kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,222 Commits 116 Branches 250 Tags 533 MiB
Commit Graph

30 Commits

Author SHA1 Message Date
Rodrigo Menezes f35d411544 Fix for when node and master use the same SG. 2018-12-06 09:27:11 -05:00
Justin Santa Barbara 789b7c9f28 Remove duplicate security-group overrides 2018-10-02 12:46:55 -07:00
Justin Santa Barbara 81cadec4ca Simplify building of security groups 
Also add comments about why we don't set e.g. RemoveExtraRules
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 9a6653421c Support override security groups with bastion 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 1e2a62992b Use JoinSuffixes for node->master traffic, also fix AmazonVPC rule 
This ensures we are consistently naming our rules
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 1906bcdf5d We need to create the cross-product of rules for SG overrides 
e.g. each master SGs need to be configured to talk to each master SG
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara bfb54935ff Build security groups along with suffixes 
Fixes the case where we mix use of specified & default SGs.
 2018-10-02 11:53:41 -07:00
Rodrigo Menezes 87eec75f5b Fix blocker 2018-10-02 10:22:09 -07:00
Rodrigo Menezes a82f548ff8 Allow using existing/shared Security Groups 
Verbosely log when a user overwrites LB or IG security groups

Change SecurityGroup to SecurityGroupOverride

Allow using existing/shared Security Groups

Update tests
 2018-10-02 00:51:39 -07:00
k8s-ci-robot fc1bed4353
Merge pull request #4224 from nebril/cilium-support 
Add Cilium as CNI plugin
 2018-03-26 07:49:02 -07:00
Justin Santa Barbara 12873d3868 SecurityGroups: ensure owned security groups are tagged 2018-03-24 22:19:54 -04:00
Maciej Kwiek bca52dede9 Add Cilium as CNI plugin 
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
 2018-03-20 13:07:26 +01:00
Manuel de Brito Fontes 2e05dd17aa Add support for Amazon VPC CNI plugin 2017-12-17 18:08:24 -03:00
Justin Santa Barbara 581e954062 Block etcd peer port from nodes 
Ports 2380 & 2381 should not be exposed to nodes.

Fix #3746
 2017-11-25 16:36:46 -05:00
Adam Sunderland fd8fe5ea18 Add node-to-master IPIP to kuberouter 2017-10-30 09:51:21 -05:00
Caleb Gilmour 79d331e590 Add support for Romana as a networking option 2017-09-13 22:48:18 +00:00
Justin Santa Barbara 15d6834113 Flannel: support choosing a backend type 
We support udp, which has to the default for backwards-compatibility,
but also new clusters will now use vxlan.
 2017-08-30 21:16:21 -04:00
Rohith 74f59612c7 Fixes 
- added the master option back the protokube, updating the nodeup model and protokube code
- removed any comments no related to the PR as suggested
- reverted the ordering of the mutex in the AWSVolumes in protokube
 2017-08-06 18:52:38 +01:00
Rohith a73d255b03 Etcd TLS Options 
The current implementation does not put any transport security on the etcd cluster. The PR provides and optional flag to enable TLS the etcd cluster

- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as its no longer required
- added additional integretion tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters, i'm gonna hit the coreos board to ask for the best options
 2017-08-06 17:06:46 +01:00
Justin Santa Barbara 3dfe48e5ae Wiring up lifecycle 2017-07-15 22:03:54 -04:00
Justin Santa Barbara 645f330dad Re-enable GCE support 
We move everything to the models.  We feature-flag it, because we
probably want to change the names etc, and we aren't going to be able to
offer smooth upgrades until that is done.
 2017-02-28 20:08:03 -05:00
Johannes Würbach 01bcf416e2
Allow node -> master on tcp 10255 
This port serves the read-only kubelet api and is required by heapster
 2017-02-23 00:06:46 +01:00
Justin Santa Barbara 80a732527d Just block specific traffic from node -> master 
We _should_ block per port... but:
 * It causes e2e tests to break
 * Users expect to be able to reach pods
 * If we are running an overlay, we allow all ports anyway
 2017-02-22 13:21:49 -05:00
Matthew Mihok bc235765d1 Adding basic flannel support 2017-02-11 16:26:18 -05:00
Justin Santa Barbara 7140117780 Separate protocol rule naming from AWS rules 2017-01-09 11:35:18 -05:00
Justin Santa Barbara 71c52db994 Open etcd for calico 2017-01-09 10:52:33 -05:00
Justin Santa Barbara a52f1e7342 Security rules for calico & weave 2017-01-09 10:52:33 -05:00
Justin Santa Barbara ec1e99f1d2 Lock down master security group rules 2017-01-09 10:52:33 -05:00
Justin Santa Barbara 50296f1a30 Fix file headers 2016-12-19 00:23:20 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2 
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
 2016-12-18 21:56:57 -05:00