This lets us configure cross-project permissions while ourselves needing
minimal permissions, but also gives us a nice hook for future lockdown
of object-level permissions.
Automatic merge from submit-queue.
Add Cloud Controller Manager addon
This adds the CCM addon for the Kubernetes cluster.
This is a follow-up PR to https://github.com/kubernetes/kops/pull/3408.
cc @chrislovecnm @andrewsykim
Automatic merge from submit-queue.
Add Calico v2.5 support for Kubernetes v1.8+
Added support for Canal (Calico) v2.5.1, which is required to work with Kubernetes v1.8.0+.
Older versions of Calico relied on the ThirdPartyResources API to store its config data, however this is now fully deprecated in Kubernetes v1.8 and has moved over to CustomResourceDefinitions (CRD). Calico v2.5+ has been updated to use CRD, however there is a manual upgrade process involved to migrate the configuration data across: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md
including a Weave Net template for Kubernetes 1.7 and above which adds
a volume-mount for the iptables lock file, which avoids collisions
between Weave components and kube-proxy that would result in a
half-configured Weave network.
This is only for version 1.7 and above because it requires the change
in https://github.com/kubernetes/kubernetes/issues/47212
Automatic merge from submit-queue.
Use system:kube-router User for clusterrole binding
Kube-router, as it provides the service proxy as well, has a chicken-and-egg problem (it cannot
access the API server until it can set up the service proxy), so service accounts are not usable. The certificate generated for kube-router has CN `system:kube-router`, so user `system:kube-router` needs to be given the necessary RBAC permissions.
Fixes #3463
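The binding described above, as an added illustration rather than the manifest shipped by kops: the identity that RBAC sees is the certificate's CN, so the subject is a `User` named `system:kube-router`, not a ServiceAccount. The ClusterRole name and its rule set are assumptions for this example (read-only access to the objects a CNI/service-proxy component typically watches); the actual rules are whatever the kops kube-router manifest grants.

```yaml
# Added example, not the kops kube-router manifest.
# ClusterRole: illustrative read-only rules (assumed, not taken from the PR).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-router  # name is an assumption
rules:
- apiGroups: [""]
  resources: ["nodes", "pods", "services", "endpoints", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: the subject is the certificate identity (CN), a User,
# because a ServiceAccount token cannot be fetched before the proxy is up.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-router  # name is an assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-router   # must equal the CN in the kube-router certificate
```

Keeping the role separate from the binding makes it easy to audit what the `system:kube-router` identity can do with `kubectl describe clusterrole` without touching the binding itself.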
Automatic merge from submit-queue.
Initial bazel support
Builds on the 1.8 version bump
The "trick" is to strip the BUILD & BUILD.bazel files from the vendored deps.
Will rebase after 1.8 version bump merges.
Automatic merge from submit-queue.
Add external-dns as addon.
This supersedes route53mapper as it has multicloud support. Documentation and YAML taken from https://github.com/kubernetes-incubator/external-dns
Automatic merge from submit-queue.
Support for using hostPort when using calico
For enabling hostPort we need to turn on portmap cni plugin.
In this PR I updated calico and calico-cni images to latest version which already includes the portmap binary, and then I only needed to modify the cni config file to enable it and change its extension from .conf to .conflist.
This is related to:
https://github.com/kubernetes/kops/issues/3132
I think we should do the same for kube-router, flannel and weave (are there any other CNI plugins supported by kops?)
Automatic merge from submit-queue
Allow user defined endpoint to host action for Canal
Adds ability to define `Networking.Canal.DefaultEndpointToHostAction` in the Cluster Spec. This allows you to customise the behaviour of traffic routing from a pod to the host (after calico iptables chains have been processed). `ACCEPT` is the default value and is left as-is.
`If you want to allow some or all traffic from endpoint to host, set this parameter to “RETURN” or “ACCEPT”. Use “RETURN” if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain once it has completed processing workload endpoint egress policy.`
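A cluster spec fragment showing the setting in use, added here as an illustration (not taken from the PR): the lowerCamel YAML key is the assumed serialisation of the `Networking.Canal.DefaultEndpointToHostAction` field named above, and the cluster name is a placeholder. `RETURN` is chosen because the operator has their own `INPUT` chain rules, per the quoted Calico guidance; with the default `ACCEPT` nothing needs to be set.

```yaml
# Added example of a kops Cluster spec fragment; key name and cluster name are assumptions.
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: example.k8s.local   # placeholder
spec:
  networking:
    canal:
      # Controls what Calico does with pod-to-host traffic after its own
      # workload-endpoint egress policy has been evaluated.
      # ACCEPT (default): allow it; RETURN: hand the packet back to the
      # host's own INPUT chain rules; DROP would be the restrictive choice.
      defaultEndpointToHostAction: RETURN
```

When picking `RETURN`, the host's `INPUT` chain becomes the effective policy for pod-to-host traffic, so it is worth confirming those rules actually exist on every node before rolling the change out.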
Kube-router was using the --cluster-cidr flag to get the subnet allocated
for pod CIDRs. But now kube-router has the ability internally to infer
the CIDR allocated for the pods by getting the information from the
Kubernetes API server node spec.
Currently, we are using .NonMasqueradeCIDR in the wrong fashion. We
should be using .KubeControllerManager.ClusterCIDR to prevent IP
collision with Service IPs.
fixes #2606
Most of the changes are similar to the currently supported CNI networking
providers. Kube-router also supports an IPVS-based service proxy which can
be used as a replacement for kube-proxy. So the manifest for kube-router
included with this patch enables kube-router to provide pod-to-pod
networking, IPVS-based service proxy and ingress pod firewall.
This gives the ability to a user to enable cross-subnet mode in Calico.
Also introduces a new addon that, full disclosure, I wrote.
[ottoyiu/k8s-ec2-srcdst](https://github.com/ottoyiu/k8s-ec2-srcdst)
When the system is low on resources, it is possible that calico-node will be
evicted by Kubernetes. That's what happened today in our cluster,
bringing down all containers.
Otherwise the kops 1.5 -> kops 1.6 upgrade was failing with:
The DaemonSet "weave-net" is invalid: spec.template.metadata.labels:
Invalid value: {"name":"weave-net"}: `selector` does not match template
`labels`
Fix #2345
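The shape of the corrected DaemonSet, added as an illustration rather than the kops Weave manifest itself: the validation error above is raised whenever `spec.selector.matchLabels` and `spec.template.metadata.labels` disagree, so the fix is to make them identical. The container image tag and the selector key are assumptions for the example; the label value `weave-net` is the one shown in the error.

```yaml
# Added example; not the actual kops weave-net addon manifest.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: weave-net
  namespace: kube-system
spec:
  # The selector and the pod template labels must match exactly, otherwise
  # the API server rejects the object with "`selector` does not match template `labels`".
  selector:
    matchLabels:
      name: weave-net
  template:
    metadata:
      labels:
        name: weave-net   # identical to selector.matchLabels
    spec:
      hostNetwork: true
      containers:
      - name: weave
        image: weaveworks/weave-kube:VERSION   # placeholder tag
```

Checking the two label sets side by side (for example with `kubectl get ds weave-net -n kube-system -o yaml`) before an upgrade catches this class of failure without having to re-run the whole update.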