From f91e00a61b831199dd3809e7144249a979db5c2f Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Mon, 4 Mar 2024 09:52:10 +0100 Subject: [PATCH 1/7] preinstall: Move ipvs packages into defaults --- roles/kubernetes/preinstall/defaults/main.yml | 1 + roles/kubernetes/preinstall/tasks/0070-system-packages.yml | 7 +------ 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index 8ab2c9aa1..0a168eb99 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -17,6 +17,7 @@ common_required_pkgs: - ebtables - bash-completion - tar + - "{{ kube_proxy_mode == 'ipvs' | ternary(['ipvsadm', 'ipset'], []) }}" # Set to true if your network does not support IPv6 # This may be necessary for pulling Docker images from diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index 8d02a8575..7f0c05474 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml @@ -59,14 +59,9 @@ tags: - bootstrap-os -- name: Update common_required_pkgs with ipvsadm when kube_proxy_mode is ipvs - set_fact: - common_required_pkgs: "{{ common_required_pkgs | default([]) + ['ipvsadm', 'ipset'] }}" - when: kube_proxy_mode == 'ipvs' - - name: Install packages requirements package: - name: "{{ required_pkgs | default([]) | union(common_required_pkgs | default([])) }}" + name: "{{ required_pkgs | union(common_required_pkgs) | flatten }}" state: present register: pkgs_task_result until: pkgs_task_result is succeeded From 3a43ac450665319dbd0c791b3e77cf68ef9a964d Mon Sep 17 00:00:00 2001 
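Review bot: The added list item in `common_required_pkgs` is missing parentheses around the comparison. In Jinja2 a filter binds tighter than `==`, so `ternary` is applied to the literal `'ipvs'` and its result is then compared with `kube_proxy_mode`, which yields a boolean instead of a package list. As written the ipvs packages are never selected and a non-package value ends up in the list passed to the package module. It should read `- "{{ (kube_proxy_mode == 'ipvs') | ternary(['ipvsadm', 'ipset'], []) }}"`.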
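Review bot: The rewritten `name:` expression drops both `default([])` guards, so the task fails with an undefined-variable error on any host where `required_pkgs` was never set. That variable appears to come only from the OS-specific vars files, which a later patch in this series shows being loaded with `skip: true`, so a distribution without a matching file is presumably affected. Keeping the guard is cheap: `name: "{{ required_pkgs | default([]) | union(common_required_pkgs) | flatten }}"`. The task continues past the end of the hunk.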
From: Max Gautier Date: Mon, 8 Apr 2024 16:23:01 +0200 Subject: [PATCH 2/7] Don't special case openssl for tumbleweed openssl 1.1.1 is EOL since 12 September 2023, so just use the default version on tumbleweed like we do on other distributions. --- roles/kubernetes/preinstall/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index 0a168eb99..372421415 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -7,7 +7,7 @@ epel_enabled: false dns_late: false common_required_pkgs: - - "{{ (ansible_distribution == 'openSUSE Tumbleweed') | ternary('openssl-1_1', 'openssl') }}" + - openssl - curl - rsync - socat From a2019c1c2477166d81930dbe445e1a101ce9c72d Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Thu, 25 Apr 2024 16:13:55 +0200 Subject: [PATCH 3/7] Add a JSON schema describing the packages install structure Since the structure we're setting in place for installing packages has some complexity, add a JSON schema to avoid frustrating errors when modifying the informations (adding/removing packages install). --- .../preinstall/files/pkgs-schema.json | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 roles/kubernetes/preinstall/files/pkgs-schema.json diff --git a/roles/kubernetes/preinstall/files/pkgs-schema.json b/roles/kubernetes/preinstall/files/pkgs-schema.json new file mode 100644 index 000000000..22fd0fa19 --- /dev/null +++ b/roles/kubernetes/preinstall/files/pkgs-schema.json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://kubespray.io/internal/os_packages.schema.json", + "title": "Os packages", + "description": "Criteria for selecting packages to install on Kubernetes nodes during installation by Kubespray", + "type": "object", + "patternProperties": { + ".*": { + "type": "object", + "additionalProperties": false, + "properties": { + "groups": { + "description": "Match if the host is in one of these groups. If not specified match any host.", + "type": "array", + "minItems": 1, + "items":{ + "type": "string", + "pattern": "^[0-9A-Za-z_]*$" + } + }, + "os": { + "type": "object", + "description": "If not specified match any OS. Otherwise, must match by 'families' or 'distributions' to be included.", + "additionalProperties": false, + "minProperties": 1, + "properties": { + "families": { + "description": "Match if ansible_os_family is part of the list.", + "type": "array", + "minItems": 1, + "items": { + "type": "string" + } + }, + "distributions": { + "type": "object", + "description": "Match if ansible_distribution match one of defined keys.", + "minProperties": 1, + "patternProperties": { + ".*": { + "description": "Match if either the value is the empty hash, or one major_versions/versions/releases contains the corresponding variable ('ansible_distrbution_*')", + "type": "object", + "additionalProperties": false, + "properties": { + "major_versions": { + "type": "array", + "minItems": 1, + "items": { + "type": "string" + } + }, + "versions": { + "type": "array", + "minItems": 1, + "items": { + "type": "string" + } + }, + "releases": { + "type": "array", + "minItems": 1, + "items": { + "type": "string" + } + } + } + } + } + } + } + } + } + } + } +} From 663fcd104c38ddc2bf8c023f6f6b3705048d531e Mon Sep 17 00:00:00 2001 
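Review bot: The `groups` item pattern `^[0-9A-Za-z_]*$` uses `*`, so an empty string validates as a group name; `"pattern": "^[0-9A-Za-z_]+$"` rejects it. The top-level `patternProperties` key `.*` likewise accepts any string, including the empty one, as a package name. Those keys are what the install task later hands to the package module, so a tighter key pattern would make the schema an input check and not only a shape check. The `distributions` description also misspells the fact prefix as `ansible_distrbution_*`.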
From: Max Gautier Date: Fri, 5 Apr 2024 16:10:04 +0200 Subject: [PATCH 4/7] Filter packages installation by OS and by group Adds infrastructure to install OS packages depending not only on OS (family, versions, etc) but on groups. All the informations related to a particular package should reside in the `pkgs` dictionnary, which takes inspiration from the `downloads` dictionary structure. --- .../preinstall/tasks/0070-system-packages.yml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index 7f0c05474..1e27c6b7a 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml 
@@ -60,13 +60,27 @@ - bootstrap-os - name: Install packages requirements + vars: + # The json_query for selecting packages name is split for readability + # see files/pkgs-schema.json for the structure of `pkgs` + # and the matching semantics + full_query: "[? value | ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" + filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]" + filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))" + dquote: !unsafe '"' + # necessary to workaround Ansible escaping + filters_distro: "distributions.{{ dquote }}{{ ansible_distribution }}{{ dquote }} | + @ == `{}` || + contains(not_null(major_versions, `[]`), '{{ ansible_distribution_major_version }}') || + contains(not_null(versions, `[]`), '{{ ansible_distribution_version }}') || + contains(not_null(releases, `[]`), '{{ ansible_distribution_release }}')" + filters_family: "families && contains(families, '{{ ansible_os_family }}')" package: - name: "{{ required_pkgs | union(common_required_pkgs) | flatten }}" + name: "{{ pkgs | dict2items | to_json|from_json | community.general.json_query(full_query) }}" state: present register: pkgs_task_result until: pkgs_task_result is succeeded retries: "{{ pkg_install_retries }}" delay: "{{ retry_stagger | random + 3 }}" - when: not (ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos) tags: - bootstrap-os From da3ff1cc117d688f55bd440fa8254d1bdc9c28f5 Mon Sep 17 00:00:00 2001 
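Review bot: `filters_groups` puts `{{ group_names }}` inside a JMESPath backtick literal, but a templated list renders as a Python repr with single quotes, which is not JSON. The Python jmespath library then appears to fall back to reading the literal as one string, which would turn `contains()` into a substring test, so a `groups` entry that is a prefix of a real group name would match. Serialising explicitly avoids this: ``contains(`{{ group_names | to_json }}`, @)``. The host facts spliced between single quotes in `filters_distro` and `filters_family` have the same weakness, since a value containing a quote changes the query text; passing them as ``` `{{ ansible_distribution_release | to_json }}` ``` style literals keeps the query well-formed whatever the host reports.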
From: Max Gautier Date: Mon, 8 Apr 2024 10:27:39 +0200 Subject: [PATCH 5/7] Convert OS specific packages to new format Uses the logic introduced in the previous patch to convert all kubernetes/preinstall/vars/* os specific files to the `pkgs` dictionary. Some niceties for devs: - always validate the `pkgs` variable to catch mistakes in CI. - ensure that `pkgs` is always sorted. This makes it easier to find the packages you're looking for. --- .../preinstall/tasks/0020-set_facts.yml | 14 --- .../preinstall/tasks/0040-verify-settings.yml | 12 +++ roles/kubernetes/preinstall/vars/amazon.yml | 7 -- roles/kubernetes/preinstall/vars/centos.yml | 8 -- .../kubernetes/preinstall/vars/debian-11.yml | 10 --- .../kubernetes/preinstall/vars/debian-12.yml | 11 --- roles/kubernetes/preinstall/vars/debian.yml | 9 -- roles/kubernetes/preinstall/vars/fedora.yml | 8 -- roles/kubernetes/preinstall/vars/main.yml | 88 +++++++++++++++++++ roles/kubernetes/preinstall/vars/redhat.yml | 8 -- roles/kubernetes/preinstall/vars/suse.yml | 5 -- roles/kubernetes/preinstall/vars/ubuntu.yml | 8 -- 12 files changed, 100 insertions(+), 88 deletions(-) delete mode 100644 roles/kubernetes/preinstall/vars/amazon.yml delete mode 100644 roles/kubernetes/preinstall/vars/centos.yml delete mode 100644 roles/kubernetes/preinstall/vars/debian-11.yml delete mode 100644 roles/kubernetes/preinstall/vars/debian-12.yml delete mode 100644 roles/kubernetes/preinstall/vars/debian.yml delete mode 100644 roles/kubernetes/preinstall/vars/fedora.yml create mode 100644 roles/kubernetes/preinstall/vars/main.yml delete mode 100644 roles/kubernetes/preinstall/vars/redhat.yml delete mode 100644 roles/kubernetes/preinstall/vars/suse.yml delete mode 100644 roles/kubernetes/preinstall/vars/ubuntu.yml diff --git a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml index fa7fba113..4541c14c5 100644 --- a/roles/kubernetes/preinstall/tasks/0020-set_facts.yml 
+++ b/roles/kubernetes/preinstall/tasks/0020-set_facts.yml @@ -199,20 +199,6 @@ supersede domain-name-servers {{ (nameservers | d([]) + cloud_resolver | d([])) | unique | join(', ') }}; when: dns_early and not dns_late -- name: Gather os specific variables - include_vars: "{{ item }}" - with_first_found: - - files: - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower | replace('/', '_') }}.yml" - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower | replace('/', '_') }}.yml" - - "{{ ansible_distribution | lower }}.yml" - - "{{ ansible_os_family | lower }}.yml" - - defaults.yml - paths: - - ../vars - skip: true - - name: Set etcd vars if using kubeadm mode set_fact: etcd_cert_dir: "{{ kube_cert_dir }}" diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index f2d40e995..91b78b75f 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -316,3 +316,15 @@ when: - kube_apiserver_enable_admission_plugins is defined - kube_apiserver_enable_admission_plugins | length > 0 + +- name: Verify that the packages list structure is valid + ansible.utils.validate: + criteria: "{{ lookup('file', 'pkgs-schema.json') }}" + data: "{{ pkgs }}" + +- name: Verify that the packages list is sorted + vars: + pkgs_lists: "{{ pkgs.keys() | list }}" + assert: + that: "pkgs_lists | sort == pkgs_lists" + fail_msg: "pkgs is not sorted: {{ pkgs_lists | ansible.utils.fact_diff(pkgs_lists | sort) }}" diff --git a/roles/kubernetes/preinstall/vars/amazon.yml b/roles/kubernetes/preinstall/vars/amazon.yml deleted file mode 100644 index 09c645f51..000000000 --- a/roles/kubernetes/preinstall/vars/amazon.yml +++ /dev/null 
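Review bot: `ansible.utils.validate` is introduced in `0040-verify-settings.yml` with no visible change to the controller requirements in this patch's diffstat. Its default jsonschema engine needs the `jsonschema` Python package on the control node, and these tasks carry no `tags` or `when`, so a controller without that package would presumably fail during settings verification, before any package logic runs. If the dependency is not already declared elsewhere in the repository, it should be added with this change. Because both checks guard a developer-maintained structure and not user input, a comment above the first task such as `# Developer check: catches editing mistakes in vars/main.yml (pkgs)` would make that intent clear.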
@@ -1,7 +0,0 @@ ---- -required_pkgs: - - libselinux-python - - device-mapper-libs - - nss - - conntrack-tools - - libseccomp diff --git a/roles/kubernetes/preinstall/vars/centos.yml b/roles/kubernetes/preinstall/vars/centos.yml deleted file mode 100644 index 9b1a8749e..000000000 --- a/roles/kubernetes/preinstall/vars/centos.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -required_pkgs: - - "{{ ((ansible_distribution_major_version | int) < 8) | ternary('libselinux-python', 'python3-libselinux') }}" - - device-mapper-libs - - nss - - conntrack - - container-selinux - - libseccomp diff --git a/roles/kubernetes/preinstall/vars/debian-11.yml b/roles/kubernetes/preinstall/vars/debian-11.yml deleted file mode 100644 index 59cbc5a37..000000000 --- a/roles/kubernetes/preinstall/vars/debian-11.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -required_pkgs: - - python3-apt - - gnupg - - apt-transport-https - - software-properties-common - - conntrack - - iptables - - apparmor - - libseccomp2 diff --git a/roles/kubernetes/preinstall/vars/debian-12.yml b/roles/kubernetes/preinstall/vars/debian-12.yml deleted file mode 100644 index e0dca4dcd..000000000 --- a/roles/kubernetes/preinstall/vars/debian-12.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -required_pkgs: - - python3-apt - - gnupg - - apt-transport-https - - software-properties-common - - conntrack - - iptables - - apparmor - - libseccomp2 - - mergerfs diff --git a/roles/kubernetes/preinstall/vars/debian.yml b/roles/kubernetes/preinstall/vars/debian.yml deleted file mode 100644 index 51a280237..000000000 --- a/roles/kubernetes/preinstall/vars/debian.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -required_pkgs: - - python-apt - - aufs-tools - - apt-transport-https - - software-properties-common - - conntrack - - apparmor - - libseccomp2 diff --git a/roles/kubernetes/preinstall/vars/fedora.yml b/roles/kubernetes/preinstall/vars/fedora.yml deleted file mode 100644 index d69b111b6..000000000 --- a/roles/kubernetes/preinstall/vars/fedora.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -required_pkgs: - - iptables - - libselinux-python3 - - device-mapper-libs - - conntrack - - container-selinux - - libseccomp diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml new file mode 100644 index 000000000..6f7d6fa94 --- /dev/null +++ b/roles/kubernetes/preinstall/vars/main.yml @@ -0,0 +1,88 @@ +--- +pkgs: + apparmor: &debian_family_base + os: + families: + - Debian + apt-transport-https: *debian_family_base + aufs-tools: &deb_10 + groups: + - k8s_cluster + os: + distributions: + Debian: + major_versions: + - "10" + conntrack: &deb_redhat + groups: + - k8s_cluster + os: + families: + - Debian + - RedHat + conntrack-tools: + groups: + - k8s_cluster + os: + families: + - Suse + distributions: + Amazon: {} + container-selinux: &redhat_family + groups: + - k8s_cluster + os: + families: + - RedHat + device-mapper: + groups: + - k8s_cluster + os: + families: + - Suse + device-mapper-libs: *redhat_family + gnupg: &debian + groups: + - k8s_cluster + os: + distributions: + Debian: + major_versions: + - "11" + - "12" + iptables: *deb_redhat + libseccomp: *redhat_family + libseccomp2: + groups: + - k8s_cluster + os: + families: + - Suse + - Debian + libselinux-python: # TODO: Handle rehat_family + major < 8 + os: + distributions: + Amazon: {} + libselinux-python3: + os: + distributions: + Fedora: {} + mergerfs: + os: + distributions: + Debian: + major_versions: + - "12" + nss: *redhat_family + python-apt: *deb_10 + # TODO: not for debian 10 + python3-apt: *debian_family_base + python3-libselinux: + os: + distributions: + RedHat: &major_redhat_like + major_versions: + - "8" + - "9" + Centos: *major_redhat_like + software-properties-common: *debian_family_base diff --git a/roles/kubernetes/preinstall/vars/redhat.yml b/roles/kubernetes/preinstall/vars/redhat.yml deleted file mode 100644 index 9b1a8749e..000000000 --- a/roles/kubernetes/preinstall/vars/redhat.yml +++ /dev/null 
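Review bot: The `python3-libselinux` entry in the new `vars/main.yml` keys its second distribution as `Centos`, but the selection query looks up `distributions."<ansible_distribution>"` verbatim and Ansible reports that fact as `CentOS`, so this key would never match. It should be `CentOS: *major_redhat_like`. The deleted per-OS files were located through `ansible_distribution | lower` with a fallback to `ansible_os_family | lower`, so other RedHat-family distributions that previously inherited `redhat.yml` presumably lose this package too, and would need to be listed under `distributions` explicitly. The `&debian` anchor on `gnupg` is defined but never referenced in this file.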
@@ -1,8 +0,0 @@ ---- -required_pkgs: - - "{{ ((ansible_distribution_major_version | int) < 8) | ternary('libselinux-python', 'python3-libselinux') }}" - - device-mapper-libs - - nss - - conntrack - - container-selinux - - libseccomp diff --git a/roles/kubernetes/preinstall/vars/suse.yml b/roles/kubernetes/preinstall/vars/suse.yml deleted file mode 100644 index d089ac150..000000000 --- a/roles/kubernetes/preinstall/vars/suse.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -required_pkgs: - - device-mapper - - conntrack-tools - - libseccomp2 diff --git a/roles/kubernetes/preinstall/vars/ubuntu.yml b/roles/kubernetes/preinstall/vars/ubuntu.yml deleted file mode 100644 index 85b3f255a..000000000 --- a/roles/kubernetes/preinstall/vars/ubuntu.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -required_pkgs: - - python3-apt - - apt-transport-https - - software-properties-common - - conntrack - - apparmor - - libseccomp2 From 11f35e462ca5ca8f9f27584b1f1515ab3be8fc55 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Mon, 8 Apr 2024 16:25:57 +0200 Subject: [PATCH 6/7] Convert common packages to use the new tooling The empty dict means that packages will always be installed on the host. --- roles/kubernetes/preinstall/defaults/main.yml | 10 ---------- roles/kubernetes/preinstall/vars/main.yml | 10 ++++++++++ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index 372421415..09da2ec9b 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -7,16 +7,6 @@ epel_enabled: false dns_late: false common_required_pkgs: - - openssl - - curl - - rsync - - socat - - unzip - - e2fsprogs - - xfsprogs - - ebtables - - bash-completion - - tar - "{{ kube_proxy_mode == 'ipvs' | ternary(['ipvsadm', 'ipset'], []) }}" # Set to true if your network does not support IPv6 
diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml index 6f7d6fa94..7c83d855e 100644 --- a/roles/kubernetes/preinstall/vars/main.yml +++ b/roles/kubernetes/preinstall/vars/main.yml @@ -13,6 +13,7 @@ pkgs: Debian: major_versions: - "10" + bash-completion: {} conntrack: &deb_redhat groups: - k8s_cluster @@ -34,6 +35,7 @@ pkgs: os: families: - RedHat + curl: {} device-mapper: groups: - k8s_cluster @@ -41,6 +43,8 @@ pkgs: families: - Suse device-mapper-libs: *redhat_family + e2fsprogs: {} + ebtables: {} gnupg: &debian groups: - k8s_cluster @@ -74,6 +78,7 @@ pkgs: major_versions: - "12" nss: *redhat_family + openssl: {} python-apt: *deb_10 # TODO: not for debian 10 python3-apt: *debian_family_base @@ -85,4 +90,9 @@ pkgs: - "8" - "9" Centos: *major_redhat_like + rsync: {} + socat: {} software-properties-common: *debian_family_base + tar: {} + unzip: {} + xfsprogs: {} From 088b1b0cec84dd5f09f594a8af981e66ec5a8364 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Mon, 29 Apr 2024 15:31:27 +0200 Subject: [PATCH 7/7] Add `enabled` to pkgs to handle ipvs Some packages requirements depends on inventory variables (`kube_proxy_mode` in that case but it could apply to others). As the case seems pretty rare, instead of adding complexity to pkgs, we add an escape hatch to use jinja conditions. That should be revisited if we find ourselves shoehorning lots of logic in this later on. --- roles/kubernetes/preinstall/defaults/main.yml | 3 --- roles/kubernetes/preinstall/files/pkgs-schema.json | 5 +++++ .../kubernetes/preinstall/tasks/0070-system-packages.yml | 2 +- roles/kubernetes/preinstall/vars/main.yml | 8 ++++++++ 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index 09da2ec9b..77de0b702 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml 
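Review bot: The entries declared as `{}` match every host, but the install task no longer has the `when: not (ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos)` guard, which patch 4 of this series removed. This covers `bash-completion` and `curl` in the first two hunks, and `e2fsprogs`, `ebtables`, `openssl`, `rsync`, `socat`, `tar`, `unzip` and `xfsprogs` in the later hunks of this file. Before this change those hosts skipped the common packages; now the package task would try to install them there. Either restore the `when:` on the install task or give these entries an `os` filter that leaves out the image-based distributions.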
@@ -6,9 +6,6 @@ epel_enabled: false # Kubespray sets this to true after clusterDNS is running to apply changes to the host resolv.conf dns_late: false -common_required_pkgs: - - "{{ kube_proxy_mode == 'ipvs' | ternary(['ipvsadm', 'ipset'], []) }}" - # Set to true if your network does not support IPv6 # This may be necessary for pulling Docker images from # GCE docker repository diff --git a/roles/kubernetes/preinstall/files/pkgs-schema.json b/roles/kubernetes/preinstall/files/pkgs-schema.json index 22fd0fa19..1fb9e28de 100644 --- a/roles/kubernetes/preinstall/files/pkgs-schema.json +++ b/roles/kubernetes/preinstall/files/pkgs-schema.json @@ -9,6 +9,11 @@ "type": "object", "additionalProperties": false, "properties": { + "enabled": { + "description": "Escape hatch to filter packages. The value is expected to be pre-resolved to a boolean by Jinja", + "type": "boolean", + "default": true + }, "groups": { "description": "Match if the host is in one of these groups. If not specified match any host.", "type": "array", diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index 1e27c6b7a..7085ffb0c 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml @@ -64,7 +64,7 @@ # The json_query for selecting packages name is split for readability # see files/pkgs-schema.json for the structure of `pkgs` # and the matching semantics - full_query: "[? value | ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" + full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]" filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))" dquote: !unsafe '"' 
diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml index 7c83d855e..28ee56a27 100644 --- a/roles/kubernetes/preinstall/vars/main.yml +++ b/roles/kubernetes/preinstall/vars/main.yml @@ -54,7 +54,15 @@ pkgs: major_versions: - "11" - "12" + ipset: + enabled: "{{ kube_proxy_mode != 'ipvs' }}" + groups: + - k8s_cluster iptables: *deb_redhat + ipvsadm: + enabled: "{{ kube_proxy_mode == 'ipvs' }}" + groups: + - k8s_cluster libseccomp: *redhat_family libseccomp2: groups:
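Review bot: The `ipset` entry is enabled with `kube_proxy_mode != 'ipvs'`, the opposite of the `ipvsadm` entry below it and of the behaviour being replaced, where both packages were added only when `kube_proxy_mode` is `ipvs`. As written `ipset` is installed on non-ipvs clusters and omitted on ipvs ones; the line should be `enabled: "{{ kube_proxy_mode == 'ipvs' }}"`. Both entries also add `groups: [k8s_cluster]`, which the previous `common_required_pkgs` item did not have, so hosts outside that group no longer receive them; it is worth confirming that this is intended.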