fix: provide an option to ignore sysctl errors about unknown keys (#12514)

* fix: provide an option to ignore sysctl errors about unknown keys * fix: rename sysctl_ignoreerrors and remove useless var definitions
2025-12-13 21:34:40 +03:00 · 2025-09-01 16:07:14 +02:00
parent eb26449e80
commit fe7592dd0c
6 changed files with 15 additions and 0 deletions
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -115,6 +115,9 @@ no_proxy_exclude_workers: false
 # sysctl_file_path to add sysctl conf to
 # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"

+# ignore sysctl errors about unknown keys
+# sysctl_ignore_unknown_keys: false
+
 ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -50,6 +50,7 @@
    sysctl_file: "{{ sysctl_file_path }}"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  when: kube_apiserver_node_port_range is defined
  tags:
    - kube-proxy
@@ -100,6 +101,7 @@
    sysctl_file: "{{ sysctl_file_path }}"
    value: "1"
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  when: sysctl_bridge_nf_call_iptables.rc == 0
  with_items:
    - net.bridge.bridge-nf-call-iptables
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -28,6 +28,7 @@ kubelet_flexvolumes_plugins_dir: /usr/libexec/kubernetes/kubelet-plugins/volume/
 # for hostnet pods and infra needs
 resolveconf_cloud_init_conf: /etc/resolveconf_cloud_init.conf

+# sysctl_file_path to add sysctl conf to
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"

 # Minimal memory requirement in MB for safety checks
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -76,6 +76,7 @@
    value: "1"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  when: ipv4_stack | bool

 - name: Enable ipv6 forwarding
@@ -85,6 +86,7 @@
    value: "1"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  when: ipv6_stack | bool

 - name: Check if we need to set fs.may_detach_mounts
@@ -103,6 +105,7 @@
    value: 1
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  when: fs_may_detach_mounts.stat.exists | d(false)

 - name: Ensure kubelet expected parameters are set
@@ -112,6 +115,7 @@
    value: "{{ item.value }}"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  with_items:
    - { name: kernel.keys.root_maxbytes, value: 25000000 }
    - { name: kernel.keys.root_maxkeys, value: 1000000 }
@@ -135,6 +139,7 @@
    value: "{{ item.value }}"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
  with_items: "{{ additional_sysctl }}"

 - name: Disable fapolicyd service
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -774,6 +774,9 @@ proxy_disable_env:
 # sysctl_file_path to add sysctl conf to
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"

+# ignore sysctl errors about unknown keys
+sysctl_ignore_unknown_keys: false
+
 system_upgrade: false
 system_upgrade_reboot: on-upgrade  # never, always

--- a/roles/network_plugin/macvlan/tasks/main.yml
+++ b/roles/network_plugin/macvlan/tasks/main.yml
@@ -108,3 +108,4 @@
    sysctl_file: "{{ sysctl_file_path }}"
    state: present
    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"