From f49e955bf9ad95478ee848595cdeaffb67e97bcb Mon Sep 17 00:00:00 2001
From: Soufiane Jounaid
Date: Wed, 1 May 2024 17:27:08 -0400
Subject: [PATCH 1/3] Added a shell command to apply calico net policies

In their new v3 api, calico started only allowing global network policies to apply through their [own api (kubectl calico)](https://github.com/projectcalico/calico/issues/2918). This commit is to update the config calico ansible task to apply these policies using kubectl calico instead of kubectl.

---
roles/k3s/tasks/config-calico.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/roles/k3s/tasks/config-calico.yml b/roles/k3s/tasks/config-calico.yml
index 941d315e..22cb5df8 100644
--- a/roles/k3s/tasks/config-calico.yml
+++ b/roles/k3s/tasks/config-calico.yml
@@ -56,9 +56,7 @@
- name: Apply Calico global network policies delegate_to: "{{ groups['deployment'][0] }}" - kubernetes.core.k8s: - state: present - src: calico-global-networkpolicy-{{ item }}.yaml + shell: kubectl calico create --filename="{{ role_path }}/files/calico-global-networkpolicy-{{ item }}.yaml" loop: - default-deny - allow-ping
From 9502705bda171e6f9a035bea2a53fa91bf6463d2 Mon Sep 17 00:00:00 2001
From: Soufiane Jounaid
Date: Wed, 12 Jun 2024 02:48:55 -0400
Subject: [PATCH 2/3] Only applying the calico policies if necessary

---
roles/k3s/tasks/config-calico.yml | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/roles/k3s/tasks/config-calico.yml b/roles/k3s/tasks/config-calico.yml
index 22cb5df8..987ad70f 100644
--- a/roles/k3s/tasks/config-calico.yml
+++ b/roles/k3s/tasks/config-calico.yml
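Review bot: `{{ role_path }}` in the added `shell:` line expands to the role's directory on the controller, but the task runs on `groups['deployment'][0]` via `delegate_to`, so if that host is not the controller the file handed to `--filename` does not exist where `kubectl calico` executes. Patches 2 and 3 carry this path forward unchanged. Streaming the file over stdin keeps it controller-side: `command: kubectl calico create --filename=-` with `stdin: "{{ lookup('file', 'calico-global-networkpolicy-' ~ item ~ '.yaml') }}"`, assuming `kubectl calico` treats `-` as stdin the way calicoctl does. Any keys this task defines after `- allow-ping` lie outside the hunk.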
@@ -45,18 +45,30 @@
dest: /usr/local/bin/kubectl-calico mode: u=rwx,g=rx,o=rx -- name: Apply Calico custom resources +- name: Initialize policy existence facts + set_fact: + policy_existence: {} + +- name: Check if Calico global network policies exist delegate_to: "{{ groups['deployment'][0] }}" - kubernetes.core.k8s: - state: present - template: calico-custom-resources.yaml.j2 - apply: yes - when: - - not (k3s_dry_run | bool) + command: kubectl calico get globalnetworkpolicy {{ item }} + register: check_policy + ignore_errors: true + loop: - default-deny - allow-ping + changed_when: false + failed_when: false + +- name: Update policy existence facts + set_fact: + policy_existence: "{{ policy_existence | combine({item.item: (item.rc == 0)}) }}" + loop: "{{ check_policy.results }}" - name: Apply Calico global network policies delegate_to: "{{ groups['deployment'][0] }}" - shell: kubectl calico create --filename="{{ role_path }}/files/calico-global-networkpolicy-{{ item }}.yaml" + command: kubectl calico create --filename="{{ role_path }}/files/calico-global-networkpolicy-{{ item }}.yaml" + when: not policy_existence[item] loop: - default-deny - allow-ping
From cfe8dcc245c844d3e983bc0d213215f9e0131a15 Mon Sep 17 00:00:00 2001
From: Soufiane Jounaid
Date: Tue, 18 Jun 2024 16:50:21 -0400
Subject: [PATCH 3/3] Using kubectl apply instead of create

---
roles/k3s/tasks/config-calico.yml | 24 ++---------------------
1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/roles/k3s/tasks/config-calico.yml b/roles/k3s/tasks/config-calico.yml
index 987ad70f..7a1605d0 100644
--- a/roles/k3s/tasks/config-calico.yml
+++ b/roles/k3s/tasks/config-calico.yml
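Review bot: The removed lines delete the entire `Apply Calico custom resources` task (the `kubernetes.core.k8s` apply of `calico-custom-resources.yaml.j2`) together with its `not (k3s_dry_run | bool)` guard, which the commit message does not mention and patch 3 does not restore; if that template is what configures the Calico installation, nothing in this file applies it any more. Whether the deletion is intended should be stated in the message, or the task put back. The check and apply tasks added here also run regardless of `k3s_dry_run`, so the guard would need re-adding on them if dry-run mode is meant to cover policy changes; what `k3s_dry_run` gates elsewhere in the role is not visible in the hunk.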
@@ -45,30 +45,10 @@
dest: /usr/local/bin/kubectl-calico mode: u=rwx,g=rx,o=rx -- name: Initialize policy existence facts - set_fact: - policy_existence: {} - -- name: Check if Calico global network policies exist - delegate_to: "{{ groups['deployment'][0] }}" - command: kubectl calico get globalnetworkpolicy {{ item }} - register: check_policy - ignore_errors: true - loop: - default-deny - allow-ping - changed_when: false - failed_when: false - -- name: Update policy existence facts - set_fact: - policy_existence: "{{ policy_existence | combine({item.item: (item.rc == 0)}) }}" - loop: "{{ check_policy.results }}" - - name: Apply Calico global network policies delegate_to: "{{ groups['deployment'][0] }}" - command: kubectl calico create --filename="{{ role_path }}/files/calico-global-networkpolicy-{{ item }}.yaml" - when: not policy_existence[item] + command: kubectl calico apply --filename="{{ role_path }}/files/calico-global-networkpolicy-{{ item }}.yaml" loop: - default-deny - allow-ping + become: yes
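Review bot: The new `command:` line has no `changed_when`, so the task reports changed on every run even when `kubectl calico apply` leaves the policy untouched, giving up the idempotent reporting the deleted existence checks were introduced for; either register the result and derive `changed_when` from a before/after `kubectl calico get` comparison, or add a comment stating that the apply output cannot distinguish a no-op from an update. The added `become: yes` should be `become: true` (yamllint `truthy`), and since it escalates to root on the delegated host for a single `kubectl calico` call, a comment such as `# become: the delegated host's kubeconfig is root-only — confirm` would record why the privilege is needed. Both lines belong to the `Apply Calico global network policies` task, whose keys all lie within the hunk.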