kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
13,777 Commits 31 Branches 256 Tags 544 MiB
Commit Graph

50 Commits

Author SHA1 Message Date
Ciprian Hacman bd7176f45f Replace convenience functions with fi.* alternatives 2021-04-30 11:26:48 +03:00
John Gardiner Myers 428041bc0f Add cluster-level warmPool settings 2021-04-25 20:22:04 -07:00
John Gardiner Myers 5ad32230bb Fix typo 2021-04-25 13:42:12 -07:00
John Gardiner Myers 044b5f6d0d Allow disabling warm pool by setting WarmPool.MaxSize to 0 2021-04-24 16:35:46 -07:00
Ole Markus With 1ec0bd18e8 Enable support for the ASG WarmPool lifecycle hook 
Update pkg/model/iam/iam_builder.go

Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
 2021-04-24 09:40:52 +02:00
guydog28 bd80c3f2b4 replace hard coded aws region checks with aws sdk calls 2021-03-24 15:31:05 +00:00
Ole Markus With 20bd724f5e Add support for scaling out the control plane with dedicated apiserver nodes 
Ensure apiserver role can only be used on AWS (because of firewalling)

Apply api-server label to CP as well

Consolidate node not ready validation message

Guard apiserver nodes with a feature flag

Rename Apiserver role to APIServer

Add an integration test for apiserver nodes

Rename Apiserver role to APIServer

Enumerate all roles in rolling update docs

Apply suggestions from code review

Co-authored-by: Steven E. Harris <seh@panix.com>
 2021-03-20 20:57:00 +01:00
Peter Rifel 7c900b7fae Generate and upload keys.json + discovery.json to public store 
Generate and upload keys.json + discovery.json to public store

