Patch versions updates

2026-03-25 19:18:29 +03:00 · 2025-11-28 02:50:20 +00:00
236 changed files with 4916 additions and 1656 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,4 +1,5 @@
 ---
 parseable: true
 skip_list:
  # see https://docs.ansible.com/ansible-lint/rules/default_rules.html for a list of all default rules
@@ -33,8 +34,6 @@ skip_list:
  # Disable run-once check with free strategy
  # (Disabled in June 2023 after ansible upgrade; FIXME)
  - 'run-once[task]'
  - 'jinja[spacing]'
 exclude_paths:
  # Generated files
  - tests/files/custom_cni/cilium.yaml
--- a/.github/workflows/auto-label-os.yml
+++ b/.github/workflows/auto-label-os.yml
@@ -13,16 +13,16 @@ jobs:
      issues: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
      - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@10dcc54158ba4c137713d9d69d70a2da63b6bda3
+        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
        id: issue-parser
        with:
          template-path: .github/ISSUE_TEMPLATE/bug-report.yaml
      - name: Set labels based on OS field
-        uses: redhat-plumbers-in-action/advanced-issue-labeler@b80ae64e3e156e9c111b075bfa04b295d54e8e2e
+        uses: redhat-plumbers-in-action/advanced-issue-labeler@e38e6809c5420d038eed380d49ee9a6ca7c92dbf
        with:
          issue-form: ${{ steps.issue-parser.outputs.jsonString }}
          section: os
--- a/.github/workflows/upgrade-patch-versions-schedule.yml
+++ b/.github/workflows/upgrade-patch-versions-schedule.yml
@@ -13,14 +13,14 @@ jobs:
    outputs:
      branches: ${{ steps.get-branches.outputs.data }}
    steps:
-    - uses: octokit/graphql-action@ddde8ebb2493e79f390e6449c725c21663a67505
+    - uses: octokit/graphql-action@abaeca7ba4f0325d63b8de7ef943c2418d161b93
      id: get-branches
      with:
        query: |
          query get_release_branches($owner:String!, $name:String!) {
            repository(owner:$owner, name:$name) {
              refs(refPrefix: "refs/heads/",
-                   first: 3,
+                   first: 1, # TODO increment once we have release branch with the new checksums format
                   query: "release-",
                   orderBy: {
                     field: ALPHABETICAL,
--- a/.github/workflows/upgrade-patch-versions.yml
+++ b/.github/workflows/upgrade-patch-versions.yml
@@ -11,7 +11,7 @@ jobs:
  update-patch-versions:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
      with:
        ref: ${{ inputs.branch }}
    - uses: actions/setup-python@v6
@@ -22,14 +22,14 @@ jobs:
    - run: update-hashes
      env:
        API_KEY: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/cache@v5
+    - uses: actions/cache@v4
      with:
        key: pre-commit-hook-propagate
        path: |
          ~/.cache/pre-commit
    - run: pre-commit run --all-files propagate-ansible-variables
      continue-on-error: true
-    - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+    - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
      with:
        commit-message: Patch versions updates
        title: Patch versions updates - ${{ inputs.branch }}
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -41,33 +41,19 @@ pr:
          - debian12-cilium
          - debian13-cilium
          - fedora39-kube-router
-          - fedora41-kube-router
+          - openeuler24-calico
          - fedora42-calico
          - rockylinux9-cilium
          - rockylinux10-cilium
          - ubuntu22-calico-all-in-one
          - ubuntu22-calico-all-in-one-upgrade
          - ubuntu24-calico-etcd-datastore
          - ubuntu24-calico-all-in-one-hardening
          - ubuntu24-cilium-sep
          - ubuntu24-crio-scale
          - ubuntu24-crio-upgrade
          - ubuntu24-flannel-collection
          - ubuntu24-kube-router-sep
          - ubuntu24-kube-router-svc-proxy
          - ubuntu24-ha-separate-etcd
          - flatcar4081-calico
          - fedora40-flannel-crio-collection-scale
          - openeuler24-calico
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
 pr-flakey:
  extends: pr
  retry: 1
  parallel:
    matrix:
      - TESTCASE:
          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
@@ -104,8 +90,6 @@ pr_full:
          - debian12-custom-cni-helm
          - fedora39-calico-swap-selinux
          - fedora39-crio
          - fedora41-calico-swap-selinux
          - fedora41-crio
          - ubuntu24-calico-ha-wireguard
          - ubuntu24-flannel-ha
          - ubuntu24-flannel-ha-once
@@ -143,7 +127,6 @@ pr_extended:
          - debian12-docker
          - debian13-calico
          - rockylinux9-calico
          - rockylinux10-calico
          - ubuntu22-all-in-one-docker
          - ubuntu24-all-in-one-docker
          - ubuntu24-calico-all-in-one
@@ -165,7 +148,6 @@ periodic:
          - debian12-cilium-svc-proxy
          - fedora39-calico-selinux
          - fedora40-docker-calico
          - fedora41-calico-selinux
          - ubuntu24-calico-etcd-kubeadm-upgrade-ha
          - ubuntu24-calico-ha-recover
          - ubuntu24-calico-ha-recover-noquorum
--- a/.gitlab-ci/terraform.yml
+++ b/.gitlab-ci/terraform.yml
@@ -37,6 +37,7 @@ terraform_validate:
          - hetzner
          - vsphere
          - upcloud
          - nifcloud
 .terraform_apply:
  extends: .terraform_install
@@ -88,10 +89,11 @@ tf-elastx_cleanup:
    - ./scripts/openstack-cleanup/main.py
  allow_failure: true
-tf-elastx_ubuntu24-calico:
+tf-elastx_ubuntu20-calico:
  extends: .terraform_apply
  stage: deploy-part1
  when: on_success
  allow_failure: true
  variables:
    <<: *elastx_variables
    PROVIDER: openstack
@@ -114,6 +116,5 @@ tf-elastx_ubuntu24-calico:
    TF_VAR_az_list_node: '["sto1"]'
    TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-24.04-server-latest
+    TF_VAR_image: ubuntu-20.04-server-latest
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
    TESTCASE: $CI_JOB_NAME
--- a/.gitlab-ci/vagrant.yml
+++ b/.gitlab-ci/vagrant.yml
@@ -36,7 +36,7 @@ vagrant:
    policy: pull-push # TODO: change to "pull" when not on main
  stage: deploy-extended
  rules:
-    - if: $PR_LABELS =~ /.*ci-full.*/
+    - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
      when: on_success
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
      when: on_success
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,6 +12,7 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
 ansible-galaxy install -r tests/requirements.yml
 ```
 #### Linting
--- a/10
+++ b/10
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
-# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
+FROM ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
@@ -29,14 +29,14 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
    --mount=type=cache,sharing=locked,id=pipcache,mode=0777,target=/root/.cache/pip \
-    pip install --break-system-packages --no-compile --no-cache-dir -r requirements.txt \
+    pip install --no-compile --no-cache-dir -r requirements.txt \
    && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && curl -L "https://dl.k8s.io/release/v1.34.2/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.2/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl
 COPY *.yml ./
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Ensure you have installed Docker then
 ```ShellSession
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.30.0 bash
+  quay.io/kubespray/kubespray:v2.29.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -89,13 +89,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
- **CentOS Stream / RHEL** 9, 10
+- **CentOS/RHEL** [8, 9](docs/operating_systems/rhel.md#rhel-8)
- **Fedora** 39, 40, 41, 42
+- **Fedora** 39, 40
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** 9, 10
+- **Oracle Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
- **Alma Linux** 9, 10
+- **Alma Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
- **Rocky Linux** 9, 10 (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Rocky Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,23 +111,24 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.1
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.2
-  - [etcd](https://github.com/etcd-io/etcd) 3.6.8
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.25
  - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.2.1
+  - [containerd](https://containerd.io/) 2.1.5
-  - [cri-o](http://cri-o.io/) 1.35.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.34.2 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.6
+  - [calico](https://github.com/projectcalico/calico) 3.30.5
-  - [cilium](https://github.com/cilium/cilium) 1.19.1
+  - [cilium](https://github.com/cilium/cilium) 1.18.4
  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
  - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
  - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
  - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) 4.2.2
-  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
+  - [kube-vip](https://github.com/kube-vip/kube-vip) 0.8.0
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.4
+  - [coredns](https://github.com/coredns/coredns) 1.12.1
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -201,6 +202,8 @@ See also [Network checker](docs/advanced/netcheck.md).
 ## Ingress Plugins
 - [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
 ## Community docs and resources
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -15,7 +15,7 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
 1. The release issue is closed
 1. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 1. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
-1. Create/Update Issue for upgrading kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
+1. Create/Update Issue for upgradeing kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
 ## Major/minor releases and milestones
--- a/3
+++ b/3
@@ -35,9 +35,6 @@ SUPPORTED_OS = {
  "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
  "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
  "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
--- a/contrib/offline/manage-offline-container-images.sh
+++ b/contrib/offline/manage-offline-container-images.sh
@@ -20,6 +20,7 @@ function create_container_image_tar() {
 		kubectl describe cronjobs,jobs,pods --all-namespaces | grep " Image:" | awk '{print $2}' | sort | uniq > "${IMAGES}"
 		# NOTE: etcd and pause cannot be seen as pods.
 		# The pause image is used for --pod-infra-container-image option of kubelet.
 		kubectl cluster-info dump | grep -E "quay.io/coreos/etcd:|registry.k8s.io/pause:" | sed s@\"@@g >> "${IMAGES}"
 	else
 		echo "Getting images from file \"${IMAGES_FROM_FILE}\""
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.
