Improving yamllint configuration (#11389)

Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>
2026-02-28 09:39:12 +03:00 · 2024-07-26 03:42:20 +02:00
parent 5394715d9b
commit 8f5f75211f
154 changed files with 342 additions and 334 deletions
--- a/roles/bastion-ssh-config/molecule/default/converge.yml
+++ b/roles/bastion-ssh-config/molecule/default/converge.yml
@@ -12,4 +12,4 @@
        dest: "{{ ssh_bastion_confing__name }}"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
-        mode: 0644
+        mode: "0644"
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -19,4 +19,4 @@
  template:
    src: "{{ ssh_bastion_confing__name }}.j2"
    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-    mode: 0640
+    mode: "0640"
--- a/roles/bootstrap-os/tasks/centos.yml
+++ b/roles/bootstrap-os/tasks/centos.yml
@@ -12,7 +12,7 @@
    value: "{{ http_proxy | default(omit) }}"
    state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
    no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
  become: true
  when: not skip_http_proxy_on_os_packages

@@ -21,7 +21,7 @@
  get_url:
    url: https://yum.oracle.com/public-yum-ol7.repo
    dest: /etc/yum.repos.d/public-yum-ol7.repo
-    mode: 0644
+    mode: "0644"
  when:
    - use_oracle_public_repo | default(true)
    - '''ID="ol"'' in os_release.stdout_lines'
@@ -34,7 +34,7 @@
    section: "{{ item }}"
    option: enabled
    value: "1"
-    mode: 0644
+    mode: "0644"
  with_items:
    - ol7_latest
    - ol7_addons
@@ -59,7 +59,7 @@
    section: "ol{{ ansible_distribution_major_version }}_addons"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { option: "name", value: "ol{{ ansible_distribution_major_version }}_addons" }
    - { option: "enabled", value: "1" }
@@ -75,7 +75,7 @@
    section: "extras"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { option: "name", value: "CentOS-{{ ansible_distribution_major_version }} - Extras" }
    - { option: "enabled", value: "1" }
--- a/roles/bootstrap-os/tasks/fedora.yml
+++ b/roles/bootstrap-os/tasks/fedora.yml
@@ -17,7 +17,7 @@
    value: "{{ http_proxy | default(omit) }}"
    state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
    no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
  become: true
  when: not skip_http_proxy_on_os_packages

--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -36,7 +36,7 @@
  file:
    path: "{{ ansible_remote_tmp | default('~/.ansible/tmp') }}"
    state: directory
-    mode: 0700
+    mode: "0700"

 - name: Gather facts
  setup:
@@ -61,4 +61,4 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
--- a/roles/bootstrap-os/tasks/redhat.yml
+++ b/roles/bootstrap-os/tasks/redhat.yml
@@ -12,7 +12,7 @@
    value: "{{ http_proxy | default(omit) }}"
    state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
    no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
  become: true
  when: not skip_http_proxy_on_os_packages

--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -35,7 +35,7 @@
  unarchive:
    src: "{{ downloads.containerd.dest }}"
    dest: "{{ containerd_bin_dir }}"
-    mode: 0755
+    mode: "0755"
    remote_src: yes
    extra_opts:
      - --strip-components=1
@@ -60,7 +60,7 @@
  template:
    src: containerd.service.j2
    dest: /etc/systemd/system/containerd.service
-    mode: 0644
+    mode: "0644"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:containerd.service'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
@@ -70,7 +70,7 @@
  file:
    dest: "{{ item }}"
    state: directory
-    mode: 0755
+    mode: "0755"
    owner: root
    group: root
  with_items:
@@ -83,7 +83,7 @@
  template:
    src: http-proxy.conf.j2
    dest: "{{ containerd_systemd_dir }}/http-proxy.conf"
-    mode: 0644
+    mode: "0644"
  notify: Restart containerd
  when: http_proxy is defined or https_proxy is defined

@@ -102,7 +102,7 @@
    content: "{{ item.value }}"
    dest: "{{ containerd_cfg_dir }}/{{ item.key }}"
    owner: "root"
-    mode: 0644
+    mode: "0644"
  with_dict: "{{ containerd_base_runtime_specs | default({}) }}"
  notify: Restart containerd

@@ -111,7 +111,7 @@
    src: config.toml.j2
    dest: "{{ containerd_cfg_dir }}/config.toml"
    owner: "root"
-    mode: 0640
+    mode: "0640"
  notify: Restart containerd

 - name: Containerd | Configure containerd registries
@@ -121,13 +121,13 @@
      file:
        path: "{{ containerd_cfg_dir }}/certs.d/{{ item.prefix }}"
        state: directory
-        mode: 0755
+        mode: "0755"
      loop: "{{ containerd_registries_mirrors }}"
    - name: Containerd | Write hosts.toml file
      template:
        src: hosts.toml.j2
        dest: "{{ containerd_cfg_dir }}/certs.d/{{ item.prefix }}/hosts.toml"
-        mode: 0640
+        mode: "0640"
      loop: "{{ containerd_registries_mirrors }}"

 # you can sometimes end up in a state where everything is installed
--- a/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
+++ b/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
@@ -28,7 +28,7 @@
        src: "{{ item }}"
        dest: "/tmp/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - container.json
        - sandbox.json
@@ -37,12 +37,12 @@
        path: /etc/cni/net.d
        state: directory
        owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
    - name: Setup CNI
      copy:
        src: "{{ item }}"
        dest: "/etc/cni/net.d/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - 10-mynet.conf
--- a/roles/container-engine/cri-dockerd/tasks/main.yml
+++ b/roles/container-engine/cri-dockerd/tasks/main.yml
@@ -8,7 +8,7 @@
  copy:
    src: "{{ local_release_dir }}/cri-dockerd"
    dest: "{{ bin_dir }}/cri-dockerd"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  notify:
    - Restart and enable cri-dockerd
@@ -17,7 +17,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: "0644"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:{{ item }}'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
--- a/roles/container-engine/cri-o/molecule/default/prepare.yml
+++ b/roles/container-engine/cri-o/molecule/default/prepare.yml
@@ -33,7 +33,7 @@
        src: "{{ item }}"
        dest: "/tmp/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - container.json
        - sandbox.json
@@ -42,12 +42,12 @@
        path: /etc/cni/net.d
        state: directory
        owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
    - name: Setup CNI
      copy:
        src: "{{ item }}"
        dest: "/etc/cni/net.d/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - 10-mynet.conf
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -56,27 +56,27 @@
  file:
    path: "{{ item }}"
    state: directory
-    mode: 0755
+    mode: "0755"

 - name: Cri-o | install cri-o config
  template:
    src: crio.conf.j2
    dest: /etc/crio/crio.conf
-    mode: 0644
+    mode: "0644"
  register: config_install

 - name: Cri-o | install config.json
  template:
    src: config.json.j2
    dest: /etc/crio/config.json
-    mode: 0644
+    mode: "0644"
  register: reg_auth_install

