From 47a7ba2339c05ce4277fb1c466eeb99d24bb1536 Mon Sep 17 00:00:00 2001
From: Mike DAmato
Date: Thu, 23 May 2024 15:35:50 -0400
Subject: [PATCH 1/3] fix the CIS hardening steps when tar URL is used
---
 roles/rke2_common/tasks/cis-hardening.yml | 4 +++-
 roles/rke2_common/tasks/main.yml | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2_common/tasks/cis-hardening.yml
index 5553a8a..67a12bb 100644
--- a/roles/rke2_common/tasks/cis-hardening.yml
+++ b/roles/rke2_common/tasks/cis-hardening.yml
@@ -27,6 +27,7 @@
 when:
 - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
 - not rke2_binary_tarball_check.stat.exists
+ - rke2_tarball_url is not defined or rke2_tarball_url == ""
 - name: Copy systemctl file for kernel hardening for non-yum installs
 ansible.builtin.copy:
@@ -38,7 +39,8 @@
 when: >-
 (ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or
- rke2_binary_tarball_check.stat.exists
+ rke2_binary_tarball_check.stat.exists or
+ (rke2_tarball_url is defined and rke2_tarball_url != "")
 - name: Restart systemd-sysctl
 ansible.builtin.service:
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
index 7850275..b940df7 100644
--- a/roles/rke2_common/tasks/main.yml
+++ b/roles/rke2_common/tasks/main.yml
@@ -33,6 +33,7 @@
 ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or
 rke2_binary_tarball_check.stat.exists or
+ (rke2_tarball_url is defined and rke2_tarball_url != "") or
 rke2_tarball_url != "" )
 - name: RHEL/CentOS Installation
From 573e949265f5eac0eee76224f8c3a92951137224 Mon Sep 17 00:00:00 2001
From: Mike DAmato
Date: Thu, 23 May 2024 16:58:19 -0400
Subject: [PATCH 2/3] remove duplicate when rke2_tarball_url not blank
---
 roles/rke2_common/tasks/main.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
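Review bot: The yum-path condition in the first cis-hardening hunk and the non-yum condition in the second are hand-written complements of the same "is this a tarball install" test, and main.yml's tarball selector (third hunk here, and again in patch 2) spells it out a third time; today they line up, but if any of the three drifts a host can match neither copy task and receive no CIS sysctl file at all, and nothing in these tasks would report that. Computing the predicate once before these tasks, e.g. `rke2_is_tarball_install: "{{ rke2_binary_tarball_check.stat.exists or (rke2_tarball_url | default('') != '') }}"` in a `set_fact`, and using `rke2_is_tarball_install` / `not rke2_is_tarball_install` in the three `when:` clauses keeps them exact complements by construction. The repeated `is defined` guards suggest `rke2_tarball_url` has no role default (not visible here); `rke2_tarball_url | default('')` covers the undefined and empty cases in one expression either way. The task headed by the first hunk's `when:` starts above the hunk.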
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
index b940df7..8b8bad6 100644
--- a/roles/rke2_common/tasks/main.yml
+++ b/roles/rke2_common/tasks/main.yml
@@ -24,7 +24,7 @@
 ansible.builtin.include_tasks: calculate_rke2_version.yml
 when:
 - not rke2_binary_tarball_check.stat.exists
- - rke2_tarball_url == ""
+ - rke2_tarball_url is not defined or rke2_tarball_url == ""
 - name: SLES/Ubuntu/Tarball Installation
 ansible.builtin.include_tasks: tarball_install.yml
@@ -33,8 +33,7 @@
 ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or
 rke2_binary_tarball_check.stat.exists or
- (rke2_tarball_url is defined and rke2_tarball_url != "") or
- rke2_tarball_url != "" )
+ (rke2_tarball_url is defined and rke2_tarball_url != ""))
 - name: RHEL/CentOS Installation
 when:
From 860877fb40023edc615cb58796c892c9967c6568 Mon Sep 17 00:00:00 2001
From: Mike DAmato
Date: Thu, 23 May 2024 17:55:14 -0400
Subject: [PATCH 3/3] make rke2 server restart faster by removing throttle
---
 roles/rke2_server/tasks/other_servers.yml | 70 +++++++++++------------
 1 file changed, 34 insertions(+), 36 deletions(-)
diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml
index 664e0e8..c075b05 100644
--- a/roles/rke2_server/tasks/other_servers.yml
+++ b/roles/rke2_server/tasks/other_servers.yml
@@ -30,44 +30,42 @@
 when:
 - '"server:" not in server_url_check.stdout'
-- name: Start and wait for healthy node
+- name: Start rke2-server
 throttle: 1
- block:
- - name: Start rke2-server
- ansible.builtin.systemd:
- name: rke2-server
- state: started
- enabled: yes
+ ansible.builtin.systemd:
+ name: rke2-server
+ state: started
+ enabled: yes
- - name: Wait for k8s apiserver reachability
- ansible.builtin.wait_for:
- host: "{{ kubernetes_api_server_host }}"
- port: "6443"
- state: present
- timeout: 300
+- name: Wait for k8s apiserver reachability
+ ansible.builtin.wait_for:
+ host: "{{ kubernetes_api_server_host }}"
+ port: "6443"
+ state: present
+ timeout: 300
- - name: Wait for kubelet process to be present on host
- ansible.builtin.command: >-
- ps -C kubelet -F -ww --no-headers
- register: kubelet_check
- until: kubelet_check.rc == 0
- retries: 20
- delay: 10
- changed_when: false
+- name: Wait for kubelet process to be present on host
+ ansible.builtin.command: >-
+ ps -C kubelet -F -ww --no-headers
+ register: kubelet_check
+ until: kubelet_check.rc == 0
+ retries: 20
+ delay: 10
+ changed_when: false
- - name: Extract the hostname-override parameter from the kubelet process
- ansible.builtin.set_fact:
- kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
- regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
- '\\1') }}"
+- name: Extract the hostname-override parameter from the kubelet process
+ ansible.builtin.set_fact:
+ kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
+ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
+ '\\1') }}"
- - name: Wait for node to show Ready status
- ansible.builtin.command: >-
- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
- --server https://127.0.0.1:6443 get no
{{ kubelet_hostname_override_parameter[0] }}
- -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
- register: status_result
- until: status_result.stdout.find("True") != -1
- retries: 20
- delay: 10
- changed_when: false
+- name: Wait for node to show Ready status
+ ansible.builtin.command: >-
+ /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
+ --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }}
+ -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
+ register: status_result
+ until: status_result.stdout.find("True") != -1
+ retries: 20
+ delay: 10
+ changed_when: false
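Review bot: `throttle: 1` is kept as a context line directly under the renamed `- name: Start rke2-server`, so the start task still runs one host at a time; what this hunk actually changes is that the four wait/extract tasks that used to sit inside the throttled block now run on all hosts concurrently, while the subject line says the throttle was removed. Either delete `  throttle: 1` as well, or reword the message to say the readiness waits are un-throttled and add a short comment above the start task saying why it stays serialized (presumably to avoid additional servers joining at the same time — worth confirming). Note that with Ansible's default linear strategy the old block did not wait for one server to be Ready before starting the next either, since each task in a block runs across all hosts before the next task begins, so the behaviour change really is limited to the waits and is worth stating as such. The re-indented `enabled: yes` should become `enabled: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags. The `when:` at the top of the hunk belongs to a task that starts above it.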