fix the CIS hardening steps when tar URL is used #231

Merged
merged 3 commits into from
May 24, 2024
4 changes: 3 additions & 1 deletion roles/rke2_common/tasks/cis-hardening.yml
Expand Up @@ -27,6 +27,7 @@
when:
- ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
- not rke2_binary_tarball_check.stat.exists
- rke2_tarball_url is not defined or rke2_tarball_url == ""

- name: Copy systemctl file for kernel hardening for non-yum installs
ansible.builtin.copy:
Expand All @@ -38,7 +39,8 @@
when: >-
(ansible_facts['os_family'] != 'RedHat' and
ansible_facts['os_family'] != 'Rocky') or
rke2_binary_tarball_check.stat.exists
rke2_binary_tarball_check.stat.exists or
(rke2_tarball_url is defined and rke2_tarball_url != "")

- name: Restart systemd-sysctl
ansible.builtin.service:
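Review bot: The gate `rke2_tarball_url is not defined or rke2_tarball_url == ""` added at line 41 and its negation added at lines 50-51 stay complementary only while both are edited together, and the same pair is repeated in main.yml at lines 63 and 72; since these four clauses decide whether the kernel-hardening sysctl file is installed at all, a host where neither branch fires after a later edit would silently skip hardening. The shorter idiom `rke2_tarball_url | default('') != ''` drops the `is defined` half, or better, compute the decision once in main.yml, e.g. `- ansible.builtin.set_fact: { rke2_tarball_install: "{{ rke2_binary_tarball_check.stat.exists or (rke2_tarball_url | default('') != '') }}" }`, and test `rke2_tarball_install` / `not rke2_tarball_install` in all four `when:` clauses. The first hunk reads `ansible_os_family` while the second reads `ansible_facts['os_family']`; they name the same fact, but the mixed spelling makes it harder to check that the two branches are exact opposites. Both tasks' bodies continue outside the hunks.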
4 changes: 2 additions & 2 deletions roles/rke2_common/tasks/main.yml
Expand Up @@ -24,7 +24,7 @@
ansible.builtin.include_tasks: calculate_rke2_version.yml
when:
- not rke2_binary_tarball_check.stat.exists
- rke2_tarball_url == ""
- rke2_tarball_url is not defined or rke2_tarball_url == ""

- name: SLES/Ubuntu/Tarball Installation
ansible.builtin.include_tasks: tarball_install.yml
Expand All @@ -33,7 +33,7 @@
((ansible_facts['os_family'] != 'RedHat' and
ansible_facts['os_family'] != 'Rocky') or
rke2_binary_tarball_check.stat.exists or
rke2_tarball_url != "" )
(rke2_tarball_url is defined and rke2_tarball_url != ""))

- name: RHEL/CentOS Installation
when:
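Review bot: `rke2_tarball_url is not defined or rke2_tarball_url == ""` at line 63 and its negation at line 72 correctly treat an undefined variable and an empty string alike, which removes the undefined-variable failure the old `rke2_tarball_url == ""` produced, but `rke2_tarball_url | default('') == ''` states the same in one filter; alternatively, declaring `rke2_tarball_url: ""` in the role defaults would make the `is defined` test unnecessary everywhere (the defaults file is not visible from here). Because a non-empty URL now bypasses calculate_rke2_version.yml, the fetched archive's version and integrity are established only in tarball_install.yml, which this PR does not touch; it is worth confirming that path verifies a checksum for the tarball before it is unpacked, since the URL is operator-supplied. The `when: >-` expression that line 72 closes begins above the hunk.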
70 changes: 34 additions & 36 deletions roles/rke2_server/tasks/other_servers.yml
Expand Up @@ -30,44 +30,42 @@
when:
- '"server:" not in server_url_check.stdout'

- name: Start and wait for healthy node
- name: Start rke2-server
throttle: 1
block:
- name: Start rke2-server
ansible.builtin.systemd:
name: rke2-server
state: started
enabled: yes
ansible.builtin.systemd:
name: rke2-server
state: started
enabled: yes

- name: Wait for k8s apiserver reachability
ansible.builtin.wait_for:
host: "{{ kubernetes_api_server_host }}"
port: "6443"
state: present
timeout: 300
- name: Wait for k8s apiserver reachability
ansible.builtin.wait_for:
host: "{{ kubernetes_api_server_host }}"
port: "6443"
state: present
timeout: 300

- name: Wait for kubelet process to be present on host
ansible.builtin.command: >-
ps -C kubelet -F -ww --no-headers
register: kubelet_check
until: kubelet_check.rc == 0
retries: 20
delay: 10
changed_when: false
- name: Wait for kubelet process to be present on host
ansible.builtin.command: >-
ps -C kubelet -F -ww --no-headers
register: kubelet_check
until: kubelet_check.rc == 0
retries: 20
delay: 10
changed_when: false

- name: Extract the hostname-override parameter from the kubelet process
ansible.builtin.set_fact:
kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
'\\1') }}"
- name: Extract the hostname-override parameter from the kubelet process
ansible.builtin.set_fact:
kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
'\\1') }}"

- name: Wait for node to show Ready status
ansible.builtin.command: >-
/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
--server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }}
-o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
register: status_result
until: status_result.stdout.find("True") != -1
retries: 20
delay: 10
changed_when: false
- name: Wait for node to show Ready status
ansible.builtin.command: >-
/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
--server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }}
-o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
register: status_result
until: status_result.stdout.find("True") != -1
retries: 20
delay: 10
changed_when: false
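Review bot: Moving `throttle: 1` from the removed block onto the `Start rke2-server` task alone (line 85) narrows what is serialized: before the change one host ran start-through-Ready before the next host began, whereas now only the `systemd` start is serialized and the three wait tasks at lines 103-157 run unthrottled, so a second server can be started while the first has not yet reported Ready. If joining additional servers one at a time was the reason for the original block, `throttle: 1` needs to be repeated on each wait task, or the block kept with the tasks flattened inside it; if the parallel join is intended, a comment such as `# throttle applies to the start only; later servers may join while earlier ones are still becoming Ready` would stop a later reader from re-adding it. Separately, `enabled: yes` at line 95 is a YAML 1.1 truthy that yamllint flags; `enabled: true` is the portable spelling. The task list continues outside the hunk.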