Move to Ansible 3.4.0 (#7672)

* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8

roles/kubernetes/control-plane/tasks/main.yml

@@ -7,12 +7,14 @@
   template:
     src: webhook-token-auth-config.yaml.j2
     dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
+    mode: 0640
   when: kube_webhook_token_auth|default(false)
 
 - name: Create webhook authorization config
   template:
     src: webhook-authorization-config.yaml.j2
     dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
+    mode: 0640
   when: kube_webhook_authorization|default(false)
 
 - name: Create kube-scheduler config
@@ -40,7 +42,7 @@
   when: ansible_os_family in ["Debian","RedHat"]
   tags:
     - kubectl
-  ignore_errors: True
+  ignore_errors: true  # noqa ignore-errors
 
 - name: Set kubectl bash completion file permissions
   file:
@@ -52,7 +54,7 @@
   tags:
     - kubectl
     - upgrade
-  ignore_errors: True
+  ignore_errors: true  # noqa ignore-errors
 
 - name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
   set_fact:
@@ -77,12 +79,13 @@
   template:
     src: k8s-certs-renew.sh.j2
     dest: "{{ bin_dir }}/k8s-certs-renew.sh"
-    mode: '755'
+    mode: 0755
 
 - name: Renew K8S control plane certificates monthly 1/2
   template:
     src: "{{ item }}.j2"
     dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
   with_items:
     - k8s-certs-renew.service
     - k8s-certs-renew.timer