Merge branch 'kubernetes-sigs:master' into patch-1

.ansible-lint-ignore

@@ -5,4 +5,4 @@ roles/kubernetes/control-plane/defaults/main/main.yml jinja[spacing]
 roles/kubernetes/kubeadm/defaults/main.yml jinja[spacing]
 roles/kubernetes/node/defaults/main.yml jinja[spacing]
 roles/kubernetes/preinstall/defaults/main.yml jinja[spacing]
-roles/kubespray-defaults/defaults/main.yaml jinja[spacing]
+roles/kubespray-defaults/defaults/main/main.yml jinja[spacing]

Dockerfile

@@ -18,26 +18,18 @@ COPY extra_playbooks ./extra_playbooks
 COPY playbooks ./playbooks
 COPY plugins ./plugins
 
-RUN apt update -q \
-    && apt install -yq --no-install-recommends \
+RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
+   apt update -q \
+   && apt install -yq --no-install-recommends \
        curl \
        python3 \
        python3-pip \
        sshpass \
        vim \
        rsync \
        openssh-client \
-    && pip install --no-compile --no-cache-dir \
-       ansible==7.6.0 \
-       ansible-core==2.14.6 \
-       cryptography==41.0.1 \
-       jinja2==3.1.2 \
-       netaddr==0.8.0 \
-       jmespath==1.0.1 \
-       MarkupSafe==2.1.3 \
-       ruamel.yaml==0.17.21 \
-       passlib==1.7.4 \
-    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
+    && pip install --no-compile --no-cache-dir -r requirements.txt \
+    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \
     && curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
     && echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \

README.md

@@ -164,7 +164,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [kubernetes](https://github.com/kubernetes/kubernetes) v1.28.4
   - [etcd](https://github.com/etcd-io/etcd) v3.5.9
   - [docker](https://www.docker.com/) v20.10 (see note)
-  - [containerd](https://containerd.io/) v1.7.8
+  - [containerd](https://containerd.io/) v1.7.11
   - [cri-o](http://cri-o.io/) v1.27 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0

contrib/offline/README.md

@@ -27,7 +27,7 @@ manage-offline-container-images.sh   register
 
 ## generate_list.sh
 
-This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main/main.yml` file.
+This script generates the list of downloaded files and the list of container images by `roles/kubespray-defaults/defaults/main/download.yml` file.
 
 Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
 all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.

contrib/offline/generate_list.sh

@@ -5,7 +5,7 @@ CURRENT_DIR=$(cd $(dirname $0); pwd)
 TEMP_DIR="${CURRENT_DIR}/temp"
 REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
 
-: ${DOWNLOAD_YML:="roles/download/defaults/main/main.yml"}
+: ${DOWNLOAD_YML:="roles/kubespray-defaults/defaults/main/download.yml"}
 
 mkdir -p ${TEMP_DIR}
 
@@ -19,7 +19,7 @@ sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
     | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template
 
 # add kube-* images to images list template
-# Those container images are downloaded by kubeadm, then roles/download/defaults/main/main.yml
+# Those container images are downloaded by kubeadm, then roles/kubespray-defaults/defaults/main/download.yml
 # doesn't contain those images. That is reason why here needs to put those images into the
 # list separately.
 KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"

docs/hardening.md

@@ -54,6 +54,11 @@ kube_apiserver_enable_admission_plugins:
   - PodNodeSelector
   - PodSecurity
 kube_apiserver_admission_control_config_file: true
+# Creates config file for PodNodeSelector
+# kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]
+# Define the default node selector, by default all the workloads will be scheduled on nodes
+# with label network=srv1
+# kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1"
 # EventRateLimit plugin configuration
 kube_apiserver_admission_event_rate_limits:
   limit_1:

docs/offline-environment.md

@@ -95,7 +95,7 @@ If you use the settings like the one above, you'll need to define in your invent
 
 * `registry_host`: Container image registry. If you _don't_ use the same repository path for the container images that
   the ones defined
-  in [Download's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/download/defaults/main/main.yml)
+  in [kubesprays-defaults's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubespray-defaults/defaults/main/download.yml)
   , you need to override the `*_image_repo` for these container images. If you want to make your life easier, use the
   same repository path, you won't have to override anything else.
 * `registry_addr`: Container image registry, but only have [domain or ip]:[port].

