2025-08-01 13:49:01 +02:00
26 changed files with 295 additions and 537 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,4 +1,3 @@
 skip_list:
-  - 'yaml'
+  - '306'
-  - 'risky-shell-pipe'
+  - '405'
  - 'role-name'
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,56 @@
 # Configuration for probot-stale - https://github.com/probot/stale
 # Number of days of inactivity before an Issue or Pull Request becomes stale
 daysUntilStale: 90
 # Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
 # Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
 daysUntilClose: 30
 # Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
 onlyLabels: []
 # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
 exemptLabels:
  - pinned
  - security
  - planned
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false
 # Set to true to ignore issues in a milestone (defaults to false)
 exemptMilestones: false
 # Set to true to ignore issues with an assignee (defaults to false)
 exemptAssignees: false
 # Label to use when marking as stale
 staleLabel: stale
 # Limit the number of actions per hour, from 1-30. Default is 30
 limitPerRun: 30
 pulls:
  markComment: |-
    This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
  unmarkComment: >-
    This pull request is no longer marked for closure.
  closeComment: >-
    This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
 issues:
  markComment: |-
    This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
  unmarkComment: >-
    This issue is no longer marked for closure.
  closeComment: >-
    This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,74 +0,0 @@
 ---
 name: CI
 'on':
  pull_request:
  push:
    branches:
      - master
  schedule:
    - cron: "0 4 * * 3"
 defaults:
  run:
    working-directory: 'geerlingguy.kubernetes'
 jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v4
        with:
          path: 'geerlingguy.kubernetes'
      - name: Set up Python 3.
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install test dependencies.
        run: pip3 install yamllint
      - name: Lint code.
        run: |
          yamllint .
  molecule:
    name: Molecule
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - distro: rockylinux9
            playbook: converge.yml
          - distro: ubuntu2004
            playbook: converge.yml
          - distro: debian11
            playbook: converge.yml
          - distro: debian11
            playbook: calico.yml
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v4
        with:
          path: 'geerlingguy.kubernetes'
      - name: Set up Python 3.
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install test dependencies.
        run: pip3 install ansible molecule molecule-plugins[docker] docker
      - name: Run Molecule tests.
        run: molecule test
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          MOLECULE_DISTRO: ${{ matrix.distro }}
          MOLECULE_PLAYBOOK: ${{ matrix.playbook }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,40 +0,0 @@
 ---
 # This workflow requires a GALAXY_API_KEY secret present in the GitHub
 # repository or organization.
 #
 # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
 # See: https://github.com/ansible/galaxy/issues/46
 name: Release
 'on':
  push:
    tags:
      - '*'
 defaults:
  run:
    working-directory: 'geerlingguy.kubernetes'
 jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v4
        with:
          path: 'geerlingguy.kubernetes'
      - name: Set up Python 3.
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install Ansible.
        run: pip3 install ansible-core
      - name: Trigger a new import on Galaxy.
        run: >-
          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,34 +0,0 @@
 ---
 name: Close inactive issues
 'on':
  schedule:
    - cron: "55 3 * * 0"  # semi-random time
 jobs:
  close-issues:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v8
        with:
          days-before-stale: 120
          days-before-close: 60
          exempt-issue-labels: bug,pinned,security,planned
          exempt-pr-labels: bug,pinned,security,planned
          stale-issue-label: "stale"
          stale-pr-label: "stale"
          stale-issue-message: |
            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
          close-issue-message: |
            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
          stale-pr-message: |
            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
          close-pr-message: |
            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,3 @@
 *.retry
 */__pycache__
 *.pyc
 .cache
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,32 @@
 ---
 language: python
 services: docker
 env:
  global:
    - ROLE_NAME: kubernetes
  matrix:
    - MOLECULE_DISTRO: centos8
    - MOLECULE_DISTRO: centos7
    - MOLECULE_DISTRO: ubuntu1804
    - MOLECULE_DISTRO: debian10
    - MOLECULE_DISTRO: debian10
      MOLECULE_PLAYBOOK: playbook-calico.yml
 install:
