We generate a kube-scheduler configuration file in the kops CLI, and
nodeup will use it if provided (instead of generating one).
We put the configuration file into the fileAssets.
Users can provide a kube-scheduler configuration in additional
objects, and this will be used as the base configuration (we add the
kubeconfig path).
Issue #13352
Co-authored-by: Ciprian Hacman <ciprian@hakman.dev>
We need to open up the ipip protocol, which wasn't previously enabled.
Future work could construct the firewall rules in a common library,
and then adapt them to the various clouds.
* 'sv' may have 'nil' or other unexpected value as its corresponding error variable may be not 'nil'
* Apply suggestions from code review
Co-authored-by: Ciprian Hacman <ciprian@hakman.dev>
Ensure apiserver role can only be used on AWS (because of firewalling)
Apply api-server label to CP as well
Consolidate node not ready validation message
Guard apiserver nodes with a feature flag
Rename Apiserver role to APIServer
Add an integration test for apiserver nodes
Rename Apiserver role to APIServer
Enumerate all roles in rolling update docs
Apply suggestions from code review
Co-authored-by: Steven E. Harris <seh@panix.com>
* refactor TargetLoadBalancer to use DNSTarget interface instead of LoadBalancer
* add LoadBalancerClass fields into api
* make api machinery
* WIP: Implemented API loadbalancer class, allowing NLB and ELB support on AWS for new clusters.
* perform vendoring related tasks and apply fixes identified from hack/
dissallow spotinst + nlb
remove reflection in status_discovery.go
Add precreated additional security groups to the Master nodes in case of NLB
Remove support for attaching individual instances to NLB; only rely on ASG attachments
Don't specify Classic loadbalancer in GCE integration test
* add utility function to the kops model context to make LoadBalancer comparisons simpler
* use DNSTarget interface when locating DNSName of API ELB
* wip: create target group task
* Consolidate TargetGroup tasks
* Use context helper for determining api load balancer type to avoid nil pointers
* Update NLB creation to use target group ARN from separate task rather than creating a TG in-line
* Address staticcheck and bazel failures
* Removing NLB Attachment tasks because they're not used since we switched to defining them as a part of the ASGs
* Address PR review feedback
* Only set LB Class field for AWS clusters, fix nil pointer
* Move target group attributes from NLB task to TG task, removing unused attributes
* Add terraform and cloudformation support for NLBs, listeners, and target groups
* Update integration test for NLB support
* Fix NLB name format to pass terraform validation
* Preserve security group rule names when switching ELB to NLB to reduce destructive terraform changes
* Use elbv2 enums and address some TODOs
* Set healthcheck values in target group
* Find TG tags, fix NLB name detection
* Fix more spurious changes reported by lifecycle integration test
* Fix spotinst validation, more code cleanup
* Address more PR feedback
* ReconcileTargetGroups unit test + more code simplification
* Addressing PR feedback Renaming task 1. awstasks.LoadBalancer -> awstasks.ClassicLoadBalancer
* Addressing PR feedback Renaming task: ELBName() -> CLBName() / LinkToELB() -> LinkToCLB()
* Addressing PR feedback: Various text changes
* fix export of kubecfg
* address TargetGroup should have the same name as the NLB
* should address error when fetching tags due to missing ARN
* Update expected and crds
* Add feature table to NLB docs
* Address more feedback and remove some TODOs that arent applicable anymore
* Update spotinst validation error message
Co-authored-by: Peter Rifel <pgrifel@gmail.com>
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens. But it shouldn't need a second bucket or anything of that
nature.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
This adds any labels defined in the Cluster spec's CloudLabels to the tags of the following AWS resource types:
Elastic IP
Internet Gateway
NAT Gateway
Route Table
Security Group
Subnet
VPC DHCP Options
VPC
Add tests for no ssh key functionality
Add docs for setting no ssh key
Disable sshKey rendering for cloudformation if nosshkey is set
Fix broken test
make goimports
Fix
Formatting fix
Update kubernetes version for tests
Update expected test output
Fix imports in mesh.pb.go
Run hack/update-expected.sh
Change digital ocean logic to handle *string for SSHKeyName
Fix expected output
Missed a few
With etcd-manager the DNS names should only be used by the
etcd-manager pod itself, so we don't need to share /etc/hosts with the
host.
By not sharing we avoid:
(1) the temptation to address etcd directly
(2) problems of concurrent updates to /etc/hosts being hard from within a container (because locking is difficult across bind mounts)
Introducing with kubernetes 1.17 to avoid changing behavior of existing versions.
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.
In 1.12 (kops & kubenetes):
* We default etcd-manager on
* We default to etcd3
* We default to full TLS for etcd (client and peer)
* We stop allowing external access to etcd
Peter Rifel
justinsb
John Gardiner Myers
Ciprian Hacman
Ole Markus With
Jason Haugen
Akiros001
Ciprian Hacman
Christian Joun
Kubernetes Prow Robot
Austin Moore
tanjunchen
mikesplain
Rohith
Rob Graham