extra_playbooks/migrate_openstack_provider.yml

@@ -12,7 +12,7 @@
   hosts: kube_control_plane[0]
   tasks:
     - name: Include kubespray-default variables
-      include_vars: ../roles/kubespray-defaults/defaults/main.yaml
+      include_vars: ../roles/kubespray-defaults/defaults/main/main.yml
     - name: Copy get_cinder_pvs.sh to master
       copy:
         src: get_cinder_pvs.sh

inventory/sample/group_vars/all/all.yml

@@ -57,7 +57,7 @@ loadbalancer_apiserver_healthcheck_port: 8081
 # https_proxy: ""
 # https_proxy_cert_file: ""
 
-## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
+## Refer to roles/kubespray-defaults/defaults/main/main.yml before modifying no_proxy
 # no_proxy: ""
 
 ## Some problems may occur when downloading files over https proxy due to ansible bug

pipeline.Dockerfile

@@ -40,11 +40,11 @@ WORKDIR /kubespray
 
 RUN --mount=type=bind,target=./requirements.txt,src=./requirements.txt \
     --mount=type=bind,target=./tests/requirements.txt,src=./tests/requirements.txt \
-    --mount=type=bind,target=./roles/kubespray-defaults/defaults/main.yaml,src=./roles/kubespray-defaults/defaults/main.yaml \
+    --mount=type=bind,target=./roles/kubespray-defaults/defaults/main/main.yml,src=./roles/kubespray-defaults/defaults/main/main.yml \
     update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --no-compile --no-cache-dir pip -U \
     && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
-    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
+    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \
     && curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
     && echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \

roles/etcd/tasks/check_certs.yml

@@ -88,49 +88,12 @@
     - kube_network_plugin != "calico" or calico_datastore == "etcd"
     - force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list
 
-- name: "Check_certs | Set 'gen_master_certs' object to track whether member and admin certs exist on first etcd node"
-  set_fact:
-    # noqa: jinja[spacing]
-    gen_master_certs: |-
-      {
-      {% set etcd_members = groups['etcd'] -%}
-      {% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %}
-      {% for host in etcd_members -%}
-        {% set member_cert = "%s/member-%s.pem" | format(etcd_cert_dir, host) %}
-        {% set member_key = "%s/member-%s-key.pem" | format(etcd_cert_dir, host) %}
-        {% set admin_cert = "%s/admin-%s.pem" | format(etcd_cert_dir, host) %}
-        {% set admin_key = "%s/admin-%s-key.pem" | format(etcd_cert_dir, host) %}
-        {% if force_etcd_cert_refresh -%}
-        "{{ host }}": True,
-        {% elif member_cert in existing_certs and member_key in existing_certs and admin_cert in existing_certs and admin_key in existing_certs  -%}
-        "{{ host }}": False,
-        {% else -%}
-        "{{ host }}": True,
-        {% endif -%}
-      {% endfor %}
-      }
-  run_once: true
-
-- name: "Check_certs | Set 'gen_node_certs' object to track whether node certs exist on first etcd node"
-  set_fact:
-    # noqa: jinja[spacing]
-    gen_node_certs: |-
-      {
-      {% set k8s_nodes = groups['k8s_cluster'] -%}
-      {% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %}
-      {% for host in k8s_nodes -%}
-        {% set host_cert = "%s/node-%s.pem" | format(etcd_cert_dir, host) %}
-        {% set host_key = "%s/node-%s-key.pem" | format(etcd_cert_dir, host) %}
-        {% if force_etcd_cert_refresh -%}
-        "{{ host }}": True,
-        {% elif host_cert in existing_certs and host_key in existing_certs -%}
-        "{{ host }}": False,
-        {% else -%}
-        "{{ host }}": True,
-        {% endif -%}
-      {% endfor %}
-      }
-  run_once: true
+- name: "Check_certs | Set 'gen_*_certs' groups to track which nodes needs to have certs generated on first etcd node"
+  vars:
+    existing_certs: etcdcert_master.files | map(attribute='path')
+  ansible.builtin.group_by:
+    key: "gen_{{ item.node_type }}_certs_{{ force_etcd_cert_refresh or item.certs is not subset(existing_certs) }}"
+  loop: "{{ cert_files | dict2items(key_name='node_type', value_name='certs') }}"
 
