Stricter kubeadm validation (config and runtime checks) (#11710)

* kubeadm: do not ignore preflight errors blindly The "ignoring all errors" seems to date back to the inception of the kubeadm support (it was --skip-preflight-check before). This can mask real errors and prevent users from seeing them. Do not ignore any errors by default and make the set of ignored errors configurable. * download/kubeadm: remove redundant task The mode is already set by the previous `copy` task. * Validate kubeadm configs This should help to fail early when we have invalid kubeadm configs (from a kubespray bug or a misconfiguration). * kubeadm-upgrade: remove unnecessary bool cast * Convert kubeadm join discovery timeout to v1beta4 config * CI: Ignore kubeadm:Mem errors on some setup.
2026-03-09 19:58:07 +03:00 · 2024-11-15 07:34:52 +01:00
parent 05e2b47db6
commit 68718dcb6f
11 changed files with 49 additions and 53 deletions
--- a/roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
+++ b/roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
@@ -20,8 +20,14 @@ discovery:
    unsafeSkipCAVerification: true
 {% endif %}
 {% endif %}
-  timeout: {{ discovery_timeout }}
  tlsBootstrapToken: {{ kubeadm_token }}
+{# TODO: drop the if when we drop support for k8s<1.31 #}
+{% if kubeadm_config_api_version == 'v1beta3' %}
+  timeout: {{ discovery_timeout }}
+{% else %}
+timeouts:
+  discovery: {{ discovery_timeout }}
+{% endif %}
 caCertPath: {{ kube_cert_dir }}/ca.crt
 {% if kubeadm_cert_controlplane is defined and kubeadm_cert_controlplane %}
 controlPlane: