Automatic merge from submit-queue
Etcd TLS Options
The current implementation does not put any transport security on the etcd cluster. The PR provides an optional flag to enable TLS on the etcd cluster.
- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely as it is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as it's no longer required
- added additional integration tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters, I'm gonna hit the coreos board to ask for the best options
- added the master option back to protokube, updating the nodeup model and protokube code
- removed any comments not related to the PR as suggested
- reverted the ordering of the mutex in the AWSVolumes in protokube
Automatic merge from submit-queue
Fix for Canal Taints and Tolerations
This PR fixes issues with taints and tolerations for the Canal network type.
There are 2 problems:
1. Canal pods will not schedule onto dedicated instancegroups due to their too-strict tolerations. A similar fix for calico was merged recently #3097 - this is the same fix for Canal instead.
2. When booting a cluster with 1.7.0 we ran into the same issue mentioned in projectcalico/canal#77 and likely experienced in #2856. Specifically one of our dedicated instancegroups and the master nodes had no Taints attached. To mitigate we simply bump the versions of calico/node and calico/cni to match the versions that resolved projectcalico/canal#77.
When using these fixes to boot our k8s 1.7.3 cluster with this branch the Taints showed up and Calico scheduled on our masters and our dedicated IG.
I am not sure if there are associated tests that need to be updated here - still not familiar enough with the kops repo to tell.
Automatic merge from submit-queue
Fixing clusterautoscaler rbac
Fixes #3144
I have tested on my cluster and it can now update the status of the pods. I'm not sure if it also needs the permission to `patch` on the `endpoint`
Maybe someone with better RBAC knowledge can pick up on this? @chrislovecnm
I also gave the file some pretty treatment.. sorry habit
Automatic merge from submit-queue
Rename OWNERS assignees: to approvers:
They are effectively the same, assignees is deprecated
ref: kubernetes/test-infra#3851
I broke this into two commits around vendor/ because I'm not sure it's kosher to be editing vendored OWNERS directly. ref: kubernetes/test-infra#3694
ref: https://github.com/kubernetes/gengo/pull/71 for the gengo OWNERS changes if that's the more appropriate route to go
Previously the configuration has been written after docker has been started and
was actually only applied after a reboot.
Manually reload system and restart docker to ensure the configuration has been
applied.
Automatic merge from submit-queue
Configure docker on CoreOS/ContainerOS
While the installation of docker should be skipped, docker should still be
configured to allow overriding the docker config using kops.
Fixes https://github.com/kubernetes/kops/issues/3057
//cc @aledbf
Automatic merge from submit-queue
adding warning about --full
This starts work on https://github.com/kubernetes/kops/issues/2290. Adds a warning to deter users from using YAML generated by --full.
Automatic merge from submit-queue
Update kube-proxy to handle aws returning multiple hostnames
Amazon's DHCP service supports returning a space separated list of hostnames. This patch makes sure to split the domains first before picking the hostname override.
Closes #3060.
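As an added illustration of the change described above (example code written for this page, not kops' kube-proxy patch), the helper below takes the raw value the AWS metadata service returns, keeps only the first whitespace-separated entry, and then validates that the result is a usable DNS-1123 name before it would be handed to `--hostname-override`. The function names and the sample inputs are assumptions for the example; the second sample mimics the multi-hostname case the PR is about.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dnsName is a DNS-1123 subdomain: lowercase labels of [a-z0-9-] joined by dots.
// A hostname override that fails this check would give the node a bogus name.
var dnsName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// hostnameOverride picks the hostname to use from a metadata value that may
// contain several space-separated hostnames. It returns the first entry,
// lowercased, or an error when no valid hostname is present.
// (Hypothetical helper for this example, not the kops implementation.)
func hostnameOverride(raw string) (string, error) {
	fields := strings.Fields(raw) // splits on any run of whitespace, including newlines
	if len(fields) == 0 {
		return "", fmt.Errorf("no hostname found in metadata value %q", raw)
	}
	host := strings.ToLower(fields[0])
	if len(host) > 253 || !dnsName.MatchString(host) {
		return "", fmt.Errorf("hostname %q is not a valid DNS-1123 name", host)
	}
	return host, nil
}

func main() {
	// Constructed sample values, in the shape the EC2 metadata service returns.
	samples := []string{
		"ip-10-0-1-23.eu-west-1.compute.internal",
		"ip-10-0-1-23.eu-west-1.compute.internal ip-10-0-1-23.corp.example.internal",
		"  \n",
		"Bad_Host ip-10-0-1-24.eu-west-1.compute.internal",
	}
	for _, s := range samples {
		h, err := hostnameOverride(s)
		fmt.Printf("%-80q -> %q err=%v\n", s, h, err)
	}
}
```

Without the split, the whole two-hostname string would have been passed as a single node name and failed validation downstream; taking the first field restores the behaviour kops had on single-hostname instances.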
Automatic merge from submit-queue
added wider toleration to calico-node daemonset (#2857)
Calico pod needs to run on all nodes, regardless of their taints. Otherwise the node cannot join the cluster. See #2857 for more discussion. This commit was originally b66b6260e7 by @ca16. It's also similar to the PR that kube-aws recently merged: https://github.com/kubernetes-incubator/kube-aws/pull/687/files.
Would you mind merging this to 1.7 branch too?
Automatic merge from submit-queue
Add `kops create secret dockerconfig` feature
This adds a well-known secret name `dockerconfig` which will automatically
be used if present to create `/root/.docker/config.json` on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
Automatic merge from submit-queue
Vetting / Formatting / Cleanup
- fixed any of the vetting / formatting issues that I came across on the update
- removed the commented out lines from the componentconfig as it makes it increasingly difficult to find what is supported, what is not and the difference between them.
- added SerializeImagePulls, RegisterSchedulable to kubelet (by default they are ignored)
- added FeatureGates to the kube-proxy
- fixed the vetting issue with NodeUpConfig -> Config
- added the aws london regions for cloud provider lookup
Out of interest can someone point me to where these multi-versioned componentconfig are being used?
Automatic merge from submit-queue
docs/topology - Fix the rolling-update command
This patch updates the `kops rolling-update` command which should be
run after making changes to the API server topology.
Fixes #3093
Signed-off-by: M S Vishwanath Bhat <msvbhat@gmail.com>
Automatic merge from submit-queue
remove source/destination check requirement for kube-router from docs
Kube-router automatically disables source/destination checks for the AWS
EC2 instances now, so the user need not perform this explicitly.
Fixed as part of https://github.com/cloudnativelabs/kube-router/issues/35
Automatic merge from submit-queue
Fix Wildcard domains returned as ASCII in dns-controller
After running into https://github.com/kubernetes/kops/issues/2671 whenever dns-controller restarted, I looked into why dns-controller successfully creates entries for wildcard domains (e.g. `*.example.com`) but after restarting, it errors, unable to find the old record. It looks like Amazon returns ASCII `\052.example.com` instead of the `*.example.com` we expect. This was a simple fix I tested in our cluster and it seems to have fixed the issue. I'm open to any changes but I think this could be a useful fix for those that may run into this in the future.
This isn't a new thing apparently: https://github.com/boto/boto/issues/818
Fixes https://github.com/kubernetes/kops/issues/2671
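As an added example of the normalisation the fix above needs (written for this page, not the dns-controller code), the helper below decodes the octal escapes Route53 uses for characters such as `*` (returned as `\052`), strips the trailing dot, and compares the result case-insensitively with the name the controller expects. It goes slightly beyond the single `\052` case by decoding any three-digit octal escape, which is the general form of the Route53 encoding; the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// normalizeRoute53Name converts a record name as the Route53 API returns it
// into the form a user writes it: octal escapes such as \052 become the
// literal byte ('*'), and the trailing dot is removed so that a lookup for
// "*.example.com" matches. Escapes that are not three octal digits are kept
// verbatim. (Hypothetical helper for this example, not dns-controller's own.)
func normalizeRoute53Name(name string) string {
	var b strings.Builder
	for i := 0; i < len(name); i++ {
		c := name[i]
		if c == '\\' && i+3 < len(name) {
			// Try to parse the next three characters as an octal byte value.
			if v, err := strconv.ParseUint(name[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(c)
	}
	return strings.TrimSuffix(b.String(), ".")
}

// sameRecord reports whether a name returned by Route53 refers to the record
// the controller manages under the expected (user-written) name.
func sameRecord(fromAPI, expected string) bool {
	return strings.EqualFold(normalizeRoute53Name(fromAPI), normalizeRoute53Name(expected))
}

func main() {
	// Constructed sample values mimicking Route53 ListResourceRecordSets output.
	for _, n := range []string{`\052.example.com.`, "api.example.com.", `\100.example.com.`} {
		fmt.Printf("%-22s -> %s (matches wildcard: %v)\n", n, normalizeRoute53Name(n), sameRecord(n, "*.example.com"))
	}
}
```

Comparing through `sameRecord` rather than on the raw API string is what keeps the controller from treating its own wildcard record as missing after a restart and creating a duplicate.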
Automatic merge from submit-queue
AWS: root volume provisioned IOPS support
It is possible to set `rootVolumeType: gp2` so an instance group will use `gp2` as disk type (https://github.com/kubernetes/kops/blob/master/docs/instance_groups.md)
If the option is set to `rootVolumeType: io1` then the below error is thrown when building the cluster:

```
W0731 13:44:44.298875 8784 executor.go:109] error running task "LaunchConfiguration/master-eu-west-1a.masters.cluster.name" (9m48s remaining to succeed): error creating AutoscalingLaunchConfiguration: ValidationError: Iops is required for a provisioned IOPS volume.
status code: 400, request id: 072e23b2-75ee-11e7-968a-191d6f6e9343
```
This PR tries to address this so if anyone needs, it can use `io1` as disk type for the root volume.
In order to define the number of IOPS, set `rootVolumeIops: <number>` (minimum is 100).
If `rootVolumeType: io1` is set and `rootVolumeIops` is not defined, then `rootVolumeIops` defaults to 100.
I am not quite familiar with the Kops codebase and this is my first encounter with Go, so some changes might not be suitable (I also do not have a software developer background so bear with me :) ). Please review and add feedback.
I've included a small change to the Makefile as I compiled Kops on a Mac and didn't have $GOPATH set after installing Go. I thought that pulling this via `go env` would be more flexible, but I am not 100% sure as I don't do much development in this area and not sure about possible use cases.
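As an added example of the defaulting and validation rule the PR describes (example code for this page, not the kops implementation), the function below resolves the IOPS value for a root volume: `io1` without `rootVolumeIops` gets the default of 100, an explicit value below 100 is rejected before the launch configuration is ever sent to AWS, and for other volume types the field is simply not used. The struct and function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
)

// defaultRootVolumeIops is the value applied when rootVolumeType is io1 and
// rootVolumeIops is unset; it is also the minimum the PR accepts.
const defaultRootVolumeIops int32 = 100

// RootVolumeSpec mirrors the two instance-group fields involved.
// (Hypothetical type for this example, not the kops API struct.)
type RootVolumeSpec struct {
	Type string // e.g. "gp2" or "io1"
	Iops *int32 // nil when rootVolumeIops was not set
}

// resolveRootVolumeIops returns the IOPS value to place on the launch
// configuration, or nil when the volume type does not take one. Validating
// here surfaces a clear error instead of the AWS ValidationError seen in the
// PR description.
func resolveRootVolumeIops(spec RootVolumeSpec) (*int32, error) {
	if spec.Type != "io1" {
		// Only provisioned-IOPS volumes carry an Iops setting; ignore it otherwise.
		return nil, nil
	}
	if spec.Iops == nil {
		v := defaultRootVolumeIops
		return &v, nil
	}
	if *spec.Iops < defaultRootVolumeIops {
		return nil, fmt.Errorf("rootVolumeIops must be at least %d for rootVolumeType io1, got %d",
			defaultRootVolumeIops, *spec.Iops)
	}
	return spec.Iops, nil
}

func main() {
	// Constructed sample instance-group settings.
	low := int32(50)
	high := int32(4000)
	specs := []RootVolumeSpec{
		{Type: "gp2"},
		{Type: "io1"},
		{Type: "io1", Iops: &high},
		{Type: "io1", Iops: &low},
	}
	for _, s := range specs {
		v, err := resolveRootVolumeIops(s)
		switch {
		case err != nil:
			fmt.Fprintf(os.Stderr, "%+v: error: %v\n", s.Type, err)
		case v == nil:
			fmt.Printf("%s: no IOPS setting\n", s.Type)
		default:
			fmt.Printf("%s: iops=%d\n", s.Type, *v)
		}
	}
}
```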