 ```bash
-ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 ```
 ## Variables
--- a/contrib/terraform/nifcloud/.gitignore
+++ b/contrib/terraform/nifcloud/.gitignore
@@ -0,0 +1,5 @@
 *.tfstate*
 .terraform.lock.hcl
 .terraform
 sample-inventory/inventory.ini
--- a/contrib/terraform/nifcloud/README.md
+++ b/contrib/terraform/nifcloud/README.md
@@ -0,0 +1,138 @@
 # Kubernetes on NIFCLOUD with Terraform
 Provision a Kubernetes cluster on [NIFCLOUD](https://pfs.nifcloud.com/) using Terraform and Kubespray
 ## Overview
 The setup looks like following
 ```text
                              Kubernetes cluster
                        +----------------------------+
 +---------------+       |   +--------------------+   |
 |               |       |   | +--------------------+ |
 | API server LB +---------> | |                    | |
 |               |       |   | | Control Plane/etcd | |
 +---------------+       |   | | node(s)            | |
                        |   +-+                    | |
                        |     +--------------------+ |
                        |           ^                |
                        |           |                |
                        |           v                |
                        |   +--------------------+   |
                        |   | +--------------------+ |
                        |   | |                    | |
                        |   | |        Worker      | |
                        |   | |        node(s)     | |
                        |   +-+                    | |
                        |     +--------------------+ |
                        +----------------------------+
 ```
 ## Requirements
 * Terraform 1.3.7
 ## Quickstart
 ### Export Variables
 * Your NIFCLOUD credentials:
  ```bash
  export NIFCLOUD_ACCESS_KEY_ID=<YOUR ACCESS KEY>
  export NIFCLOUD_SECRET_ACCESS_KEY=<YOUR SECRET ACCESS KEY>
  ```
 * The SSH KEY used to connect to the instance:
  * FYI: [Cloud Help(SSH Key)](https://pfs.nifcloud.com/help/ssh.htm)
  ```bash
  export TF_VAR_SSHKEY_NAME=<YOUR SSHKEY NAME>
  ```
 * The IP address to connect to bastion server:
  ```bash
  export TF_VAR_working_instance_ip=$(curl ifconfig.me)
  ```
 ### Create The Infrastructure
 * Run terraform:
  ```bash
  terraform init
  terraform apply -var-file ./sample-inventory/cluster.tfvars
  ```
 ### Setup The Kubernetes
 * Generate cluster configuration file:
  ```bash
  ./generate-inventory.sh > sample-inventory/inventory.ini
  ```
 * Export Variables:
  ```bash
  BASTION_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.bastion_info | to_entries[].value.public_ip')
  API_LB_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_lb')
  CP01_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[0].value.private_ip')
  export ANSIBLE_SSH_ARGS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand=\"ssh root@${BASTION_IP} -W %h:%p\""
  ```
 * Set ssh-agent"
  ```bash
  eval `ssh-agent`
  ssh-add <THE PATH TO YOUR SSH KEY>
  ```
 * Run cluster.yml playbook:
  ```bash
  cd ./../../../
  ansible-playbook -i contrib/terraform/nifcloud/inventory/inventory.ini cluster.yml
  ```
 ### Connecting to Kubernetes
 * [Install kubectl](https://kubernetes.io/docs/tasks/tools/) on the localhost
 * Fetching kubeconfig file:
  ```bash
  mkdir -p ~/.kube
  scp -o ProxyCommand="ssh root@${BASTION_IP} -W %h:%p" root@${CP01_IP}:/etc/kubernetes/admin.conf ~/.kube/config
  ```
 * Rewrite /etc/hosts
  ```bash
  sudo echo "${API_LB_IP} lb-apiserver.kubernetes.local" >> /etc/hosts
  ```
 * Run kubectl
  ```bash
  kubectl get node
  ```
 ## Variables
 * `region`: Region where to run the cluster
 * `az`: Availability zone where to run the cluster
 * `private_ip_bn`: Private ip address of bastion server
 * `private_network_cidr`:  Subnet of private network
 * `instances_cp`: Machine to provision as Control Plane. Key of this object will be used as part of the machine' name
  * `private_ip`: private ip address of machine
 * `instances_wk`: Machine to provision as Worker Node. Key of this object will be used as part of the machine' name
  * `private_ip`: private ip address of machine
 * `instance_key_name`: The key name of the Key Pair to use for the instance
 * `instance_type_bn`: The instance type of bastion server
 * `instance_type_wk`: The instance type of worker node
 * `instance_type_cp`: The instance type of control plane
 * `image_name`: OS image used for the instance
 * `working_instance_ip`: The IP address to connect to bastion server
 * `accounting_type`: Accounting type. (1: monthly, 2: pay per use)
--- a/contrib/terraform/nifcloud/generate-inventory.sh
+++ b/contrib/terraform/nifcloud/generate-inventory.sh
@@ -0,0 +1,64 @@
 #!/bin/bash
 #
 # Generates a inventory file based on the terraform output.
 # After provisioning a cluster, simply run this command and supply the terraform state file
 # Default state file is terraform.tfstate
 #
 set -e
 TF_OUT=$(terraform output -json)
 CONTROL_PLANES=$(jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[]'  <(echo "${TF_OUT}"))
 WORKERS=$(jq -r '.kubernetes_cluster.value.worker_info | to_entries[]'  <(echo "${TF_OUT}"))
 mapfile -t CONTROL_PLANE_NAMES < <(jq -r '.key'  <(echo "${CONTROL_PLANES}"))
 mapfile -t WORKER_NAMES < <(jq -r '.key'  <(echo "${WORKERS}"))
 API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb' <(echo "${TF_OUT}"))
 echo "[all]"
 # Generate control plane hosts
 i=1
 for name in "${CONTROL_PLANE_NAMES[@]}"; do
  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${CONTROL_PLANES}"))
  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip} etcd_member_name=etcd${i}"
  i=$(( i + 1 ))
 done
 # Generate worker hosts
 for name in "${WORKER_NAMES[@]}"; do
  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${WORKERS}"))
  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip}"
 done
 API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb'  <(echo "${TF_OUT}"))
 echo ""
 echo "[all:vars]"
 echo "upstream_dns_servers=['8.8.8.8','8.8.4.4']"
 echo "loadbalancer_apiserver={'address':'${API_LB}','port':'6443'}"
 echo ""
 echo "[kube_control_plane]"
 for name in "${CONTROL_PLANE_NAMES[@]}"; do
  echo "${name}"
 done
 echo ""
 echo "[etcd]"
 for name in "${CONTROL_PLANE_NAMES[@]}"; do
  echo "${name}"
 done
 echo ""
 echo "[kube_node]"
 for name in "${WORKER_NAMES[@]}"; do
  echo "${name}"
 done
 echo ""
 echo "[k8s_cluster:children]"
 echo "kube_control_plane"
 echo "kube_node"
--- a/contrib/terraform/nifcloud/main.tf
+++ b/contrib/terraform/nifcloud/main.tf
@@ -0,0 +1,36 @@
 provider "nifcloud" {
  region = var.region
 }
 module "kubernetes_cluster" {
  source = "./modules/kubernetes-cluster"
  availability_zone = var.az
  prefix            = "dev"
  private_network_cidr = var.private_network_cidr
  instance_key_name = var.instance_key_name
  instances_cp      = var.instances_cp
  instances_wk      = var.instances_wk
  image_name        = var.image_name
  instance_type_bn = var.instance_type_bn
  instance_type_cp = var.instance_type_cp
  instance_type_wk = var.instance_type_wk
  private_ip_bn = var.private_ip_bn
  additional_lb_filter = [var.working_instance_ip]
 }
 resource "nifcloud_security_group_rule" "ssh_from_bastion" {
  security_group_names = [
    module.kubernetes_cluster.security_group_name.bastion
  ]
  type      = "IN"
  from_port = 22
  to_port   = 22
  protocol  = "TCP"
  cidr_ip   = var.working_instance_ip
 }
--- a/contrib/terraform/nifcloud/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/nifcloud/modules/kubernetes-cluster/main.tf
@@ -0,0 +1,301 @@
 #################################################
 ##
 ## Local variables
 ##
 locals {
  # e.g. east-11 is 11
  az_num = reverse(split("-", var.availability_zone))[0]
  # e.g. east-11 is e11
  az_short_name = "${substr(reverse(split("-", var.availability_zone))[1], 0, 1)}${local.az_num}"
  # Port used by the protocol
  port_ssh     = 22
  port_kubectl = 6443
  port_kubelet = 10250
  # calico: https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements#network-requirements
  port_bgp   = 179
  port_vxlan = 4789
  port_etcd  = 2379
 }
 #################################################
 ##
 ## General
 ##
 # data
 data "nifcloud_image" "this" {
  image_name = var.image_name
 }
 # private lan
 resource "nifcloud_private_lan" "this" {
  private_lan_name  = "${var.prefix}lan"
  availability_zone = var.availability_zone
  cidr_block        = var.private_network_cidr
  accounting_type   = var.accounting_type
 }
 #################################################
 ##
 ## Bastion
 ##
 resource "nifcloud_security_group" "bn" {
  group_name        = "${var.prefix}bn"
  description       = "${var.prefix} bastion"
  availability_zone = var.availability_zone
 }
 resource "nifcloud_instance" "bn" {
  instance_id    = "${local.az_short_name}${var.prefix}bn01"
  security_group = nifcloud_security_group.bn.group_name
  instance_type  = var.instance_type_bn
  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
    private_ip_address = var.private_ip_bn
    ssh_port           = local.port_ssh
    hostname           = "${local.az_short_name}${var.prefix}bn01"
  })
  availability_zone = var.availability_zone
  accounting_type   = var.accounting_type
  image_id          = data.nifcloud_image.this.image_id
  key_name          = var.instance_key_name
  network_interface {
    network_id = "net-COMMON_GLOBAL"
  }
  network_interface {
    network_id = nifcloud_private_lan.this.network_id
    ip_address = "static"
  }
  # The image_id changes when the OS image type is demoted from standard to public.
  lifecycle {
    ignore_changes = [
      image_id,
      user_data,
    ]
  }
 }
 #################################################
 ##
 ## Control Plane
 ##
 resource "nifcloud_security_group" "cp" {
  group_name        = "${var.prefix}cp"
  description       = "${var.prefix} control plane"
  availability_zone = var.availability_zone
 }
 resource "nifcloud_instance" "cp" {
  for_each = var.instances_cp
  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
  security_group = nifcloud_security_group.cp.group_name
  instance_type  = var.instance_type_cp
  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
    private_ip_address = each.value.private_ip
    ssh_port           = local.port_ssh
    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
  })
  availability_zone = var.availability_zone
  accounting_type   = var.accounting_type
  image_id          = data.nifcloud_image.this.image_id
  key_name          = var.instance_key_name
  network_interface {
    network_id = "net-COMMON_GLOBAL"
  }
  network_interface {
    network_id = nifcloud_private_lan.this.network_id
    ip_address = "static"
