Closed psztoch closed 4 months ago
Its unclear to me why you are attempting to run a nonexistent playbook. just call ansible-playbook playbook/site.yml -i inventory.yml
We have added noqa where appropriate, errors have been converted to warnings. Currently ansible-lint
returns only warnings for that reason
$ ansible-lint
...
Passed: 0 failure(s), 18 warning(s) on 48 files.
K3s cannot operate with standard firewalld or ufw in place. Standard practice is to completely disable firewalld or ufw. However, traditional IT users obviously get nervous about that. So instead you must open ports for K3s to operate. Please see https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes
We will not change the tokens to be prefixed. While this goes against ansible convention, this helps match against the configuration values in K3s. Also, this whole playbook is about running k3s, prefixing everything would be redundant.
Its unclear to me why you are attempting to run a nonexistent playbook. just call
ansible-playbook playbook/site.yml -i inventory.yml
Because I want to use your collection as collection. Then I have to callansible-playbook /home/psztoch/.ansible/collections/ansible_collections/k3s/orchestration/playbook/site.yml -i inventory.yml
. If you fix your non-convention name thenansible-playbook k3s.orchestration.site
will be enough.
- We have added noqa where appropriate, errors have been converted to warnings. Currently
ansible-lint
returns only warnings for that reason$ ansible-lint ... Passed: 0 failure(s), 18 warning(s) on 48 files.
Maybe it is not error, but: Last profile that met the validation criteria was 'min'.
In three environments where I want to use your collection, Q&A force 'production' level. When you explicitly commit var-naming[no-role-prefix] using noq, you will solve a certain problem for me. yaml[comments-indentation] should be fixed.
3. K3s cannot operate with standard firewalld or ufw in place. Standard practice is to completely disable firewalld or ufw. However, traditional IT users obviously get nervous about that. So instead you must open ports for K3s to operate. Please see https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes
I konw it. But if you put some firewalld tasks, then it should be correct. In my opinion it is not consistent.
3.1. cluster and service net should be added to trusted - it is ok in your task 3.2. open ports for etcd an kube api should be open in internal (it is in trusted zone currently, and it is usesless, because trusted accept all traffic) 3.3. other ports for flannel 8472/udp, 51820/udp, 51821/udp should be open for internal zone too 3.4. http and https services should be open for public zone
4. We will not change the tokens to be prefixed. While this goes against ansible convention, this helps match against the configuration values in K3s. Also, this whole playbook is about running k3s, prefixing everything would be redundant.
Nevertheless, I think that the name token is too general and may conflict with other poorly made playbooks. k3s_token would solve this problem.
ansible-playbook k3s.orchestration.site
will not works without it .# noqa: ...
Zone trusted accept traffic to all ports. What is the purpose of these tasks?
It will be ok for 'zone: internal'. Then public IPs of cluster nodes can be added to 'internal' zones.