kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
19,932 Commits 31 Branches 256 Tags 544 MiB
Commit Graph

140 Commits

Author SHA1 Message Date
John Gardiner Myers 7c1ed8de66 Refactor kube-apiserver kubelet-api certificate 2021-07-16 23:07:14 -07:00
John Gardiner Myers 68bb8f5ddb Refactor kube-apiserver static credentials 2021-07-16 22:55:50 -07:00
John Gardiner Myers c8b1a586b8 Refactor kube-apiserver server certificate 2021-07-16 22:42:23 -07:00
John Gardiner Myers 68041a4f73 Issue certs using CA KeypairID in NodeupConfig 2021-07-10 23:23:12 -07:00
John Gardiner Myers 6ddccf5f79 Refactor some users of FindPrimaryKeypair 2021-07-10 23:23:12 -07:00
John Gardiner Myers d58a19e1bd Refactor service-account signing key 2021-07-10 17:31:59 -07:00
John Gardiner Myers 1e0c6cb1aa Refactor apiserver-aggregator-ca 2021-07-01 22:25:47 -07:00
John Gardiner Myers 7162a7473a Remove dead code 2021-07-01 13:58:51 -07:00
John Gardiner Myers 3de05a500e Refactor etcd-clients-ca keyset for api-server 2021-06-30 18:55:30 -07:00
John Gardiner Myers e1df9f09dd Refactor service-account public keys 2021-06-27 08:45:06 -07:00
John Gardiner Myers 60ae29c93c Refactor EncryptionConfig 2021-06-27 08:45:05 -07:00
John Gardiner Myers 1312163edd Update nodes with an APIServer when APIServer spec changes 2021-06-27 08:45:04 -07:00
John Gardiner Myers fc94505a76 Include multiple certs in aws-iam-authenticator trust bundle 2021-06-21 07:35:50 -07:00
John Gardiner Myers 12465ac27c Simplify extraction of service-account public keys 2021-06-05 16:38:28 -07:00
John Gardiner Myers 6b2250a9af Have apiserver trust all service-account keys 2021-06-05 16:38:08 -07:00
Alexander Block bb52334222 Make the events etcd cluster optional 2021-05-20 08:05:42 +02:00
John Gardiner Myers d3469d6ec2 Remove code for no-longer-supported k8s versions 2021-05-07 23:40:03 -07:00
Ole Markus With bd731ce989 Use secure kubelet auth 
Without secure node auth enabled, commands like `kubectl logs` may fail
with certain configurations.

Previously, we checked if anonymousAuth was enabled on the kubelet
before securing node communication, but this isn't really relevant. We
can still authenticate even if anonymous access is allowed.
 2021-04-13 08:59:39 +02:00
Ole Markus With 20bd724f5e Add support for scaling out the control plane with dedicated apiserver nodes 
Ensure apiserver role can only be used on AWS (because of firewalling)

