From 834feb58bdcbd448714888147e1db4421270ba93 Mon Sep 17 00:00:00 2001 From: clyhtsuriva Date: Mon, 3 Feb 2025 22:54:35 +0100 Subject: opentofu&ansible: add `become` to `ansible_provisioner` & open k8s ports --- ansible/kubespray | 2 +- ansible/playbooks/k8s.yml | 2 ++ ansible/roles/k8s/handlers/main.yml | 6 ++++ ansible/roles/k8s/tasks/main.yml | 4 +++ ansible/roles/k8s/tasks/ufw.yml | 64 +++++++++++++++++++++++++++++++++++++ 5 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/k8s/handlers/main.yml create mode 100644 ansible/roles/k8s/tasks/main.yml create mode 100644 ansible/roles/k8s/tasks/ufw.yml (limited to 'ansible') diff --git a/ansible/kubespray b/ansible/kubespray index 4628275..2ae66bb 160000 --- a/ansible/kubespray +++ b/ansible/kubespray @@ -1 +1 @@ -Subproject commit 4628275fdcb21bffd88def0d882cc528fd12c935 +Subproject commit 2ae66bb366b02b71109f04dd011d1f2435e5cb49 diff --git a/ansible/playbooks/k8s.yml b/ansible/playbooks/k8s.yml index a424b1b..45f03ee 100644 --- a/ansible/playbooks/k8s.yml +++ b/ansible/playbooks/k8s.yml @@ -2,6 +2,8 @@ - name: Deploy a Production Ready Kubernetes Cluster hosts: all become: true + roles: + - role: k8s - name: Import kubespray playbook to deploy k8s cluster ansible.builtin.import_playbook: ../kubespray/cluster.yml diff --git a/ansible/roles/k8s/handlers/main.yml b/ansible/roles/k8s/handlers/main.yml new file mode 100644 index 0000000..d090d0e --- /dev/null +++ b/ansible/roles/k8s/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart UFW + ansible.builtin.service: + name: ufw + state: restarted +... diff --git a/ansible/roles/k8s/tasks/main.yml b/ansible/roles/k8s/tasks/main.yml new file mode 100644 index 0000000..c784c7c --- /dev/null +++ b/ansible/roles/k8s/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Include UFW tasks + ansible.builtin.include_tasks: ufw.yml +... diff --git a/ansible/roles/k8s/tasks/ufw.yml b/ansible/roles/k8s/tasks/ufw.yml new file mode 100644 index 0000000..c4c653a --- /dev/null +++ b/ansible/roles/k8s/tasks/ufw.yml @@ -0,0 +1,64 @@ +--- +- name: Ensure UFW is installed + ansible.builtin.apt: + name: ufw + state: present + +- name: Allow Kubernetes API server (6443) + community.general.ufw: + rule: allow + port: 6443 + proto: tcp + comment: "Kubernetes API server" + +- name: Allow etcd server client API (2379-2380) + community.general.ufw: + rule: allow + port: "2379:2380" + proto: tcp + comment: "etcd server client API" + +- name: Allow Kubelet API (10250) + community.general.ufw: + rule: allow + port: 10250 + proto: tcp + comment: "Kubelet API" + +- name: Allow kube-scheduler (10259) + community.general.ufw: + rule: allow + port: 10259 + proto: tcp + comment: "kube-scheduler" + +- name: Allow kube-controller-manager (10257) + community.general.ufw: + rule: allow + port: 10257 + proto: tcp + comment: "kube-controller-manager" + +- name: Allow kube-proxy (10256) + community.general.ufw: + rule: allow + port: 10256 + proto: tcp + comment: "kube-proxy" + +- name: Allow NodePort services (30000-32767) + community.general.ufw: + rule: allow + port: "30000:32767" + proto: tcp + comment: "NodePort services" + +- name: Enable UFW + community.general.ufw: + state: enabled + +- name: Ensure UFW is enabled on boot + ansible.builtin.systemd: + name: ufw + enabled: true +... -- cgit v1.2.3