubernetes_packages }}"
 
-- include_tasks: kubelet-setup.yml
+- include_tasks: sysctl-setup.yml
+
+- include_tasks: kubelet-setup.yml  # deprecated
+  when: kubernetes_kubelet_extra_args|length > 0
 
 - name: Ensure kubelet is started and enabled at boot.
   service:
@@ -31,15 +34,15 @@
     path: /etc/kubernetes/admin.conf
   register: kubernetes_init_stat
 
-# Set up master.
-- include_tasks: master-setup.yml
-  when: kubernetes_role == 'master'
+# Set up control plane.
+- include_tasks: control-plane-setup.yml
+  when: kubernetes_role == 'control_plane'
 
 # Set up nodes.
-- name: Get the kubeadm join command from the Kubernetes master.
+- name: Get the kubeadm join command from the Kubernetes control plane.
   command: kubeadm token create --print-join-command
   changed_when: false
-  when: kubernetes_role == 'master'
+  when: kubernetes_role == 'control_plane'
   register: kubernetes_join_command_result
 
 - name: Set the kubeadm join command globally.

tasks/master-setup.yml

@@ -1,68 +0,0 @@
----
-- name: Initialize Kubernetes master with kubeadm init.
-  command: >
-    kubeadm init
-    --pod-network-cidr={{ kubernetes_pod_network.cidr }}
-    --apiserver-advertise-address={{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}
-    --kubernetes-version {{ kubernetes_version_kubeadm }}
-    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
-    {{ kubernetes_kubeadm_init_extra_opts }}
-  with_items: "{{ kubernetes_pod_network }}"
-  register: kubeadmin_init
-  failed_when: false
-  when: not kubernetes_init_stat.stat.exists
-
-- name: Print the init output to screen.
-  debug:
-    var: kubeadmin_init.stdout
-    verbosity: 2
-  when: not kubernetes_init_stat.stat.exists
-
-- name: Ensure .kube directory exists.
-  file:
-    path: ~/.kube
-    state: directory
-
-- name: Symlink the kubectl admin.conf to ~/.kube/conf.
-  file:
-    src: /etc/kubernetes/admin.conf
-    dest: ~/.kube/config
-    state: link
-
-- name: Configure Flannel networking.
-  command: "{{ item }}"
-  with_items:
-    - kubectl apply -f {{ kubernetes_flannel_manifest_file_rbac }}
-    - kubectl apply -f {{ kubernetes_flannel_manifest_file }}
-  register: flannel_result
-  changed_when: "'created' in flannel_result.stdout"
-  when: kubernetes_pod_network.cni == 'flannel'
-
-- name: Configure Calico networking.
-  command: "{{ item }}"
-  with_items:
-    - kubectl apply -f {{ kubernetes_calico_manifest_file }}
-  register: calico_result
-  changed_when: "'created' in calico_result.stdout"
-  when: kubernetes_pod_network.cni == 'calico'
-
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on master node (if configured).
-  command: "kubectl taint nodes --all node-role.kubernetes.io/master-"
-  when:
-    - kubernetes_allow_pods_on_master | bool
-    - not kubernetes_init_stat.stat.exists
-
-- name: Check if Kubernetes Dashboard UI service already exists.
-  shell: kubectl get services --namespace kube-system | grep -q kubernetes-dashboard
-  changed_when: false
-  failed_when: false
-  register: kubernetes_dashboard_service
-  when: kubernetes_enable_web_ui | bool
-
-- name: Enable the Kubernetes Web Dashboard UI (if configured).
-  command: "kubectl create -f {{ kubernetes_web_ui_manifest_file }}"
-  when:
-    - kubernetes_enable_web_ui | bool
-    - kubernetes_dashboard_service is failed

tasks/node-setup.yml

@@ -1,5 +1,5 @@
 ---
-- name: Join node to Kubernetes master
+- name: Join node to Kubernetes control plane.
   shell: >
     {{ kubernetes_join_command }}
     creates=/etc/kubernetes/kubelet.conf

tasks/setup-Debian.yml

@@ -4,22 +4,25 @@
     name:
       - apt-transport-https
       - ca-certificates
+      - python3-debian
     state: present
 
