Ciprian Hacman
0ed8942835
Add log rotation for etcd-cilium.log
2021-07-07 08:31:08 +03:00
John Gardiner Myers
5834fc2690
hack/update-expected.sh
2021-07-03 17:33:13 -07:00
John Gardiner Myers
921d09523e
Rename the "ca" keyset to "kubernetes-ca"
2021-07-03 17:33:13 -07:00
Peter Rifel
c5fbcccfa6
Update pause image to 3.5
2021-07-02 06:40:27 -04:00
John Gardiner Myers
5c5969d102
hack/update-expected.sh
2021-07-01 22:25:51 -07:00
John Gardiner Myers
1e0c6cb1aa
Refactor apiserver-aggregator-ca
2021-07-01 22:25:47 -07:00
John Gardiner Myers
7162a7473a
Remove dead code
2021-07-01 13:58:51 -07:00
John Gardiner Myers
0f1de5cfc8
hack/update-expected.sh
2021-06-30 18:55:35 -07:00
John Gardiner Myers
3de05a500e
Refactor etcd-clients-ca keyset for api-server
2021-06-30 18:55:30 -07:00
John Gardiner Myers
7dfe9d82ab
hack/update-expected.sh
2021-06-27 08:45:06 -07:00
John Gardiner Myers
e1df9f09dd
Refactor service-account public keys
2021-06-27 08:45:06 -07:00
John Gardiner Myers
20ca7082d7
hack/update-expected.sh
2021-06-27 08:45:05 -07:00
John Gardiner Myers
7e0c6acbad
Take poorly formed keypair out of tests
2021-06-27 08:45:05 -07:00
John Gardiner Myers
60ae29c93c
Refactor EncryptionConfig
2021-06-27 08:45:05 -07:00
John Gardiner Myers
fdf034058d
hack/update-expected.sh
2021-06-27 08:45:05 -07:00
John Gardiner Myers
1312163edd
Update nodes with an APIServer when APIServer spec changes
2021-06-27 08:45:04 -07:00
John Gardiner Myers
5de6d16e76
Catch calls to GetBootstrapCert from control plane
2021-06-26 00:04:52 -07:00
John Gardiner Myers
2faf28379a
Refactor etcd-client-cilium secrets
2021-06-25 23:57:23 -07:00
John Gardiner Myers
1752f0f4db
Move most of nodeup.Config out of userdata
2021-06-25 22:25:49 -07:00
John Gardiner Myers
c132ae1520
Move fields from AuxConfig to nodeup.Config
2021-06-25 18:41:29 -07:00
Ciprian Hacman
d7f405f65a
Decrease default values for net.ipv4.tcp_rmem and net.ipv4.tcp_wmem
2021-06-25 21:27:56 +03:00
Kubernetes Prow Robot
0e4d766deb
Merge pull request #11852 from hakman/hooks-containerd
...
Handle containerExec hooks when using containerd
2021-06-23 23:27:40 -07:00
Ciprian Hacman
cf19ba343b
Handle containerExec hooks when using containerd
2021-06-24 07:42:53 +03:00
Ciprian Hacman
cb179b3b62
Pre-add hooks integration test
2021-06-24 06:38:20 +03:00
John Gardiner Myers
1e89064be3
Refactor kube-controller-manager secrets
2021-06-22 22:32:52 -07:00
Kubernetes Prow Robot
d5119c0338
Merge pull request #11833 from johngmyers/update-on-primary-change
...
Mark nodes NeedsUpdate when keys they use change
2021-06-22 08:11:58 -07:00
John Gardiner Myers
366210d189
Remove dead code
2021-06-21 21:45:55 -07:00
John Gardiner Myers
a83bf7b20f
Mark nodes NeedsUpdate when keys they use change
2021-06-21 19:37:23 -07:00
Kubernetes Prow Robot
9a0e90e1ed
Merge pull request #11824 from johngmyers/remove-kubeup
...
Remove support for importing and converting kubeup clusters
2021-06-21 12:46:50 -07:00
John Gardiner Myers
fc94505a76
Include multiple certs in aws-iam-authenticator trust bundle
2021-06-21 07:35:50 -07:00
John Gardiner Myers
002a1f7fd3
Remove 'kops toolbox convert-imported'
2021-06-21 07:34:29 -07:00
Kubernetes Prow Robot
ab0ee8a2a9
Merge pull request #11823 from johngmyers/get-keypairs-2
...
