Drop the note about rolling-update not performing a real rolling update as the feature flag has been enabled by default.
Also provides consistency with what is mentioned in kops_rolling-update_cluster.md.
Treat "spectre/meltdown" as one vuln, and stay away from parsing which
CVE is which.
The advisory is that the kernel must be updated, which CVEs are fixed
(or not) are not really the issue.
This advisory covers the following 3 CVEs, Variant 1 and 3 are currently
resolved.
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Automatic merge from submit-queue.
Support for OIDC 'username-prefix' and 'groups-prefix' flags
### What
Added support for `--oidc-username-prefix` and `--oidc-groups-prefix`.
By passing these it's possible to override the default prefixes used to map the OIDC user with the username in kubernetes.
### See
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
### IMPORTANT
I'm far from a kubernetes/KOPS, this is not tested so someone needs to have a look and see if something is missing or if this can cause troubles! (don't want to accidentally cause the destruction of the universe 💥 )
It's basically the same done in this other PR: https://github.com/kubernetes/kops/pull/1438/files
I did **not** change the `zz_generated.conversion.go` files as according to comment at the top of them they're autogenerated:
```go
// This file was autogenerated by conversion-gen. Do not edit it manually!
```
(I wonder if they should be `.gitignore`d)
### Fixes
This should fix [#4007: field oidcUsernamePrefix is not recognized in cluster configuration file](https://github.com/kubernetes/kops/issues/4007)
Justin Santa Barbara
Hanfei Shen
mingyuanzhu
k8s-ci-robot
David Keitel
Thomas Hopkins
darron froese
Todd DeShetler
Steve Ruckdashel
Peter Rifel
Alex Last
chrislovecnm
Reid Wiggins
Kubernetes Submit Queue
Eric Hole
Thomas Peitz
Aldo "xoen" Giambelluca
Henry Muru Paenga