Ciprian Hacman
a12b3145ee
Enable cross-subnet mode with Calico by default
2021-06-25 07:13:20 +03:00
Kubernetes Prow Robot
17c2edc3a1
Merge pull request #11811 from olemarkus/ebs-bump
...
Add back createvolume to master + bump ebs driver
2021-06-21 02:19:03 -07:00
Kubernetes Prow Robot
eb7ba5e943
Merge pull request #9229 from johngmyers/version-fullcluster
...
Put versioned API of cluster into state store
2021-06-21 01:32:52 -07:00
Ole Markus With
79a2c111f2
Remove redundant permissions
2021-06-21 08:59:54 +02:00
Ole Markus With
b3f274e140
Apply permissions to master role when irsa is not used
2021-06-21 08:56:11 +02:00
Ole Markus With
778323eec9
Add missing lbc permission
2021-06-19 20:03:40 +02:00
Ole Markus With
b37bc7578e
Reduce master policy size for lb controller
2021-06-19 10:12:22 +02:00
Kubernetes Prow Robot
135cdf3461
Merge pull request #11789 from johngmyers/seed-rng
...
Seed the random number generator on AWS
2021-06-18 08:48:06 -07:00
Ole Markus With
33a7de60a7
Enable IRSA for EBS CSI Driver
2021-06-18 08:05:59 +02:00
John Gardiner Myers
b1e77af664
hack/update-expected.sh
2021-06-17 23:03:52 -07:00
John Gardiner Myers
42bf3ee85b
Seed the random number generator on AWS
2021-06-17 22:59:43 -07:00
Ole Markus With
7b850555eb
Don't add volume multiple times to a pod
2021-06-18 07:31:33 +02:00
John Gardiner Myers
53695fc183
Put versioned API of cluster into state store
2021-06-16 19:33:46 -07:00
Ole Markus With
6e8e027aff
Enable IRSA for Cluster Autoscaler
2021-06-16 18:03:11 +02:00
John Gardiner Myers
4fe25196d8
Trim unnecessary paths from worker node IAM
2021-06-15 21:03:13 -07:00
Kubernetes Prow Robot
78d0089242
Merge pull request #11737 from johngmyers/ipv6-bindaddr
...
Set BindAddress appropriately when in IPv6-only mode
2021-06-13 12:23:02 -07:00
John Gardiner Myers
fc9ec13bb7
Set BindAddress appropriately when in IPv6-only mode
2021-06-13 09:41:19 -07:00
Kubernetes Prow Robot
cfc93e5178
Merge pull request #9294 from johngmyers/refactor-nodeup-context
...
Remove InstanceGroup from NodeupModelContext
2021-06-12 13:43:01 -07:00
Matthew Wong
b6266ce5f0
Run hack/update-expected.sh
2021-06-09 13:53:07 -07:00
Matthew Wong
4e9b45b324
Allow master to touch volumes tagged with kubernetes.io/cluster/<clusterName>:owned
2021-06-09 13:52:48 -07:00
John Gardiner Myers
9cba5e345d
hack/update-expected.sh
2021-06-03 21:09:15 -07:00
John Gardiner Myers
eb09d31a3c
Pass AuxConfig to nodeup
2021-06-03 21:04:21 -07:00
Kubernetes Prow Robot
3c4b6068b9
Merge pull request #11649 from h3poteto/fix-jwks-location
...
Fix jwks object path in S3 for IRSA
2021-06-01 08:26:27 -07:00
AkiraFukushima
d52ec60c02
Fix issuer and jwks object path for IRSA
2021-06-01 23:35:21 +09:00
John Gardiner Myers
0a48b9050f
Protokube needs dns-controller IAM permissions
2021-05-31 06:58:59 -07:00
John Gardiner Myers
b82b129a54
Remove fallback support for legacy IAM
2021-05-30 16:52:42 -07:00
Ole Markus With
0004bcec77
Only allow deletion of snapshots owned by the cluster
2021-05-23 08:13:10 +02:00
Ole Markus With
1868313497
Add snapshot-controller
2021-05-22 09:19:35 +02:00
Ole Markus With
d3581ebb84
bump aws lb controller to 2.2.0
2021-05-16 18:26:23 +02:00
Peter Rifel
9165309032
Use kubernetes.default for OIDC discovery in gossip clusters
...
It doesn't make sense to use a gossip hostname as the discovery url because it won't be resolvable.
For gossip clusters that don't provide a public VFS store, we can at least use kubernetes.default for internal oidc usage.
