Commit Graph

137 Commits

Author SHA1 Message Date
Peter Rifel 0e59715e15 Trim GCE firewall rule names to their max length 2022-04-18 18:40:39 -05:00
Ole Markus With ce2e877aeb Remove bazel files from vendor 2022-04-12 13:29:03 +02:00
Jesse Haka 617b439b38 Fix GCE service account creation 2022-03-01 11:59:42 +02:00
Kubernetes Prow Robot 02dc9dd8b3 Merge pull request #13201 from zetaab/removesa
cleanup GCP Cluster Service Accounts
2022-02-23 04:24:19 -08:00
Jesse Haka 67beb3fef5 add const 2022-02-23 10:52:08 +02:00
Jesse Haka 3e505a559e add missing import 2022-02-07 21:35:01 +02:00
Jesse Haka 180c3ae475 Update pkg/model/gcemodel/api_loadbalancer.go
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
2022-02-07 21:32:05 +02:00
Jesse Haka d3fac0c1be GCP API health checks 2022-02-03 21:02:21 +02:00
John Gardiner Myers 5385381633 Use IPv6-only subnets for worker nodes in private IPv6 topology 2022-01-06 21:00:00 -08:00
justinsb 93a6871e9b gce: don't set per-IG permissions when using shared account
If we're using a cluster-level service-account, we shouldn't try to
set bucket permissions on a per-IG level.

For compatibility with the existing behavior, we simply don't set any
permissions in this case.
2021-12-28 10:10:16 -05:00
justinsb 8b3372ec76 Need to truncate gce serviceaccounts to max 30 characters 2021-12-17 12:57:14 -05:00
justinsb 746f886718 gce: use per instancegroup serviceaccounts
We no longer set the cloudconfig serviceaccount on new clusters, and
instead use a per-IG setting if this is not set.
2021-12-17 12:57:14 -05:00
justinsb 63e3d98443 gce: Use ServiceAccount task when building model
The next step towards supporting custom ServiceAccounts per IG
2021-12-15 11:08:51 -05:00
justinsb 4cf52d0e51 GCE: Support kops-controller, including in gossip mode
We discover the kops-controller in gossip mode using seeding code that
calls into the GCE API, just like gossip itself does.

We refactor the gossip code into a shared gcediscovery library with
minimal dependencies.
2021-12-04 11:51:41 -05:00
Peter Rifel 85d4bf7497 Add labels to GCE instance templates 2021-12-02 08:20:04 +02:00
Kubernetes Prow Robot 0be79b25b7 Merge pull request #12867 from hakman/gofumpt_script
Add gofumpt scripts
2021-12-01 22:13:32 -08:00
Peter Rifel 00a8a68f01 Fix area/provider/gcp GitHub label assignment 2021-12-01 22:43:43 -06:00
Ciprian Hacman ea7df00719 Run hack/update-gofmt.sh 2021-12-01 22:39:50 +02:00
justinsb 5e4987b246 GCE: support egress specification
Empty or "nat" now defaults to creating a per-subnet NAT router for
private topologies.  "external" will assume that egress is configured
outside of kOps.
2021-10-26 21:37:03 -04:00
justinsb caff7e36ad gce: open node->master ports for calico and cilium
We're taking the opportunity to pursue a locked-down model, but this
means we need to open ports explicitly.
2021-10-25 08:31:21 -04:00
justinsb d363bf3dad GCE: improve network & subnet terraform support
We should use the subnet spec in the Cluster, and default to creating
a new subnet/network, but allow an existing one to be specified.
2021-10-24 17:41:14 -04:00
justinsb 0611e4f638 gce: open kops-controller port from nodes
This is now needed in our nodeup bootstrap with vTPM on GCE.

Also remove the cadvisor port, it is no longer running on the control-plane nodes.
2021-10-24 13:47:16 -04:00
justinsb af76c4c20a gce: allow router to refer to network object
This allows for our execution model to work a little more smoothly.
2021-10-24 09:19:06 -04:00
justinsb 860b033ddc gce: allow network to be marked as shared 2021-10-23 23:54:39 -04:00
justinsb e2f7895700 GCE: When using calico, need to open up ipip protocol
We need to open up the ipip protocol, which wasn't previously enabled.

Future work could construct the firewall rules in a common library,
and then adapt them to the various clouds.
2021-09-21 21:20:24 -04:00
justinsb 3e83b771d6 GCE: For IPAlias or Custom Routes, we must recognize source by CIDR
SourceTags are not recognized when using IPAlias or custom routes (aka
kubenet), so we must recognize by CIDR instead.
2021-09-21 08:20:17 -04:00
justinsb 76f816f483 GCE: Always have IPv6 rules in "ipv6 mode"
If we don't specify some SourceRanges, it defaults to 0.0.0.0/0, which
is IPv4 and confusing.
2021-09-20 09:26:28 -04:00
Justin SB 0722124e8e Initial IPv6 support for GCE
Supporting IPv6 values where they can be set by the user, and ensuring
that IPv4 and IPv6 firewall rules are split because on GCP they cannot
be in the same rule.
2021-08-21 20:09:31 -04:00
John Gardiner Myers 7c9e7e9286 Make Lifecycle field non-pointer 2021-06-02 23:02:16 -07:00
John Gardiner Myers 43d8d97e7c Set lifecycle in GCE APILoadBalancerBuilder 2021-05-31 10:39:34 -07:00
Kubernetes Prow Robot b0664176bc Merge pull request #11259 from olemarkus/warm-life-cycle-hook
Make nodeup able to complete the warming life cycle hook
2021-04-24 02:05:15 -07:00
Ole Markus With 1ec0bd18e8 Enable support for the ASG WarmPool lifecycle hook
Update pkg/model/iam/iam_builder.go

Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
2021-04-24 09:40:52 +02:00
Kenji Kaneda f37330f53d Add GCE Router task
This commit picks up the change from the previous attempt
(https://github.com/kubernetes/kops/pull/6828).

- Add Router to GCE tasks
- Add the HasExternalIP field to InstanceTemplate
- Create a RouterTask and set HasExternalIP to false when
  a private topology is specified.

https://github.com/kubernetes/kops/issues/6827
2021-04-23 23:03:38 -07:00
Kubernetes Prow Robot 9bc1c0ed77 Merge pull request #10477 from justinsb/refactor_gce_instancetemplate
Refactor GCE InstanceTemplate
2020-12-21 17:48:28 -08:00
Justin SB 1945a656a0 Remove deprecated ResourceHolder
Cleaning up what is now dead code.
2020-12-19 23:15:37 -05:00
Justin SB f12c3f95f8 Refactor GCE InstanceTemplate
Clearer, and for future cluster-api support.
2020-12-19 17:14:51 -05:00
Justin SB 45d11ba12c Replace (some) deprecated ResourceHolder with Resource
This removes more of the deprecated type, but it also simplifies
refactoring the GCE InstanceTemplate.
2020-12-19 09:51:43 -05:00
Justin SB a61ecf4c58 Refactor to use interface for iam Subjects
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB 8498ac9dbb Create PublicJWKS feature flag
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens.  But it shouldn't need a second bucket or anything of that
nature.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Peter Rifel 4d9f0128a3 Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
Kubernetes Prow Robot f9262b91e7 Merge pull request #9450 from johngmyers/refactor-apiserver-lb
Refactor how api-server addresses are exported from tasks
2020-06-28 22:08:15 -07:00
John Gardiner Myers 86f157fa27 Refactor how api-server addresses are exported from tasks 2020-06-26 21:38:39 -07:00
John Gardiner Myers 013f9bf914 Create bootstrap script in a Task 2020-06-26 19:11:40 -07:00
John Gardiner Myers cef5b175c7 Rename BootstrapScript to BootstrapScriptBuilder 2020-06-26 10:57:36 -07:00
John Gardiner Myers 843e5b9b16 Move GCEServiceAccount into CloudConfig 2020-05-03 20:35:32 -07:00
eric-hole c59314a799 Adds some initial tests. Fixes some logic
Need to fix service account implementation first

Fixing tests and iterating on the serviceaccount logic

Run the gce_byo_sa test
2020-04-04 21:20:31 -07:00
eric-hole b3d65ffce0 Adds a gce-service-account flag so you BYO service-account
Generated code and some cleanup

Not sure where that code went

Tests for service account

fixes case on gceserviceaccount
2020-04-04 21:15:56 -07:00
eric-hole 1f508e7e17 Tweak the featureflag.GoogleCloudBucketACL.Enabled 2020-03-14 20:47:11 -07:00
Peter Rifel a999b3ea61 fix OWNERS labels format
These need to be lists
2020-03-10 22:47:50 -05:00
tanjunchen 52537053cc simplify code and remove unused code 2019-12-17 00:28:35 +08:00
hwdef b0c63b4cd9 pkg: fix static check 2019-10-24 14:16:41 +08:00
Justin SB 728e582360 Fill out kops controller functionality
k8s 1.16 requires that we move label setting away from the kubelet, to
a central controller.  kops-controller is that controller.
2019-09-25 12:04:34 -04:00
mikesplain 9e55b8230a Update copyright notices
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Justin SB 62f7c26f98 Support "gce" networking mode, which uses ip aliases 2019-07-19 07:54:13 -04:00
Justin SB 76d03b3f71 Generated files: glog -> klog 2019-05-06 12:56:03 -04:00
Justin SB 3e33ac7682 Change code from glog to klog
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog.  That
will happen when we update to k8s 1.13.
2019-05-06 12:54:51 -04:00
Rohith b1aa7892c7 Launch Template Feature Flag
- adding a feature flag to allow users to switch over to launch templates completely
2019-02-26 10:17:10 +00:00
Justin Santa Barbara 168cf56ebe GCE: storage-rw scope for instances that need it 2018-06-14 17:50:26 -04:00
Justin Santa Barbara ba6d14d1a8 GCE: Grant bucket permissions for etcd-manager
Unfortunately it has to be bucket level, because that is all that GCS
supports.
2018-06-14 17:50:16 -04:00
Povilas Versockas 8bfa93c304 Add public ssh keys for GCE 2018-04-21 20:15:29 +03:00
Justin Santa Barbara e158f84e9f Set AWS_REGION into bootstrapscript
Fix #4451
2018-04-12 17:39:24 -04:00
Justin Santa Barbara 0872cb74d7 Allow GCE network to be reconfigured 2017-12-02 02:43:21 -05:00
chrislovecnm 609e268a1d gazelle updates with new bazel version 2017-11-05 17:41:53 -07:00
chrislovecnm 1e418c3e13 more goimport updates 2017-11-04 10:03:02 -06:00
chrislovecnm 8d1ee1fa16 updating files for goimports 2017-11-01 12:51:43 -06:00
Justin Santa Barbara d1ee8026ac GCE: Tasks for object & bucket level permissions
We also switch to setting a bucket-level ACL permission, as this
requires less permissions.
2017-10-29 18:08:08 -04:00
Justin Santa Barbara dbbe3f373b GCE: Set up permissions for cross-project configurations
This ensures that the cluster can read the kops state store files, even
if the GCS bucket is in a different project.

We automatically set up an IAM access policy that grants access.
2017-10-28 03:24:18 -04:00
Justin Santa Barbara d71bd09a6c GCE: Limit length of InstanceTemplate
We explicitly set a separate prefix for the names, and we ensure it is
not too long
2017-10-10 09:48:38 -04:00
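Three commits in this log exist only because GCE rejects over-long resource names: "Trim GCE firewall rule names to their max length", "Need to truncate gce serviceaccounts to max 30 characters" and "GCE: Limit length of InstanceTemplate". Naive truncation is a correctness and a security problem in its own right: two instance groups whose generated names share a long prefix would collapse into one name, and a firewall rule or service account would then be attached to the wrong workload. The following is an added example of a collision-resistant truncation, written for this page and not taken from kops; the limits it assumes (63 characters for Compute resource names such as firewall rules and instance templates, 6 to 30 for a service account ID) and the name regexp are taken from the GCE API conventions as assumed here, and the input names are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Assumed GCE limits (not from kops): Compute resource names such as firewall
// rules and instance templates allow up to 63 characters; a service account
// ID allows 6..30. Both must start with a letter and contain only [-a-z0-9].
const (
	maxComputeNameLen        = 63
	maxServiceAccountNameLen = 30
	hashSuffixLen            = 6 // hex digits kept from SHA-256(name)
)

var gceNameRE = regexp.MustCompile(`^[a-z]([-a-z0-9]*[a-z0-9])?$`)

// safeTruncatedName shortens name to at most maxLen characters while keeping
// it deterministic and collision-resistant: when the name is too long, its
// tail is replaced by "-" plus the first hashSuffixLen hex digits of
// SHA-256(name), so two long names that differ only after the cut still map
// to different GCE names. Names that already fit are returned unchanged.
func safeTruncatedName(name string, maxLen int) (string, error) {
	if maxLen <= hashSuffixLen+2 {
		return "", fmt.Errorf("maxLen %d leaves no room for a prefix", maxLen)
	}
	if len(name) <= maxLen {
		return validateGCEName(name)
	}
	sum := sha256.Sum256([]byte(name))
	suffix := hex.EncodeToString(sum[:])[:hashSuffixLen]
	prefix := name[:maxLen-hashSuffixLen-1]
	// A prefix ending in "-" would yield "--", which GCE rejects.
	prefix = strings.TrimRight(prefix, "-")
	return validateGCEName(prefix + "-" + suffix)
}

// validateGCEName enforces the character rules so that a bad name fails in
// the model rather than at the API.
func validateGCEName(name string) (string, error) {
	if !gceNameRE.MatchString(name) {
		return "", fmt.Errorf("%q is not a valid GCE resource name", name)
	}
	return name, nil
}

func main() {
	// Constructed inputs: a generated firewall rule name and a service account
	// name derived from a long cluster name.
	cluster := "my-cluster-" + strings.Repeat("x", 50) + "-example-com"
	for _, c := range []struct {
		name   string
		maxLen int
	}{
		{"node-to-master-calico-ipip-" + cluster, maxComputeNameLen},
		{"control-plane-" + cluster, maxServiceAccountNameLen},
	} {
		got, err := safeTruncatedName(c.name, c.maxLen)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d chars: %s\n", len(got), got)
	}
}
```

The hash suffix is derived from the full, untruncated name, so the result is stable across runs and across machines, which matters when the same model is rendered both by the direct API target and by the Terraform target.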
Kubernetes Submit Queue 518e97d97b Merge pull request #3510 from justinsb/bazel
Automatic merge from submit-queue.

Initial bazel support

Builds on the 1.8 version bump

The "trick" is to strip the BUILD & BUILD.bazel files from the vendor-ed deps.

Will rebase after 1.8 version bump merges.
2017-10-03 01:19:27 -07:00
Kubernetes Submit Queue 48e61b9523 Merge pull request #3507 from justinsb/gce_rolling_update
Automatic merge from submit-queue.

rolling-update - initial GCE support
2017-10-03 00:05:03 -07:00
Justin Santa Barbara 737f2fcd80 rolling-update - initial GCE support 2017-10-02 23:07:35 -04:00
Justin Santa Barbara 0143be7c4f autogen: BUILD and BUILD.bazel 2017-10-02 14:27:21 -04:00
Justin Santa Barbara 66b174321f Cleanup signature of default volume-size method
Because the default doesn't depend on the user-specified value, it's
misleading to pass it in.
2017-09-30 21:24:51 -04:00
Justin Santa Barbara 7fd1196708 Add Zones field to InstanceGroup
The Zones field can specify zones where they are not specified on a
Subnet, for example on GCE where we have regional subnets.
2017-09-30 19:44:35 -04:00
chrislovecnm c4c63b2b0c using same disk sizes for gce 2017-09-29 16:07:38 -06:00
Justin Santa Barbara ecc78c06bd Create GCE networks in auto mode, not legacy mode
auto mode allows for conversion to custom mode at the API level, and
legacy mode is deprecated.
2017-09-23 16:32:52 -04:00
Justin Santa Barbara 1eb2bed921 GCE: Don't open NodePort range to all by default
We set a redundant SourceTag filter if there are no SourceRanges set.
2017-09-17 15:22:20 -04:00
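Several of the firewall commits above revolve around one GCE behaviour worth stating plainly: an ingress rule with neither sourceRanges nor sourceTags is applied to 0.0.0.0/0. That is why "GCE: Don't open NodePort range to all by default" adds a redundant SourceTag filter when no SourceRanges are given, why "GCE: Always have IPv6 rules in 'ipv6 mode'" insists on explicit SourceRanges, and why "Initial IPv6 support for GCE" splits IPv4 and IPv6 ranges into separate rules, since one rule cannot carry both. The example below is added here and is not kops code: it models a logical ingress rule, splits its sources by address family, and refuses to emit any rule that would end up unbounded. The struct and field names, the "-ipv6" suffix and the sample CIDRs and tags are assumptions for illustration; the port range 30000-32767 is the usual default ServiceNodePortRange.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Allowed mirrors the "allowed" entry of a GCE firewall rule: a protocol and,
// for tcp/udp, optional port ranges such as "30000-32767".
type Allowed struct {
	Protocol string
	Ports    []string
}

// FirewallRule is a deliberately small model of a GCE ingress rule, keeping
// only the fields that decide who may reach what.
type FirewallRule struct {
	Name         string
	Network      string
	SourceRanges []string // CIDRs; all IPv4 or all IPv6, never mixed
	SourceTags   []string // instance network tags; OR-ed with SourceRanges by GCE
	TargetTags   []string
	Allowed      []Allowed
}

// RuleSpec is one logical ingress rule as the cluster model expresses it;
// it may have to become two GCE rules.
type RuleSpec struct {
	Name        string
	Network     string
	SourceCIDRs []string
	SourceTags  []string
	TargetTags  []string
	Allowed     []Allowed
}

// ErrUnboundedSource reports a rule with neither SourceRanges nor SourceTags.
// GCE treats such a rule as sourceRanges=["0.0.0.0/0"], so the model fails
// instead of emitting it.
var ErrUnboundedSource = errors.New("ingress rule has no SourceRanges and no SourceTags; GCE would apply it to 0.0.0.0/0")

// BuildIngressRules splits spec.SourceCIDRs by address family and emits one
// GCE rule per family, the IPv6 one under a "-ipv6" suffix (assumed naming).
// A spec with no CIDRs yields a single rule bounded by SourceTags alone; a
// spec with neither CIDRs nor tags is rejected rather than emitted wide open.
func BuildIngressRules(spec RuleSpec) ([]FirewallRule, error) {
	var v4, v6 []string
	for _, c := range spec.SourceCIDRs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("source %q: %w", c, err)
		}
		if p.Addr().Is4() {
			v4 = append(v4, p.Masked().String())
		} else {
			v6 = append(v6, p.Masked().String())
		}
	}

	base := FirewallRule{Network: spec.Network, TargetTags: spec.TargetTags, Allowed: spec.Allowed}
	var rules []FirewallRule

	// The IPv4 rule is also the one that carries tag-based sources, so it is
	// emitted whenever there are IPv4 ranges or no ranges at all.
	if len(v4) > 0 || len(v6) == 0 {
		r := base
		r.Name = spec.Name
		r.SourceRanges = v4
		r.SourceTags = spec.SourceTags
		rules = append(rules, r)
	}
	// The IPv6 rule is bounded by CIDR only, so it never relies on tag matching.
	if len(v6) > 0 {
		r := base
		r.Name = spec.Name + "-ipv6"
		r.SourceRanges = v6
		rules = append(rules, r)
	}

	for _, r := range rules {
		if len(r.SourceRanges) == 0 && len(r.SourceTags) == 0 {
			return nil, fmt.Errorf("rule %q: %w", r.Name, ErrUnboundedSource)
		}
	}
	return rules, nil
}

func main() {
	// Constructed example: NodePort access from one IPv4 and one IPv6 range.
	rules, err := BuildIngressRules(RuleSpec{
		Name:        "nodeport-external",
		Network:     "my-cluster-network",
		SourceCIDRs: []string{"203.0.113.0/24", "2001:db8::/32"},
		TargetTags:  []string{"my-cluster-k8s-io-role-node"},
		Allowed: []Allowed{
			{Protocol: "tcp", Ports: []string{"30000-32767"}},
			{Protocol: "udp", Ports: []string{"30000-32767"}},
		},
	})
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("%s sources=%v tags=%v allowed=%+v\n", r.Name, r.SourceRanges, r.SourceTags, r.Allowed)
	}
}
```

The check at the end is the one that matters operationally: it turns the silent 0.0.0.0/0 default into a hard failure at model time, which is the same failure mode the NodePort commit above avoids by always supplying a SourceTag.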
Justin Santa Barbara b29f3a7505 Honor ServiceNodePortRange when opening NodePort access 2017-09-15 00:39:41 -04:00
Justin Santa Barbara 9d31ed1b08 nodePortAccess, experimental spec override flag
This will allow us to set CIDRs for nodeport access, which in turn will
allow e2e tests that require nodeport access to pass.

Then add a feature-flagged flag to `kops create cluster` to allow
arbitrary setting of spec values; currently the only value supported is
cluster.spec.nodePortAccess
2017-09-04 14:27:31 -04:00
Kashif Saadat e0461b92a9 Add ability to store partial cluster and instancegroup spec in userdata,
so component config changes are detected and cause nodes to be updated
2017-08-09 14:15:02 +01:00
Derek VerLee ffa95b8112 Add support for cluster using http forward proxy 2017-08-07 14:30:42 -04:00
Justin Santa Barbara 3dfe48e5ae Wiring up lifecycle 2017-07-15 22:03:54 -04:00
Justin Santa Barbara be9a40e42c Fixes per code review 2017-03-28 00:58:13 -04:00
Justin Santa Barbara c9ac0cdbd8 Support GCE ForwardingRule (LoadBalancer) for API
Also lots of GCE cleanup
2017-03-28 00:00:20 -04:00
Justin Santa Barbara cb4641fea3 Code updates 2017-03-16 02:40:50 -04:00
Justin Santa Barbara 3d14d07616 Support cloud-config on GCE 2017-02-28 20:08:03 -05:00
Justin Santa Barbara 645f330dad Re-enable GCE support
We move everything to the models.  We feature-flag it, because we
probably want to change the names etc, and we aren't going to be able to
offer smooth upgrades until that is done.
2017-02-28 20:08:03 -05:00