Stricter kubeadm validation (config and runtime checks) (#11710)

* kubeadm: do not ignore preflight errors blindly The "ignoring all errors" seems to date back to the inception of the kubeadm support (it was --skip-preflight-check before). This can mask real errors and prevent users from seeing them. Do not ignore any errors by default and make the set of ignored errors configurable. * download/kubeadm: remove redundant task The mode is already set by the previous `copy` task. * Validate kubeadm configs This should help to fail early when we have invalid kubeadm configs (from a kubespray bug or a misconfiguration). * kubeadm-upgrade: remove unnecessary bool cast * Convert kubeadm join discovery timeout to v1beta4 config * CI: Ignore kubeadm:Mem errors on some setup.
2026-02-28 09:39:12 +03:00 · 2024-11-15 07:34:52 +01:00
parent 05e2b47db6
commit 68718dcb6f
11 changed files with 49 additions and 53 deletions
--- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
@@ -36,6 +36,7 @@
    dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
    mode: "0640"
    backup: true
+    validate: "{{ bin_dir }}/kubeadm config validate --config %s"
  when:
    - inventory_hostname != first_kube_control_plane
    - not kubeadm_already_run.stat.exists
@@ -87,7 +88,7 @@
  command: >-
    {{ bin_dir }}/kubeadm join
    --config {{ kube_config_dir }}/kubeadm-controlplane.yaml
-    --ignore-preflight-errors=all
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --skip-phases={{ kubeadm_join_phases_skip | join(',') }}
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"