2021-05-12 14:18:53 -05:00
Ole Markus With
cd9ddd6716
Add elasticloadbalancing:ModifyTargetGroupAttributes to aws lb controller
2021-05-06 15:27:39 +02:00
Ole Markus With
6f8b3647cf
Add support for IRSA in the api
...
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-05-01 16:03:42 +02:00
Ole Markus With
5ca7c9b5d7
Use VFS as service account issuer if configured
...
Also add an integration test that uses VFS
2021-04-30 21:02:30 +02:00
Ole Markus With
25b5f0cfb2
Move publicDataStore to serviceAccountIssuerDiscovery.discoveryStore
2021-04-30 19:19:06 +02:00
Ole Markus With
1ec0bd18e8
Enable support for the ASG WarmPool lifecycle hook
...
Update pkg/model/iam/iam_builder.go
Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
2021-04-24 09:40:52 +02:00
Jason Haugen
36722afb0f
change casing Asg->ASG
2021-04-22 13:07:01 -05:00
Jason Haugen
366634e66a
change permissions & node selector
2021-04-19 15:43:05 -05:00
Jason Haugen
d07b067249
Add NTH queue-processor mode
2021-04-19 15:43:05 -05:00
Ole Markus With
af92896dc7
Don't start kubelet if we are warming
2021-04-14 11:05:50 +02:00
Ole Markus With
dbd23473ef
Add irsa support for awslbcontroller
...
This commit also introduces support for adding token projection volumes for well-known SAs.
Slightly less complicated than explicitly parsing the objects for a manifest
2021-04-04 21:24:07 +02:00
guydog28
bd80c3f2b4
replace hard coded aws region checks with aws sdk calls
2021-03-24 15:31:05 +00:00
Justin SB
c75e084158
Re-add integration tests for jwks
...
We removed them from #10756, but they can be re-added.
2021-03-20 22:55:11 -04:00
Kubernetes Prow Robot
15e4028c81
Merge pull request #10722 from olemarkus/apiserver-nodes
...
Apiserver nodes
2021-03-20 16:43:42 -07:00
Ole Markus With
20bd724f5e
Add support for scaling out the control plane with dedicated apiserver nodes
...
Ensure apiserver role can only be used on AWS (because of firewalling)
Apply api-server label to CP as well
Consolidate node not ready validation message
Guard apiserver nodes with a feature flag
Rename Apiserver role to APIServer
Add an integration test for apiserver nodes
Rename Apiserver role to APIServer
Enumerate all roles in rolling update docs
Apply suggestions from code review
Co-authored-by: Steven E. Harris <seh@panix.com>
2021-03-20 20:57:00 +01:00
Kubernetes Prow Robot
2b46042241
Merge pull request #11086 from justinsb/controlplane_should_not_need_dns_permissions
...
Don't add control-plane DNS permissions with UseServiceAccountIAM
2021-03-20 12:29:42 -07:00
Justin SB
d7683d85ce
Don't add control-plane DNS permissions with UseServiceAccountIAM
...
Should not be needed; dns-controller should run on the control-plane
node so there should not be a bootstrapping problem with the nodes.
Reverts #10529
2021-03-20 14:00:46 -04:00
Justin SB
48ebac6892
Improve error messages around PublicJWKS
...
I left off the publicDataStore (must pass --overwrite on create, I
believe), and the error message was a type-cast failure.
2021-03-20 13:59:14 -04:00
Peter Rifel
7c900b7fae
Generate and upload keys.json + discovery.json to public store
...
Generate and upload keys.json + discovery.json to public store
Don't enable anonymous auth on publicjwks
Remove tests that won't work using FS VFS anymore
2021-03-19 20:03:26 +01:00
Ole Markus With
063e3f6c7b
Use internal api url for jwks when required
...
The public api url cannot be used by pods and nodes if access is restricted. So by default we need to use the internal one.
This should finally pass the OIDC e2e test
For public access, api server must be publicly available and anonymous
auth must be enabled
2021-03-05 06:52:51 +01:00
Ole Markus With
56330188d0
Add AWS LoadBalancerController
2021-02-11 08:47:03 +01:00
Peter Rifel
a15957da2f
IRSA - continue adding route53 permissions to masters
...
These are needed by protokube to create the kops-controller DNS record to allow nodes to bootstrap.