-- name: Add Kubernetes apt key.
-  apt_key:
-    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
-    state: present
-  register: add_repository_key
-  ignore_errors: "{{ kubernetes_apt_ignore_key_error }}"
-
 - name: Add Kubernetes repository.
-  apt_repository:
-    repo: "{{ kubernetes_apt_repository }}"
-    state: present
+  deb822_repository:
+    name: kubernetes
+    types: deb
+    uris: "{{ kubernetes_apt_repository }}"
+    suites: /
+    signed_by: "{{ kubernetes_apt_repository }}/Release.key"
+  register: kubernetes_repository
+
+- name: Update Apt cache.
+  apt:
     update_cache: true
+  when: kubernetes_repository.changed
 
 - name: Add Kubernetes apt preferences file to pin a version.
   template:
     src: apt-preferences-kubernetes.j2
     dest: /etc/apt/preferences.d/kubernetes
+    mode: 0644

tasks/setup-RedHat.yml

@@ -4,24 +4,17 @@
     name: kubernetes
     description: Kubernetes
     enabled: true
-    gpgcheck: true
-    repo_gpgcheck: true
-    baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ kubernetes_yum_arch }}
-    gpgkey:
-      - https://packages.cloud.google.com/yum/doc/yum-key.gpg
-      - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+    gpgcheck: "{{ kubernetes_yum_gpg_check }}"
+    repo_gpgcheck: "{{ kubernetes_yum_repo_gpg_check }}"
+    baseurl: "{{ kubernetes_yum_base_url }}"
+    gpgkey: "{{ kubernetes_yum_gpg_key }}"
 
 - name: Add Kubernetes GPG keys.
   rpm_key:
-    key: "{{ item }}"
+    key: "{{ kubernetes_yum_gpg_key }}"
     state: present
   register: kubernetes_rpm_key
-  with_items:
-    - https://packages.cloud.google.com/yum/doc/yum-key.gpg
-    - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 
 - name: Make cache if Kubernetes GPG key changed.
   command: "yum -q makecache -y --disablerepo='*' --enablerepo='kubernetes'"
   when: kubernetes_rpm_key is changed
-  args:
-    warn: false

tasks/sysctl-setup.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensure procps is installed.
+  package:
+    name: "{{ procps_package }}"
+    state: present
+  when: >
+    ansible_distribution != 'Debian'
+    or ansible_distribution_major_version | int < 10
+
+# See: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#letting-iptables-see-bridged-traffic
+- name: Let iptables see bridged traffic.
+  sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+  loop:
+    - net.bridge.bridge-nf-call-iptables
+    - net.bridge.bridge-nf-call-ip6tables
+  when: >
+    ansible_distribution != 'Debian'
+    or ansible_distribution_major_version | int < 10

templates/kubeadm-kubelet-config.j2

@@ -0,0 +1,20 @@
+---
+apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
+kind: InitConfiguration
+{{ kubernetes_config_init_configuration | to_nice_yaml }}
+---
+apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
+kind: ClusterConfiguration
+{{ kubernetes_config_cluster_configuration | to_nice_yaml }}
+{% if kubernetes_config_kubelet_configuration|length > 0 %}
+---
+apiVersion: kubelet.config.k8s.io/{{ kubenetes_config_kubelet_apiversion }}
+kind: KubeletConfiguration
+{{ kubernetes_config_kubelet_configuration | to_nice_yaml }}
+{% endif %}
+{% if kubernetes_config_kube_proxy_configuration|length > 0 %}
+---
+apiVersion: kubeproxy.config.k8s.io/{{ kubernetes_config_kubeproxy_apiversion }}
+kind: KubeProxyConfiguration
+{{ kubernetes_config_kube_proxy_configuration | to_nice_yaml }}
+{% endif %}

vars/Debian.yml

@@ -1,2 +1,3 @@
 ---
+procps_package: procps
 kubelet_environment_file_path: /etc/default/kubelet

vars/RedHat.yml

@@ -1,11 +1,3 @@
 ---
+procps_package: procps-ng
 kubelet_environment_file_path: /etc/sysconfig/kubelet
-kubernetes_packages:
-  - name: kubelet-{{ kubernetes_version_rhel_package }}-0
-    state: present
-  - name: kubectl-{{ kubernetes_version_rhel_package }}-0
-    state: present
-  - name: kubeadm-{{ kubernetes_version_rhel_package }}-0
-    state: present
-  - name: kubernetes-cni
-    state: present