kubernetes/base: apt pinning vs package hold

2 files changed, 20 insertions, 4 deletions

diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml
index 70be0d3a..892dda51 100644
--- a/roles/kubernetes/base/tasks/main.yml
+++ b/roles/kubernetes/base/tasks/main.yml
@@ -17,6 +17,21 @@
   include_role:
     name: apt-repo/kubic-project
 
+- name: generate apt pin files for kubelet and cri-tools
+  loop:
+  - name: kubelet
+    version: "{{ kubernetes_version }}-00"
+  - name: cri-tools
+    version: "{{ kubernetes_cri_tools_pkg_version }}"
+  loop_control:
+    label: "{{ item.name }} == {{ item.version }}"
+  copy:
+    dest: "/etc/apt/preferences.d/{{ item.name }}.pref"
+    content: |
+      Package: {{ item.name }}
+      Pin: version {{ item.version }}
+      Pin-Priority: 1001
+
 - name: install kubelet and common packages
   apt:
     name:
@@ -25,17 +40,17 @@
     - "kubelet={{ kubernetes_version }}-00"
     state: present
     force: yes
-    ## TODO: remove force once the following changes are available
-    ##   https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562
+    ## TODO: remove force once the following change is available (ansible >= 5.0)
     ##   https://github.com/ansible/ansible/pull/74852
 
-- name: disable automatic upgrades for kubelet and cri-tools
+  ## TODO: remove this when all machines are migrated to use pin files
+- name: unhold packages (we now use APT pinning)
   loop:
   - kubelet
   - cri-tools
   dpkg_selections:
     name: "{{ item }}"
-    selection: hold
+    selection: install
 
 - name: configure endpoints for crictl
   copy:
diff --git a/roles/kubernetes/test-pods.url b/roles/kubernetes/test-pods.url
new file mode 100644
index 00000000..59404701
--- /dev/null
+++ b/roles/kubernetes/test-pods.url
@@ -0,0 +1 @@
+https://k8s-examples.container-solutions.com/examples/Pod/Pod.html