Thulium-Drake/ansible-role-k8s

Plain Kubernetes, powered by Ansible

This role provides you with a Kubernetes cluster that is as clean as possible. The only thing this role sets up for you is CRI-O as the Container Runtime. Plugins for CNI, Storage etc. still need to be setup after this role has run.

It provides a cluster for the following scenarios:

• Multiple control_planes with (or without) workers
• Single control_plane with workers
• Remapping public repositories to private mirrors (NOTE: authentication is currently not supported)

Missing features:

• Removing nodes

Setup

Most of this role is controlled via the Ansible Inventory, for example a simple 1 control_plane 2 worker cluster looks like this:

[k8s_cluster]
k8s1.example.com
k8s2.example.com
k8s3.example.com

All of the other aspects of this cluster are controlled via Group and Host variables, e.g. the following files:

---
# Hosts variables for k8s1.example.com
k8s_role: 'control-plane'

---
# Group variables for k8s_cluster
k8s_role: 'worker'
k8s_cluster_group: 'k8s_cluster'

For all the other options available, please refer to the Defaults.

After configuring the inventory, you can deploy the cluster by running a playbook like this:

---
- name: 'Deploy K8s'
  hosts: 'k8s_cluster'
  roles:
    - 'k8s'

Multiple control-planes

When using multiple control-planes in the cluster, the role will automatically find the first node that has the control-plane node in the inventory. Some important notes:

• To be as idempotent as possible the role sorts all nodes in dynamic groups on alphanumerical order
• When adding additional control-planes, make sure to set their hostnames to be alphanumerically later then existing nodes
• A multi control-plane cluster requires a load balanced API endpoint

External Etcd instances

The role can aid you in setting up a cluster that uses external etcd, this role however does not set up the etcd cluster. In order to use it you need to:

• Set up the cluster certificates, for more info see: https://kubernetes.io/docs/setup/best-practices/certificates/
• Set up the external etcd cluster
• Configure this role
• Run Ansible

Notes, tips and tricks

When installing a CNI plugin (e.g. Calico), delete all then-current running pods in the cluster. This is required to re-assign them new IP addresses that are actually processed properly by the CNI. You can do this as follows:

kubectl delete pods -A --all

Afterwards all the pods will respawn with their proper IP address and will have network connectivity.

Etcdctl function

If your system does not come with a etcdctl package, you can also use the function below. Which will enter one of the containers running etcd and query the information from there.

function etcdctl {
    [ -z "$ETCDPOD" ] && ETCDPOD=$( kubectl get -n kube-system pod -l component=etcd -o name  | sed 's?^pod/??' )
    #kubectl get -n kube-system pod -o name  | sed 's?^pod/??' | grep -m 1 ^etcd
    [ -z "$ETCDPOD" ] && {
        echo "Failed to find etcd Pod"
        return 1
    }

    kubectl -n kube-system exec -it $ETCDPOD  -c etcd -- /bin/sh -c "ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key etcdctl --endpoints=https://127.0.0.1:2379 $*";
}