  }
  # The image_id changes when the OS image type is demoted from standard to public.
  lifecycle {
    ignore_changes = [
      image_id,
      user_data,
    ]
  }
 }
 resource "nifcloud_load_balancer" "this" {
  load_balancer_name = "${local.az_short_name}${var.prefix}cp"
  accounting_type    = var.accounting_type
  balancing_type     = 1 // Round-Robin
  load_balancer_port = local.port_kubectl
  instance_port      = local.port_kubectl
  instances          = [for v in nifcloud_instance.cp : v.instance_id]
  filter = concat(
    [for k, v in nifcloud_instance.cp : v.public_ip],
    [for k, v in nifcloud_instance.wk : v.public_ip],
    var.additional_lb_filter,
  )
  filter_type = 1 // Allow
 }
 #################################################
 ##
 ## Worker
 ##
 resource "nifcloud_security_group" "wk" {
  group_name        = "${var.prefix}wk"
  description       = "${var.prefix} worker"
  availability_zone = var.availability_zone
 }
 resource "nifcloud_instance" "wk" {
  for_each = var.instances_wk
  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
  security_group = nifcloud_security_group.wk.group_name
  instance_type  = var.instance_type_wk
  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
    private_ip_address = each.value.private_ip
    ssh_port           = local.port_ssh
    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
  })
  availability_zone = var.availability_zone
  accounting_type   = var.accounting_type
  image_id          = data.nifcloud_image.this.image_id
  key_name          = var.instance_key_name
  network_interface {
    network_id = "net-COMMON_GLOBAL"
  }
  network_interface {
    network_id = nifcloud_private_lan.this.network_id
    ip_address = "static"
  }
  # The image_id changes when the OS image type is demoted from standard to public.
  lifecycle {
    ignore_changes = [
      image_id,
      user_data,
    ]
  }
 }
 #################################################
 ##
 ## Security Group Rule: Kubernetes
 ##
 # ssh
 resource "nifcloud_security_group_rule" "ssh_from_bastion" {
  security_group_names = [
    nifcloud_security_group.wk.group_name,
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_ssh
  to_port                    = local.port_ssh
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.bn.group_name
 }
 # kubectl
 resource "nifcloud_security_group_rule" "kubectl_from_worker" {
  security_group_names = [
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_kubectl
  to_port                    = local.port_kubectl
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.wk.group_name
 }
 # kubelet
 resource "nifcloud_security_group_rule" "kubelet_from_worker" {
  security_group_names = [
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_kubelet
  to_port                    = local.port_kubelet
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.wk.group_name
 }
 resource "nifcloud_security_group_rule" "kubelet_from_control_plane" {
  security_group_names = [
    nifcloud_security_group.wk.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_kubelet
  to_port                    = local.port_kubelet
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.cp.group_name
 }
 #################################################
 ##
 ## Security Group Rule: calico
 ##
 # vslan
 resource "nifcloud_security_group_rule" "vxlan_from_control_plane" {
  security_group_names = [
    nifcloud_security_group.wk.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_vxlan
  to_port                    = local.port_vxlan
  protocol                   = "UDP"
  source_security_group_name = nifcloud_security_group.cp.group_name
 }
 resource "nifcloud_security_group_rule" "vxlan_from_worker" {
  security_group_names = [
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_vxlan
  to_port                    = local.port_vxlan
  protocol                   = "UDP"
  source_security_group_name = nifcloud_security_group.wk.group_name
 }
 # bgp
 resource "nifcloud_security_group_rule" "bgp_from_control_plane" {
  security_group_names = [
    nifcloud_security_group.wk.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_bgp
  to_port                    = local.port_bgp
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.cp.group_name
 }
 resource "nifcloud_security_group_rule" "bgp_from_worker" {
  security_group_names = [
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_bgp
  to_port                    = local.port_bgp
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.wk.group_name
 }
 # etcd
 resource "nifcloud_security_group_rule" "etcd_from_worker" {
  security_group_names = [
    nifcloud_security_group.cp.group_name,
  ]
  type                       = "IN"
  from_port                  = local.port_etcd
  to_port                    = local.port_etcd
  protocol                   = "TCP"
  source_security_group_name = nifcloud_security_group.wk.group_name
 }
--- a/contrib/terraform/nifcloud/modules/kubernetes-cluster/outputs.tf
+++ b/contrib/terraform/nifcloud/modules/kubernetes-cluster/outputs.tf
@@ -0,0 +1,48 @@
 output "control_plane_lb" {
  description = "The DNS name of LB for control plane"
  value       = nifcloud_load_balancer.this.dns_name
 }
 output "security_group_name" {
  description = "The security group used in the cluster"
  value = {
    bastion       = nifcloud_security_group.bn.group_name,
    control_plane = nifcloud_security_group.cp.group_name,
    worker        = nifcloud_security_group.wk.group_name,
  }
 }
 output "private_network_id" {
  description = "The private network used in the cluster"
  value       = nifcloud_private_lan.this.id
 }
 output "bastion_info" {
  description = "The basion information in cluster"
  value = { (nifcloud_instance.bn.instance_id) : {
    instance_id = nifcloud_instance.bn.instance_id,
    unique_id   = nifcloud_instance.bn.unique_id,
    private_ip  = nifcloud_instance.bn.private_ip,
    public_ip   = nifcloud_instance.bn.public_ip,
  } }
 }
 output "worker_info" {
  description = "The worker information in cluster"
  value = { for v in nifcloud_instance.wk : v.instance_id => {
    instance_id = v.instance_id,
    unique_id   = v.unique_id,
    private_ip  = v.private_ip,
    public_ip   = v.public_ip,
  } }
 }
 output "control_plane_info" {
  description = "The control plane information in cluster"
  value = { for v in nifcloud_instance.cp : v.instance_id => {
    instance_id = v.instance_id,
    unique_id   = v.unique_id,
    private_ip  = v.private_ip,
    public_ip   = v.public_ip,
  } }
 }
--- a/contrib/terraform/nifcloud/modules/kubernetes-cluster/templates/userdata.tftpl
+++ b/contrib/terraform/nifcloud/modules/kubernetes-cluster/templates/userdata.tftpl
@@ -0,0 +1,45 @@
 #!/bin/bash
 #################################################
 ##
 ## IP Address
 ##
 configure_private_ip_address () {
  cat << EOS > /etc/netplan/01-netcfg.yaml
 network:
    version: 2
    renderer: networkd
    ethernets:
        ens192:
            dhcp4: yes
            dhcp6: yes
            dhcp-identifier: mac
        ens224:
            dhcp4: no
            dhcp6: no
            addresses: [${private_ip_address}]
 EOS
  netplan apply
 }
 configure_private_ip_address
 #################################################
 ##
 ## SSH
 ##
 configure_ssh_port () {
  sed -i 's/^#*Port [0-9]*/Port ${ssh_port}/' /etc/ssh/sshd_config
 }
 configure_ssh_port
 #################################################
 ##
 ## Hostname
 ##
 hostnamectl set-hostname ${hostname}
 #################################################
 ##
 ## Disable swap files genereated by systemd-gpt-auto-generator
 ##
 systemctl mask "dev-sda3.swap"
--- a/contrib/terraform/nifcloud/modules/kubernetes-cluster/terraform.tf
+++ b/contrib/terraform/nifcloud/modules/kubernetes-cluster/terraform.tf
@@ -0,0 +1,9 @@
 terraform {
  required_version = ">=1.3.7"
  required_providers {
    nifcloud = {
      source  = "nifcloud/nifcloud"
      version = ">= 1.8.0, < 2.0.0"
    }
  }
 }
--- a/contrib/terraform/nifcloud/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/nifcloud/modules/kubernetes-cluster/variables.tf
@@ -0,0 +1,81 @@
 variable "availability_zone" {
  description = "The availability zone"
  type        = string
 }
 variable "prefix" {
  description = "The prefix for the entire cluster"
  type        = string
  validation {
    condition     = length(var.prefix) <= 5
    error_message = "Must be a less than 5 character long."
  }
 }
 variable "private_network_cidr" {
  description = "The subnet of private network"
  type        = string
  validation {
    condition     = can(cidrnetmask(var.private_network_cidr))
    error_message = "Must be a valid IPv4 CIDR block address."
  }
 }
 variable "private_ip_bn" {
  description = "Private IP of bastion server"
  type        = string
 }
 variable "instances_cp" {
  type = map(object({
    private_ip = string
  }))
 }
 variable "instances_wk" {
  type = map(object({
    private_ip = string
  }))
 }
 variable "instance_key_name" {
  description = "The key name of the Key Pair to use for the instance"
  type        = string
 }
 variable "instance_type_bn" {
  description = "The instance type of bastion server"
  type        = string
 }
 variable "instance_type_wk" {
  description = "The instance type of worker"
  type        = string
 }
 variable "instance_type_cp" {
  description = "The instance type of control plane"
  type        = string
 }
 variable "image_name" {
  description = "The name of image"
  type        = string
 }
 variable "additional_lb_filter" {
  description = "Additional LB filter"
  type        = list(string)
 }
 variable "accounting_type" {
  type    = string
  default = "1"
  validation {
    condition = anytrue([
      var.accounting_type == "1", // Monthly
      var.accounting_type == "2", // Pay per use
    ])
    error_message = "Must be a 1 or 2."