  # Install test dependencies.
  - pip install molecule yamllint ansible-lint docker
 before_script:
  # Use actual Ansible Galaxy role name for the project directory.
  - cd ../
  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
  - cd geerlingguy.$ROLE_NAME
 script:
  # Run tests.
  - molecule test
 notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--- a/.yamllint
+++ b/.yamllint
@ -1,10 +1,6 @@
 ---
 extends: default
 rules:
  line-length:
    max: 150
    level: warning
 ignore: |
  .github/workflows/stale.yml
--- a/README.md
+++ b/README.md
@ -1,19 +1,18 @@
 # Ansible Role: Kubernetes
-[![CI](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-kubernetes/actions/workflows/ci.yml)
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-kubernetes.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-kubernetes)
 An Ansible Role that installs [Kubernetes](https://kubernetes.io) on Linux.
 ## Requirements
-Requires a compatible [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes); recommended role for CRI installation: `geerlingguy.containerd`.
+Requires Docker; recommended role for Docker installation: `geerlingguy.docker`.
 ## Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
-```yaml
+    kubernetes_packages:
 kubernetes_packages:
      - name: kubelet
        state: present
      - name: kubectl
@ -22,150 +21,70 @@ kubernetes_packages:
        state: present
      - name: kubernetes-cni
        state: present
 ```
 Kubernetes packages to be installed on the server. You can either provide a list of package names, or set `name` and `state` to have more control over whether the package is `present`, `absent`, `latest`, etc.
-```yaml
+    kubernetes_version: '1.16'
-kubernetes_version: '1.32'
+    kubernetes_version_rhel_package: '1.16.4'
 kubernetes_version_rhel_package: '1.32'
 ```
 The minor version of Kubernetes to install. The plain `kubernetes_version` is used to pin an apt package version on Debian, and as the Kubernetes version passed into the `kubeadm init` command (see `kubernetes_version_kubeadm`). The `kubernetes_version_rhel_package` variable must be a specific Kubernetes release, and is used to pin the version on Red Hat / CentOS servers.
-```yaml
+    kubernetes_role: master
 kubernetes_role: control_plane
 ```
-Whether the particular server will serve as a Kubernetes `control_plane` (default) or `node`. The control plane will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `control_plane`.
+Whether the particular server will serve as a Kubernetes `master` (default) or `node`. The master will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `master`.
-### Variables to configure kubeadm and kubelet with `kubeadm init` through a config file (recommended)
+    kubernetes_kubelet_extra_args: ""
    kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
-With this role, `kubeadm init` will be run with `--config <FILE>`.
+Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`.
-```yaml
+    kubernetes_kubeadm_init_extra_opts: ""
 kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
 ```
 Path for `<FILE>`. If the directory does not exist, this role will create it.
 The following variables are parsed as options to <FILE>. To understand its syntax, see [kubelet-integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) and [kubeadm-config-file](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file) . The skeleton (`apiVersion`, `kind`) of the config file will be created by this role, so do not define them within the variables. (See `templates/kubeadm-kubelet-config.j2`).
 ```yaml
 kubernetes_config_init_configuration:
  localAPIEndpoint:
    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
 ```
 Defines the options under `kind: InitConfiguration`. Including `kubernetes_apiserver_advertise_address` here is for backward-compatibilty to older versions of this role, where `kubernetes_apiserver_advertise_address` was used with a command-line-option.
 ```yaml
 kubernetes_config_cluster_configuration:
  networking:
    podSubnet: "{{ kubernetes_pod_network.cidr }}"
  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
 ```
 Options under `kind: ClusterConfiguration`. Including `kubernetes_pod_network.cidr` and `kubernetes_version_kubeadm` here are for backward-compatibilty to older versions of this role, where they were used with command-line-options.
 ```yaml
 kubernetes_config_kubelet_configuration:
  cgroupDriver: systemd
 ```
 Options to configure kubelet on any nodes in your cluster through the `kubeadm init` process. For syntax options read the [kubelet config file](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file) and [kubelet integration](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration) documentation.
 NOTE: This is the recommended way to do the kubelet-configuration. Most command-line-options are deprecated.
 NOTE: The recommended cgroupDriver depends on your [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes). When using this role with Docker instead of containerd, this value should be changed to `cgroupfs`.
 ```yaml
 kubernetes_config_kube_proxy_configuration: {}
 ```
 Options to configure kubelet's proxy configuration in the `KubeProxyConfiguration` section of the kubelet configuration.
 ### Variables to configure kubeadm and kubelet through command-line-options
 ```yaml
 kubernetes_kubelet_extra_args: ""
 kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
 ```
 Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`. **This option is deprecated. Please use `kubernetes_config_kubelet_configuration` instead.**
 ```yaml
 kubernetes_kubeadm_init_extra_opts: ""
 ```
 Extra args to pass to `kubeadm init` during K8s control plane initialization. E.g. to specify extra Subject Alternative Names for API server certificate, set this to: `"--apiserver-cert-extra-sans my-custom.host"`
-```yaml
+    kubernetes_join_command_extra_opts: ""
 kubernetes_join_command_extra_opts: ""
 ```
 Extra args to pass to the generated `kubeadm join` command during K8s node initialization. E.g. to ignore certain preflight errors like swap being enabled, set this to: `--ignore-preflight-errors=Swap`
-### Additional variables
+    kubernetes_allow_pods_on_master: true
-```yaml
+Whether to remove the taint that denies pods from being deployed to the Kubernetes master. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes master which doesn't run any other pods.
 kubernetes_allow_pods_on_control_plane: true
 ```
-Whether to remove the taint that denies pods from being deployed to the Kubernetes control plane. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes control plane which doesn't run any other pods.
+    kubernetes_enable_web_ui: false
    kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
-```yaml
+Whether to enable the Kubernetes web dashboard UI (only accessible on the master itself, or proxied), and the file containing the web dashboard UI manifest.
-kubernetes_pod_network:
+
    kubernetes_pod_network:
      # Flannel CNI.
      cni: 'flannel'
      cidr: '10.244.0.0/16'
  #
      # Calico CNI.
      # cni: 'calico'
      # cidr: '192.168.0.0/16'
  #
  # Weave CNI.
  # cni: 'weave'
  # cidr: '192.168.0.0/16'
 ```
-This role currently supports `flannel` (default), `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.
+This role currently supports `flannel` (default) or `calico` for cluster pod networking. Choose one or the other for your cluster; converting between the two is not done automatically and could result in broken networking, and should be done outside of this role.
-```yaml
+    kubernetes_apiserver_advertise_address: ''
-kubernetes_apiserver_advertise_address: ''`
+    kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
-kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'`
+    kubernetes_ignore_preflight_errors: 'all'
 kubernetes_ignore_preflight_errors: 'all'
 ```
-Options passed to `kubeadm init` when initializing the Kubernetes control plane. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
+Options passed to `kubeadm init` when initializing the Kubernetes master. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
-```yaml
+    kubernetes_apt_release_channel: main
-kubernetes_apt_release_channel: "stable"
+    kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
-kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
+    kubernetes_apt_ignore_key_error: false
 ```
 Apt repository options for Kubernetes installation.
-```yaml
+    kubernetes_yum_arch: x86_64
 kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
 kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
 kubernetes_yum_gpg_check: true
 kubernetes_yum_repo_gpg_check: true
 ```
-Yum repository options for Kubernetes installation. You can change `kubernete_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `kubernetes_yum_base_url` as well.
+Yum repository options for Kubernetes installation.
-```yaml
+    kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
-kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
+    kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
 ```
-Flannel manifest file to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
+Flannel manifest files to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
 ```yaml
 kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml
 ```
 Calico manifest file to apply to the Kubernetes cluster (if using Calico instead of Flannel).
 ## Dependencies
@ -173,25 +92,25 @@ None.
