Ole Markus With
afd7c60d77
Make it possible to enable the shield addon for LBC
2022-06-30 16:23:08 +02:00
Steven E. Harris
a1495ac4c8
Allow the AWS LB Controller to use WAFs
...
By introducing a few new fields within the Cluster spec's
"awsLoadBalancerController" field, allow users to enable the AWS Load
Balancer Controller to associate WAFs with EC2 Application Load
Balancers (ALBs). It's possible to enable separately use of two kinds
of WAF: WAF Classic and the newer version 2-era WAF, the latter of
which bears no distinguishing name.
Retain our default configuration of the AWS Load Balancer Controller
in which this capability remains disabled via command-line flags,
overriding the controller program's enabling of this capability by
default.
Signed-off-by: Steven E. Harris <seh@panix.com>
2022-05-16 12:20:28 -04:00
Peter Rifel
7aae4d11c8
Add IRSA for kube-router
2022-05-05 21:51:01 -05:00
Steven E. Harris
de1ecd844d
Allow cluster autoscaler to get EC2 instance types
...
When the cluster autoscaler builds its EC2 instance type catalog
dynamically instead of using only its statically defined set, grant it
the additional IAM permissions required to fetch the instance types
from the AWS API.
2022-04-20 12:22:28 -04:00
Ole Markus With
b080abcd88
Add missing permissions to aws lbc for IP targeting
2022-03-16 13:28:20 +01:00
Ole Markus With
cd247f0b3a
Add missing permissions to aws lbc for irsa
2022-02-18 15:26:05 +01:00
Ole Markus With
9d476c0e9c
Add CreateSecurityGroup permission for vpcs
2022-01-20 17:49:36 +01:00
Ole Markus With
666cf710a2
Push partition into the policy struct
2022-01-20 17:49:36 +01:00
Ole Markus With
0a082fed12
Require tag on create for external AWS CCM
2022-01-20 15:32:46 +01:00
Kubernetes Prow Robot
4eb54f2260
Merge pull request #13114 from olemarkus/nodeup-describe-regions
...
Add DescribeRegions to nodeup privs
2022-01-18 22:14:05 -08:00
Kubernetes Prow Robot
fda6210e29
Merge pull request #13104 from olemarkus/tag-on-create-func
...
Create helper function for ec2 create/tag-on-create IAM permissions
2022-01-18 19:30:06 -08:00
Ole Markus With
b80488906f
Add DescribeRegions to nodeup privs
2022-01-17 09:34:29 +01:00
Ole Markus With
0ef596dd49
Do not create an IAM role for dns-controller on gossip clusters
2022-01-16 10:31:11 +01:00
Ole Markus With
f4e538508f
Create helper function for ec2 create/tag-on-create IAM permissions
2022-01-14 18:41:28 +01:00
Ole Markus With
0cfea49250
Do not expose the policy actions sets out of package
2021-12-13 09:14:20 +01:00
Ole Markus With
794cb72112
Karpenter addon
...
Constrain the instance types to what is supported by the AMI
Add taints and label to karpenter provisioner
Add instance types to karpenter provisioner
2021-12-12 19:33:41 +01:00
Ciprian Hacman
ea7df00719
Run hack/update-gofmt.sh
2021-12-01 22:39:50 +02:00
John Gardiner Myers
b9ac79ec6e
Rename fields in v1alpha3 networking API to fit acronym convention
2021-11-22 08:07:55 -08:00
John Gardiner Myers
5a42c10fd3
Rename fields in v1alpha3 cluster API to fit acronym convention
2021-11-21 16:16:32 -08:00
Kubernetes Prow Robot
b47e023b1e
Merge pull request #12680 from rifelpet/fix-iam-conditions
...
Fix ELB IAM conditions (part 2)
2021-11-03 23:34:03 -07:00
Peter Rifel
9d0d1998cb
Move CLB CreateLoadBalancer* IAM actions to cluster-tagged
...
Manual testing confirmed that these require aws:ResourceTag rather than aws:RequestTag
2021-11-03 22:16:30 -05:00
Peter Rifel
c3e8420731
Revert "Move some AWS IAM policy actions from tagged conditions to wildcard"
...
This reverts commit 91e4767851.
2021-11-03 21:59:43 -05:00
Kubernetes Prow Robot
1e97b0cf76
Merge pull request #12674 from rifelpet/fix-iam-conditions
...
