Commit Graph

68 Commits

Author SHA1 Message Date
Kenji Kaneda a61caea8d2 Add Azure support
This commit contains all changes required to support Azure
(https://github.com/kubernetes/kops/issues/3957).
2020-12-21 08:27:54 -08:00
John Gardiner Myers 1165fd381e Remove more code specific to unsupported etcd v2 2020-11-15 22:21:24 -08:00
John Gardiner Myers 2ac17bee69 Remove code for no-longer-supported k8s releases 2020-10-29 16:45:53 -07:00
Ole Markus With 886b4c97cb Don't explicitly set insecure-bind-address on newer k8s 2020-09-09 11:41:51 +02:00
Justin SB 786423f617 Expose JWKS via a feature-flag
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access).  This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 10:15:11 -04:00
John Gardiner Myers c5871df319 Get kubelet certificate from kops-controller 2020-08-15 10:30:20 -07:00
John Gardiner Myers 8258dcd395 Exempt OpenStack from the EnableExternalCloudController feature flag 2020-07-25 13:12:25 -07:00
Ciprian Hacman a7c8d2087c Use github.com/blang/semver/v4 2020-07-01 08:54:42 +03:00
Kubernetes Prow Robot eb39ab7349
Merge pull request #9355 from johngmyers/move-port
Move host-network services off of port 8080
2020-06-16 09:10:04 -07:00
John Gardiner Myers 0d74344a43 Remove the baremetal cloud provider 2020-06-14 10:38:29 -07:00
John Gardiner Myers 4bf8302f14 Move kube-apiserver-healthcheck to port 3990 2020-06-12 22:00:14 -07:00
Kubernetes Prow Robot 9e4bf1699a
Merge pull request #9216 from hakman/prepare-multi-arch
Prepare Kops for multi-architecture support
2020-06-04 21:35:43 -07:00
John Gardiner Myers e88e0cf7ec Remove code supporting dropped k8s versions 2020-06-04 12:11:51 -07:00
Ciprian Hacman d049862cff Make architecture related decisions to nodeup 2020-06-03 17:24:01 +03:00
Ole Markus With 7342525872 Remove vsphere from kops files 2020-05-30 13:36:55 +02:00
Justin Santa Barbara 8db0017e62 kube-apiserver-healthcheck: actually enable on 1.17
We cherry picked the support to 1.17, but now we need to activate the
feature.
2020-05-08 13:32:22 -04:00
Justin SB 75fd939a62
kube-apiserver: healthcheck via sidecar container
kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonyomous-access being enabled.  That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.

Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.

This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-05-07 08:06:52 -04:00
John Gardiner Myers 83bdb3ef88 Remove code for unsupported k8s versions from pkg/model/components 2020-01-12 16:05:00 -08:00
Michael Wagner bfe9b21213 fix(external-ccm): prevent core components to be misconfigured
Previously when setting the external cloud controller manager
configuration the core components `kubelet`, `apiserver` and
`kubecontroller-manager` were configured to use the external cloud
controller manager. Without setting the feature flag
EnableExternalCloudController this lead to a cluster in which the
masters had the cloud controller taint
`node.cloudprovider.kubernetes.io/uninitialized` which prevents
essential pods, like dns-controller to not be scheduled and leaves a
cluster where worker nodes can't connect to the api server because they
cannot resolve its hostname.
2019-10-10 21:38:50 +02:00
Justin SB 71fed5e6ff
Fix for tarball image names after 1.16
Image names from 1.16 on include an architecture suffix,
e.g. "-amd64"; the generic alias continues to work when pulling, but
when loading from a tarball (i.e. running in CI) we must use the
per-architecture name.
2019-09-26 10:20:54 -04:00
mikesplain 9e55b8230a Update copyright notices
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Jesse Haka 4cad3676a7 implement append admission controllers 2019-05-26 12:38:16 +03:00
Lily e4cbd3c17c add ALI flags 2019-03-16 17:26:44 +08:00
Derek Lemon -T (delemon - AEROTEK INC at Cisco) c9b5911b1c Openstack gopkg updates 2019-01-19 08:41:15 -07:00
Jordan Liggitt 32f196fd71 Remove Initializers from default admission plugins 2019-01-16 16:49:46 -05:00
Derek Lemon -T (delemon - AEROTEK INC at Cisco) 4f0169bb79 codegen 2019-01-16 09:30:40 -07:00
Justin SB 26bd75aecb
Bulk spelling fixes
Experimenting with my own spelling checker, these are the typos it caught.
2018-12-20 17:43:56 -05:00
Rohith d2bae64dd1 - adding the enable-bootstrap-token-auth to the kubeapi and fixing up the various compoents 2018-06-11 09:57:26 +01:00
Rohith 2d5bd2cfd9 - update the IAM policy to ensure the kubelet permision is skipped
- update the PKI to ensure on new clusters the certificate it not created
2018-06-11 09:57:26 +01:00
Rohith 4531384649 This PR attempts to solve two issues
a) The current implementation use's a static kubelet which doesn't not conform to the Node authorization mode (i.e. system:nodes:<nodename>)
b) As present the kubeconfig is static and reused across all the masters and nodes

The PR firstly introduces the ability for users to use bootstrap tokens and secondly when enabled ensure the kubelets for the masters as have unique usernames.  Note, this PR does not attempt to address the distribution of the bootstrap tokens themselves, that's for cluster admins. One solution for this would be a daemonset on the masters running on hostNetwork and reuse dns-controller to annotated the pods and give as the DNS