 ## Example Playbooks
-### Single node (control-plane-only) cluster
+### Single node (master-only) cluster
 ```yaml
 - hosts: all
  vars:
-    kubernetes_allow_pods_on_control_plane: true
+    kubernetes_allow_pods_on_master: true
  roles:
    - geerlingguy.docker
    - geerlingguy.kubernetes
 ```
-### Two or more nodes (single control-plane) cluster
+### Two or more nodes (single master) cluster
-Control plane inventory vars:
+Master inventory vars:
 ```yaml
-kubernetes_role: "control_plane"
+kubernetes_role: "master"
 ```
 Node(s) inventory vars:
@ -206,14 +125,14 @@ Playbook:
 - hosts: all
  vars:
-    kubernetes_allow_pods_on_control_plane: true
+    kubernetes_allow_pods_on_master: true
  roles:
    - geerlingguy.docker
    - geerlingguy.kubernetes
 ```
-Then, log into the Kubernetes control plane, and run `kubectl get nodes` as root, and you should see a list of all the servers.
+Then, log into the Kubernetes master, and run `kubectl get nodes` as root, and you should see a list of all the servers.
 ## License
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -9,17 +9,19 @@ kubernetes_packages:
  - name: kubernetes-cni
    state: present
-kubernetes_version: '1.32'
+kubernetes_version: '1.16'
-kubernetes_version_rhel_package: '1.32'
+kubernetes_version_rhel_package: '1.16.4'
-kubernetes_role: control_plane
+kubernetes_role: master
 # This is deprecated. Please use kubernetes_config_kubelet_configuration instead.
 kubernetes_kubelet_extra_args: ""
 kubernetes_kubeadm_init_extra_opts: ""
 kubernetes_join_command_extra_opts: ""
-kubernetes_allow_pods_on_control_plane: true
+
 kubernetes_allow_pods_on_master: true
 kubernetes_enable_web_ui: true
 kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
 kubernetes_pod_network:
  # Flannel CNI.
  cni: 'flannel'
@ -28,44 +30,20 @@ kubernetes_pod_network:
  # cni: 'calico'
  # cidr: '192.168.0.0/16'
 kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
 kubernetes_config_kubeadm_apiversion: v1beta3
 kubenetes_config_kubelet_apiversion: v1beta1
 kubernetes_config_kubeproxy_apiversion: v1alpha1
 kubernetes_config_kubelet_configuration:
  cgroupDriver: "systemd"
 kubernetes_config_init_configuration:
  localAPIEndpoint:
    advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
 # if you use the next lines, remove the command line argument below
 # nodeRegistration:
 #    ignorePreflightErrors:
 #      - all
 kubernetes_config_cluster_configuration:
  networking:
    podSubnet: "{{ kubernetes_pod_network.cidr }}"
  kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
 kubernetes_config_kube_proxy_configuration: {}
 kubernetes_apiserver_advertise_address: ''
 kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
 kubernetes_ignore_preflight_errors: 'all'
-kubernetes_apt_release_channel: "stable"
+kubernetes_apt_release_channel: main
-kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb/"
+# Note that xenial repo is used for all Debian derivatives at this time.
 kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
 kubernetes_apt_ignore_key_error: false
-kubernetes_yum_base_url: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/"
+kubernetes_yum_arch: x86_64
 kubernetes_yum_gpg_key: "https://pkgs.k8s.io/core:/stable:/v{{ kubernetes_version }}/rpm/repodata/repomd.xml.key"
 kubernetes_yum_gpg_check: true
 kubernetes_yum_repo_gpg_check: true
-# Flannel config file.
+# Flannel config files.
-kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
+kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
 kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
-# Calico config file.
+# Calico config files
-kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml
+kubernetes_calico_manifest_file: https://docs.projectcalico.org/v3.10/manifests/calico.yaml
--- a/meta/main.yml
+++ b/meta/main.yml
@ -2,24 +2,24 @@
 dependencies: []
 galaxy_info:
  role_name: kubernetes
  author: geerlingguy
  description: Kubernetes for Linux.
  company: "Midwestern Mac, LLC"
  license: "license (BSD, MIT)"
-  min_ansible_version: 2.10
+  min_ansible_version: 2.4
  platforms:
    - name: EL
      versions:
        - 7
        - 8
    - name: Debian
      versions:
        - stretch
        - buster
        - bullseye
    - name: Ubuntu
      versions:
        - xenial
        - bionic
        - focal
        - jammy
  galaxy_tags:
    - system
    - containers
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -1,16 +1,12 @@
 ---
 - name: Converge
  hosts: all
-  #become: true
+  become: true
  vars:
-    # Allow swap in test environments (hard to control in some envs).