See these logs: https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1345956556562239488/artifacts/ip-172-20-48-1.sa-east-1.compute.internal/protokube.log
```
I0104 05:03:51.264472 6482 dnscache.go:74] querying all DNS zones (no cached results)
I0104 05:03:51.264570 6482 route53.go:53] AWS request: route53 ListHostedZones
W0104 05:03:51.389485 6482 dnscontroller.go:124] Unexpected error in DNS controller, will retry: error querying for zones: error querying for DNS zones: AccessDenied: User: arn:aws:sts::768319786644:assumed-role/masters.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io/i-05b1db10d1a5b8637 is not authorized to perform: route53:ListHostedZones
```
and the nodeup logs on nodes that couldn't join the cluster:
```
Jan 04 04:55:53.500187 ip-172-20-38-84 nodeup[2070]: W0104 04:55:53.500117 2070 executor.go:131] error running task "BootstrapClient/BootstrapClient" (9m52s remaining to succeed): Post "https://kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io:3988/bootstrap ": dial tcp: lookup kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io on 127.0.0.53:53: no such host
```
2021-01-04 21:03:53 -06:00
Justin SB
72329db188
IAM ServiceAccount Roles: truncate name at 64 characters
...
The maximum IAM role name length is 64 characters, which we hit much
more often now that we are constructing complex names. Use our normal
strategy of adding a hash when we truncate.
This is not a breaking change, because these names were not valid
previously.
2020-12-16 13:38:38 -05:00
Ciprian Hacman
ab9d30a015
Order by name fields in CalicoNetworkingSpec
2020-12-11 18:23:49 +02:00
John Gardiner Myers
e7508cc973
Use custom-configured ServiceAccountIssuer when present
2020-12-04 09:03:03 -08:00
John Gardiner Myers
4f5def8610
Address review comment
2020-12-03 23:24:43 -08:00
John Gardiner Myers
9607b9955c
Set --service-account-issuer for k8s 1.20+
2020-11-20 22:20:39 -08:00
Ciprian Hacman
a3a0b91b5f
Order policy document sections alphabetically
2020-11-04 16:15:00 +02:00
John Gardiner Myers
2ac17bee69
Remove code for no-longer-supported k8s releases
2020-10-29 16:45:53 -07:00
Ciprian Hacman
2c15acfa44
Enable Calico AWS src/dest check permissions when CrossSubnet is set
2020-10-10 04:17:19 +03:00
Ciprian Hacman
d0349fd6bb
Open etcd port only when Calico uses "etcd" datastore
2020-10-09 09:33:38 +03:00
monicagangwar
a63ccd5163
[calico] awsSrcDstCheck to disable src/dest checks in AWS
...
* replacing k8s-ec2-srcdst with calico's config awsSrcDstCheck and
flag FELIX_AWSSRCDSTCHECK
* documentation and iam changes for calico awsSrcDstCheck
2020-10-08 17:17:23 +05:30
Peter Rifel
d4d4545345
Add AWS partition support to iam service account roles
2020-09-17 10:01:27 -05:00
Justin SB
6fa8be2716
JSON formatting of IAM: Workaround for optional fields
...
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
2020-09-09 09:57:07 -04:00
Justin Santa Barbara
d8895c57ec
Add version logic to UseServiceAccountIAM
...
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:07 -04:00
Justin SB
a61ecf4c58
Refactor to use interface for iam Subjects
...
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB
8498ac9dbb
Create PublicJWKS feature flag
...
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens. But it shouldn't need a second bucket or anything of that
nature.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Justin SB
5d1e7bcf82
Refactor IAM route53 construction
...
This helps for the JWKS / ServiceAccount role support.
2020-09-01 11:34:42 -04:00
Justin SB
786423f617
Expose JWKS via a feature-flag
...
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access). This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 10:15:11 -04:00
Justin SB
b158ffab04
Refactor: KopsModelContext embeds IAMModelContext
...
go syntax makes this an annoying change, unfortunately.
2020-08-25 11:22:34 -04:00
Peter Rifel
7d9f0a06cf
Update API slice fields to not use pointers
...
This is causing problems with the Kubernetes 1.19 code-generator.
A nil entry in these slices wouldn't be valid anyways, so this should have no impact.
2020-08-24 07:46:38 -05:00
John Gardiner Myers
ba96a84926
Don't give access to calico-client key when not needed
2020-08-18 13:45:27 -07:00
John Gardiner Myers
07220797b4
Issue the cilium etcd client cert out of kops-controller
2020-08-17 21:15:34 -07:00
John Gardiner Myers
b6947ccaee
Use kops-controller to issue kube-router cert
2020-08-16 23:40:38 -07:00
John Gardiner Myers
8e43c1d637
Use kops-controller to issue kube-proxy cert
2020-08-16 23:36:42 -07:00
Peter Rifel
4d9f0128a3
Upgrade to klog2
...
