diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml index f16ea25..4682d9a 100644 --- a/roles/rke2_common/tasks/images_tarball_install.yml +++ b/roles/rke2_common/tasks/images_tarball_install.yml @@ -23,12 +23,12 @@ - name: Download images tar files url ansible.builtin.get_url: - url: "{{item}}" + url: "{{ item }}" dest: "/var/lib/rancher/rke2/agent/images" mode: "0644" when: - rke2_images_urls != [] - with_items: "{{rke2_images_urls}}" + with_items: "{{ rke2_images_urls }}" - name: Add images tar.gz to needed directory if provided ansible.builtin.copy: diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml index 8df2c2d..4b7a193 100644 --- a/roles/rke2_server/tasks/add-pod-security-admission-config.yml +++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml 
@@ -1,45 +1,45 @@ ---- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - -- name: Add pod security admission config file - vars: - file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" - mode: '0640' - owner: root - group: root - when: - - pod_security_admission_config_file_path is defined - - pod_security_admission_config_file_path|length != 0 - notify: Restart rke2-server - -- name: Remove pod security admission config file - block: - - name: Check that the PSA config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - register: stat_result - - - name: "Check that the PSA config file has ansible managed comments" - lineinfile: - name: "/etc/rancher/rke2/pod-security-admission-config.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists - - - name: Remove the PSA config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - state: absent - when: - - ansible_managed_check.changed == false - when: - - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0 +--- +- name: Create the /etc/rancher/rke2 config dir + ansible.builtin.file: + path: /etc/rancher/rke2 + state: directory + recurse: yes + +- name: Add pod security admission config file + vars: + file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" + ansible.builtin.template: + src: ansible_header.j2 + dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" + mode: '0640' + owner: root + group: root + when: + - pod_security_admission_config_file_path 
is defined + - pod_security_admission_config_file_path|length != 0 + notify: Restart rke2-server + +- name: Remove pod security admission config file + when: + - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0 + block: + - name: Check that the PSA config file exists + ansible.builtin.stat: + path: "/etc/rancher/rke2/pod-security-admission-config.yaml" + register: stat_result + + - name: "Check that the PSA config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "/etc/rancher/rke2/pod-security-admission-config.yaml" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: Remove the PSA config file if exists and has ansible managed comments + ansible.builtin.file: + path: "/etc/rancher/rke2/pod-security-admission-config.yaml" + state: absent + when: + - ansible_managed_check.changed | bool is false diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml index d3ee1b2..fbde7fa 100644 --- a/sample_files/pod-security-admission-config.yaml +++ b/sample_files/pod-security-admission-config.yaml 
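Review bot: The "Create the /etc/rancher/rke2 config dir" task at the top of the hunk sets no `mode`, `owner` or `group`, so the directory gets whatever the remote umask yields, while the PSA file written into it a few lines later is deliberately pinned to `mode: '0640'` root:root; pinning the directory the same way (e.g. `mode: "0750"`, `owner: root`, `group: root`) would make that intent explicit, provided rke2 does not need the directory world-readable — worth confirming before changing it. `recurse: yes` with no attribute to apply only walks the existing contents, so it can be dropped unless a recursive attribute change is actually intended. For yamllint's truthy rule and YAML 1.1/1.2 portability, `recurse: yes` and `check_mode: yes` should be written `true`. A one-line comment above the final removal task, `# a skipped check (file absent) also reports changed: false, so this is a harmless no-op on a missing file`, would document why the `| bool is false` condition is safe when the stat finds nothing.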
@@ -1,57 +1,57 @@ ---- -apiVersion: apiserver.config.k8s.io/v1 -kind: AdmissionConfiguration -plugins: - - name: PodSecurity - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1 - kind: PodSecurityConfiguration - defaults: - enforce: "restricted" - enforce-version: "latest" - audit: "restricted" - audit-version: "latest" - warn: "restricted" - warn-version: "latest" - exemptions: - usernames: [] - runtimeClasses: [] - namespaces: [calico-apiserver, - calico-system, - cattle-alerting, - cattle-csp-adapter-system, - cattle-elemental-system, - cattle-epinio-system, - cattle-externalip-system, - cattle-fleet-local-system, - cattle-fleet-system, - cattle-gatekeeper-system, - cattle-global-data, - cattle-global-nt, - cattle-impersonation-system, - cattle-istio, - cattle-istio-system, - cattle-logging, - cattle-logging-system, - cattle-monitoring-system, - cattle-neuvector-system, - cattle-prometheus, - cattle-provisioning-capi-system, - cattle-resources-system, - cattle-sriov-system, - cattle-system, - cattle-ui-plugin-system, - cattle-windows-gmsa-system, - cert-manager, - cis-operator-system, - fleet-default, - ingress-nginx, - istio-system, - kube-node-lease, - kube-public, - kube-system, - longhorn-system, - local-path-storage, - rancher-alerting-drivers, - security-scan, - tigera-operator] \ No newline at end of file +--- +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +plugins: + - name: PodSecurity + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1 + kind: PodSecurityConfiguration + defaults: + enforce: "restricted" + enforce-version: "latest" + audit: "restricted" + audit-version: "latest" + warn: "restricted" + warn-version: "latest" + exemptions: + usernames: [] + runtimeClasses: [] + namespaces: [calico-apiserver, + calico-system, + cattle-alerting, + cattle-csp-adapter-system, + cattle-elemental-system, + cattle-epinio-system, + cattle-externalip-system, + cattle-fleet-local-system, + 
cattle-fleet-system, + cattle-gatekeeper-system, + cattle-global-data, + cattle-global-nt, + cattle-impersonation-system, + cattle-istio, + cattle-istio-system, + cattle-logging, + cattle-logging-system, + cattle-monitoring-system, + cattle-neuvector-system, + cattle-prometheus, + cattle-provisioning-capi-system, + cattle-resources-system, + cattle-sriov-system, + cattle-system, + cattle-ui-plugin-system, + cattle-windows-gmsa-system, + cert-manager, + cis-operator-system, + fleet-default, + ingress-nginx, + istio-system, + kube-node-lease, + kube-public, + kube-system, + longhorn-system, + local-path-storage, + rancher-alerting-drivers, + security-scan, + tigera-operator]