From 932fef4bbf13c4782b9ca0cd2cc09bf69355d55d Mon Sep 17 00:00:00 2001
From: Nik
Date: Fri, 10 Nov 2023 17:23:13 +1000
Subject: [PATCH 1/4] refresh code base
---
 documentation/Installation.md | 91 +++++++++++++------
 kubemarine/core/cluster.py | 4 +-
 kubemarine/core/group.py | 4 +-
 kubemarine/keepalived.py | 3 +
 kubemarine/kubernetes/__init__.py | 4 +
 kubemarine/packages.py | 6 +-
 kubemarine/patches/software_upgrade.yaml | 4 +
 kubemarine/procedures/backup.py | 2 +-
 kubemarine/procedures/check_iaas.py | 2 +-
 kubemarine/procedures/check_paas.py | 8 +-
 kubemarine/procedures/migrate_kubemarine.py | 4 +-
 .../compatibility/internal/packages.yaml | 32 +++++++
 .../resources/configurations/defaults.yaml | 20 ++++
 .../resources/configurations/globals.yaml | 27 ++++++
 .../etalons/patches/software_upgrade.yaml | 4 +
 .../definitions/services/modprobe.json | 5 +-
 .../services/packages/associations.json | 5 +-
 kubemarine/selinux.py | 2 +-
 kubemarine/system.py | 11 ++-
 scripts/thirdparties/src/software/packages.py | 2 +
 test/unit/test_migrate_kubemarine.py | 5 +-
 test/unit/test_upgrade.py | 5 +-
 22 files changed, 195 insertions(+), 55 deletions(-)
diff --git a/documentation/Installation.md b/documentation/Installation.md
index 9ac0c89bc..6bb910aa3 100644
--- a/documentation/Installation.md
+++ b/documentation/Installation.md
@@ -2,10 +2,12 @@ This section provides information about the inventory, features, and steps for i - [Prerequisites](#prerequisites) - [Prerequisites for Deployment Node](#prerequisites-for-deployment-node) + - [Windows Deployer Restrictions](#windows-deployer-restrictions) - [Prerequisites for Cluster Nodes](#prerequisites-for-cluster-nodes) - [Minimal Hardware Requirements](#minimal-hardware-requirements) - [Recommended Hardware Requirements](#recommended-hardware-requirements) - [Disk Partitioning Recommendation](#disk-partitioning-recommendation) + - [Disk Pressure](#disk-pressure) - [ETCD Recommendation](#etcd-recommendation) - [SSH key Recommendation](#ssh-key-recommendation) - [Private Certificate Authority](#private-certificate-authority) 
@@ -17,44 +19,61 @@ This section provides information about the inventory, features, and steps for i - [Mini-HA Scheme](#mini-ha-scheme) - [Full-HA Scheme](#full-ha-scheme) - [Taints and Toleration](#taints-and-toleration) + - [CoreDNS Deployment with Node Taints](#coredns-deployment-with-node-taints) + - [Plugins Deployment with Node Taints](#plugins-deployment-with-node-taints) - [Configuration](#configuration) + - [Inventory validation](#inventory-validation) - [globals](#globals) - - [node_defaults](#node_defaults) + - [node\_defaults](#node_defaults) - [nodes](#nodes) - - [cluster_name](#cluster_name) - - [control_plain](#control_plain) - - [public_cluster_ip](#public_cluster_ip) + - [cluster\_name](#cluster_name) + - [control\_plain](#control_plain) + - [control\_endpoint](#control_endpoint) + - [public\_cluster\_ip](#public_cluster_ip) - [registry](#registry) - - [gateway_nodes](#gateway_nodes) - - [vrrp_ips](#vrrp_ips) - - [services](#services) + - [registry (new endpoints format)](#registry-new-endpoints-format) + - [registry (old address-port format)](#registry-old-address-port-format) + - [gateway\_nodes](#gateway_nodes) + - [vrrp\_ips](#vrrp_ips) + - [maintenance type](#maintenance-type) + - [Services](#services) - [kubeadm](#kubeadm) - - [Kubernetes version](#kubernetes-version) - - [Cloud Provider Plugin](#cloud-provider-plugin) - - [Service Account Issuer](#service-account-issuer) - - [kubeadm_kubelet](#kubeadm_kubelet) - - [kubeadm_patches](#kubeadm_patches) - - [kernel_security](#kernel_security) + - [Kubernetes version](#kubernetes-version) + - [Cloud Provider Plugin](#cloud-provider-plugin) + - [Service Account Issuer](#service-account-issuer) + - [kubeadm\_kubelet](#kubeadm_kubelet) + - [kubeadm\_patches](#kubeadm_patches) + - [kernel\_security](#kernel_security) - [selinux](#selinux) - [apparmor](#apparmor) - [packages](#packages) - - [package_manager](#package_manager) + - [package\_manager](#package_manager) - [management](#management) + - 
[mandatory](#mandatory) + - [custom](#custom) - [associations](#associations) + - [RHEL and Centos](#rhel-and-centos) + - [Ubuntu and Debian](#ubuntu-and-debian) - [thirdparties](#thirdparties) - [CRI](#cri) - [modprobe](#modprobe) - [sysctl](#sysctl) - [audit](#audit) - - [Kubernetes Policy](#audit-kubernetes-policy) - - [Daemon](#audit-daemon) + - [Audit Kubernetes Policy](#audit-kubernetes-policy) + - [Audit Daemon](#audit-daemon) - [ntp](#ntp) - [chrony](#chrony) - [timesyncd](#timesyncd) - [resolv.conf](#resolvconf) - - [etc_hosts](#etc_hosts) + - [etc\_hosts](#etc_hosts) - [coredns](#coredns) + - [add\_etc\_hosts\_generated](#add_etc_hosts_generated) + - [configmap](#configmap) + - [deployment](#deployment) - [loadbalancer](#loadbalancer) + - [target\_ports](#target_ports) + - [haproxy](#haproxy) + - [maintenance mode](#maintenance-mode) - [RBAC Admission](#rbac-admission) - [Admission psp](#admission-psp) - [Configuring Admission Controller](#configuring-admission-controller) 
@@ -63,24 +82,31 @@ This section provides information about the inventory, features, and steps for i - [Admission pss](#admission-pss) - [Configuring Default Profiles](#configuring-default-profiles) - [Configuring Exemptions](#configuring-exemptions) + - [Application prerequisites](#application-prerequisites) - [RBAC Accounts](#rbac-accounts) - - [RBAC account_defaults](#rbac-account_defaults) + - [RBAC account\_defaults](#rbac-account_defaults) - [Plugins](#plugins) - [Predefined Plugins](#predefined-plugins) - [calico](#calico) + - [Calico BGP Configuration](#calico-bgp-configuration) + - [Default Typha Tolerations](#default-typha-tolerations) + - [Calico metrics configuration](#calico-metrics-configuration) + - [Calico Environment Properties](#calico-environment-properties) + - [Calico API server](#calico-api-server) - [nginx-ingress-controller](#nginx-ingress-controller) + - [monitoring](#monitoring) - [kubernetes-dashboard](#kubernetes-dashboard) - [local-path-provisioner](#local-path-provisioner) - [Plugins Features](#plugins-features) - - [plugin_defaults](#plugin_defaults) + - [plugin\_defaults](#plugin_defaults) - [Plugins Reinstallation](#plugins-reinstallation) - [Plugins Installation Order](#plugins-installation-order) - [Node Selector](#node-selector) - [Tolerations](#tolerations) - - [Resources requets and limits](#resources-requests-and-limits) + - [Resources Requests and Limits](#resources-requests-and-limits) - [Custom Plugins Installation Procedures](#custom-plugins-installation-procedures) - [template](#template) - - [config](#config) + - [config](#config) - [expect pods](#expect-pods) - [expect deployments/daemonsets/replicasets/statefulsets](#expect-deploymentsdaemonsetsreplicasetsstatefulsets) - [python](#python) 
@@ -88,7 +114,7 @@ This section provides information about the inventory, features, and steps for i - [shell](#shell) - [ansible](#ansible) - [helm](#helm) - - [Advanced features](#advanced-features) + - [Advanced Features](#advanced-features) - [List Merge Strategy](#list-merge-strategy) - [Merge Strategy Positioning](#merge-strategy-positioning) - [List Merge Allowed Sections](#list-merge-allowed-sections) 
@@ -105,15 +131,22 @@ This section provides information about the inventory, features, and steps for i - [Tasks List Redefinition](#tasks-list-redefinition) - [Logging](#logging) - [Dump Files](#dump-files) + - [Finalized Dump](#finalized-dump) - [Configurations Backup](#configurations-backup) - [Ansible Inventory](#ansible-inventory) - [Contents](#contents) - - [[all]](#all) - - [[cluster:children]](#clusterchildren) - - [[balancer], [control-plane], [worker]](#balancer-control-plane-worker) - - [[cluster:vars]](#clustervars) + - [\[all\]](#all) + - [\[cluster:children\]](#clusterchildren) + - [\[balancer\], \[control-plane\], \[worker\]](#balancer-control-plane-worker) + - [\[cluster:vars\]](#clustervars) - [Cumulative Points](#cumulative-points) - [Supported Versions](#supported-versions) + - [Default Dependent Components Versions for Kubernetes Versions v1.23.17](#default-dependent-components-versions-for-kubernetes-versions-v12317) + - [Default Dependent Components Versions for Kubernetes Versions v1.24.11](#default-dependent-components-versions-for-kubernetes-versions-v12411) + - [Default Dependent Components Versions for Kubernetes Versions v1.25.7](#default-dependent-components-versions-for-kubernetes-versions-v1257) + - [Default Dependent Components Versions for Kubernetes Versions v1.26.7](#default-dependent-components-versions-for-kubernetes-versions-v1267) + - [Default Dependent Components Versions for Kubernetes Versions v1.27.4](#default-dependent-components-versions-for-kubernetes-versions-v1274) + - [Default Dependent Components Versions for Kubernetes Versions v1.28.0](#default-dependent-components-versions-for-kubernetes-versions-v1280) # Prerequisites @@ -166,8 +199,8 @@ For cluster machines, ensure the following requirements are met: * Centos 7.5+, 8.4 * RHEL 7.5+, 8.4, 8.6, 8.7 - * Oracle Linux 7.5+, 8.4 - * RockyLinux 8.6, 8.7 + * Oracle Linux 7.5+, 8.4, 9.2 + * RockyLinux 8.6, 8.7, 9.2 * Ubuntu 20.04 * Ubuntu 22.04.1 
@@ -212,7 +245,7 @@ If you have other solution, remove or switch off the IP firewall before the inst * Installation of the following packages is highly recommended; however, Kubernetes can work without them, but may show warnings: * ethtool - * ebtables + * ebtables (included in the iptables-nft package which is available on systems like RHEL 9+) * socat **Warning**: You have to specify packages names in "RPM format" if it is possible for you OS, diff --git a/kubemarine/core/cluster.py b/kubemarine/core/cluster.py index f3f85c328..5f79d3e31 100755 --- a/kubemarine/core/cluster.py +++ b/kubemarine/core/cluster.py @@ -215,7 +215,7 @@ def get_os_family_for_nodes(self, hosts: Iterable[str]) -> str: """ Returns the detected operating system family for hosts. - :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported". + :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported". """ os_families = {self.get_os_family_for_node(host) for host in hosts} if len(os_families) > 1: @@ -230,7 +230,7 @@ def get_os_family(self) -> str: Returns common OS family name from all final remote hosts. The method can be used during enrichment when NodeGroups are not yet calculated. - :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported". + :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported". """ hosts_detect_os_family = [] for node in self.inventory['nodes']: diff --git a/kubemarine/core/group.py b/kubemarine/core/group.py index 2862055f8..5b4d5a472 100755 --- a/kubemarine/core/group.py +++ b/kubemarine/core/group.py 
@@ -614,7 +614,7 @@ def get_nodes_os(self) -> str: """ Returns the detected operating system family for group. - :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported". + :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported". """ return self.cluster.get_os_family_for_nodes(self.nodes) @@ -631,7 +631,7 @@ def get_subgroup_with_os(self: GROUP_SELF, os_family: str) -> GROUP_SELF: :param os_family: The name of required OS family :return: NodeGroup """ - if os_family not in ['debian', 'rhel', 'rhel8']: + if os_family not in ['debian', 'rhel', 'rhel8', 'rhel9']: raise Exception('Unsupported OS family provided') hosts = [] for host in self.nodes: diff --git a/kubemarine/keepalived.py b/kubemarine/keepalived.py index 59a41c113..627dc1ae7 100644 --- a/kubemarine/keepalived.py +++ b/kubemarine/keepalived.py @@ -196,6 +196,9 @@ def install_haproxy_check_script(group: DeferredGroup) -> None: group.put(io.StringIO(script), "/usr/local/bin/check_haproxy.sh", sudo=True) group.sudo("chmod +x /usr/local/bin/check_haproxy.sh") + if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: + group.sudo("chcon -u system_u -r object_r -t bin_t /usr/local/bin/check_haproxy.sh") + def uninstall(group: NodeGroup) -> RunnersGroupResult: return packages.remove(group, include='keepalived') diff --git a/kubemarine/kubernetes/__init__.py b/kubemarine/kubernetes/__init__.py index cf3a6e74a..29d0ac52b 100644 --- a/kubemarine/kubernetes/__init__.py +++ b/kubemarine/kubernetes/__init__.py 
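Review bot: The literal `['debian', 'rhel', 'rhel8', 'rhel9']` in get_subgroup_with_os is the same supported-family set that this patch also extends by hand in packages.get_package_manager and get_package_name, backup.export_packages_list, check_iaas.check_access_to_package_repositories, the selinux/apparmor verifiers in check_paas, selinux.setup_selinux and system.enrich_kernel_modules/verify_system, so the next family needs the same scatter of edits and one site is easy to miss. packages.py already has `get_associations_os_family_keys()` returning exactly this set; a single shared constant (e.g. `SUPPORTED_OS_FAMILIES`) in core, or that helper where importing packages does not create a cycle, would let every site read `if os_family not in SUPPORTED_OS_FAMILIES:`. get_subgroup_with_os continues past the end of the hunk.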
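Review bot: The added `chcon -u system_u -r object_r -t bin_t` hardcodes a label that, as far as I can tell, is what the default policy already assigns under /usr/local/bin, and a chcon-set label is discarded on the next relabel (`restorecon -R`, `/.autorelabel`) whereas a policy-derived one is restored; `group.sudo("restorecon -v /usr/local/bin/check_haproxy.sh")` reaches the same state without tying the code to a type name. The same pattern is introduced for kubelet.service and prepull-config.yaml in kubemarine/kubernetes/__init__.py and for predefined.conf in system.setup_modprobe. Worth confirming as well: if the inventory allows SELinux to be switched off at the kernel level, both chcon and restorecon would typically fail there, so the call may need to depend on the configured SELinux state rather than only on the OS family. install_haproxy_check_script begins outside the hunk.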
@@ -362,6 +362,8 @@ def install(group: NodeGroup) -> RunnersGroupResult: log.debug("Uploading to '%s'..." % node.get_host()) node.put(io.StringIO(template + "\n"), '/etc/systemd/system/kubelet.service', sudo=True) node.sudo("chmod 600 /etc/systemd/system/kubelet.service") + if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: + node.sudo("chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/kubelet.service") log.debug("\nReloading systemd daemon...") system.reload_systemctl(exe.group) @@ -1239,6 +1241,8 @@ def images_prepull(group: DeferredGroup, collector: CollectorCallback) -> Token: config = f'{config}---\n{yaml.dump(kubeadm_init, default_flow_style=False)}' group.put(io.StringIO(config), '/etc/kubernetes/prepull-config.yaml', sudo=True) + if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: + group.sudo("chcon -u system_u -r object_r -t kubernetes_file_t /etc/kubernetes/prepull-config.yaml") return group.sudo("kubeadm config images pull --config=/etc/kubernetes/prepull-config.yaml", callback=collector) diff --git a/kubemarine/packages.py b/kubemarine/packages.py index 8594b3073..568a319c9 100644 --- a/kubemarine/packages.py +++ b/kubemarine/packages.py @@ -489,7 +489,7 @@ def remove_unused_os_family_associations(cluster: KubernetesCluster, inventory: def get_associations_os_family_keys() -> Set[str]: - return {'debian', 'rhel', 'rhel8'} + return {'debian', 'rhel', 'rhel8', 'rhel9'} def get_compatibility_version_key(os_family: str) -> str: @@ -540,7 +540,7 @@ def search(self, group: DeferredGroup, package: str, callback: Callback = None) def get_package_manager(group: AbstractGroup[GROUP_RUN_TYPE]) -> PackageManager: os_family = group.get_nodes_os() - if os_family in ['rhel', 'rhel8']: + if os_family in ['rhel', 'rhel8', 'rhel9']: return yum elif os_family == 'debian': return apt 
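Review bot: In install() the new condition reads `group.get_nodes_os()` inside a loop that otherwise acts on `node`; per the docstring this patch updates in core/cluster.py, that call returns "multiple" for a mixed-OS group, so on a cluster with both RHEL and Debian nodes the relabel of kubelet.service would be skipped on every RHEL node. If `node` is a group object like `exe.group`, `if node.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']:` tests the node actually being written. The images_prepull hunk applies the same group-level test; whether that group can be mixed is not visible here. install() starts and ends outside the hunk.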
@@ -686,7 +686,7 @@ def get_package_name(os_family: str, package: str) -> str: package_name = "" if package: - if os_family in ["rhel", "rhel8"]: + if os_family in ["rhel", "rhel8", "rhel9"]: # regexp is needed to split package and its version, the pattern start with '-' then should be number or '*' package_name = re.split(r'-[\d,\*]', package)[0] else: diff --git a/kubemarine/patches/software_upgrade.yaml b/kubemarine/patches/software_upgrade.yaml index 83a7d5f01..b669d26ba 100644 --- a/kubemarine/patches/software_upgrade.yaml +++ b/kubemarine/patches/software_upgrade.yaml @@ -14,20 +14,24 @@ packages: docker: version_rhel: [] version_rhel8: [] + version_rhel9: [] version_debian: [] containerd: version_debian: [] containerdio: version_rhel: [] version_rhel8: [] + version_rhel9: [] version_debian: [] haproxy: version_rhel: false version_rhel8: false + version_rhel9: false version_debian: false keepalived: version_rhel: false version_rhel8: false + version_rhel9: false version_debian: false plugins: calico: [] diff --git a/kubemarine/procedures/backup.py b/kubemarine/procedures/backup.py index ec64ed664..a642ffb33 100755 --- a/kubemarine/procedures/backup.py +++ b/kubemarine/procedures/backup.py @@ -105,7 +105,7 @@ def export_ansible_inventory(cluster: KubernetesCluster) -> None: def export_packages_list(cluster: KubernetesCluster) -> None: cluster.context['backup_descriptor']['nodes']['packages'] = {} - if cluster.get_os_family() in ['rhel', 'rhel8']: + if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']: cmd = r"rpm -qa" else: cmd = r"dpkg-query -f '${Package}=${Version}\n' -W" diff --git a/kubemarine/procedures/check_iaas.py b/kubemarine/procedures/check_iaas.py index 27c387230..56ce85039 100755 --- a/kubemarine/procedures/check_iaas.py +++ b/kubemarine/procedures/check_iaas.py 
@@ -426,7 +426,7 @@ def check_access_to_package_repositories(cluster: KubernetesCluster) -> None: # TODO: think about better parsing repository_urls: List[str] = [] repositories = cluster.inventory['services']['packages']['package_manager'].get("repositories") - if cluster.get_os_family() not in ['debian', 'rhel', 'rhel8']: + if cluster.get_os_family() not in ['debian', 'rhel', 'rhel8', 'rhel9']: # Skip check in case of multiply or unknown OS raise TestWarn("Can't check package repositories on multiply OS") if isinstance(repositories, list): diff --git a/kubemarine/procedures/check_paas.py b/kubemarine/procedures/check_paas.py index a6b8c70d9..2eb980500 100755 --- a/kubemarine/procedures/check_paas.py +++ b/kubemarine/procedures/check_paas.py @@ -698,7 +698,7 @@ def verify_selinux_status(cluster: KubernetesCluster) -> None: :param cluster: KubernetesCluster object :return: None """ - if cluster.get_os_family() not in ('rhel', 'rhel8'): + if cluster.get_os_family() not in ('rhel', 'rhel8', 'rhel9'): return with TestCase(cluster, '213', "Security", "Selinux security policy") as tc: @@ -757,7 +757,7 @@ def verify_selinux_config(cluster: KubernetesCluster) -> None: :param cluster: KubernetesCluster object :return: None """ - if cluster.get_os_family() not in ('rhel', 'rhel8'): + if cluster.get_os_family() not in ('rhel', 'rhel8', 'rhel9'): return with TestCase(cluster, '214', "Security", "Selinux configuration") as tc: @@ -1399,7 +1399,7 @@ def verify_apparmor_status(cluster: KubernetesCluster) -> None: :param cluster: KubernetesCluster object :return: None """ - if cluster.get_os_family() in ['rhel', 'rhel8']: + if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']: return with TestCase(cluster, '227', "Security", "Apparmor security policy") as tc: 
@@ -1427,7 +1427,7 @@ def verify_apparmor_config(cluster: KubernetesCluster) -> None: :param cluster: KubernetesCluster object :return: None """ - if cluster.get_os_family() in ['rhel', 'rhel8']: + if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']: return with TestCase(cluster, '228', "Security", "Apparmor security policy") as tc: diff --git a/kubemarine/procedures/migrate_kubemarine.py b/kubemarine/procedures/migrate_kubemarine.py index c33b765ac..768f34e6f 100644 --- a/kubemarine/procedures/migrate_kubemarine.py +++ b/kubemarine/procedures/migrate_kubemarine.py @@ -370,7 +370,7 @@ def resolve_upgrade_patches() -> List[_SoftwareUpgradePatch]: k8s_versions = [version for pkg in ('docker', 'containerd', 'containerdio') - for v_key in ('version_rhel', 'version_rhel8', 'version_debian') + for v_key in ('version_rhel', 'version_rhel8', 'version_rhel9', 'version_debian') for version in upgrade_config['packages'][pkg].get(v_key, [])] if k8s_versions: verify_allowed_kubernetes_versions(k8s_versions) @@ -378,7 +378,7 @@ def resolve_upgrade_patches() -> List[_SoftwareUpgradePatch]: for package_name in ['haproxy', 'keepalived']: if any(upgrade_config['packages'][package_name].get(v_key) - for v_key in ('version_rhel', 'version_rhel8', 'version_debian')): + for v_key in ('version_rhel', 'version_rhel8', 'version_rhel9', 'version_debian')): upgrade_patches.append(BalancerUpgradePatch(upgrade_config, package_name)) default_plugins = static.DEFAULTS['plugins'] diff --git a/kubemarine/resources/configurations/compatibility/internal/packages.yaml b/kubemarine/resources/configurations/compatibility/internal/packages.yaml index 6d4900902..bbf1df8dc 100644 --- a/kubemarine/resources/configurations/compatibility/internal/packages.yaml +++ b/kubemarine/resources/configurations/compatibility/internal/packages.yaml 
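Review bot: The tuple `('version_rhel', 'version_rhel8', 'version_rhel9', 'version_debian')` is now spelled out twice in resolve_upgrade_patches and a third time in scripts/thirdparties/src/software/packages.py get_compatibility_version_keys, each a separate place to forget when a family is added. packages.py exposes `get_associations_os_family_keys()` and `get_compatibility_version_key(os_family)` (both visible in this patch), so one module-level `VERSION_KEYS = tuple(...)` built from them, assuming packages is importable here without a cycle, would let both comprehensions read `for v_key in VERSION_KEYS`; the first loop's `.get(v_key, [])` already tolerates keys a package lacks, such as containerd's missing rhel entries. resolve_upgrade_patches starts and ends outside the hunk.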
@@ -8,62 +8,77 @@ docker: v1.23.1: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.23.6: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.23.11: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.23.17: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.24.2: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.24.11: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.25.2: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.25.7: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.26.3: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.26.4: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.26.7: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.27.1: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.27.4: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.28.0: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* v1.28.3: version_rhel: 19.03* version_rhel8: 19.03* + version_rhel9: 20.10* version_debian: 5:20.10.* containerd: v1.23.1: 
@@ -100,68 +115,85 @@ containerdio: v1.23.1: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.5.* v1.23.6: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.5.* v1.23.11: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.5.* v1.23.17: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.5.* v1.24.2: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.24.11: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.25.2: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.25.7: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.26.3: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.26.4: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.26.7: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.27.1: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.27.4: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.28.0: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* v1.28.3: version_rhel: 1.6* version_rhel8: 1.6* + version_rhel9: 1.6* version_debian: 1.6.* haproxy: version_rhel: 1.8* version_rhel8: 1.8* + version_rhel9: 2.4* version_debian: 2.* keepalived: version_rhel: 1.3* version_rhel8: 2.1* + version_rhel9: 2.2* version_debian: 1:2.* diff --git a/kubemarine/resources/configurations/defaults.yaml b/kubemarine/resources/configurations/defaults.yaml index 1f9dc4682..cc2e144f4 100644 --- a/kubemarine/resources/configurations/defaults.yaml +++ b/kubemarine/resources/configurations/defaults.yaml 
@@ -157,6 +157,13 @@ services: - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_nat{% endif %}' - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_reject_ipv6{% endif %}' - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_defrag_ipv6{% endif %}' + rhel9: + - br_netfilter + - '{% if not nodes[0]["internal_address"]|isipv4 %}ip6table_filter{% endif %}' + - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_conntrack{% endif %}' + - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_nat{% endif %}' + - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_reject_ipv6{% endif %}' + - '{% if not nodes[0]["internal_address"]|isipv4 %}nf_defrag_ipv6{% endif %}' debian: - br_netfilter - '{% if not nodes[0]["internal_address"]|isipv4 %}ip6table_filter{% endif %}' @@ -478,6 +485,19 @@ services: package_name: 'conntrack-tools' semanage: package_name: 'policycoreutils-python-utils' + rhel9: + docker: {} + containerd: {} + haproxy: + executable_name: '/usr/sbin/haproxy' + service_name: 'haproxy' + keepalived: {} + audit: + package_name: 'audit' + conntrack: + package_name: 'conntrack-tools' + semanage: + package_name: 'policycoreutils-python-utils' plugin_defaults: installation: {} diff --git a/kubemarine/resources/configurations/globals.yaml b/kubemarine/resources/configurations/globals.yaml index 6661239fc..e75f0cbef 100644 --- a/kubemarine/resources/configurations/globals.yaml +++ b/kubemarine/resources/configurations/globals.yaml @@ -202,6 +202,21 @@ packages: keepalived: package_name: - keepalived: keepalived + rhel9: + docker: + package_name: + - docker-ce: docker + - docker-ce-cli: docker + - containerd.io: containerdio + containerd: + package_name: + - containerd.io: containerdio + haproxy: + package_name: + - haproxy: haproxy + keepalived: + package_name: + - keepalived: keepalived common_associations: docker: executable_name: 'docker' 
@@ -314,6 +329,9 @@ compatibility_map: - os_family: 'rhel8' versions: - '8.4' + - os_family: 'rhel9' + versions: + - '9' rhel: - os_family: 'rhel' versions: @@ -328,11 +346,17 @@ compatibility_map: - '8.6' - '8.7' - '8.8' + - os_family: 'rhel9' + versions: + - '9.2' rocky: - os_family: 'rhel8' versions: - '8.6' - '8.7' + - os_family: 'rhel9' + versions: + - '9.2' ubuntu: - os_family: 'debian' versions: @@ -356,6 +380,9 @@ compatibility_map: - os_family: 'rhel8' versions: - '8.4' + - os_family: 'rhel9' + versions: + - '9.2' network: connection: diff --git a/kubemarine/resources/etalons/patches/software_upgrade.yaml b/kubemarine/resources/etalons/patches/software_upgrade.yaml index 83a7d5f01..b669d26ba 100644 --- a/kubemarine/resources/etalons/patches/software_upgrade.yaml +++ b/kubemarine/resources/etalons/patches/software_upgrade.yaml @@ -14,20 +14,24 @@ packages: docker: version_rhel: [] version_rhel8: [] + version_rhel9: [] version_debian: [] containerd: version_debian: [] containerdio: version_rhel: [] version_rhel8: [] + version_rhel9: [] version_debian: [] haproxy: version_rhel: false version_rhel8: false + version_rhel9: false version_debian: false keepalived: version_rhel: false version_rhel8: false + version_rhel9: false version_debian: false plugins: calico: [] diff --git a/kubemarine/resources/schemas/definitions/services/modprobe.json b/kubemarine/resources/schemas/definitions/services/modprobe.json index 62b5f89b7..da8a67a2e 100644 --- a/kubemarine/resources/schemas/definitions/services/modprobe.json +++ b/kubemarine/resources/schemas/definitions/services/modprobe.json 
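Review bot: The four compatibility_map hunks add 'rhel9' with version '9.2' for the rhel and rocky blocks and for the last block (its key is above the hunk; presumably ol), but a bare '9' for the first block, whose key is also outside the hunk and which by its position before `rhel:` looks like centos. Installation.md in this same patch lists 9.2 only for Oracle Linux and RockyLinux, so either '9' is a typo for '9.2' or a CentOS 9 entry is intended and the doc line `* Centos 7.5+, 8.4` needs it; the RHEL line `* RHEL 7.5+, 8.4, 8.6, 8.7` likewise stays silent on 9.2 although the rhel block now accepts it. Please confirm which versions were actually validated and make the map and the doc agree.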
@@ -4,11 +4,12 @@ "properties": { "debian": {"$ref": "#/definitions/OSFamilyModules"}, "rhel": {"$ref": "#/definitions/OSFamilyModules"}, - "rhel8": {"$ref": "#/definitions/OSFamilyModules"} + "rhel8": {"$ref": "#/definitions/OSFamilyModules"}, + "rhel9": {"$ref": "#/definitions/OSFamilyModules"} }, "propertyNames": { "anyOf": [ - {"enum": ["debian", "rhel", "rhel8"]} + {"enum": ["debian", "rhel", "rhel8", "rhel9"]} ] }, "definitions": { diff --git a/kubemarine/resources/schemas/definitions/services/packages/associations.json b/kubemarine/resources/schemas/definitions/services/packages/associations.json index fcd00afac..ca492b5df 100644 --- a/kubemarine/resources/schemas/definitions/services/packages/associations.json +++ b/kubemarine/resources/schemas/definitions/services/packages/associations.json @@ -5,12 +5,13 @@ "properties": { "debian": {"$ref": "#/definitions/OSFamilyAssociations"}, "rhel": {"$ref": "#/definitions/OSFamilyAssociations"}, - "rhel8": {"$ref": "#/definitions/OSFamilyAssociations"} + "rhel8": {"$ref": "#/definitions/OSFamilyAssociations"}, + "rhel9": {"$ref": "#/definitions/OSFamilyAssociations"} }, "propertyNames": { "anyOf": [ {"$ref": "#/definitions/AssociationsNames"}, - {"enum": ["debian", "rhel", "rhel8"]} + {"enum": ["debian", "rhel", "rhel8", "rhel9"]} ] }, "definitions": { diff --git a/kubemarine/selinux.py b/kubemarine/selinux.py index 084115296..bac32a015 100644 --- a/kubemarine/selinux.py +++ b/kubemarine/selinux.py @@ -179,7 +179,7 @@ def setup_selinux(group: NodeGroup) -> Optional[RunnersGroupResult]: log = group.cluster.log # this method handles cluster with multiple os, suppressing should be enabled - if group.get_nodes_os() not in ['rhel', 'rhel8']: + if group.get_nodes_os() not in ['rhel', 'rhel8', 'rhel9']: log.debug("Skipped - selinux is not supported on Ubuntu/Debian os family") return None diff --git a/kubemarine/system.py b/kubemarine/system.py index daa64bf85..742ba1cea 100644 --- a/kubemarine/system.py 
+++ b/kubemarine/system.py @@ -91,7 +91,7 @@ def enrich_kernel_modules(inventory: dict, cluster: KubernetesCluster) -> dict: os_family = cluster.get_os_family() if os_family in ["unknown", "unsupported"]: raise Exception(ERROR_UNSUPPORTED_KERNEL_MODULES_VERSIONS_DETECTED) - elif os_family in ["debian", "rhel", "rhel8"]: + elif os_family in ["debian", "rhel", "rhel8", "rhel9"]: modprobe = {} modprobe[os_family] = inventory["services"]["modprobe"][os_family] inventory["services"]["modprobe"] = modprobe @@ -265,6 +265,10 @@ def patch_systemd_service(group: DeferredGroup, service_name: str, patch_source: group.put(io.StringIO(utils.read_internal(patch_source)), f"/etc/systemd/system/{service_name}.service.d/{service_name}.conf", sudo=True) + if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: + group.sudo(f"chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/{service_name}.service.d") + group.sudo(f"chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/{service_name}.service.d/{service_name}.conf") + group.sudo("systemctl daemon-reload") @@ -509,6 +513,9 @@ def setup_modprobe(group: NodeGroup) -> Optional[RunnersGroupResult]: group.put(io.StringIO(config), "/etc/modules-load.d/predefined.conf", backup=True, sudo=True) group.sudo("modprobe -a %s" % raw_config) + if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: + group.sudo("chcon -u system_u -r object_r -t etc_t /etc/modules-load.d/predefined.conf") + group.cluster.schedule_cumulative_point(reboot_nodes) group.cluster.schedule_cumulative_point(verify_system) 
@@ -537,7 +544,7 @@ def verify_system(cluster: KubernetesCluster) -> None: # this method handles clusters with multiple OS os_family = group.get_nodes_os() - if os_family in ['rhel', 'rhel8'] and cluster.is_task_completed('prepare.system.setup_selinux'): + if os_family in ['rhel', 'rhel8', 'rhel9'] and cluster.is_task_completed('prepare.system.setup_selinux'): log.debug("Verifying Selinux...") selinux_configured, selinux_result, selinux_parsed_result = \ selinux.is_config_valid(group, diff --git a/scripts/thirdparties/src/software/packages.py b/scripts/thirdparties/src/software/packages.py index 8636375f8..0c7ddb8d5 100644 --- a/scripts/thirdparties/src/software/packages.py +++ b/scripts/thirdparties/src/software/packages.py @@ -86,11 +86,13 @@ def get_compatibility_version_keys(package_name: str) -> List[str]: keys = [ 'version_rhel', 'version_rhel8', + 'version_rhel9', 'version_debian', ] if package_name == 'containerd': keys.remove('version_rhel') keys.remove('version_rhel8') + keys.remove('version_rhel9') return keys diff --git a/test/unit/test_migrate_kubemarine.py b/test/unit/test_migrate_kubemarine.py index 3e840a969..74fd0b207 100644 --- a/test/unit/test_migrate_kubemarine.py +++ b/test/unit/test_migrate_kubemarine.py @@ -201,7 +201,8 @@ def test_specific_os_family_cri_association_upgrade_required(self): for os_name, os_family, os_version in ( ('ubuntu', 'debian', '20.04'), ('centos', 'rhel', '7.9'), - ('rhel', 'rhel8', '8.7') + ('rhel', 'rhel8', '8.7'), + ('rhel', 'rhel9', '9.2') ): for cri in ('docker', 'containerd'): for package_vary in ('docker', 'containerd', 'containerdio'): @@ -216,7 +217,7 @@ def test_specific_os_family_cri_association_upgrade_required(self): def _packages_for_cri_os_family(self, cri: str, os_family: str) -> List[str]: if cri == 'containerd': - if os_family in ('rhel', 'rhel8'): + if os_family in ('rhel', 'rhel8', 'rhel9'): package_names = ['containerdio'] else: package_names = ['containerd'] 
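Review bot: The containerd special case in get_compatibility_version_keys now has to enumerate every RHEL-family key by hand, so the next family added to the list above will be silently kept for containerd unless someone remembers a third `keys.remove(...)`. A filter expresses the intent once and cannot drift: replace the three removals with `keys = [k for k in keys if not k.startswith('version_rhel')]`. A one-line comment stating why containerd has no RHEL-family version keys (presumably because the `containerdio` package is tracked instead, as the test helpers in this series suggest) would also help the next reader.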
diff --git a/test/unit/test_upgrade.py b/test/unit/test_upgrade.py index 9bd2098e0..3d659bbe1 100755 --- a/test/unit/test_upgrade.py +++ b/test/unit/test_upgrade.py @@ -209,7 +209,8 @@ def test_compatibility_upgrade_required(self): for os_name, os_family, os_version in ( ('ubuntu', 'debian', '20.04'), ('centos', 'rhel', '7.9'), - ('rhel', 'rhel8', '8.7') + ('rhel', 'rhel8', '8.7'), + ('rhel', 'rhel9', '9.2') ): for cri in ('docker', 'containerd'): for package_vary in ('docker', 'containerd', 'containerdio'): @@ -230,7 +231,7 @@ def test_compatibility_upgrade_required(self): def _packages_for_cri_os_family(self, cri: str, os_family: str) -> List[str]: if cri == 'containerd': - if os_family in ('rhel', 'rhel8'): + if os_family in ('rhel', 'rhel8', 'rhel9'): package_names = ['containerdio'] else: package_names = ['containerd'] From 843ce2880a533bc0b424697dadd214bc25051ab3 Mon Sep 17 00:00:00 2001 From: Nik Date: Fri, 10 Nov 2023 17:49:54 +1000 Subject: [PATCH 2/4] revert some changes --- kubemarine/system.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/kubemarine/system.py b/kubemarine/system.py index 742ba1cea..dbbcbda1b 100644 --- a/kubemarine/system.py +++ b/kubemarine/system.py @@ -265,10 +265,6 @@ def patch_systemd_service(group: DeferredGroup, service_name: str, patch_source: group.put(io.StringIO(utils.read_internal(patch_source)), f"/etc/systemd/system/{service_name}.service.d/{service_name}.conf", sudo=True) - if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: - group.sudo(f"chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/{service_name}.service.d") - group.sudo(f"chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/{service_name}.service.d/{service_name}.conf") - group.sudo("systemctl daemon-reload") From 199099e5b7e46d5840dc533548bd743bdd46ac49 Mon Sep 17 00:00:00 2001 
From: Nik Date: Fri, 10 Nov 2023 17:59:53 +1000 Subject: [PATCH 3/4] remove chcon from code --- kubemarine/keepalived.py | 4 ---- kubemarine/kubernetes/__init__.py | 4 ---- kubemarine/system.py | 3 --- 3 files changed, 11 deletions(-) diff --git a/kubemarine/keepalived.py b/kubemarine/keepalived.py index 627dc1ae7..8dd1ac96a 100644 --- a/kubemarine/keepalived.py +++ b/kubemarine/keepalived.py @@ -196,10 +196,6 @@ def install_haproxy_check_script(group: DeferredGroup) -> None: group.put(io.StringIO(script), "/usr/local/bin/check_haproxy.sh", sudo=True) group.sudo("chmod +x /usr/local/bin/check_haproxy.sh") - if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: - group.sudo("chcon -u system_u -r object_r -t bin_t /usr/local/bin/check_haproxy.sh") - - def uninstall(group: NodeGroup) -> RunnersGroupResult: return packages.remove(group, include='keepalived') diff --git a/kubemarine/kubernetes/__init__.py b/kubemarine/kubernetes/__init__.py index 29d0ac52b..cf3a6e74a 100644 --- a/kubemarine/kubernetes/__init__.py +++ b/kubemarine/kubernetes/__init__.py @@ -362,8 +362,6 @@ def install(group: NodeGroup) -> RunnersGroupResult: log.debug("Uploading to '%s'..." % node.get_host()) node.put(io.StringIO(template + "\n"), '/etc/systemd/system/kubelet.service', sudo=True) node.sudo("chmod 600 /etc/systemd/system/kubelet.service") - if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: - node.sudo("chcon -u system_u -r object_r -t systemd_unit_file_t /etc/systemd/system/kubelet.service") log.debug("\nReloading systemd daemon...") system.reload_systemctl(exe.group) 
@@ -1241,8 +1239,6 @@ def images_prepull(group: DeferredGroup, collector: CollectorCallback) -> Token: config = f'{config}---\n{yaml.dump(kubeadm_init, default_flow_style=False)}' group.put(io.StringIO(config), '/etc/kubernetes/prepull-config.yaml', sudo=True) - if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: - group.sudo("chcon -u system_u -r object_r -t kubernetes_file_t /etc/kubernetes/prepull-config.yaml") return group.sudo("kubeadm config images pull --config=/etc/kubernetes/prepull-config.yaml", callback=collector) diff --git a/kubemarine/system.py b/kubemarine/system.py index dbbcbda1b..1825cca41 100644 --- a/kubemarine/system.py +++ b/kubemarine/system.py @@ -509,9 +509,6 @@ def setup_modprobe(group: NodeGroup) -> Optional[RunnersGroupResult]: group.put(io.StringIO(config), "/etc/modules-load.d/predefined.conf", backup=True, sudo=True) group.sudo("modprobe -a %s" % raw_config) - if group.get_nodes_os() in ['rhel', 'rhel8', 'rhel9']: - group.sudo("chcon -u system_u -r object_r -t etc_t /etc/modules-load.d/predefined.conf") - group.cluster.schedule_cumulative_point(reboot_nodes) group.cluster.schedule_cumulative_point(verify_system) From 5f62bb60ce20b36c6796d012fbd89672d3083f09 Mon Sep 17 00:00:00 2001 From: Nik Date: Tue, 18 Jul 2023 13:25:51 +1000 Subject: [PATCH 4/4] Add rocky 9.2, remove OL 9.1, remove rocky 8.8 Remove unnecessary chcon invocations. Instead, use mv -Z to copy files from /tmp Changed default iptables package for rhel9 Fixed compatibility with haproxy & keeaplived up to minor part Updated compatibility with docker-ce --- documentation/Installation.md | 86 ++++++------------- kubemarine/admission.py | 13 +-- kubemarine/core/group.py | 7 +- kubemarine/packages.py | 2 +- .../resources/configurations/defaults.yaml | 2 + .../resources/configurations/globals.yaml | 1 + 6 files changed, 39 insertions(+), 72 deletions(-) diff --git a/documentation/Installation.md b/documentation/Installation.md index 6bb910aa3..15ed4eea1 100644 
--- a/documentation/Installation.md +++ b/documentation/Installation.md @@ -2,12 +2,10 @@ This section provides information about the inventory, features, and steps for i - [Prerequisites](#prerequisites) - [Prerequisites for Deployment Node](#prerequisites-for-deployment-node) - - [Windows Deployer Restrictions](#windows-deployer-restrictions) - [Prerequisites for Cluster Nodes](#prerequisites-for-cluster-nodes) - [Minimal Hardware Requirements](#minimal-hardware-requirements) - [Recommended Hardware Requirements](#recommended-hardware-requirements) - [Disk Partitioning Recommendation](#disk-partitioning-recommendation) - - [Disk Pressure](#disk-pressure) - [ETCD Recommendation](#etcd-recommendation) - [SSH key Recommendation](#ssh-key-recommendation) - [Private Certificate Authority](#private-certificate-authority) 
@@ -19,61 +17,44 @@ This section provides information about the inventory, features, and steps for i - [Mini-HA Scheme](#mini-ha-scheme) - [Full-HA Scheme](#full-ha-scheme) - [Taints and Toleration](#taints-and-toleration) - - [CoreDNS Deployment with Node Taints](#coredns-deployment-with-node-taints) - - [Plugins Deployment with Node Taints](#plugins-deployment-with-node-taints) - [Configuration](#configuration) - - [Inventory validation](#inventory-validation) - [globals](#globals) - - [node\_defaults](#node_defaults) + - [node_defaults](#node_defaults) - [nodes](#nodes) - - [cluster\_name](#cluster_name) - - [control\_plain](#control_plain) - - [control\_endpoint](#control_endpoint) - - [public\_cluster\_ip](#public_cluster_ip) + - [cluster_name](#cluster_name) + - [control_plain](#control_plain) + - [public_cluster_ip](#public_cluster_ip) - [registry](#registry) - - [registry (new endpoints format)](#registry-new-endpoints-format) - - [registry (old address-port format)](#registry-old-address-port-format) - - [gateway\_nodes](#gateway_nodes) - - [vrrp\_ips](#vrrp_ips) - - [maintenance type](#maintenance-type) - - [Services](#services) + - [gateway_nodes](#gateway_nodes) + - [vrrp_ips](#vrrp_ips) + - [services](#services) - [kubeadm](#kubeadm) - - [Kubernetes version](#kubernetes-version) - - [Cloud Provider Plugin](#cloud-provider-plugin) - - [Service Account Issuer](#service-account-issuer) - - [kubeadm\_kubelet](#kubeadm_kubelet) - - [kubeadm\_patches](#kubeadm_patches) - - [kernel\_security](#kernel_security) + - [Kubernetes version](#kubernetes-version) + - [Cloud Provider Plugin](#cloud-provider-plugin) + - [Service Account Issuer](#service-account-issuer) + - [kubeadm_kubelet](#kubeadm_kubelet) + - [kubeadm_patches](#kubeadm_patches) + - [kernel_security](#kernel_security) - [selinux](#selinux) - [apparmor](#apparmor) - [packages](#packages) - - [package\_manager](#package_manager) + - [package_manager](#package_manager) - [management](#management) - - 
[mandatory](#mandatory) - - [custom](#custom) - [associations](#associations) - - [RHEL and Centos](#rhel-and-centos) - - [Ubuntu and Debian](#ubuntu-and-debian) - [thirdparties](#thirdparties) - [CRI](#cri) - [modprobe](#modprobe) - [sysctl](#sysctl) - [audit](#audit) - - [Audit Kubernetes Policy](#audit-kubernetes-policy) - - [Audit Daemon](#audit-daemon) + - [Kubernetes Policy](#audit-kubernetes-policy) + - [Daemon](#audit-daemon) - [ntp](#ntp) - [chrony](#chrony) - [timesyncd](#timesyncd) - [resolv.conf](#resolvconf) - - [etc\_hosts](#etc_hosts) + - [etc_hosts](#etc_hosts) - [coredns](#coredns) - - [add\_etc\_hosts\_generated](#add_etc_hosts_generated) - - [configmap](#configmap) - - [deployment](#deployment) - [loadbalancer](#loadbalancer) - - [target\_ports](#target_ports) - - [haproxy](#haproxy) - - [maintenance mode](#maintenance-mode) - [RBAC Admission](#rbac-admission) - [Admission psp](#admission-psp) - [Configuring Admission Controller](#configuring-admission-controller) 
@@ -82,23 +63,17 @@ This section provides information about the inventory, features, and steps for i - [Admission pss](#admission-pss) - [Configuring Default Profiles](#configuring-default-profiles) - [Configuring Exemptions](#configuring-exemptions) - - [Application prerequisites](#application-prerequisites) + - [Application Prerequisites](#application-prerequisites) - [RBAC Accounts](#rbac-accounts) - - [RBAC account\_defaults](#rbac-account_defaults) + - [RBAC account_defaults](#rbac-account_defaults) - [Plugins](#plugins) - [Predefined Plugins](#predefined-plugins) - [calico](#calico) - - [Calico BGP Configuration](#calico-bgp-configuration) - - [Default Typha Tolerations](#default-typha-tolerations) - - [Calico metrics configuration](#calico-metrics-configuration) - - [Calico Environment Properties](#calico-environment-properties) - - [Calico API server](#calico-api-server) - [nginx-ingress-controller](#nginx-ingress-controller) - - [monitoring](#monitoring) - [kubernetes-dashboard](#kubernetes-dashboard) - [local-path-provisioner](#local-path-provisioner) - [Plugins Features](#plugins-features) - - [plugin\_defaults](#plugin_defaults) + - [plugin_defaults](#plugin_defaults) - [Plugins Reinstallation](#plugins-reinstallation) - [Plugins Installation Order](#plugins-installation-order) - [Node Selector](#node-selector) 
@@ -131,22 +106,15 @@ This section provides information about the inventory, features, and steps for i - [Tasks List Redefinition](#tasks-list-redefinition) - [Logging](#logging) - [Dump Files](#dump-files) - - [Finalized Dump](#finalized-dump) - [Configurations Backup](#configurations-backup) - [Ansible Inventory](#ansible-inventory) - [Contents](#contents) - - [\[all\]](#all) - - [\[cluster:children\]](#clusterchildren) - - [\[balancer\], \[control-plane\], \[worker\]](#balancer-control-plane-worker) - - [\[cluster:vars\]](#clustervars) + - [[all]](#all) + - [[cluster:children]](#clusterchildren) + - [[balancer], [control-plane], [worker]](#balancer-control-plane-worker) + - [[cluster:vars]](#clustervars) - [Cumulative Points](#cumulative-points) - [Supported Versions](#supported-versions) - - [Default Dependent Components Versions for Kubernetes Versions v1.23.17](#default-dependent-components-versions-for-kubernetes-versions-v12317) - - [Default Dependent Components Versions for Kubernetes Versions v1.24.11](#default-dependent-components-versions-for-kubernetes-versions-v12411) - - [Default Dependent Components Versions for Kubernetes Versions v1.25.7](#default-dependent-components-versions-for-kubernetes-versions-v1257) - - [Default Dependent Components Versions for Kubernetes Versions v1.26.7](#default-dependent-components-versions-for-kubernetes-versions-v1267) - - [Default Dependent Components Versions for Kubernetes Versions v1.27.4](#default-dependent-components-versions-for-kubernetes-versions-v1274) - - [Default Dependent Components Versions for Kubernetes Versions v1.28.0](#default-dependent-components-versions-for-kubernetes-versions-v1280) # Prerequisites 
@@ -197,8 +165,8 @@ For cluster machines, ensure the following requirements are met: * The following distributives and versions are supported: - * Centos 7.5+, 8.4 - * RHEL 7.5+, 8.4, 8.6, 8.7 + * Centos 7.5+, 8.4, 9 + * RHEL 7.5+, 8.4, 8.6, 8.7, 8.8, 9.2 * Oracle Linux 7.5+, 8.4, 9.2 * RockyLinux 8.6, 8.7, 9.2 * Ubuntu 20.04 @@ -3749,7 +3717,7 @@ The default configuration does not enforce the default policy to any of the pods Do not change the namespaces exemption list without strong necessary. In any case check our maintenance guide before any implementation. -#### Application prerequisites +#### Application Prerequisites In case of using PSS the application that installed in Kubernetes cluster should be matched with PSS profiles (`privileged`, `baseline`, `restricted`). Those profiles may be set by labeling the namespace so as it described above for predefined plugins. diff --git a/kubemarine/admission.py b/kubemarine/admission.py index d3b811a4e..42897c116 100644 --- a/kubemarine/admission.py +++ b/kubemarine/admission.py @@ -856,7 +856,7 @@ def update_finalized_inventory(cluster: KubernetesCluster, inventory_to_finalize def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]: - if group.cluster.inventory['rbac']['admission'] != "pss": + if group.cluster.inventory['rbac']['admission'] != "pss": return None if group.cluster.context.get('initial_procedure') == 'manage_pss': if not is_security_enabled(group.cluster.inventory) and \ 
@@ -875,15 +875,10 @@ def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]: .render(defaults=defaults,exemptions=exemptions) # put admission config on every control-planes - filename = uuid.uuid4().hex - remote_path = tmp_filepath_pattern % filename - group.cluster.log.debug("Copy admission config: %s, %s" % (remote_path, admission_path)) - group.put(io.StringIO(admission_config), remote_path, backup=True, sudo=True) - group.sudo("mkdir -p %s" % admission_dir, warn=True) - result = group.sudo("cp %s %s" % (remote_path, admission_path), warn=True) - group.sudo("rm -f %s" % remote_path) + group.cluster.log.debug(f"Copy admission config to {admission_path}") + group.put(io.StringIO(admission_config), admission_path, backup=True, sudo=True, mkdir=True) - return result + return group.sudo(f'ls -la {admission_path}') def _get_default_labels(profile: str) -> Dict[str, str]: diff --git a/kubemarine/core/group.py b/kubemarine/core/group.py index 5b4d5a472..c32c1e313 100755 --- a/kubemarine/core/group.py +++ b/kubemarine/core/group.py @@ -389,7 +389,7 @@ def _put_with_mv(self, local_stream: Union[io.BytesIO, str], remote_file: str, if immutable: self.cluster.log.verbose('File \"%s\" immutable set required' % remote_file) - advanced_move_required = sudo or backup or immutable + advanced_move_required = sudo or backup or immutable or mkdir temp_filepath = remote_file if advanced_move_required: 
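Review bot: The return value of copy_pss changes meaning here: it used to be the `warn=True` result of the `cp`, and is now the output of `ls -la` on the destination, which succeeds whenever the put did, so any caller that inspected the result for a failed copy (none visible in this view) now receives a listing; if the result is not consumed, returning `None` or the put's own result would be clearer than an extra SSH round-trip. With the temp-file dance gone, `uuid.uuid4()` and `tmp_filepath_pattern` have no remaining use in this function; if nothing else in admission.py uses them (the import block is outside this hunk) the `import uuid` and the pattern constant should be removed in the same change. The debug line could keep the local path information it lost, e.g. `group.cluster.log.debug(f"Copy admission config to {admission_path} (mkdir, backup)")`.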
@@ -406,10 +406,11 @@ def _put_with_mv(self, local_stream: Union[io.BytesIO, str], remote_file: str, self.cluster.log.verbose("Moving temporary file '%s' to '%s'..." % (temp_filepath, remote_file)) + # -Z option is necessary for RHEL family to set SELinux context to default type. if sudo: - mv_command = "sudo chown root:root %s && sudo mv -f %s %s" % (temp_filepath, temp_filepath, remote_file) + mv_command = "sudo chown root:root %s && sudo mv -fZ %s %s" % (temp_filepath, temp_filepath, remote_file) else: - mv_command = "mv -f %s %s" % (temp_filepath, remote_file) + mv_command = "mv -fZ %s %s" % (temp_filepath, remote_file) if backup: if sudo: diff --git a/kubemarine/packages.py b/kubemarine/packages.py index 568a319c9..3d501f436 100644 --- a/kubemarine/packages.py +++ b/kubemarine/packages.py @@ -598,7 +598,7 @@ def search_package(group: DeferredGroup, package: str, callback: Callback = None def get_detect_package_version_cmd(os_family: str, package_name: str) -> str: - if os_family in ["rhel", "rhel8"]: + if os_family in ["rhel", "rhel8", "rhel9"]: cmd = r"rpm -q %s" % package_name else: cmd = r"dpkg-query -f '${Package}=${Version}\n' -W %s" % package_name diff --git a/kubemarine/resources/configurations/defaults.yaml b/kubemarine/resources/configurations/defaults.yaml index cc2e144f4..e4049f6c7 100644 --- a/kubemarine/resources/configurations/defaults.yaml +++ b/kubemarine/resources/configurations/defaults.yaml @@ -498,6 +498,8 @@ services: package_name: 'conntrack-tools' semanage: package_name: 'policycoreutils-python-utils' + iptables: + package_name: 'iptables-nft' plugin_defaults: installation: {} diff --git a/kubemarine/resources/configurations/globals.yaml b/kubemarine/resources/configurations/globals.yaml index e75f0cbef..4496eba1b 100644 --- a/kubemarine/resources/configurations/globals.yaml +++ b/kubemarine/resources/configurations/globals.yaml 
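Review bot: The rewritten `mv_command` still splices `temp_filepath` and `remote_file` into a shell string unquoted, so a remote path containing a space or a shell metacharacter (callers in this series build such paths from inventory-derived values like `service_name`) breaks the command or executes whatever follows it; quote both operands with `shlex.quote(...)` inside the `%` tuple (shlex would need importing at the top of group.py, outside this hunk). `-Z` is GNU coreutils' `--context` and is a no-op on hosts without SELinux, so the comment should say that rather than "necessary for RHEL family": `# -Z resets the SELinux label of the destination to its policy default (no-op where SELinux is absent).` The change relabels only the moved file; the directory a `mkdir` request creates (the `mkdir` flag was added to advanced_move_required in the previous hunk, but where the directory is created is outside this view) is not covered by this command, which is worth a sentence in that comment. _put_with_mv continues past this hunk.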
@@ -349,6 +349,7 @@ compatibility_map: - os_family: 'rhel9' versions: - '9.2' + rocky: - os_family: 'rhel8' versions: