diff --git a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
index 790b40aa7a..be695bb2e4 100644
--- a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
+++ b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
@@ -12,7 +12,7 @@ launchConfiguration/{{ $m.Name }}.masters.{{ ClusterName }}: associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }} {{ end }} {{ if IsTopologyPrivate }} - associatePublicIP: false + associatePublicIP: true {{ end }} userData: resources/nodeup.sh {{ $m.Name }} rootVolumeSize: {{ or $m.Spec.RootVolumeSize "20" }}
diff --git a/upup/models/cloudup/_aws/master/_not_master_lb/not_master_lb.yaml b/upup/models/cloudup/_aws/master/_not_master_lb/not_master_lb.yaml
index c16aab519a..c9e421b938 100644
--- a/upup/models/cloudup/_aws/master/_not_master_lb/not_master_lb.yaml
+++ b/upup/models/cloudup/_aws/master/_not_master_lb/not_master_lb.yaml
@@ -10,4 +10,4 @@ securityGroupRule/https-external-to-master-{{ $index }}: protocol: tcp fromPort: 443 toPort: 443 -{{ end }} +{{ end }}
\ No newline at end of file
diff --git a/upup/models/cloudup/_aws/master/master.yaml b/upup/models/cloudup/_aws/master/master.yaml
index bb5c6628af..117ce53ff7 100644
--- a/upup/models/cloudup/_aws/master/master.yaml
+++ b/upup/models/cloudup/_aws/master/master.yaml
@@ -28,6 +28,7 @@ securityGroupRule/master-egress: cidr: 0.0.0.0/0 # SSH is open to AdminCIDR set +{{ if IsTopologyPublic }} {{ range $index, $cidr := AdminCIDR }} securityGroupRule/ssh-external-to-master-{{ $index }}: securityGroup: securityGroup/masters.{{ ClusterName }}
@@ -36,6 +37,7 @@ securityGroupRule/ssh-external-to-master-{{ $index }}: fromPort: 22 toPort: 22 {{ end }} +{{ end }} # Masters can talk to masters securityGroupRule/all-master-to-master: 
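Review bot: In the `{{ if IsTopologyPrivate }}` branch the new line hard-codes `associatePublicIP: true`, so every master in a private topology receives a public address and, unlike the branch just above it, the operator cannot opt out through `$m.Spec.AssociatePublicIP`. A public IP on an instance the topology is meant to keep off the internet widens the master's exposure to whatever the masters security group admits, and by the definition of a private subnet that this commit deletes from the topology comments (no route to the internet gateway) the address may not even be reachable. If the public address is a deliberate workaround, keep it under the spec field, `associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }}`, and add a comment above it stating why a private master needs one. The same hard-coded `true` is introduced in the nodes.yaml launchConfiguration hunk of this commit. The enclosing launchConfiguration mapping starts before this hunk.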
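Review bot: The comment `# SSH is open to AdminCIDR set` now sits directly above the new `{{ if IsTopologyPublic }}` guard, so it is only true for public topologies, while a private topology generates no AdminCIDR SSH rule for the masters at all. Reword it to `# SSH from the AdminCIDR set is opened only in the public topology; private topologies get SSH to masters only via the bastion rule, when WithBastion is set`. The guard is closed by the `{{ end }}` added in the following hunk, so both hunks should be read together.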
@@ -46,3 +48,9 @@ securityGroupRule/all-master-to-master: securityGroupRule/all-master-to-node: securityGroup: securityGroup/nodes.{{ ClusterName }} sourceGroup: securityGroup/masters.{{ ClusterName }} + +{{ if WithBastion }} +securityGroupRule/bastion-to-master: + securityGroup: securityGroup/masters.{{ ClusterName }} + sourceGroup: securityGroup/bastion.{{ ClusterName }} +{{ end }}
\ No newline at end of file
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
index ccbb99626e..a28b557d48 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
@@ -4,14 +4,6 @@ # # Inspired by https://github.com/kubernetes/kops/issues/428 # -# This will handle deploying k8s instance into a private subnet. -# -# Where a private subnet means: -# A subnet doesn't have a route to the Internet gateway. -# -# Utility Subnet - A subnet that is used to bridge a private -# subnet to a public subnet with a NGW -# # --------------------------------------------------------------- {{ if WithBastion }}
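Review bot: `securityGroupRule/bastion-to-master` carries no `protocol`/`fromPort`/`toPort`, which in this model is the shape of the `all-*` rules, so it presumably admits every port and protocol from the bastion group into the masters group rather than only SSH. The public-topology rule it stands in for, `ssh-external-to-master`, is scoped to tcp/22, and a bastion only needs to forward SSH; scope this rule the same way by adding `protocol: tcp`, `fromPort: 22`, `toPort: 22` beneath `sourceGroup`. bastion.yaml in this commit adds a similarly unscoped `all-bastion-to-master` rule (attached to the nodes group), so bastion reachability to masters and nodes is currently decided in two files and should live in one.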
@@ -30,12 +22,13 @@ securityGroupRule/bastion-egress: securityGroup: securityGroup/nodes.{{ ClusterName }} egress: true cidr: 0.0.0.0/0 -securityGroupRule/all-node-to-bastion: - securityGroup: securityGroup/bastion.{{ ClusterName }} - sourceGroup: securityGroup/nodes.{{ ClusterName }} -securityGroupRule/all-master-to-bastion: - securityGroup: securityGroup/bastion.{{ ClusterName }} - sourceGroup: securityGroup/masters.{{ ClusterName }} +# TODO Kris - I don't think we need to open these +#securityGroupRule/all-node-to-bastion: +# securityGroup: securityGroup/bastion.{{ ClusterName }} +# sourceGroup: securityGroup/nodes.{{ ClusterName }} +#securityGroupRule/all-master-to-bastion: +# securityGroup: securityGroup/bastion.{{ ClusterName }} +# sourceGroup: securityGroup/masters.{{ ClusterName }} securityGroupRule/ssh-external-to-bastion: securityGroup: securityGroup/bastion.{{ ClusterName }} sourceGroup: securityGroup/bastion-elb.{{ ClusterName }}
@@ -43,6 +36,15 @@ securityGroupRule/ssh-external-to-bastion: fromPort: 22 toPort: 22 +# --------------------------------------------------------------- +# Security Group - Bastion->Nodes +# +# If we are creating a bastion, we need to poke a hole in the +# firewall for it to talk to our masters +# --------------------------------------------------------------- +securityGroupRule/all-bastion-to-master: + securityGroup: securityGroup/nodes.{{ ClusterName }} + sourceGroup: securityGroup/bastion.{{ ClusterName }} # --------------------------------------------------------------- # Security Group - Bastion ELB
@@ -105,7 +107,7 @@ launchConfiguration/bastion.{{ ClusterName }}: iamInstanceProfile: iamInstanceProfile/masters.{{ ClusterName }} imageId: {{ GetBastionImageId }} instanceType: t2.small - associatePublicIP: false + associatePublicIP: true rootVolumeSize: 20 rootVolumeType: gp2 autoscalingGroup/bastion.{{ ClusterName }}:
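Review bot: The six commented-out lines beneath `# TODO Kris - I don't think we need to open these` leave dead resource definitions in the template, which the next reader has to evaluate again. If the node→bastion and master→bastion ingress rules are not needed, delete them and let version history keep the text; a one-line rationale such as `# No node/master -> bastion ingress: sessions are initiated from the bastion side` records the decision more clearly than a TODO plus commented YAML.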
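Review bot: `securityGroupRule/all-bastion-to-master` is attached to `securityGroup/nodes.{{ ClusterName }}`, while its name and the comment above it (`talk to our masters`) say masters and the header says `Bastion->Nodes`; one of the three is wrong and a reader of the rendered model cannot tell which group was intended. The rule also carries no `protocol`/`fromPort`/`toPort`, so like the other `all-*` rules it presumably opens every port from the bastion into that group, where tcp/22 is all a bastion needs. Rename the rule to match its real target (`all-bastion-to-node` if nodes is intended), correct the comment, and add `protocol: tcp`, `fromPort: 22`, `toPort: 22`. master.yaml in this commit already adds a bastion→masters rule, so if masters were intended here this one duplicates it.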
@@ -118,4 +120,23 @@ autoscalingGroup/bastion.{{ ClusterName }}: Name: bastion-{{ GetBastionZone }}.{{ ClusterName }} KubernetesCluster: {{ ClusterName }} +# --------------------------------------------------------------- +# TODO Kris +# +# So as it stands we are *NOT* defining a friendly CNAME for the +# bastion ELB. I think this is a good thing. +# +# If we came up with a formula EG: bastion. we could +# be exposing ourselves to a few threats :) +# +# I think it's best in this situation to err on the side of +# caution and force the end user to define something convenient +# on their own. +# +# TLDR; If you want a friendly CNAME for your bastion - you have +# to build it yourself. Kops won't support that +# +# Right? +# --------------------------------------------------------------- + {{ end }}
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
index 88d907350e..204cbc9a76 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
@@ -4,21 +4,9 @@ # # Inspired by https://github.com/kubernetes/kops/issues/428 # -# This will handle deploying k8s instance into a private subnet. -# -# Where a private subnet means: -# A subnet doesn't have a route to the Internet gateway. -# -# Utility Subnet - A subnet that is used to bridge a private -# subnet to a public subnet with a NGW -# # --------------------------------------------------------------- - - - - # --------------------------------------------------------------- # VPC # 
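Review bot: The new comment block ends with `# Right?` and its example reads `EG: bastion. we could`, so the decision not to create a CNAME for the bastion ELB ships as an open question with what looks like a truncated example (the host pattern after `bastion.` appears to be missing). Since this block is the only recorded rationale, restate it as a decision, e.g. `# Kops deliberately does not create a predictable CNAME for the bastion ELB: a guessable hostname would make the SSH entry point easier to locate. Operators who want a friendly name create it themselves.`, and drop the `TODO` and the closing question.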
@@ -203,6 +191,25 @@ loadBalancer/api.{{ ClusterName }}: listeners: 443: { instancePort: 443 } +# --------------------------------------------------------------- +# Kube-Proxy - Healthz - 10249 +# +# HealthCheck for the kubernetes API via the kube-proxy +# --------------------------------------------------------------- +loadBalancerHealthChecks/api.{{ ClusterName }}: + loadBalancer: loadBalancer/api.{{ ClusterName }} + # 10249 Is the default kube-proxy healthz protocol + target: HTTP:10249/healthz + healthyThreshold: 2 + unhealthyThreshold: 2 + interval: 10 + timeout: 5 +securityGroupRule/kube-proxy-api-elb: + securityGroup: securityGroup/masters.{{ ClusterName }} + sourceGroup: securityGroup/api-elb.{{ ClusterName }} + protocol: tcp + fromPort: 10249 + toPort: 10249 # ---------------------------------------------------------------
@@ -238,3 +245,4 @@ securityGroupRule/https-api-elb: protocol: tcp fromPort: 443 toPort: 443 +
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
index 3a2dee6423..a68c0507a3 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
@@ -4,14 +4,6 @@ # # Inspired by https://github.com/kubernetes/kops/issues/428 # -# This will handle deploying k8s instance into a private subnet. -# -# Where a private subnet means: -# A subnet doesn't have a route to the Internet gateway. -# -# Utility Subnet - A subnet that is used to bridge a private -# subnet to a public subnet with a NGW -# # ---------------------------------------------------------------
@@ -48,7 +40,6 @@ securityGroupRule/all-node-to-master: sourceGroup: securityGroup/nodes.{{ ClusterName }} - {{ range $ig := NodeSets }} # --------------------------------------------------------------- # AutoScaleGroup - Nodes
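Review bot: `loadBalancerHealthChecks/api.{{ ClusterName }}` probes `HTTP:10249/healthz`, the kube-proxy healthz endpoint, while the load balancer it belongs to forwards port 443 to the API server; a master whose apiserver is down but whose kube-proxy is up stays in service, and a master with a healthy apiserver and a failed kube-proxy is drained. Checking the listener the ELB actually fronts, `target: SSL:443`, ties health to the API port and makes the new `securityGroupRule/kube-proxy-api-elb` unnecessary; if the kube-proxy endpoint was chosen deliberately, the comment should say why. Also confirm that kube-proxy's healthz on these masters listens on the instance address rather than loopback, otherwise the check can never succeed. The inline comment `# 10249 Is the default kube-proxy healthz protocol` should say `port`, not `protocol`.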
@@ -62,7 +53,7 @@ launchConfiguration/{{ $ig.Name }}.{{ ClusterName }}: iamInstanceProfile: iamInstanceProfile/nodes.{{ ClusterName }} imageId: {{ $ig.Spec.Image }} instanceType: {{ $ig.Spec.MachineType }} - associatePublicIP: false + associatePublicIP: true userData: resources/nodeup.sh {{ $ig.Name }} rootVolumeSize: {{ or $ig.Spec.RootVolumeSize "20" }} rootVolumeType: {{ or $ig.Spec.RootVolumeType "gp2" }}
diff --git a/upup/pkg/fi/cloudup/tagbuilder.go b/upup/pkg/fi/cloudup/tagbuilder.go
index 2a75ed2cad..dc81e0145f 100644
--- a/upup/pkg/fi/cloudup/tagbuilder.go
+++ b/upup/pkg/fi/cloudup/tagbuilder.go
@@ -62,7 +62,7 @@ func buildCloudupTags(cluster *api.Cluster) (map[string]struct{}, error) { if useMasterLB { tags["_master_lb"] = struct{}{} - } else { + } else if cluster.Spec.Topology.Masters == api.TopologyPublic { tags["_not_master_lb"] = struct{}{} }
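Review bot: With the new `else if cluster.Spec.Topology.Masters == api.TopologyPublic`, a cluster with no master load balancer and a non-public master topology sets neither `_master_lb` nor `_not_master_lb`, and nothing in the hunk records that this is intended; the private topology model in this commit defines its own `loadBalancer/api`, which is presumably why. Add a comment on the `else if`, e.g. `// Private topologies reach the API through the load balancer in the topology model, so no master-access tag is set for them`, or an explicit trailing `else` returning an error for an unexpected topology value, so a future topology cannot silently yield a cluster with no API access path. If `Spec.Topology` can be nil at this point the comparison panics; guard it unless the caller guarantees it is populated. `buildCloudupTags` starts and ends outside this hunk.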