{"id":16777327,"url":"https://github.com/githubixx/ansible-role-kubernetes-worker","last_synced_at":"2025-04-10T20:41:07.086Z","repository":{"id":18708058,"uuid":"82224049","full_name":"githubixx/ansible-role-kubernetes-worker","owner":"githubixx","description":"ansible-role-kubernetes-worker","archived":false,"fork":false,"pushed_at":"2025-01-27T20:16:01.000Z","size":212,"stargazers_count":16,"open_issues_count":0,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T18:11:57.152Z","etag":null,"topics":["ansible","ansible-role","k8s","kubernetes","worker"],"latest_commit_sha":null,"homepage":"https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-worker/","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/githubixx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-16T20:40:17.000Z","updated_at":"2025-01-27T20:15:37.000Z","dependencies_parsed_at":"2023-12-13T22:34:20.454Z","dependency_job_id":"b5b63d5d-a80e-4e4d-a239-63be3e0c854d","html_url":"https://github.com/githubixx/ansible-role-kubernetes-worker","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-worker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-worker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kuber
netes-worker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-worker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/githubixx","download_url":"https://codeload.github.com/githubixx/ansible-role-kubernetes-worker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248292669,"owners_count":21079480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","k8s","kubernetes","worker"],"created_at":"2024-10-13T07:24:23.377Z","updated_at":"2025-04-10T20:41:07.061Z","avatar_url":"https://github.com/githubixx.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ansible-role-kubernetes-worker\n\nThis Ansible role is used in [Kubernetes the not so hard way with Ansible - Worker](https://www.tauceti.blog/posts/kubernetes-the-not-so-hard-way-with-ansible-worker-2020/). This Ansible role sets up Kubernetes worker nodes. For more information please see [Kubernetes the not so hard way with Ansible - Worker](https://www.tauceti.blog/posts/kubernetes-the-not-so-hard-way-with-ansible-worker-2020/).\n\n## Versions\n\nI tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend checking out the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. 
A tag `28.0.0+1.31.5` means this is release `28.0.0` of this role and it's meant to be used with Kubernetes version `1.31.5` (but should work with any K8s 1.31.x release of course). If the role itself changes, `X.Y.Z` before `+` will increase. If the Kubernetes version changes, `X.Y.Z` after `+` will increase too. This allows tagging bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.\n\n## Requirements\n\nThis playbook expects that you have already rolled out the Kubernetes controller components (see [kubernetes-controller](https://github.com/githubixx/ansible-role-kubernetes-controller) and [Kubernetes the not so hard way with Ansible - Control plane](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-control-plane/)).\n\nYou also need [containerd](https://github.com/githubixx/ansible-role-containerd), [CNI plugins](https://github.com/githubixx/ansible-role-cni) and [runc](https://github.com/githubixx/ansible-role-runc) installed. To enable Kubernetes `Pods` to communicate between different hosts it makes sense to install e.g. [Cilium](https://galaxy.ansible.com/githubixx/cilium_kubernetes) later once the worker nodes are running. Of course `Calico`, `WeaveNet`, `kube-router`, [flannel](https://galaxy.ansible.com/githubixx/flanneld) or other Kubernetes network solutions are valid options too.\n\n## Supported OS\n\n- Ubuntu 20.04 (Focal Fossa) (reaches EOL April 2025 - not recommended)\n- Ubuntu 22.04 (Jammy Jellyfish)\n- Ubuntu 24.04 (Noble Numbat) (recommended)\n\n## Changelog\n\n**Change history:**\n\nSee full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-worker/blob/master/CHANGELOG.md)\n\n**IMPORTANT** Version `24.0.0+1.27.8` had a lot of potential breaking changes. 
So if you upgrade from a version \u003c `24.0.0+1.27.8` please read the CHANGELOG of that version too!\n\n**Recent changes:**\n\n## 28.0.0+1.31.5\n\n- **UPDATE**\n  - update `k8s_worker_release` to `1.31.5`\n\n## 27.0.1+1.30.9\n\n- **UPDATE**\n  - update `k8s_worker_release` to `1.30.9`\n\n## 27.0.0+1.30.5\n\n- **UPDATE**\n  - update `k8s_worker_release` to `1.30.5`\n\n- **OTHER CHANGES**\n  - support Ubuntu 24.04\n  - update `.yamllint`\n\n## 26.0.2+1.29.9\n\n- **OTHER CHANGES**\n  - fix download URLs for Kubernetes binaries (see: [Download Kubernetes - Binaries](https://kubernetes.io/releases/download/#binaries))\n\n## Installation\n\n- Directly download from GitHub (Change into Ansible roles directory before cloning. You can figure out the role path by using `ansible-config dump | grep DEFAULT_ROLES_PATH` command):\n`git clone https://github.com/githubixx/ansible-role-kubernetes-worker.git githubixx.kubernetes_worker`\n\n- Via `ansible-galaxy` command and download directly from Ansible Galaxy:\n`ansible-galaxy role install githubixx.kubernetes_worker`\n\n- Create a `requirements.yml` file with the following content (this will download the role from GitHub) and install with\n`ansible-galaxy role install -r requirements.yml` (change `version` if needed):\n\n```yaml\n---\nroles:\n  - name: githubixx.kubernetes_worker\n    src: https://github.com/githubixx/ansible-role-kubernetes-worker.git\n    version: 28.0.0+1.31.5\n```\n\n## Role Variables\n\n```yaml\n# The base directory for Kubernetes configuration and certificate files for\n# everything worker nodes related. After the playbook is done this directory\n# contains various sub-folders.\nk8s_worker_conf_dir: \"/etc/kubernetes/worker\"\n\n# All certificate files (Public Key Infrastructure related) specified in\n# \"k8s_worker_certificates\" (see \"vars/main.yml\") will be stored here.\n# Owner and group of this new directory will be \"root\". 
