Ansible configuration to run an Ansible Galaxy playbook

Hello,

I have been learning to use Ansible through Red Hat training for approximately the last 6 months or so. I have learned how to build some of my own basic playbooks and roles.
For the first time I have decided to download and run a role from Ansible Galaxy (https://galaxy.ansible.com/geerlingguy/kubernetes). I have several questions about making sure my environment, ansible.cfg, inventory, etc. is set up properly.

My Environment-

Ansible Control Node:
Ansible 2.9 on CentOS 8.2

Target Machines:
CentOS 8.3
Kubernetes Master: kube1
Kubernetes Workers: kube2, kube3

ANSIBLE CONFIG
/home/ansuser/ansible/ansible.cfg
[defaults]
inventory=./inventory
remote_user=ansuser
ask_pass=false

[privilege_escalation]
becom=true
become_method=sudo
become_ask_pass=true

INVENTORY
/home/ansuser/ansible/inventory
[kube-master]
kube1.idm.nac-issa.org kubernetes_role=master

[kube-node]
kube2.idm.nac-issa.org kubernetes_role=node
kube3.idm.nac-issa.org kubernetes_role=node

I have created a user “ansuser”. Ansuser has sudo permissions (but not passwordless sudo) and is a member of the wheel group. I created my ssh keys with that user and copied them to the target servers. ansible all -m ping works without any issues.

If I try to run the playbook with:
$ ansible-playbook kubernetes.yml
I will quickly run into a failure, the error is: “This command has to be run under the root user”. When prompted for the BECOME password, I provided the ansuser password.

I can add become_user=root to the config and provide the root user password. I still get the same error message.

I could change my remote_user=root and that will allow the playbook to completely finish everything but that forces me to run my Kubernetes cluster as root to download images, run pods, etc. That doesn’t seem right.

I could also adjust the specific play to use become, such as:

  - name: Ensure the httpd service is running
    service:
      name: httpd
      state: started
    become: true

but that would be a lot of work because there are multiple sections requiring root privileges (further making me believe I am doing something wrong) and the developer who published these roles has a lot of experience.

What am I missing? It seems like something is not correct with my environment that causes the playbook to fail at multiple points where root privilege is needed. There must be some info I am not understanding or need explained in a different way so it makes sense. I welcome everyone’s input. Thanks!

----KUBERNETES.YML PLAYBOOK----

[privilege_escalation]
becom=true

Typo?

----KUBERNETES.YML PLAYBOOK----

  - hosts: all

Put ‘become: yes’ here and your entire playbook will use that.

OMG, how did I miss that? No, not a typo, that is what I had configured. Talk about missing something simple. Thanks for pointing out my mistake! :slight_smile:
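
A check for the misspelling discussed in this thread, as an added example that is not part of the original posts: Ansible ignores an ansible.cfg key it does not recognise, such as `becom`, rather than rejecting it, so privilege escalation stays off. The function name, the embedded sample text and the key list (limited to `[privilege_escalation]`) are assumptions of this example.

```python
import configparser
import difflib

# Keys Ansible reads from [privilege_escalation]; this check covers that section only.
KNOWN_BECOME_KEYS = {
    "become", "become_method", "become_user", "become_ask_pass",
    "become_exe", "become_flags", "become_allow_same_user",
    "agnostic_become_prompt",
}

# Constructed sample: the ansible.cfg contents as posted in the thread.
POSTED_CFG = """\
[defaults]
inventory=./inventory
remote_user=ansuser
ask_pass=false

[privilege_escalation]
becom=true
become_method=sudo
become_ask_pass=true
"""


def check_privilege_escalation(cfg_text):
    """Return (findings, become_enabled) for an ansible.cfg given as text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = []
    if not parser.has_section("privilege_escalation"):
        return findings, False
    section = parser["privilege_escalation"]
    for key in section:
        if key not in KNOWN_BECOME_KEYS:
            guess = difflib.get_close_matches(key, sorted(KNOWN_BECOME_KEYS), n=1)
            hint = f" (did you mean '{guess[0]}'?)" if guess else ""
            findings.append(f"unknown key '{key}'{hint}")
    # Only the correctly spelled key switches escalation on by default.
    become_enabled = section.getboolean("become", fallback=False)
    if not become_enabled and section.getboolean("become_ask_pass", fallback=False):
        findings.append("become_ask_pass is set but become is not enabled")
    return findings, become_enabled


if __name__ == "__main__":
    for finding in check_privilege_escalation(POSTED_CFG)[0]:
        print(finding)
```
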