 - name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match"
   set_fact:
@@ -167,5 +130,5 @@
   when:
     - etcd_member_requires_sync | default(false) or
       kubernetes_host_requires_sync | default(false) or
-      (inventory_hostname in gen_master_certs and gen_master_certs[inventory_hostname]) or
-      (inventory_hostname in gen_node_certs and gen_node_certs[inventory_hostname])
+      'gen_master_certs_True' in group_names or
+      'gen_node_certs_True' in group_names

roles/etcd/tasks/gen_certs_script.yml

@@ -41,18 +41,8 @@
 - name: Gen_certs | run cert generation script for etcd and kube control plane nodes
   command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
   environment:
-    MASTERS: |-
-      {% for m in groups['etcd'] %}
-        {% if gen_master_certs[m] %}
-          {{ m }}
-        {% endif %}
-      {% endfor %}
-    HOSTS: |-
-      {% for h in groups['kube_control_plane'] %}
-        {% if gen_node_certs[h] %}
-          {{ h }}
-        {% endif %}
-      {% endfor %}
+    MASTERS: "{{ groups['gen_master_certs_True'] | ansible.builtin.intersect(groups['etcd']) | join(' ') }}"
+    HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}"
   run_once: yes
   delegate_to: "{{ groups['etcd'][0] }}"
   when: gen_certs | default(false)
@@ -61,12 +51,7 @@
 - name: Gen_certs | run cert generation script for all clients
   command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
   environment:
-    HOSTS: |-
-      {% for h in groups['k8s_cluster'] %}
-        {% if gen_node_certs[h] %}
-          {{ h }}
-        {% endif %}
-      {% endfor %}
+    HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['k8s_cluster']) | join(' ') }}"
   run_once: yes
   delegate_to: "{{ groups['etcd'][0] }}"
   when:

roles/etcd/vars/main.yml

@@ -0,0 +1,10 @@
+---
+cert_files:
+  master:
+  - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
+  - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
+  - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
+  - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
+  node:
+  - "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
+  - "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -141,6 +141,8 @@ kube_webhook_token_auth_url_skip_tls_verify: false
 kube_webhook_authorization: false
 kube_webhook_authorization_url_skip_tls_verify: false
 
+# Default podnodeselector
+kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
 
 ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
 ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)

roles/kubernetes/control-plane/meta/main.yml

@@ -9,3 +9,4 @@ dependencies:
     when:
       - etcd_deployment_type == "kubeadm"
       - not (ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_fedora_coreos)
+  - role: network_plugin/calico_defaults

roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml

@@ -15,10 +15,3 @@
     - "Master | Restart kube-controller-manager"
     - "Master | Restart kube-scheduler"
     - "Master | reload kubelet"
-
-- name: Update etcd-servers for apiserver
-  lineinfile:
-    dest: "{{ kube_config_dir }}/manifests/kube-apiserver.yaml"
-    regexp: '^    - --etcd-servers='
-    line: '    - --etcd-servers={{ etcd_access_addresses }}'
-  when: etcd_deployment_type != "kubeadm"

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -108,6 +108,15 @@
     - item in kube_apiserver_admission_plugins_needs_configuration
   loop: "{{ kube_apiserver_enable_admission_plugins }}"
 
+- name: Kubeadm | Configure default cluster podnodeslector
+  template:
+    src: "podnodeselector.yaml.j2"
+    dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
+    mode: 0640
+  when:
+    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
+    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
+
 - name: Kubeadm | Check apiserver.crt SANs
   vars:
     apiserver_ips: "{{ apiserver_sans | map('ansible.utils.ipaddr') | reject('equalto', False) | list }}"