Apply api-server label to CP as well

Consolidate node not ready validation message

Guard apiserver nodes with a feature flag

Rename Apiserver role to APIServer

Add an integration test for apiserver nodes

Rename Apiserver role to APIServer

Enumerate all roles in rolling update docs

Apply suggestions from code review

Co-authored-by: Steven E. Harris <seh@panix.com>
 2021-03-20 20:57:00 +01:00
shil dc03028e5d Update the logic to set kubeAPIServer.ClientCAFile 2021-02-02 12:10:43 -08:00
shil a0350a0dfa Use the kubeApiServerConfig clientCAFile field 2021-02-01 15:26:09 -08:00
Rodrigo Menezes da773ba35c Allow setting CPU limit and Mem request / limit for kube API 2020-11-23 10:03:34 -08:00
John Gardiner Myers 2ac17bee69 Remove code for no-longer-supported k8s releases 2020-10-29 16:45:53 -07:00
Ole Markus With 192d6a46f9 Errors when encryptionConfig is enabled, but no encryptionconfig secret 
When encryptionConfig is enabled, but the secret is missing, there is no
visible errors anywhere. kube-apiserver just goes into a crashloop
without any complains. This PR adds warnings both on the client side and
through nodeup.
 2020-09-08 17:46:18 +02:00
Justin SB 786423f617 Expose JWKS via a feature-flag 
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access).  This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-08-30 10:15:11 -04:00
John Gardiner Myers 70926d43fc Use a stable key for signing service account tokens 2020-07-11 13:18:50 -07:00
John Gardiner Myers f4f4763dc2 Refactor more certs to be issued by nodeup 2020-06-28 23:12:13 -07:00
Ciprian Hacman 70a3a2e978 ARM64 support - Update side-loading for multi-arch 2020-06-19 04:42:11 +03:00
John Gardiner Myers c8b523e8b6 Issue aws-iam-authenticator cert in nodeup 2020-06-16 21:05:11 -07:00
Kubernetes Prow Robot eb39ab7349
Merge pull request #9355 from johngmyers/move-port 
Move host-network services off of port 8080
 2020-06-16 09:10:04 -07:00
John Gardiner Myers 9d7a93e124 Issue kubelet-api cert in nodeup 2020-06-13 16:35:44 -07:00
John Gardiner Myers 4bf8302f14 Move kube-apiserver-healthcheck to port 3990 2020-06-12 22:00:14 -07:00
ZouYu 2fc52ec6be fix some go-lint warning 
Signed-off-by: ZouYu <zouy.fnst@cn.fujitsu.com>
 2020-06-09 08:52:50 +08:00
John Gardiner Myers e88e0cf7ec Remove code supporting dropped k8s versions 2020-06-04 12:11:51 -07:00
John Gardiner Myers a3e7ca2469 Disable static tokens by default as of Kubernetes 1.18 2020-06-01 15:12:09 -07:00
Justin SB 75fd939a62
kube-apiserver: healthcheck via sidecar container 
kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonyomous-access being enabled.  That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.

Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.

This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-05-07 08:06:52 -04:00
Ciprian Hacman fa516ed5f8
Simplify condition 
Co-Authored-By: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-04-05 20:57:09 +03:00
Ciprian Hacman ad8e1ceff7 Remove basic authentication support for k8s 1.19+ 2020-04-05 17:47:26 +03:00
John Gardiner Myers 3e95a88717 Fix Test_KubeAPIServer_Builder to use a supported version of Kubernetes 2020-02-21 22:46:36 -08:00
Justin SB 0cb35638f2
Stop logging to /var/log/kops-controller.log 
Writing to a hostPath from a non-root container requires file
ownership changes, which is difficult to roll out today.  See
discussion in #8454

We were primarily using the logfile for e2e diagnostics, so we're
going to look into collecting the information via other means instead.

We also haven't yet shipped this logfile in a released version (though
we have shipped it in beta releases)
 2020-02-04 06:41:25 -05:00
John Gardiner Myers 6e9dc8fc0f Remove code for unsupported k8s versions from nodeup 2020-01-12 19:30:34 -08:00
Kubernetes Prow Robot 95f4f83fbe
Merge pull request #7900 from zacblazic/use-encryption-provider-config-flag 
Use non-experimental version of encryption provider config flag in 1.13+
 2020-01-05 10:31:40 -08:00
tanjunchen 7e25f9831d nodeup/pkg/ pkg/ staticcheck 2019-12-31 15:03:39 +08:00
John Gardiner Myers eaa13e734d Fix truncation of admission control plugins list 2019-11-30 19:30:49 -08:00
Kubernetes Prow Robot 482fce5d54
Merge pull request #7424 from mmerrill3/feature/dynamic-audit-config 
Implementing audit dynamic configuration (#7392)
 2019-11-26 01:01:10 -08:00
Zac Blazic 28d3eb4e37 Use `--encryption-provider-config` when kubernetes 1.13+ 
The alpha version of encryption at rest used the following flag:
`--experimental-encryption-provider-config`. As of kubernetes 1.13,
`--encryption-provider-config` should be used instead.
 2019-11-08 18:24:05 +02:00
tanjunchen a19fb935e4 fix-up static-check 2019-10-29 14:06:12 +08:00
mmerrill3 5cf94c8ddf Implementing audit dynamic configuration (#7392) 
Signed-off-by: mmerrill3 <michael.merrill@vonage.com>
 2019-10-24 10:21:27 -04:00
mikesplain 9e55b8230a Update copyright notices 
Also cleans some white spaces
 2019-09-09 14:47:51 -04:00
Kubernetes Prow Robot dd6b0314fc
Merge pull request #6897 from vainu-arto/set-priority-for-static-pods 
Set priority for static pods
 2019-07-12 00:41:07 -07:00
Kashif Saadat 2b61ace49c goimports update 2019-07-03 16:43:20 +01:00
Austin Moore 67d9f5f190
Move getProxyEnvVars into a util package 2019-06-05 15:59:19 -04:00
Justin SB fe487df586
Use klog logging from 1.15 
klog can now support logging both to a file and to streams, so we get the output both in docker & logfiles.

