Commit Graph

44 Commits

Author SHA1 Message Date
Rohith 2d5bd2cfd9 - update the IAM policy to ensure the kubelet permission is skipped
- update the PKI to ensure on new clusters the certificate is not created
2018-06-11 09:57:26 +01:00
Kashif Saadat d665bfdcd4 Remove custom Statement IDs from IAM Policy Statements. 2018-04-10 15:33:08 +01:00
Justin Santa Barbara 7b0ac91cdb Avoid collisions in IAM ids
Fix #4951
2018-04-09 23:43:11 -04:00
Justin Santa Barbara dde7600dae Initial support for standalone etcd-manager backups
The etcd-manager will (ideally) take over etcd management.  To provide a
nice migration path, and because we want etcd backups, we're creating a
standalone image that just backs up etcd in the etcd-manager format.

This isn't really ready for actual usage, but should be harmless because
it runs as a sidecar container.
2018-02-20 20:06:08 -05:00
Rohith c8e4a1caf8 Kubernetes Calico TLS
The current implementation when Etcd TLS was added does not support using calico as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate
2018-02-14 23:41:45 +00:00
Shane Starcher fc022db0cf master node requires DescribeRegions when using a bucket from another account 2018-02-08 08:15:41 -05:00
Caleb Gilmour 1e74216b94 Update route-related IAM permissions for Romana 2018-02-02 00:37:46 +00:00
Mikael Knutsson 1dbd435019 Fix ASG scaling by adding in ec2:DescribeRegions permission 2018-01-22 17:11:49 +08:00
Albert c52472cfa8 Add support for cn-northwest-1. 2017-12-27 15:37:09 +08:00
Kubernetes Submit Queue 15c7d61dfb
Merge pull request #3997 from aledbf/amazon-vpc-cni
Automatic merge from submit-queue.

Add support for Amazon VPC CNI plugin

TODO:
- [x] IAM perms so that the CNI provider only has perms for the nodes in the cluster
- [x] Cleanup of security groups
- [ ] Replace image aledbf/k8s-ec2-srcdst:v0.1.0-5 with the official after https://github.com/ottoyiu/k8s-ec2-srcdst/pull/5 and https://github.com/ottoyiu/k8s-ec2-srcdst/pull/6
2017-12-17 21:41:13 -08:00
Manuel de Brito Fontes 2e05dd17aa Add support for Amazon VPC CNI plugin 2017-12-17 18:08:24 -03:00
Eric Hole 59bc52a05a Adds permissions for ELB and NLB req'd by 1.9 2017-12-17 13:03:54 -08:00
Robin Percy 6a2ded4681 Adding DescribeTags to masters 2017-12-13 11:48:24 -08:00
Manuel de Brito Fontes 683799c9ab Add missing permissions for NLB creation 2017-12-01 08:56:55 -03:00
Fabricio Toresan d4eef657d6 Changing the prefix of the ResourceTag condition to match the one specified in the ASG documentation 2017-11-18 09:17:07 -02:00
Kashif Saadat 029d0c0393 Add Node IAM permissions to access kube-router key in S3. 2017-11-09 09:57:02 +00:00
chrislovecnm d71f53d4b5 fixing panic with iam unit tests 2017-11-06 13:36:45 -07:00
Caleb Gilmour d2b8741455 Add additional Describe permissions required for Romana CNI 2017-11-06 09:31:09 +00:00
Kashif Saadat 1dea528a0e Update IAM roles documentation based on recent changes. 2017-10-30 16:41:55 +00:00
Kashif Saadat 5bfb22ac92 Make the IAM ECR Permissions optional, can be specified within the Cluster Spec. 2017-10-24 09:20:17 +01:00
Kashif Saadat 28c4b7aca9 Add IAM Permissions so nodes can access AWS ECR 2017-10-23 10:11:27 +01:00
chrislovecnm 2e6b7eedb9 Revision to IAM Policies created by Kops, and wrapped in Cluster Spec
IAM Legacy flag.
2017-09-15 08:05:23 +01:00
Kubernetes Submit Queue ec074bb473 Merge pull request #3346 from rushtehrani/update-autoscaling-policy
Automatic merge from submit-queue

add autoscaling:DescribeLaunchConfigurations permission

As of 0.6.1, Cluster Autoscaler supports [scaling node groups from/to 0](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#scaling-a-node-group-to-0), but requires the `autoscaling:DescribeLaunchConfigurations` permission.  