File permissions\n# will be \"0640\".\nk8s_worker_pki_dir: \"{{ k8s_worker_conf_dir }}/pki\"\n\n# The directory to store the Kubernetes binaries (see \"k8s_worker_binaries\"\n# variable in \"vars/main.yml\"). Owner and group of this new directory\n# will be \"root\" in both cases. Permissions for this directory will be \"0755\".\n#\n# NOTE: The default directory \"/usr/local/bin\" normally already exists on every\n# Linux installation with the owner, group and permissions mentioned above. If\n# your current settings are different consider a different directory. But make sure\n# that the new directory is included in your \"$PATH\" variable value.\nk8s_worker_bin_dir: \"/usr/local/bin\"\n\n# K8s release\nk8s_worker_release: \"1.31.5\"\n\n# The interface on which the Kubernetes services should listen. As all cluster\n# communication should use a VPN interface the interface name is\n# normally \"wg0\" (WireGuard), \"peervpn0\" (PeerVPN) or \"tap0\".\n#\n# The network interface on which the Kubernetes worker services should\n# listen. That is:\n#\n# - kube-proxy\n# - kubelet\n#\nk8s_interface: \"eth0\"\n\n# The directory from where to copy the K8s certificates. By default this\n# will expand to user's LOCAL $HOME (the user that runs \"ansible-playbook ...\")\n# plus \"/k8s/certs\". That means if the user's $HOME directory is e.g.\n# \"/home/da_user\" then \"k8s_ca_conf_directory\" will have a value of\n# \"/home/da_user/k8s/certs\".\nk8s_ca_conf_directory: \"{{ '~/k8s/certs' | expanduser }}\"\n\n# The IP address or hostname of the Kubernetes API endpoint. This variable\n# is used by \"kube-proxy\" and \"kubelet\" to connect to the \"kube-apiserver\"\n# (Kubernetes API server).\n#\n# By default the first host in the Ansible group \"k8s_controller\" is\n# specified here. NOTE: This setting is not fault tolerant! 
That means\n# if the first host in the Ansible group \"k8s_controller\" is down\n# the worker node and its workload continue working but the worker\n# node doesn't receive any updates from Kubernetes API server.\n#\n# If you have a loadbalancer that distributes traffic between all\n# Kubernetes API servers it should be specified here (either its IP\n# address or the DNS name). But you need to make sure that the IP\n# address or the DNS name you want to use here is included in the\n# Kubernetes API server TLS certificate (see \"k8s_apiserver_cert_hosts\"\n# variable of https://github.com/githubixx/ansible-role-kubernetes-ca\n# role). If it's not specified you'll get certificate errors in the\n# logs of the services mentioned above.\nk8s_worker_api_endpoint_host: \"{% set controller_host = groups['k8s_controller'][0] %}{{ hostvars[controller_host]['ansible_' + hostvars[controller_host]['k8s_interface']].ipv4.address }}\"\n\n# As above just for the port. It specifies on which port the\n# Kubernetes API servers are listening. Again if there is a loadbalancer\n# in place that distributes the requests to the Kubernetes API servers\n# put the port of the loadbalancer here.\nk8s_worker_api_endpoint_port: \"6443\"\n\n# OS packages needed on a Kubernetes worker node. You can add additional\n# packages at any time. 
