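# roles/k8s/k8scommon/tasks/main.yml
#
# Common node preparation for an apt-based Kubernetes host: base packages,
# swap off, kernel modules, sysctl, containerd, CNI directories, the
# Kubernetes apt repository and the pinned kubelet/kubeadm/kubectl packages.
#
# Optional variable:
#   k8s_apt_channel  - pkgs.k8s.io release channel used for the apt
#                      repository (default: v1.34)
---
# === 1. Update packages and base utilities ===
- name: Install base packages
  ansible.builtin.apt:
    update_cache: true
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg  # required for `gpg --dearmor` in section 7
      - lsb-release
    state: present

# === 2. Disable swap ===
# Turn swap off now and keep it off across reboots by commenting out
# the fstab entries.
- name: Disable swap immediately
  ansible.builtin.command: swapoff -a
  changed_when: false

- name: Backup fstab
  ansible.builtin.copy:
    src: /etc/fstab
    dest: /etc/fstab.bak
    remote_src: true
    force: false  # keep the first (pristine) backup; never overwrite it

- name: Comment out swap entries in fstab
  ansible.builtin.replace:
    path: /etc/fstab
    regexp: '^\s*([^#].*\s+swap\s+.*)$'
    replace: '# \1'

# === 3. Kernel modules ===
- name: Write kernel modules config for Kubernetes
  ansible.builtin.copy:
    dest: /etc/modules-load.d/k8s.conf
    content: |
      overlay
      br_netfilter
    mode: '0644'

# Load the modules for the running kernel as well (the file above only
# takes effect at boot).
- name: Load kernel modules now
  ansible.builtin.command: "modprobe {{ item }}"
  loop:
    - overlay
    - br_netfilter
  changed_when: false

# === 4. sysctl for Kubernetes / containerd ===
- name: Configure Kubernetes sysctl params
  ansible.builtin.copy:
    dest: /etc/sysctl.d/99-kubernetes-cri.conf
    content: |
      net.bridge.bridge-nf-call-iptables = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      net.ipv4.ip_forward = 1
    mode: '0644'

- name: Apply sysctl settings
  ansible.builtin.command: sysctl --system
  changed_when: false

# === 5. Install containerd ===
- name: Install containerd
  ansible.builtin.apt:
    update_cache: true
    name: containerd
    state: present

- name: Ensure containerd config directory exists
  ansible.builtin.file:
    path: /etc/containerd
    state: directory
    mode: '0755'

# IMPORTANT: config.toml is regenerated on every run (as in the manual
# script), so local edits to it do not survive; the replace tasks below
# re-apply the required settings each time. The file is written to a
# temporary path first so a failing `containerd config default` cannot
# leave a truncated config.toml behind.
- name: Generate default containerd config (overwrite)
  ansible.builtin.shell: |
    set -o errexit -o nounset
    tmp="$(mktemp /etc/containerd/config.toml.XXXXXX)"
    trap 'rm -f "${tmp}"' EXIT
    containerd config default > "${tmp}"
    chmod 0644 "${tmp}"
    mv -f "${tmp}" /etc/containerd/config.toml
  args:
    executable: /bin/bash
  changed_when: true

- name: Enable SystemdCgroup in containerd config
  ansible.builtin.replace:
    path: /etc/containerd/config.toml
    regexp: 'SystemdCgroup = false'
    replace: 'SystemdCgroup = true'

- name: Set correct CNI bin_dir in containerd config
  ansible.builtin.replace:
    path: /etc/containerd/config.toml
    regexp: 'bin_dir = .*'
    replace: 'bin_dir = "/opt/cni/bin"'

- name: Set correct CNI conf_dir in containerd config
  ansible.builtin.replace:
    path: /etc/containerd/config.toml
    regexp: 'conf_dir = .*'
    replace: 'conf_dir = "/etc/cni/net.d"'

# Restarted (not merely started) on every run because the config above
# is regenerated on every run.
- name: Enable and restart containerd
  ansible.builtin.systemd:
    name: containerd
    enabled: true
    state: restarted

# === 6. Prepare CNI directories ===
- name: Ensure CNI directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: '0755'
  loop:
    - /opt/cni/bin
    - /etc/cni/net.d

# /usr/lib/cni -> /opt/cni/bin, only if /usr/lib/cni does not exist yet
- name: Check if /usr/lib/cni exists
  ansible.builtin.stat:
    path: /usr/lib/cni
  register: cni_usr_lib

- name: Create symlink /usr/lib/cni -> /opt/cni/bin (if not exists)
  ansible.builtin.file:
    src: /opt/cni/bin
    dest: /usr/lib/cni
    state: link
  when: not cni_usr_lib.stat.exists

# === 7. Kubernetes apt repository ===
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

# pipefail is required here: with errexit alone a failed curl still lets
# gpg write a (partial/empty) keyring, which `creates:` would then treat
# as done on every later run. The keyring is assembled in a temp file and
# moved into place only once both commands succeeded.
- name: Download Kubernetes repo key
  ansible.builtin.shell: |
    set -o errexit -o nounset -o pipefail
    tmp="$(mktemp /etc/apt/keyrings/kubernetes-apt-keyring.XXXXXX)"
    trap 'rm -f "${tmp}"' EXIT
    curl -fsSL "https://pkgs.k8s.io/core:/stable:/{{ k8s_apt_channel | default('v1.34') }}/deb/Release.key" \
      | gpg --dearmor -o "${tmp}"
    chmod 0644 "${tmp}"
    mv -f "${tmp}" /etc/apt/keyrings/kubernetes-apt-keyring.gpg
  args:
    executable: /bin/bash
    creates: /etc/apt/keyrings/kubernetes-apt-keyring.gpg

# apt must be able to read the keyring named in `signed-by`; enforce the
# mode independently of how the file was created.
- name: Ensure Kubernetes keyring is world-readable
  ansible.builtin.file:
    path: /etc/apt/keyrings/kubernetes-apt-keyring.gpg
    mode: '0644'

- name: Add Kubernetes apt repository
  ansible.builtin.copy:
    dest: /etc/apt/sources.list.d/kubernetes.list
    content: |
      deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/{{ k8s_apt_channel | default('v1.34') }}/deb/ /
    mode: '0644'

- name: Update apt cache after adding Kubernetes repo
  ansible.builtin.apt:
    update_cache: true

# === 8. Install kubelet, kubeadm, kubectl and pin versions ===
- name: Install kubelet, kubeadm, kubectl
  ansible.builtin.apt:
    name:
      - kubelet
      - kubeadm
      - kubectl
    state: present
    update_cache: true

# dpkg_selections is idempotent: it reports "changed" only when a package
# was not already on hold, unlike an `apt-mark hold` shell call that has
# to guess from its output.
- name: Hold Kubernetes packages
  ansible.builtin.dpkg_selections:
    name: "{{ item }}"
    selection: hold
  loop:
    - kubelet
    - kubeadm
    - kubectl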