Commit Graph

40 Commits

Author SHA1 Message Date
Peter Rifel 4ee5d7a543 Add tagging support for AWS IAM Roles 2020-12-23 15:11:07 -06:00
Justin SB 1945a656a0 Remove deprecated ResourceHolder
Cleaning up what is now dead code.
2020-12-19 23:15:37 -05:00
John Gardiner Myers 4f5def8610 Address review comment 2020-12-03 23:24:43 -08:00
Kubernetes Prow Robot 50e61d6bc9 Merge pull request #9924 from hakman/additional-policies-shared-roles
Only add additional policies to kops managed IAMRoles
2020-09-15 20:03:19 -07:00
Kubernetes Prow Robot a93febf5a6 Merge pull request #9911 from hakman/fix-gossip
Allow the BootstrapClient task to run after Protokube
2020-09-13 21:10:57 -07:00
Ciprian Hacman 07be801a12 Only add additional policies to kops managed IAMRoles 2020-09-12 08:36:24 +03:00
Ciprian Hacman c1e0991153 Skip the iamPolicy.DNSZone task when using gossip 2020-09-10 22:55:36 +03:00
Evgeny Zislis 608a561f8c only apply external policy tasks on non-shared iam 2020-09-10 12:58:54 +03:00
Justin SB 6fa8be2716 JSON formatting of IAM: Workaround for optional fields
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
2020-09-09 09:57:07 -04:00
Justin Santa Barbara d8895c57ec Add version logic to UseServiceAccountIAM
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:07 -04:00
Justin SB a61ecf4c58 Refactor to use interface for iam Subjects
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB f05980f6ba IAM Policy: rely on stub resolution/unification
This avoids the hacky search through the list of tasks.
2020-09-09 09:57:06 -04:00
Justin SB 8498ac9dbb Create PublicJWKS feature flag
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens.  But it shouldn't need a second bucket or anything of that
nature.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Kubernetes Prow Robot 8a81d94c7b Merge pull request #9773 from victorfrancax1/7286
Adding support for permission boundaries for AWS IAM Roles
2020-08-19 06:51:11 -07:00
Victor Ferreira 3aaa9a7c0f feat(aws): adding support for permission boundaries for IAM Roles 2020-08-19 01:16:13 -03:00
Peter Rifel 4d9f0128a3 Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
Matt Ouille f025ff0e70 Add External Policies (AWS managed policy attachments) 2020-02-16 21:54:12 -08:00
tanjunchen 8acb51e061 pkg/apis/ pkg/commands/ pkg/model/ staticcheck 2019-12-30 21:13:40 +08:00
mikesplain 9e55b8230a Update copyright notices
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Justin SB 3e33ac7682 Change code from glog to klog
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog.  That
will happen when we update to k8s 1.13.
2019-05-06 12:54:51 -04:00
Lars Lehtonen 677f19f32d pkg/model: Fix dropped error 2019-04-11 19:35:36 -07:00
Justin Santa Barbara 8f15a58e8c Validate IAM additionalPolicies
We now validate them with the cluster, so we should give early and
clear feedback if the IAM policy is not valid.
2018-07-27 15:22:24 -04:00
k8s-ci-robot d7486e490f Merge pull request #5533 from justinsb/hotfix_5522
Check errors when parsing JSON on IAM policies
2018-07-27 12:20:56 -07:00
Justin Santa Barbara f3fb513852 Remove unnecessary reflect.ValueOf
We can replace with a simpler string cast
2018-07-27 00:58:14 -04:00
Justin Santa Barbara 3ddf598448 Check errors when parsing JSON on IAM policies
We weren't checking the error code, and this led to #5522
2018-07-27 00:54:57 -04:00
Peter Rifel 5f0b63100d Add support for using existing instance profiles 2018-06-08 10:33:09 -07:00
Rohith c8e4a1caf8 Kubernetes Calico TLS
The current implementation when Etcd TLS was added does not support using calico as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate
2018-02-14 23:41:45 +00:00
Albert c52472cfa8 Add support for cn-northwest-1. 2017-12-27 15:37:09 +08:00
chrislovecnm 2e6b7eedb9 Revision to IAM Policies created by Kops, and wrapped in Cluster Spec
IAM Legacy flag.
2017-09-15 08:05:23 +01:00
Justin Santa Barbara 3dfe48e5ae Wiring up lifecycle 2017-07-15 22:03:54 -04:00
Justin Santa Barbara bde69b5b3e Rename RoleType to ExportWithID in IAMRole
Tweaks for #2508
2017-05-16 10:21:11 -04:00
Pierre-Alexandre St-Jean 347dccfa25 Added instance role as terraform output
Added:
- Instance role name
- Instance role arn

as terraform outputs; this can then be referenced later on to
use as sts:assume role, created after this one
2017-05-05 16:21:43 -04:00
Justin Santa Barbara 864a999602 Fix automatic private DNS zone creation
We have to defer creation of the IAM policy until we have created the
hosted zone.

Fix #2444
2017-04-29 17:01:18 -04:00
Jakub Paweł Głazik cd795d0c8c Resolve DNS Hosted Zone ID while building IAM policy
Fixes #1949
2017-02-23 11:45:58 +01:00
Justin Santa Barbara 2bfed0d2b1 Remove additional IAM policies that have been removed
This uses an explicit deletion approach, where we set the policy to
empty, and use that to signal that the policy should be deleted.  This
is acceptable because IAM policies can't be empty anyway.

We probably should use a tag-based "garbage-collection" approach, but
IAM objects can't be tagged, so we're pretty much always going to be
doing something name based.

Fix #1642
2017-01-31 10:46:45 -05:00
Justin Santa Barbara 4c92aa558f Attach additional IAM policies to same role 2017-01-30 09:52:48 -05:00
Yissachar Radcliffe 1981f42e69 Format 2017-01-11 11:05:36 -05:00
Yissachar Radcliffe 773335e342 Create separate IAM policies instead of editing existing one 2017-01-11 11:05:36 -05:00
Justin Santa Barbara 50296f1a30 Fix file headers 2016-12-19 00:23:20 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
2016-12-18 21:56:57 -05:00