Improve the output of 'kops get keypairs'
2021-06-21 02:19:10 -07:00
John Gardiner Myers
1ed3619362
Improve the output of 'kops get keypairs'
2021-06-20 15:51:09 -07:00
Ciprian Hacman
904f21cd77
Remove previous implementation of pre-pulling container images
2021-06-20 23:01:52 +02:00
Ciprian Hacman
65d21ee463
Pre-pull container images from list of desired prefixes
2021-06-20 23:01:52 +02:00
John Gardiner Myers
204a134a7d
Include multiple CA certificates in the common trust store
2021-06-19 10:56:30 -07:00
John Gardiner Myers
c337d217ba
Refactor kops-controller to use FindPrimaryKeypair and use consistent filenames
2021-06-19 10:56:29 -07:00
John Gardiner Myers
6b9aebae88
Include multiple CA certificates in bootstrap kubeconfigs
2021-06-19 10:56:29 -07:00
John Gardiner Myers
0dee785ebf
Pass multiple CA certs to kops-controller client
2021-06-19 10:50:53 -07:00
John Gardiner Myers
e0d9259be1
Remove dead code
2021-06-19 10:50:52 -07:00
John Gardiner Myers
42bf3ee85b
Seed the random number generator on AWS
2021-06-17 22:59:43 -07:00
Kubernetes Prow Robot
d35bce0ff8
Merge pull request #11764 from olemarkus/cilium-etcd-fix
...
Don't try to build etcd-manager secrets for cilium twice
2021-06-17 00:14:20 -07:00
Ole Markus With
f80b550c7a
Use internal name for cilium etcd if we do not enable api server nodes
2021-06-16 08:27:26 +02:00
Ole Markus With
a3cfe8d098
Don't try to build etcd-manager secrets for cilium twice
2021-06-15 12:42:11 +02:00
Ole Markus With
e7fa3fa82c
Set containerd config on nodeup.Config instead of clusterspec
...
This allows us to set a default containerd config per IG (e.g. add a different config for GPU IGs)
Can also be considered a cleanup as we no longer use containerd.overrideConfig as a mechanism for bringing the default containerd config from cloudup to nodeup.
2021-06-15 11:08:22 +02:00
Kubernetes Prow Robot
b71ba1d566
Merge pull request #11219 from johngmyers/refactor-keypair
...
Refactor keypair code in preparation for secret rotation
2021-06-12 14:25:00 -07:00
Kubernetes Prow Robot
cfc93e5178
Merge pull request #9294 from johngmyers/refactor-nodeup-context
...
Remove InstanceGroup from NodeupModelContext
2021-06-12 13:43:01 -07:00
Ole Markus With
224cae1113
Only warm-pull images used by the CSI DS
...
Pulling the Deployment images serves no purpose as they tend not to run on normal nodes
2021-06-10 09:28:53 +02:00
Ole Markus With
c162013a3c
Use quay images for cilium
2021-06-08 23:01:08 +02:00
John Gardiner Myers
e0915887ed
Move asset copying out of apply_cluster
2021-06-05 21:17:50 -07:00
John Gardiner Myers
12465ac27c
Simplify extraction of service-account public keys
2021-06-05 16:38:28 -07:00
John Gardiner Myers
fa77f8b964
Rename fi.Keystore.StoreKeypair to StoreKeyset
2021-06-05 16:38:26 -07:00
John Gardiner Myers
2300d89591
Rename pki.FindKeypair to FindPrimaryKeypair
2021-06-05 16:38:26 -07:00
John Gardiner Myers
ed1f6ff79e
Refactor StoreKeypair and AddCert
2021-06-05 16:38:25 -07:00
John Gardiner Myers
0364a3af25
Refactor FindKeypair interfaces
2021-06-05 16:38:24 -07:00
John Gardiner Myers
6b2250a9af
Have apiserver trust all service-account keys
2021-06-05 16:38:08 -07:00
John Gardiner Myers
b45c0b4489
Remove InstanceGroup from NodeupModelContext
2021-06-03 21:27:01 -07:00
John Gardiner Myers
14ab4a3453
Move UpdatePolicy into NodeConfig
2021-06-03 21:20:56 -07:00
John Gardiner Myers
59c8826b17
Move FileAssets into the NodeupAuxConfig
2021-06-03 21:20:55 -07:00
John Gardiner Myers
06658c9d13
Move Hooks into the NodeupAuxConfig
2021-06-03 21:09:45 -07:00
John Gardiner Myers
c3c1aca3c1
Include AuxConfig output in TestBootstrapUserData
2021-06-03 21:09:45 -07:00
John Gardiner Myers
2e1629c610
Introduce nodeup.AuxConfig
2021-06-03 20:37:22 -07:00
Kubernetes Prow Robot
c62090fc6c
Merge pull request #11552 from hakman/etcd-events-tests
...