A few gotchas:

* The output previously was all on stdout, now it on stderr.  That is more correct
* If something writes to stdout or stderr outside of klog, it will no longer end up in the logfile.
* There's some oddities still to be ironed out about the flag syntax https://github.com/kubernetes/klog/issues/60
 2019-05-10 00:17:30 -04:00
Arto Jantunen 48974521e1 Set priority classes for static pods 
For the master pods (apiserver, controller manager, scheduler) this is
unlikely to ever matter (the masters aren't expected to run out of
resources and need to evict things) but evictions of kube-proxy from worker
nodes are easy to trigger in clusters with PodPriority enabled. Since these
are static pods the configuration is also somewhat difficult to change.
 2019-05-09 16:03:08 +03:00
Kubernetes Prow Robot b91db4f360
Merge pull request #6706 from granular-ryanbonham/apiserver_cpurequest 
Add ability to specify cpuRequest for API Server
 2019-04-10 08:04:13 -07:00
Justin SB c7b921fe05
Increase apiserver timeout to 45 seconds 
Fix #6702

Parallel to upstream issue #71054
 2019-04-07 11:55:33 -07:00
Ryan Bonham 8584fd731d Fix type mismatch 2019-03-29 14:32:29 -05:00
Ryan Bonham ac5a2ec2a0 Fix syntax error 2019-03-29 14:19:59 -05:00
Ryan Bonham 67c2f50732 Handle unset KubeAPIServer.CPURequest 2019-03-29 14:07:05 -05:00
Ryan Bonham a75dcdda35 Add Ability to set cpu request for api server 2019-03-29 13:56:21 -05:00
Justin SB 31f408c978
Support etcd-manager in kops 1.12 
In 1.12 (kops & kubenetes):

