Merge branch 'master' of https://github.com/kubernetes-sigs/kubespray

* 'master' of https://github.com/kubernetes-sigs/kubespray: (32 commits)
  Update api version, deprecated in 1.19 (kubernetes-sigs#6656)
  Update etcd to 3.4.13 (kubernetes-sigs#6658)
  Update dockerfile for v1.19.1 (kubernetes-sigs#6668)
  yamllint: ignore .git dir (kubernetes-sigs#6667)
  fix kubelet_flexvolumes_plugins_dir undefined (kubernetes-sigs#6645)
  Remove deprecated (and removed in 1.19) flag and function --basic-auth-file (kubernetes-sigs#6655)
  Update CoreDNS to 1.7.0 (kubernetes-sigs#6657)
  Update various dependencies following 1.19 release (kubernetes-sigs#6660)
  Add Kubernetes 1.19.1 hashes and set default (kubernetes-sigs#6654)
  crio: use system default for storage driver by default (kubernetes-sigs#6637)
  Add iptables_backend to weave options (kubernetes-sigs#6639)
  Add comment clarifying network allocation and sizes (kubernetes-sigs#6607)
  Allowing resource management of metrics-server container.  Will allow fine-tuning of resource allocation and solving throttling issues. Setting defaults as per the current request & limit allocation: cpu: 43m, memory 55Mi for both limits & requests. (kubernetes-sigs#6652)
  Fix a bunch of failed quality rules (kubernetes-sigs#6646)
  Update calico to 3.16.1 (kubernetes-sigs#6644)
  NetworkManager lists must be separated by , (kubernetes-sigs#6643)
  Set ansible_python_interpreter to python3 on debian (fix error with mitogen) (kubernetes-sigs#6633)
  Use v2.14.0 as base image for CI (kubernetes-sigs#6636)
  Cleanup v1.16 hashes (kubernetes-sigs#6635)
  Update kube_version_min_required for 2.14 release (kubernetes-sigs#6634)
  ...

.gitlab-ci.yml

@@ -8,7 +8,7 @@ stages:
   - deploy-special
 
 variables:
-  KUBESPRAY_VERSION: v2.13.3
+  KUBESPRAY_VERSION: v2.14.0
   FAILFASTCI_NAMESPACE: 'kargo-ci'
   GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
   ANSIBLE_FORCE_COLOR: "true"

.yamllint

@@ -1,6 +1,9 @@
 ---
 extends: default
 
+ignore: |
+  .git/
+
 rules:
   braces:
     min-spaces-inside: 0

Dockerfile

@@ -1,4 +1,7 @@
-FROM ubuntu:18.04
+# Use imutable image tags rather than mutable tags (like ubuntu:18.04)
+FROM ubuntu:bionic-20200807
+
+ENV KUBE_VERSION=v1.19.1
 
 RUN mkdir /kubespray
 WORKDIR /kubespray
@@ -14,7 +17,8 @@ RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
     && apt update -y && apt-get install docker-ce -y
 COPY . .
 RUN /usr/bin/python3 -m pip install pip -U && /usr/bin/python3 -m pip install -r tests/requirements.txt && python3 -m pip install -r requirements.txt && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.5/bin/linux/amd64/kubectl \
+
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl \
     && chmod a+x kubectl && cp kubectl /usr/local/bin/kubectl
 