Add etcd-server related tests
2021-05-21 09:29:35 -07:00
Ciprian Hacman
48ef1555bb
Add etcd-server related tests for kube-apiserver
2021-05-21 18:53:54 +03:00
Ciprian Hacman
f4ec3df187
Prepare etcd-server related tests for kube-apiserver
2021-05-21 18:53:54 +03:00
Ole Markus With
46e13c0009
Bump snapshot-controller version
...
Update upup/models/cloudup/resources/addons/storage-aws.addons.k8s.io/v1.15.0.yaml.template
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
Update upup/models/cloudup/resources/addons/storage-aws.addons.k8s.io/v1.15.0.yaml.template
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
2021-05-21 15:40:40 +02:00
Alexander Block
bb52334222
Make the events etcd cluster optional
2021-05-20 08:05:42 +02:00
Peter Rifel
47add60546
Fix KCM livenessProbe to use secure port
2021-05-11 08:01:42 -05:00
John Gardiner Myers
36f93d0069
hack/update-expected.sh
2021-05-07 23:40:03 -07:00
John Gardiner Myers
d3469d6ec2
Remove code for no-longer-supported k8s versions
2021-05-07 23:40:03 -07:00
Peter Rifel
cc4fae3f71
Remove unused k8s version parsing
2021-05-03 17:23:23 -05:00
dntosas
9481246e22
[csi/aws] Add support for warm pools
...
Add pulling needed images as initial task for warming up instances for
csi driver resources.
Signed-off-by: dntosas <ntosas@gmail.com>
2021-04-25 16:59:57 +03:00
Ole Markus With
df2f66e1e5
Make API servers provision themselves.
...
API servers also have access to secret store, so there is no need to go through kops-controller.
This lets API server only depend on etcd from the CP nodes, which should make it easier to scale out API servers under pressure
2021-04-23 06:59:15 +02:00
Ole Markus With
769c6e584f
Add install section to kubelet unit
2021-04-19 19:19:46 +02:00
Ole Markus With
df4f429ceb
Apply suggestions from code review
...
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-04-19 07:25:42 +02:00
Ole Markus With
202e440920
Pre-pull cilium and kube-proxy in warming mode
2021-04-18 18:42:59 +02:00
Ole Markus With
aac4741b0e
Add a golden test for warmpool mode
2021-04-15 07:01:33 +02:00
Ole Markus With
af92896dc7
Don't start kubelet if we are warming
2021-04-14 11:05:50 +02:00
Ciprian Hacman
1737925c44
Replace k8s.io/utils/mount with k8s.io/mount-utils
2021-04-14 07:01:43 +03:00
Ole Markus With
bd731ce989
Use secure kubelet auth
...
Without secure node auth enabled, commands like `kubectl logs` may fail
with certain configurations.
Previously, we checked if anonymousAuth was enabled on the kubelet
before securing node communication, but this isn't really relevant. We
can still authenticate even if anonymous access is allowed.
2021-04-13 08:59:39 +02:00
John Gardiner Myers
fdc61b4bdb
Rename the service account key
2021-04-11 08:11:27 -07:00
Kenji Kaneda
baff30d66e
Add an option to skip NTP installation
...
