Automatic merge from submit-queue.
Add audit log format flag for api server
In kubernetes 1.8, a flag for audit-log format has been added, this flag can be set to `legacy` or `json` format on the kubernetes API server.
Automatic merge from submit-queue.
Support for OIDC 'username-prefix' and 'groups-prefix' flags
### What
Added support for `--oidc-username-prefix` and `--oidc-groups-prefix`.
By passing these it's possible to override the default prefixes used to map the OIDC user with the username in kubernetes.
### See
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
### IMPORTANT
I'm far from a kubernetes/KOPS, this is not tested so someone needs to have a look and see if something is missing or if this can cause troubles! (don't want to accidentally cause the destruction of the universe 💥 )
It's basically the same done in this other PR: https://github.com/kubernetes/kops/pull/1438/files
I did **not** change the `zz_generated.conversion.go` files as according to comment at the top of them they're autogenerated:
```go
// This file was autogenerated by conversion-gen. Do not edit it manually!
```
(I wonder if they should be `.gitignore`d)
### Fixes
This should fix [#4007: field oidcUsernamePrefix is not recognized in cluster configuration file](https://github.com/kubernetes/kops/issues/4007)
Automatic merge from submit-queue.
Allow disabling kube-proxy
This adds the ability to turn off kube-proxy.
My specific use case is the usage of a custom CNI.
Automatic merge from submit-queue.
Initial aggregation work
Create the keypairs, which are supposed to be signed by a different CA.
Set the `--requestheader-...` flags on apiserver.
Fix#3152Fix#2691
Automatic merge from submit-queue. .
Support encryption-at-rest for the kube-apiserver
This PR adds support for enabling encryption-at-rest for data in etcd, via the kube-apiserver (as per https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data).
I've put the functionality behind a feature flag, `+EnableDataEncryption`. It can then be enabled per-cluster by using `--enable-encryption-config` on the command line, or by adding a `kubeEncryptionConfig` section to the cluster spec. This is passed through to the kube-apiserver by the nodeup process. I'm not sure if this is the best way of doing it right now, but it is working.
Fixes#3356.
- add a new kops secret command to store encryption config
- add the experimential-encryption-provider-config flag to the kube-apiserver
- add functionality to nodeup to create the stored encryption config in the correct path
This is part I of multi part Pull Request to enable the
cloud-controller-manager through kops. This specific PR introduces the
cloud-controller-manager api, and puts it behind a feature flag.
Please feel free to merge this.
Automatic merge from submit-queue
Additional Kubelet Options
This PR add additional options to the kubelet spec allowing users to set the --runtime-request-timeout and -volume-stats-agg-period
In related to issue https://github.com/kubernetes/kops/issues/3265
The current implementaton does not permit the user to specify the kubelet read-only port (which unset defaults to 10255). Note security reasons we need this port switched off i.e. 0. This PR retains the default behaviour but adds the readOnlyPort as an options for those whom need to override.
podInfraContainerImage: gcr.io/google_containers/pause-amd64:3.0
podManifestPath: /etc/kubernetes/manifests
+ readOnlyPort: 0
registerSchedulable: false
requireKubeconfig: true
This enables external admission controller webhooks, api aggregation,
and anything else that relies on the
--proxy-client-cert-file/--proxy-client-key-file apiserver args.
The current implementation does not put any transport security on the etcd cluster. The PR provides and optional flag to enable TLS the etcd cluster
- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as its no longer required
- added additional integretion tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters, i'm gonna hit the coreos board to ask for the best options
- fixed any of the vettting / formatting issues that i'm came across on the update
- removed the commented out lines from the componentconfig as it make its increasingly difficult to find what is supported, what is not and the difference between them.
- added SerializeImagePulls, RegisterSchedulable to kubelet (by default they are ignored)
- added FeatureGates to the kube-proxy
Out of interest can someone point me to where these multi-versioned componentconfig are being used?
- adding the options to permit adjusting the cluster to use auth on the kubelet
- for testing i've used kubelet-client-certificate and kubelet-client-key to /srv/kubernetes/server.{cert,key} and
setting the --client-ca-file on the node kubelet to /srv/kubernetes/ca.crt (tested as working).
- note i'm not enforcing anything i.e. the user has to edit the cluster and apply the configuration on the kubelet and kubeAPIServer in the cluster spec
* Add support of CoreDNS for vSphere provider.
* Add instructions about how to setup CoreDNS for vSphere provider.
* Address comments for CoreDNS support code.
Ian Hoegen
Brian Schultz
Kubernetes Submit Queue
Purandare, Aditya
Aldo "xoen" Giambelluca
Isac Petruzzi
King'ori Maina
Justin Santa Barbara
Johannes 'fish' Ziemke
Diego Woitasen
Manatsawin Hanmongkolchai
Rohith
Rodrigo Menezes
Mike Splain
georgebuckerfield
wlan0
Robin Percy
Torin Sandall
Austin Moore
alexandrst88
Chris Love
Abrar Shivani
Miao Luo