From 5ac7e482eafc385a48d5898005afaadfd4232f16 Mon Sep 17 00:00:00 2001 From: eric o meehan Date: Wed, 3 Jul 2024 19:35:21 +0000 Subject: [PATCH] v0.0.4 --- group_vars/alpha.yml | 5 ++-- group_vars/clusters.yml | 3 +++ group_vars/control_plane.yml | 19 +++++++++++++++ group_vars/workers.yml | 13 +++++++++++ host_vars/alpha-control-plane.yml | 9 ++++++-- host_vars/alpha-worker-0.yml | 9 ++++++-- .../tasks/Debian_firewall.yml | 5 ++++ .../templates/nftables.conf.j2 | 18 +++++++++++++++ .../tasks/dump_debconf_db.yml | 8 +++++++ .../geerlingguy.containerd/defaults/main.yml | 2 +- .../geerlingguy.kubernetes/defaults/main.yml | 4 ++-- site.yml | 23 ++++++++++++++++--- 12 files changed, 106 insertions(+), 12 deletions(-) create mode 100644 group_vars/clusters.yml create mode 100755 roles/ericomeehan.configure_network/templates/nftables.conf.j2 diff --git a/group_vars/alpha.yml b/group_vars/alpha.yml index 03bef45..037f7fc 100644 --- a/group_vars/alpha.yml +++ b/group_vars/alpha.yml @@ -1,4 +1,5 @@ --- # Group vars for alpha cluster -ipv4_subnet: 0 -ipv6_subnet: a +kubernetes_pod_network: + cni: 'flannel' + cidr: '10.0.0.0/16' diff --git a/group_vars/clusters.yml b/group_vars/clusters.yml new file mode 100644 index 0000000..9bf2b74 --- /dev/null +++ b/group_vars/clusters.yml @@ -0,0 +1,3 @@ +--- +# Group vars for clusters +containerd_config_cgroup_driver_systemd: true diff --git a/group_vars/control_plane.yml b/group_vars/control_plane.yml index f75b7c5..d3f4924 100644 --- a/group_vars/control_plane.yml +++ b/group_vars/control_plane.yml @@ -1,3 +1,22 @@ --- # Group vars for Kubernetes control plane nodes kubernetes_role: control_plane +open_ports: + - interface: any + protocol: tcp + port: 22 + - interface: any + protocol: tcp + port: 6443 + - interface: any + protocol: tcp + port: 2379-2380 + - interface: any + protocol: tcp + port: 10250 + - interface: any + protocol: tcp + port: 10257 + - interface: any + protocol: tcp + port: 10259 
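Review bot: The pod CIDR `cidr: '10.0.0.0/16'` set here overlaps the node network: the host_vars/alpha-control-plane.yml and alpha-worker-0.yml hunks in this same patch put the nodes at 10.0.0.2/16 and 10.0.0.3/16, so pod and node addresses would share one /16 and the flannel routes would shadow the host routes. Keep the pod range disjoint from the node LAN, for example the `10.244.0.0/16` that the geerlingguy.kubernetes defaults hunk of this patch uses, or any other unused range. Flannel's manifest carries its own network setting, so it is worth confirming that the role applies `kubernetes_pod_network.cidr` there rather than relying on the manifest default. A comment such as `# must not overlap the node subnet 10.0.0.0/16 — see host_vars` above the key would keep the next editor from reintroducing the collision.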
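Review bot: `interface: any` on every entry here (and in the group_vars/workers.yml hunk) opens nothing: the nftables template renders it as `iifname "any"`, and nft matches `iifname` against a literal interface name, so no packet ever matches these rules. The list only appears to work because the template's input chain has no drop policy and therefore accepts everything regardless of these rules. Either name the real interface (`interface: eno8303` for this host, per its host_vars) or make the template omit the `iifname` match when the value is `any`, and consider limiting the etcd ports `2379-2380` and kubelet `10250` to the cluster subnet with a source-address match instead of exposing them on every interface. A comment such as `# 'any' is not an nftables wildcard; nftables.conf.j2 must special-case it` above the list would document the contract between these vars and the template.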
diff --git a/group_vars/workers.yml b/group_vars/workers.yml index a5fe477..b00897d 100644 --- a/group_vars/workers.yml +++ b/group_vars/workers.yml @@ -1,3 +1,16 @@ --- # Group vars for Kubernetes worker nodes kubernetes_role: node +open_ports: + - interface: any + protocol: tcp + port: 22 + - interface: any + protocol: tcp + port: 10250 + - interface: any + protocol: tcp + port: 10256 + - interface: any + protocol: tcp + port: 30000-32767 diff --git a/host_vars/alpha-control-plane.yml b/host_vars/alpha-control-plane.yml index 71ed4da..b4d04e1 100644 --- a/host_vars/alpha-control-plane.yml +++ b/host_vars/alpha-control-plane.yml @@ -2,15 +2,20 @@ # Host vars for alpha-control-plane network_interfaces: " # The primary network interface + auto eno8303 + iface eno8303 inet static + address 10.0.0.2/16 - gateway 10.0.0.1 + iface eno8303 inet6 static + address fc00:6572:6963:a::2/64 - gateway fc00:6572:6963:a::1 # The secondary network interface + allow-hotplug eno8403 + iface eno8403 inet dhcp " diff --git a/host_vars/alpha-worker-0.yml b/host_vars/alpha-worker-0.yml index 0c4d95f..b821fb2 100644 --- a/host_vars/alpha-worker-0.yml +++ b/host_vars/alpha-worker-0.yml @@ -2,15 +2,20 @@ # Host vars for alpha-worker-0 network_interfaces: " # The primary network interface + auto eno1np0 + iface eno1np0 inet static + address 10.0.0.3/16 - gateway 10.0.0.1 + iface eno1np0 inet6 static + address fc00:6572:6963:a::3/64 - gateway fc00:6572:6963:a::1 # The secondary network interface + allow-hotplug eno2np1 + iface eno2np1 inet dhcp " diff --git a/roles/ericomeehan.configure_network/tasks/Debian_firewall.yml b/roles/ericomeehan.configure_network/tasks/Debian_firewall.yml index 3b0e69d..7f32dff 100644 --- a/roles/ericomeehan.configure_network/tasks/Debian_firewall.yml +++ b/roles/ericomeehan.configure_network/tasks/Debian_firewall.yml 
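Review bot: The stanzas added here sit inside a double-quoted YAML scalar (`network_interfaces: "` … `"`), and YAML folds the line breaks of a quoted scalar into single spaces, so the parsed value is one line beginning `# The primary network interface auto eno8303 iface eno8303 inet static …`; if that value is written to /etc/network/interfaces the whole line is a comment and no interface gets configured. The same applies to the host_vars/alpha-worker-0.yml hunk. Switch to a literal block scalar, `network_interfaces: |`, with the stanzas indented beneath it, which preserves the newlines and needs no quoting. Separately, both `gateway` lines are removed from the static stanzas; presumably the default route is expected from the DHCP secondary interface — if it is not, these hosts end up without a default route.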
@@ -1,5 +1,10 @@ --- # tasks file for Debian_firewall +- name: Copy nftables configuration template + template: + src: "nftables.conf.j2" + dest: /etc/nftables.con + - name: Enable nftables service: name: nftables diff --git a/roles/ericomeehan.configure_network/templates/nftables.conf.j2 b/roles/ericomeehan.configure_network/templates/nftables.conf.j2 new file mode 100755 index 0000000..2f827f2 --- /dev/null +++ b/roles/ericomeehan.configure_network/templates/nftables.conf.j2 @@ -0,0 +1,18 @@ +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority filter; + {% for port in open_ports %} + iifname "{{ port.interface }}" {{ port.protocol }} dport {{ port.port }} accept + {% endfor %} + } + chain forward { + type filter hook forward priority filter; + } + chain output { + type filter hook output priority filter; + } +} diff --git a/roles/ericomeehan.save_initial_configuration/tasks/dump_debconf_db.yml b/roles/ericomeehan.save_initial_configuration/tasks/dump_debconf_db.yml index 629ade9..3bf8a62 100644 --- a/roles/ericomeehan.save_initial_configuration/tasks/dump_debconf_db.yml +++ b/roles/ericomeehan.save_initial_configuration/tasks/dump_debconf_db.yml @@ -4,12 +4,20 @@ apt: name: debconf-utils state: present + +- name: Check if /root/preseed.txt exists + stat: + path: /root/preseed.txt + register: preseed_file - name: Create preseed file command: echo "#_preseed_V1" > /root/preseed.txt + when: not preseed_file.stat.exists - name: Append installer's debconf database to the file command: debconf-get-selections --installer >> /root/preseed.txt + when: not preseed_file.stat.exists - name: Append debconf database to the file command: debconf-get-selections >> /root/preseed.txt + when: not preseed_file.stat.exists diff --git a/roles/geerlingguy.containerd/defaults/main.yml b/roles/geerlingguy.containerd/defaults/main.yml index 49d7a1f..fe65e81 100644 --- a/roles/geerlingguy.containerd/defaults/main.yml 
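Review bot: `dest: /etc/nftables.con` is missing the trailing `f`: the nftables service reads /etc/nftables.conf, so the rendered ruleset is written next to the real file and never loaded, and the distribution default stays in effect. Change it to `dest: /etc/nftables.conf`, and because the service task below only enables the unit, add `notify: Reload nftables` to the template task with a handler that reloads the ruleset, so later rule changes are actually applied. A `validate: 'nft -c -f %s'` on the template task rejects a broken rendering before it replaces the live configuration, and an explicit `mode: '0644'` pins the file's permissions.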
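Review bot: The input chain declares no `policy drop` and no connection-tracking rule, so the chain's default accept lets every inbound packet through and the per-port accept rules below it are dead code — as written the template does not firewall anything, and `iifname "{{ port.interface }}"` can never match the `any` value both group_vars lists use, since nft has no such wildcard. Add `policy drop;` to the input hook, accept loopback, established/related and ICMP/ICMPv6 (the nodes carry static IPv6 addresses, and neighbor discovery needs ICMPv6), and skip the `iifname` match when `port.interface` is `any`. Before the policy becomes drop, the overlay traffic must be added to `open_ports` — flannel's default VXLAN backend uses UDP 8472, which neither list contains — or pods lose cross-node connectivity. Also note that `flush ruleset` removes tables owned by other programs, so reloading this file on a running node wipes the nftables rules kube-proxy and the CNI have installed; flushing only this table is safer. The forward and output chains can stay as they are.
```jinja
#!/usr/sbin/nft -f

table inet filter
flush table inet filter

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
{% for port in open_ports %}
{% if port.interface == 'any' %}
    {{ port.protocol }} dport {{ port.port }} accept
{% else %}
    iifname "{{ port.interface }}" {{ port.protocol }} dport {{ port.port }} accept
{% endif %}
{% endfor %}
  }
  # … unchanged: forward and output chains …
}
```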
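Review bot: The `stat` guard added here can never become true, because the tasks it guards use `command:` with shell redirection — the command module does not invoke a shell, so `> /root/preseed.txt` and `>> /root/preseed.txt` are handed to `echo` and `debconf-get-selections` as plain arguments and the file is never written, leaving every run to repeat the same steps. Replace the stat/when pair with one `shell` task that uses `creates: /root/preseed.txt`, which gives the run-once behaviour without the extra task and without a half-written file surviving a failed dump. A debconf dump can include answers given at install time, some of which debconf stores as password-type values, so create the file with a restrictive umask (or follow up with a `file` task setting `mode: '0600'`). The preceding apt task starts before the hunk.
```yaml
- name: Dump installer and system debconf databases to /root/preseed.txt
  shell: |
    set -e
    umask 077
    {
      echo "#_preseed_V1"
      debconf-get-selections --installer
      debconf-get-selections
    } > /root/preseed.txt.tmp
    mv /root/preseed.txt.tmp /root/preseed.txt
  args:
    creates: /root/preseed.txt
```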
+++ b/roles/geerlingguy.containerd/defaults/main.yml @@ -12,7 +12,7 @@ containerd_config_default_write: true # Set systemd as cgroup driver in config.toml # Only use with containerd_config_default_write: true -containerd_config_cgroup_driver_systemd: true +containerd_config_cgroup_driver_systemd: false # Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed. docker_apt_release_channel: stable diff --git a/roles/geerlingguy.kubernetes/defaults/main.yml b/roles/geerlingguy.kubernetes/defaults/main.yml index 90cd9d7..e850ed0 100644 --- a/roles/geerlingguy.kubernetes/defaults/main.yml +++ b/roles/geerlingguy.kubernetes/defaults/main.yml @@ -12,7 +12,7 @@ kubernetes_packages: kubernetes_version: '1.25' kubernetes_version_rhel_package: '1.25.1' -kubernetes_role: "{{ kubernetes_role }}" +kubernetes_role: control_plane # This is deprecated. Please use kubernetes_config_kubelet_configuration instead. kubernetes_kubelet_extra_args: "" @@ -23,7 +23,7 @@ kubernetes_allow_pods_on_control_plane: true kubernetes_pod_network: # Flannel CNI. cni: 'flannel' - cidr: '10.{{ ipv4_subnet }}.0.0/16' + cidr: '10.244.0.0/16' # Calico CNI. # cni: 'calico' # cidr: '192.168.0.0/16' diff --git a/site.yml b/site.yml index 8e182cb..ad836d6 100644 --- a/site.yml +++ b/site.yml 
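Review bot: Editing the vendored role's defaults (`containerd_config_cgroup_driver_systemd: false` here, and the `cidr` change in the geerlingguy.kubernetes defaults hunk) is unnecessary and will be silently lost the next time the roles are refreshed from Galaxy: group_vars take precedence over role defaults, and group_vars/clusters.yml in this patch already sets the cgroup driver to `true` while group_vars/alpha.yml sets the pod network. Keep the project's values in group_vars only and leave the vendored defaults as upstream ships them; if a role needs pinning, do it through a requirements file with a version rather than by patching the role. The `kubernetes_role: control_plane` change in the other hunk appears to restore upstream's own default, which is fine as long as it is not relied on — a host in neither the control_plane nor the workers group would otherwise silently become a control-plane node.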
@@ -7,11 +7,28 @@ - role: ericomeehan.save_initial_configuration - role: ericomeehan.configure_network -- name: Configure Kubernetes clusters +- name: Prepare cluster environments hosts: clusters become: true + pre_tasks: + - name: Update sysctl configuration to enable IPv4 packet forwarding + lineinfile: + path: /etc/sysctl.conf + line: 'net.ipv4.ip_forward = 1' + state: present + - name: Update sysctl configuration to enable IPv6 packet forwarding + lineinfile: + path: /etc/sysctl.conf + line: 'net.ipv6.conf.all.forwarding = 1' + state: present + - name: Reload sysctl configuration + command: sysctl --system + - name: Enable br_netfilter kernel module + command: modprobe br_netfilter + - name: Add the module to a configuration file for persistence + lineinfile: + path: /etc/modules-load.d/modules.conf + line: "br_netfilter" roles: - role: geerlingguy.containerd - role: geerlingguy.kubernetes - kubernetes_role: "{{ kubernetes_role }}" - ipv4_subnet: "{{ ipv4_subnet }}"
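Review bot: The pre_tasks added here are not idempotent and partly not persistent: `command: sysctl --system` and `command: modprobe br_netfilter` report changed on every run, and the `lineinfile` on `/etc/modules-load.d/modules.conf` fails on a host where that file does not yet exist because `create: true` is not set. Use the `sysctl` module with `sysctl_set: true` and `reload: true` for the two forwarding keys (writing a file under /etc/sysctl.d rather than editing /etc/sysctl.conf) and the `modprobe` module for br_netfilter, so the play reports accurately and converges. Since br_netfilter is being loaded for bridged pod traffic, the matching `net.bridge.bridge-nf-call-iptables = 1` sysctl is presumably intended as well — only the forwarding keys are set at present; confirm against what the CNI and kube-proxy mode require. The play's `roles:` list follows within the hunk.
```yaml
  pre_tasks:
    - name: Enable IPv4 and IPv6 packet forwarding persistently
      sysctl:
        name: "{{ item }}"
        value: '1'
        sysctl_file: /etc/sysctl.d/99-kubernetes.conf
        sysctl_set: true
        reload: true
      loop:
        - net.ipv4.ip_forward
        - net.ipv6.conf.all.forwarding
    - name: Load br_netfilter now
      modprobe:
        name: br_netfilter
        state: present
    - name: Load br_netfilter at boot
      lineinfile:
        path: /etc/modules-load.d/br_netfilter.conf
        line: br_netfilter
        create: true
        mode: '0644'
  # … unchanged: roles list …
```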