Add NTPConfig to ClusterSpec. NTPConfig has the SkipInstall option.
https://github.com/kubernetes/kops/issues/9661
2021-03-31 12:33:32 -07:00
Peter Rifel
e2ea5f8a95
Update protokube systemd unit docs link
2021-03-24 20:57:00 -05:00
Barry Melbourne
05123faf5a
Update containerd to v1.3.10/v1.4.4
2021-03-23 17:02:01 +00:00
Ciprian Hacman
1b57bfbb8f
Load env vars from file for kops-configuration service
2021-03-23 04:32:34 +02:00
Kubernetes Prow Robot
8b5be9baf9
Merge pull request #11082 from bharath-123/task/remove-dbus
...
Remove dbus dependency
2021-03-21 21:31:43 -07:00
Ole Markus With
20bd724f5e
Add support for scaling out the control plane with dedicated apiserver nodes
...
Ensure apiserver role can only be used on AWS (because of firewalling)
Apply api-server label to CP as well
Consolidate node not ready validation message
Guard apiserver nodes with a feature flag
Rename Apiserver role to APIServer
Add an integration test for apiserver nodes
Rename Apiserver role to APIServer
Enumerate all roles in rolling update docs
Apply suggestions from code review
Co-authored-by: Steven E. Harris <seh@panix.com>
2021-03-20 20:57:00 +01:00
Bharath Vedartham
26319c6e96
Remove dbus dependency
2021-03-20 15:06:10 +05:30
Peter Rifel
b57318fc3d
Download kubectl to /opt/kops/bin on Flatcar OS
...
Also add it to protokube's PATH.
Our flatcar job is currently failing because channels aren't being applied.
A newly added error log reports that kubectl isn't in protokube's PATH.
This adds the kubectl's location (/opt/bin) to protokube's PATH.
See https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-aws-distro-imageflatcar/1371379886664454144/artifacts/54.206.100.130/protokube.log
2021-03-18 22:26:38 -05:00
Bharath Vedartham
368f3e94f2
Create an environment file for kops-configuration systemd process
2021-03-13 16:25:04 +05:30
Kubernetes Prow Robot
ad7c793050
Merge pull request #10913 from seh/scope-os-update-policy-to-instance-group-too
...
Honor OS update policy at InstanceGroup level too
2021-03-12 22:03:03 -08:00
Ciprian Hacman
79a0720143
Fix rendering of multiple Docker insecure registries
2021-03-12 16:30:15 +02:00
Ciprian Hacman
77b72efe1d
Fix various nits when changing Protokube to run as service
2021-03-08 07:19:48 +02:00
Bharath Vedartham
d45514cff3
Make protokube a systemd process
2021-03-06 00:32:44 +05:30
Steven E. Harris
e39c985ee7
Honor OS update policy at InstanceGroup level too
...
As with the Cluster-level "spec.updatePolicy" field, add a similar
field at the InstanceGroup level, allowing overriding of the
cluster-level choice in each InstanceGroup.
Introduce a new value for the field ("automatic") as equivalent to the
default value applied when the field is absent. Honoring this new
value allows disabling automatic updates at the cluster level, but
then enabling them again for particular InstanceGroups. Without such a
positive affirmation, it's not possible to override a cluster-level
"external" policy at the InstanceGroup level, as there's no way to
specify positively that you want to recover the default
value. Instead, expressing the explicit "automatic" value is clear and
unambiguous.
2021-03-05 08:53:07 -05:00
Kubernetes Prow Robot
730fe1ffff
Merge pull request #10813 from justinsb/containerd_always_configure
...
containerd installation: always configure, even if we don't install
2021-02-15 23:29:05 -08:00
Justin SB
071c090065
containerd installation: always configure, even if we don't install
...
Even if we don't install containerd (e.g. ContainerOS or Flatcar), we
likely still need to configure it; particularly in the case of
kubenet.
Additionally, on ContainerOS we can't change the path from
/etc/containerd/config.toml, so we have to write it there. We may in
future be able to use this on all distros.
2021-02-13 18:19:16 -05:00
Justin SB
bc84cdaf11
iptables: Use the lock when checking for existing rules
...
Otherwise we sometimes get an "in-use" message, telling us to use the
lock, if another iptables process is running concurrently.
