Hardening options are not applying and breaking installation #11842
Comments
@dmakeienko : I confirm that setting |
Oh, I think I encountered this issue a few months ago, when trying to set up a hardened cluster myself. I'll rebase with master after today's release, then see if I'm still able to set up a new hardened cluster with all the recent few months' changes. It's also possible it's been fixed in today's release too, so I'll try that first before I try with my own hardening fixes on top. I should get a chance to look at it later today or tomorrow |
Your inventory looks wrong:
Do you have |
I have only the following files that reside in |
@dmakeienko : in Under the Here is a valid example :
|
What happened?
For deploying k8s on Openstack, I've made the following structure:
`
`
Obviously, `all.yaml` contains all the necessary configuration for a cluster, `openstack.yaml` contains some values for openstack that are generated by terraform, and `hardening.yaml` contains most of the configuration from https://github.com/kubernetes-sigs/kubespray/blob/master/docs/operations/hardening.md

I deploy the cluster with this command:
ansible-playbook -i ../inventory -b -vvvvv --private-key=~/.ssh/admin cluster.yml
Then, I check everything and find that almost nothing from `hardening.yaml` has been applied. As the next step, I try to point to that file explicitly:
ansible-playbook -i ../inventory -b -vvvvv --private-key=~/.ssh/dev1-k8s-admin -e "@../inventory/group_vars/hardening.yaml" cluster.yml
After that command, about half of the options have been applied:
But others are still missing, i.e. kube_audit logs, kube_scheduler_bind_address, kube_controller_manager_bind_address
Then I tried to run this command:
ansible-playbook -i ../inventory -b -vvvvv --private-key=~/.ssh/dev1-k8s-admin -e "@../inventory/group_vars/hardening.yaml" -e upgrade_cluster_setup=true cluster.yml
but nothing changed. I've checked `/etc/kubernetes/manifests/kube-api-server.yaml` but it didn't change; however, the file `kubeadm-config.yaml` contained the audit log parameters.

Then I combined ALL variables into the single file `all.yaml`, recreated the infrastructure completely and ran
ansible-playbook -i ../inventory -b -vvvvv --private-key=~/.ssh/admin cluster.yml
However, kubespray failed on the step where it tries to install `kubelet-csr-approver` and I got the following error:
kubespray stderr: Error: release kubelet-csr-approver failed, and has been uninstalled due to atomic being set: context deadline exceeded
When that happened I noticed that all nodes were tainted with the following taint:
node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule
and `kubelet-csr-approver` failed to deploy because of that. I tried to remove those taints and ran `cluster.yaml` again, and `kubelet-csr-approver` deployed successfully.

Also, no matter what I do, some options are simply not applied. Example:
And other options completely break the installation process, such as:
Regarding `remove_anonymous_access`, the problem is similar to this issue
kube-apiserver.yaml
kubeadm-config.yaml
What did you expect to happen?
I can deploy kubernetes from scratch with all hardening settings enabled.
How can we reproduce it (as minimally and precisely as possible)?
Create the following structure:
`
`
and use my values
OS
Linux 5.15.0-130-generic x86_64
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Version of Ansible
ansible [core 2.16.14]
config file = /home/denys/project/k8s-svc/env/dev1/kubespray/ansible.cfg
configured module search path = ['/home/denys/project/k8s-svc/env/dev1/kubespray/library']
ansible python module location = /home/denys/project/k8s-svc/env/dev1/kubespray/venv/lib/python3.12/site-packages/ansible
ansible collection location = /home/denys/.ansible/collections:/usr/share/ansible/collections
executable location = /home/denys/project/k8s-svc/env/dev1/kubespray/venv/bin/ansible
python version = 3.12.3 (main, Nov 6 2024, 18:32:19) [GCC 13.2.0] (/home/denys/project/k8s-svc/env/dev1/kubespray/venv/bin/python3)
jinja version = 3.1.5
libyaml = True
Version of Python
Python 3.10.12
Version of Kubespray (commit)
3305ae9
Network plugin used
cilium
Full inventory with variables
all.yaml
hardening.yaml
Command used to invoke ansible
ansible-playbook -i ../inventory -b -vvvvv --private-key=~/.ssh/key cluster.yml
Output of ansible run
Anything else we need to know
No response
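The inventory-layout diagnosis raised in the comments can be checked mechanically: Ansible only loads `group_vars/<name>.yml` (or `group_vars/<name>/*.yml`) when `<name>` is a group in the inventory (`all` always exists), so a file like `group_vars/hardening.yaml` is silently ignored unless a group called `hardening` exists. The script below is an added example, not Kubespray's or the commenters' code; the inventory contents and the `group_vars` listing are constructed to mirror the layout described in the report.

```python
"""Report group_vars entries that Ansible will never load.

Added example (not Kubespray code). Relies on Ansible's rule that a
group_vars file or directory applies only when its name matches an
inventory group, or is the implicit group 'all'.
"""
import re
from pathlib import PurePosixPath

# Constructed INI inventory in the shape of a Kubespray hosts file.
SAMPLE_INVENTORY = """
[kube_control_plane]
node1 ansible_host=10.0.0.11

[etcd:children]
kube_control_plane

[kube_node]
node2 ansible_host=10.0.0.12

[k8s_cluster:children]
kube_control_plane
kube_node
"""

# Constructed listing of inventory/group_vars; directories end with "/".
SAMPLE_GROUP_VARS = ["all/", "k8s_cluster/", "openstack.yaml", "hardening.yaml"]

# Section headers: [group], [group:children] or [group:vars].
_HEADER = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def inventory_groups(ini_text: str) -> set[str]:
    """Return every group named by a section header plus the implicit 'all'."""
    groups = {"all"}
    for line in ini_text.splitlines():
        m = _HEADER.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups


def ignored_group_vars(entries: list[str], groups: set[str]) -> list[str]:
    """Return group_vars entries whose name (without extension) is not a group."""
    # "hardening.yaml" -> "hardening", "k8s_cluster/" -> "k8s_cluster"
    return [e for e in entries if PurePosixPath(e.rstrip("/")).stem not in groups]


if __name__ == "__main__":
    groups = inventory_groups(SAMPLE_INVENTORY)
    for entry in ignored_group_vars(SAMPLE_GROUP_VARS, groups):
        print(f"group_vars/{entry} is not loaded: no inventory group named "
              f"'{PurePosixPath(entry.rstrip('/')).stem}'")
```

Flagged entries need to be moved under a real group, for example `group_vars/all/hardening.yaml` or `group_vars/k8s_cluster/hardening.yaml`, rather than passed with `-e @...`, which is why the `-e` workaround in the report only partially helped.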