  }
 }
--- a/contrib/terraform/nifcloud/output.tf
+++ b/contrib/terraform/nifcloud/output.tf
@@ -0,0 +1,3 @@
 output "kubernetes_cluster" {
  value = module.kubernetes_cluster
 }
--- a/contrib/terraform/nifcloud/sample-inventory/cluster.tfvars
+++ b/contrib/terraform/nifcloud/sample-inventory/cluster.tfvars
@@ -0,0 +1,22 @@
 region = "jp-west-1"
 az     = "west-11"
 instance_key_name = "deployerkey"
 instance_type_bn = "e-medium"
 instance_type_cp = "e-medium"
 instance_type_wk = "e-medium"
 private_network_cidr = "192.168.30.0/24"
 instances_cp = {
  "cp01" : { private_ip : "192.168.30.11/24" }
  "cp02" : { private_ip : "192.168.30.12/24" }
  "cp03" : { private_ip : "192.168.30.13/24" }
 }
 instances_wk = {
  "wk01" : { private_ip : "192.168.30.21/24" }
  "wk02" : { private_ip : "192.168.30.22/24" }
 }
 private_ip_bn = "192.168.30.10/24"
 image_name = "Ubuntu Server 22.04 LTS"
--- a/contrib/terraform/nifcloud/sample-inventory/group_vars
+++ b/contrib/terraform/nifcloud/sample-inventory/group_vars
@@ -0,0 +1 @@
 ../../../../inventory/sample/group_vars
--- a/contrib/terraform/nifcloud/terraform.tf
+++ b/contrib/terraform/nifcloud/terraform.tf
@@ -0,0 +1,9 @@
 terraform {
  required_version = ">=1.3.7"
  required_providers {
    nifcloud = {
      source  = "nifcloud/nifcloud"
      version = "1.8.0"
    }
  }
 }
--- a/contrib/terraform/nifcloud/variables.tf
+++ b/contrib/terraform/nifcloud/variables.tf
@@ -0,0 +1,77 @@
 variable "region" {
  description = "The region"
  type        = string
 }
 variable "az" {
  description = "The availability zone"
  type        = string
 }
 variable "private_ip_bn" {
  description = "Private IP of bastion server"
  type        = string
 }
 variable "private_network_cidr" {
  description = "The subnet of private network"
  type        = string
  validation {
    condition     = can(cidrnetmask(var.private_network_cidr))
    error_message = "Must be a valid IPv4 CIDR block address."
  }
 }
 variable "instances_cp" {
  type = map(object({
    private_ip = string
  }))
 }
 variable "instances_wk" {
  type = map(object({
    private_ip = string
  }))
 }
 variable "instance_key_name" {
  description = "The key name of the Key Pair to use for the instance"
  type        = string
 }
 variable "instance_type_bn" {
  description = "The instance type of bastion server"
  type        = string
 }
 variable "instance_type_wk" {
  description = "The instance type of worker"
  type        = string
 }
 variable "instance_type_cp" {
  description = "The instance type of control plane"
  type        = string
 }
 variable "image_name" {
  description = "The name of image"
  type        = string
 }
 variable "working_instance_ip" {
  description = "The IP address to connect to bastion server."
  type        = string
 }
 variable "accounting_type" {
  type    = string
  default = "2"
  validation {
    condition = anytrue([
      var.accounting_type == "1", // Monthly
      var.accounting_type == "2", // Pay per use
    ])
    error_message = "Must be a 1 or 2."
  }
 }
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -281,9 +281,9 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`k8s_allowed_remote_ips_ipv6` | List of IPv6 CIDR allowed to initiate a SSH connection, empty by default |
 |`k8s_allowed_egress_ipv6_ips` | List of IPv6 CIDRs allowed for egress traffic, `["::/0"]` by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
-|`worker_allowed_ports_ipv6` | List of ports to open on worker nodes for IPv6 CIDR blocks, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "::/0"}, { "protocol" = "ipv6-icmp", "port_range_min" = 0, "port_range_max" = 0, "remote_ip_prefix" = "::/0"}]` by default |
+|`worker_allowed_ports_ipv6` | List of ports to open on worker nodes for IPv6 CIDR blocks, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "::/0"}]` by default |
 |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
-|`master_allowed_ports_ipv6` | List of ports to open on master nodes for IPv6 CIDR blocks, `[{ "protocol" = "ipv6-icmp", "port_range_min" = 0, "port_range_max" = 0, "remote_ip_prefix" = "::/0"}]` by default |
+|`master_allowed_ports_ipv6` | List of ports to open on master nodes for IPv6 CIDR blocks, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "::/0"}]`, empty by default |
 |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage |
 |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage |
 |`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default |
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -1006,7 +1006,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  count             = var.number_of_gfs_nodes_no_floating_ip
  availability_zone = element(var.az_list, count.index)
-  image_id          = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
+  image_name        = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
  flavor_id         = var.flavor_gfs_node
  key_pair          = openstack_compute_keypair_v2.k8s.name
@@ -1078,7 +1078,7 @@ resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }
-resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
+resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
  name        = "${var.cluster_name}-glusterfs_volume-${count.index + 1}"
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  description = "Non-ephemeral volume for GlusterFS"
@@ -1088,5 +1088,5 @@ resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  instance_id = element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)
-  volume_id   = element(openstack_blockstorage_volume_v3.glusterfs_volume.*.id, count.index)
+  volume_id   = element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)
 }
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -271,14 +271,7 @@ variable "master_allowed_ports" {
 variable "master_allowed_ports_ipv6" {
  type = list(any)
-  default = [
+  default = []
    {
      "protocol"         = "ipv6-icmp"
      "port_range_min"   = 0
      "port_range_max"   = 0
      "remote_ip_prefix" = "::/0"
    },
  ]
 }
 variable "worker_allowed_ports" {
@@ -304,12 +297,6 @@ variable "worker_allowed_ports_ipv6" {
      "port_range_max"   = 32767
      "remote_ip_prefix" = "::/0"
    },
    {
      "protocol"         = "ipv6-icmp"
      "port_range_min"   = 0
      "port_range_max"   = 0
      "remote_ip_prefix" = "::/0"
    },
  ]
 }
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -1,13 +1,5 @@
 # Cilium
 ## Unprivileged agent configuration
 By default, Cilium is installed with `securityContext.privileged: false`. You need to set the `kube_owner` variable to `root` in the inventory:
 ```yml
 kube_owner: root
 ```
 ## IP Address Management (IPAM)
 IP Address Management (IPAM) is responsible for the allocation and management of IP addresses used by network endpoints (container and others) managed by Cilium. The default mode is "Cluster Scope".
@@ -245,7 +237,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 ```yml
-cilium_version: "1.19.1"
+cilium_version: "1.18.4"
 ```
 ## Add variable to config
--- a/docs/CRI/containerd.md
+++ b/docs/CRI/containerd.md
@@ -65,8 +65,9 @@ In kubespray, the default runtime name is "runc", and it can be configured with
 containerd_runc_runtime:
  name: runc
  type: "io.containerd.runc.v2"
  engine: ""
  root: ""
  options:
    Root: ""
    SystemdCgroup: "false"
    BinaryName: /usr/local/bin/my-runc
  base_runtime_spec: cri-base.json
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -57,6 +57,7 @@
  * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
  * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
  * [Kube-vip](/docs/ingress/kube-vip.md)
  * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems
--- a/docs/advanced/cert_manager.md
+++ b/docs/advanced/cert_manager.md
@@ -30,7 +30,14 @@ If you don't have a TLS Root CA certificate and key available, you can create th
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
-For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
 ```ini
 # Nginx ingress controller deployment
 ingress_nginx_enabled: true
 ```
 For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -41,9 +48,9 @@ metadata:
  labels:
    prometheus: k8s
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
  ingressClassName: "traefik"
  tls:
  - hosts:
    - prometheus.example.com
@@ -65,8 +72,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
 Please consult the official upstream documentation:
- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
+- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
 ### ACME
@@ -74,12 +81,12 @@ The ACME Issuer type represents a single account registered with the Automated C
 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
+- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
+- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
+  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
+- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
+  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
+- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
 #### ACME With An Internal Certificate Authority
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni
 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
-|  Ansible Version  | Python Version |
+| Ansible Version | Python Version |
-|-------------------|----------------|
+|-----------------|----------------|
-| >=2.18.0, <2.19.0 | 3.11-3.13      |
+| >= 2.17.3       | 3.10-3.12      |
 ## Customize Ansible vars
@@ -45,7 +45,10 @@ Kubespray expects users to use one of the following variables sources for settin
 |  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |
-> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.
+[!IMPORTANT]
 Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
 Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
 interface. Thus they can change, disappear, or break stuff unexpectedly.
 ## Ansible tags
@@ -78,6 +81,7 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
 | dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |
@@ -192,11 +196,11 @@ You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mou
 to access the inventory and SSH key in the container, like this:
 ```ShellSession
-git checkout v2.30.0
+git checkout v2.29.0
-docker pull quay.io/kubespray/kubespray:v2.30.0
+docker pull quay.io/kubespray/kubespray:v2.29.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.30.0 bash
+  quay.io/kubespray/kubespray:v2.29.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
--- a/docs/developers/ci-setup.md
+++ b/docs/developers/ci-setup.md
@@ -145,6 +145,7 @@ upstream_dns_servers:
  - 1.0.0.1
 # Extensions
 ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True
--- a/docs/developers/ci.md
+++ b/docs/developers/ci.md
@@ -13,12 +13,10 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu24 |  :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: |
@@ -33,14 +31,12 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ## docker
@@ -53,11 +49,9 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
--- a/docs/getting_started/getting-started.md
+++ b/docs/getting_started/getting-started.md
@@ -83,6 +83,32 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
 ## Accessing Kubernetes Dashboard
 Supported version is kubernetes-dashboard v2.0.x :
 - Login option : token/kubeconfig by default
 - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
 - Only serves over https
 Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
 - Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
 - kubectl commands must be run with "-n kube-system"
 Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
 For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
 Access can also by achieved via ssh tunnel on a control plane :
 ```bash
 # localhost:8081 will be sent to control-plane-1's own localhost:8081
 ssh -L8001:localhost:8001 user@control-plane-1
 sudo -i
 kubectl proxy
 ```
 ## Accessing Kubernetes API
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane
--- a/docs/ingress/ingress_nginx.md
+++ b/docs/ingress/ingress_nginx.md
@@ -0,0 +1,203 @@
 # Installation Guide
 ## Contents
 - [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
  - [Provider Specific Steps](#provider-specific-steps)
    - [Docker for Mac](#docker-for-mac)
    - [minikube](#minikube)
    - [AWS](#aws)
    - [GCE - GKE](#gce-gke)
    - [Azure](#azure)
    - [Bare-metal](#bare-metal)
  - [Verify installation](#verify-installation)
  - [Detect installed version](#detect-installed-version)
 - [Using Helm](#using-helm)
 ## Prerequisite Generic Deployment Command
 !!! attention
    The default configuration watches Ingress object from *all the namespaces*.