* We default etcd-manager on
* We default to etcd3
* We default to full TLS for etcd (client and peer)
* We stop allowing external access to etcd
 2019-03-14 23:13:06 -04:00
Derek Lemon -T (delemon - AEROTEK INC at Cisco) 4f0169bb79 codegen 2019-01-16 09:30:40 -07:00
Justin SB 26bd75aecb
Bulk spelling fixes 
Experimenting with my own spelling checker, these are the typos it caught.
 2018-12-20 17:43:56 -05:00
fernando.carletti 4b27e6c8ee
Add flag to disable Basic Auth. 2018-10-16 19:04:38 -05:00
Rob Graham 4b07a07ad5 Merge branch 'master' into issue-4252-dns 2018-07-23 14:00:09 +01:00
Rob Graham 8ccf42f4a2 GH-4252 Better name for the config value and also add to v1alpha1 API 2018-07-23 13:48:35 +01:00
Christian Kampka 581eec3eca Don't mount volume for auditLog when STDOUT is configured as path 
Fixes #4202
 2018-07-16 22:53:58 +02:00
k8s-ci-robot 35b7d5791d
Merge pull request #5424 from rdrgmnzs/fix_aws-authenticator_read_perms 
Fix the issue described in #5412 where the authenticator is no longer…
 2018-07-11 15:29:26 -07:00
Rodrigo Menezes a31c0186da add comment 2018-07-10 10:27:13 -07:00
Rodrigo Menezes b296e6fcbf Fix the issue described in #5412 where the authenticator is no longer able to read the K8s CAs. 2018-07-09 23:57:58 -07:00
Rodrigo Menezes f5e3d434fb fix cert location 2018-07-09 15:04:13 -07:00
Rodrigo Menezes 414b3a780b Rename hept.io authenticator to aws authenticator 2018-07-08 10:10:19 -07:00
Rob Graham ae327e1e8c wrestling with the api stuff 2018-07-02 15:16:37 +01:00
Rob Graham cc589ae538 Reworked to use loadbalancer only if config is specified 2018-07-02 12:02:50 +01:00
Rob Graham 64974fdd5b GH-4252 Only manage internal DNS zone if configuration has been specified 2018-06-22 15:05:47 +01:00
k8s-ci-robot 8fad9da430
Merge pull request #5352 from gambol99/nodeup_clean 
Nodeup clean
 2018-06-21 09:23:47 -07:00
Rohith c9db958696 - cleanup up elements, imports and comments 2018-06-20 09:26:31 +01:00
Rohith f4e90e1035 Removing Duplication 
- removing the duplication code (i think by me :-)) and reusing the BuildCertificateTaskd and BuildPrivateKeyTask
 2018-06-19 23:15:53 +01:00
Rohith b62d6df115 Admission Controller Fix 
A previous PR https://github.com/kubernetes/kops/pull/5221/ introduced the --enable-admission-plugins for >= 1.10.0 as recommended, it does however cause an issue if you already have AdmissionControl is specified in the Spec as both flags get rendered
 2018-06-02 19:46:55 +01:00
Rohith f31f544ff2 File Permissions Private Key 
- adjusting the file permissions on the heptio authenticator to 0600
 2018-06-01 15:34:37 +01:00
Rodrigo Menezes f0476776b1 fix file perms 2018-05-31 21:11:06 -07:00
Rodrigo Menezes 5ce8f9e712 Setup heptio authenticator 2018-05-23 17:48:33 -07:00
Kashif Saadat ac25853cd5 - Add etcdClusterSpec Image & Version in bootstrap data for Master nodes 
- Reuse execWithTee fn for ETCD Command (tee & mkfifo in different path for newer image versions)
 2018-02-10 12:14:36 +00:00
Justin Santa Barbara 7ca593b994 exec target command, but still pipe it to tee 
Equivalent of https://github.com/kubernetes/kubernetes/pull/57756
 2018-01-25 10:15:24 -05:00
Justin Santa Barbara a879521ba3 Initial aggregation support 
Create the keypairs, which are supposed to be signed by a different CA.

Set the `--requestheader-...` flags on apiserver.

Fix #3152
Fix #2691
 2017-10-22 14:41:38 -04:00
Justin Santa Barbara 95d4f3eb59 More code updates for 1.8 2017-10-01 21:13:00 -04:00
Justin Santa Barbara 3478031533 API types changed package 2017-10-01 14:03:56 -04:00
Justin Santa Barbara 383194780a Create helper function for critical pod annotations 
In particularly I think we want a toleration also; easiest to put the
code in one function.
 2017-09-30 17:38:20 -04:00
Julian V. Modesto ae9d332b93 Set critical pod annotations 2017-09-30 01:28:59 -04:00
Rohith a7abb07d56 Component Manifests 
The current kube manifest redirect all the logs into host located log files, this PR uses the tee command to pipe into both local logs (retaining the current) and docker stdout (which will be picked up by the journald or which every logging your using. Note also permits as to now need the logs via the kubectl command.

- renamed some of the files to make things cleaner
- redirecting the logs from the kubernetes components into local file and stdout
- cleaned up any vetting or linting error i came across
 2017-09-27 15:48:41 +01:00