 - name: Cri-o | copy binaries
  copy:
    src: "{{ local_release_dir }}/cri-o/bin/{{ item }}"
    dest: "{{ bin_dir }}/{{ item }}"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  with_items:
    - "{{ crio_bin_files }}"
@@ -86,7 +86,7 @@
  copy:
    src: "{{ local_release_dir }}/cri-o/contrib/crio.service"
    dest: /etc/systemd/system/crio.service
-    mode: 0755
+    mode: "0755"
    remote_src: true
  notify: Restart crio

@@ -115,7 +115,7 @@
  copy:
    src: "{{ local_release_dir }}/cri-o/contrib/policy.json"
    dest: /etc/containers/policy.json
-    mode: 0755
+    mode: "0755"
    remote_src: true
  notify: Restart crio

@@ -123,7 +123,7 @@
  copy:
    src: mounts.conf
    dest: /etc/containers/mounts.conf
-    mode: 0644
+    mode: "0644"
  when:
    - ansible_os_family == 'RedHat'
  notify: Restart crio
@@ -133,7 +133,7 @@
    path: /etc/containers/oci/hooks.d
    state: directory
    owner: root
-    mode: 0755
+    mode: "0755"

 - name: Cri-o | set overlay driver
  community.general.ini_file:
@@ -141,7 +141,7 @@
    section: storage
    option: "{{ item.option }}"
    value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - option: driver
      value: '"overlay"'
@@ -157,20 +157,20 @@
    section: storage.options.overlay
    option: mountopt
    value: '{{ ''"nodev"'' if ansible_kernel is version_compare(("4.18" if ansible_os_family == "RedHat" else "4.19"), "<") else ''"nodev,metacopy=on"'' }}'
-    mode: 0644
+    mode: "0644"

 - name: Cri-o | create directory registries configs
  file:
    path: /etc/containers/registries.conf.d
    state: directory
    owner: root
-    mode: 0755
+    mode: "0755"

 - name: Cri-o | write registries configs
  template:
    src: registry.conf.j2
    dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':|/', '_') }}.conf"
-    mode: 0644
+    mode: "0644"
  loop: "{{ crio_registries }}"
  notify: Restart crio

@@ -178,14 +178,14 @@
  template:
    src: unqualified.conf.j2
    dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
-    mode: 0644
+    mode: "0644"
  notify: Restart crio

 - name: Cri-o | write cri-o proxy drop-in
  template:
    src: http-proxy.conf.j2
    dest: /etc/systemd/system/crio.service.d/http-proxy.conf
-    mode: 0644
+    mode: "0644"
  notify: Restart crio
  when: http_proxy is defined or https_proxy is defined

--- a/roles/container-engine/cri-o/tasks/setup-amazon.yaml
+++ b/roles/container-engine/cri-o/tasks/setup-amazon.yaml
@@ -20,7 +20,7 @@
    option: enabled
    value: "0"
    backup: yes
-    mode: 0644
+    mode: "0644"
  when:
    - amzn2_extras_file_stat.stat.exists
    - not amzn2_extras_docker_repo.changed
--- a/roles/container-engine/crictl/handlers/main.yml
+++ b/roles/container-engine/crictl/handlers/main.yml
@@ -9,4 +9,4 @@
  copy:
    dest: /etc/bash_completion.d/crictl
    content: "{{ cri_completion.stdout }}"
-    mode: 0644
+    mode: "0644"
--- a/roles/container-engine/crictl/tasks/crictl.yml
+++ b/roles/container-engine/crictl/tasks/crictl.yml
@@ -9,13 +9,13 @@
    src: crictl.yaml.j2
    dest: /etc/crictl.yaml
    owner: root
-    mode: 0644
+    mode: "0644"

 - name: Copy crictl binary from download dir
  copy:
    src: "{{ local_release_dir }}/crictl"
    dest: "{{ bin_dir }}/crictl"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  notify:
    - Get crictl completion
--- a/roles/container-engine/crun/tasks/main.yml
+++ b/roles/container-engine/crun/tasks/main.yml
@@ -8,5 +8,5 @@
  copy:
    src: "{{ downloads.crun.dest }}"
    dest: "{{ bin_dir }}/crun"
-    mode: 0755
+    mode: "0755"
    remote_src: true
--- a/roles/container-engine/docker-storage/tasks/main.yml
+++ b/roles/container-engine/docker-storage/tasks/main.yml
@@ -10,12 +10,12 @@
  template:
    src: docker-storage-setup.j2
    dest: /etc/sysconfig/docker-storage-setup
-    mode: 0644
+    mode: "0644"

 - name: Docker-storage-override-directory | docker service storage-setup override dir
  file:
    dest: /etc/systemd/system/docker.service.d
-    mode: 0755
+    mode: "0755"
    owner: root
    group: root
    state: directory
@@ -30,7 +30,7 @@

    owner: root
    group: root
-    mode: 0644
+    mode: "0644"

 # https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
 - name: Docker-storage-setup | install lvm2
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -82,14 +82,14 @@
  template:
    src: "fedora_docker.repo.j2"
    dest: "{{ yum_repo_dir }}/docker.repo"
-    mode: 0644
+    mode: "0644"
  when: ansible_distribution == "Fedora" and not is_ostree

 - name: Configure docker repository on RedHat/CentOS/OracleLinux/AlmaLinux/KylinLinux
  template:
    src: "rh_docker.repo.j2"
    dest: "{{ yum_repo_dir }}/docker-ce.repo"
-    mode: 0644
+    mode: "0644"
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution != "Fedora"
--- a/roles/container-engine/docker/tasks/systemd.yml
+++ b/roles/container-engine/docker/tasks/systemd.yml
@@ -3,13 +3,13 @@
  file:
    path: /etc/systemd/system/docker.service.d
    state: directory
-    mode: 0755
+    mode: "0755"

 - name: Write docker proxy drop-in
  template:
    src: http-proxy.conf.j2
    dest: /etc/systemd/system/docker.service.d/http-proxy.conf
-    mode: 0644
+    mode: "0644"
  notify: Restart docker
  when: http_proxy is defined or https_proxy is defined

@@ -27,7 +27,7 @@
  template:
    src: docker.service.j2
    dest: /etc/systemd/system/docker.service
-    mode: 0644
+    mode: "0644"
  register: docker_service_file
  notify: Restart docker
  when:
@@ -38,14 +38,14 @@
  template:
    src: docker-options.conf.j2
    dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
-    mode: 0644
+    mode: "0644"
  notify: Restart docker

 - name: Write docker dns systemd drop-in
  template:
    src: docker-dns.conf.j2
    dest: "/etc/systemd/system/docker.service.d/docker-dns.conf"
-    mode: 0644
+    mode: "0644"
  notify: Restart docker
  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'

@@ -53,14 +53,14 @@
  copy:
    src: cleanup-docker-orphans.sh
    dest: "{{ bin_dir }}/cleanup-docker-orphans.sh"
-    mode: 0755
+    mode: "0755"
  when: docker_orphan_clean_up | bool