 # Some tools like yamllint need this

README.md

@@ -116,16 +116,16 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.18.8
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.1
   - [etcd](https://github.com/coreos/etcd) v3.4.3
   - [docker](https://www.docker.com/) v19.03 (see note)
   - [containerd](https://containerd.io/) v1.2.13
   - [cri-o](http://cri-o.io/) v1.17 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
-  - [calico](https://github.com/projectcalico/calico) v3.15.2
+  - [calico](https://github.com/projectcalico/calico) v3.16.1
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.8.2
+  - [cilium](https://github.com/cilium/cilium) v1.8.3
   - [contiv](https://github.com/contiv/install) v1.2.1
   - [flanneld](https://github.com/coreos/flannel) v0.12.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.3.0
@@ -137,15 +137,15 @@ Note: Upstart/SysV init based OS types are not supported.
   - [ambassador](https://github.com/datawire/ambassador): v1.5
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
-  - [coredns](https://github.com/coredns/coredns) v1.6.7
+  - [cert-manager](https://github.com/jetstack/cert-manager) v0.16.1
+  - [coredns](https://github.com/coredns/coredns) v1.7.0
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.35.0
 
 Note: The list of validated [docker versions](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker) is 1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09 and 19.03. The recommended docker version is 19.03. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
 
 ## Requirements
 
-- **Minimum required version of Kubernetes is v1.16**
+- **Minimum required version of Kubernetes is v1.17**
 - **Ansible v2.9+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.

Vagrantfile

@@ -43,7 +43,7 @@ $num_instances ||= 3
 $instance_name_prefix ||= "k8s"
 $vm_gui ||= false
 $vm_memory ||= 2048
-$vm_cpus ||= 1
+$vm_cpus ||= 2
 $shared_folders ||= {}
 $forwarded_ports ||= {}
 $subnet ||= "172.18.8"

docs/getting-started.md

@@ -95,7 +95,7 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
 
 Supported version is kubernetes-dashboard v2.0.x :
 
-- Login options are : token/kubeconfig by default, basic can be enabled with `kube_basic_auth: true` inventory variable - not recommended because this requires ABAC api-server which is not tested by kubespray team
+- Login option : token/kubeconfig by default
 - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
 - Only serves over https
 

docs/nodes.md

@@ -52,7 +52,7 @@ change your inventory to:
 
 ## 2) Upgrade the cluster
 
-run `cluster-upgrade.yml` or `cluster.yml`. Now you are good to go on with the removal.
+run `upgrade-cluster.yml` or `cluster.yml`. Now you are good to go on with the removal.
 
 ## Adding/replacing a worker node
 

docs/vars.md

@@ -72,8 +72,6 @@ following default cluster parameters:
   on the CoreDNS service.
 * *cloud_provider* - Enable extra Kubelet option if operating inside GCE or
   OpenStack (default is unset)
-* *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
-  Kubernetes
 * *kube_feature_gates* - A list of key=value pairs that describe feature gates for
   alpha/experimental Kubernetes features. (defaults is `[]`)
 * *authorization_modes* - A list of [authorization mode](
@@ -119,10 +117,6 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
   is unlikely to work on newer releases. Starting with Kubernetes v1.7
   series, this now defaults to ``host``. Before v1.7, the default was Docker.
   This is because of cgroup [issues](https://github.com/kubernetes/kubernetes/issues/43704).
-* *kubelet_load_modules* - For some things, kubelet needs to load kernel modules.  For example,
-  dynamic kernel services are needed for mounting persistent volumes into containers.  These may not be
-  loaded by preinstall kubernetes processes.  For example, ceph and rbd backed volumes.  Set this variable to
-  true to let kubelet load kernel modules.
 * *kubelet_cgroup_driver* - Allows manual override of the
   cgroup-driver option for Kubelet. By default autodetection is used
   to match Docker configuration.
@@ -215,11 +209,3 @@ in the form of dicts of key-value pairs of configuration parameters that will be
 
 * *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
 Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
-
-## User accounts
-
-The variable `kube_basic_auth` is false by default, but if set to true, a user with admin rights is created, named `kube`.
-The password can be viewed after deployment by looking at the file
-`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
-password. If you wish to set your own password, just precreate/modify this
-file yourself or change `kube_api_pwd` var.

inventory/sample/group_vars/all/all.yml

@@ -35,11 +35,6 @@ loadbalancer_apiserver_port: 6443
 loadbalancer_apiserver_healthcheck_port: 8081
 