+    # Allow swap in test environments (hard to control in some Docker envs).
-    kubernetes_config_kubelet_configuration:
+    kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
-      cgroupDriver: "systemd"
+    docker_install_compose: false
      failSwapOn: false
      cgroupsPerQOS: true
      enforceNodeAllocatable: ['pods']
    containerd_config_cgroup_driver_systemd: true
  pre_tasks:
    - name: Update apt cache.
@ -29,7 +25,7 @@
      action: setup
  roles:
-    - role: geerlingguy.containerd
+    - role: geerlingguy.docker
    - role: geerlingguy.kubernetes
  post_tasks:
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -1,19 +1,19 @@
 ---
 role_name_check: 1
 dependency:
  name: galaxy
  options:
    ignore-errors: true
 driver:
  name: docker
 lint: |
  set -e
  yamllint .
  ansible-lint
 platforms:
  - name: instance
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
    command: ${MOLECULE_DOCKER_COMMAND:-""}
    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      - /var/lib/containerd
+      - /var/lib/docker
    cgroupns_mode: host
    privileged: true
    pre_build_image: true
 provisioner:
--- a/molecule/default/playbook-calico.yml
+++ b/molecule/default/playbook-calico.yml
@ -1,20 +1,16 @@
 ---
 - name: Converge
  hosts: all
-  #become: true
+  become: true
  vars:
    kubernetes_pod_network:
      cni: 'calico'
      cidr: '192.168.0.0/16'
-    # Allow swap in test environments (hard to control in some envs).
+    # Allow swap in test environments (hard to control in some Docker envs).
-    kubernetes_config_kubelet_configuration:
+    kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
-      cgroupDriver: "systemd"
+    docker_install_compose: false
      failSwapOn: false
      cgroupsPerQOS: true
      enforceNodeAllocatable: ['pods']
    containerd_config_cgroup_driver_systemd: true
  pre_tasks:
    - name: Update apt cache.
@ -33,7 +29,7 @@
      action: setup
  roles:
-    - role: geerlingguy.containerd
+    - role: geerlingguy.docker
    - role: geerlingguy.kubernetes
  post_tasks:
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@ -1,2 +1,2 @@
 ---
- src: geerlingguy.containerd
+- src: geerlingguy.docker
--- a/tasks/control-plane-setup.yml
+++ b/tasks/control-plane-setup.yml
@ -1,89 +0,0 @@
 ---
 - name: Create the directory for the kubernetes_config_file
  file:
    path: "{{ kubernetes_kubeadm_kubelet_config_file_path | dirname }}"
    state: directory
 - name: Deploy the config-file for kubeadm and kubelet
  template:
    src: "kubeadm-kubelet-config.j2"
    dest: "{{ kubernetes_kubeadm_kubelet_config_file_path }}"
 - name: Initialize Kubernetes control plane with kubeadm init
  command: >
    kubeadm init
    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
    {{ kubernetes_kubeadm_init_extra_opts }}
  register: kubeadmin_init
  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined)
 - name: Initialize Kubernetes control plane with kubeadm init and ignore_preflight_errors
  command: >
    kubeadm init
    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
    {{ kubernetes_kubeadm_init_extra_opts }}
  register: kubeadmin_init
  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined)
 - name: Print the init output to screen.
  debug:
    var: kubeadmin_init.stdout
    verbosity: 2
  when: not kubernetes_init_stat.stat.exists
 - name: Ensure .kube directory exists.
  file:
    path: ~/.kube
    state: directory
    mode: 0755
 - name: Symlink the kubectl admin.conf to ~/.kube/conf.
  file:
    src: /etc/kubernetes/admin.conf
    dest: ~/.kube/config
    state: link
    mode: 0644
 - name: Configure Flannel networking.
