diff options
Diffstat (limited to 'ansible')
| m--------- | ansible/kubespray | 0 | ||||
| -rw-r--r-- | ansible/playbooks/k8s.yml | 2 | ||||
| -rw-r--r-- | ansible/roles/k8s/handlers/main.yml | 6 | ||||
| -rw-r--r-- | ansible/roles/k8s/tasks/main.yml | 4 | ||||
| -rw-r--r-- | ansible/roles/k8s/tasks/ufw.yml | 64 |
5 files changed, 76 insertions, 0 deletions
diff --git a/ansible/kubespray b/ansible/kubespray -Subproject 4628275fdcb21bffd88def0d882cc528fd12c93 +Subproject 2ae66bb366b02b71109f04dd011d1f2435e5cb4 diff --git a/ansible/playbooks/k8s.yml b/ansible/playbooks/k8s.yml index a424b1b..45f03ee 100644 --- a/ansible/playbooks/k8s.yml +++ b/ansible/playbooks/k8s.yml @@ -2,6 +2,8 @@ - name: Deploy a Production Ready Kubernetes Cluster hosts: all become: true + roles: + - role: k8s - name: Import kubespray playbook to deploy k8s cluster ansible.builtin.import_playbook: ../kubespray/cluster.yml diff --git a/ansible/roles/k8s/handlers/main.yml b/ansible/roles/k8s/handlers/main.yml new file mode 100644 index 0000000..d090d0e --- /dev/null +++ b/ansible/roles/k8s/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart UFW + ansible.builtin.service: + name: ufw + state: restarted +... diff --git a/ansible/roles/k8s/tasks/main.yml b/ansible/roles/k8s/tasks/main.yml new file mode 100644 index 0000000..c784c7c --- /dev/null +++ b/ansible/roles/k8s/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Include UFW tasks + ansible.builtin.include_tasks: ufw.yml +... diff --git a/ansible/roles/k8s/tasks/ufw.yml b/ansible/roles/k8s/tasks/ufw.yml new file mode 100644 index 0000000..c4c653a --- /dev/null +++ b/ansible/roles/k8s/tasks/ufw.yml @@ -0,0 +1,64 @@ +--- +- name: Ensure UFW is installed + ansible.builtin.apt: + name: ufw + state: present + +- name: Allow Kubernetes API server (6443) + community.general.ufw: + rule: allow + port: 6443 + proto: tcp + comment: "Kubernetes API server" + +- name: Allow etcd server client API (2379-2380) + community.general.ufw: + rule: allow + port: "2379:2380" + proto: tcp + comment: "etcd server client API" + +- name: Allow Kubelet API (10250) + community.general.ufw: + rule: allow + port: 10250 + proto: tcp + comment: "Kubelet API" + +- name: Allow kube-scheduler (10259) + community.general.ufw: + rule: allow + port: 10259 + proto: tcp + comment: "kube-scheduler" + +- name: Allow kube-controller-manager (10257) + community.general.ufw: + rule: allow + port: 10257 + proto: tcp + comment: "kube-controller-manager" + +- name: Allow kube-proxy (10256) + community.general.ufw: + rule: allow + port: 10256 + proto: tcp + comment: "kube-proxy" + +- name: Allow NodePort services (30000-32767) + community.general.ufw: + rule: allow + port: "30000:32767" + proto: tcp + comment: "NodePort services" + +- name: Enable UFW + community.general.ufw: + state: enabled + +- name: Ensure UFW is enabled on boot + ansible.builtin.systemd: + name: ufw + enabled: true +... |