But please be aware if you remove one or more from\n# the default list your worker node might not work as expected or doesn't work\n# at all.\nk8s_worker_os_packages:\n  - ebtables\n  - ethtool\n  - ipset\n  - conntrack\n  - iptables\n  - iptstate\n  - netstat-nat\n  - socat\n  - netbase\n\n# Directory to store kubelet configuration\nk8s_worker_kubelet_conf_dir: \"{{ k8s_worker_conf_dir }}/kubelet\"\n\n# kubelet settings\n#\n# If you want to enable the use of \"RuntimeDefault\" as the default seccomp\n# profile for all workloads add these settings to \"k8s_worker_kubelet_settings\":\n#\n# \"seccomp-default\": \"\"\n#\n# Also see:\n# https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads\nk8s_worker_kubelet_settings:\n  \"config\": \"{{ k8s_worker_kubelet_conf_dir }}/kubelet-config.yaml\"\n  \"node-ip\": \"{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}\"\n  \"kubeconfig\": \"{{ k8s_worker_kubelet_conf_dir }}/kubeconfig\"\n\n# kubelet kubeconfig\nk8s_worker_kubelet_conf_yaml: |\n  kind: KubeletConfiguration\n  apiVersion: kubelet.config.k8s.io/v1beta1\n  address: {{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}\n  authentication:\n    anonymous:\n      enabled: false\n    webhook:\n      enabled: true\n    x509:\n      clientCAFile: \"{{ k8s_worker_pki_dir }}/ca-k8s-apiserver.pem\"\n  authorization:\n    mode: Webhook\n  clusterDomain: \"cluster.local\"\n  clusterDNS:\n    - \"10.32.0.254\"\n  failSwapOn: true\n  healthzBindAddress: \"{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}\"\n  healthzPort: 10248\n  runtimeRequestTimeout: \"15m\"\n  serializeImagePulls: false\n  tlsCertFile: \"{{ k8s_worker_pki_dir }}/cert-{{ inventory_hostname }}.pem\"\n  tlsPrivateKeyFile: \"{{ k8s_worker_pki_dir }}/cert-{{ inventory_hostname }}-key.pem\"\n  cgroupDriver: \"systemd\"\n  registerNode: true\n  
containerRuntimeEndpoint: \"unix:///run/containerd/containerd.sock\"\n\n# Directory to store kube-proxy configuration\nk8s_worker_kubeproxy_conf_dir: \"{{ k8s_worker_conf_dir }}/kube-proxy\"\n\n# kube-proxy settings\nk8s_worker_kubeproxy_settings:\n  \"config\": \"{{ k8s_worker_kubeproxy_conf_dir }}/kubeproxy-config.yaml\"\n\nk8s_worker_kubeproxy_conf_yaml: |\n  kind: KubeProxyConfiguration\n  apiVersion: kubeproxy.config.k8s.io/v1alpha1\n  bindAddress: {{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}\n  clientConnection:\n    kubeconfig: \"{{ k8s_worker_kubeproxy_conf_dir }}/kubeconfig\"\n  healthzBindAddress: {{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}:10256\n  mode: \"ipvs\"\n  ipvs:\n    minSyncPeriod: 0s\n    scheduler: \"\"\n    syncPeriod: 2s\n  iptables:\n    masqueradeAll: true\n  clusterCIDR: \"10.200.0.0/16\"\n```\n\n## Dependencies\n\n- [kubernetes_controller](https://github.com/githubixx/ansible-role-kubernetes-controller)\n- [containerd](https://github.com/githubixx/ansible-role-containerd)\n- [runc](https://github.com/githubixx/ansible-role-runc)\n- [CNI plugins](https://github.com/githubixx/ansible-role-cni)\n\n## Example Playbook\n\n```yaml\n- hosts: k8s_worker\n  roles:\n    - githubixx.kubernetes_worker\n```\n\n## Testing\n\nThis role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) for how to set it up. The test configuration is [here](https://github.com/githubixx/ansible-role-kubernetes-worker/tree/master/molecule/default).\n\nAfterwards Molecule can be executed. 
This will set up a few virtual machines (VMs) with a supported Ubuntu OS and install a Kubernetes cluster:\n\n```bash\nmolecule converge\n```\n\nAt this time the cluster isn't fully functional as e.g. a network plugin is missing, so Pod to Pod communication between two different nodes isn't possible yet. To fix this, the following command can be used to install [Cilium](https://github.com/githubixx/ansible-role-cilium-kubernetes) for all Kubernetes networking needs and [CoreDNS](https://github.com/githubixx/ansible-kubernetes-playbooks/tree/master/coredns) for Kubernetes DNS stuff:\n\n```bash\nmolecule converge -- --extra-vars k8s_worker_setup_networking=install\n```\n\nAfter this you basically have a fully functional Kubernetes cluster.\n\nA small verification step is also included:\n\n```bash\nmolecule verify\n```\n\nTo clean up run\n\n```bash\nmolecule destroy\n```\n\n## License\n\nGNU GENERAL PUBLIC LICENSE Version 3\n\n## Author Information\n\n[http://www.tauceti.blog](http://www.tauceti.blog)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-worker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-worker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-worker/lists"}