kubernetes-sigs · k8s-ci-robot · Aug 5, 2020 · Aug 5, 2020
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -22,8 +22,10 @@
   delegate_to: "{{ groups['kube-master'][0] }}"
   run_once: true
 
-- name: Calculate kubeadm CA cert hash  # noqa 306
-  shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+- name: Calculate kubeadm CA cert hash
+  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  args:
+    executable: /bin/bash
   register: kubeadm_ca_hash
   when:
     - kubeadm_ca_stat.stat is defined
@@ -107,11 +109,13 @@
 
 # FIXME(mattymo): Need to point to localhost, otherwise masters will all point
 #                 incorrectly to first master, creating SPoF.
-- name: Update server field in kube-proxy kubeconfig  # noqa 306
+- name: Update server field in kube-proxy kubeconfig
   shell: >-
-    {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf get configmap kube-proxy -n kube-system -o yaml
+    set -o pipefail && {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf get configmap kube-proxy -n kube-system -o yaml
     | sed 's#server:.*#server: https://127.0.0.1:{{ kube_apiserver_port }}#g'
     | {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf replace -f -
+  args:
+    executable: /bin/bash
   run_once: true
   delegate_to: "{{ groups['kube-master']|first }}"
   delegate_facts: false

diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -47,8 +47,10 @@
   when:
     - old_apiserver_cert.stat.exists
 
-- name: kubeadm | Forcefully delete old static pods  # noqa 306
-  shell: "docker ps -f name=k8s_{{ item }} -q | xargs --no-run-if-empty docker rm -f"
+- name: kubeadm | Forcefully delete old static pods
+  shell: "set -o pipefail && docker ps -f name=k8s_{{ item }} -q | xargs --no-run-if-empty docker rm -f"
+  args:
+    executable: /bin/bash
   with_items: ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
   when:
     - old_apiserver_cert.stat.exists

diff --git a/roles/kubernetes/master/tasks/pre-upgrade.yml b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -8,8 +8,10 @@
   register: kube_apiserver_manifest_replaced
   when: etcd_secret_changed|default(false)
 
-- name: "Pre-upgrade | Delete master containers forcefully"  # noqa 306 503
-  shell: "docker ps -af name=k8s_{{ item }}* -q | xargs --no-run-if-empty docker rm -f"
+- name: "Pre-upgrade | Delete master containers forcefully"  # noqa 503
+  shell: "set -o pipefail && docker ps -af name=k8s_{{ item }}* -q | xargs --no-run-if-empty docker rm -f"
+  args:
+    executable: /bin/bash
   with_items:
     - ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
   when: kube_apiserver_manifest_replaced.changed

diff --git a/roles/kubernetes/node/tasks/pre_upgrade.yml b/roles/kubernetes/node/tasks/pre_upgrade.yml
@@ -1,11 +1,14 @@
 ---
-- name: "Pre-upgrade | check if kubelet container exists"  # noqa 306
+- name: "Pre-upgrade | check if kubelet container exists"
   shell: >-
+    set -o pipefail &&
     {% if container_manager in ['crio', 'docker'] %}
     docker ps -af name=kubelet | grep kubelet
     {% elif container_manager == 'containerd' %}
     crictl ps --all --name kubelet | grep kubelet
     {% endif %}
+  args:
+    executable: /bin/bash
   failed_when: false
   changed_when: false
   register: kubelet_container_check

diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -158,8 +158,10 @@
   when:
     - kube_network_plugin == 'calico'
 
-- name: "Get current version of calico cluster version"  # noqa 306
-  shell: "{{ bin_dir }}/calicoctl.sh version  | grep 'Cluster Version:' | awk '{ print $3}'"
+- name: "Get current version of calico cluster version"
+  shell: "set -o pipefail && {{ bin_dir }}/calicoctl.sh version  | grep 'Cluster Version:' | awk '{ print $3}'"
+  args:
+    executable: /bin/bash
   register: calico_version_on_server
   run_once: yes
   changed_when: false

diff --git a/roles/kubernetes/tokens/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
@@ -42,18 +42,21 @@
   run_once: true
   when: sync_tokens|default(false)
 
-- name: Gen_tokens | Gather tokens  # noqa 306
-  shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
+- name: Gen_tokens | Gather tokens
+  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
   args:
     warn: false
+    executable: /bin/bash
   register: tokens_data
   check_mode: no
   delegate_to: "{{ groups['kube-master'][0] }}"
   run_once: true
   when: sync_tokens|default(false)
 
-- name: Gen_tokens | Copy tokens on masters  # noqa 306
-  shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
+- name: Gen_tokens | Copy tokens on masters
+  shell: "set -o pipefail && echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
+  args:
+    executable: /bin/bash
   when:
     - inventory_hostname in groups['kube-master']
     - sync_tokens|default(false)