---
# disclaimer
# I was not able to enable the pod security flags via kubespray and roll
# them out in an existing cluster
#
# tried to set the following VARS
# * kube_kubeadm_apiserver_extra_args
# * kubelet_custom_flags
# rollout with --tags kubelet,master
# also whole cluster.yml
# => but flags weren't set

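# Add the PodSecurity feature gate to the kubelet arguments on every host in
# the k8s_cluster group and restart the kubelet only when the env file was
# actually modified.
# NOTE(review): Pod Security admission is enforced by the API server; the
# kubelet-side gate is probably not required - confirm before keeping it.
# NOTE(review): kubelet.env is presumably templated by kubespray, so a later
# kubespray run may overwrite this hand edit - verify after each run.
- name: "Configure kubelet"
  become: true
  when:
    - inventory_hostname in groups['k8s_cluster']
  block:
    - name: "Add line in kubelet.env file"
      ansible.builtin.lineinfile:
        path: '/etc/kubernetes/kubelet.env'
        state: present
        # If this pattern matches nothing, lineinfile appends the line at the
        # end of the file instead, where it would sit outside the argument
        # list; check the file on a host where the anchor line may differ.
        insertafter: '^--runtime-cgroups=/systemd/system.slice'
        # Single quotes keep the trailing backslash literal (line
        # continuation). With no regexp given, idempotency relies on this
        # exact line already being present; a differently written
        # --feature-gates entry is not detected and would be duplicated.
        line: '--feature-gates=PodSecurity=true \'
      register: kubelet_conf

    # FQCN used for consistency with ansible.builtin.lineinfile above.
    - name: "Restart kubelet"
      ansible.builtin.systemd:
        name: kubelet
        state: restarted
      when: kubelet_conf.changed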
# Add the PodSecurity feature gate to the kube-apiserver static pod manifest
# on each control-plane host, one host at a time (throttle: 1), presumably so
# that the API servers do not all restart together when the kubelet picks up
# the changed manifest.
#
# Review notes:
# - PodSecurity was an alpha gate in Kubernetes v1.22, enabled by default
#   from v1.23 and GA in v1.25. Gates for GA features are removed in later
#   releases, and a component refuses to start with an unknown gate, so
#   confirm the cluster version before running this.
# - NOTE(review): on v1.22 the PodSecurity admission plugin may also have to
#   be listed in --enable-admission-plugins - confirm against the release
#   documentation.
# - If the insertafter pattern matches nothing, lineinfile appends the line
#   at the end of the manifest, which is not inside the command list.
# - The leading whitespace of `line` must equal the indentation of the other
#   command entries in the manifest. NOTE(review): the page this was copied
#   from may have collapsed the spaces - verify against the real manifest.
# - Avoid adding `backup: true`: the copy would be written into the static
#   pod directory, where the kubelet may load it as a second pod definition.
- name: 'Configure apiserver: Add line in apiserver manifest'
  when: inventory_hostname in groups['kube_control_plane']
  throttle: 1
  become: true
  ansible.builtin.lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    insertafter: '- --secure-port=6443'
    line: ' - --feature-gates=PodSecurity=true'
    state: present