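---
# Disclaimer
# I was not able to enable the pod security flags via kubespray and roll
# them out to an existing cluster.
#
# Tried to set the following vars:
#   * kube_kubeadm_apiserver_extra_args
#   * kubelet_custom_flags
# Rolled out with --tags kubelet,master and also with the whole
# cluster.yml => but the flags weren't set.
#
# These tasks therefore patch the generated files in place.
#
# NOTE(review): in-place edits to generated files are presumably lost when
# kubespray/kubeadm regenerates them (upgrade, re-run), which would drop
# the gate again without any error. Re-check after every such run.
#
# NOTE(review): the PodSecurity gate only has to be set on releases where
# the feature is still alpha (off by default). Once a gate has been
# removed upstream, passing it stops the component from starting, so
# confirm the cluster version before applying this.
#
# NOTE(review): enabling the gate does not restrict anything by itself;
# namespaces still need pod-security.kubernetes.io/* labels (or an
# admission configuration with defaults) for a policy to be enforced.

- name: "Configure kubelet"
  become: true
  when:
    - inventory_hostname in groups['k8s_cluster']
  block:
    # lineinfile falls back to appending at EOF when `insertafter` matches
    # nothing. This assumes kubelet.env lists one flag per line ending in a
    # backslash (as the anchor and the inserted line imply); an append at
    # EOF would land outside that argument list. Verify the anchor exists.
    # NOTE(review): PodSecurity admission runs in the API server; the
    # kubelet flag likely has no enforcement effect. Confirm it is needed.
    # An existing --feature-gates entry is not merged, only duplicated.
    - name: "Add line in kubelet.env file"
      ansible.builtin.lineinfile:
        state: present
        path: '/etc/kubernetes/kubelet.env'
        insertafter: '^--runtime-cgroups=/systemd/system.slice'
        line: '--feature-gates=PodSecurity=true \'
      register: kubelet_conf

    # Restart only when the env file was actually modified.
    - name: "Restart kubelet"
      ansible.builtin.systemd:
        name: kubelet
        state: restarted
      when: kubelet_conf is changed

# The kubelet recreates the static pod when the manifest changes.
# `throttle: 1` edits one control-plane node at a time, but nothing here
# waits for that API server to become healthy before the next node is
# edited; consider a health check between nodes.
# Do not enable lineinfile's `backup` here: a copy left in the manifests
# directory may be picked up by the kubelet as another static pod.
- name: "Configure apiserver: Add line in apiserver manifest"
  become: true
  throttle: 1
  when:
    - inventory_hostname in groups['kube_control_plane']
  ansible.builtin.lineinfile:
    state: present
    path: '/etc/kubernetes/manifests/kube-apiserver.yaml'
    insertafter: '- --secure-port=6443'
    # The inserted entry must carry the same indentation as the sibling
    # `- --secure-port=6443` entry, otherwise the manifest no longer
    # parses and the API server pod is not started. Four spaces matches
    # kubeadm-generated manifests; verify against the file on the nodes.
    line: '    - --feature-gates=PodSecurity=true'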