Notes:
- the master node do not use bootstrap tokens, instead given they have access to the ca anyhow, we generate certificates for each.
- when bootstrap token is not enabled the behaviour will stay the same; i.e. a kubelet configuration brought down from the store.
- when bootstrap tokens are enabled, the Nodes sit in a timeout loop waiting for the configuration to appear (by third party).
- given the nodeup docker and manifests builders are executed before the kubelet builder, the assumption here is a unit file kicks of a custom container to bootstrap the rest.
- the current firewalls on between the master and nodes are fairly open so no need to open ports between the two
- much of the work was ported from @justinsb PR [here](https://github.com/kubernetes/kops/pull/4134/)
- we add a very presumptuous server and client certificates for use with an authorizer (node-bootstrap-internal.dns_zone)

I do have an additional PR which performs the entire thing. The process being a node_authorizer which runs on the master nodes via a daemonset, the service implements a series of authorizers (i.e. alwaysallow, aws, gce etc). For aws, the process is similar to how vault authorizes nodes [here](https://www.vaultproject.io/docs/auth/aws.html). Nodeup no then calls out to the node_authorizer on bootstrap and provisions the kubelet.
2018-06-11 09:56:32 +01:00
Andrew Sy Kim 5004652505
Revert "digitalocean: don't set --cloud-provider=external on control plane starting v1.10" 2018-06-08 11:41:07 -04:00
Rohith 67296c2db9 - fixing up the spelling mistakes found 2018-06-06 10:03:51 +01:00
Justin Santa Barbara 53bf6ea6ad Replace deprecated flags: address -> insecure-bind-address 2018-05-31 23:23:33 -04:00
Ripta Pasay dfa4190cb5 Add --enable-admission-plugins API server flag, deprecating --admission-control in v1.10 2018-05-29 16:42:23 -07:00
k8s-ci-robot ad60dbd63d
Merge pull request #5178 from dims/patch-1
Add a FIXME and don't log about insecure ports
2018-05-26 14:22:41 -07:00
Davanum Srinivas 3e075fcab5
Add a FIXME and don't log about insecure ports
Thanks to @craigtracey for spotting this.
2018-05-25 09:35:06 -07:00
andrewsykim 2b325be8cf digitalocean: don't set --cloud-provider=external on control plane starting v1.10 2018-04-16 18:19:38 -04:00
Justin Santa Barbara 2bccf880d2 etcd-quorum-read flag: explicitly default to off for v2
Kubernetes 1.9 changed the default for etcd-quorum-read flag value to
true, in the hope of fixing some of the edge-case controller issues.

However, while this is cheap on etcd3, that fix was not backported to
etcd2, and performance there of quorum reads is poor.

For non-HA clusters with etcd2, it still goes through raft, but does not
need to - we set etcd-quorum-read to false, as this is just a missed
optimization in etcd2.

For HA clusters with etcd2, it's trickier, but at least for now we're
going to avoid the (crippling) performance regression.  kops 1.10 should
have etcd-manager (allowing upgrades to etcd3), and the ability to
configure IOPS on the etcd volume, so we can revisit this in 1.10 /
1.11.
2018-03-25 19:08:05 -04:00
Blake e37be9a88c Update list of AdmissionControllers for k8s 1.9 2018-01-18 13:40:23 -08:00
zengchen1024 f9c98c3b4c add openstack cloud provider 2017-11-13 16:59:24 +08:00
Kubernetes Submit Queue 8df13bd468 Merge pull request #3679 from justinsb/support_api_aggregation
Automatic merge from submit-queue.

Initial aggregation work

Create the keypairs, which are supposed to be signed by a different CA.
    
Set the `--requestheader-...` flags on apiserver.
    
Fix #3152
Fix #2691
2017-10-24 12:08:27 -07:00
Justin Santa Barbara a879521ba3 Initial aggregation support
Create the keypairs, which are supposed to be signed by a different CA.

Set the `--requestheader-...` flags on apiserver.

Fix #3152
Fix #2691
2017-10-22 14:41:38 -04:00
wlan0 d3143ec3cc add Cloud Controller Manager addon 2017-10-19 12:33:44 -07:00
Justin Santa Barbara 3478031533 API types changed package 2017-10-01 14:03:56 -04:00
Justin Santa Barbara 45032502c6 baremetal: fill out more of the baremetal mappings
This gets us to the point where we can create the objects.
2017-09-22 23:03:07 -04:00
Justin Santa Barbara 4d52a7c9e6 Add Initializers admission controller
Also sync up Admission controllers with current default sets for 1.7 &
1.8
2017-08-27 20:53:57 -04:00
georgebuckerfield 58960f39cd Move etcd config for apiserver into code, set cloud provider for Digital Ocean to external 2017-08-26 08:23:19 +01:00
georgebuckerfield ff7f60dc35 Initial work on moving apiserver templates into code 2017-08-26 00:32:28 +01:00
chrislovecnm 2afdb5ab2e mapping-and-uploading-kube-assets 2017-08-21 15:16:56 -06:00
Rohith 7cd214266a Requested Changes - Etvd v3
- removing the StorageType on the etcd cluster spec (sticking with the Version field only)
- changed the protokube flag back to -etcd-image
- users have to explicitly set the etcd version now; the latest version in gcr.io is 3.0.17
- reverted the ordering on the populate spec
2017-08-11 21:08:09 +01:00