122 Commits

Author SHA1 Message Date
Ciprian Hacman a3a0b91b5f Order policy document sections alphabetically 2020-11-04 16:15:00 +02:00
John Gardiner Myers 2ac17bee69 Remove code for no-longer-supported k8s releases 2020-10-29 16:45:53 -07:00
Ciprian Hacman 2c15acfa44 Enable Calico AWS src/dest check permissions when CrossSubnet is set 2020-10-10 04:17:19 +03:00
Ciprian Hacman d0349fd6bb Open etcd port only when Calico uses "etcd" datastore 2020-10-09 09:33:38 +03:00
monicagangwar a63ccd5163 [calico] awsSrcDstCheck to disable src/dest checks in AWS
* replacing k8s-ec2-srcdst with calico's config awsSrcDstCheck and
  flag FELIX_AWSSRCDSTCHECK
* documentation and iam changes for calico awsSrcDstCheck
2020-10-08 17:17:23 +05:30
Peter Rifel d4d4545345 Add AWS partition support to iam service account roles 2020-09-17 10:01:27 -05:00
Justin SB 6fa8be2716 JSON formatting of IAM: Workaround for optional fields
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
2020-09-09 09:57:07 -04:00
Justin Santa Barbara d8895c57ec Add version logic to UseServiceAccountIAM
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:07 -04:00
Justin SB a61ecf4c58 Refactor to use interface for iam Subjects
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB 8498ac9dbb Create PublicJWKS feature flag
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens.  But it shouldn't need a second bucket or anything of that
nature.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Justin SB 5d1e7bcf82 Refactor IAM route53 construction
This helps for the JWKS / ServiceAccount role support.
2020-09-01 11:34:42 -04:00
Justin SB 786423f617 Expose JWKS via a feature-flag
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access).  This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 10:15:11 -04:00
Justin SB b158ffab04 Refactor: KopsModelContext embeds IAMModelContext
go syntax makes this an annoying change, unfortunately.
2020-08-25 11:22:34 -04:00
Peter Rifel 7d9f0a06cf Update API slice fields to not use pointers
This is causing problems with the Kubernetes 1.19 code-generator.
A nil entry in these slices wouldn't be valid anyways, so this should have no impact.
2020-08-24 07:46:38 -05:00
John Gardiner Myers ba96a84926 Don't give access to calico-client key when not needed 2020-08-18 13:45:27 -07:00
John Gardiner Myers 07220797b4 Issue the cilium etcd client cert out of kops-controller 2020-08-17 21:15:34 -07:00
John Gardiner Myers b6947ccaee Use kops-controller to issue kube-router cert 2020-08-16 23:40:38 -07:00
John Gardiner Myers 8e43c1d637 Use kops-controller to issue kube-proxy cert 2020-08-16 23:36:42 -07:00
Peter Rifel 4d9f0128a3 Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers c5871df319 Get kubelet certificate from kops-controller 2020-08-15 10:30:20 -07:00
Ole Markus With 2fd6e52af7 Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-06-27 07:43:30 +02:00
Ole Markus With 51235b2edc Deploy cilium etcd credentials if the cilium cluster exists 2020-06-27 07:11:19 +02:00
Ole Markus With acaa1e1dfc Implement VFS for vault 2020-06-18 13:02:37 +02:00
Justin SB 0351590512 IAM: Refactor vfs-access logic so we can see the required readable paths
This will enable us to apply similar restricted permissions on GCE and
other clouds.
2020-06-11 00:41:57 -04:00
Justin SB 1e559618f5 Ensure we have IAM bucket permissions to other S3 buckets
If we are expected to write to other buckets, we need to have suitable
permissions to e.g. determine their location.
2020-06-04 22:37:17 -04:00
Ole Markus With 991549a5f4 Remove support for Romana 2020-06-03 08:23:53 +02:00
Ciprian Hacman 00cbbce2b5 Allow listing versions for objects in the S3 bucket 2020-05-29 08:50:56 +03:00
Ciprian Hacman d54aadc89c Fix nits for removal of S3 file versions 2020-05-28 06:50:32 +03:00
Ole Markus With 869ab75dea Use etcd-manager for the cilium etcd cluster 2020-04-16 08:42:59 +02:00
Matteo Ruina 0e66339d11 Add missing ec2:DescribeInstanceTypes policy 2020-03-17 17:10:00 +01:00
Ole Markus With ced8f00201 Add option to use ENI as IPAM mode for Cilium
* Force cilium-operator run on master nodes
* Add option for setting cilium ipam mode
* If cilium ipam mode is eni, add additional permissions to master nodes
* Allow NonMasqueradeCIDR overlap with NetworkCIDR when Cilium ENI is enabled
2020-02-16 19:11:01 +01:00
Peter Rifel bf42bb0e43 Update IAM permissions for amazon-vpc-cni-k8s 1.6.0 2020-02-13 11:10:38 -06:00
Lee Azzarello 441cd2523c remove comment 2020-01-17 17:17:30 -08:00
Lee Azzarello 23cf0dd59e use IAMPrefix() for hostedzone 2020-01-17 14:48:52 -08:00
Matteo Ruina 46ba9ff605 Add missing IAM permission 2019-10-31 15:29:12 +01:00
Kubernetes Prow Robot e35e9cc7ab Merge pull request #7580 from michalschott/master
Updating master IAM policies.
2019-09-23 10:43:24 -07:00
Kubernetes Prow Robot 3b9821d5c5 Merge pull request #7474 from nebril/cilium-standalone
Change Cilium templates to standalone version
2019-09-18 14:01:00 -07:00
Michal Schott c2d5c0fb91 Updating master IAM policies. 2019-09-13 13:07:52 +02:00
Maciej Kwiek 74e10dadec Change Cilium templates to standalone version
This commit doesn't include any Cilium configuration, just takes the
quick install yaml from
https://github.com/cilium/cilium/blob/v1.6.0/install/kubernetes/quick-install.yaml

