v0.0.4

group_vars/alpha.yml

@@ -1,4 +1,5 @@
 ---
 # Group vars for alpha cluster
-ipv4_subnet: 0
-ipv6_subnet: a
+kubernetes_pod_network:
+  cni: 'flannel'
+  cidr: '10.0.0.0/16'

group_vars/clusters.yml

@@ -0,0 +1,3 @@
+---
+# Group vars for clusters
+containerd_config_cgroup_driver_systemd: true

group_vars/control_plane.yml

@@ -1,3 +1,22 @@
 ---
 # Group vars for Kubernetes control plane nodes
 kubernetes_role: control_plane
+open_ports:
+  - interface: any
+    protocol: tcp
+    port: 22
+  - interface: any
+    protocol: tcp
+    port: 6443
+  - interface: any
+    protocol: tcp
+    port: 2379-2380
+  - interface: any
+    protocol: tcp
+    port: 10250
+  - interface: any
+    protocol: tcp
+    port: 10257
+  - interface: any
+    protocol: tcp
+    port: 10259

group_vars/workers.yml

@@ -1,3 +1,16 @@
 ---
 # Group vars for Kubernetes worker nodes
 kubernetes_role: node
+open_ports:
+  - interface: any
+    protocol: tcp
+    port: 22
+  - interface: any
+    protocol: tcp
+    port: 10250
+  - interface: any
+    protocol: tcp
+    port: 10256
+  - interface: any
+    protocol: tcp
+    port: 30000-32767

host_vars/alpha-control-plane.yml

@@ -2,15 +2,20 @@
 # Host vars for alpha-control-plane
 network_interfaces: "
 # The primary network interface
+
 auto eno8303
+
 iface eno8303 inet static
+
     address 10.0.0.2/16
-    gateway 10.0.0.1
+
 iface eno8303 inet6 static
+
     address fc00:6572:6963:a::2/64
-    gateway fc00:6572:6963:a::1
 
 # The secondary network interface
+
 allow-hotplug eno8403
+
 iface eno8403 inet dhcp
 "

host_vars/alpha-worker-0.yml

@@ -2,15 +2,20 @@
 # Host vars for alpha-worker-0
 network_interfaces: "
 # The primary network interface
+
 auto eno1np0
+
 iface eno1np0 inet static
+
     address 10.0.0.3/16
-    gateway 10.0.0.1
+
 iface eno1np0 inet6 static
+
     address fc00:6572:6963:a::3/64
-    gateway fc00:6572:6963:a::1
 
 # The secondary network interface
+
 allow-hotplug eno2np1
+
 iface eno2np1 inet dhcp
 "

roles/ericomeehan.configure_network/tasks/Debian_firewall.yml

@@ -1,5 +1,10 @@
 ---
 # tasks file for Debian_firewall
+- name: Copy nftables configuration template
+  template:
+    src: "nftables.conf.j2"
+    dest: /etc/nftables.con
+
 - name: Enable nftables
   service:
     name: nftables

roles/ericomeehan.configure_network/templates/nftables.conf.j2

@@ -0,0 +1,18 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+    {% for port in open_ports %}
+    iifname "{{ port.interface }}" {{ port.protocol }} dport {{ port.port }} accept
+    {% endfor %}
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}

roles/ericomeehan.save_initial_configuration/tasks/dump_debconf_db.yml

@@ -4,12 +4,20 @@
   apt:
     name: debconf-utils
     state: present
+
+- name: Check if /root/preseed.txt exists
+  stat:
+    path: /root/preseed.txt
+  register: preseed_file
       
 - name: Create preseed file
   command: echo "#_preseed_V1" > /root/preseed.txt
+  when: not preseed_file.stat.exists
 
 - name: Append installer's debconf database to the file
   command: debconf-get-selections --installer >> /root/preseed.txt
+  when: not preseed_file.stat.exists
 
 - name: Append debconf database to the file
   command: debconf-get-selections >> /root/preseed.txt
+  when: not preseed_file.stat.exists

roles/geerlingguy.containerd/defaults/main.yml

@@ -12,7 +12,7 @@ containerd_config_default_write: true
 
 # Set systemd as cgroup driver in config.toml
 # Only use with containerd_config_default_write: true
-containerd_config_cgroup_driver_systemd: true
+containerd_config_cgroup_driver_systemd: false
 
 # Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
 docker_apt_release_channel: stable

roles/geerlingguy.kubernetes/defaults/main.yml

@@ -12,7 +12,7 @@ kubernetes_packages:
 kubernetes_version: '1.25'
 kubernetes_version_rhel_package: '1.25.1'
 
-kubernetes_role: "{{ kubernetes_role }}"
+kubernetes_role: control_plane
 
 # This is deprecated. Please use kubernetes_config_kubelet_configuration instead.
 kubernetes_kubelet_extra_args: ""
@@ -23,7 +23,7 @@ kubernetes_allow_pods_on_control_plane: true
 kubernetes_pod_network:
   # Flannel CNI.
   cni: 'flannel'
-  cidr: '10.{{ ipv4_subnet }}.0.0/16'
+  cidr: '10.244.0.0/16'
   # Calico CNI.
   # cni: 'calico'
   # cidr: '192.168.0.0/16'

site.yml

@@ -7,11 +7,28 @@
     - role: ericomeehan.save_initial_configuration
     - role: ericomeehan.configure_network
 
-- name: Configure Kubernetes clusters
+- name: Prepare cluster environments
   hosts: clusters
   become: true
+  pre_tasks:
+    - name: Update sysctl configuration to enable IPv4 packet forwarding
+      lineinfile:
+        path: /etc/sysctl.conf
+        line: 'net.ipv4.ip_forward = 1'
+        state: present
+    - name: Update sysctl configuration to enable IPv6 packet forwarding
+      lineinfile:
+        path: /etc/sysctl.conf
+        line: 'net.ipv6.conf.all.forwarding = 1'
+        state: present
+    - name: Reload sysctl configuration
+      command: sysctl --system
+    - name: Enable br_netfilter kernel module
+      command: modprobe br_netfilter
+    - name: Add the module to a configuration file for persistence
+      lineinfile:
+        path: /etc/modules-load.d/modules.conf
+        line: "br_netfilter"
   roles:
     - role: geerlingguy.containerd
     - role: geerlingguy.kubernetes
-      kubernetes_role: "{{ kubernetes_role }}"
-      ipv4_subnet: "{{ ipv4_subnet }}"