 - name: Write docker orphan clean up systemd drop-in
  template:
    src: docker-orphan-cleanup.conf.j2
    dest: "/etc/systemd/system/docker.service.d/docker-orphan-cleanup.conf"
-    mode: 0644
+    mode: "0644"
  notify: Restart docker
  when: docker_orphan_clean_up | bool

--- a/roles/container-engine/gvisor/molecule/default/prepare.yml
+++ b/roles/container-engine/gvisor/molecule/default/prepare.yml
@@ -29,7 +29,7 @@
        src: "{{ item }}"
        dest: "/tmp/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - container.json
        - sandbox.json
@@ -38,12 +38,12 @@
        path: /etc/cni/net.d
        state: directory
        owner: root
-        mode: 0755
+        mode: "0755"
    - name: Setup CNI
      copy:
        src: "{{ item }}"
        dest: "/etc/cni/net.d/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - 10-mynet.conf
--- a/roles/container-engine/gvisor/tasks/main.yml
+++ b/roles/container-engine/gvisor/tasks/main.yml
@@ -13,7 +13,7 @@
  copy:
    src: "{{ item.src }}"
    dest: "{{ bin_dir }}/{{ item.dest }}"
-    mode: 0755
+    mode: "0755"
    remote_src: yes
  with_items:
    - { src: "{{ downloads.gvisor_runsc.dest }}", dest: "runsc" }
--- a/roles/container-engine/kata-containers/molecule/default/prepare.yml
+++ b/roles/container-engine/kata-containers/molecule/default/prepare.yml
@@ -29,7 +29,7 @@
        src: "{{ item }}"
        dest: "/tmp/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - container.json
        - sandbox.json
@@ -38,12 +38,12 @@
        path: /etc/cni/net.d
        state: directory
        owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
    - name: Setup CNI
      copy:
        src: "{{ item }}"
        dest: "/etc/cni/net.d/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - 10-mynet.conf
--- a/roles/container-engine/kata-containers/tasks/main.yml
+++ b/roles/container-engine/kata-containers/tasks/main.yml
@@ -8,7 +8,7 @@
  unarchive:
    src: "{{ downloads.kata_containers.dest }}"
    dest: "/"
-    mode: 0755
+    mode: "0755"
    owner: root
    group: root
    remote_src: yes
@@ -17,13 +17,13 @@
  file:
    path: "{{ kata_containers_config_dir }}"
    state: directory
-    mode: 0755
+    mode: "0755"

 - name: Kata-containers | Set configuration
  template:
    src: "{{ item }}.j2"
    dest: "{{ kata_containers_config_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - configuration-qemu.toml

@@ -33,7 +33,7 @@
  template:
    dest: "{{ kata_containers_containerd_bin_dir }}/containerd-shim-kata-{{ item }}-v2"
    src: containerd-shim-kata-v2.j2
-    mode: 0755
+    mode: "0755"
  with_items:
    - qemu

@@ -48,7 +48,7 @@
 - name: Kata-containers | Persist vhost kernel modules
  copy:
    dest: /etc/modules-load.d/kubespray-kata-containers.conf
-    mode: 0644
+    mode: "0644"
    content: |
      vhost_vsock
      vhost_net
--- a/roles/container-engine/nerdctl/handlers/main.yml
+++ b/roles/container-engine/nerdctl/handlers/main.yml
@@ -9,4 +9,4 @@
  copy:
    dest: /etc/bash_completion.d/nerdctl
    content: "{{ nerdctl_completion.stdout }}"
-    mode: 0644
+    mode: "0644"
--- a/roles/container-engine/nerdctl/tasks/main.yml
+++ b/roles/container-engine/nerdctl/tasks/main.yml
@@ -8,7 +8,7 @@
  copy:
    src: "{{ local_release_dir }}/nerdctl"
    dest: "{{ bin_dir }}/nerdctl"
-    mode: 0755
+    mode: "0755"
    remote_src: true
    owner: root
    group: root
@@ -21,7 +21,7 @@
  file:
    path: /etc/nerdctl
    state: directory
-    mode: 0755
+    mode: "0755"
    owner: root
    group: root
  become: true
@@ -30,7 +30,7 @@
  template:
    src: nerdctl.toml.j2
    dest: /etc/nerdctl/nerdctl.toml
-    mode: 0644
+    mode: "0644"
    owner: root
    group: root
  become: true
--- a/roles/container-engine/runc/tasks/main.yml
+++ b/roles/container-engine/runc/tasks/main.yml
@@ -27,7 +27,7 @@
  copy:
    src: "{{ downloads.runc.dest }}"
    dest: "{{ runc_bin_dir }}/runc"
-    mode: 0755
+    mode: "0755"
    remote_src: true

 - name: Runc | Remove orphaned binary
--- a/roles/container-engine/skopeo/tasks/main.yml
+++ b/roles/container-engine/skopeo/tasks/main.yml
@@ -28,5 +28,5 @@
  copy:
    src: "{{ downloads.skopeo.dest }}"
    dest: "{{ bin_dir }}/skopeo"
-    mode: 0755
+    mode: "0755"
    remote_src: true
--- a/roles/container-engine/youki/molecule/default/prepare.yml
+++ b/roles/container-engine/youki/molecule/default/prepare.yml
@@ -29,7 +29,7 @@
        src: "{{ item }}"
        dest: "/tmp/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - container.json
        - sandbox.json
@@ -38,12 +38,12 @@
        path: /etc/cni/net.d
        state: directory
        owner: root
-        mode: 0755
+        mode: "0755"
    - name: Setup CNI
      copy:
        src: "{{ item }}"
        dest: "/etc/cni/net.d/{{ item }}"
        owner: root
-        mode: 0644
+        mode: "0644"
      with_items:
        - 10-mynet.conf
--- a/roles/container-engine/youki/tasks/main.yml
+++ b/roles/container-engine/youki/tasks/main.yml
@@ -8,5 +8,5 @@
  copy:
    src: "{{ local_release_dir }}/youki_{{ youki_version | regex_replace('\\.', '_') }}_linux/youki-{{ youki_version }}/youki"
    dest: "{{ youki_bin_dir }}/youki"
-    mode: 0755
+    mode: "0755"
    remote_src: true
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -22,7 +22,7 @@
    file:
      path: "{{ download.dest | dirname }}"
      owner: "{{ download.owner | default(omit) }}"
-      mode: 0755
+      mode: "0755"
      state: directory
      recurse: yes

--- a/roles/download/tasks/prep_download.yml
+++ b/roles/download/tasks/prep_download.yml
@@ -69,7 +69,7 @@
  file:
    path: "{{ local_release_dir }}/images"
    state: directory
-    mode: 0755
+    mode: "0755"
    owner: "{{ ansible_ssh_user | default(ansible_user_id) }}"
  when:
    - ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
@@ -78,7 +78,7 @@
  file:
    path: "{{ download_cache_dir }}/images"
    state: directory
-    mode: 0755
+    mode: "0755"
  delegate_to: localhost
  connection: local
  delegate_facts: no
--- a/roles/download/tasks/prep_kubeadm_images.yml
+++ b/roles/download/tasks/prep_kubeadm_images.yml
@@ -18,7 +18,7 @@
  template:
    src: "kubeadm-images.yaml.j2"
    dest: "{{ kube_config_dir }}/kubeadm-images.yaml"
-    mode: 0644
+    mode: "0644"
  when:
    - not skip_kubeadm_images | default(false)