2021-02-13 16:12:11 -05:00
Kubernetes Prow Robot
ce3f5416b9
Merge pull request #10759 from justinsb/containerd_kubenet_configuration
...
kubenet containerd: match upstream
2021-02-13 12:59:04 -08:00
Steven E. Harris
d44612cc84
Capture outcome of "hack/update-expected.sh" run
2021-02-11 10:49:49 -05:00
Justin SB
c921aff34c
kubenet containerd: match upstream configuration
...
Configure kubenet in containerd/CNI mode to match upstream configuration.
Biggest change is a move to the ptp plugin.
Co-authored-by: Ciprian Hacman <ciprian@hakman.dev>
2021-02-11 08:25:55 -05:00
Kubernetes Prow Robot
41d7d2dbe4
Merge pull request #10707 from slu2011/master
...
Use the kubeApiServerConfig clientCAFile field
2021-02-09 03:58:46 -08:00
Kubernetes Prow Robot
4507be8e13
Merge pull request #10469 from justinsb/boot_nodes_from_kops_controller
...
Boot nodes without state store access
2021-02-08 11:28:19 -08:00
Ciprian Hacman
8ea5987851
Always generate kops-controller certs
2021-02-07 23:35:11 +02:00
shil
dc03028e5d
Update the logic to set kubeAPIServer.ClientCAFile
2021-02-02 12:10:43 -08:00
shil
a0350a0dfa
Use the kubeApiServerConfig clientCAFile field
2021-02-01 15:26:09 -08:00
Ciprian Hacman
7aeb8c2af3
Add back support for kubenet style networking with containerd
2021-01-24 21:16:45 +02:00
Ole Markus With
91a6777e60
Replace gopkg yaml with k8s-sigs yaml
2021-01-22 14:28:05 +01:00
Justin SB
23646b6546
Install dbus if needed for protokube with kope.io
2021-01-21 18:17:35 +02:00
Justin SB
f9c43bbb3e
containerd: Add /etc/crictl config to enable crictl
...
This configuration file means users don't have to pass the endpoint
to run crictl.
2021-01-14 23:05:47 -05:00
Kubernetes Prow Robot
e4f4a20d27
Merge pull request #10419 from bharath-123/task/default-systemd
...
Default cgroup driver to systemd from k8s 1.20
2021-01-12 08:30:27 -08:00
Bharath Vedartham
a8d709acf2
Default cgroup driver to systemd from k8s 1.20
...
Currently, kOps uses cgroupfs cgroup driver for the kubelet and CRIs. This PR defaults
the cgroup driver to systemd for clusters created with k8s versions >= 1.20.
Using systemd as the cgroup-driver is the recommended way as per
https://kubernetes.io/docs/setup/production-environment/container-runtimes/
2021-01-12 20:39:25 +05:30
Ole Markus With
4d2eca199f
Remove node-authorization
2021-01-11 18:59:45 +01:00
Kubernetes Prow Robot
4ee8936d63
Merge pull request #10547 from justinsb/cos_var_lib_kubelet
...
COS/GCE: exec on kubelet/flexvolume dirs
2021-01-10 08:23:17 -08:00
Kubernetes Prow Robot
50999d24bd
Merge pull request #10538 from justinsb/ubuntu_2010_partii
...
Refactor and centralize distribution logic
2021-01-10 03:45:06 -08:00
Justin Santa Barbara
e9f6623a80
COS/GCE: exec on kubelet/flexvolume dirs
...
Upstream bind mounts /var/lib/kubelet with exec, dev and suid
permissions, because emptyDirs end up inheriting these permissions.
Similarly, /home/kubernetes/flexvolume needs exec permission to
support flexdrivers.
2021-01-09 13:56:18 -05:00
Justin SB
4ac9d5c17b
Boot nodes without state store access
...
kops-controller can now serve the instance group & cluster config to
nodes, as part of the bootstrap process.
This enables nodes to boot without access to the state
store (i.e. without S3 / GCS / etc permissions)
Feature-flagged behind the KopsControllerStateStore feature-flag.
2021-01-09 13:08:48 -05:00
Ciprian Hacman
422cfad1da
Add containerd config file to Flatcar based instances
2021-01-06 15:33:17 +02:00
Justin Santa Barbara
78b139465c
Refactor and centralize distribution logic
...
Use of a struct makes it more sustainable, centralizing into the
distribution package makes it simpler to follow.