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
2019-09-12 17:23:50 +02:00
Raymond Finch 8bfb0eb21b Fix 'unable to infer CloudProvider from Zones' for us-gov-east-1 2019-09-11 11:12:48 -07:00
mikesplain 9e55b8230a Update copyright notices
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Peter Rifel 79474ffc0b Upgrade AWS VPC CNI provider to 1.5.0
Released a few days ago: https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.5.0
2019-06-07 16:33:55 -07:00
Justin SB 76d03b3f71 Generated files: glog -> klog 2019-05-06 12:56:03 -04:00
Justin SB 3e33ac7682 Change code from glog to klog
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog.  That
will happen when we update to k8s 1.13.
2019-05-06 12:54:51 -04:00
Ryan Bonham 54ef99ef54 Update Tests 2019-04-30 09:15:08 -05:00
Ryan Bonham 9b03f36463 Support Scale from 0 with Launch Templates 2019-04-30 09:01:35 -05:00
Chris Stein 54a8c81718 use dynamic s3 prefix in addAmazonVPCCNIPermissions func 2019-04-08 15:36:45 -05:00
Kenjiro Nakayama 92689c51c6 Add permission for CreateTag on ENI to amazon-vpc-cni-k8s
Although amazon-vpc-cni-k8s adds tag to ENI, kops does not add the
permission. Hence it does not work by default.

This patch adds the permission for CreateTag on ENI to
amazon-vpc-cni-k8s's nodes policy.
2019-01-24 22:21:01 +09:00
Justin SB 26bd75aecb Bulk spelling fixes
Experimenting with my own spelling checker, these are the typos it caught.
2018-12-20 17:43:56 -05:00
Chris Phillips af7377d530 fix use of --networking in create cluster 2018-11-07 08:08:44 -08:00