    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
 !!! warning
    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
 !!! attention
    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
 ```console
 kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole cluster-admin \
 --user $(gcloud config get-value account)
 ```
 The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
 ```
 ### Provider Specific Steps
 There are cloud provider specific yaml files.
 #### Docker for Mac
 Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
 First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
 Then you have to create a service:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### minikube
 For standard usage:
 ```console
 minikube addons enable ingress
 ```
 For development:
 1. Disable the ingress addon:
 ```console
 minikube addons disable ingress
 ```
 1. Execute `make dev-env`
 1. Confirm the `nginx-ingress-controller` deployment exists:
 ```console
 $ kubectl get pods -n ingress-nginx
 NAME                                       READY     STATUS    RESTARTS   AGE
 default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
 nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
 ```
 #### AWS
 In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
 Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
 Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
 ##### Elastic Load Balancer - ELB
 This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
 - [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
 - [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
 For L4:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
 ```
 For L7:
 Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
 Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
 Then execute:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 This example creates an ELB with just two listeners, one in port 80 and another in port 443
 ![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
 ##### ELB Idle Timeouts
 In some scenarios users will need to modify the value of the ELB idle timeout.
 Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
 By default NGINX `keepalive_timeout` is set to `75s`.
 The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
 in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
 *Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
 More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
 ##### Network Load Balancer (NLB)
 This type of load balancer is supported since v1.10.0 as an ALPHA feature.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
 ```
 #### GCE-GKE
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 **Important Note:** proxy protocol is not supported in GCE/GKE
 #### Azure
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### Bare-metal
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
 ```
 !!! tip
    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
 ### Verify installation
 To check if the ingress controller pods have started, run the following command:
 ```console
 kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
 ```
 Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
 Now, you are ready to create your first ingress.
 ### Detect installed version
 To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
 ```console
 POD_NAMESPACE=ingress-nginx
 POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
 ```
 ## Using Helm
 NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
 Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
 To install the chart with the release name `my-nginx`:
 ```console
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm install my-nginx ingress-nginx/ingress-nginx
 ```
 Detect installed version:
 ```console
 POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
 ```
--- a/docs/ingress/kube-vip.md
+++ b/docs/ingress/kube-vip.md
@@ -63,8 +63,6 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
 # kube_vip_bgp_sourceip:
 # kube_vip_bgp_sourceif:
 ```
 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):
--- a/docs/ingress/metallb.md
+++ b/docs/ingress/metallb.md
@@ -21,12 +21,6 @@ metallb_enabled: true
 metallb_speaker_enabled: true
 ```
 By default, MetalLB resources are deployed into the `metallb-system` namespace. You can override this namespace using a variable.
 ```yaml
 metallb_namespace: woodenlb-system
 ```
 By default only the MetalLB BGP speaker is allowed to run on control plane nodes. If you have a single node cluster or a cluster where control plane are also worker nodes you may need to enable tolerations for the MetalLB controller:
 ```yaml
--- a/docs/operating_systems/rhel.md
+++ b/docs/operating_systems/rhel.md
@@ -6,9 +6,9 @@ The documentation also applies to Red Hat derivatives, including Alma Linux, Roc
 The content of this section does not apply to open-source derivatives.
-In order to install packages via yum or dnf, RHEL hosts are required to be registered for a valid Red Hat support subscription.
+In order to install packages via yum or dnf, RHEL 7/8 hosts are required to be registered for a valid Red Hat support subscription.
-You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL hosts provisioned in Production environments.
+You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL 7/8 hosts provisioned in Production environments.
 Once you have a Red Hat support account, simply add the credentials to the Ansible inventory parameters `rh_subscription_username` and `rh_subscription_password` prior to deploying Kubespray. If your company has a Corporate Red Hat support account, then obtain an **Organization ID** and **Activation Key**, and add these to the Ansible inventory parameters `rh_subscription_org_id` and `rh_subscription_activation_key` instead of using your Red Hat support account credentials.
@@ -29,12 +29,12 @@ rh_subscription_role: "Red Hat Enterprise Server"
 rh_subscription_sla: "Self-Support"
 ```
-If the RHEL hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
+If the RHEL 8/9 hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
-## Rocky Linux 10
+## RHEL 8
-(Experimental in Kubespray CI)
+If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
-The official Rocky Linux 10 cloud image does not include `kernel-module-extra`. Both Kube Proxy and CNI rely on this package, and since it relates to kernel version compatibility (which may require VM reboots, etc.), we haven't found an ideal solution.
+The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
 However, some users report that it doesn't affect them (minimal version). Therefore, the Kubespray CI Rocky Linux 10 image is built by Kubespray maintainers using `diskimage-builder`. For detailed methods, please refer to [the comments](https://github.com/kubernetes-sigs/kubespray/pull/12355#issuecomment-3705400093).
--- a/docs/operations/etcd.md
+++ b/docs/operations/etcd.md
@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
  k8s-app: etcd
  app.kubernetes.io/managed-by: Kubespray
  app: kube-prometheus-stack-kube-etcd
-  release: kube-prometheus-stack
+  release: prometheus-stack
 ```
 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:
+chart with the following Helm `values.yaml` :
 ```yaml
 kubeEtcd:
@@ -45,22 +45,8 @@ kubeEtcd:
    enabled: false
 ```
-If your Helm release name is different, adjust the `release` label accordingly.
+To fully override metrics exposition urls, define it in the inventory with:
 To fully override metrics exposition URLs, define it in the inventory with:
 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
 If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
 you can configure kube-prometheus-stack to scrape those endpoints directly with:
 ```yaml
 kubeEtcd:
  enabled: true
  endpoints:
    - 10.141.4.22
    - 10.141.4.23
    - 10.141.4.24
 ```
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -100,6 +100,8 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
 # To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
 kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
--- a/docs/operations/offline-environment.md
+++ b/docs/operations/offline-environment.md
@@ -85,7 +85,7 @@ crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_ve
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.31.0
+version: 2.30.0
 readme: README.md
 authors:
  - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)
--- a/index.html
+++ b/index.html
@@ -38,7 +38,6 @@
    loadSidebar: 'docs/_sidebar.md',
    repo: 'https://github.com/kubernetes-sigs/kubespray',
    auto2top: true,
    noCompileLinks: ['.*\.ini'],
    logo: '/logo/logo-clear.png'
  }
 </script>
--- a/inventory/sample/group_vars/all/containerd.yml
+++ b/inventory/sample/group_vars/all/containerd.yml
@@ -11,15 +11,15 @@
 # containerd_runc_runtime:
 #   name: runc
 #   type: "io.containerd.runc.v2"
-#   options:
+#   engine: ""
-#     Root: ""
+#   root: ""
 # containerd_additional_runtimes:
 # Example for Kata Containers as additional runtime:
 #   - name: kata
 #     type: "io.containerd.kata.v2"
-#     options:
+#     engine: ""
-#       Root: ""
+#     root: ""
 # containerd_grpc_max_recv_message_size: 16777216
 # containerd_grpc_max_send_message_size: 16777216
--- a/inventory/sample/group_vars/all/offline.yml
+++ b/inventory/sample/group_vars/all/offline.yml
@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -1,4 +1,8 @@
 ---
 # Kubernetes dashboard
 # RBAC required. see docs/getting-started.md for access details.
 # dashboard_enabled: false
 # Helm deployment
 helm_enabled: false
@@ -63,6 +67,39 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false
 # ingress_nginx_service_type: LoadBalancer
 # ingress_nginx_service_annotations:
 #   example.io/loadbalancerIPs: 1.2.3.4
 # ingress_nginx_service_nodeport_http: 30080
 # ingress_nginx_service_nodeport_https: 30081
 ingress_publish_status_address: ""
 # ingress_nginx_nodeselector:
 #   kubernetes.io/os: "linux"
 # ingress_nginx_tolerations:
 #   - key: "node-role.kubernetes.io/control-plane"
 #     operator: "Equal"
 #     value: ""
 #     effect: "NoSchedule"
 # ingress_nginx_namespace: "ingress-nginx"
 # ingress_nginx_insecure_port: 80
 # ingress_nginx_secure_port: 443
 # ingress_nginx_configmap:
 #   map-hash-bucket-size: "128"
 #   ssl-protocols: "TLSv1.2 TLSv1.3"
 # ingress_nginx_configmap_tcp_services:
 #   9000: "default/example-go:8080"
 # ingress_nginx_configmap_udp_services:
 #   53: "kube-system/coredns:53"
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 # ingress_nginx_termination_grace_period_seconds: 300
 # ingress_nginx_class: nginx
 # ingress_nginx_without_class: true
 # ingress_nginx_default: false
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
@@ -199,8 +236,6 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
 # kube_vip_bgp_sourceip:
 # kube_vip_bgp_sourceif:
 # Node Feature Discovery
 node_feature_discovery_enabled: false
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -22,8 +22,7 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
-# This is the user that owns the cluster installation.
+# This is the user that owns tha cluster installation.