 ### OTHER OPTIONAL VARIABLES
-## For some things, kubelet needs to load kernel modules.  For example, dynamic kernel services are needed
-## for mounting persistent volumes into containers.  These may not be loaded by preinstall kubernetes
-## processes.  For example, ceph and rbd backed volumes.  Set to true to allow kubelet to load kernel
-## modules.
-# kubelet_load_modules: false
 
 ## Upstream dns servers
 # upstream_dns_servers:

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -14,13 +14,10 @@ kube_cert_dir: "{{ kube_config_dir }}/ssl"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
 
-# This is where to save basic auth file
-kube_users_dir: "{{ kube_config_dir }}/users"
-
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.18.8
+kube_version: v1.19.1
 
 # kubernetes image repo define
 kube_image_repo: "k8s.gcr.io"
@@ -41,19 +38,8 @@ kube_log_level: 2
 # Directory where credentials will be stored
 credentials_dir: "{{ inventory_dir }}/credentials"
 
-# Users to create for basic auth in Kubernetes API via HTTP
-# Optionally add groups for user
-kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
-kube_users:
-  kube:
-    pass: "{{kube_api_pwd}}"
-    role: admin
-    groups:
-      - system:masters
-
-## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
+## It is possible to activate / deactivate selected authentication methods (oidc, static token auth)
 # kube_oidc_auth: false
-# kube_basic_auth: false
 # kube_token_auth: false
 
 
@@ -95,8 +81,20 @@ kube_service_addresses: 10.233.0.0/18
 kube_pods_subnet: 10.233.64.0/18
 
 # internal network node size allocation (optional). This is the size allocated
-# to each node on your network.  With these defaults you should have
-# room for 4096 nodes with 254 pods per node.
+# to each node for pod IP address allocation. Note that the number of pods per node is
+# also limited by the kubelet_max_pods variable which defaults to 110.
+#
+# Example:
+# Up to 64 nodes and up to 254 or kubelet_max_pods (the lowest of the two) pods per node:
+#  - kube_pods_subnet: 10.233.64.0/18
+#  - kube_network_node_prefix: 24
+#  - kubelet_max_pods: 110
+#
+# Example:
+# Up to 128 nodes and up to 126 or kubelet_max_pods (the lowest of the two) pods per node:
+#  - kube_pods_subnet: 10.233.64.0/18
+#  - kube_network_node_prefix: 25
+#  - kubelet_max_pods: 110
 kube_network_node_prefix: 24
 
 # The port the API Server will be listening on.

inventory/sample/group_vars/k8s-cluster/k8s-net-kube-router.yml

@@ -39,6 +39,9 @@
 # https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md#hairpin-mode
 # kube_router_support_hairpin_mode: false
 
+# Select DNS Policy ClusterFirstWithHostNet, ClusterFirst, etc.
+# kube_router_dns_policy: ClusterFirstWithHostNet
+
 # Array of annotations for master
 # kube_router_annotations_master: []
 

inventory/sample/group_vars/k8s-cluster/k8s-net-weave.yml

@@ -53,6 +53,9 @@
 # only with Weave IPAM (default).
 # weave_no_masq_local: true
 
+# set to nft to use nftables backend for iptables (default is iptables)
+# weave_iptables_backend: iptables
+
 # Extra variables that passing to launch.sh, useful for enabling seed mode, see
 # https://www.weave.works/docs/net/latest/tasks/ipam/ipam/
 # weave_extra_args: ~

roles/bootstrap-os/defaults/main.yml

@@ -13,7 +13,7 @@ use_oracle_public_repo: true
 
 fedora_coreos_packages:
   - python
-  - libselinux-python3
+  - python3-libselinux
   - ethtool                 # required in kubeadm preflight phase for verifying the environment
   - ipset                   # required in kubeadm preflight phase for verifying the environment
   - conntrack-tools         # required by kube-proxy

