docs(cilium): update documentation for unprivileged agent configuration (#12628)

Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>

.github/workflows/auto-label-os.yml

@@ -13,10 +13,10 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
+        uses: stefanbuck/github-issue-parser@25f1485edffc1fee3ea68eb9f59a72e58720ffc4
         id: issue-parser
         with:
           template-path: .github/ISSUE_TEMPLATE/bug-report.yaml

.github/workflows/upgrade-patch-versions.yml

@@ -11,7 +11,7 @@ jobs:
   update-patch-versions:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         ref: ${{ inputs.branch }}
     - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
           ~/.cache/pre-commit
     - run: pre-commit run --all-files propagate-ansible-variables
       continue-on-error: true
-    - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
+    - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
       with:
         commit-message: Patch versions updates
         title: Patch versions updates - ${{ inputs.branch }}

.gitlab-ci/terraform.yml

@@ -116,5 +116,5 @@ tf-elastx_ubuntu20-calico:
     TF_VAR_az_list_node: '["sto1"]'
     TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-20.04-server-latest
+    TF_VAR_image: ubuntu-24.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

docs/CNI/cilium.md

@@ -1,5 +1,13 @@
 # Cilium
 
+## Unprivileged agent configuration
+
+By default, Cilium is installed with `securityContext.privileged: false`. You need to set the `kube_owner` variable to `root` in the inventory:
+
+```yml
+kube_owner: root
+```
+
 ## IP Address Management (IPAM)
 
 IP Address Management (IPAM) is responsible for the allocation and management of IP addresses used by network endpoints (container and others) managed by Cilium. The default mode is "Cluster Scope".

docs/ansible/ansible.md

@@ -45,10 +45,7 @@ Kubespray expects users to use one of the following variables sources for settin
 |  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |
 
-[!IMPORTANT]
+> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.
-Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
-Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
-interface. Thus they can change, disappear, or break stuff unexpectedly.
 
 ## Ansible tags
 

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -22,7 +22,8 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
 
-# This is the user that owns tha cluster installation.
+# This is the user that owns the cluster installation.
+# Note: cilium needs to set kube_owner to root https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration
 kube_owner: kube
 
 # This is the group that the cert creation scripts chgrp the

roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml

@@ -11,24 +11,23 @@
   tags:
     - facts
 
-- name: Upload certificates so they are fresh and not expired
+- name: Obtain kubeadm certificate key for joining control planes nodes
-  command: >-
-    {{ bin_dir }}/kubeadm init phase
-    --config {{ kube_config_dir }}/kubeadm-config.yaml
-    upload-certs
-    --upload-certs
-  register: kubeadm_upload_cert
   when:
-    - inventory_hostname == first_kube_control_plane
     - not kube_external_ca_mode
-
-- name: Parse certificate key if not set
-  set_fact:
-    kubeadm_certificate_key: "{{ hostvars[first_kube_control_plane]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
   run_once: true
-  when:
+  block:
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is defined
+    - name: Upload certificates so they are fresh and not expired
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is not skipped
+      command: >-
+        {{ bin_dir }}/kubeadm init phase
+        --config {{ kube_config_dir }}/kubeadm-config.yaml
+        upload-certs
+        --upload-certs
+      register: kubeadm_upload_cert
+      delegate_to: "{{ first_kube_control_plane }}"
+
+    - name: Parse certificate key if not set
+      set_fact:
+        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
 
 - name: Wait for k8s apiserver
   wait_for:

roles/network_plugin/calico/tasks/check.yml

@@ -61,6 +61,7 @@
         executable: /bin/bash
       register: calico_version_on_server
       changed_when: false
+      check_mode: false
 
     - name: Assert that current calico version is enough for upgrade
       assert:

roles/network_plugin/cilium/defaults/main.yml

@@ -1,8 +1,6 @@
 ---
 cilium_min_version_required: "1.15"
 
-# remove migrate after 2.29 released
-cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false
 

roles/network_plugin/cilium/tasks/main.yml

@@ -5,10 +5,5 @@
 - name: Cilium install
   include_tasks: install.yml
 
-# Remove after 2.29 released
-- name: Cilium remove old resources
-  when: cilium_remove_old_resources
-  include_tasks: remove_old_resources.yml
-
 - name: Cilium apply
   include_tasks: apply.yml

roles/network_plugin/cilium/tasks/remove_old_resources.yml

@@ -1,45 +0,0 @@
----
-# Remove after 2.29 released
-- name: Cilium | Delete Old Resource
-  command: |
-    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
-    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
-  loop:
-    - { kind: ServiceAccount, name: cilium }
-    - { kind: ServiceAccount, name: cilium-operator }
-    - { kind: ServiceAccount, name: hubble-generate-certs }
-    - { kind: ServiceAccount, name: hubble-relay }
-    - { kind: ServiceAccount, name: hubble-ui }
-    - { kind: Service, name: hubble-metrics }
-    - { kind: Service, name: hubble-relay-metrics }
-    - { kind: Service, name: hubble-relay }
-    - { kind: Service, name: hubble-ui }
-    - { kind: Service, name: hubble-peer }
-    - { kind: Deployment, name: cilium-operator }
-    - { kind: Deployment, name: hubble-relay }
-    - { kind: Deployment, name: hubble-ui }
-    - { kind: DaemonSet, name: cilium }
-    - { kind: CronJob, name: hubble-generate-certs }
-    - { kind: Job, name: hubble-generate-certs }
-    - { kind: ConfigMap, name: cilium-config }
-    - { kind: ConfigMap, name: ip-masq-agent }
-    - { kind: ConfigMap, name: hubble-relay-config }
-    - { kind: ConfigMap, name: hubble-ui-nginx }
-    - { kind: ClusterRole, name: cilium }
-    - { kind: ClusterRole, name: cilium-operator }
-    - { kind: ClusterRole, name: hubble-generate-certs }
-    - { kind: ClusterRole, name: hubble-relay }
-    - { kind: ClusterRole, name: hubble-ui }
-    - { kind: ClusterRoleBinding, name: cilium }
-    - { kind: ClusterRoleBinding, name: cilium-operator }
-    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
-    - { kind: ClusterRoleBinding, name: hubble-relay }
-    - { kind: ClusterRoleBinding, name: hubble-ui }
-    - { kind: Secret, name: hubble-ca-secret }
-    - { kind: Secret, name: hubble-relay-client-certs }
-    - { kind: Secret, name: hubble-server-certs }
-  register: patch_result
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  failed_when:
-    - patch_result.rc != 0
-    - "'not found' not in patch_result.stderr"