Ole Markus With
ced8f00201
Add option to use ENI as IPAM mode for Cilium
...
* Force cilium-operator run on master nodes
* Add option for setting cilium ipam mode
* If cilium ipam mode is eni, add additional permissions to master nodes
* Allow NonMasqueradeCIDR overlap with NetworkCIDR when Cilium ENI is enabled
2020-02-16 19:11:01 +01:00
Peter Rifel
bf42bb0e43
Update IAM permissions for amazon-vpc-cni-k8s 1.6.0
2020-02-13 11:10:38 -06:00
Lee Azzarello
441cd2523c
remove comment
2020-01-17 17:17:30 -08:00
Lee Azzarello
23cf0dd59e
use IAMPrefix() for hostedzone
2020-01-17 14:48:52 -08:00
Matteo Ruina
46ba9ff605
Add missing IAM permission
2019-10-31 15:29:12 +01:00
Kubernetes Prow Robot
e35e9cc7ab
Merge pull request #7580 from michalschott/master
...
Updating master IAM policies.
2019-09-23 10:43:24 -07:00
Kubernetes Prow Robot
3b9821d5c5
Merge pull request #7474 from nebril/cilium-standalone
...
Change Cilium templates to standalone version
2019-09-18 14:01:00 -07:00
Michal Schott
c2d5c0fb91
Updating master IAM policies.
2019-09-13 13:07:52 +02:00
Maciej Kwiek
74e10dadec
Change Cilium templates to standalone version
...
This commit doesn't include any Cilium configuration, just takes the
quick install yaml from
https://github.com/cilium/cilium/blob/v1.6.0/install/kubernetes/quick-install.yaml
Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
2019-09-12 17:23:50 +02:00
Raymond Finch
8bfb0eb21b
Fix 'unable to infer CloudProvider from Zones' for us-gov-east-1
2019-09-11 11:12:48 -07:00
Peter Rifel
79474ffc0b
Upgrade AWS VPC CNI provider to 1.5.0
...
Released a few days ago: https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.5.0
2019-06-07 16:33:55 -07:00
Justin SB
3e33ac7682
Change code from glog to klog
...
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.
2019-05-06 12:54:51 -04:00
Ryan Bonham
9b03f36463
Support Scale from 0 with Launch Templates
2019-04-30 09:01:35 -05:00
Chris Stein
54a8c81718
use dynamic s3 prefix in addAmazonVPCCNIPermissions func
2019-04-08 15:36:45 -05:00
Kenjiro Nakayama
92689c51c6
Add permission for CreateTag on ENI to amazon-vpc-cni-k8s
...
Although amazon-vpc-cni-k8s adds tag to ENI, kops does not add the
permission. Hence it does not work by default.
This patch adds the permission for CreateTag on ENI to
amazon-vpc-cni-k8s's nodes policy.
2019-01-24 22:21:01 +09:00
Justin SB
26bd75aecb
Bulk spelling fixes
...
Experimenting with my own spelling checker, these are the typos it caught.
2018-12-20 17:43:56 -05:00
Chris Phillips
af7377d530
fix use of --networking in create cluster
2018-11-07 08:08:44 -08:00
Chris Phillips
2b9a56f8e6
rename to LyftVPC. Removes all the settings from the NetworkingSpec
2018-11-07 08:08:44 -08:00
Chris Phillips
3a8078763a
Adds support for Lyft's cni-ipvlan-vpc-k8s
...
https://github.com/lyft/cni-ipvlan-vpc-k8s
This cni solution is slightly different in that it doesn't require running a daemonset
It requires:
* a config file in /etc/cni/net.d
* the binaries in /opt/cni/bin
* adding the --node-ip param to the kubelet
This code is modeled after the AmazonVPC cni bits.
I've left the setup of the required subnets as an exercise to the reader.
2018-11-07 08:08:13 -08:00
Jay Eno
107b079cf6
Add permission to check encryption policy on root bucket.
2018-11-02 23:50:30 -06:00
Kelly Campbell
8132073ad9
Add elasticloadbalancing:DeregisterTargets permission to master policy
...
Without this permission, controller-manager gets the following error:
failed to ensure load balancer for service XXX: Error trying to
deregister targets in target group:
"AccessDenied: User: arn:aws:sts::XXX:assumed-role/masters...
is not authorized to perform: elasticloadbalancing:DeregisterTargets
on resource: arn:aws:elasticloadbalancing:XXX
2018-09-05 14:01:01 -04:00
Kashif Saadat
03e18d37af
Add AWS IAM permission to check for volume resize
2018-08-10 16:47:20 +01:00
Justin Santa Barbara
a7b22b4876
Remove GetAsgForInstance IAM permission
...
It isn't a valid IAM permission - it was introduced in error, but IAM
is kind enough to ignore it.