 # Note: cilium needs to set kube_owner to root https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration
 kube_owner: kube
 # This is the group that the cert creation scripts chgrp the
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -56,8 +56,8 @@ cilium_l2announcements: false
 #
 # Only effective when monitor aggregation is set to "medium" or higher.
 # cilium_monitor_aggregation_flags: "all"
-# Kube Proxy Replacement mode (true/false)
+# Kube Proxy Replacement mode (strict/partial)
-# cilium_kube_proxy_replacement: false
+# cilium_kube_proxy_replacement: partial
 # If upgrading from Cilium < 1.5, you may want to override some of these options
 # to prevent service disruptions. See also:
@@ -361,6 +361,8 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false
 # cilium_enable_bpf_clock_probe: true
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.18.0,<2.19.0"
+requires_ansible: ">=2.17.3"
--- a/pipeline.Dockerfile
+++ b/pipeline.Dockerfile
@@ -1,5 +1,5 @@
-# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
+FROM ubuntu:jammy-20230308
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
@@ -27,14 +27,14 @@ RUN apt update -q \
         ca-certificates \
         curl \
         gnupg2 \
         software-properties-common \
         unzip \
         libvirt-clients \
         qemu-utils \
         qemu-kvm \
         dnsmasq \
-        && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
+    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
-        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+    && add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
            $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | tee /etc/apt/sources.list.d/docker.list \
    && apt update -q \
    && apt install --no-install-recommends -yq docker-ce \
    && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
@@ -44,10 +44,11 @@ ADD ./requirements.txt  /kubespray/requirements.txt
 ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
-    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
+    && pip install --no-compile --no-cache-dir pip -U \
-    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
+    && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && echo $(curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.34.2/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
    && echo $(curl -L https://dl.k8s.io/release/v1.34.2/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
@@ -55,5 +56,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
    && vagrant plugin install vagrant-libvirt \
    # Install Kubernetes collections
-    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
+    && pip install --no-compile --no-cache-dir kubernetes \
    && ansible-galaxy collection install kubernetes.core
--- a/playbooks/ansible_version.yml
+++ b/playbooks/ansible_version.yml
@@ -5,8 +5,8 @@
  become: false
  run_once: true
  vars:
-    minimal_ansible_version: 2.18.0
+    minimal_ansible_version: 2.17.3
-    maximal_ansible_version: 2.19.0
+    maximal_ansible_version: 2.18.0
  tags: always
  tasks:
    - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
--- a/playbooks/internal_facts.yml
+++ b/playbooks/internal_facts.yml
@@ -16,8 +16,6 @@
    - name: Gather and compute network facts
      import_role:
        name: network_facts
      tags:
        - always
    - name: Gather minimal facts
      setup:
        gather_subset: '!all'
--- a/playbooks/upgrade_cluster.yml
+++ b/playbooks/upgrade_cluster.yml
@@ -55,7 +55,7 @@
    - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
    - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
    - { role: kubernetes/node, tags: node }
-    - { role: kubernetes/control-plane, tags: control-plane, upgrade_cluster_setup: true }
+    - { role: kubernetes/control-plane, tags: master, upgrade_cluster_setup: true }
    - { role: kubernetes/client, tags: client }
    - { role: kubernetes/node-label, tags: node-label }
    - { role: kubernetes/node-taint, tags: node-taint }
@@ -100,7 +100,7 @@
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray_defaults }
-    - { role: win_nodes/kubernetes_patch, tags: ["control-plane", "win_nodes"] }
+    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 - name: Install Calico Route Reflector
  hosts: calico_rr
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
-ansible==11.13.0
+ansible==10.7.0
 # Needed for community.crypto module
-cryptography==46.0.5
+cryptography==46.0.3
 # Needed for jinja2 json_query templating
-jmespath==1.1.0
+jmespath==1.0.1
 # Needed for ansible.utils.ipaddr
 netaddr==1.3.0
--- a/roles/adduser/molecule/default/molecule.yml
+++ b/roles/adduser/molecule/default/molecule.yml
@@ -9,8 +9,6 @@ platforms:
    vm_memory: 512
 provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: ../../../
  config_options:
    defaults:
      callbacks_enabled: profile_tasks
--- a/roles/bastion-ssh-config/defaults/main.yml
+++ b/roles/bastion-ssh-config/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-ssh_bastion_config_name: ssh-bastion.conf
+ssh_bastion_confing__name: ssh-bastion.conf
--- a/roles/bastion-ssh-config/molecule/default/converge.yml
+++ b/roles/bastion-ssh-config/molecule/default/converge.yml
@@ -8,8 +8,8 @@
  tasks:
    - name: Copy config to remote host
      copy:
-        src: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+        src: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-        dest: "{{ ssh_bastion_config_name }}"
+        dest: "{{ ssh_bastion_confing__name }}"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"
--- a/roles/bastion-ssh-config/molecule/default/molecule.yml
+++ b/roles/bastion-ssh-config/molecule/default/molecule.yml
@@ -9,8 +9,6 @@ platforms:
    vm_memory: 512
 provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: ../../../
  config_options:
    defaults:
      callbacks_enabled: profile_tasks
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -17,6 +17,6 @@
  delegate_to: localhost
  connection: local
  template:
-    src: "{{ ssh_bastion_config_name }}.j2"
+    src: "{{ ssh_bastion_confing__name }}.j2"
-    dest: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
    mode: "0640"
--- a/roles/bootstrap_os/defaults/main.yml
+++ b/roles/bootstrap_os/defaults/main.yml
@@ -12,10 +12,6 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false
 ## openEuler specific variables
 # Enable metalink for openEuler repos (auto-selects fastest mirror by location)
 openeuler_metalink_enabled: false
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
--- a/roles/bootstrap_os/molecule/default/molecule.yml
+++ b/roles/bootstrap_os/molecule/default/molecule.yml
@@ -21,8 +21,6 @@ platforms:
    vm_memory: 512
 provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: ../../../
  config_options:
    defaults:
      callbacks_enabled: profile_tasks
--- a/roles/bootstrap_os/tasks/openEuler.yml
+++ b/roles/bootstrap_os/tasks/openEuler.yml
@@ -1,43 +1,3 @@
 ---
- name: Import CentOS bootstrap for openEuler
+- name: Import Centos boostrap for openEuler
-  ansible.builtin.import_tasks: centos.yml
+  import_tasks: centos.yml
 - name: Get existing openEuler repo sections
  ansible.builtin.shell:
    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
    executable: /bin/bash
  register: _openeuler_repo_sections
  changed_when: false
  failed_when: false
  check_mode: false
  become: true
  when: openeuler_metalink_enabled
 - name: Enable metalink for openEuler repos
  community.general.ini_file:
    path: /etc/yum.repos.d/openEuler.repo
    section: "{{ item.key }}"
    option: metalink
    value: "{{ item.value }}"
    no_extra_spaces: true
    mode: "0644"
  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
  become: true
  when: openeuler_metalink_enabled
  register: _openeuler_metalink_result
  vars:
    _openeuler_metalink_repos:
      OS: "https://mirrors.openeuler.org/metalink?repo=$releasever/OS&arch=$basearch"
      everything: "https://mirrors.openeuler.org/metalink?repo=$releasever/everything&arch=$basearch"
      EPOL: "https://mirrors.openeuler.org/metalink?repo=$releasever/EPOL/main&arch=$basearch"
      debuginfo: "https://mirrors.openeuler.org/metalink?repo=$releasever/debuginfo&arch=$basearch"
      source: "https://mirrors.openeuler.org/metalink?repo=$releasever&arch=source"
      update: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=$basearch"
      update-source: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=source"
 - name: Clean dnf cache to apply metalink mirror selection
  ansible.builtin.command: dnf clean all
  become: true
  when:
    - openeuler_metalink_enabled
    - _openeuler_metalink_result.changed
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -13,9 +13,10 @@ containerd_snapshotter: "overlayfs"
 containerd_runc_runtime:
  name: runc
  type: "io.containerd.runc.v2"
  engine: ""
  root: ""
  base_runtime_spec: cri-base.json
  options:
    Root: ""
    SystemdCgroup: "{{ containerd_use_systemd_cgroup | ternary('true', 'false') }}"
    BinaryName: "{{ bin_dir }}/runc"
@@ -23,8 +24,8 @@ containerd_additional_runtimes: []
 # Example for Kata Containers as additional runtime:
 #  - name: kata
 #    type: "io.containerd.kata.v2"
-#    options:
+#    engine: ""
-#      Root: ""
+#    root: ""
 containerd_base_runtime_spec_rlimit_nofile: 65535
@@ -35,8 +36,8 @@ containerd_default_base_runtime_spec_patch:
        hard: "{{ containerd_base_runtime_spec_rlimit_nofile }}"
        soft: "{{ containerd_base_runtime_spec_rlimit_nofile }}"
-# Only for containerd < 2.1; discard unpacked layers to save disk space
+# Can help reduce disk usage
-# https://github.com/containerd/containerd/blob/release/2.1/docs/cri/config.md#image-pull-configuration-since-containerd-v21
+# https://github.com/containerd/containerd/discussions/6295
 containerd_discard_unpacked_layers: true
 containerd_base_runtime_specs:
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -52,6 +52,8 @@ oom_score = {{ containerd_oom_score }}
 {% for runtime in [containerd_runc_runtime] + containerd_additional_runtimes %}
       [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.{{ runtime.name }}]
         runtime_type = "{{ runtime.type }}"
         runtime_engine = "{{ runtime.engine }}"
         runtime_root = "{{ runtime.root }}"
 {% if runtime.base_runtime_spec is defined %}
         base_runtime_spec = "{{ containerd_cfg_dir }}/{{ runtime.base_runtime_spec }}"
 {% endif %}
@@ -76,9 +78,7 @@ oom_score = {{ containerd_oom_score }}
  [plugins."io.containerd.cri.v1.images"]
    snapshotter = "{{ containerd_snapshotter }}"
 {% if containerd_discard_unpacked_layers and containerd_version is version('2.1.0', '<') %}
    discard_unpacked_layers = {{ containerd_discard_unpacked_layers | lower }}
 {% endif %}
    image_pull_progress_timeout = "{{ containerd_image_pull_progress_timeout }}"
  [plugins."io.containerd.cri.v1.images".pinned_images]
    sandbox = "{{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
--- a/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -6,6 +6,12 @@
    masked: false
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | restart docker.service
  service:
    name: docker.service
    state: restarted
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | reload cri-dockerd.socket
  service:
    name: cri-dockerd.socket
--- a/roles/container-engine/cri-o/templates/config.json.j2
+++ b/roles/container-engine/cri-o/templates/config.json.j2
@@ -1,16 +1,16 @@