  command: "kubectl apply -f {{ kubernetes_flannel_manifest_file }}"
  register: flannel_result
  changed_when: "'created' in flannel_result.stdout"
  when: kubernetes_pod_network.cni == 'flannel'
  until: flannel_result is not failed
  retries: 12
  delay: 5
 - name: Configure Calico networking.
  command: "kubectl apply -f {{ kubernetes_calico_manifest_file }}"
  register: calico_result
  changed_when: "'created' in calico_result.stdout"
  when: kubernetes_pod_network.cni == 'calico'
  until: calico_result is not failed
  retries: 12
  delay: 5
 - name: Get Kubernetes version for Weave installation.
  shell: kubectl version | base64 | tr -d '\n'
  changed_when: false
  register: kubectl_version
  when: kubernetes_pod_network.cni == 'weave'
  until: kubectl_version is not failed
  retries: 12
  delay: 5
 - name: Configure Weave networking.
  command: "{{ item }}"
  with_items:
    - "kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version={{ kubectl_version.stdout_lines[0] }}"
  register: weave_result
  changed_when: "'created' in weave_result.stdout"
  when: kubernetes_pod_network.cni == 'weave'
 # TODO: Check if taint exists with something like `kubectl describe nodes`
 # instead of using kubernetes_init_stat.stat.exists check.
 - name: Allow pods on control plane (if configured).
  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
  when:
    - kubernetes_allow_pods_on_control_plane | bool
    - not kubernetes_init_stat.stat.exists
--- a/tasks/kubelet-setup.yml
+++ b/tasks/kubelet-setup.yml
@ -1,42 +1,34 @@
 ---
-
+- name: Check for existence of kubelet environment file.
 # ---- DEPRECATED ----------------
 #
 # Most of the kubernetes_kubelet_extra_args are deprecated. See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet for details.
 # Use the kubernetes_kubelet_config variable instead, which will be used to create the kubelet config file.
 - name: Check for existence of kubelet environment file. (deprecated)
  stat:
    path: '{{ kubelet_environment_file_path }}'
  register: kubelet_environment_file
- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists. (deprecated)
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists.
  set_fact:
    kubelet_args_path: '{{ kubelet_environment_file_path }}'
    kubelet_args_line: "{{ 'KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args }}"
    kubelet_args_regexp: '^KUBELET_EXTRA_ARGS='
  when: kubelet_environment_file.stat.exists
- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist. (deprecated)
+- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist.
  set_fact:
    kubelet_args_path: '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'
    kubelet_args_line: "{{ 'Environment=\"KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args + '\"' }}"
    kubelet_args_regexp: '^Environment="KUBELET_EXTRA_ARGS='
  when: not kubelet_environment_file.stat.exists
- name: Configure KUBELET_EXTRA_ARGS. (deprecated)
+- name: Configure KUBELET_EXTRA_ARGS.
  lineinfile:
    path: '{{ kubelet_args_path }}'
    line: '{{ kubelet_args_line }}'
    regexp: '{{ kubelet_args_regexp }}'
    state: present
-    mode: 0644
+  register: kubelet_config_file
  register: kubelet_extra_args
  when: kubernetes_kubelet_extra_args|length > 0
- name: Reload systemd unit if args were changed. (deprecated)
+- name: Reload systemd unit if args were changed.
  systemd:
    state: restarted
    daemon_reload: true
    name: kubelet
-  when: kubelet_extra_args is changed
+  when: kubelet_config_file is changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -18,10 +18,7 @@
  notify: restart kubelet
  with_items: "{{ kubernetes_packages }}"
- include_tasks: sysctl-setup.yml
+- include_tasks: kubelet-setup.yml
 - include_tasks: kubelet-setup.yml  # deprecated
  when: kubernetes_kubelet_extra_args|length > 0
 - name: Ensure kubelet is started and enabled at boot.
  service:
@ -34,15 +31,15 @@
    path: /etc/kubernetes/admin.conf
  register: kubernetes_init_stat
-# Set up control plane.
+# Set up master.
- include_tasks: control-plane-setup.yml
+- include_tasks: master-setup.yml
-  when: kubernetes_role == 'control_plane'
+  when: kubernetes_role == 'master'
 # Set up nodes.
- name: Get the kubeadm join command from the Kubernetes control plane.
