digitalis-io / k3s-on-prem-production
Playbooks needed to set up an on-premises K3s cluster and secure it
License: Apache License 2.0
Hi @89luca89 ,
I'm still trying to adapt this to run in Ubuntu 20.04, now on the k3s-deploy
role, I'm getting this error:
"Failed to run kubelet" err="failed to run Kubelet: failed to create kubelet: open /dev/kmsg: permission denied"
I've searched this error, and everything points to either non-root user, or LXD, but I know none of these is actually used in the configuration.
Do you know something that may have caused this? Thanks.
Hi,
FYI, content in limits.yml is already defined in crontab.yml.
I think there must be something else... right?
The README describes several attributes that can be changed but does not describe the basic workflow for using it.
It would be good to show an example playbook.
Hi,
I haven't read all of the Ansible tasks, but I'm currently using Ubuntu distros for the nodes, and fixing here and there for the difference in packages (such as replacing crond with cron, audit with auditd, and so on). I'm beginning to wonder, or maybe it is mentioned somewhere in the README, is it tested / meant for CentOS only? I gave up at the error: "Update Grub and Initramfs /RedHat". Thanks.
Hello!
I would first like to say that I am amazed by the content of your blog post/repository. I am learning a lot and it gives me great ideas. Therefore, thank you for sharing!!!
I do want to ask what your opinion is on the PodSecurityPolicy Admission Controller since it is deprecated now (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
Do you think for example that the SecurityContextDeny Controller would be a good replacement? Rancher is referring to it regarding the cis benchmark requirements here: https://rancher.com/docs/k3s/latest/en/security/self_assessment/#1-2-13
Thank you,
Gera
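As an added illustration for the question above (not code from the repository, from Rancher or from Kubernetes), the following Python re-implements the check the SecurityContextDeny admission controller performs, following its documented behaviour: it denies a Pod that sets supplementalGroups, seLinuxOptions, runAsUser or fsGroup in the pod-level securityContext, or seLinuxOptions / runAsUser in any container or init container, and inspects nothing else. Both sample pods are constructed; the image name is a placeholder.

```python
"""Re-implementation of the SecurityContextDeny admission check, to show what it
does and does not block when weighed as a PodSecurityPolicy replacement.

Added example, not code from the repository or from Kubernetes. Based on the
controller's documented behaviour: it denies a Pod that sets any of
spec.securityContext.{supplementalGroups,seLinuxOptions,runAsUser,fsGroup} or
spec.(init)containers[*].securityContext.{seLinuxOptions,runAsUser}. It looks
at no other field, so privileged or host-namespace pods pass untouched.
"""

POD_LEVEL_FIELDS = ("supplementalGroups", "seLinuxOptions", "runAsUser", "fsGroup")
CONTAINER_LEVEL_FIELDS = ("seLinuxOptions", "runAsUser")


def security_context_deny(pod):
    """Return the list of reasons SecurityContextDeny would reject `pod`.

    An empty list means the controller admits the pod. `pod` is a plain dict
    shaped like a Pod manifest (apiVersion/kind/metadata/spec).
    """
    reasons = []
    spec = pod.get("spec", {})

    pod_sc = spec.get("securityContext") or {}
    for field in POD_LEVEL_FIELDS:
        if pod_sc.get(field) is not None:
            reasons.append(f"spec.securityContext.{field} is set")

    for list_name in ("initContainers", "containers"):
        for index, container in enumerate(spec.get(list_name, [])):
            container_sc = container.get("securityContext") or {}
            for field in CONTAINER_LEVEL_FIELDS:
                if container_sc.get(field) is not None:
                    reasons.append(f"spec.{list_name}[{index}].securityContext.{field} is set")
    return reasons


# Constructed sample pods (not from the repository).
# A pod that PodSecurityPolicy-style controls would normally refuse:
# privileged, sharing the host PID namespace, mounting the host filesystem.
PRIVILEGED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "constructed-privileged"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1",  # placeholder image
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# A pod that follows good practice by pinning a non-root UID.
NONROOT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "constructed-nonroot"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example.invalid/app:1"}],
    },
}


def compare_samples():
    """Evaluate both constructed pods; returns {pod name: reasons}."""
    return {p["metadata"]["name"]: security_context_deny(p)
            for p in (PRIVILEGED_POD, NONROOT_POD)}


if __name__ == "__main__":
    for name, reasons in compare_samples().items():
        verdict = "ADMITTED" if not reasons else "DENIED: " + "; ".join(reasons)
        print(f"{name}: {verdict}")
```

Running it shows the asymmetry that matters when judging SecurityContextDeny as a PodSecurityPolicy replacement: the privileged, host-PID, hostPath pod is admitted, while the pod that pins a non-root UID is denied, because the controller only forbids the user/SELinux fields and never restricts privilege, host namespaces, capabilities or volume types.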
Hi,
considering now the nginx ingress has moved to stable in its latest version as described here, it has removed many of its "v1beta1" resources. Can you suggest how to update the nginx templates in the roles/k3s-deploy/templates/ingress/*.j2 files? I've tried only updating k3s_version: v1.22.4+k3s1 and nginx_ingress_version: 1.0.5 in the defaults main.yml without modifying any of the templates, but it errors with: "failed to list *v1beta1.Ingress: the server could not find the requested resource", which is still looking for the deprecated v1beta1 resource. The official migration example here from the nginx ingress only lists basic examples, while the templates use different approaches (such as PodSecurityPolicy, WebHook, etc.) which I'm not yet familiar with. Thank you.
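The error quoted above is what a Kubernetes 1.22 API server returns for any client that still asks for networking.k8s.io/v1beta1 or extensions/v1beta1 Ingress objects, which that release stopped serving. As an added example (not code from the repository or from the nginx ingress project), the Python below does two things a practitioner would want while migrating templates: it flags objects whose apiVersion/kind pair was removed in 1.22, and it converts a v1beta1 Ingress to networking.k8s.io/v1, which also changes the backend schema and makes pathType mandatory. It works on manifests already loaded as Python dicts, so a .j2 template would have to be rendered first; the sample Ingress is constructed and is not one of the repository's templates.

```python
"""Find manifests that use API versions removed in Kubernetes 1.22 and convert a
v1beta1 Ingress to networking.k8s.io/v1.

Added example, not code from the repository; it works on manifests already
loaded as Python dicts (a Jinja template would have to be rendered first).
The removal table follows the Kubernetes 1.22 deprecated-API migration guide.
"""
import copy
import json

# (apiVersion, kind) pairs the v1.22 API server no longer serves -> replacement.
REMOVED_IN_1_22 = {
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("networking.k8s.io/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("networking.k8s.io/v1beta1", "IngressClass"): "networking.k8s.io/v1",
    ("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("admissionregistration.k8s.io/v1beta1", "MutatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): "apiextensions.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "Role"): "rbac.authorization.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "RoleBinding"): "rbac.authorization.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRole"): "rbac.authorization.k8s.io/v1",
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRoleBinding"): "rbac.authorization.k8s.io/v1",
}


def find_removed_apis(manifests):
    """Return (kind, name, old apiVersion, replacement) for each affected object."""
    hits = []
    for obj in manifests:
        key = (obj.get("apiVersion"), obj.get("kind"))
        if key in REMOVED_IN_1_22:
            name = obj.get("metadata", {}).get("name")
            hits.append((key[1], name, key[0], REMOVED_IN_1_22[key]))
    return hits


def _convert_backend(old):
    """v1beta1 {serviceName, servicePort} -> v1 {service: {name, port: {number|name}}}.

    servicePort was an int-or-string; v1 splits it into port.number / port.name.
    """
    port = old["servicePort"]
    port_key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": old["serviceName"], "port": {port_key: port}}}


def convert_ingress_v1beta1_to_v1(ingress):
    """Return a networking.k8s.io/v1 copy of a v1beta1 Ingress; the input is left untouched."""
    old_versions = ("extensions/v1beta1", "networking.k8s.io/v1beta1")
    if ingress.get("kind") != "Ingress" or ingress.get("apiVersion") not in old_versions:
        raise ValueError("not a v1beta1 Ingress")
    new = copy.deepcopy(ingress)
    new["apiVersion"] = "networking.k8s.io/v1"
    spec = new.setdefault("spec", {})

    # spec.backend became spec.defaultBackend.
    if "backend" in spec:
        spec["defaultBackend"] = _convert_backend(spec.pop("backend"))

    # Every path needs a converted backend, and pathType is mandatory in v1.
    # ImplementationSpecific keeps the controller-defined matching v1beta1 had.
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            path["backend"] = _convert_backend(path["backend"])
            path.setdefault("pathType", "ImplementationSpecific")

    # The kubernetes.io/ingress.class annotation is deprecated in favour of spec.ingressClassName.
    annotations = new.setdefault("metadata", {}).get("annotations", {})
    ingress_class = annotations.pop("kubernetes.io/ingress.class", None)
    if ingress_class is not None and "ingressClassName" not in spec:
        spec["ingressClassName"] = ingress_class
    return new


# Constructed v1beta1 Ingress of the shape the 1.22 API server rejects
# (not taken from the repository's templates).
SAMPLE_V1BETA1_INGRESS = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "demo", "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {
        "backend": {"serviceName": "default-http-backend", "servicePort": 80},
        "rules": [{"host": "demo.example.test", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "web", "servicePort": "http"}},
        ]}}],
    },
}

if __name__ == "__main__":
    for kind, name, old, new in find_removed_apis([SAMPLE_V1BETA1_INGRESS]):
        print(f"{kind}/{name}: {old} removed in 1.22, use {new}")
    print(json.dumps(convert_ingress_v1beta1_to_v1(SAMPLE_V1BETA1_INGRESS), indent=2))
```

The table also flags the admission webhook objects the templates are said to use; their v1 form additionally requires the admissionReviewVersions and sideEffects fields, which this script reports but does not fill in, so those objects still need a manual edit after rendering.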
Some idea on what I did wrong? I used centos-stream-8 as the image.
worker-02 was failing earlier with the same error message.
TASK [hardening : Wait for system to become reachable] ********************************************************************************
fatal: [worker-03]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n# Welcome to worker-03\n# Authorized uses only. All activity may be monitored and reported.\n# Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>5: Permission denied (publickey,password)."}
fatal: [worker-01]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n# Welcome to worker-01\n# Authorized uses only. All activity may be monitored and reported.\n# Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-02]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n# Welcome to master-02\n# Authorized uses only. All activity may be monitored and reported.\n# Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-03]: FAILED! => {"changed": false, "elapsed": 302, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n# Welcome to master-03\n# Authorized uses only. All activity may be monitored and reported.\n# Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-01]: FAILED! => {"changed": false, "elapsed": 302, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n# Welcome to master-01\n# Authorized uses only. All activity may be monitored and reported.\n# Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
NO MORE HOSTS LEFT ********************************************************************************************************************
NO MORE HOSTS LEFT ********************************************************************************************************************
PLAY RECAP ****************************************************************************************************************************
master-01 : ok=78 changed=55 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
master-02 : ok=78 changed=55 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
master-03 : ok=78 changed=55 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
worker-01 : ok=78 changed=55 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
worker-02 : ok=59 changed=43 unreachable=1 failed=0 skipped=1 rescued=0 ignored=0
worker-03 : ok=78 changed=55 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0