@@ -26,7 +26,7 @@
  copy:
    src: "{{ downloads.kubeadm.dest }}"
    dest: "{{ bin_dir }}/kubeadm"
-    mode: 0755
+    mode: "0755"
    remote_src: true

 - name: Prep_kubeadm_images | Set kubeadm binary permissions
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -16,7 +16,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0600
+    mode: "0600"
  listen: Restart etcd
  when: etcd_cluster_is_healthy.rc == 0

--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -50,7 +50,7 @@
    src: "etcd-{{ etcd_deployment_type }}.service.j2"
    dest: /etc/systemd/system/etcd.service
    backup: yes
-    mode: 0644
+    mode: "0644"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:etcd-{{ etcd_deployment_type }}.service'"
@@ -61,7 +61,7 @@
    src: "etcd-events-{{ etcd_deployment_type }}.service.j2"
    dest: /etc/systemd/system/etcd-events.service
    backup: yes
-    mode: 0644
+    mode: "0644"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:etcd-events-{{ etcd_deployment_type }}.service'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -13,7 +13,7 @@
    path: "{{ etcd_script_dir }}"
    state: directory
    owner: root
-    mode: 0700
+    mode: "0700"
  run_once: yes
  when: inventory_hostname == groups['etcd'][0]

@@ -21,7 +21,7 @@
  template:
    src: "openssl.conf.j2"
    dest: "{{ etcd_config_dir }}/openssl.conf"
-    mode: 0640
+    mode: "0640"
  run_once: yes
  delegate_to: "{{ groups['etcd'][0] }}"
  when:
@@ -32,7 +32,7 @@
  template:
    src: "make-ssl-etcd.sh.j2"
    dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
-    mode: 0700
+    mode: "0700"
  run_once: yes
  when:
    - gen_certs | default(false)
@@ -90,7 +90,7 @@
    content: "{{ item.content | b64decode }}"
    group: "{{ etcd_cert_group }}"
    owner: "{{ etcd_owner }}"
-    mode: 0640
+    mode: "0640"
  with_items: "{{ etcd_master_certs.results }}"
  when:
    - inventory_hostname in groups['etcd']
@@ -122,7 +122,7 @@
    content: "{{ item.content | b64decode }}"
    group: "{{ etcd_cert_group }}"
    owner: "{{ etcd_owner }}"
-    mode: 0640
+    mode: "0640"
  with_items: "{{ etcd_master_node_certs.results }}"
  when:
    - inventory_hostname in groups['etcd']
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -28,7 +28,7 @@
    src: etcd.j2
    dest: "{{ bin_dir }}/etcd"
    owner: 'root'
-    mode: 0750
+    mode: "0750"
    backup: yes
  when: etcd_cluster_setup

@@ -37,6 +37,6 @@
    src: etcd-events.j2
    dest: "{{ bin_dir }}/etcd-events"
    owner: 'root'
-    mode: 0750
+    mode: "0750"
    backup: yes
  when: etcd_events_cluster_setup
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -24,7 +24,7 @@
  copy:
    src: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
    dest: "{{ bin_dir }}/{{ item }}"
-    mode: 0755
+    mode: "0755"
    remote_src: yes
  with_items:
    - etcd
--- a/roles/etcd/tasks/refresh_config.yml
+++ b/roles/etcd/tasks/refresh_config.yml
@@ -3,7 +3,7 @@
  template:
    src: etcd.env.j2
    dest: /etc/etcd.env
-    mode: 0640
+    mode: "0640"
  notify: Restart etcd
  when: is_etcd_master and etcd_cluster_setup

@@ -11,6 +11,6 @@
  template:
    src: etcd-events.env.j2
    dest: /etc/etcd-events.env
-    mode: 0640
+    mode: "0640"
  notify: Restart etcd-events
  when: is_etcd_master and etcd_events_cluster_setup
--- a/roles/etcd/tasks/upd_ca_trust.yml
+++ b/roles/etcd/tasks/upd_ca_trust.yml
@@ -21,7 +21,7 @@
    src: "{{ etcd_cert_dir }}/ca.pem"
    dest: "{{ ca_cert_path }}"
    remote_src: true
-    mode: 0640
+    mode: "0640"
  register: etcd_ca_cert

 - name: Gen_certs | update ca-certificates (Debian/Ubuntu/SUSE/Flatcar)  # noqa no-handler
--- a/roles/etcdctl_etcdutl/tasks/main.yml
+++ b/roles/etcdctl_etcdutl/tasks/main.yml
@@ -31,7 +31,7 @@
  copy:
    src: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
    dest: "{{ bin_dir }}/{{ item }}"
-    mode: 0755
+    mode: "0755"
    remote_src: yes
  with_items:
    - etcdctl
@@ -42,4 +42,4 @@
  template:
    src: etcdctl.sh.j2
    dest: "{{ bin_dir }}/etcdctl.sh"
-    mode: 0755
+    mode: "0755"
--- a/roles/kubernetes-apps/ansible/tasks/coredns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/coredns.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  loop:
    - { name: coredns, file: coredns-clusterrole.yml, type: clusterrole }
    - { name: coredns, file: coredns-clusterrolebinding.yml, type: clusterrolebinding }
@@ -31,7 +31,7 @@
  template:
    src: "{{ item.src }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: coredns, src: coredns-deployment.yml, file: coredns-deployment-secondary.yml, type: deployment }
    - { name: coredns, src: coredns-svc.yml, file: coredns-svc-secondary.yml, type: svc }
--- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml
+++ b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { file: dashboard.yml, type: deploy, name: kubernetes-dashboard }
  register: manifests
--- a/roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml
+++ b/roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { file: etcd_metrics-endpoints.yml, type: endpoints, name: etcd-metrics }
    - { file: etcd_metrics-service.yml, type: service, name: etcd-metrics }
--- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml
+++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
@@ -29,7 +29,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ netchecker_templates }}"
  register: manifests
  when:
--- a/roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml
@@ -20,7 +20,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: nodelocaldns, file: nodelocaldns-config.yml, type: configmap }
    - { name: nodelocaldns, file: nodelocaldns-sa.yml, type: sa }
@@ -51,7 +51,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: nodelocaldns, file: nodelocaldns-second-daemonset.yml, type: daemonset }
  register: nodelocaldns_second_manifests
--- a/roles/kubernetes-apps/argocd/tasks/main.yml
+++ b/roles/kubernetes-apps/argocd/tasks/main.yml
@@ -36,7 +36,7 @@
      url: "{{ item.url }}"
      unarchive: false
      owner: "root"
-      mode: 0644
+      mode: "0644"
      sha256: ""
    download: "{{ download_defaults | combine(download_argocd) }}"
  with_items: "{{ argocd_templates | selectattr('url', 'defined') | list }}"
@@ -73,7 +73,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ argocd_templates | selectattr('url', 'undefined') | list }}"
  loop_control:
    label: "{{ item.file }}"
--- a/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
+++ b/roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
@@ -7,7 +7,7 @@
  template:
    src: controller-manager-config.yml.j2
    dest: "{{ kube_config_dir }}/controller-manager-config.yml"
-    mode: 0644
+    mode: "0644"
  when: inventory_hostname == groups['kube_control_plane'][0]

 - name: "OCI Cloud Controller | Slurp Configuration"
@@ -24,7 +24,7 @@
  template:
    src: oci-cloud-provider.yml.j2
    dest: "{{ kube_config_dir }}/oci-cloud-provider.yml"
-    mode: 0644
+    mode: "0644"
  when: inventory_hostname == groups['kube_control_plane'][0]

 - name: "OCI Cloud Controller | Apply Manifests"
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -15,7 +15,7 @@
  template:
    src: "node-crb.yml.j2"
    dest: "{{ kube_config_dir }}/node-crb.yml"
-    mode: 0640
+    mode: "0640"
  register: node_crb_manifest
  when:
    - rbac_enabled
@@ -70,7 +70,7 @@
  copy:
    src: k8s-cluster-critical-pc.yml
    dest: "{{ kube_config_dir }}/k8s-cluster-critical-pc.yml"
-    mode: 0640
+    mode: "0640"
  when: inventory_hostname == groups['kube_control_plane'] | last

 - name: PriorityClass | Create k8s-cluster-critical
--- a/roles/kubernetes-apps/cluster_roles/tasks/oci.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/oci.yml
@@ -3,7 +3,7 @@
  copy:
    src: "oci-rbac.yml"
    dest: "{{ kube_config_dir }}/oci-rbac.yml"
-    mode: 0640
+    mode: "0640"
  when:
  - cloud_provider is defined
  - cloud_provider == 'oci'
--- a/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/tasks/main.yml
+++ b/roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/tasks/main.yml
@@ -26,14 +26,14 @@
    path: "{{ kube_config_dir }}/addons/container_engine_accelerator"
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
    recurse: true

 - name: Container Engine Acceleration Nvidia GPU | Create manifests for nvidia accelerators
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/container_engine_accelerator/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: nvidia-driver-install-daemonset, file: nvidia-driver-install-daemonset.yml, type: daemonset }
    - { name: k8s-device-plugin-nvidia-daemonset, file: k8s-device-plugin-nvidia-daemonset.yml, type: daemonset }
--- a/roles/kubernetes-apps/container_runtimes/gvisor/tasks/main.yaml
+++ b/roles/kubernetes-apps/container_runtimes/gvisor/tasks/main.yaml
@@ -4,7 +4,7 @@
    path: "{{ kube_config_dir }}/addons/gvisor"
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
    recurse: true

 - name: GVisor | Templates List
@@ -16,7 +16,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/gvisor/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ gvisor_templates }}"
  register: gvisor_manifests
  when:
--- a/roles/kubernetes-apps/container_runtimes/kata_containers/tasks/main.yaml
+++ b/roles/kubernetes-apps/container_runtimes/kata_containers/tasks/main.yaml
@@ -5,7 +5,7 @@
    path: "{{ kube_config_dir }}/addons/kata_containers"
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
    recurse: true

 - name: Kata Containers | Templates list
@@ -17,7 +17,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/kata_containers/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ kata_containers_templates }}"
  register: kata_containers_manifests
  when:
--- a/roles/kubernetes-apps/csi_driver/aws_ebs/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/aws_ebs/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: aws-ebs-csi-driver, file: aws-ebs-csi-driver.yml}
    - {name: aws-ebs-csi-controllerservice, file: aws-ebs-csi-controllerservice-rbac.yml}
--- a/roles/kubernetes-apps/csi_driver/azuredisk/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/azuredisk/tasks/main.yml
@@ -7,7 +7,7 @@
    src: "azure-csi-cloud-config.j2"
    dest: "{{ kube_config_dir }}/azure_csi_cloud_config"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  when: inventory_hostname == groups['kube_control_plane'][0]

 - name: Azure CSI Driver | Get base64 cloud-config
@@ -20,7 +20,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: azure-csi-azuredisk-driver, file: azure-csi-azuredisk-driver.yml}
    - {name: azure-csi-cloud-config-secret, file: azure-csi-cloud-config-secret.yml}
--- a/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
@@ -7,5 +7,5 @@
    src: "{{ cinder_cacert }}"
    dest: "{{ kube_config_dir }}/cinder-cacert.pem"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  delegate_to: "{{ delegate_host_to_write_cacert }}"
--- a/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
@@ -18,7 +18,7 @@
    src: "cinder-csi-cloud-config.j2"
    dest: "{{ kube_config_dir }}/cinder_cloud_config"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  when: inventory_hostname == groups['kube_control_plane'][0]

 - name: Cinder CSI Driver | Get base64 cloud-config
@@ -31,7 +31,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: cinder-csi-driver, file: cinder-csi-driver.yml}
    - {name: cinder-csi-cloud-config-secret, file: cinder-csi-cloud-config-secret.yml}
--- a/roles/kubernetes-apps/csi_driver/csi_crd/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/csi_crd/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: volumesnapshotclasses, file: volumesnapshotclasses.yml}
    - {name: volumesnapshotcontents, file: volumesnapshotcontents.yml}
--- a/roles/kubernetes-apps/csi_driver/gcp_pd/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/gcp_pd/tasks/main.yml
@@ -9,7 +9,7 @@
    src: "{{ gcp_pd_csi_sa_cred_file }}"
    dest: "{{ kube_config_dir }}/cloud-sa.json"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  when: inventory_hostname == groups['kube_control_plane'][0]