+- name: Get the kubeadm join command from the Kubernetes master.
  command: kubeadm token create --print-join-command
  changed_when: false
-  when: kubernetes_role == 'control_plane'
+  when: kubernetes_role == 'master'
  register: kubernetes_join_command_result
 - name: Set the kubeadm join command globally.
--- a/tasks/master-setup.yml
+++ b/tasks/master-setup.yml
@ -0,0 +1,66 @@
 ---
 - name: Initialize Kubernetes master with kubeadm init.
  command: >
    kubeadm init
    --pod-network-cidr={{ kubernetes_pod_network.cidr }}
    --apiserver-advertise-address={{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}
    --kubernetes-version {{ kubernetes_version_kubeadm }}
    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
    {{ kubernetes_kubeadm_init_extra_opts }}
  register: kubeadmin_init
  when: not kubernetes_init_stat.stat.exists
 - name: Print the init output to screen.
  debug:
    var: kubeadmin_init.stdout
    verbosity: 2
  when: not kubernetes_init_stat.stat.exists
 - name: Ensure .kube directory exists.
  file:
    path: ~/.kube
    state: directory
 - name: Symlink the kubectl admin.conf to ~/.kube/conf.
  file:
    src: /etc/kubernetes/admin.conf
    dest: ~/.kube/config
    state: link
 - name: Configure Flannel networking.
  command: "{{ item }}"
  with_items:
    - kubectl apply -f {{ kubernetes_flannel_manifest_file_rbac }}
    - kubectl apply -f {{ kubernetes_flannel_manifest_file }}
  register: flannel_result
  changed_when: "'created' in flannel_result.stdout"
  when: kubernetes_pod_network.cni == 'flannel'
 - name: Configure Calico networking.
  command: "{{ item }}"
  with_items:
    - kubectl apply -f {{ kubernetes_calico_manifest_file }}
  register: calico_result
  changed_when: "'created' in calico_result.stdout"
  when: kubernetes_pod_network.cni == 'calico'
 # TODO: Check if taint exists with something like `kubectl describe nodes`
 # instead of using kubernetes_init_stat.stat.exists check.
 - name: Allow pods on master node (if configured).
  command: "kubectl taint nodes --all node-role.kubernetes.io/master-"
  when:
    - kubernetes_allow_pods_on_master | bool
    - not kubernetes_init_stat.stat.exists
 - name: Check if Kubernetes Dashboard UI service already exists.
  shell: kubectl get services --namespace kube-system | grep -q kubernetes-dashboard
  changed_when: false
  failed_when: false
  register: kubernetes_dashboard_service
  when: kubernetes_enable_web_ui | bool
 - name: Enable the Kubernetes Web Dashboard UI (if configured).
  command: "kubectl create -f {{ kubernetes_web_ui_manifest_file }}"
  when:
    - kubernetes_enable_web_ui | bool
    - kubernetes_dashboard_service is failed
--- a/tasks/node-setup.yml
+++ b/tasks/node-setup.yml
@ -1,5 +1,5 @@
 ---
- name: Join node to Kubernetes control plane.
+- name: Join node to Kubernetes master
  shell: >
    {{ kubernetes_join_command }}
    creates=/etc/kubernetes/kubelet.conf
--- a/tasks/setup-Debian.yml
+++ b/tasks/setup-Debian.yml
@ -4,25 +4,22 @@
    name:
      - apt-transport-https
      - ca-certificates
      - python3-debian
    state: present
- name: Add Kubernetes repository.
+- name: Add Kubernetes apt key.
-  deb822_repository:
+  apt_key:
-    name: kubernetes
+    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
-    types: deb
+    state: present
-    uris: "{{ kubernetes_apt_repository }}"
+  register: add_repository_key
-    suites: /
+  ignore_errors: "{{ kubernetes_apt_ignore_key_error }}"
    signed_by: "{{ kubernetes_apt_repository }}/Release.key"
  register: kubernetes_repository
- name: Update Apt cache.
+- name: Add Kubernetes repository.
