ansible-collections/kubernetes
2
0
Fork 0
Code Issues 8 Pull Requests 1 Actions Projects Releases 28 Wiki Activity

Merge branch 'development' into 'master'

Browse Source 
chore: release

See merge request nofusscomputing/projects/ansible/collections/kubernetes!47
This commit is contained in:
Jon Lockwood
2024-03-16 13:57:33 +00:00
parent 55c59d3f56 d3666c6825
commit 4d006ebfa1
12 changed files with 123 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.vscode/settings.json vendored Normal file
View File

@ -0,0 +1,14 @@
{
"yaml.schemas": {
"https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/ansible.json#/$defs/tasks": [
"roles/nfc_firewall/tasks/*.yaml",
"roles/nfc_firewall/tasks/*/*.yaml",
"roles/nfc_firewall/tasks/*/*/*.yaml"
],
"https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/vars.json": [
"roles/nfc_kubernetes/variables/**.yaml"
]
},
"gitlab.aiAssistedCodeSuggestions.enabled": false,
"gitlab.duoChat.enabled": false,
}

1
docs/projects/ansible/collection/firewall/index.md Normal file
View File

@ -0,0 +1 @@
linked to

2
docs/projects/ansible/collection/kubernetes/index.md
View File

@ -19,7 +19,7 @@ about: https://gitlab.com/nofusscomputing/projects/ansible/collections/kubernete
</span> </span>
This Ansible Collection is for installing a K3s Kubernetes cluster, both single and multi-node cluster deployments are supported. This Ansible Collection is for installing a K3s Kubernetes cluster, both single and multi-node cluster deployments are supported. In addition to installing and configuring the firewall for the node. for further information on the firewall config please see the [firewall docs](../firewall/index.md)
## Installation ## Installation

2
docs/projects/ansible/collection/kubernetes/roles/nfc_kubernetes/firewall.md
View File

@ -10,7 +10,7 @@ This role include logic to generate firewall rules for iptables. Both IPv4 and I
Rules generation workflow: Rules generation workflow:
- itertes over all kubernetes hosts - iterates over all kubernetes hosts
- adds rules if host is masters for worker access - adds rules if host is masters for worker access

1
galaxy.yml
View File

@ -46,6 +46,7 @@ tags:
dependencies: dependencies:
ansible.posix: '1.5.4' ansible.posix: '1.5.4'
kubernetes.core: '3.0.0' kubernetes.core: '3.0.0'
nofusscomputing.firewall: '1.0.1'
# The URL of the originating SCM repository # The URL of the originating SCM repository

2
gitlab-ci

Submodule gitlab-ci updated: 41eeb7badd...a24f352ca3

2
roles/nfc_kubernetes/defaults/main.yml
View File

@ -34,6 +34,8 @@ nfc_role_kubernetes_container_images:
nfc_role_kubernetes_cluster_domain: cluster.local nfc_role_kubernetes_cluster_domain: cluster.local
nfc_role_kubernetes_configure_firewall: true
nfc_role_kubernetes_etcd_enabled: false nfc_role_kubernetes_etcd_enabled: false
nfc_role_kubernetes_install_olm: false nfc_role_kubernetes_install_olm: false

24
roles/nfc_kubernetes/tasks/install.yaml
View File

@ -21,28 +21,18 @@
nfc_kubernetes_install_architectures: "{{ nfc_kubernetes_install_architectures | default({}) | combine({ansible_architecture: ''}) }}" nfc_kubernetes_install_architectures: "{{ nfc_kubernetes_install_architectures | default({}) | combine({ansible_architecture: ''}) }}"
- name: Firewall Rules - name: Configure Kubernetes Firewall Rules
ansible.builtin.include_role: ansible.builtin.include_role:
name: nfc_firewall name: nofusscomputing.firewall.nfc_firewall
vars: vars:
nfc_firewall_enabled_kubernetes: "{{ nfc_kubernetes.enable_firewall | default(false) | bool }}" nfc_role_firewall_firewall_type: iptables
nfc_role_firewall_additional_rules: "{{ ( lookup('template', 'vars/firewall_rules.yaml') | from_yaml ).kubernetes_chains }}"
tags: tags:
- never - always
- install when: >
nfc_role_kubernetes_configure_firewall
# fix, reload firewall `iptables-reloader`
- name: Reload iptables
ansible.builtin.command:
cmd: bash -c /usr/bin/iptables-reloader
changed_when: false
tags:
- never
- install
# kubernetes_installed
- name: K3s Install - name: K3s Install
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: k3s/install.yaml file: k3s/install.yaml