roles/bootstrap-os/tasks/bootstrap-centos.yml

@@ -32,11 +32,12 @@
 - name: Enable Oracle Linux repo
   ini_file:
     dest: "/etc/yum.repos.d/oracle-linux-ol{{ ansible_distribution_major_version }}.repo"
-    section: "{{ item }}"
-    option: enabled
-    value: "1"
+    section: "ol{{ ansible_distribution_major_version }}_addons"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
   with_items:
-    - "ol{{ ansible_distribution_major_version }}_addons"
+    - { option: "enabled", value: "1" }
+    - { option: "baseurl", value: "http://yum.oracle.com/repo/OracleLinux/OL{{ ansible_distribution_major_version }}/addons/x86_64/" }
   when:
     - '"Oracle" in os_release.stdout'
     - (ansible_distribution_version | float) >= 7.6

roles/bootstrap-os/tasks/bootstrap-debian.yml

@@ -86,6 +86,10 @@
   when:
     - need_bootstrap.rc != 0
 
+- name: Set the ansible_python_interpreter fact
+  set_fact:
+    ansible_python_interpreter: "/usr/bin/python3"
+
 # Workaround for https://github.com/ansible/ansible/issues/25543
 - name: Install dbus for the hostname module
   package:

roles/bootstrap-os/tasks/bootstrap-fedora-coreos.yml

@@ -8,17 +8,38 @@
   tags:
     - facts
 
+- name: Remove podman network cni
+  raw: "podman network rm podman"
+  become: true
+  ignore_errors: yes
+  when: need_bootstrap.rc != 0
+
 - name: Clean up possible pending packages on fedora coreos
   raw: "export http_proxy={{ http_proxy | default('') }};rpm-ostree cleanup -p }}"
   become: true
   when: need_bootstrap.rc != 0
 
+  # Because the package "python3-libselinux" has a dependency on libselinux,
+  # which is a base package in Fedora CoreOS and cannot be upgraded.
+  # Temporary disabling update repo allows to install python3-libselinux
+  # see https://github.com/coreos/fedora-coreos-tracker/issues/592
+- name: Temporary disable fedora updates repo because of base packages conflicts
+  raw: "sed -i 's|^enabled=1|enabled=0|g' /etc/yum.repos.d/fedora-updates.repo"
+  become: true
+  when: need_bootstrap.rc != 0
+
 - name: Install required packages on fedora coreos
   raw: "export http_proxy={{ http_proxy | default('') }};rpm-ostree install {{ fedora_coreos_packages|join(' ') }}"
   become: true
   when: need_bootstrap.rc != 0
 
-# playbook fails because connection lost
+  # see https://github.com/coreos/fedora-coreos-tracker/issues/592
+- name: Enable fedora updates repo
+  raw: "sed -i 's|^enabled=0|enabled=1|g' /etc/yum.repos.d/fedora-updates.repo"
+  become: true
+  when: need_bootstrap.rc != 0
+
+  # playbook fails because connection lost
 - name: Reboot immediately for updated ostree, please run playbook again if failed first time.
   raw: "nohup bash -c 'sleep 5s && shutdown -r now'"
   become: true

roles/container-engine/cri-o/defaults/main.yml

@@ -15,7 +15,10 @@ crio_runc_path: "/usr/bin/runc"
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
-crio_storage_driver: "overlay2"
+
+# Override system default for storage driver
+# crio_storage_driver: "overlay"
+
 crio_stream_port: "10010"
 
 crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -24,7 +24,9 @@
 
 # Storage driver used to manage the storage of images and containers. Please
 # refer to containers-storage.conf(5) to see all available storage drivers.
+{% if crio_storage_driver is defined %}
 storage_driver = "{{ crio_storage_driver }}"
+{% endif %}
 
 # List to pass options to the storage driver. Please refer to
 # containers-storage.conf(5) to see all available storage options.