Remove tag conditions on certain AWS IAM actions
2021-11-03 02:24:59 -07:00
Peter Rifel
91e4767851
Move some AWS IAM policy actions from tagged conditions to wildcard
...
I checked these against the IAM docs for each API and moved the actions that don't support tag conditions:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html#elasticloadbalancing-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html#elasticloadbalancingv2-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html#amazonec2autoscaling-actions-as-permissions
2021-11-02 20:06:35 -05:00
Peter Rifel
dede42efd2
Fix cluster name used in IAM policies
2021-11-02 17:39:57 -05:00
Kubernetes Prow Robot
9bc5887610
Merge pull request #12638 from rifelpet/arn-partition
...
Fix hardcoded ARN partitions
2021-10-29 23:37:19 -07:00
Peter Rifel
c734f5c08d
Update IAMBuilder to include the current partition in ARNs
2021-10-29 23:07:31 -05:00
Ciprian Hacman
9d1e11c73a
Allow kops-controller to describe network interfaces
2021-10-30 06:50:32 +03:00
Kubernetes Prow Robot
5bfdefb43c
Merge pull request #12623 from johngmyers/cilium-ipv6-ipam
...
Never masquerade IPv6 with Cilium
2021-10-29 05:56:51 -07:00
John Gardiner Myers
7cb4fbe91e
Never masquerade IPv6 with Cilium
2021-10-27 23:40:02 -07:00
Ciprian Hacman
a3f4ed7502
Update node permissions
2021-10-28 07:47:09 +03:00
Ole Markus With
795ac25363
Add permissions needed for KCM to provision NLBs
2021-10-26 08:51:28 +02:00
Kubernetes Prow Robot
af85e5e52e
Merge pull request #12309 from olemarkus/lbc-security
...
Allow AWS LBC to attach certificates
2021-10-23 13:16:21 -07:00
Peter Rifel
7b3fc875f9
Add ec2:DescribeLaunchTemplateVersions to CA IAM policy
2021-10-20 15:15:06 -07:00
John Gardiner Myers
8e6214c046
Stop requiring the cluster IAM substruct be present
2021-10-02 20:18:46 -07:00
justinsb
db1ba01e94
Only add IPv6 IAM permissions if using IPv6
...
This avoids users wondering what these permissions are for until we
need them.
2021-09-18 13:49:40 -04:00
Ole Markus With
a3a2a9c3bf
Have nodeup assign an ipv6 prefix
2021-09-16 19:28:07 +02:00
Ole Markus With
bdad72e9aa
Allow AWS LBC to attach certificates
2021-09-11 12:50:37 +02:00
Ole Markus With
4ab75b01cb
Have instances learn about their GPU capabilities
2021-09-05 20:09:04 +02:00
John Gardiner Myers
6655022ce1
Remove support for the Lyft CNI
2021-08-28 11:54:39 -07:00
Ole Markus With
38f805c5ef
Make external-dns a drop-in for dns-controller
...
Support TXT records
2021-08-27 06:24:47 +02:00
Peter Rifel
3db20bed01
./hack/update-expected.sh
2021-08-20 08:41:25 -05:00
Peter Rifel
67007e1a0a
Consolidate IAM statements
2021-08-19 23:16:04 -05:00
Ole Markus With
0439bb0d76
Remove UseServiceAccountIAM feature flag and rename feature to UseServiceAccountExternalPermissions
2021-08-07 21:20:03 +02:00
Ole Markus With
ce86d851aa
IRSA support for CCM
...
Update pkg/model/components/addonmanifests/awscloudcontroller/iam.go
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-08-07 10:27:36 +02:00
John Gardiner Myers
b94bcafe56
Remove unnecessary IAM permission
2021-07-23 14:03:41 -07:00
Ole Markus With
7c448d3535
Remove redundant call to addSnapshotPermissions
2021-07-19 21:19:05 +02:00
Ole Markus With
28bd45a8fa
Add irsa support for nth
2021-07-19 15:12:35 +02:00
Ole Markus With
f0390eda29
Dedicated function for ccm permissions
...
Update pkg/model/iam/iam_builder.go
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
2021-07-16 19:39:57 +02:00
John Gardiner Myers
9dbf3479d6
Stop writing the certificate-only keyset.yaml
2021-07-11 11:16:11 -07:00