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2

@@ -295,11 +295,15 @@ controllerManager:
     cluster-cidr: "{{ kube_pods_subnet }}{{ ',' + kube_pods_subnet_ipv6 if enable_dual_stack_networks else '' }}"
 {% endif %}
     service-cluster-ip-range: "{{ kube_service_addresses }}{{ ',' + kube_service_addresses_ipv6 if enable_dual_stack_networks else '' }}"
+{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
+    allocate-node-cidrs: "false"
+{% else %}
 {% if enable_dual_stack_networks %}
     node-cidr-mask-size-ipv4: "{{ kube_network_node_prefix }}"
     node-cidr-mask-size-ipv6: "{{ kube_network_node_prefix_ipv6 }}"
 {% else %}
     node-cidr-mask-size: "{{ kube_network_node_prefix }}"
+{% endif %}
 {% endif %}
     profiling: "{{ kube_profiling }}"
     terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"

roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2

@@ -0,0 +1,2 @@
+podNodeSelectorPluginConfig:
+  clusterDefaultNodeSelector: {{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }}

roles/download/defaults/main/checksums.yml → roles/kubespray-defaults/defaults/main/checksums.yml

@@ -1230,6 +1230,9 @@ nerdctl_archive_checksums:
     1.0.0: 2fb02e629a4be16b194bbfc64819132a72ede1f52596bd8e1ec2beaf7c28c117
 containerd_archive_checksums:
   arm:
+    1.7.11: 0
+    1.7.10: 0
+    1.7.9: 0
     1.7.8: 0
     1.7.7: 0
     1.7.6: 0
@@ -1239,6 +1242,7 @@ containerd_archive_checksums:
     1.7.2: 0
     1.7.1: 0
     1.7.0: 0
+    1.6.25: 0
     1.6.24: 0
     1.6.23: 0
     1.6.22: 0
@@ -1270,6 +1274,9 @@ containerd_archive_checksums:
     1.5.15: 0
     1.5.14: 0
   arm64:
+    1.7.11: 5eae27cce38a14be5390d4035127aa11416bc5ae592a9ff25b11870872ce1159
+    1.7.10: 0667b12a04a896a61cf508a4a77190c280f4a1fa35f38c8a4ba63f605b5ec375
+    1.7.9: 09ca326dee14e00c439137071747c15cc280480e2c26c1e82698c992dd1889c6
     1.7.8: 3fc551e8f51150804d80cc1958a271bd2252b6334f0355244d0faa5da7fa55d1
     1.7.7: 0a104f487193665d2681fcb5ed83f2baa5f97849fe2661188da835c9d4eaf9e3
     1.7.6: d844a1c8b993e7e9647f73b9814567004dce1287c0529ce55c50519490eafcce
@@ -1279,6 +1286,8 @@ containerd_archive_checksums:
     1.7.2: d75a4ca53d9addd0b2c50172d168b12957e18b2d8b802db2658f2767f15889a6
     1.7.1: 1f828dc063e3c24b0840b284c5635b5a11b1197d564c97f9e873b220bab2b41b
     1.7.0: e7e5be2d9c92e076f1e2e15c9f0a6e0609ddb75f7616999b843cba92d01e4da2
+    1.6.26: 177bed65b6425255bacbe48d99ea7aa5209d381576962c0962dc8615ef16c5c5
+    1.6.25: 4948677cfc5f98a1d5d46cec90d6d6f84f6b27cd6d28fd87f7f5936d61580ceb
     1.6.24: 1d741e9e2d907f02a8b2a46034a28ff9aacdba88c485cef2f4bad18be9ea23ba
     1.6.23: ea7afb82dc5789307e684ef9b4a55ce1ee9a05dc02c2118df640b01207208c45
     1.6.22: 7882d6e7f4e97dcba041c37592c4cb9e7a5b4d972380c74d959e388b12d57d01
@@ -1310,6 +1319,9 @@ containerd_archive_checksums:
     1.5.15: 0
     1.5.14: 0
   amd64:
+    1.7.11: d66161d54546fad502fd50a13fcb79efff033fcd895adc9c44762680dcde4e69
