Moar YAML cleanup and putting finishing touches on k8s debugging for tomorrow - Oh etcd... <3

upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml

@@ -12,7 +12,7 @@ launchConfiguration/{{ $m.Name }}.masters.{{ ClusterName }}:
   associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }}
   {{ end }}
   {{ if IsTopologyPrivate }}
-  associatePublicIP: false
+  associatePublicIP: true
   {{ end }}
   userData: resources/nodeup.sh {{ $m.Name }}
   rootVolumeSize: {{ or $m.Spec.RootVolumeSize "20" }}

upup/models/cloudup/_aws/master/_not_master_lb/not_master_lb.yaml

@@ -10,4 +10,4 @@ securityGroupRule/https-external-to-master-{{ $index }}:
   protocol: tcp
   fromPort: 443
   toPort: 443
-{{ end }}
+{{ end }}

upup/models/cloudup/_aws/master/master.yaml

@@ -28,6 +28,7 @@ securityGroupRule/master-egress:
   cidr: 0.0.0.0/0
 
 # SSH is open to AdminCIDR set
+{{ if IsTopologyPublic }}
 {{ range $index, $cidr := AdminCIDR }}
 securityGroupRule/ssh-external-to-master-{{ $index }}:
   securityGroup: securityGroup/masters.{{ ClusterName }}
@@ -36,6 +37,7 @@ securityGroupRule/ssh-external-to-master-{{ $index }}:
   fromPort: 22
   toPort: 22
 {{ end }}
+{{ end }}
 
 # Masters can talk to masters
 securityGroupRule/all-master-to-master:
@@ -46,3 +48,9 @@ securityGroupRule/all-master-to-master:
 securityGroupRule/all-master-to-node:
   securityGroup: securityGroup/nodes.{{ ClusterName }}
   sourceGroup: securityGroup/masters.{{ ClusterName }}
+
+{{ if WithBastion }}
+securityGroupRule/bastion-to-master:
+  securityGroup: securityGroup/masters.{{ ClusterName }}
+  sourceGroup: securityGroup/bastion.{{ ClusterName }}
+{{ end }}

upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml

@@ -4,14 +4,6 @@
 #
 # Inspired by https://github.com/kubernetes/kops/issues/428
 #
-# This will handle deploying k8s instance into a private subnet.
-#
-# Where a private subnet means:
-# A subnet doesn't have a route to the Internet gateway.
-#
-# Utility Subnet - A subnet that is used to bridge a private
-# subnet to a public subnet with a NGW
-#
 # ---------------------------------------------------------------
 
 {{ if WithBastion }}
@@ -30,12 +22,13 @@ securityGroupRule/bastion-egress:
   securityGroup: securityGroup/nodes.{{ ClusterName }}
   egress: true
   cidr: 0.0.0.0/0
-securityGroupRule/all-node-to-bastion:
-  securityGroup: securityGroup/bastion.{{ ClusterName }}
-  sourceGroup: securityGroup/nodes.{{ ClusterName }}
-securityGroupRule/all-master-to-bastion:
-  securityGroup: securityGroup/bastion.{{ ClusterName }}
-  sourceGroup: securityGroup/masters.{{ ClusterName }}
+# TODO Kris - I don't think we need to open these
+#securityGroupRule/all-node-to-bastion:
+#  securityGroup: securityGroup/bastion.{{ ClusterName }}
+#  sourceGroup: securityGroup/nodes.{{ ClusterName }}
+#securityGroupRule/all-master-to-bastion:
+#  securityGroup: securityGroup/bastion.{{ ClusterName }}
+#  sourceGroup: securityGroup/masters.{{ ClusterName }}
 securityGroupRule/ssh-external-to-bastion:
   securityGroup: securityGroup/bastion.{{ ClusterName }}
   sourceGroup: securityGroup/bastion-elb.{{ ClusterName }}
@@ -43,6 +36,15 @@ securityGroupRule/ssh-external-to-bastion:
   fromPort: 22
   toPort: 22
 
+# ---------------------------------------------------------------
+# Security Group - Bastion->Nodes
+#
+# If we are creating a bastion, we need to poke a hole in the
+# firewall for it to talk to our masters
+# ---------------------------------------------------------------
+securityGroupRule/all-bastion-to-master:
+  securityGroup: securityGroup/nodes.{{ ClusterName }}
+  sourceGroup: securityGroup/bastion.{{ ClusterName }}
 
