diff --git a/ansible_header.j2 b/ansible_header.j2
new file mode 100644
index 0000000..0377d97
--- /dev/null
+++ b/ansible_header.j2
@@ -0,0 +1,3 @@
+## This is an Ansible managed file, contents will be overwritten ##
+
+{{ file_contents }}
diff --git a/roles/rke2_common/tasks/add-pod-security-admission-config.yml b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
deleted file mode 100644
index 1f572e6..0000000
--- a/roles/rke2_common/tasks/add-pod-security-admission-config.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: Create the /etc/rancher/rke2 config dir
- ansible.builtin.file:
- path: /etc/rancher/rke2
- state: directory
- recurse: yes
-
- name: Add pod security admission config file
- ansible.builtin.copy:
- src: "{{ pod_security_admission_config_file_path }}"
- dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- mode: '0640'
- owner: root
- group: root
- when: caller_role_name == "server"
- notify: Restart rke2-server
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
index 4bb92a6..7850275 100644
--- a/roles/rke2_common/tasks/main.yml
+++ b/roles/rke2_common/tasks/main.yml
@@ -74,10 +74,6 @@
 ansible.builtin.include_tasks: add-registry-config.yml
 when: registry_config_file_path | length > 0
 
-- name: Include task file add-pod-security-admission-config.yml
- ansible.builtin.include_tasks: add-pod-security-admission-config.yml
- when: pod_security_admission_config_file_path | length > 0
-
- name: Run CIS-Hardening Tasks
- ansible.builtin.include_role:
- name: rke2_common
diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
new file mode 100644
index 0000000..79200cd
--- /dev/null
+++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+ ansible.builtin.file:
+ path: /etc/rancher/rke2
+ state: directory
+ recurse: yes
+
+- name: Add pod security admission config file
+ vars:
+ file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+ ansible.builtin.template:
+ src: ansible_header.j2
+ dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ mode: '0640'
+ owner: root
+ group: root
+ when:
+ - pod_security_admission_config_file_path is defined
+ - pod_security_admission_config_file_path|length != 0
+ notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+ block:
+ - name: Check that the PSA config file exists
+ ansible.builtin.stat:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ register: stat_result
+
+ - name: "Check that the PSA config file has ansible managed comments"
+ lineinfile:
+ name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ line: '## This is an Ansible managed file, contents will be overwritten ##'
+ state: present
+ check_mode: yes
+ register: ansible_managed_check
+ when: stat_result.stat.exists
+
+ - name: Remove the PSA config file if exists and has ansible managed comments
+ ansible.builtin.file:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ state: absent
+ when:
+ - ansible_managed_check.changed == false
+ when:
+ - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
\ No newline at end of file
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
index e0efd78..b9654ea 100644
--- a/roles/rke2_server/tasks/main.yml
+++ b/roles/rke2_server/tasks/main.yml
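Review bot: The removal branch never notifies `Restart rke2-server`, while the add branch does, so after the managed PSA config file is deleted the running server presumably keeps enforcing the admission configuration it loaded at startup until something else restarts it; whether a restart is wanted here depends on whether the server config still references the file, which this hunk does not show, so either add `notify: Restart rke2-server` to the `Remove the PSA config file if exists and has ansible managed comments` task or put a comment above the `Remove pod security admission config file` block stating that the deletion is deliberately picked up only on the next restart. Two smaller points in the same block: `lineinfile` is the only module in the file written without its `ansible.builtin.` prefix, and `ansible_managed_check.changed == false` reads better as `not ansible_managed_check.changed`. The `check_mode: yes` and `recurse: yes` values should be `true` to match the lowercase booleans yamllint expects, and the path `/etc/rancher/rke2/pod-security-admission-config.yaml` is repeated four times, so hoisting it into one variable would keep the add and remove branches from drifting apart. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.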
@@ -7,6 +7,9 @@
 name: rke2_common
 tasks_from: main
+- name: Include task file add-pod-security-admission-config.yml
+ ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+
 - name: Setup initial server
 ansible.builtin.include_tasks: first_server.yml
 when: inventory_hostname in groups['rke2_servers'][0]
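Review bot: The added include carries no `when`, whereas the include it replaces in roles/rke2_common/tasks/main.yml was gated on `pod_security_admission_config_file_path | length > 0`; that is only correct because the new task file decides itself between adding and removing the config, and a future reader who re-adds the guard would silently disable the removal branch. A one-line comment above the added task, `# always included: the task file itself adds or removes the PSA config based on pod_security_admission_config_file_path`, would make the intent explicit. The surrounding play list continues outside this hunk.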