2021-01-05 11:50:23 -05:00
Justin SB
b17e44b709
Recognize ubuntu 20.10
...
Teach nodeup about ubuntu 20.10, including the unusual
/etc/resolv.conf configuration.
2021-01-05 10:53:40 -05:00
Ciprian Hacman
c02e5a20ea
Remove support for Kubenet with containerd
2020-12-27 18:21:16 +02:00
Kenji Kaneda
a61caea8d2
Add Azure support
...
This commit contains all changes required to support Azure
(https://github.com/kubernetes/kops/issues/3957).
2020-12-21 08:27:54 -08:00
Ciprian Hacman
91c6df4f04
Update docker.service file
2020-12-15 11:46:03 +02:00
Ciprian Hacman
6986df9523
Update containerd.service file
2020-12-15 11:46:03 +02:00
Ciprian Hacman
416fd15e3c
Mount /lib64 for Protokube only on AMD64
2020-12-09 18:58:18 +02:00
Rodrigo Menezes
da773ba35c
Allow setting CPU limit and Mem request / limit for kube API
2020-11-23 10:03:34 -08:00
John Gardiner Myers
046a64cb19
Use separate domain for kops-controller bootstrap
2020-11-14 12:14:34 -08:00
John Gardiner Myers
2ef4aa2dbb
Move nfs packages to packages.go
2020-11-13 13:37:47 -08:00
John Gardiner Myers
77c4ad4092
Don't install the misc packages for k8s 1.20+
2020-11-12 22:22:06 -08:00
John Gardiner Myers
2ac17bee69
Remove code for no-longer-supported k8s releases
2020-10-29 16:45:53 -07:00
Kubernetes Prow Robot
c9aa53895a
Merge pull request #10048 from hakman/container-runtime-assets
...
Install container runtime packages as assets
2020-10-25 21:03:01 -07:00
Ole Markus With
5c941dee38
Fix circular dependency in tasks related to cilium certs
2020-10-24 09:27:15 +02:00
Ole Markus With
1525ccdee9
Fix circular dependency in tasks related to kubelet serving cert
2020-10-24 09:02:41 +02:00
Ciprian Hacman
c36262009b
Install container runtime packages as assets - Code Review 1
2020-10-23 11:05:41 +03:00
Ciprian Hacman
b27431d86f
Install container runtime packages as assets - Tests
2020-10-14 15:41:51 +03:00
Ciprian Hacman
852bebe165
Install container runtime packages as assets - Misc
2020-10-14 15:41:51 +03:00
Ciprian Hacman
732a161313
Install container runtime packages as assets - Main
2020-10-14 15:41:51 +03:00
AkiraFukushima
4e4c4a1e16
Install wireguard OS package in nodeup
2020-10-11 15:53:11 +09:00
Kubernetes Prow Robot
cc41bba0cf
Merge pull request #10022 from olemarkus/metrics-server
...
Kubelet serving certificate and metrics server addon
2020-10-09 03:09:07 -07:00
Ciprian Hacman
d0349fd6bb
Open etcd port only when Calico uses "etcd" datastore
2020-10-09 09:33:38 +03:00
Ole Markus With
466dcd001e
Apply suggestions from code review
...
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-10-09 08:27:08 +02:00
Ole Markus With
809aa93634
Make use of kubelet service certificate
2020-10-09 08:27:08 +02:00
Ole Markus With
1d922af364
Pass cloud into populate cluster
2020-09-24 07:22:13 +02:00
Ole Markus With
7bc17f4b1f
Build cloud outside of PerformAssignments
...
We tend to build cloud, call some method, and then build cloud over
again. It would be easier to just pass the first one along.
Passing along cloud would also make it easier to mock cloud.
2020-09-23 07:54:28 +02:00
Ciprian Hacman
96e3fefd85
Update Docker to v19.03.13
2020-09-18 12:14:43 +03:00
Ciprian Hacman
fcc486d250
Update containerd to v1.4.1
2020-09-18 10:01:30 +03:00
Ole Markus With
6efb91a15b
Don't write application credentials to cloud config unless external CCM is enabled
2020-09-15 09:45:09 +02:00
Ciprian Hacman
07ffd665a7
Allow container runtime to run before BootstrapKubeconfig
2020-09-12 08:13:40 +03:00
Kubernetes Prow Robot
4604fa53b3
Merge pull request #9899 from olemarkus/remove-insecure-bind-address
...
