Stricter kubeadm validation (config and runtime checks) (#11710)

* kubeadm: do not ignore preflight errors blindly The "ignoring all errors" seems to date back to the inception of the kubeadm support (it was --skip-preflight-check before). This can mask real errors and prevent users from seeing them. Do not ignore any errors by default and make the set of ignored errors configurable. * download/kubeadm: remove redundant task The mode is already set by the previous `copy` task. * Validate kubeadm configs This should help to fail early when we have invalid kubeadm configs (from a kubespray bug or a misconfiguration). * kubeadm-upgrade: remove unnecessary bool cast * Convert kubeadm join discovery timeout to v1beta4 config * CI: Ignore kubeadm:Mem errors on some setup.
2026-02-28 09:39:12 +03:00 · 2024-11-15 07:34:52 +01:00
parent 05e2b47db6
commit 68718dcb6f
11 changed files with 49 additions and 53 deletions
--- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
@@ -36,6 +36,7 @@
    dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
    mode: "0640"
    backup: true
+    validate: "{{ bin_dir }}/kubeadm config validate --config %s"
  when:
    - inventory_hostname != first_kube_control_plane
    - not kubeadm_already_run.stat.exists
@@ -87,7 +88,7 @@
  command: >-
    {{ bin_dir }}/kubeadm join
    --config {{ kube_config_dir }}/kubeadm-controlplane.yaml
-    --ignore-preflight-errors=all
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --skip-phases={{ kubeadm_join_phases_skip | join(',') }}
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -93,6 +93,7 @@
    src: "kubeadm-config.{{ kubeadm_config_api_version }}.yaml.j2"
    dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
    mode: "0640"
+    validate: "{{ bin_dir }}/kubeadm config validate --config %s"

 - name: Kubeadm | Create directory to store admission control configurations
  file:
@@ -168,7 +169,7 @@
    timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
    {{ bin_dir }}/kubeadm init
    --config={{ kube_config_dir }}/kubeadm-config.yaml
-    --ignore-preflight-errors=all
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
    {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
  register: kubeadm_init
--- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
@@ -15,9 +15,9 @@
    {{ bin_dir }}/kubeadm
    upgrade apply -y {{ kube_version }}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors=all
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --allow-experimental-upgrades
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }}
+    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    --force
  register: kubeadm_upgrade
@@ -36,9 +36,9 @@
    {{ bin_dir }}/kubeadm
    upgrade apply -y {{ kube_version }}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors=all
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --allow-experimental-upgrades
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | bool | lower }}
+    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    --force
  register: kubeadm_upgrade