Treat "spectre/meltdown" as one vuln, and stay away from parsing which
CVE is which.
The advisory is that the kernel must be updated, which CVEs are fixed
(or not) are not really the issue.
This advisory covers the following 3 CVEs, Variant 1 and 3 are currently
resolved.
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Automatic merge from submit-queue.
Support for OIDC 'username-prefix' and 'groups-prefix' flags
### What
Added support for `--oidc-username-prefix` and `--oidc-groups-prefix`.
By passing these it's possible to override the default prefixes used to map the OIDC user with the username in kubernetes.
### See
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
### IMPORTANT
I'm far from a kubernetes/KOPS, this is not tested so someone needs to have a look and see if something is missing or if this can cause troubles! (don't want to accidentally cause the destruction of the universe 💥 )
It's basically the same done in this other PR: https://github.com/kubernetes/kops/pull/1438/files
I did **not** change the `zz_generated.conversion.go` files as according to comment at the top of them they're autogenerated:
```go
// This file was autogenerated by conversion-gen. Do not edit it manually!
```
(I wonder if they should be `.gitignore`d)
### Fixes
This should fix [#4007: field oidcUsernamePrefix is not recognized in cluster configuration file](https://github.com/kubernetes/kops/issues/4007)
Automatic merge from submit-queue.
Allow additional SGs to be added to API loadbalancer
Allow adding precreated additional security groups to the API loadbalancer using cluster spec:
```yaml
spec:
api:
loadBalancer:
type: Public
additionalSecurityGroups:
- sg-exampleid3
- sg-exampleid4
```
- [x] Adding additionalSecurityGroups cluster spec
- [x] Adding validation for repeated security groups
- [x] Adding validation for API loadbalancer security groups
- [x] Integration test for API loadbalancer and its security groups
- [x] Update API docs and cluster.spec docs
Automatic merge from submit-queue.
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS.
@justinsb I cannot find anywhere that does a check on an existing VPC to see if the networkCIDR matches what is on the VPC defined, I was looking for that so I can add a similar check for this. Am I missing something or is there really no check like that?
Todd DeShetler
k8s-ci-robot
Steve Ruckdashel
Peter Rifel
Justin Santa Barbara
chrislovecnm
Reid Wiggins
Kubernetes Submit Queue
Eric Hole
Thomas Peitz
Aldo "xoen" Giambelluca
Henry Muru Paenga
Manuel de Brito Fontes
Joel Bastos
Rodrigo Menezes
Abdullah Almariah
krogon-dp