Don't explicitly set insecure-bind-address on newer k8s
2020-09-09 03:25:53 -07:00
Ole Markus With
886b4c97cb
Don't explicitly set insecure-bind-address on newer k8s
2020-09-09 11:41:51 +02:00
Ole Markus With
192d6a46f9
Errors when encryptionConfig is enabled, but no encryptionconfig secret
...
When encryptionConfig is enabled, but the secret is missing, there are no
visible errors anywhere. kube-apiserver just goes into a crashloop
without any complaints. This PR adds warnings both on the client side and
through nodeup.
2020-09-08 17:46:18 +02:00
Justin SB
786423f617
Expose JWKS via a feature-flag
...
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access). This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 10:15:11 -04:00
Justin SB
2be21562a9
Support writing a full certificate chain
...
This means that our https endpoint will serve the ca.crt as well.
2020-08-25 11:09:04 -04:00
Ciprian Hacman
f267c54b9a
Stop trying to pull the Protokube image
2020-08-25 09:04:45 +03:00
Kubernetes Prow Robot
f1a0e0312f
Merge pull request #9777 from hakman/containerd-1.4.0
...
Add support for containerd v1.4.0
2020-08-18 14:45:11 -07:00
Kubernetes Prow Robot
bacd944dea
Merge pull request #9776 from johngmyers/cni-client-certs
...
Issue the cilium etcd client cert out of kops-controller
2020-08-18 08:13:30 -07:00
Ciprian Hacman
537ad60191
Add support for containerd v1.4.0
2020-08-18 10:04:18 +03:00
Kubernetes Prow Robot
ffe3b3468d
Merge pull request #9766 from hakman/distros
...
Use /etc/os-release to identify the distribution
2020-08-17 22:37:30 -07:00
John Gardiner Myers
07220797b4
Issue the cilium etcd client cert out of kops-controller
2020-08-17 21:15:34 -07:00
John Gardiner Myers
2d898fa645
Inline some methods
2020-08-17 00:18:00 -07:00
John Gardiner Myers
b6947ccaee
Use kops-controller to issue kube-router cert
2020-08-16 23:40:38 -07:00
John Gardiner Myers
8e43c1d637
Use kops-controller to issue kube-proxy cert
2020-08-16 23:36:42 -07:00
Ciprian Hacman
22ec1512dc
Use numbers for distribution names
2020-08-17 07:25:43 +03:00
Ciprian Hacman
e68ee80a93
Move and rename the "distros" package
2020-08-17 07:25:43 +03:00
Peter Rifel
4d9f0128a3
Upgrade to klog2
...
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers
1a253dc574
Send the STS queries to the local region
2020-08-15 10:30:22 -07:00
John Gardiner Myers
fb381c4c8b
Don't issue kubelet cert on masters before k8s 1.19
2020-08-15 10:30:21 -07:00
John Gardiner Myers
c5871df319
Get kubelet certificate from kops-controller
2020-08-15 10:30:20 -07:00
John Gardiner Myers
bec273ebf1
Implement signing of kubelet cert in kops-controller
2020-08-15 10:30:20 -07:00
John Gardiner Myers
321035f460
Allow cert/key file tasks to specify owner
2020-08-15 10:30:20 -07:00
John Gardiner Myers
cfa262a81a
Authenticate from nodeup to kops-controller
2020-08-15 09:50:08 -07:00
John Gardiner Myers
9c01e1f44d
Send bootstrap query from nodeup to kops-controller
2020-08-15 09:50:08 -07:00
John Gardiner Myers
82c75211cf
update-expected.sh
2020-08-15 09:50:07 -07:00
John Gardiner Myers
00c60ddff6
Add server code to kops-controller
2020-08-15 09:46:30 -07:00
Kubernetes Prow Robot
96ab8423b1
Merge pull request #9566 from hakman/arm64-images
...
