We previously needed them to allow list operations; however we now use a
keyset.yaml file instead of listing keys. That should be the sole use,
so we should no longer need this permission.
If not, we can re-enable the code easily.
Automatic merge from submit-queue.
Force nodeup to use the bundle
We disable fallback entirely for nodeup, so we can still share code, but
won't accidentally be using the wrong code path.
Builds on #3839
Automatic merge from submit-queue.
Fix null pointer issues when custom PROTOKUBE_IMAGE is specified.
When setting a custom protokube location via the environment variable `PROTOKUBE_IMAGE`, this appeared to not be getting set properly at the time of applying Cluster updates (via `kops update cluster ${KOPS_CLUSTER_NAME} --yes`), resulting in a runtime exception.
This PR resolves the above issue, so cluster updates are correctly applied with reference to a custom protokube image location (if provided).
This avoids the need to list directories, which is problematic on GCE.
It also makes for a more consistent experience; we can move nodeup to
use the bundle always, and we can move writing to the Mirror task, so
that VFS & kops-server are more similar.
Automatic merge from submit-queue.
Refactor VFS CA store to reuse keyset from clientset
This ensures the two behave more similarly, but also will help us parse a
serialized keyset.
Builds on #3836
Automatic merge from submit-queue.
Refactor: clean up SecretStore to not use KeystoreItem
More moving to use API objects, except in this case we eventually want to
deprecate SecretStore entirely.
Builds on #3833
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Automatic merge from submit-queue.
work on using files assets
Basic MVP for file assets.
- using file asset builder
- able to upload files
- using URL structs instead of strings everywhere
File assets and the SHA files are uploaded to the new location. Files,
when a user uses s3, are uploaded public read only. The copyfile task
uses only the existing SHA value.
This PR includes major refactoring of the use of URLs. Strings are no
longer concatenated, but converted into a URL struct and path.Join is
utilized.
A new values.go file is included so that we can start refactoring more
code out of the "fi" package.
A
Automatic merge from submit-queue.
Support for hostPort when using canal
Similar to: https://github.com/kubernetes/kops/pull/3206
Without this, we are unable to get `hostPort` working with `canal`. The same is true for `flannel`, but this does add support for plain flannel.
Automatic merge from submit-queue.
Bump weave version in bootstrapchannelbuilder
2.1.3 upstream becomes 2.1.3-kops.1, so if we need to make our own
"packaging" changes, we can do 2.1.3-kops.2 etc.
Automatic merge from submit-queue.
Update Weave Net to version 2.1.3
This version supports 'v1' NetworkPolicy semantics.
Also includes a feature to clear down data for deleted nodes, which is probably the most-requested fix.
Automatic merge from submit-queue.
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS.
@justinsb I cannot find anywhere that does a check on an existing VPC to see if the networkCIDR matches what is on the VPC defined, I was looking for that so I can add a similar check for this. Am I missing something or is there really no check like that?
Automatic merge from submit-queue.
Let a user set a hostnameOverride when the cloud provider is aws.
Let a user use the hostname or set a hostnameOverride when the cloud provider is aws. This would allow for a more descriptive name to be used. The name of the hosts when using @hostname can be set by using a hook or some other method.
We've done this in the API already, but we had a single CAStore
interface that did Keysets and SSHCredentials. Separate out
SSHCredentials into SSHCredentialStore, and start using API objects as
our primary representation.
Automatic merge from submit-queue.
When using private DNS add ELB name to the api certificate
This fixes issue #2032 by using the gossip paths with private dns as well:
* When creating the api server certificate, include the ELB hostname
* When generating kubeconfig, use the ELB hostname as the api server name
Automatic merge from submit-queue.
DNS Controller Optional
The current implementation enforces that a dns-controller is running; given the user can make the kube-apiserver Internal and then reuse the dns for the masterInternalName, this effectively removes the need to run the service (assuming you're not using it for pods, node and service dns)
- adding a disableDnsController to the ExternalDNS spec provides a toggle on the addon (name is definitely up for debate)
- the default behaviour remains, the dns-controller is always pushed as an addon
Works around nil SleepDelay problem: latest aws-sdk-go (in k8s 1.9 and
kops 1.8) has updated SleepDelay logic; fix is in
https://github.com/kubernetes/kubernetes/pull/55307 but that is only in
1.9.
Set the SleepDelay to work around the problem.
Renamed the k8s-1.8 manifest to a k8s-1.7. This is required because of a config
change that occurs between k8s 1.6 and k8s 1.7. This refactor will also
be re-used when Calico Kubernetes data source support is added to kops.
Updated bootstrapchannelbuilder with the new Calico version numbers.
Automatic merge from submit-queue.
Respect the shared tag when deleting route tables
Fixes #3828.
Modifies the `buildTrackerForRouteTable` function (used by `ListRouteTables`) to set the `Shared` field of each returned route table resource, based on the presence of the `kubernetes.io/cluster/<clustername>: shared` tag. This prevents route tables with this tag from being deleted.
WIP while I add some more tests.
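As an added illustration of the tag check this commit describes (example code written for this page, not kops' own; the RouteTable shape, the `owned` tag value and the rule that tables without the cluster tag are never deleted are assumptions):

```go
package main

import "fmt"

const clusterTagPrefix = "kubernetes.io/cluster/"

// RouteTable is a constructed stand-in for the AWS route table resource (assumed shape, not kops' type).
type RouteTable struct {
	ID     string
	Tags   map[string]string
	Shared bool
}

// isSharedWithCluster reports whether tags carry "kubernetes.io/cluster/<clusterName>: shared".
func isSharedWithCluster(tags map[string]string, clusterName string) bool {
	return tags[clusterTagPrefix+clusterName] == "shared"
}

// markShared sets Shared on each table from its tags, as the PR does while
// building trackers for ListRouteTables.
func markShared(tables []RouteTable, clusterName string) []RouteTable {
	out := make([]RouteTable, 0, len(tables))
	for _, rt := range tables {
		rt.Shared = isSharedWithCluster(rt.Tags, clusterName)
		out = append(out, rt)
	}
	return out
}

// deletable returns the IDs a delete-cluster run may remove: tables tagged for
// this cluster that are not marked shared. Untagged tables are never touched (assumption).
func deletable(tables []RouteTable, clusterName string) []string {
	var ids []string
	for _, rt := range tables {
		if _, tagged := rt.Tags[clusterTagPrefix+clusterName]; tagged && !rt.Shared {
			ids = append(ids, rt.ID)
		}
	}
	return ids
}

func main() {
	name := "example.k8s.local" // constructed sample: an owned, a shared and a foreign table
	tables := markShared([]RouteTable{
		{ID: "rtb-owned", Tags: map[string]string{clusterTagPrefix + name: "owned"}},
		{ID: "rtb-shared", Tags: map[string]string{clusterTagPrefix + name: "shared"}},
		{ID: "rtb-other", Tags: map[string]string{clusterTagPrefix + "other.k8s.local": "owned"}},
	}, name)
	fmt.Println(deletable(tables, name)) // [rtb-owned]
}
```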
Automatic merge from submit-queue.
Implement volume task for Openstack platform
Implement volume task to create volume for ETCD cluster.
Which issue this PR fixes: #3886
Automatic merge from submit-queue.
add openstack cloud provider
Add an Openstack cloud provider. It does not implement all the interfaces of fi.Cloud, hence, cannot create a cluster, but it can pass the workflow of creating a cluster for a command like "kops create cluster --cloud openstack --zones nova -v 15 --target direct --yes myoscluster4.k8s.local"
Which issue this PR fixes: #3819
* Limit each CNI provider to 100m
* Remove CPU limits - they cause serious problems
(https://github.com/kubernetes/kubernetes/issues/51135), but this also
makes the CPU allocation less problematic.
* Bump versions and start introducing the `-kops.1` suffix preemptively.
* Upgrade flannel to 0.9.0 as it fixes a lot.
Automatic merge from submit-queue.
kube-router: remove beta annotation versions (deprecated in 1.8) of init container
kube-router: remove beta annotation versions (deprecated in 1.8) of init container and move init container to spec section
- adding a fix to the building of the argument, as the double quotes cause a yaml parsing error
error building tasks: error remapping manifest addons/dns-controller.addons.k8s.io/pre-k8s-1.6.yaml: error parsing yaml: error converting YAML to JSON: yaml: line 37: did not find expected key
This lets us configure cross-project permissions while ourselves needing
minimal permissions, but also gives us a nice hook for future lockdown
of object-level permissions.
This ensures that the cluster can read the kops state store files, even
if the GCS bucket is in a different project.
We automatically set up an IAM access policy that grants access.
Automatic merge from submit-queue.
Implement DigitalOcean Droplet FI Task
Implements cloudup fi tasks for DigitalOcean droplets. It makes a few assumptions to reduce the size of this PR, those will be addressed in future PRs.
Also does some cleanup in the DigitalOcean `dns` package.
Automatic merge from submit-queue.
UsePolicyConfigMap for kube-scheduler
Continued from #3546
In this version, a single option `usePolicyConfigMap` is added that will install scheduler.addons.k8s.io, which contains a default configmap.
Automatic merge from submit-queue.
adding kubernetes core rate limiter handlers
This PR is re-using the handlers from the k8s core project to create global rate limiting.
This work starts work on https://github.com/kubernetes/kops/issues/3471
Automatic merge from submit-queue.
Initial aggregation work
Create the keypairs, which are supposed to be signed by a different CA.
Set the `--requestheader-...` flags on apiserver.
Fix #3152, Fix #2691
* Stop setting the Name tag on a shared subnet/vpc
* Stop setting the legacy KubernetesCluster tag on a shared subnet/vpc
that is new enough (>=1.6); we rely on the shared tags instead
* Set tags on shared subnets; i.e. we _do_ set the shared tag on a
shared subnet; that is important for ELBs
* Set tags on shared VPCs; i.e. we _do_ set the shared tag on a shared
VPC; that is not used but consistent with subnets.
* Add tests for shared subnet
Automatic merge from submit-queue.
Add Cloud Controller Manager addon
This adds the CCM addon for the Kubernetes cluster.
This is a follow-up PR to https://github.com/kubernetes/kops/pull/3408.
cc @chrislovecnm @andrewsykim
Automatic merge from submit-queue.
Add Calico v2.5 support for Kubernetes v1.8+
Added support for Canal (Calico) v2.5.1, which is required to work with Kubernetes v1.8.0+.
Older versions of Calico relied on the ThirdPartyResources API to store its config data; however, this is now fully deprecated in Kubernetes v1.8 and has moved over to CustomResourceDefinitions (CRD). Calico v2.5+ has been updated to use CRD; however, there is a manual upgrade process involved to migrate the configuration data across: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md
including a Weave Net template for Kubernetes 1.7 and above which adds
a volume-mount for the iptables lock file, which avoids collisions
between Weave components and kube-proxy that would result in a
half-configured Weave network.
This is only for version 1.7 and above because it requires the change
in https://github.com/kubernetes/kubernetes/issues/47212
Automatic merge from submit-queue.
Use system:kube-router User for clusterrole binding
Kube-router, as it provides the service proxy as well, has a chicken-and-egg problem (it cannot
access the api server until it can set up the service proxy), so service accounts are not usable. The certificate generated for kube-router has CN `system:kube-router`, so user `system:kube-router` needs to be given the necessary RBAC permissions.
Fixes #3463
Automatic merge from submit-queue.
Initial bazel support
Builds on the 1.8 version bump
The "trick" is to strip the BUILD & BUILD.bazel files from the vendor-ed deps.
Will rebase after 1.8 version bump merges.
Automatic merge from submit-queue.
Update kube-dns to 1.14.5 for CVE-2017-14491
As described: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Not sure if it'd be possible to cut a new 1.7 release with this or something to give people a quick fix.
Current work around would be to manually update the addons in s3. For those who may reference this, simply upgrading to 1.7.7 will not fix this in kops.
### Edit
~ @chrislovecnm
Please see https://github.com/kubernetes/kops/issues/3512 for more information on how to address these concerns with current kops releases. We are still in the process of testing this release of kube-dns, which is a very critical component of kubernetes.
Automatic merge from submit-queue.
Add Zones field to InstanceGroup
The Zones field can specify zones where they are not specified on a
Subnet, for example on GCE where we have regional subnets.