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers
c5871df319
Get kubelet certificate from kops-controller
2020-08-15 10:30:20 -07:00
Ole Markus With
2fd6e52af7
Apply suggestions from code review
...
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-06-27 07:43:30 +02:00
Ole Markus With
51235b2edc
Deploy cilium etcd credentials if the cilium cluster exists
2020-06-27 07:11:19 +02:00
Ole Markus With
acaa1e1dfc
Implement VFS for vault
2020-06-18 13:02:37 +02:00
Justin SB
0351590512
IAM: Refactor vfs-access logic so we can see the required readable paths
...
This will enable us to apply similar restricted permissions on GCE and
other clouds.
2020-06-11 00:41:57 -04:00
Justin SB
1e559618f5
Ensure we have IAM bucket permissions to other S3 buckets
...
If we are expected to write to other buckets, we need to have suitable
permissions to e.g. determine their location.
2020-06-04 22:37:17 -04:00
Ole Markus With
991549a5f4
Remove support for Romana
2020-06-03 08:23:53 +02:00
Ciprian Hacman
00cbbce2b5
Allow listing versions for objects in the S3 bucket
2020-05-29 08:50:56 +03:00
Ciprian Hacman
d54aadc89c
Fix nits for removal of S3 file versions
2020-05-28 06:50:32 +03:00
Ole Markus With
869ab75dea
Use etcd-manager for the cilium etcd cluster
2020-04-16 08:42:59 +02:00
Matteo Ruina
0e66339d11
Add missing ec2:DescribeInstanceTypes policy
2020-03-17 17:10:00 +01:00
Ole Markus With
ced8f00201
Add option to use ENI as IPAM mode for Cilium
...
* Force cilium-operator run on master nodes
* Add option for setting cilium ipam mode
* If cilium ipam mode is eni, add additional permissions to master nodes
* Allow NonMasqueradeCIDR overlap with NetworkCIDR when Cilium ENI is enabled
2020-02-16 19:11:01 +01:00
Peter Rifel
bf42bb0e43
Update IAM permissions for amazon-vpc-cni-k8s 1.6.0
2020-02-13 11:10:38 -06:00
Lee Azzarello
441cd2523c
remove comment
2020-01-17 17:17:30 -08:00
Lee Azzarello
23cf0dd59e
use IAMPrefix() for hostedzone
2020-01-17 14:48:52 -08:00
Matteo Ruina
46ba9ff605
Add missing IAM permission
2019-10-31 15:29:12 +01:00
Kubernetes Prow Robot
e35e9cc7ab
Merge pull request #7580 from michalschott/master
...
Updating master IAM policies.
2019-09-23 10:43:24 -07:00
Kubernetes Prow Robot
3b9821d5c5
Merge pull request #7474 from nebril/cilium-standalone
...
Change Cilium templates to standalone version
2019-09-18 14:01:00 -07:00
Michal Schott
c2d5c0fb91
Updating master IAM policies.
2019-09-13 13:07:52 +02:00
Maciej Kwiek
74e10dadec
Change Cilium templates to standalone version
...
This commit doesn't include any Cilium configuration, just takes the
quick install yaml from
https://github.com/cilium/cilium/blob/v1.6.0/install/kubernetes/quick-install.yaml
Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
2019-09-12 17:23:50 +02:00
Raymond Finch
8bfb0eb21b
Fix 'unable to infer CloudProvider from Zones' for us-gov-east-1
2019-09-11 11:12:48 -07:00
mikesplain
9e55b8230a
Update copyright notices
...
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Peter Rifel
79474ffc0b
Upgrade AWS VPC CNI provider to 1.5.0
...
Released a few days ago: https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.5.0
2019-06-07 16:33:55 -07:00
Justin SB
76d03b3f71
Generated files: glog -> klog
2019-05-06 12:56:03 -04:00
Justin SB
3e33ac7682
Change code from glog to klog
...
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.