Add ARM64 support for masters
2020-08-14 20:46:17 -07:00
John Gardiner Myers
e405d24f8c
Default kubelet authenticationTokenWebhook to true for k8s 1.19+
2020-08-14 11:57:56 -07:00
Ciprian Hacman
d70fb506e5
Remove unused FSRoot from NodeUp
2020-08-12 18:35:35 +03:00
Ciprian Hacman
44db702f7e
Update bazel
2020-08-12 18:35:26 +03:00
Ciprian Hacman
d75042cc85
Remove unused Tags from NodeUp
2020-08-12 18:35:26 +03:00
Ciprian Hacman
331d223043
ARM64 support - Side-load multi-arch images
2020-08-10 13:47:07 +03:00
John Gardiner Myers
d2e7e2a41d
Default kubelet authorization-mode to Webhook for k8s 1.19+
2020-08-08 21:00:48 -07:00
Ole Markus With
a708a96c05
Adds support for using OS application credentials
...
Application credentials allow you to export a purpose-specific set of
credentials for a user instead of exposing user login credentials.
Especially useful when using LDAP or similar for Openstack users.
Also lets you rotate credentials more easily since multiple application
credentials can be provisioned per user.
Update pkg/model/bootstrapscript.go
Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
2020-08-07 14:26:47 +02:00
Ole Markus With
7e2366ac64
Determine fixedip for api cert directly in nodeup
2020-08-04 08:22:00 +02:00
Ciprian Hacman
479da6e4bf
Fix test that tries to find the default user's home dir
2020-07-29 05:12:53 +03:00
Ciprian Hacman
0566e65f9b
Add Ubuntu 20.04 support for Docker 18.06.3
2020-07-23 14:32:03 +03:00
Ciprian Hacman
234149559b
Restore default SELinux security contexts for container runtime binaries
2020-07-20 05:44:19 +03:00
John Gardiner Myers
c0774d7ffa
Stop using legacy IAM in integration tests
2020-07-17 19:32:48 -07:00
John Gardiner Myers
ef1765b734
Use fixed UID for etcd user and restrict to legacy provider
2020-07-15 23:48:19 -07:00
Kubernetes Prow Robot
7a61e9f07a
Merge pull request #9403 from hakman/protokube-distroless
...
Use distroless image as base for Protokube
2020-07-12 20:32:34 -07:00
Kubernetes Prow Robot
33722a9eca
Merge pull request #9534 from johngmyers/fix-multi-master
...
Use a stable key for signing service account tokens
2020-07-12 12:04:33 -07:00
John Gardiner Myers
ee88693b5b
update-expected.sh
2020-07-11 13:18:59 -07:00
John Gardiner Myers
70926d43fc
Use a stable key for signing service account tokens
2020-07-11 13:18:50 -07:00
Ciprian Hacman
ed3f43bf4c
Remove the checksum workaround for Flannel VXLAN
2020-07-10 07:55:52 +03:00
Kubernetes Prow Robot
0c62641dad
Merge pull request #9354 from johngmyers/refactor-certs-2
...
Continue refactoring certs into nodeup
2020-07-06 17:13:57 -07:00
Ciprian Hacman
94104810c8
Update tests output
2020-07-05 14:41:29 +03:00
Ciprian Hacman
64fff220c9
Mount host bin dirs for "utils/nsenter" and "utils/mount"
2020-07-05 14:41:29 +03:00
Ciprian Hacman
3a057aa27c
Use distroless image as base for protokube
2020-07-05 14:41:29 +03:00
Justin SB
6cdf9d5001
Don't start kubelet in protokube
...
Previously as an optimization we would start the kubelet from
protokube, after we had mounted the disks. This helped avoid e.g. the
apiserver going into backoff waiting for etcd.
However, this no longer achieves anything with etcd-manager - nothing
happens on this front until after we start the kubelet anyway.
Doing this both takes protokube out of the dependency sequence here
(slightly faster boot time), but also removes the systemd dependency
from the protokube image. (So we can get a smaller image, perhaps
even distroless)
2020-07-05 14:41:29 +03:00
Ciprian Hacman
69511a998e
Use kubelet docker-specific flags only for Docker
2020-07-05 07:57:10 +03:00
Kubernetes Prow Robot
734a0eb5f3
Merge pull request #9415 from johngmyers/refactor-nodeup-2
...
Continue moving InstanceGroup data to NodeupConfig
2020-07-02 20:50:47 -07:00