It'd be great to have this in kops since this permission needs to be re-added back to the master policy every time the cluster is updated.
2017-09-14 18:17:42 -07:00
Justin Santa Barbara 7b5510028a Add CreateSecurityGroup permission
Also document the available filtering for the methods we use.
2017-09-10 19:14:41 -04:00
rushtehrani db505adb65 add autoscaling:DescribeLaunchConfigurations action 2017-09-05 23:41:19 -07:00
Kubernetes Submit Queue fdce8b4b7b Merge pull request #3186 from KashifSaadat/limit-master-ec2-policy
Automatic merge from submit-queue

Limit the IAM EC2 policy for the master nodes

Related to: https://github.com/kubernetes/kops/pull/3158

The EC2 policy for the master nodes is quite open currently, allowing them to create/delete/modify resources that are not associated with the cluster the node originates from. I've come up with a potential solution using condition keys to validate that the `ec2:ResourceTag/KubernetesCluster` matches the cluster name.
2017-08-28 02:00:46 -07:00
Kashif Saadat d6e5a62678 Limit the IAM EC2 policy for the master nodes, wrapped in 'Spec.IAM.LegacyIAM' API flag. 2017-08-26 11:46:09 +01:00
Rohith 0dc4e5e4dc Kops Secrets on Nodes
The current implementation permits nodes access to /secrets/* though the nodes themselves do [not](https://github.com/gambol99/kops/blob/secrets/nodeup/pkg/model/secrets.go#L77-L79) require access. This PR changed the ACL on the iam policy to deny access for nodes to /secrets/*
2017-08-25 19:47:37 +01:00
Kashif Saadat 0e5c393f10 Rename IAM switch to legacy, default to false for new cluster creations. 2017-08-22 13:27:55 +01:00
Kashif Saadat 0aac9b7f8d Allow the strict IAM policies to be optional, default to original behaviour (not-strict) 2017-08-22 13:27:54 +01:00
Kashif Saadat fd0ce236dc Remove node requirement to access private ca and master keys in S3 2017-08-11 16:12:32 +01:00
Kashif Saadat cd149414df Tighten down S3 IAM policy statements 2017-08-11 11:51:46 +01:00
amdonov e0428207cc Properly set IAM prefix for GovCloud 2017-07-08 00:03:22 -04:00
Justin Santa Barbara 3c6689b5b0 Always grant route53 ListHostedZones permission 2017-06-19 14:16:35 -04:00
Justin Santa Barbara 5955467be0 Default to loadbalancer ingress for gossip dns
DNS ingress won't work anyway.
2017-06-19 14:16:35 -04:00
Justin Santa Barbara 864a999602 Fix automatic private DNS zone creation
We have to defer creation of the IAM policy until we have created the
hosted zone.

Fix #2444
2017-04-29 17:01:18 -04:00
Justin Santa Barbara cb4641fea3 Code updates 2017-03-16 02:40:50 -04:00
Jakub Paweł Głazik cd795d0c8c Resolve DNS Hosted Zone ID while building IAM policy
Fixes #1949
2017-02-23 11:45:58 +01:00
Jakub Paweł Głazik a3019905a1 Merge remote-tracking branch 'origin/master' into iam-route53-scoping 2017-02-17 10:52:04 +01:00
Justin Santa Barbara dc9a343434 Support string-or-slice in IAM policies
Fix #1920
2017-02-16 22:24:28 -05:00
Jakub Paweł Głazik f50f010d2f Scope route53 permissions to DNS_ZONE only 2017-02-15 22:34:04 +01:00
Sergio Ballesteros 9e9c0c105b Add autoscaling policy to master role 2017-01-25 17:18:10 +01:00
Justin Santa Barbara 51a4adb555 Create stub IAM policy for bastions 2016-12-18 21:56:57 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
2016-12-18 21:56:57 -05:00