 {% if crio_registry_auth is defined and crio_registry_auth|length %}
 {
  "auths": {
 {% for reg in crio_registry_auth %}
  "auths": {
    "{{ reg.registry }}": {
      "auth": "{{ (reg.username + ':' + reg.password) | string | b64encode }}"
 {% if not loop.last %}
    },
 {% else %}
    }
 {% if not loop.last %}
  },
 {% else %}
  }
 {% endif %}
 {% endfor %}
  }
 }
 {% else %}
 {}
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -55,7 +55,7 @@
  register: keyserver_task_result
  until: keyserver_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger }}"
+  delay: "{{ retry_stagger | d(3) }}"
  with_items: "{{ docker_repo_key_info.repo_keys }}"
  environment: "{{ proxy_env }}"
  when: ansible_pkg_mgr == 'apt'
@@ -128,7 +128,7 @@
  register: docker_task_result
  until: docker_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger }}"
+  delay: "{{ retry_stagger | d(3) }}"
  notify: Restart docker
  when:
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
--- a/roles/container-engine/docker/templates/docker.service.j2
+++ b/roles/container-engine/docker/templates/docker.service.j2
@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=10
+StartLimitBurst=3
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}
--- a/roles/container-engine/meta/main.yml
+++ b/roles/container-engine/meta/main.yml
@@ -0,0 +1,58 @@
 # noqa role-name - this is a meta role that doesn't need a name
 ---
 dependencies:
  - role: container-engine/validate-container-engine
    tags:
      - container-engine
      - validate-container-engine
  - role: container-engine/kata-containers
    when:
      - kata_containers_enabled
    tags:
      - container-engine
      - kata-containers
  - role: container-engine/gvisor
    when:
      - gvisor_enabled
      - container_manager in ['docker', 'containerd']
    tags:
      - container-engine
      - gvisor
  - role: container-engine/crun
    when:
      - crun_enabled
    tags:
      - container-engine
      - crun
  - role: container-engine/youki
    when:
      - youki_enabled
      - container_manager == 'crio'
    tags:
      - container-engine
      - youki
  - role: container-engine/cri-o
    when:
      - container_manager == 'crio'
    tags:
      - container-engine
      - crio
  - role: container-engine/containerd
    when:
      - container_manager == 'containerd'
    tags:
      - container-engine
      - containerd
  - role: container-engine/cri-dockerd
    when:
      - container_manager == 'docker'
    tags:
      - container-engine
      - docker
--- a/roles/container-engine/tasks/main.yml
+++ b/roles/container-engine/tasks/main.yml
@@ -1,48 +0,0 @@
 ---
 - name: Validate container engine
  import_role:
    name: container-engine/validate-container-engine
  tags:
    - container-engine
    - validate-container-engine
 - name: Container runtimes
  include_role:
    name: "container-engine/{{ item.role }}"
    apply:
      tags:
        - container-engine
        - "{{ item.role }}"
  loop:
    - { role: 'kata-containers', enabled: "{{ kata_containers_enabled }}" }
    - { role: 'gvisor', enabled: "{{ gvisor_enabled and container_manager in ['docker', 'containerd'] }}" }
    - { role: 'crun', enabled: "{{ crun_enabled }}" }
    - { role: 'youki', enabled: "{{ youki_enabled and container_manager == 'crio' }}" }
  # TODO: Technically, this is more container-runtime than engine
  when: item.enabled
  tags:
    - container-engine
    - kata-containers
    - gvisor
    - crun
    - youki
 - name: Container Manager
  vars:
    container_manager_role:
      crio: cri-o
      docker: cri-dockerd
      containerd: containerd
  include_role:
    name: "container-engine/{{ container_manager_role[container_manager] }}"
    apply:
      tags:
        - container-engine
        - crio
        - docker
        - containerd
  tags:
    - container-engine
    - crio
    - docker
    - containerd
--- a/roles/download/templates/kubeadm-images.yaml.j2
+++ b/roles/download/templates/kubeadm-images.yaml.j2
@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/v1beta4
+apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
 kind: InitConfiguration
 nodeRegistration:
  criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/v1beta4
+apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -34,7 +34,6 @@
  when:
    - etcd_data_dir_member.stat.exists
    - etcd_cluster_is_healthy.rc == 0
    - etcd_version is version('3.6.0', '<')
  command: >-
    {{ bin_dir }}/etcdctl backup
      --data-dir {{ etcd_data_dir }}
--- a/roles/etcd/tasks/clean_v2_store.yml
+++ b/roles/etcd/tasks/clean_v2_store.yml
@@ -1,43 +0,0 @@
 ---
 # When upgrading from etcd 3.5 to 3.6, need to clean up v2 store before upgrading.
 # Without this, etcd 3.6 will crash with following error:
 #   "panic: detected disallowed v2 WAL for stage --v2-deprecation=write-only [recovered]"
 - name: Cleanup v2 store when upgrade etcd from <3.6 to >=3.6
  when:
    - etcd_cluster_setup
    - etcd_current_version != ''
    - etcd_current_version is version('3.6.0', '<')
    - etcd_version is version('3.6.0', '>=')
  block:
    - name: Ensure etcd version is >=3.5.26
      when:
        - etcd_current_version is version('3.5.26', '<')
      fail:
        msg: "You need to upgrade etcd to 3.5.26 or later before upgrade to 3.6. Current version is {{ etcd_current_version }}."
    # Workarounds:
    # Disable --enable-v2 (recommended in 20289) and do workaround of 20231 (MAX_WALS=1 and SNAPSHOT_COUNT=1)
    # - https://github.com/etcd-io/etcd/issues/20809
    # - https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13958051
    - name: Change etcd configuration temporally to limit number of WALs and snapshots to clean up v2 store
      ansible.builtin.lineinfile:
        path: /etc/etcd.env
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^ETCD_SNAPSHOT_COUNT=', line: 'ETCD_SNAPSHOT_COUNT=1' }
        - { regexp: '^ETCD_MAX_WALS=', line: 'ETCD_MAX_WALS=1' }
        - { regexp: '^ETCD_MAX_SNAPSHOTS=', line: 'ETCD_MAX_SNAPSHOTS=1' }
        - { regexp: '^ETCD_ENABLE_V2=', line: 'ETCD_ENABLE_V2=false' }
    # Restart etcd to apply temporal configuration and prevent some upgrade failures
    # See also: https://etcd.io/blog/2025/upgrade_from_3.5_to_3.6_issue_followup/
    - name: Stop etcd
      service:
        name: etcd
        state: stopped
    - name: Start etcd
      service:
        name: etcd
        state: started
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -5,7 +5,8 @@
    group: "{{ etcd_cert_group }}"
    state: directory
    owner: "{{ etcd_owner }}"
-    mode: "0700"
+    mode: "{{ etcd_cert_dir_mode }}"
    recurse: true
 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
  file:
@@ -144,6 +145,15 @@
    - ('k8s_cluster' in group_names) and
        sync_certs | default(false) and inventory_hostname not in groups['etcd']
 - name: Gen_certs | check certificate permissions
  file:
    path: "{{ etcd_cert_dir }}"
    group: "{{ etcd_cert_group }}"
    state: directory
    owner: "{{ etcd_owner }}"
    mode: "{{ etcd_cert_dir_mode }}"
    recurse: true
 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere
 # OR work with kubeadm on node-specific config
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -23,14 +23,6 @@
    - etcd_events_cluster_setup
    - etcd_image_tag not in etcd_events_current_docker_image.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_docker_image.stdout | regex_search('.*:v([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install etcd launch script
  template:
    src: etcd.j2
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -21,14 +21,6 @@
    - etcd_events_cluster_setup
    - etcd_version not in etcd_current_host_version.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_host_version.stdout | regex_search('etcd Version: ([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install | Copy etcd binary from download dir
  copy:
    src: "{{ local_release_dir }}/etcd-v{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -53,12 +53,6 @@
    - control-plane
    - network
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Install etcdctl and etcdutl binary
  import_role:
    name: etcdctl_etcdutl
@@ -70,6 +64,12 @@
    - ('etcd' in group_names)
    - etcd_cluster_setup
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Configure etcd
  include_tasks: configure.yml
  when: ('etcd' in group_names)
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -25,6 +25,8 @@ ETCD_MAX_REQUEST_BYTES={{ etcd_max_request_bytes }}
 ETCD_LOG_LEVEL={{ etcd_log_level }}
 ETCD_MAX_SNAPSHOTS={{ etcd_max_snapshots }}
 ETCD_MAX_WALS={{ etcd_max_wals }}
 # Flannel need etcd v2 API
 ETCD_ENABLE_V2=true
 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -32,16 +32,23 @@ DNS.{{ counter["dns"] }} = {{ hostvars[host]['etcd_access_address'] }}{{ increme
 {# This will always expand to inventory_hostname, which can be a completely arbitrary name, that etcd will not know or care about, hence this line is (probably) redundant. #}
 DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
 {% if apiserver_loadbalancer_domain_name is defined %}
 DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
 {% endif %}
 {% for etcd_alt_name in etcd_cert_alt_names %}
 DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
 {% endfor %}
 {% for host in groups['etcd'] %}
-{% for address in hostvars[host]['main_access_ips'] %}
+{% if hostvars[host]['access_ip'] is defined  %}
-IP.{{ counter["ip"] }} = {{ address }}{{ increment(counter, 'ip') }}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
-{% endfor %}
+{% endif %}
-{% for address in hostvars[host]['main_ips'] %}
+{% if hostvars[host]['access_ip6'] is defined  %}
-IP.{{ counter["ip"] }} = {{ address }}{{ increment(counter, 'ip') }}
+IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip6'] }}{{ increment(counter, 'ip') }}
-{% endfor %}
+{% endif %}
 {% if ipv6_stack  %}
 IP.{{ counter["ip"] }} = {{ hostvars[host]['ip6'] | default(hostvars[host]['fallback_ip6']) }}{{ increment(counter, 'ip') }}
 {% endif %}
 IP.{{ counter["ip"] }} = {{ hostvars[host]['main_ip'] }}{{ increment(counter, 'ip') }}
 {% endfor %}
 {% for cert_alt_ip in etcd_cert_alt_ips %}
 IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
--- a/roles/etcd_defaults/defaults/main.yml
+++ b/roles/etcd_defaults/defaults/main.yml
@@ -18,6 +18,7 @@ etcd_backup_retention_count: -1
 force_etcd_cert_refresh: true
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
 etcd_cert_dir_mode: "0700"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -11,7 +11,6 @@ dns_nodes_per_replica: 16
 dns_cores_per_replica: 256
 dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"
 enable_coredns_reverse_dns_lookups: true
 coredns_svc_name: "coredns"
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 coredns_affinity:
@@ -88,5 +87,60 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack
 # Netchecker
 deploy_netchecker: false
 netchecker_port: 31081
 agent_report_interval: 15
 netcheck_namespace: default
 # Limits for netchecker apps
 netchecker_agent_cpu_limit: 30m
 netchecker_agent_memory_limit: 100M
 netchecker_agent_cpu_requests: 15m
 netchecker_agent_memory_requests: 64M
 netchecker_server_cpu_limit: 100m
 netchecker_server_memory_limit: 256M
 netchecker_server_cpu_requests: 50m
 netchecker_server_memory_requests: 64M
 netchecker_etcd_cpu_limit: 200m
 netchecker_etcd_memory_limit: 256M
 netchecker_etcd_cpu_requests: 100m
 netchecker_etcd_memory_requests: 128M