+    1.7.10: eacb0296bff2ae5225a18492dcb32fb28ad4a1fe0a39ea9073367c7e43dc5838
+    1.7.9: ccd5b434393666f6ebbc90eea959ffd3e61958a1e3e1cc830a678f040142d4b0
     1.7.8: 5f1d017a5a7359514d6187d6656e88fb2a592d107e6298db7963dbddb9a111d9
     1.7.7: 371de359d6102c51f6ee2361d08297948d134ce7379e01cb965ceeffa4365fba
     1.7.6: 58408cfa025003e671b0af72183b963363d519543d0d0ba186037e9c57489ffe
@@ -1319,6 +1331,8 @@ containerd_archive_checksums:
     1.7.2: 2755c70152ab40856510b4549c2dd530e15f5355eb7bf82868e813c9380e22a7
     1.7.1: 9504771bcb816d3b27fab37a6cf76928ee5e95a31eb41510a7d10ae726e01e85
     1.7.0: b068b05d58025dc9f2fc336674cac0e377a478930f29b48e068f97c783a423f0
+    1.6.26: fa806d3e945a8ad25aa1f8123a98524768ead83af2ed1ab3d922d2dd5fe6b14c
+    1.6.25: 878b331b5fa65df3d33c68ee355724de0044c25071486086409b374a9c62d145
     1.6.24: a56fac5ba03c3d6f74ceae14abdc9fafabcba900105e9890c0ac895cc00164ad
     1.6.23: bcf16bb63a295721a2603e9a56602c5d18e5443df04a9f2c1ca5328f41556fcc
     1.6.22: 5671eb4eba97f0ec98223c84401c9aeb21d0ef16ac3ece3eb8fadd46174d7eab
@@ -1350,6 +1364,9 @@ containerd_archive_checksums:
     1.5.15: 0d09043be08dcf6bf136aa78bfd719e836cf9f9679afa4db0b6e4d478e396528
     1.5.14: 8513ead11aca164b7e70bcea0429b4e51dad836b6383b806322e128821aaebbd
   ppc64le:
+    1.7.11: 6f91c5dabdccd1fc75aae8687381bb185b9eb4200beb29d0993dea8175f5fa61
+    1.7.10: 15a5191bf7c555956a8565d8786399d51b13f2718d59b1a5b2bd380fc420bf8a
+    1.7.9: 174b8af2d878ad8410205b9ba44fa8d2a9683a521abf13f168f67b7f7375d5b3
     1.7.8: 2b563df9e1bddc96a99a023963c99b5faf3066d3fcbc23ff44ba24229e939444
     1.7.7: 0335e7447ed84757489337686a709e95ffa379a8780f238725abb10facaeaa7f
     1.7.6: 956fadb01b35c3214f2b6f82abc0dda3e1b754cb223cd24e818334b08cb09fb2
@@ -1359,6 +1376,8 @@ containerd_archive_checksums:
     1.7.2: cbe7ec913cb603ca218bd8867efdce4bee3b0e0115e467e51c910467daf8184e
     1.7.1: 17d97ef55c6ce7af9778dbafb5e73f577d1b34220043a91cccde49dbcc610342
     1.7.0: 051e897d3ee5b8c8097f65be447fea2d29226b583ca5d9ed78e9aebcf4e69889
+    1.6.26: 75fb01a4bd3bcd16263c2f833b8e7081356e2e390dd7eb0710232cb04dac5a01
+    1.6.25: 3ddcc1739ffeb3e1df786d45518a01d93a5cef243eb6dee61cbdd4cd110bc723
     1.6.24: abff9e7ec4cc21d19150d2bc55fc89cf53dc03c002cdaf5016ee82aedead9b03
     1.6.23: 1099fce4a4dfc78712cc1c19be6d9f80e9321f513834dba0b2418bd5c78ad398
     1.6.22: 0f8647aedd96174704a63a17b1a7cf4c4c5c2fc066606b1a419b2a860b754bfb

roles/download/defaults/main/main.yml → roles/kubespray-defaults/defaults/main/download.yml

@@ -76,11 +76,11 @@ image_arch: "{{ host_architecture | default('amd64') }}"
 # Versions
 kubeadm_version: "{{ kube_version }}"
 crun_version: 1.8.5
-runc_version: v1.1.9
+runc_version: v1.1.10
 kata_containers_version: 3.1.3
 youki_version: 0.1.0
 gvisor_version: 20230807
-containerd_version: 1.7.8
+containerd_version: 1.7.11
 cri_dockerd_version: 0.3.4
 
 # this is relevant when container_manager == 'docker'