2019-05-06 12:54:51 -04:00
Ryan Bonham
54ef99ef54
Update Tests
2019-04-30 09:15:08 -05:00
Ryan Bonham
9b03f36463
Support Scale from 0 with Launch Templates
2019-04-30 09:01:35 -05:00
Chris Stein
54a8c81718
use dynamic s3 prefix in addAmazonVPCCNIPermissions func
2019-04-08 15:36:45 -05:00
Kenjiro Nakayama
92689c51c6
Add permission for CreateTag on ENI to amazon-vpc-cni-k8s
...
Although amazon-vpc-cni-k8s adds tag to ENI, kops does not add the
permission. Hence it does not work by default.
This patch adds the permission for CreateTag on ENI to
amazon-vpc-cni-k8s's nodes policy.
2019-01-24 22:21:01 +09:00
Justin SB
26bd75aecb
Bulk spelling fixes
...
Experimenting with my own spelling checker, these are the typos it caught.
2018-12-20 17:43:56 -05:00
Chris Phillips
af7377d530
fix use of --networking in create cluster
2018-11-07 08:08:44 -08:00
Chris Phillips
2b9a56f8e6
rename to LyftVPC. Removes all the settings from the NetworkingSpec
2018-11-07 08:08:44 -08:00
Chris Phillips
3a8078763a
Adds support for Lyft's cni-ipvlan-vpc-k8s
...
https://github.com/lyft/cni-ipvlan-vpc-k8s
This cni solution is slightly different in that it doesn't require running a daemonset
It requires:
* a config file in /etc/cni/net.d
* the binaries in /opt/cni/bin
* adding the --node-ip param to the kubelet
This code is modeled after the AmazonVPC cni bits.
I've left the setup of the required subnets as an exercise to the reader.
2018-11-07 08:08:13 -08:00
Jay Eno
e0948842f3
Update iam_builder_node_strict_ecr.json
2018-11-03 01:03:01 -06:00
Jay Eno
e5c12bdbef
Update iam_builder_node_strict.json
2018-11-03 01:02:42 -06:00
Jay Eno
b0201c5922
Update iam_builder_node_legacy.json
2018-11-03 01:02:24 -06:00
Jay Eno
ccfee27165
Update iam_builder_master_strict_ecr.json
2018-11-03 01:01:47 -06:00
Jay Eno
d7dab870c9
Update iam_builder_master_legacy.json
2018-11-03 01:01:08 -06:00
Jay Eno
107b079cf6
Add permission to check encryption policy on root bucket.
2018-11-02 23:50:30 -06:00
Jay Eno
7228721439
Update test for new role
2018-11-02 23:46:02 -06:00
Kelly Campbell
8132073ad9
Add elasticloadbalancing:DeregisterTargets permission to master policy
...
Without this permission, controller-manager gets the following error:
failed to ensure load balancer for service XXX: Error trying to
deregister targets in target group:
"AccessDenied: User: arn:aws:sts::XXX:assumed-role/masters...
is not authorized to perform: elasticloadbalancing:DeregisterTargets
on resource: arn:aws:elasticloadbalancing:XXX
2018-09-05 14:01:01 -04:00
Kashif Saadat
03e18d37af
Add AWS IAM permission to check for volume resize
2018-08-10 16:47:20 +01:00
Justin Santa Barbara
a7b22b4876
Remove GetAsgForInstance IAM permission
...
It isn't a valid IAM permission - it was introduced in error, but IAM
is kind enough to ignore it.
Fixes #5549
2018-08-02 11:27:29 -04:00
Justin Santa Barbara
8f15a58e8c
Validate IAM additionalPolicies
...
We now validate them with the cluster, so we should give early and
clear feedback if the IAM policy is not valid.
2018-07-27 15:22:24 -04:00
Kashif Saadat
2f0fdbc6d7
Add IAM ec2:ModifyVolume permission to allow EBS volume resize
2018-07-06 15:49:34 +01:00
k8s-ci-robot
f346efd290
Merge pull request #5240 from nebril/etcd-tls
...
Add etcd TLS support for Cilium
2018-06-21 09:23:37 -07:00
Maciej Kwiek
e1a0f4a73e
Etcd TLS support for Cilium
...
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
2018-06-20 14:27:24 +02:00
Justin Santa Barbara
ba6d14d1a8
GCE: Grant bucket permissions for etcd-manager
...
Unfortunately it has to be bucket level, because that is all that GCS
supports.
2018-06-14 17:50:16 -04:00
Justin Santa Barbara
8064f19fc4
Avoid changing IAM policy for users
...
Follow on to #5253, making it so that users that don't adopt bootstrap
kubelet config don't have their IAM policies change.
