Diffstat (limited to 'kud/hosting_providers/vagrant')
-rwxr-xr-xkud/hosting_providers/vagrant/installer.sh13
-rw-r--r--kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml37
2 files changed, 45 insertions, 5 deletions
diff --git a/kud/hosting_providers/vagrant/installer.sh b/kud/hosting_providers/vagrant/installer.sh
index 71e4d8b7..43638b4f 100755
--- a/kud/hosting_providers/vagrant/installer.sh
+++ b/kud/hosting_providers/vagrant/installer.sh
@@ -102,6 +102,7 @@ function _set_environment_file {
echo "export OVN_CENTRAL_ADDRESS=$(get_ovn_central_address)" | sudo tee --append /etc/environment
echo "export KUBE_CONFIG_DIR=/opt/kubeconfig" | sudo tee --append /etc/environment
echo "export CSAR_DIR=/opt/csar" | sudo tee --append /etc/environment
+ echo "export ANSIBLE_CONFIG=${ANSIBLE_CONFIG}" | sudo tee --append /etc/environment
}
# install_k8s() - Install Kubernetes using kubespray tool
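Review bot: The `ANSIBLE_CONFIG` line added to `_set_environment_file` persists into `/etc/environment` a path that, per the `export` added in `install_k8s`, points at `$dest_folder/kubespray-$version/ansible.cfg`, inside a tree the installer chowns to `$USER`. The removed `mv` used to place that file under `/etc/ansible/`; now any session that inherits the variable, possibly including privileged ones, would read Ansible settings from a file the unprivileged user can edit. Consider keeping the config root-owned or limiting the variable to the installer run. The line also appends an empty value if `ANSIBLE_CONFIG` is unset when this function runs; a guard such as `[[ -n "${ANSIBLE_CONFIG:-}" ]] || return 1` before the `echo` would catch that. `_set_environment_file` starts outside the hunk.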
@@ -117,7 +118,6 @@ function install_k8s {
_install_ansible
wget https://github.com/kubernetes-incubator/kubespray/archive/$tarball
sudo tar -C $dest_folder -xzf $tarball
- sudo mv $dest_folder/kubespray-$version/ansible.cfg /etc/ansible/ansible.cfg
sudo chown -R $USER $dest_folder/kubespray-$version
sudo mkdir -p ${local_release_dir}/containers
rm $tarball
@@ -139,6 +139,8 @@ function install_k8s {
if [[ -n "${https_proxy:-}" ]]; then
echo "https_proxy: \"$https_proxy\"" | tee --append $kud_inventory_folder/group_vars/all.yml
fi
+ export ANSIBLE_CONFIG=$dest_folder/kubespray-$version/ansible.cfg
+ ansible-playbook $verbose -i $kud_inventory $kud_playbooks/preconfigure-kubespray.yml --become --become-user=root | sudo tee $log_folder/setup-kubernetes.log
ansible-playbook $verbose -i $kud_inventory $dest_folder/kubespray-$version/cluster.yml --become --become-user=root | sudo tee $log_folder/setup-kubernetes.log
# Configure environment
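Review bot: The new `preconfigure-kubespray.yml` run pipes into `sudo tee $log_folder/setup-kubernetes.log` without `--append`, and the `cluster.yml` run on the next line truncates the same file, so the preconfigure output is lost. Because a pipeline's exit status is that of `tee`, a failed preconfigure run will not stop the cluster install unless `pipefail` is set elsewhere in the script, which is not visible here. I would give the new step its own log, e.g. `| sudo tee $log_folder/setup-preconfigure-kubespray.log`, and check `${PIPESTATUS[0]}` right after it. `install_k8s` starts and ends outside the hunk.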
@@ -155,17 +157,24 @@ function install_addons {
_install_ansible
sudo ansible-galaxy install $verbose -r $kud_infra_folder/galaxy-requirements.yml --ignore-errors
ansible-playbook $verbose -i $kud_inventory -e "base_dest=$HOME" $kud_playbooks/configure-kud.yml | sudo tee $log_folder/setup-kud.log
+ # The order of KUD_ADDONS is important: some plugins (sriov, qat)
+ # require nfd to be enabled.
for addon in ${KUD_ADDONS:-topology-manager virtlet ovn4nfv nfd sriov qat optane cmk}; do
echo "Deploying $addon using configure-$addon.yml playbook.."
ansible-playbook $verbose -i $kud_inventory -e "base_dest=$HOME" $kud_playbooks/configure-${addon}.yml | sudo tee $log_folder/setup-${addon}.log
done
echo "Run the test cases if testing_enabled is set to true."
if [[ "${testing_enabled}" == "true" ]]; then
+ failed_kud_tests=""
for addon in ${KUD_ADDONS:-multus topology-manager virtlet ovn4nfv nfd sriov qat optane cmk}; do
pushd $kud_tests
- bash ${addon}.sh
+ bash ${addon}.sh || failed_kud_tests="${failed_kud_tests} ${addon}"
popd
done
+ if [[ ! -z "$failed_kud_tests" ]]; then
+ echo "Test cases failed:${failed_kud_tests}"
+ return 1
+ fi
fi
echo "Add-ons deployment complete..."
}
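Review bot: `failed_kud_tests` is assigned without `local`, so it leaks into the calling shell and could carry a stale value if `install_addons` is sourced and called again; declare it as `local failed_kud_tests=""`. The check `[[ ! -z "$failed_kud_tests" ]]` reads more plainly as `[[ -n "$failed_kud_tests" ]]`. A failing `pushd $kud_tests` is not recorded, so `bash ${addon}.sh` would then run from whatever the current directory is; `pushd "$kud_tests" || return 1` avoids that. The new ordering comment holds only for the default list, since a caller-supplied `KUD_ADDONS` is not checked for `nfd` preceding `sriov`/`qat`. `install_addons` starts outside the hunk.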
diff --git a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
index 30fd5c0b..5b06b788 100644
--- a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
@@ -50,9 +50,6 @@ enable_nodelocaldns: false
local_volumes_enabled: true
local_volume_provisioner_enabled: true
-## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.16.9
-
# Helm deployment
helm_enabled: true
@@ -79,3 +76,37 @@ download_localhost: True
kube_service_addresses: 10.244.0.0/18
# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18
+
+# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
+podsecuritypolicy_enabled: true
+# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
+# allowedCapabilities:
+# - '*'
+# by
+# requiredDropCapabilities:
+# - NET_RAW
+podsecuritypolicy_restricted_spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ requiredDropCapabilities:
+ - NET_RAW
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
+ # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+ allowedUnsafeSysctls:
+ - '*'
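Review bot: `podsecuritypolicy_restricted_spec` is restricted in name only: it still sets `privileged: true`, `allowPrivilegeEscalation: true`, `hostNetwork`, `hostPID`, `hostIPC`, all volume types, the full host port range and `allowedUnsafeSysctls: ['*']`. Only NET_RAW is dropped, and a privileged pod in the host namespaces is largely unconstrained by that. If kubespray binds the restricted policy to ordinary authenticated users and service accounts (worth confirming against the kubespray role), every workload can request host-level access. The comment above the spec should say so explicitly, e.g. `# NOTE: despite the name, this policy still admits privileged, host-namespace pods; it only removes NET_RAW.`, and name which add-ons need the relaxed settings. Consider tightening the fields that no add-on requires.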