 # ---------------------------------------------------------------
 # Security Group - Bastion ELB
@@ -105,7 +107,7 @@ launchConfiguration/bastion.{{ ClusterName }}:
   iamInstanceProfile: iamInstanceProfile/masters.{{ ClusterName }}
   imageId: {{ GetBastionImageId }}
   instanceType: t2.small
-  associatePublicIP: false
+  associatePublicIP: true
   rootVolumeSize: 20
   rootVolumeType: gp2
 autoscalingGroup/bastion.{{ ClusterName }}:
@@ -118,4 +120,23 @@ autoscalingGroup/bastion.{{ ClusterName }}:
     Name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
     KubernetesCluster: {{ ClusterName }}
 
+# ---------------------------------------------------------------
+# TODO Kris
+#
+# So as it stands we are *NOT* defining a friendly CNAME for the
+# bastion ELB. I think this is a good thing.
+#
+# If we came up with a formula EG: bastion.<clusterName> we could
+# be exposing ourselves to a few threats :)
+#
+# I think it's best in this situation to err on the side of
+# caution and force the end user to define something convenient
+# on their own.
+#
+# TLDR; If you want a friendly CNAME for your bastion - you have
+# to build it yourself. Kops won't support that
+#
+# Right?
+# ---------------------------------------------------------------
+
 {{ end }}

upup/models/cloudup/_aws/topologies/_topology_private/network.yaml

@@ -4,21 +4,9 @@
 #
 # Inspired by https://github.com/kubernetes/kops/issues/428
 #
-# This will handle deploying k8s instance into a private subnet.
-#
-# Where a private subnet means:
-# A subnet doesn't have a route to the Internet gateway.
-#
-# Utility Subnet - A subnet that is used to bridge a private
-# subnet to a public subnet with a NGW
-#
 # ---------------------------------------------------------------
 
 
-
-
-
-
 # ---------------------------------------------------------------
 # VPC
 #
@@ -203,6 +191,25 @@ loadBalancer/api.{{ ClusterName }}:
   listeners:
     443: { instancePort: 443 }
 
+# ---------------------------------------------------------------
+# Kube-Proxy - Healthz - 10249
+#
+# HealthCheck for the kubernetes API via the kube-proxy
+# ---------------------------------------------------------------
+loadBalancerHealthChecks/api.{{ ClusterName }}:
+  loadBalancer: loadBalancer/api.{{ ClusterName }}
+  # 10249 Is the default kube-proxy healthz protocol
+  target: HTTP:10249/healthz
+  healthyThreshold: 2
+  unhealthyThreshold: 2
+  interval: 10
+  timeout: 5
+securityGroupRule/kube-proxy-api-elb:
+  securityGroup: securityGroup/masters.{{ ClusterName }}
+  sourceGroup: securityGroup/api-elb.{{ ClusterName }}
+  protocol: tcp
+  fromPort: 10249
+  toPort: 10249
 
 
 # ---------------------------------------------------------------
@@ -238,3 +245,4 @@ securityGroupRule/https-api-elb:
   protocol: tcp
   fromPort: 443
   toPort: 443
+

upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml

@@ -4,14 +4,6 @@
 #
 # Inspired by https://github.com/kubernetes/kops/issues/428
 #
-# This will handle deploying k8s instance into a private subnet.
-#
-# Where a private subnet means:
-# A subnet doesn't have a route to the Internet gateway.
-#
-# Utility Subnet - A subnet that is used to bridge a private
-# subnet to a public subnet with a NGW
-#
 # ---------------------------------------------------------------
 
 
@@ -48,7 +40,6 @@ securityGroupRule/all-node-to-master:
   sourceGroup: securityGroup/nodes.{{ ClusterName }}
 
 
-
 {{ range $ig := NodeSets }}
 # ---------------------------------------------------------------
 # AutoScaleGroup - Nodes
@@ -62,7 +53,7 @@ launchConfiguration/{{ $ig.Name }}.{{ ClusterName }}:
   iamInstanceProfile: iamInstanceProfile/nodes.{{ ClusterName }}
   imageId: {{ $ig.Spec.Image }}
   instanceType: {{ $ig.Spec.MachineType }}
-  associatePublicIP: false
+  associatePublicIP: true
   userData: resources/nodeup.sh {{ $ig.Name }}
   rootVolumeSize: {{ or $ig.Spec.RootVolumeSize "20" }}
   rootVolumeType: {{ or $ig.Spec.RootVolumeType "gp2" }}

upup/pkg/fi/cloudup/tagbuilder.go

@@ -62,7 +62,7 @@ func buildCloudupTags(cluster *api.Cluster) (map[string]struct{}, error) {
 
 	if useMasterLB {
 		tags["_master_lb"] = struct{}{}
-	} else {
+	} else if cluster.Spec.Topology.Masters == api.TopologyPublic {
 		tags["_not_master_lb"] = struct{}{}
 	}