 - name: GCP PD CSI Driver | Get base64 cloud-sa.json
@@ -22,7 +22,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: gcp-pd-csi-cred-secret, file: gcp-pd-csi-cred-secret.yml}
    - {name: gcp-pd-csi-setup, file: gcp-pd-csi-setup.yml}
--- a/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml
@@ -16,7 +16,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: upcloud-csi-cred-secret, file: upcloud-csi-cred-secret.yml}
    - {name: upcloud-csi-setup, file: upcloud-csi-setup.yml}
--- a/roles/kubernetes-apps/csi_driver/vsphere/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/vsphere/tasks/main.yml
@@ -6,7 +6,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "{{ kube_config_dir }}/{{ item }}"
-    mode: 0640
+    mode: "0640"
  with_items:
    - vsphere-csi-cloud-config
  when: inventory_hostname == groups['kube_control_plane'][0]
@@ -15,7 +15,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "{{ kube_config_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - vsphere-csi-namespace.yml
    - vsphere-csi-driver.yml
--- a/roles/kubernetes-apps/external_cloud_controller/hcloud/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/hcloud/tasks/main.yml
@@ -4,7 +4,7 @@
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  with_items:
    - {name: external-hcloud-cloud-secret, file: external-hcloud-cloud-secret.yml}
    - {name: external-hcloud-cloud-service-account, file: external-hcloud-cloud-service-account.yml}
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/main.yml
@@ -24,7 +24,7 @@
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  with_items:
    - {name: external-huawei-cloud-config-secret, file: external-huawei-cloud-config-secret.yml}
    - {name: external-huawei-cloud-controller-manager-roles, file: external-huawei-cloud-controller-manager-roles.yml}
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -24,7 +24,7 @@
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  with_items:
    - {name: external-openstack-cloud-config-secret, file: external-openstack-cloud-config-secret.yml}
    - {name: external-openstack-cloud-controller-manager-roles, file: external-openstack-cloud-controller-manager-roles.yml}
--- a/roles/kubernetes-apps/external_cloud_controller/vsphere/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/vsphere/tasks/main.yml
@@ -6,7 +6,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "{{ kube_config_dir }}/{{ item }}"
-    mode: 0640
+    mode: "0640"
  with_items:
    - external-vsphere-cpi-cloud-config
  when: inventory_hostname == groups['kube_control_plane'][0]
@@ -15,7 +15,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "{{ kube_config_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - external-vsphere-cpi-cloud-config-secret.yml
    - external-vsphere-cloud-controller-manager-roles.yml
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
@@ -33,7 +33,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -54,7 +54,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/cephfs_provisioner/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ cephfs_provisioner_templates }}"
  register: cephfs_provisioner_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@@ -5,7 +5,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -13,7 +13,7 @@
  file:
    path: "{{ local_path_provisioner_claim_root }}"
    state: directory
-    mode: 0755
+    mode: "0755"

 - name: Local Path Provisioner | Render Template
  set_fact:
@@ -30,7 +30,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/local_path_provisioner/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ local_path_provisioner_templates }}"
  register: local_path_provisioner_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
@@ -12,7 +12,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"

 - name: Local Volume Provisioner | Templates list
  set_fact:
@@ -29,7 +29,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/local_volume_provisioner/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ local_volume_provisioner_templates }}"
  register: local_volume_provisioner_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
@@ -33,7 +33,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -54,7 +54,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/rbd_provisioner/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ rbd_provisioner_templates }}"
  register: rbd_provisioner_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
@@ -32,7 +32,7 @@
  copy:
    src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm"
    dest: "{{ bin_dir }}/helm"
-    mode: 0755
+    mode: "0755"
    remote_src: true

 - name: Helm | Get helm completion
@@ -45,5 +45,5 @@
  copy:
    dest: /etc/bash_completion.d/helm.sh
    content: "{{ helm_completion.stdout }}"
-    mode: 0755
+    mode: "0755"
  become: True
--- a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
@@ -6,13 +6,13 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"

 - name: ALB Ingress Controller | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: alb-ingress-clusterrole, file: alb-ingress-clusterrole.yml, type: clusterrole }
    - { name: alb-ingress-clusterrolebinding, file: alb-ingress-clusterrolebinding.yml, type: clusterrolebinding }
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
@@ -24,7 +24,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -38,7 +38,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ cert_manager_templates }}"
  register: cert_manager_manifests
  when:
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -6,7 +6,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -50,7 +50,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ ingress_nginx_templates }}"
  register: ingress_nginx_manifests
  when:
--- a/roles/kubernetes-apps/krew/tasks/krew.yml
+++ b/roles/kubernetes-apps/krew/tasks/krew.yml
@@ -8,13 +8,13 @@
  template:
    src: krew.j2
    dest: /etc/bash_completion.d/krew
-    mode: 0644
+    mode: "0644"

 - name: Krew | Copy krew manifest
  template:
    src: krew.yml.j2
    dest: "{{ local_release_dir }}/krew.yml"
-    mode: 0644
+    mode: "0644"

 - name: Krew | Install krew  # noqa command-instead-of-shell
  shell: "{{ local_release_dir }}/krew-{{ host_os }}_{{ image_arch }} install --archive={{ local_release_dir }}/krew-{{ host_os }}_{{ image_arch }}.tar.gz --manifest={{ local_release_dir }}/krew.yml"
@@ -33,6 +33,6 @@
  copy:
    dest: /etc/bash_completion.d/krew.sh
    content: "{{ krew_completion.stdout }}"
-    mode: 0755
+    mode: "0755"
  become: True
  when: krew_completion.rc == 0
--- a/roles/kubernetes-apps/metallb/tasks/main.yml
+++ b/roles/kubernetes-apps/metallb/tasks/main.yml
@@ -16,7 +16,7 @@
  template:
    src: "metallb.yaml.j2"
    dest: "{{ kube_config_dir }}/metallb.yaml"
-    mode: 0644
+    mode: "0644"
  register: metallb_rendering
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
@@ -47,7 +47,7 @@
      ansible.builtin.template:
        src: pools.yaml.j2
        dest: "{{ kube_config_dir }}/pools.yaml"
-        mode: 0644
+        mode: "0644"
      register: pools_rendering

    - name: MetalLB | Create address pools configuration
@@ -67,7 +67,7 @@
      ansible.builtin.template:
        src: layer2.yaml.j2
        dest: "{{ kube_config_dir }}/layer2.yaml"
-        mode: 0644
+        mode: "0644"
      register: layer2_rendering

    - name: MetalLB | Create layer2 configuration
@@ -87,7 +87,7 @@
      ansible.builtin.template:
        src: layer3.yaml.j2
        dest: "{{ kube_config_dir }}/layer3.yaml"
-        mode: 0644
+        mode: "0644"
      register: layer3_rendering

    - name: MetalLB | Create layer3 configuration
--- a/roles/kubernetes-apps/metrics_server/tasks/main.yml
+++ b/roles/kubernetes-apps/metrics_server/tasks/main.yml
@@ -19,7 +19,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -39,7 +39,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/metrics_server/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ metrics_server_templates }}"
  register: metrics_server_manifests
  when:
--- a/roles/kubernetes-apps/node_feature_discovery/tasks/main.yml
+++ b/roles/kubernetes-apps/node_feature_discovery/tasks/main.yml
@@ -5,7 +5,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

@@ -31,7 +31,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/node_feature_discovery/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ node_feature_discovery_templates }}"
  register: node_feature_discovery_manifests
  when:
--- a/roles/kubernetes-apps/persistent_volumes/aws-ebs-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/aws-ebs-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "aws-ebs-csi-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/aws-ebs-csi-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/persistent_volumes/azuredisk-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/azuredisk-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "azure-csi-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/azure-csi-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/persistent_volumes/cinder-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/cinder-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "cinder-csi-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/cinder-csi-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/persistent_volumes/gcp-pd-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/gcp-pd-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "gcp-pd-csi-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/gcp-pd-csi-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "openstack-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/openstack-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/persistent_volumes/upcloud-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/persistent_volumes/upcloud-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "upcloud-csi-storage-class.yml.j2"
    dest: "{{ kube_config_dir }}/upcloud-csi-storage-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: calico-kube-controllers, file: calico-kube-controllers.yml, type: deployment}
    - {name: calico-kube-controllers, file: calico-kube-sa.yml, type: sa}
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -31,7 +31,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"