2018-06-12 11:58:08 -04:00
Rohith
d2bae64dd1
- adding the enable-bootstrap-token-auth to the kubeapi and fixing up the various components
2018-06-11 09:57:26 +01:00
Rohith
2d5bd2cfd9
- update the IAM policy to ensure the kubelet permission is skipped
...
- update the PKI to ensure on new clusters the certificate is not created
2018-06-11 09:57:26 +01:00
Kashif Saadat
bf30b2559f
Update AWS IAM Policy tests following Statement ID removal
2018-04-10 15:33:51 +01:00
Kashif Saadat
d665bfdcd4
Remove custom Statement IDs from IAM Policy Statements.
2018-04-10 15:33:08 +01:00
Justin Santa Barbara
7b0ac91cdb
Avoid collisions in IAM ids
...
Fix #4951
2018-04-09 23:43:11 -04:00
Mike Splain
45a57915e2
Fix bazel deprecation notice
2018-02-26 09:36:13 -05:00
Justin Santa Barbara
dde7600dae
Initial support for standalone etcd-manager backups
...
The etcd-manager will (ideally) take over etcd management. To provide a
nice migration path, and because we want etcd backups, we're creating a
standalone image that just backs up etcd in the etcd-manager format.
This isn't really ready for actual usage, but should be harmless because
it runs as a sidecar container.
2018-02-20 20:06:08 -05:00
Rohith
c8e4a1caf8
Kubernetes Calico TLS
...
The current implementation when Etcd TLS was added does not support using calico, as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate.
2018-02-14 23:41:45 +00:00
Shane Starcher
b1fdb35118
fixing ecr policy test
2018-02-08 11:12:51 -05:00
Shane Starcher
ffc92d4da3
updating the test
2018-02-08 10:52:07 -05:00
Shane Starcher
fc022db0cf
master node requires DescribeRegions when using a bucket from another account
2018-02-08 08:15:41 -05:00
Caleb Gilmour
1e74216b94
Update route-related IAM permissions for Romana
2018-02-02 00:37:46 +00:00
Mikael Knutsson
1dbd435019
Fix ASG scaling by adding in ec2:DescribeRegions permission
2018-01-22 17:11:49 +08:00
chrislovecnm
4dd3bb1dea
Updating bazel BUILD files with new go_rules version
2017-12-29 15:03:14 -07:00
Albert
c52472cfa8
Add support for cn-northwest-1.
2017-12-27 15:37:09 +08:00
Kubernetes Submit Queue
15c7d61dfb
Merge pull request #3997 from aledbf/amazon-vpc-cni
...
Automatic merge from submit-queue.
Add support for Amazon VPC CNI plugin
TODO:
- [x] IAM perms so that the CNI provider only has perms for the nodes in the cluster
- [x] Cleanup of security groups
- [ ] Replace image aledbf/k8s-ec2-srcdst:v0.1.0-5 with the official after https://github.com/ottoyiu/k8s-ec2-srcdst/pull/5 and https://github.com/ottoyiu/k8s-ec2-srcdst/pull/6
2017-12-17 21:41:13 -08:00
Manuel de Brito Fontes
2e05dd17aa
Add support for Amazon VPC CNI plugin
2017-12-17 18:08:24 -03:00
Eric Hole
59bc52a05a
Adds permissions for ELB and NLB req'd by 1.9
2017-12-17 13:03:54 -08:00
Robin Percy
6a2ded4681
Adding DescribeTags to masters
2017-12-13 11:48:24 -08:00
Manuel de Brito Fontes
683799c9ab
Add missing permissions for NLB creation
2017-12-01 08:56:55 -03:00
Fabricio Toresan
d4eef657d6
Changing the prefix of the ResourceTag condition to match the one specified in the ASG documentation
2017-11-18 09:17:07 -02:00
Kashif Saadat
029d0c0393
Add Node IAM permissions to access kube-router key in S3.
2017-11-09 09:57:02 +00:00
chrislovecnm
d71f53d4b5
fixing panic with iam unit tests
2017-11-06 13:36:45 -07:00
Justin Santa Barbara
132b428d64
Merge pull request #3776 from chrislovecnm/bazel-work
...
gazelle updates with new bazel version
2017-11-06 14:08:57 -05:00
Caleb Gilmour
d2b8741455
Add additional Describe permissions required for Romana CNI
2017-11-06 09:31:09 +00:00
chrislovecnm
609e268a1d
gazelle updates with new bazel version
2017-11-05 17:41:53 -07:00