CHANGELOG.md (+15 -6)
@@ -1,5 +1,14 @@
1
1
# Changelog
2
2
3
+
## 25.0.0+1.30.5
4
+
5
+
-**UPDATE**
6
+
- update `k8s_ctl_release` to `1.30.5`
7
+
8
+
-**OTHER CHANGES**
9
+
- support Ubuntu 24.04
10
+
- update `.yamllint`
11
+
3
12
## 24.0.2+1.29.9
4
13
5
14
-**OTHER CHANGES**
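Review bot: The new `25.0.0+1.30.5` entry is a major version bump of the role, yet it lists only UPDATE and OTHER CHANGES and has no BREAKING section. If the bump only follows the move to Kubernetes 1.30, say so in the entry; if operators coming from `24.0.2+1.29.9` have to change anything, list it under BREAKING the way earlier entries do.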
@@ -8,23 +17,23 @@
8
17
## 24.0.1+1.29.9
9
18
10
19
-**UPDATE**
11
-
- update `k8s_release` to `1.29.9`
20
+
- update `k8s_ctl_release` to `1.29.9`
12
21
13
22
## 24.0.0+1.29.4
14
23
15
24
-**UPDATE**
16
-
- update `k8s_release` to `1.29.4`
25
+
- update `k8s_ctl_release` to `1.29.4`
17
26
18
27
## 24.0.0+1.29.3
19
28
20
29
-**UPDATE**
21
-
- update `k8s_release` to `1.29.3`
30
+
- update `k8s_ctl_release` to `1.29.3`
22
31
- Molecule: use `alvistack` instead of `generic` Vagrant boxes
23
32
24
33
## 23.1.2+1.28.8
25
34
26
35
-**UPDATE**
27
-
- update `k8s_release` to `1.28.8`
36
+
- update `k8s_ctl_release` to `1.28.8`
28
37
29
38
## 23.1.1+1.28.5
30
39
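Review bot: The `k8s_release` to `k8s_ctl_release` replacements in the entries from `24.0.1+1.29.9` down to `23.1.2+1.28.8` rewrite the changelog of releases that are already tagged. Confirm that `k8s_ctl_release` was the variable name at each of those tags. If the variable was renamed at some point, entries older than the rename should keep `k8s_release` and the rename should get its own entry, because an inventory that still sets the old name would leave the role on its default release without any error.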
@@ -45,7 +54,7 @@
45
54
## 23.0.0+1.28.5
46
55
47
56
-**UPDATE**
48
-
- Update `k8s_release` to `1.28.5`
57
+
- Update `k8s_ctl_release` to `1.28.5`
49
58
50
59
-**BREAKING**
51
60
- Extend `enable-admission-plugins` in `k8s_apiserver_settings` by: `PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass`. These are enabled by default if this flag is not specified (see [Admission Controllers Reference](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for more information).
@@ -65,7 +74,7 @@
65
74
**Please remove**`/var/lib/kubernetes/admin.kubeconfig` on the K8s controller nodes (if you didn't change the default directory for this file). Older versions of this role created this file. It's no longer needed. It contains the `kubeconfig` (so basically the credentials file) for the `admin` user. This is a very powerful user (actually the user with the most permissions). So use with care and store the file in a secure place! `admin.kubeconfig` should only be used at the very beginning to create a new user with less permissions.
66
75
67
76
-**UPDATE**
68
-
- update `k8s_release` to `1.27.8`
77
+
- update `k8s_ctl_release` to `1.27.8`
69
78
70
79
-**BREAKING**
71
80
- Rename variable `k8s_conf_dir` to `k8s_ctl_conf_dir`. Additionally the default value changed from `/usr/lib/kubernetes` to `/etc/kubernetes/controller`.
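Review bot: In the `1.27.8` entry the UPDATE line now reads `k8s_ctl_release`, while the BREAKING section directly below records the `k8s_conf_dir` to `k8s_ctl_conf_dir` rename and says nothing about the release variable. If `k8s_release` became `k8s_ctl_release` in this same release, add it to that BREAKING list next to the other rename so the two sections agree.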
README.md (+18 -41)
@@ -4,17 +4,21 @@ This role is used in [Kubernetes the not so hard way with Ansible - Control plan
4
4
5
5
## Versions
6
6
7
-
I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `24.0.1+1.29.9` means this is release `24.0.1` of this role and it's meant to be used with Kubernetes version `1.29.9` (but should work with any K8s 1.29.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
7
+
I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `25.0.0+1.30.5` means this is release `25.0.0` of this role and it's meant to be used with Kubernetes version `1.30.5` (but should work with any K8s 1.30.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
8
8
9
9
## Requirements
10
10
11
-
This role requires that you already created some certificates for Kubernetes API server (see [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/)). The role copies the certificates from `k8s_ctl_ca_conf_directory` (which is by default the same as `k8s_ca_conf_directory` used by `githubixx.kubernetes_ca` role) to the destination host. You should also setup a fully meshed VPN with e.g. WireGuard (see [Kubernetes the not so hard way with Ansible - WireGuard](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/)) and of course an etcd cluster (see [Kubernetes the not so hard way with Ansible - etcd cluster](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-etcd/)). The WireGuard VPN Mesh is not a requirement but increases security as all traffic between the K8s hosts is encrypted by default. But as long as all hosts included have an interface where they can communicate with each other it's fine.
11
+
This role requires that you already created some certificates for Kubernetes API server (see [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/)). The role copies the certificates from `k8s_ctl_ca_conf_directory` (which is by default the same as `k8s_ca_conf_directory` used by `githubixx.kubernetes_ca` role) to the destination host.
12
+
13
+
Your hosts on which you want to install Kubernetes should be able to communicate with each other of course. To add an additional layer of security you can setup a fully meshed VPN with WireGuard e.g. (see [Kubernetes the not so hard way with Ansible - WireGuard](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/)). This encrypts every communication between the Kubernetes nodes if the Kubernetes processes use the WireGuard interface. Using WireGuard actually makes it also easily possible to have a Kubernetes cluster that is distributed in various data centers e.g.
14
+
15
+
And of course an [etcd](https://etcd.io/) cluster (see [Kubernetes the not so hard way with Ansible - etcd cluster](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-etcd/)) to store the state of the Kubernetes cluster.
12
16
13
17
## Supported OS
14
18
15
-
- Ubuntu 20.04 (Focal Fossa)
19
+
- Ubuntu 20.04 (Focal Fossa) (reaches EOL April 2024 - not recommended)
16
20
- Ubuntu 22.04 (Jammy Jellyfish)
17
-
- Ubuntu 24.04 (Noble Numbat)
21
+
- Ubuntu 24.04 (Noble Numbat) (recommended)
18
22
19
23
## Changelog
20
24
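Review bot: The added Supported OS line `Ubuntu 20.04 (Focal Fossa) (reaches EOL April 2024 - not recommended)` gives a date that does not match Ubuntu's LTS cycle: 20.04 has five years of standard support, which ends in 2025, not April 2024. Correct the date. In the rewritten Requirements text, encryption is now said to apply only "if the Kubernetes processes use the WireGuard interface"; name the role settings that bind the control plane services to that interface so readers can tell whether their traffic is actually covered.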
@@ -26,6 +30,11 @@ See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-con
26
30
27
31
**Recent changes:**
28
32
33
+
## 25.0.0+1.30.5
34
+
35
+
-**UPDATE**
36
+
- update `k8s_ctl_release` to `1.30.5`
37
+
29
38
## 24.0.2+1.29.9
30
39
31
40
-**OTHER CHANGES**
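Review bot: The `25.0.0+1.30.5` entry added to "Recent changes" has only the UPDATE item, while the same entry in CHANGELOG.md in this commit also has OTHER CHANGES (`support Ubuntu 24.04`, `update .yamllint`). Copy the full entry so the README excerpt and the changelog do not diverge, especially since the Supported OS list in this README now marks Ubuntu 24.04 as recommended.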
@@ -34,51 +43,19 @@ See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-con
34
43
## 24.0.1+1.29.9
35
44
36
45
-**UPDATE**
37
-
- update `k8s_release` to `1.29.9`
46
+
- update `k8s_ctl_release` to `1.29.9`
38
47
39
48
## 24.0.0+1.29.4
40
49
41
50
-**UPDATE**
42
-
- update `k8s_release` to `1.29.4`
51
+
- update `k8s_ctl_release` to `1.29.4`
43
52
44
53
## 24.0.0+1.29.3
45
54
46
55
-**UPDATE**
47
-
- update `k8s_release` to `1.29.3`
56
+
- update `k8s_ctl_release` to `1.29.3`
48
57
- Molecule: use `alvistack` instead of `generic` Vagrant boxes
49
58
50
-
## 23.1.2+1.28.8
51
-
52
-
-**UPDATE**
53
-
- update `k8s_release` to `1.28.8`
54
-
55
-
## 23.1.1+1.28.5
56
-
57
-
-**BUGFIX**
58
-
- ClusterRoleBinding `system:kube-apiserver` needs to honor `k8s_apiserver_csr_cn` value for as username
59
-
- Because of the previous change move `files/kube-apiserver-to-kubelet_cluster_role.yaml -> templates/rbac/kube-apiserver-to-kubelet_cluster_role.yaml.j2` and `files/kube-apiserver-to-kubelet_cluster_role_binding.yaml -> templates/rbac/kube-apiserver-to-kubelet_cluster_role_binding.yaml.j2` as both files became a Jinja2 template.
60
-
61
-
## 23.1.0+1.28.5
62
-
63
-
-**MOLECULE**
64
-
- Change to Ubuntu 22.04 for test-assets VM
65
-
- Adjust common names for certificates / change algo to ecdsa and algo size
66
-
67
-
-**OTHER CHANGES**
68
-
- Fix permissions for temporary directory
69
-
- Adjust Github action because of Ansible Galaxy changes
70
-
71
-
## 23.0.0+1.28.5
72
-
73
-
-**UPDATE**
74
-
- Update `k8s_release` to `1.28.5`
75
-
76
-
-**BREAKING**
77
-
- Extend `enable-admission-plugins` in `k8s_apiserver_settings` by: `PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass`. These are enabled by default if this flag is not specified (see [Admission Controllers Reference](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for more information).
78
-
79
-
-**MOLECULE**
80
-
- Change IP addresses
81
-
82
59
## Installation
83
60
84
61
- Directly download from Github (Change into Ansible roles directory before cloning. You can figure out the role path by using `ansible-config dump | grep DEFAULT_ROLES_PATH` command):
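Review bot: The removed block of older entries includes the `23.0.0+1.28.5` BREAKING note on `enable-admission-plugins` in `k8s_apiserver_settings`, so after this trim "Recent changes" carries no breaking-change notice at all. A single line under the list pointing upgraders from 23.x to the BREAKING sections in CHANGELOG.md would keep that visible.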
@@ -95,7 +72,7 @@ See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-con