Fixes #5549
2018-08-02 11:27:29 -04:00
Kashif Saadat
2f0fdbc6d7
Add IAM ec2:ModifyVolume permission to allow EBS volume resize
2018-07-06 15:49:34 +01:00
k8s-ci-robot
f346efd290
Merge pull request #5240 from nebril/etcd-tls
...
Add etcd TLS support for Cilium
2018-06-21 09:23:37 -07:00
Maciej Kwiek
e1a0f4a73e
Etcd TLS support for Cilium
...
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
2018-06-20 14:27:24 +02:00
Justin Santa Barbara
ba6d14d1a8
GCE: Grant bucket permissions for etcd-manager
...
Unfortunately it has to be bucket level, because that is all that GCS
supports.
2018-06-14 17:50:16 -04:00
Justin Santa Barbara
8064f19fc4
Avoid changing IAM policy for users
...
Follow on to #5253, making it so that users that don't adopt bootstrap
kubelet config don't have their IAM policies change.
2018-06-12 11:58:08 -04:00
Rohith
d2bae64dd1
- adding the enable-bootstrap-token-auth to the kubeapi and fixing up the various components
2018-06-11 09:57:26 +01:00
Rohith
2d5bd2cfd9
- update the IAM policy to ensure the kubelet permission is skipped
...
- update the PKI to ensure on new clusters the certificate is not created
2018-06-11 09:57:26 +01:00
Kashif Saadat
d665bfdcd4
Remove custom Statement IDs from IAM Policy Statements.
2018-04-10 15:33:08 +01:00
Justin Santa Barbara
7b0ac91cdb
Avoid collisions in IAM ids
...
Fix #4951
2018-04-09 23:43:11 -04:00
Justin Santa Barbara
dde7600dae
Initial support for standalone etcd-manager backups
...
The etcd-manager will (ideally) take over etcd management. To provide a
nice migration path, and because we want etcd backups, we're creating a
standalone image that just backs up etcd in the etcd-manager format.
This isn't really ready for actual usage, but should be harmless because
it runs as a sidecar container.
2018-02-20 20:06:08 -05:00
Rohith
c8e4a1caf8
Kubernetes Calico TLS
...
The current implementation when Etcd TLS was added does not support using calico as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate
2018-02-14 23:41:45 +00:00
Shane Starcher
fc022db0cf
master node requires DescribeRegions when using a bucket from another account
2018-02-08 08:15:41 -05:00
Caleb Gilmour
1e74216b94
Update route-related IAM permissions for Romana
2018-02-02 00:37:46 +00:00
Mikael Knutsson
1dbd435019
Fix ASG scaling by adding in ec2:DescribeRegions permission
2018-01-22 17:11:49 +08:00
Albert
c52472cfa8
Add support for cn-northwest-1.
2017-12-27 15:37:09 +08:00
Kubernetes Submit Queue
15c7d61dfb
Merge pull request #3997 from aledbf/amazon-vpc-cni
...
Automatic merge from submit-queue.
Add support for Amazon VPC CNI plugin
TODO:
- [x] IAM perms so that the CNI provider only has perms for the nodes in the cluster
- [x] Cleanup of security groups
- [ ] Replace image aledbf/k8s-ec2-srcdst:v0.1.0-5 with the official after https://github.com/ottoyiu/k8s-ec2-srcdst/pull/5 and https://github.com/ottoyiu/k8s-ec2-srcdst/pull/6
2017-12-17 21:41:13 -08:00
Manuel de Brito Fontes
2e05dd17aa
Add support for Amazon VPC CNI plugin
2017-12-17 18:08:24 -03:00
Eric Hole
59bc52a05a
Adds permissions for ELB and NLB req'd by 1.9
2017-12-17 13:03:54 -08:00
Robin Percy
6a2ded4681
Adding DescribeTags to masters
2017-12-13 11:48:24 -08:00
Manuel de Brito Fontes
683799c9ab
Add missing permissions for NLB creation
2017-12-01 08:56:55 -03:00
Fabricio Toresan
d4eef657d6
Changing the prefix of the ResourceTag condition to match the one specified in the ASG documentation
2017-11-18 09:17:07 -02:00
Kashif Saadat
029d0c0393
Add Node IAM permissions to access kube-router key in S3.
2017-11-09 09:57:02 +00:00
chrislovecnm
d71f53d4b5
fixing panic with iam unit tests
2017-11-06 13:36:45 -07:00
Caleb Gilmour
d2b8741455
Add additional Describe permissions required for Romana CNI
2017-11-06 09:31:09 +00:00
Kashif Saadat
1dea528a0e
Update IAM roles documentation based on recent changes.
2017-10-30 16:41:55 +00:00
Kashif Saadat
5bfb22ac92
Make the IAM ECR Permissions optional, can be specified within the Cluster Spec.
2017-10-24 09:20:17 +01:00
Kashif Saadat
28c4b7aca9
Add IAM Permissions so nodes can access AWS ECR
2017-10-23 10:11:27 +01:00