 # SecurityContext (user/group)
 netchecker_agent_user: 1000
 netchecker_server_user: 1000
 netchecker_agent_group: 1000
 netchecker_server_group: 1000
 # Log levels
 netchecker_agent_log_level: 5
 netchecker_server_log_level: 5
 netchecker_etcd_log_level: info
 # Dashboard
 dashboard_replicas: 1
 # Namespace for dashboard
 dashboard_namespace: kube-system
 # Limits for dashboard
 dashboard_cpu_limit: 100m
 dashboard_memory_limit: 256M
 dashboard_cpu_requests: 50m
 dashboard_memory_requests: 64M
 # Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
 # contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
 dashboard_use_custom_certs: false
 dashboard_certs_secret_name: kubernetes-dashboard-certs
 dashboard_tls_key_file: dashboard.key
 dashboard_tls_cert_file: dashboard.crt
 dashboard_master_toleration: true
 # Override dashboard default settings
 dashboard_token_ttl: 900
 dashboard_skip_login: false
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -87,3 +87,37 @@
  when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
  tags:
    - etcd_metrics
 - name: Kubernetes Apps | Netchecker
  command:
    cmd: "{{ kubectl_apply_stdin }}"
    stdin: "{{ lookup('template', item) }}"
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  vars:
    k8s_namespace: "{{ netcheck_namespace }}"
  when: deploy_netchecker
  tags:
    - netchecker
  loop:
    - netchecker-ns.yml.j2
    - netchecker-agent-sa.yml.j2
    - netchecker-agent-ds.yml.j2
    - netchecker-agent-hostnet-ds.yml.j2
    - netchecker-server-sa.yml.j2
    - netchecker-server-clusterrole.yml.j2
    - netchecker-server-clusterrolebinding.yml.j2
    - netchecker-server-deployment.yml.j2
    - netchecker-server-svc.yml.j2
 - name: Kubernetes Apps | Dashboard
  command:
    cmd: "{{ kubectl_apply_stdin }}"
    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  vars:
    k8s_namespace: "{{ dashboard_namespace }}"
  when: dashboard_enabled
  tags:
    - dashboard
--- a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ coredns_svc_name }}{{ coredns_ordinal_suffix }}
+  name: coredns{{ coredns_ordinal_suffix }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns{{ coredns_ordinal_suffix }}
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -0,0 +1,323 @@
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Configuration to deploy release version of the Dashboard UI compatible with
 # Kubernetes 1.8.
 #
 # Example usage: kubectl create -f <this_file>
 {% if k8s_namespace != 'kube-system' %}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ k8s_namespace }}
  labels:
    name: {{ k8s_namespace }}
 {% endif %}
 ---
 # ------------------- Dashboard Secrets ------------------- #
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
 type: Opaque
 data:
  csrf: ""
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
 type: Opaque
 ---
 # ------------------- Dashboard ConfigMap ------------------- #
 kind: ConfigMap
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
 ---
 # ------------------- Dashboard Service Account ------------------- #
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 ---
 # ------------------- Dashboard Role & Role Binding ------------------- #
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 # ------------------- Dashboard Deployment ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  replicas: {{ dashboard_replicas }}
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-dashboard
          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ dashboard_cpu_limit }}
              memory: {{ dashboard_memory_limit }}
            requests:
              cpu: {{ dashboard_cpu_requests }}
              memory: {{ dashboard_memory_requests }}
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --namespace={{ k8s_namespace }}
 {% if dashboard_use_custom_certs %}
            - --tls-key-file={{ dashboard_tls_key_file }}
            - --tls-cert-file={{ dashboard_tls_cert_file }}
 {% else %}
            - --auto-generate-certificates
 {% endif %}
 {% if dashboard_skip_login %}
            - --enable-skip-login
 {% endif %}
            - --authentication-mode=token
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
            - --token-ttl={{ dashboard_token_ttl }}
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: {{ dashboard_certs_secret_name }}
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
 ---
 # ------------------- Dashboard Service ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
 ---
 # ------------------- Metrics Scraper Service Account ------------------- #
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
 ---
 # ------------------- Metrics Scraper Service  ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: dashboard-metrics-scraper
 spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: kubernetes-metrics-scraper
 ---
 # ------------------- Metrics Scraper Deployment  ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: kubernetes-metrics-scraper
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: kubernetes-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-metrics-scraper
          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
      serviceAccountName: kubernetes-dashboard
      volumes:
      - name: tmp-volume
        emptyDir: {}
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2
@@ -0,0 +1,56 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app: netchecker-agent
  name: netchecker-agent
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    matchLabels:
      app: netchecker-agent
  template:
    metadata:
      name: netchecker-agent
      labels:
        app: netchecker-agent
    spec:
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      tolerations:
        - effect: NoSchedule
          operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: netchecker-agent
          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          args:
            - "-v={{ netchecker_agent_log_level }}"
            - "-alsologtostderr=true"
            - "-serverendpoint=netchecker-service:8081"
            - "-reportinterval={{ agent_report_interval }}"
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
              memory: {{ netchecker_agent_memory_limit }}
            requests:
              cpu: {{ netchecker_agent_cpu_requests }}
              memory: {{ netchecker_agent_memory_requests }}
          securityContext:
            runAsUser: {{ netchecker_agent_user | default('0') }}
            runAsGroup: {{ netchecker_agent_group | default('0') }}
      serviceAccountName: netchecker-agent
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 100%
    type: RollingUpdate
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
@@ -0,0 +1,58 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app: netchecker-agent-hostnet
  name: netchecker-agent-hostnet
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    matchLabels:
      app: netchecker-agent-hostnet
  template:
    metadata:
      name: netchecker-agent-hostnet
      labels:
        app: netchecker-agent-hostnet
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      tolerations:
        - effect: NoSchedule
          operator: Exists
      containers:
        - name: netchecker-agent
          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          args:
            - "-v={{ netchecker_agent_log_level }}"
            - "-alsologtostderr=true"
            - "-serverendpoint=netchecker-service:8081"
            - "-reportinterval={{ agent_report_interval }}"
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
              memory: {{ netchecker_agent_memory_limit }}
            requests:
              cpu: {{ netchecker_agent_cpu_requests }}
              memory: {{ netchecker_agent_memory_requests }}
          securityContext:
            runAsUser: {{ netchecker_agent_user | default('0') }}
            runAsGroup: {{ netchecker_agent_group | default('0') }}
      serviceAccountName: netchecker-agent
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 100%
    type: RollingUpdate
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2
@@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: netchecker-agent
  namespace: {{ netcheck_namespace }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ netcheck_namespace }}"
  labels:
    name: "{{ netcheck_namespace }}"
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
@@ -0,0 +1,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
 rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get"]
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
 subjects:
  - kind: ServiceAccount
    name: netchecker-server
    namespace: {{ netcheck_namespace }}
 roleRef:
  kind: ClusterRole
  name: netchecker-server
  apiGroup: rbac.authorization.k8s.io
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -0,0 +1,86 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
  labels:
    app: netchecker-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: netchecker-server
  template:
    metadata:
      name: netchecker-server
      labels:
        app: netchecker-server
    spec:
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      volumes:
        - name: etcd-data
          emptyDir: {}
      containers:
        - name: netchecker-server
          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ netchecker_server_cpu_limit }}
              memory: {{ netchecker_server_memory_limit }}
            requests:
              cpu: {{ netchecker_server_cpu_requests }}
              memory: {{ netchecker_server_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8081
          args:
            - -v={{ netchecker_server_log_level }}
            - -logtostderr
            - -kubeproxyinit=false
            - -endpoint=0.0.0.0:8081
            - -etcd-endpoints=http://127.0.0.1:2379
        - name: etcd
          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: ETCD_LOG_LEVEL
              value: "{{ netchecker_etcd_log_level }}"
          command:
            - etcd
            - --listen-client-urls=http://127.0.0.1:2379
            - --advertise-client-urls=http://127.0.0.1:2379
            - --data-dir=/var/lib/etcd
            - --enable-v2
            - --force-new-cluster
          volumeMounts:
            - mountPath: /var/lib/etcd
              name: etcd-data
          resources:
            limits:
              cpu: {{ netchecker_etcd_cpu_limit }}
              memory: {{ netchecker_etcd_memory_limit }}
            requests:
              cpu: {{ netchecker_etcd_cpu_requests }}
              memory: {{ netchecker_etcd_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      tolerations:
        - effect: NoSchedule
          operator: Exists
      serviceAccountName: netchecker-server
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
@@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2
@@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: netchecker-service
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    app: netchecker-server
  ports:
    -
      protocol: TCP
      port: 8081
      targetPort: 8081
      nodePort: {{ netchecker_port }}
  type: NodePort
--- a/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2
@@ -45,7 +45,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
@@ -132,7 +132,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.35.0"
+external_openstack_cloud_controller_image_tag: "v1.32.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.18.0,<2.19.0"`	`requires_ansible: ">=2.17.3"`