 - name: Registry | Templates list
  set_fact:
@@ -54,7 +54,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items: "{{ registry_templates }}"
  register: registry_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
@@ -74,7 +74,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: registry-pvc, file: registry-pvc.yml, type: pvc }
  register: registry_manifests
--- a/roles/kubernetes-apps/scheduler_plugins/tasks/main.yml
+++ b/roles/kubernetes-apps/scheduler_plugins/tasks/main.yml
@@ -5,7 +5,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when: inventory_hostname == groups['kube_control_plane'][0]
  tags:
    - scheduler_plugins
@@ -14,7 +14,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/scheduler-plugins/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - { name: appgroup, file: appgroup.diktyo.x-k8s.io_appgroups.yaml, type: crd }
    - { name: networktopology, file: networktopology.diktyo.x-k8s.io_networktopologies.yaml, type: crd }
--- a/roles/kubernetes-apps/snapshots/cinder-csi/tasks/main.yml
+++ b/roles/kubernetes-apps/snapshots/cinder-csi/tasks/main.yml
@@ -3,7 +3,7 @@
  template:
    src: "cinder-csi-snapshot-class.yml.j2"
    dest: "{{ kube_config_dir }}/cinder-csi-snapshot-class.yml"
-    mode: 0644
+    mode: "0644"
  register: manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/snapshots/snapshot-controller/tasks/main.yml
+++ b/roles/kubernetes-apps/snapshots/snapshot-controller/tasks/main.yml
@@ -13,7 +13,7 @@
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0644
+    mode: "0644"
  with_items:
    - {name: snapshot-ns, file: snapshot-ns.yml, apply: not snapshot_namespace_exists}
    - {name: rbac-snapshot-controller, file: rbac-snapshot-controller.yml}
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -80,7 +80,7 @@
  copy:
    content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
    dest: "{{ artifacts_dir }}/admin.conf"
-    mode: 0600
+    mode: "0600"
  delegate_to: localhost
  connection: local
  become: no
@@ -106,7 +106,7 @@
      #!/bin/bash
      ${BASH_SOURCE%/*}/kubectl --kubeconfig=${BASH_SOURCE%/*}/admin.conf "$@"
    dest: "{{ artifacts_dir }}/kubectl.sh"
-    mode: 0755
+    mode: "0755"
  become: no
  run_once: yes
  delegate_to: localhost
--- a/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml
@@ -37,4 +37,4 @@
    dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
    owner: root
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
@@ -25,5 +25,5 @@
    path: "{{ etcd_data_dir }}"
    owner: "{{ etcd_owner }}"
    group: "{{ etcd_owner }}"
-    mode: 0700
+    mode: "0700"
  when: etcd_deployment_type == "kubeadm"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
@@ -34,7 +34,7 @@
  template:
    src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
    dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
-    mode: 0640
+    mode: "0640"
    backup: yes
  when:
    - inventory_hostname != first_kube_control_plane
@@ -77,7 +77,7 @@
    dest: "{{ kube_config_dir }}/cluster-info-discovery-kubeconfig.yaml"
    content: "{{ kubeconfig_file_discovery.stdout }}"
    owner: "root"
-    mode: 0644
+    mode: "0644"
  when:
    - inventory_hostname != first_kube_control_plane
    - kubeadm_use_file_discovery
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -51,35 +51,35 @@
  file:
    path: "{{ audit_policy_file | dirname }}"
    state: directory
-    mode: 0640
+    mode: "0640"
  when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)

 - name: Write api audit policy yaml
  template:
    src: apiserver-audit-policy.yaml.j2
    dest: "{{ audit_policy_file }}"
-    mode: 0640
+    mode: "0640"
  when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)

 - name: Write api audit webhook config yaml
  template:
    src: apiserver-audit-webhook-config.yaml.j2
    dest: "{{ audit_webhook_config_file }}"
-    mode: 0640
+    mode: "0640"
  when: kubernetes_audit_webhook | default(false)

 - name: Create apiserver tracing config directory
  file:
    path: "{{ kube_config_dir }}/tracing"
    state: directory
-    mode: 0640
+    mode: "0640"
  when: kube_apiserver_tracing

 - name: Write apiserver tracing config yaml
  template:
    src: apiserver-tracing.yaml.j2
    dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
-    mode: 0640
+    mode: "0640"
  when: kube_apiserver_tracing

 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
@@ -96,27 +96,27 @@
  template:
    src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
    dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
-    mode: 0640
+    mode: "0640"

 - name: Kubeadm | Create directory to store admission control configurations
  file:
    path: "{{ kube_config_dir }}/admission-controls"
    state: directory
-    mode: 0640
+    mode: "0640"
  when: kube_apiserver_admission_control_config_file

 - name: Kubeadm | Push admission control config file
  template:
    src: "admission-controls.yaml.j2"
    dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
-    mode: 0640
+    mode: "0640"
  when: kube_apiserver_admission_control_config_file

 - name: Kubeadm | Push admission control config files
  template:
    src: "{{ item | lower }}.yaml.j2"
    dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
-    mode: 0640
+    mode: "0640"
  when:
    - kube_apiserver_admission_control_config_file
    - item in kube_apiserver_admission_plugins_needs_configuration
@@ -126,7 +126,7 @@
  template:
    src: "podnodeselector.yaml.j2"
    dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
-    mode: 0640
+    mode: "0640"
  when:
    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
@@ -178,7 +178,7 @@
  file:
    path: "{{ kubeadm_patches.dest_dir }}"
    state: directory
-    mode: 0640
+    mode: "0640"
  when: kubeadm_patches is defined and kubeadm_patches.enabled

 - name: Kubeadm | Copy kubeadm patches from inventory files
@@ -186,7 +186,7 @@
    src: "{{ kubeadm_patches.source_dir }}/"
    dest: "{{ kubeadm_patches.dest_dir }}"
    owner: "root"
-    mode: 0644
+    mode: "0644"
  when: kubeadm_patches is defined and kubeadm_patches.enabled

 - name: Kubeadm | Initialize first master
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -8,21 +8,21 @@
  template:
    src: webhook-token-auth-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
-    mode: 0640
+    mode: "0640"
  when: kube_webhook_token_auth | default(false)

 - name: Create webhook authorization config
  template:
    src: webhook-authorization-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
-    mode: 0640
+    mode: "0640"
  when: kube_webhook_authorization | default(false)

 - name: Create kube-scheduler config
  template:
    src: kubescheduler-config.yaml.j2
    dest: "{{ kube_config_dir }}/kubescheduler-config.yaml"
-    mode: 0644
+    mode: "0644"