Don't enable anonymous auth on publicjwks

Remove tests that won't work using FS VFS anymore
 2021-03-19 20:03:26 +01:00
Ciprian Hacman 925350f836 Sort external policies when checking for changes 2021-02-27 11:36:07 +02:00
Peter Rifel d52fd9f76c
Add tagging support to AWS Instance Profiles and OIDC Providers 2021-02-15 16:48:43 -06:00
Peter Rifel 4ee5d7a543
Add tagging support for AWS IAM Roles 2020-12-23 15:11:07 -06:00
Justin SB 1945a656a0 Remove deprecated ResourceHolder 
Cleaning up what is now dead code.
 2020-12-19 23:15:37 -05:00
John Gardiner Myers 4f5def8610 Address review comment 2020-12-03 23:24:43 -08:00
Kubernetes Prow Robot 50e61d6bc9
Merge pull request #9924 from hakman/additional-policies-shared-roles 
Only add additional policies to kops managed IAMRoles
 2020-09-15 20:03:19 -07:00
Kubernetes Prow Robot a93febf5a6
Merge pull request #9911 from hakman/fix-gossip 
Allow the BootstrapClient task to run after Protokube
 2020-09-13 21:10:57 -07:00
Ciprian Hacman 07be801a12 Only add additional policies to kops managed IAMRoles 2020-09-12 08:36:24 +03:00
Ciprian Hacman c1e0991153 Skip the iamPolicy.DNSZone task when using gossip 2020-09-10 22:55:36 +03:00
Evgeny Zislis 608a561f8c
only apply external policy tasks on non-shared iam 2020-09-10 12:58:54 +03:00
Justin SB 6fa8be2716 JSON formatting of IAM: Workaround for optional fields 
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
 2020-09-09 09:57:07 -04:00
Justin Santa Barbara d8895c57ec Add version logic to UseServiceAccountIAM 
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-09-09 09:57:07 -04:00
Justin SB a61ecf4c58 Refactor to use interface for iam Subjects 
Hat-tip to johngmyers for the idea!
 2020-09-09 09:57:07 -04:00
Justin SB f05980f6ba IAM Policy: rely on stub resolution/unification 
This avoids the hacky search through the list of tasks.
 2020-09-09 09:57:06 -04:00
Justin SB 8498ac9dbb Create PublicJWKS feature flag 
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens.  But it shouldn't need a second bucket or anything of that
nature.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-09-09 09:57:06 -04:00
Kubernetes Prow Robot 8a81d94c7b
Merge pull request #9773 from victorfrancax1/7286 
Adding support for permission boundaries for AWS IAM Roles
 2020-08-19 06:51:11 -07:00
Victor Ferreira 3aaa9a7c0f feat(aws): adding support to permission boundaries for IAM Roles 2020-08-19 01:16:13 -03:00
Peter Rifel 4d9f0128a3
Upgrade to klog2 
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
 2020-08-16 20:56:48 -05:00
Matt Ouille f025ff0e70
Add External Policies (AWS managed policy attachments) 2020-02-16 21:54:12 -08:00
tanjunchen 8acb51e061 pkg/apis/ pkg/commands/ pkg/model/ staticcheck 2019-12-30 21:13:40 +08:00
mikesplain 9e55b8230a Update copyright notices 
Also cleans some white spaces
 2019-09-09 14:47:51 -04:00
Justin SB 3e33ac7682
Change code from glog to klog 
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog.  That
will happen when we update to k8s 1.13.
 2019-05-06 12:54:51 -04:00
Lars Lehtonen 677f19f32d pkg/model: Fix dropped error 2019-04-11 19:35:36 -07:00
Justin Santa Barbara 8f15a58e8c Validate IAM additionalPolicies 
We now validate them with the cluster, so we should give early and
clear feedback if the IAM policy is not valid.
 2018-07-27 15:22:24 -04:00
k8s-ci-robot d7486e490f
Merge pull request #5533 from justinsb/hotfix_5522 
Check errors when parsing JSON on IAM policies
 2018-07-27 12:20:56 -07:00
Justin Santa Barbara f3fb513852 Remove unnecessary reflect.ValueOf 
We can replace with a simpler string cast
 2018-07-27 00:58:14 -04:00
Justin Santa Barbara 3ddf598448 Check errors when parsing JSON on IAM policies 
We weren't checking the error code, and this led to #5522
 2018-07-27 00:54:57 -04:00
Peter Rifel 5f0b63100d Add support for using existing instance profiles 2018-06-08 10:33:09 -07:00
Rohith c8e4a1caf8 Kubernetes Calico TLS 
The current implementation when Etcd TLS was added does not support using calico as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate
 2018-02-14 23:41:45 +00:00
Albert c52472cfa8 Add support for cn-northwest-1. 2017-12-27 15:37:09 +08:00
chrislovecnm 2e6b7eedb9 Revision to IAM Policies created by Kops, and wrapped in Cluster Spec 
IAM Legacy flag.
 2017-09-15 08:05:23 +01:00
Justin Santa Barbara 3dfe48e5ae Wiring up lifecycle 2017-07-15 22:03:54 -04:00
Justin Santa Barbara bde69b5b3e Rename RoleType to ExportWithID in IAMRole 
Tweaks for #2508
 2017-05-16 10:21:11 -04:00
Pierre-Alexandre St-Jean 347dccfa25 Added instance role as terraform output 
Added:
- Instance role name
- Instance role arn

as terraform outputs, this can then be references later on to
use as sts:assume role, create after this one
 2017-05-05 16:21:43 -04:00
Justin Santa Barbara 864a999602 Fix automatic private DNS zone creation 
We have to defer creation of the IAM policy until we have created the
hosted zone.

Fix #2444
 2017-04-29 17:01:18 -04:00
Jakub Paweł Głazik cd795d0c8c Resolve DNS Hosted Zone ID while building IAM policy 
Fixes #1949
 2017-02-23 11:45:58 +01:00
Justin Santa Barbara 2bfed0d2b1 Remove additional IAM policies that have been removed 
This uses an explicit deletion approach, where we set the policy to
empty, and use that to signal that the policy should be deleted.  This
is acceptable because IAM policies can't be empty anyway.

We probably should use a tag-based "garbage-collection" approach, but
IAM objects can't be tagged, so we're pretty much always going to be
doing something name based.

Fix #1642
 2017-01-31 10:46:45 -05:00
Justin Santa Barbara 4c92aa558f Attach additional IAM policies to same role 2017-01-30 09:52:48 -05:00
Yissachar Radcliffe 1981f42e69 Format 2017-01-11 11:05:36 -05:00
Yissachar Radcliffe 773335e342 Create separate IAM policies instead of editing existing one 2017-01-11 11:05:36 -05:00
Justin Santa Barbara 50296f1a30 Fix file headers 2016-12-19 00:23:20 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2 
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
 2016-12-18 21:56:57 -05:00