6
roles/nfc_kubernetes/tasks/k3s/configure.yaml
View File

@ -14,7 +14,7 @@
- name: Check if FW dir exists - name: Check if FW dir exists
ansible.builtin.stat: ansible.builtin.stat:
name: /etc/iptables.rules.d name: /etc/iptables-reloader/rules.d
register: firewall_rules_dir_metadata register: firewall_rules_dir_metadata
@ -37,10 +37,10 @@
when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}" when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"
- src: iptables-kubernetes.rules.j2 - src: iptables-kubernetes.rules.j2
dest: "/etc/iptables.rules.d/iptables-kubernetes.rules" dest: "/etc/iptables-reloader/rules.d/iptables-kubernetes.rules"
notify: firewall_reloader notify: firewall_reloader
when: |- when: |-
{%- if nfc_kubernetes.enable_firewall -%} {%- if firewall_installed -%}
{{ firewall_rules_dir_metadata.stat.exists }} {{ firewall_rules_dir_metadata.stat.exists }}

2
roles/nfc_kubernetes/templates/iptables-kubernetes.rules.j2
View File

@ -1,7 +1,7 @@
# #
# IP Tables Firewall Rules for Kubernetes # IP Tables Firewall Rules for Kubernetes
# #
# Managed By ansible/role/nfc_kubernetes # Managed By ansible/collection/kubernetes
# #
# Dont edit this file directly as it will be overwritten. To grant a host API access # Dont edit this file directly as it will be overwritten. To grant a host API access
# edit the cluster config, adding the hostname/ip to path kubernetes_config.cluster.access # edit the cluster config, adding the hostname/ip to path kubernetes_config.cluster.access

2
roles/nfc_kubernetes/templates/k3s-config.yaml.j2
View File

@ -134,7 +134,7 @@
{%- else -%} {%- else -%}
{%- set node_name = inventory_hostnamet -%} {%- set node_name = inventory_hostname -%}
{%- endif -%} {%- endif -%}

90
roles/nfc_kubernetes/vars/firewall_rules.yaml Normal file
View File

@ -0,0 +1,90 @@
---
kubernetes_chains:
- name: kubernetes-embedded-etcd
chain: true
table: INPUT
protocol: tcp
dest:
port:
- '2379'
- '2380'
comment: etcd. Servers only
when: "{{ nfc_role_kubernetes_etcd_enabled }}"
- name: kubernetes-api
chain: true
table: INPUT
protocol: tcp
dest:
port: '6443'
comment: Kubernetes API access. All Cluster hosts and end users
- name: kubernetes-calico-bgp
chain: true
table: INPUT
protocol: tcp
dest:
port: '179'
comment: Kubernetes Calico BGP. All Cluster hosts and end users
when: false # currently hard set to false. see Installation-manifest-Calico_Cluster.yaml.j2
- name: kubernetes-flannel-vxlan
chain: true
table: INPUT
protocol: udp
dest:
port: '4789'
comment: Flannel. All cluster hosts
- name: kubernetes-kubelet-metrics
chain: true
table: INPUT
protocol: tcp
dest:
port: '10250'
comment: Kubernetes Metrics. All cluster hosts
- name: kubernetes-flannel-wg-four
chain: true
table: INPUT
protocol: udp
dest:
port: '51820'
comment: Flannel Wiregaurd IPv4. All cluster hosts
- name: kubernetes-flannel-wg-six
chain: true
table: INPUT
protocol: udp
dest:
port: '51821'
comment: Flannel Wiregaurd IPv6. All cluster hosts
when: false # ipv6 is disabled. see install.yaml sysctrl
- name: kubernetes-calico-typha
chain: true
table: INPUT
protocol: tcp
dest:
port: '5473'
comment: Calico networking with Typha enabled. Typha agent hosts.
- name: metallb-l2-tcp
chain: true
table: INPUT
protocol: tcp
dest:
port: '7946'
comment: MetalLB Gossip
when: "{{ nfc_kubernetes_enable_metallb }}"
- name: metallb-l2-udp
chain: true
table: INPUT
protocol: udp
dest:
port: '7946'
comment: MetalLB Gossip
when: "{{ nfc_kubernetes_enable_metallb }}"