---
# Hardening of the OpenShift 3.x node configuration maps in the openshift-node
# namespace.  Each task title names the benchmark item it implements.  The
# compute node map is edited first; the infra and master maps are handled
# further down.

- name: Login to OpenShift cluster
  # Cluster-admin login whose credentials are written to kube_conf.
  # NOTE(review): the oc calls that follow in this file do not pass --config,
  # so they use the invoking user's default kubeconfig, not kube_conf —
  # confirm both resolve to the same cluster-admin context on the target host.
  command: "oc login -u system:admin --config={{ kube_conf }}"

- name: Create scratch directory for the extracted node configuration
  # The directory is never removed by this file, so the edited node config
  # stays on disk after the run.
  tempfile:
    state: directory
  register: temp_dir

- name: Extract current compute node configuration
  # oc extract prints the path of each file it writes; cm_path.stdout is used
  # below as the file to edit, which presumably assumes the map holds a single
  # key (node-config.yaml) — verify for multi-key maps.
  command: "oc extract cm/node-config-compute -n openshift-node --to={{ temp_dir.path }}"
  register: cm_path

- name: 6.8 Network Policy Change Compute Nodes
  # Look for an existing networkpolicy reference.  grep exits 1 when nothing
  # matches, which is the interesting case here, so only a real grep error
  # (rc 2, e.g. unreadable file) fails the task.
  command: grep -A1 networkpolicy {{ cm_path.stdout }}
  register: net_policy_compute_node
  changed_when: false
  failed_when: net_policy_compute_node.rc == 2

- name: 6.8 Switch compute nodes to the ovs-networkpolicy plugin
  # Only rewrite the plugin name when no networkpolicy reference was found.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: networkConfig.networkPluginName
    value: "redhat/openshift-ovs-networkpolicy"
  when: net_policy_compute_node.stdout | length == 0

# Disabled MTU override, kept for reference.
#- yedit:
#    src: "{{ cm_path.stdout }}"
#    key: networkConfig.mtu
#    value: 8951

- name: 7.1 Use Security Context Constraints to prevent privileged containers from running
  # Detect an explicit allow-privileged kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  command: grep -A1 allow-privileged {{ cm_path.stdout }}
  register: allow_priv
  changed_when: false
  failed_when: allow_priv.rc == 2

- name: 7.1 Drop explicit allow-privileged override
  # Removing the key leaves the platform default in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.allow-privileged
    state: absent
  when: allow_priv.stdout | length > 0

- name: 7.2 Ensure anonymous-auth is not disabled
  # Detect an explicit anonymous-auth kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  command: grep -A1 anonymous-auth {{ cm_path.stdout }}
  register: anon_auth
  changed_when: false
  failed_when: anon_auth.rc == 2

- name: 7.2 Drop explicit anonymous-auth override
  # Removing the key leaves the platform default in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.anonymous-auth
    state: absent
  when: anon_auth.stdout | length > 0

- name: 7.3 Ensure that the --authorization-mode argument is set to WebHook
  # Detect an explicit authorization-mode kubelet argument (rc 1 = not
  # present, rc 2 = grep error).
  command: grep -A1 authorization-mode {{ cm_path.stdout }}
  register: auth_mode
  changed_when: false
  failed_when: auth_mode.rc == 2

- name: 7.3 Drop explicit authorization-mode override
  # Removing the key leaves the platform default (Webhook, per the task
  # title) in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.authorization-mode
    state: absent
  when: auth_mode.stdout | length > 0

- name: 7.4 Ensure that the OpenShift default for the client-ca-file argument is not changed
  # Detect an explicit client-ca-file kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  command: grep -A1 client-ca-file {{ cm_path.stdout }}
  register: client_ca
  changed_when: false
  failed_when: client_ca.rc == 2

- name: 7.4 Drop explicit client-ca-file override
  # Removing the key leaves the platform default in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.client-ca-file
    state: absent
  when: client_ca.stdout | length > 0

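- name: 7.5 Maintain the OpenShift default setting for the read-only-port argument
  # Detect an explicit read-only-port kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  # Fix: this task previously grepped for client-ca-file, so an explicit
  # read-only-port override was never detected and the removal below never
  # ran (or ran for the wrong reason).
  command: grep -A1 read-only-port {{ cm_path.stdout }}
  changed_when: false
  failed_when: "ro_port.rc == 2"
  register: ro_port

- name: 7.5 Drop explicit read-only-port override
  # Removing the key leaves the platform default in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.read-only-port
    state: absent
  when: ro_port.stdout != ""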

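- name: 7.6 Adjust the streaming-connection-idle-timeout argument
  # Fix: the key carried a stray trailing backtick
  # (streaming-connection-idle-timeout`), which would have created a bogus
  # kubelet argument instead of setting the real one.
  # The value is the YAML text of a one-element list; presumably yedit
  # YAML-loads it so the argument is written as `- '5m'` — confirm against
  # the module's value_type default.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.streaming-connection-idle-timeout
    #value: "- \"5m\""
    value: "- '5m'"
    state: present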

- name: 7.7 Maintain the OpenShift defaults for the protect-kernel-defaults argument
  # Detect an explicit protect-kernel-defaults kubelet argument (rc 1 = not
  # present, rc 2 = grep error).
  command: grep -A1 protect-kernel-defaults {{ cm_path.stdout }}
  register: kern_def
  changed_when: false
  failed_when: kern_def.rc == 2

- name: 7.7 Drop explicit protect-kernel-defaults override
  # Removing the key leaves the platform default in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.protect-kernel-defaults
    state: absent
  when: kern_def.stdout | length > 0

- name: 7.8 Maintain the OpenShift default value of true for the make-iptables-util-chains argument
  # Detect an explicit make-iptables-util-chains kubelet argument (rc 1 = not
  # present, rc 2 = grep error).
  command: grep -A1 make-iptables-util-chains {{ cm_path.stdout }}
  register: ip_tables
  changed_when: false
  failed_when: ip_tables.rc == 2

- name: 7.8 Drop explicit make-iptables-util-chains override
  # Removing the key leaves the platform default (true, per the task title)
  # in force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.make-iptables-util-chains
    state: absent
  when: ip_tables.stdout | length > 0

- name: 7.11 Configure the --event-qps argument to 0
  # Unconditionally pin event-qps.  The value is the YAML text of a
  # one-element list; presumably yedit YAML-loads it so the argument is
  # written as `- '0'` — confirm against the module's value_type default.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.event-qps
    state: present
    value: "- '0'"

- name: 7.12 Do not set the --tls-cert-file and --tls-private-key-file arguments
  # Detect an explicit tls-cert-file kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  command: grep -A1 tls-cert-file {{ cm_path.stdout }}
  register: tls_cert
  changed_when: false
  failed_when: tls_cert.rc == 2

- name: 7.12 Drop explicit tls-cert-file override
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.tls-cert-file
    state: absent
  when: tls_cert.stdout | length > 0

- name: 7.12 Detect explicit tls-private-key-file argument
  # Same detection for the private key half of the pair.
  command: grep -A1 tls-private-key-file {{ cm_path.stdout }}
  register: tls_key
  changed_when: false
  failed_when: tls_key.rc == 2

- name: 7.12 Drop explicit tls-private-key-file override
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.tls-private-key-file
    state: absent
  when: tls_key.stdout | length > 0

- name: 7.13 Maintain the OpenShift default of 0 for the cadvisor-port argument
  # Detect an explicit cadvisor-port kubelet argument (rc 1 = not present,
  # rc 2 = grep error).
  command: grep -A1 cadvisor-port {{ cm_path.stdout }}
  register: cadvisor
  changed_when: false
  failed_when: cadvisor.rc == 2

- name: 7.13 Drop explicit cadvisor-port override
  # Removing the key leaves the platform default (0, per the task title) in
  # force.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.cadvisor-port
    state: absent
  when: cadvisor.stdout | length > 0

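- name: 7.14 and 7.15 Ensure that the RotateKubeletClientCertificate/RotateKubeletServerCertificate argument is not set to false
  # Detect a feature-gates line that already enables both rotations.
  # Fix: accept the two gates in either order on the line; the previous
  # pattern only matched Client...Server and would have rewritten an
  # already-compliant Server...Client entry.
  # rc 1 = no such line, rc 2 = grep error.
  command: grep -E 'RotateKubeletClientCertificate=true.*RotateKubeletServerCertificate=true|RotateKubeletServerCertificate=true.*RotateKubeletClientCertificate=true' {{ cm_path.stdout }}
  changed_when: false
  failed_when: "kube_certs.rc == 2"
  register: kube_certs

- name: 7.14 and 7.15 Remove any existing rotation gate entries
  # Drops every line that mentions either gate, regardless of its value.
  # NOTE(review): if other feature gates share that line they are dropped as
  # well and are not restored by the task below — confirm against the node
  # config in use.
  lineinfile:
    path: "{{ cm_path.stdout }}"
    regexp: 'RotateKubelet(Client|Server)Certificate=(true|false)'
    state: absent
  when: kube_certs.stdout == ""

- name: 7.14 and 7.15 Enable client and server certificate rotation
  # state: present with a value replaces the whole feature-gates entry; the
  # value is the YAML text of a one-element list, presumably YAML-loaded by
  # yedit — confirm against the module's value_type default.
  yedit:
    src: "{{ cm_path.stdout }}"
    key: kubeletArguments.feature-gates
    value: "- RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true"
    state: present
  when: kube_certs.stdout == ""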

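- name: Save modified node configuration
  # Fix: replace the config map in place instead of create-copy / delete /
  # re-create / delete-copy.  The old sequence left a window with no
  # node-config-compute map at all, lost the node config if the re-create
  # failed after the delete, and failed on re-run whenever a leftover
  # node-config-compute-update map from an aborted run still existed.
  # --from-file keeps the extracted file's basename as the map key, exactly
  # as the previous oc create did.  A shell pipeline is needed for the pipe;
  # the only interpolated value is the temp-dir path produced by oc extract.
  shell: >-
    oc create configmap node-config-compute --from-file={{ cm_path.stdout }}
    -n openshift-node --dry-run -o yaml
    | oc replace -n openshift-node -f -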

- name: Extract infra node config map
  # Written into the same scratch directory as the compute config; only the
  # network plugin item (6.8) is applied to this map.
  # NOTE(review): the kubelet items 7.1–7.15 above are applied to the compute
  # map only — confirm whether infra nodes are meant to get them as well.
  command: "oc extract cm/node-config-infra -n openshift-node --to={{ temp_dir.path }}"
  register: cm_path_infra

- name: 6.8 Network Policy Change Infra Nodes
  # rc 1 (no match) is the interesting case; only rc 2 (grep error) fails.
  command: grep -A1 networkpolicy {{ cm_path_infra.stdout }}
  register: net_policy_infra_node
  changed_when: false
  failed_when: net_policy_infra_node.rc == 2

- name: 6.8 Switch infra nodes to the ovs-networkpolicy plugin
  yedit:
    src: "{{ cm_path_infra.stdout }}"
    key: networkConfig.networkPluginName
    value: "redhat/openshift-ovs-networkpolicy"
  when: net_policy_infra_node.stdout | length == 0

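- name: Save modified infra node configuration
  # Fix: replace the config map in place instead of create-copy / delete /
  # re-create / delete-copy, which left a window with no node-config-infra
  # map, lost the config if the re-create failed, and broke on re-run when a
  # leftover node-config-infra-update map existed.  --from-file keeps the
  # extracted file's basename as the map key, as before; the pipe needs the
  # shell module and only interpolates the oc extract output path.
  shell: >-
    oc create configmap node-config-infra --from-file={{ cm_path_infra.stdout }}
    -n openshift-node --dry-run -o yaml
    | oc replace -n openshift-node -f -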

- name: Extract master node config map
  # Written into the same scratch directory; only the network plugin item
  # (6.8) is applied to this map.
  # NOTE(review): the kubelet items 7.1–7.15 above are applied to the compute
  # map only — confirm whether master nodes are meant to get them as well.
  command: "oc extract cm/node-config-master -n openshift-node --to={{ temp_dir.path }}"
  register: cm_path_master

- name: 6.8 Network Policy Change Master Nodes
  # rc 1 (no match) is the interesting case; only rc 2 (grep error) fails.
  command: grep -A1 networkpolicy {{ cm_path_master.stdout }}
  register: net_policy_master_node
  changed_when: false
  failed_when: net_policy_master_node.rc == 2

- name: 6.8 Switch master nodes to the ovs-networkpolicy plugin
  yedit:
    src: "{{ cm_path_master.stdout }}"
    key: networkConfig.networkPluginName
    value: "redhat/openshift-ovs-networkpolicy"
  when: net_policy_master_node.stdout | length == 0

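- name: Save modified master node configuration
  # Fix: replace the config map in place instead of create-copy / delete /
  # re-create / delete-copy, which left a window with no node-config-master
  # map, lost the config if the re-create failed, and broke on re-run when a
  # leftover node-config-master-update map existed.  --from-file keeps the
  # extracted file's basename as the map key, as before; the pipe needs the
  # shell module and only interpolates the oc extract output path.
  shell: >-
    oc create configmap node-config-master --from-file={{ cm_path_master.stdout }}
    -n openshift-node --dry-run -o yaml
    | oc replace -n openshift-node -f -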


# Restart the node service and the SDN pods so the new network plugin takes
# effect (other playbooks that restart these services may need the same change).
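- name: Stop node service
  # systemd module instead of a raw `systemctl stop`: idempotent and reports
  # changed/unchanged correctly.
  # NOTE(review): with the default linear strategy this stops the node
  # service on every host in the play at the same time; consider `serial` at
  # the play level if that is not intended.
  systemd:
    name: atomic-openshift-node.service
    state: stopped

- name: Restart OpenShift SDN on all masters and nodes
  # Cluster-wide action, so run it once rather than once per host in the play
  # (the delegated command previously re-ran for every host).
  # NOTE(review): delegated to the control host, so it relies on that host's
  # own oc context, not the oc login done on the target at the top of this
  # file — confirm the control host is logged in as cluster-admin.
  command: oc delete pod --all -n openshift-sdn
  delegate_to: localhost
  run_once: true

- name: Restart node service
  systemd:
    name: atomic-openshift-node.service
    state: restarted
# No third-party network plugin is being installed, so no further SDN steps
# are needed here.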

- name: Restart Master API
  # Restart the control plane only when the network plugin was switched.
  # NOTE(review): `netpol` is not registered anywhere in this file, so it must
  # be set by an earlier play or tasks file; otherwise this `when` fails with
  # an undefined variable.  The local fact that expresses "plugin was
  # changed" is net_policy_master_node.stdout == "" — confirm which one is
  # intended.  master-restart presumably exists only on master hosts.
  # failed_when on rc != 0 restates the command module's default.
  command: /usr/local/bin/master-restart api
  register: mra
  failed_when: mra.rc != 0
  when: "'netpolicy' not in netpol.stdout"

- name: Restart Master Controllers
  # Same condition and caveats as the API restart above.
  command: /usr/local/bin/master-restart controllers
  register: mrc
  failed_when: mrc.rc != 0
  when: "'netpolicy' not in netpol.stdout"