diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index c4878d3fed..eb1bcbb2e7 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -257,7 +257,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 cmd.Flags().StringVar(&options.DNSZone, "dns-zone", options.DNSZone, "DNS hosted zone to use (defaults to longest matching zone)")
 cmd.Flags().StringVar(&options.OutDir, "out", options.OutDir, "Path to write any local output")
 cmd.Flags().StringSliceVar(&options.AdminAccess, "admin-access", options.AdminAccess, "Restrict API access to this CIDR. If not set, access will not be restricted by IP.")
- cmd.Flags().StringSliceVar(&options.SSHAccess, "ssh-access", options.SSHAccess, "Restrict SSH access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])")
+ cmd.Flags().StringSliceVar(&options.SSHAccess, "ssh-access", options.SSHAccess, "Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag.")
 // TODO: Can we deprecate this flag - it is awkward?
 cmd.Flags().BoolVar(&associatePublicIP, "associate-public-ip", false, "Specify --associate-public-ip=[true|false] to enable/disable association of public IP for master ASG and nodes. Default is 'true'.")
diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md
index 0b63bf5298..152ab85f91 100644
--- a/docs/cli/kops_create_cluster.md
+++ b/docs/cli/kops_create_cluster.md
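Review bot: The new `--ssh-access` help string no longer tells the operator what the effective default is: it points to `admin-access`, whose own description on the line above says access is unrestricted when unset, so SSH ends up open to any source unless one of the two flags is given. Spelling that out keeps the exposure visible where the flag is read, e.g. `"Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag (unrestricted by default)."`. The generated entry in docs/cli/kops_create_cluster.md would need regenerating to match. NewCmdCreateCluster starts and ends outside the hunk.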
@@ -66,7 +66,7 @@ kops create cluster [flags]
 ### Options
 ```
- --admin-access strings Restrict API access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])
+ --admin-access strings Restrict API access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0,::/0])
 --api-loadbalancer-class string Currently only supported in AWS. Sets the API loadbalancer class to either 'classic' or 'network'
 --api-loadbalancer-type string Sets the API loadbalancer type to either 'public' or 'internal'
 --api-ssl-certificate string Currently only supported in AWS. Sets the ARN of the SSL Certificate to use for the API server loadbalancer.
@@ -113,7 +113,7 @@ kops create cluster [flags]
 --out string Path to write any local output
 -o, --output string Output format. One of json|yaml. Used with the --dry-run flag.
 --project string Project to use (must be set on GCE)
- --ssh-access strings Restrict SSH access to this CIDR. If not set, access will not be restricted by IP. (default [0.0.0.0/0])
+ --ssh-access strings Restrict SSH access to this CIDR. If not set, uses the value of the admin-access flag.
 --ssh-public-key string SSH public key to use (defaults to ~/.ssh/id_rsa.pub on AWS)
 --subnets strings Set to use shared subnets
 --target string Valid targets: direct, terraform, cloudformation. Set this flag to terraform if you want kOps to generate terraform (default "direct")
diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go
index 60ab1d1970..5a430614c0 100644
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@@ -59,7 +59,7 @@ type NewClusterOptions struct {
 ConfigBase string
 // KubernetesVersion is the version of Kubernetes to deploy. It defaults to the version recommended by the channel.
 KubernetesVersion string
- // AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0".
+ // AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0" and "::/0".
 AdminAccess []string
 // SSHAccess is the set of CIDR blocks permitted to connect to SSH on the nodes. It defaults to the value of AdminAccess.
 SSHAccess []string
@@ -145,7 +145,7 @@ type NewClusterOptions struct {
 func (o *NewClusterOptions) InitDefaults() {
 o.Channel = api.DefaultChannel
 o.Authorization = AuthorizationFlagRBAC
- o.AdminAccess = []string{"0.0.0.0/0"}
+ o.AdminAccess = []string{"0.0.0.0/0", "::/0"}
 o.Networking = "kubenet"
 o.Topology = api.TopologyPublic
 o.DNSType = string(api.DNSTypePublic)
@@ -220,7 +220,7 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
 }
 if len(opt.AdminAccess) == 0 {
- opt.AdminAccess = []string{"0.0.0.0/0"}
+ opt.AdminAccess = []string{"0.0.0.0/0", "::/0"}
 }
 cluster.Spec.KubernetesAPIAccess = opt.AdminAccess
 if len(opt.SSHAccess) != 0 {
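Review bot: The default `[]string{"0.0.0.0/0", "::/0"}` is now written out twice, in InitDefaults here and again in the NewCluster hunk at -220, so a later edit to one can silently leave the other behind. A small unexported helper called from both places would keep them in step, for example `func defaultAdminAccess() []string { return []string{"0.0.0.0/0", "::/0"} }`. Returning a fresh slice on each call also keeps the two callers from sharing one backing array.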
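Review bot: Adding `::/0` in the `len(opt.AdminAccess) == 0` branch probably widens SSH as well as API access, because the struct comment says SSHAccess defaults to the value of AdminAccess and the `if len(opt.SSHAccess) != 0 {` branch that handles it continues outside this hunk. If that fallback assigns `opt.AdminAccess` directly, a cluster created without either flag accepts SSH from any IPv4 or IPv6 source. A comment above the assignment would make that explicit, e.g. `// Open to all IPv4 and IPv6 sources by default; SSHAccess inherits this list when unset.` A test that creates a cluster with no access flags and asserts both resulting lists would pin the behaviour.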