 - name: Apply Kubernetes encrypt at rest config
  import_tasks: encrypt-at-rest.yml
@@ -35,7 +35,7 @@
  copy:
    src: "{{ downloads.kubectl.dest }}"
    dest: "{{ bin_dir }}/kubectl"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  tags:
    - kubectl
@@ -53,7 +53,7 @@
    path: /etc/bash_completion.d/kubectl.sh
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"
  when: ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl
@@ -101,13 +101,13 @@
  template:
    src: k8s-certs-renew.sh.j2
    dest: "{{ bin_dir }}/k8s-certs-renew.sh"
-    mode: 0755
+    mode: "0755"

 - name: Renew K8S control plane certificates monthly 1/2
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: "0644"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:{{item}}'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
--- a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
+++ b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
@@ -8,7 +8,7 @@
  template:
    src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
    dest: "{{ kube_config_dir }}/kubeadm-cert-controlplane.conf"
-    mode: 0640
+    mode: "0640"
  vars:
    kubeadm_cert_controlplane: true

--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -69,7 +69,7 @@
    dest: "{{ kube_config_dir }}/cluster-info-discovery-kubeconfig.yaml"
    content: "{{ kubeconfig_file_discovery.stdout }}"
    owner: "root"
-    mode: 0644
+    mode: "0644"
  when:
    - not is_kube_master
    - not kubelet_conf.stat.exists
@@ -80,14 +80,14 @@
    src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
    dest: "{{ kube_config_dir }}/kubeadm-client.conf"
    backup: yes
-    mode: 0640
+    mode: "0640"
  when: not is_kube_master

 - name: Kubeadm | Create directory to store kubeadm patches
  file:
    path: "{{ kubeadm_patches.dest_dir }}"
    state: directory
-    mode: 0640
+    mode: "0640"
  when: kubeadm_patches is defined and kubeadm_patches.enabled

 - name: Kubeadm | Copy kubeadm patches from inventory files
@@ -95,7 +95,7 @@
    src: "{{ kubeadm_patches.source_dir }}/"
    dest: "{{ kubeadm_patches.dest_dir }}"
    owner: "root"
-    mode: 0644
+    mode: "0644"
  when: kubeadm_patches is defined and kubeadm_patches.enabled

 - name: Join to cluster if needed
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -3,7 +3,7 @@
  copy:
    src: "{{ downloads.kubeadm.dest }}"
    dest: "{{ bin_dir }}/kubeadm"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  tags:
    - kubeadm
@@ -14,7 +14,7 @@
  copy:
    src: "{{ downloads.kubelet.dest }}"
    dest: "{{ bin_dir }}/kubelet"
-    mode: 0755
+    mode: "0755"
    remote_src: true
  tags:
    - kubelet
--- a/roles/kubernetes/node/tasks/kubelet.yml
+++ b/roles/kubernetes/node/tasks/kubelet.yml
@@ -12,7 +12,7 @@
    dest: "{{ kube_config_dir }}/kubelet.env"
    setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('etc_t', omit) }}"
    backup: yes
-    mode: 0600
+    mode: "0600"
  notify: Node | restart kubelet
  tags:
    - kubelet
@@ -22,7 +22,7 @@
  template:
    src: "kubelet-config.{{ kubeletConfig_api_version }}.yaml.j2"
    dest: "{{ kube_config_dir }}/kubelet-config.yaml"
-    mode: 0600
+    mode: "0600"
  notify: Kubelet | restart kubelet
  tags:
    - kubelet
@@ -33,7 +33,7 @@
    src: "kubelet.service.j2"
    dest: "/etc/systemd/system/kubelet.service"
    backup: "yes"
-    mode: 0600
+    mode: "0600"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:kubelet.service'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
--- a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
@@ -8,7 +8,7 @@
  file:
    path: "{{ haproxy_config_dir }}"
    state: directory
-    mode: 0755
+    mode: "0755"
    owner: root

 - name: Haproxy | Write haproxy configuration
@@ -16,7 +16,7 @@
    src: "loadbalancer/haproxy.cfg.j2"
    dest: "{{ haproxy_config_dir }}/haproxy.cfg"
    owner: root
-    mode: 0755
+    mode: "0755"
    backup: yes

 - name: Haproxy | Get checksum from config
@@ -31,4 +31,4 @@
  template:
    src: manifests/haproxy.manifest.j2
    dest: "{{ kube_manifest_dir }}/haproxy.yml"
-    mode: 0640
+    mode: "0640"
--- a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
@@ -10,4 +10,4 @@
  template:
    src: manifests/kube-vip.manifest.j2
    dest: "{{ kube_manifest_dir }}/kube-vip.yml"
-    mode: 0640
+    mode: "0640"
--- a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
@@ -8,7 +8,7 @@
  file:
    path: "{{ nginx_config_dir }}"
    state: directory
-    mode: 0700
+    mode: "0700"
    owner: root

 - name: Nginx-proxy | Write nginx-proxy configuration
@@ -16,7 +16,7 @@
    src: "loadbalancer/nginx.conf.j2"
    dest: "{{ nginx_config_dir }}/nginx.conf"
    owner: root
-    mode: 0755
+    mode: "0755"
    backup: yes

 - name: Nginx-proxy | Get checksum from config
@@ -31,4 +31,4 @@
  template:
    src: manifests/nginx-proxy.manifest.j2
    dest: "{{ kube_manifest_dir }}/nginx-proxy.yml"
-    mode: 0640
+    mode: "0640"
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -14,7 +14,7 @@
  file:
    path: /var/lib/cni
    state: directory
-    mode: 0755
+    mode: "0755"

 - name: Install kubelet binary
  import_tasks: install.yml
@@ -74,7 +74,7 @@
  file:
    path: "{{ item }}"
    state: directory
-    mode: 0755
+    mode: "0755"
  loop:
    - /etc/modules-load.d
    - /etc/modprobe.d
@@ -89,7 +89,7 @@
  copy:
    dest: /etc/modules-load.d/kubespray-br_netfilter.conf
    content: br_netfilter
-    mode: 0644
+    mode: "0644"
  when: modinfo_br_netfilter.rc == 0

 # kube-proxy needs net.bridge.bridge-nf-call-iptables enabled when found if br_netfilter is not a module
@@ -162,7 +162,7 @@
    content: "{{ openstack_cacert | b64decode if openstack_cacert_is_base64 else omit }}"
    dest: "{{ kube_config_dir }}/openstack-cacert.pem"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  when:
    - cloud_provider is defined
    - cloud_provider == 'openstack'
@@ -176,7 +176,7 @@
    src: "cloud-configs/{{ cloud_provider }}-cloud-config.j2"
    dest: "{{ kube_config_dir }}/cloud_config"
    group: "{{ kube_cert_group }}"
-    mode: 0640
+    mode: "0640"
  when:
    - cloud_provider is defined
    - cloud_provider in [ 'openstack', 'azure', 'vsphere', 'aws', 'gce' ]
--- a/Show More
+++ b/Show More