-  apt:
+  apt_repository:
    repo: "{{ kubernetes_apt_repository }}"
    state: present
    update_cache: true
  when: kubernetes_repository.changed
 - name: Add Kubernetes apt preferences file to pin a version.
  template:
    src: apt-preferences-kubernetes.j2
    dest: /etc/apt/preferences.d/kubernetes
    mode: 0644
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@ -4,17 +4,24 @@
    name: kubernetes
    description: Kubernetes
    enabled: true
-    gpgcheck: "{{ kubernetes_yum_gpg_check }}"
+    gpgcheck: true
-    repo_gpgcheck: "{{ kubernetes_yum_repo_gpg_check }}"
+    repo_gpgcheck: true
-    baseurl: "{{ kubernetes_yum_base_url }}"
+    baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ kubernetes_yum_arch }}
-    gpgkey: "{{ kubernetes_yum_gpg_key }}"
+    gpgkey:
      - https://packages.cloud.google.com/yum/doc/yum-key.gpg
      - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 - name: Add Kubernetes GPG keys.
  rpm_key:
-    key: "{{ kubernetes_yum_gpg_key }}"
+    key: "{{ item }}"
    state: present
  register: kubernetes_rpm_key
  with_items:
    - https://packages.cloud.google.com/yum/doc/yum-key.gpg
    - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 - name: Make cache if Kubernetes GPG key changed.
  command: "yum -q makecache -y --disablerepo='*' --enablerepo='kubernetes'"
  when: kubernetes_rpm_key is changed
  args:
    warn: false
--- a/tasks/sysctl-setup.yml
+++ b/tasks/sysctl-setup.yml
@ -1,21 +0,0 @@
 ---
 - name: Ensure procps is installed.
  package:
    name: "{{ procps_package }}"
    state: present
  when: >
    ansible_distribution != 'Debian'
    or ansible_distribution_major_version | int < 10
 # See: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#letting-iptables-see-bridged-traffic
 - name: Let iptables see bridged traffic.
  sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
  loop:
    - net.bridge.bridge-nf-call-iptables
    - net.bridge.bridge-nf-call-ip6tables
  when: >
    ansible_distribution != 'Debian'
    or ansible_distribution_major_version | int < 10
--- a/templates/kubeadm-kubelet-config.j2
+++ b/templates/kubeadm-kubelet-config.j2
@ -1,20 +0,0 @@
 ---
 apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
 kind: InitConfiguration
 {{ kubernetes_config_init_configuration | to_nice_yaml }}
 ---
 apiVersion: kubeadm.k8s.io/{{ kubernetes_config_kubeadm_apiversion }}
 kind: ClusterConfiguration
 {{ kubernetes_config_cluster_configuration | to_nice_yaml }}
 {% if kubernetes_config_kubelet_configuration|length > 0 %}
 ---
 apiVersion: kubelet.config.k8s.io/{{ kubenetes_config_kubelet_apiversion }}
 kind: KubeletConfiguration
 {{ kubernetes_config_kubelet_configuration | to_nice_yaml }}
 {% endif %}
 {% if kubernetes_config_kube_proxy_configuration|length > 0 %}
 ---
 apiVersion: kubeproxy.config.k8s.io/{{ kubernetes_config_kubeproxy_apiversion }}
 kind: KubeProxyConfiguration
 {{ kubernetes_config_kube_proxy_configuration | to_nice_yaml }}
 {% endif %}
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -1,3 +1,2 @@
 ---
 procps_package: procps
 kubelet_environment_file_path: /etc/default/kubelet
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,3 +1,11 @@
 ---
 procps_package: procps-ng
 kubelet_environment_file_path: /etc/sysconfig/kubelet
 kubernetes_packages:
  - name: kubelet-{{ kubernetes_version_rhel_package }}-0
    state: present
  - name: kubectl-{{ kubernetes_version_rhel_package }}-0
    state: present
  - name: kubeadm-{{ kubernetes_version_rhel_package }}-0
    state: present
  - name: kubernetes-cni
    state: present
`@ -1,2 +1,2 @@`
	`---`	`---`
	`- src: geerlingguy.containerd`	`- src: geerlingguy.docker`