Commit Graph

1322 Commits

Author SHA1 Message Date
Justin Santa Barbara be9a40e42c Fixes per code review 2017-03-28 00:58:13 -04:00
Justin Santa Barbara 1e9c2cb2d8 Multiple log-opt, log-driver options for docker
Also only change for 1.6
2017-03-28 00:53:26 -04:00
Justin Santa Barbara e6fb0a3d67 Move kube-scheduler to code & RBAC 2017-03-28 00:26:59 -04:00
Justin Santa Barbara c9ac0cdbd8 Support GCE ForwardingRule (LoadBalancer) for API
Also lots of GCE cleanup
2017-03-28 00:00:20 -04:00
Justin Santa Barbara 7e8ed66620 Merge branch 'master' into tenancy 2017-03-27 21:31:16 -04:00
Justin Santa Barbara ae52277272 Update error message for golang style 2017-03-27 10:23:32 -04:00
Daniel Cohen aa1205036d Specify instance tenancy on AWS
Allow tenancy to default to empty

Don't allow dedicated clusters to launch unsupported instances
2017-03-21 14:13:17 -04:00
Justin Santa Barbara b9204e9911 Initial Container-Optimized OS support
Add initial support for Google's Container-Optimized OS (available on
GCE).
2017-03-20 23:47:37 -04:00
Justin Santa Barbara c4fe3cbfa0 kopeio networking should not set configure-cloud-routes 2017-03-16 21:48:28 -04:00
Justin Santa Barbara cb4641fea3 Code updates 2017-03-16 02:40:50 -04:00
Justin Santa Barbara 18886749d9 Always include hash, per code review
Thanks @kris-nova
2017-03-09 09:35:09 -05:00
Justin Santa Barbara 270312926d Add tests for ELB names: 2017-03-09 09:18:31 -05:00
Justin Santa Barbara 69c38f721e Switch how we build ELB names, but keep a feature flag 2017-03-09 09:18:31 -05:00
Justin Santa Barbara 724bd95e0b Use Name tag to match ELBs
Rather than using the LoadBalancerName to match, we match on the Name
tag.

Related to #2019
2017-03-09 09:18:31 -05:00
Justin Santa Barbara 3d14d07616 Support cloud-config on GCE 2017-02-28 20:08:03 -05:00
Justin Santa Barbara 645f330dad Re-enable GCE support
We move everything to the models.  We feature-flag it, because we
probably want to change the names etc, and we aren't going to be able to
offer smooth upgrades until that is done.
2017-02-28 20:08:03 -05:00
Michael Taufen c24a017ed5 use --kubeconfig on kubelet instead of --api-servers in post 1.6 clusters 2017-02-27 15:49:11 -08:00
Justin Santa Barbara bf2edddb8d Merge pull request #1935 from justinsb/terraform_variable_output
Output variables from terraform, for reuse in a module
2017-02-24 09:06:20 -05:00
Justin Santa Barbara 7ab983a47d Choose only one subnet per AZ for API ELB 2017-02-23 12:22:22 -05:00
Justin Santa Barbara e09037dff0 Merge pull request #1969 from zytek/fix-1949
Resolve DNS Hosted Zone ID while building IAM policy
2017-02-23 10:21:39 -05:00
Justin Santa Barbara 08419fcae8 Merge pull request #1750 from robinpercy/cli-cloud-labels
WIP: Exposing cloud labels as a CLI option
2017-02-23 09:51:08 -05:00
Robin Percy f9b3c5e584 Now applying the tags to IGs at render time.
- Previous method would have caused issues with the way tags are used
  for filtering resources.
- Updated docs and comments to only refer to instance groups, rather
  than all AWS resources
2017-02-23 06:10:15 -08:00
Jakub Paweł Głazik cd795d0c8c Resolve DNS Hosted Zone ID while building IAM policy
Fixes #1949
2017-02-23 11:45:58 +01:00
Eric Hole f146ac309c Merge pull request #1925 from justinsb/fix_1793
Additional ShouldCreate method to prevent spurious changes
2017-02-22 22:17:05 -05:00
Johannes Würbach 01bcf416e2 Allow node -> master on tcp 10255
This port serves the read-only kubelet api and is required by heapster
2017-02-23 00:06:46 +01:00
Justin Santa Barbara 80a732527d Just block specific traffic from node -> master
We _should_ block per port... but:
 * It causes e2e tests to break
 * Users expect to be able to reach pods
 * If we are running an overlay, we allow all ports anyway
2017-02-22 13:21:49 -05:00
Justin Santa Barbara 363cf2a2aa Update cgroup hierarchies for k8s 1.6
We're going with a much cleaner cgroup hierarchy for k8s 1.6
2017-02-20 23:30:33 -05:00
Justin Santa Barbara 24f77f9c63 Merge pull request #1871 from zytek/iam-route53-scoping
IAM: scope route53 permissions to DNS_ZONE only
2017-02-17 13:42:45 -05:00
Justin Santa Barbara 45cfd8a455 Merge pull request #1886 from zacblazic/optional-apiserver-elb-timeout
Add support for adjusting ELB idle timeout for apiserver
2017-02-17 11:25:20 -05:00
Justin Santa Barbara 2a34e6d00e Output variables from terraform, for reuse in a module
Issue #1026
2017-02-17 11:05:06 -05:00
Jakub Paweł Głazik a3019905a1 Merge remote-tracking branch 'origin/master' into iam-route53-scoping 2017-02-17 10:52:04 +01:00
Eric Hole 0ce094a956 Merge pull request #1911 from justinsb/more_options_to_code
Move more options to code
2017-02-16 23:09:35 -05:00
Justin Santa Barbara dc9a343434 Support string-or-slice in IAM policies
Fix #1920
2017-02-16 22:24:28 -05:00
Justin Santa Barbara 5bba483a61 Additional ShouldCreate method to prevent spurious changes
Fix #1793
2017-02-16 01:53:32 -05:00
Jakub Paweł Głazik f50f010d2f Scope route53 permissions to DNS_ZONE only 2017-02-15 22:34:04 +01:00
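Two of the IAM commits above describe, respectively, a parsing detail (dc9a343434, "Support string-or-slice in IAM policies": `Action` and `Resource` may be a single JSON string or an array) and a least-privilege change (f50f010d2f, "Scope route53 permissions to DNS_ZONE only"). The Go program below is an added example written for this page, not kops code. It assumes a minimal Policy/Statement model, two constructed policy documents, a placeholder hosted zone ID (Z0000000EXAMPLE), and a checker, Route53ScopeViolations, that flags zone-scoped Route 53 actions granted on a wildcard resource; the set of actions it treats as zone-scoped is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringOrSlice unmarshals an IAM policy field that may be written either as
// a single JSON string ("route53:GetHostedZone") or as an array of strings.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringOrSlice{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("IAM field must be a string or an array of strings: %w", err)
	}
	*s = StringOrSlice(many)
	return nil
}

// Statement and Policy model only the parts of the IAM grammar used here
// (an assumption of this example, not the kops model).
type Statement struct {
	Effect   string        `json:"Effect"`
	Action   StringOrSlice `json:"Action"`
	Resource StringOrSlice `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

func ParsePolicy(text string) (Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(text), &p); err != nil {
		return Policy{}, err
	}
	return p, nil
}

// zoneScopedActions are Route 53 actions that accept a hosted-zone ARN as the
// Resource, so granting them on "*" is broader than needed. ListHostedZones is
// deliberately absent: it has no resource-level permission and needs "*".
var zoneScopedActions = map[string]bool{
	"route53:ChangeResourceRecordSets": true,
	"route53:ListResourceRecordSets":   true,
	"route53:GetHostedZone":            true,
}

// Route53ScopeViolations lists every Allow statement that grants a zone-scoped
// Route 53 action (or route53:*) on a wildcard instead of a specific
// arn:aws:route53:::hostedzone/<ID>.
func Route53ScopeViolations(p Policy) []string {
	var out []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			if !zoneScopedActions[a] && a != "route53:*" {
				continue
			}
			for _, r := range st.Resource {
				if r == "*" || strings.HasSuffix(r, "/*") {
					out = append(out, fmt.Sprintf("statement %d grants %s on %q", i, a, r))
				}
			}
		}
	}
	return out
}

// Constructed sample documents: the first grants record changes on any zone,
// the second pins them to one (placeholder) hosted zone ID.
const WeakPolicyJSON = `{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Action":"route53:ListHostedZones","Resource":"*"},
  {"Effect":"Allow","Action":["route53:ChangeResourceRecordSets","route53:ListResourceRecordSets","route53:GetHostedZone"],"Resource":"*"}]}`

const ScopedPolicyJSON = `{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Action":"route53:ListHostedZones","Resource":"*"},
  {"Effect":"Allow","Action":["route53:ChangeResourceRecordSets","route53:ListResourceRecordSets","route53:GetHostedZone"],"Resource":["arn:aws:route53:::hostedzone/Z0000000EXAMPLE"]}]}`

func main() {
	for _, c := range []struct{ name, doc string }{{"weak", WeakPolicyJSON}, {"scoped", ScopedPolicyJSON}} {
		p, err := ParsePolicy(c.doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", c.name, Route53ScopeViolations(p))
	}
}
```

The custom UnmarshalJSON is what lets one struct accept both spellings AWS emits; the checker is the review step a practitioner runs before attaching a generated policy, and it intentionally keeps `route53:ListHostedZones` on `"*"` because that action cannot be scoped.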
Justin Santa Barbara 55b6d86454 Move more options to code
User reports of kubelet flags not being passed; moved more to code.

Also found & fixed the likely root-cause issue: we have two copies of
the cluster spec and were not being precise about which one we wanted to
use at all times.
2017-02-15 13:11:12 -05:00
Zac Blazic 60043c3457 Add idle timeout to api load balancer
Defaults to 5 minutes, but can be adjusted by editing the
cluster spec and performing a cluster update.
2017-02-14 21:34:57 +02:00
Justin Santa Barbara 1c7818833a Merge pull request #1813 from aledbf/coreos
Initial (experimental) CoreOS support
2017-02-14 11:08:40 -05:00
Manuel de Brito Fontes 1619766862 Address comments 2017-02-13 11:21:30 -03:00
Matthew Mihok bc235765d1 Adding basic flannel support 2017-02-11 16:26:18 -05:00
Manuel de Brito Fontes da2630638b Fix build 2017-02-11 13:57:30 -03:00
Justin Santa Barbara 1bacf8271e Initial (experimental) CoreOS support
* Detect CoreOS
* Move key manifests to code, to tolerate read-only mounts
* Misc refactorings so more code can be shared
* Change lots of ints to int32s in the models
* Run nodeup as a oneshot systemd service, rather than relying on
cloud-init behaviour which varies across distros
2017-02-11 13:57:30 -03:00
Stephen Schlie 991fc5bc7c Integrating Canal (Flannel + Calico) for CNI (#1459)
* Integrating Canal (Flannel + Calico) for CNI

Initial steps to integrate Canal as a CNI provider for kops

Removed CNI in help as per chrislovecnm

* Integration tests, getting closer to working

- Added some integration tests for Canal
- Finding more places Canal needed to be added
- Sneaking in update to Calico Policy Controller

* Add updated conversion file

* turned back on canal integration tests

* fixed some rebase issues

* Fixed tests and flannel version

* Fixed canal yaml, and some rebasing errors

- Added some env vars to the install-cni container to get the proper
  node name handed off

* Added resource limits

- set resource limits on containers for Canal
- Ran through basic calico tutorials to verify functionality

* Updating Calico parts to Calico 2.0.2
2017-02-11 11:03:23 -05:00
Justin Santa Barbara 1172fb2b95 Add Eviction flags
Otherwise we were not evicting based on low inodes

Also add the notion of a flag-default, so we can pass fewer spurious
flags, and get closer to the component model
2017-01-31 23:12:35 -05:00
Justin Santa Barbara 2bfed0d2b1 Remove additional IAM policies that have been removed
This uses an explicit deletion approach, where we set the policy to
empty, and use that to signal that the policy should be deleted.  This
is acceptable because IAM policies can't be empty anyway.

We probably should use a tag-based "garbage-collection" approach, but
IAM objects can't be tagged, so we're pretty much always going to be
doing something name based.

Fix #1642
2017-01-31 10:46:45 -05:00
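The explicit-deletion approach in commit 2bfed0d2b1 above, as an added example written for this page (illustrative Go, not kops code): a plan/apply pass over one role's inline policies in which an empty desired document is the delete marker, while a policy that the spec never mentions is left untouched. The policy names and documents are constructed, and Apply is an in-memory stand-in for the IAM PutRolePolicy/DeleteRolePolicy calls.

```go
package main

import (
	"fmt"
	"sort"
)

type Kind string

const (
	Create Kind = "create"
	Update Kind = "update"
	Delete Kind = "delete"
)

// Action is one change to apply to a role's inline policies.
type Action struct {
	Kind Kind
	Name string
}

// Plan diffs the desired inline policies of a role against the ones that exist.
// An empty desired document is the explicit delete marker: IAM refuses an empty
// policy document, so "" can never be confused with a policy someone wants.
// Names present in actual but absent from desired are NOT touched: without the
// marker there is no signal that the spec ever owned them.
func Plan(desired, actual map[string]string) []Action {
	var acts []Action
	for name, want := range desired {
		have, exists := actual[name]
		switch {
		case want == "" && exists:
			acts = append(acts, Action{Delete, name})
		case want == "":
			// marker for something that is already gone: nothing to do
		case !exists:
			acts = append(acts, Action{Create, name})
		case have != want:
			acts = append(acts, Action{Update, name})
		}
	}
	sort.Slice(acts, func(i, j int) bool { return acts[i].Name < acts[j].Name })
	return acts
}

// Apply replays a plan against a copy of the actual state (in-memory stand-in
// for PutRolePolicy/DeleteRolePolicy) and returns the resulting policies.
func Apply(actual map[string]string, acts []Action, desired map[string]string) map[string]string {
	after := make(map[string]string, len(actual))
	for k, v := range actual {
		after[k] = v
	}
	for _, a := range acts {
		switch a.Kind {
		case Delete:
			delete(after, a.Name)
		case Create, Update:
			after[a.Name] = desired[a.Name]
		}
	}
	return after
}

// Constructed sample state for one role; names and documents are illustrative.
var SampleActual = map[string]string{
	"nodes-base":         `{"Statement":[{"Effect":"Allow","Action":"ec2:Describe*","Resource":"*"}]}`,
	"nodes-additional-0": `{"Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"*"}]}`,
	"nodes-additional-1": `{"Statement":[{"Effect":"Allow","Action":"sqs:ReceiveMessage","Resource":"*"}]}`,
	"orphan":             `{"Statement":[{"Effect":"Allow","Action":"sns:Publish","Resource":"*"}]}`,
}

var SampleDesired = map[string]string{
	"nodes-base":         SampleActual["nodes-base"], // unchanged
	"nodes-additional-0": "",                         // removed from the spec: explicit delete
	"nodes-additional-1": `{"Statement":[{"Effect":"Allow","Action":"sqs:ReceiveMessage","Resource":"arn:aws:sqs:*:*:jobs"}]}`, // tightened
	"nodes-additional-2": `{"Statement":[{"Effect":"Allow","Action":"kms:Decrypt","Resource":"*"}]}`,                           // new
	"never-existed":      "",                         // marker for a policy that was never created
}

func main() {
	acts := Plan(SampleDesired, SampleActual)
	for _, a := range acts {
		fmt.Printf("%-6s %s\n", a.Kind, a.Name)
	}
	fmt.Println("remaining policies:", len(Apply(SampleActual, acts, SampleDesired)))
}
```

The "orphan" entry shows the limitation the commit message acknowledges: a name-based scheme can only remove what it is told about, so the spec has to carry the empty marker for any policy it used to own.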
Justin Santa Barbara baa5e7a6de Merge pull request #1707 from justinsb/iam_attach
Attach additional IAM policies to same role
2017-01-31 10:43:28 -05:00
Justin Santa Barbara 37bfe29406 Merge pull request #1444 from tsupertramp/allow-adding-existing-security-groups
Allow adding existing security groups
2017-01-31 00:27:40 -05:00
Justin Santa Barbara 1924f9af25 Merge pull request #1620 from ese/autoscaler
Provide iam policy for autoscaler addon
2017-01-30 22:01:05 -05:00
Thomas Peitz 640d28dce4 Rename json:additionalSecurityGroupIDs to additionalSecurityGroups 2017-01-30 18:58:49 +01:00
Thomas Peitz 96f71b8fab Allow additional NodeSecurityGroupIDs, MasterSecurityGroupIDs 2017-01-30 18:58:48 +01:00
Justin Santa Barbara 4c92aa558f Attach additional IAM policies to same role 2017-01-30 09:52:48 -05:00
Chris Love d77796ee28 Merge pull request #1673 from justinsb/issue_786
Relax DNS requirements on shared VPCs
2017-01-29 01:36:24 -07:00
Justin Santa Barbara 7b694d4b04 Fixes per code review 2017-01-29 02:55:31 -05:00
Justin Santa Barbara ba5434caf0 Relax DNS requirements on shared VPCs
Don't require EnableDNSHostnames on a shared VPC in >= 1.5.0

Create a feature flag for tolerating EnableDNSSupport=false.

Issue #786
2017-01-29 00:09:09 -05:00
Chris Love 887b418abc Merge pull request #1624 from justinsb/clarify_ignore_associate
Clarify ignoring AssociatePublicIP message
2017-01-28 21:57:25 -07:00
Justin Santa Barbara 4407e91625 Allow clearing of maxPrice
Issue #1562
2017-01-28 20:10:54 -05:00
Justin Santa Barbara 2ae3e38f95 Clarify ignoring AssociatePublicIP message 2017-01-25 11:45:58 -05:00
Sergio Ballesteros 9e9c0c105b Add autoscaling policy to master role 2017-01-25 17:18:10 +01:00
Chris Love 849815b638 Merge pull request #1601 from justinsb/validate_subnet_no_mixing
validation: Validate we specify ids for all subnets
2017-01-24 23:01:41 -07:00
Justin Santa Barbara f0c2e8206b Merge pull request #1603 from justinsb/dont_createroutetable_when_all_shared
Don't create route table at all if all subnets are shared
2017-01-24 22:39:27 -05:00
Justin Santa Barbara 9e015285f8 validation: Validate we specify ids for all subnets
Move our validation to the apimachinery style.  And then add a
validation that we specify IDs either for all subnets or no subnets.
2017-01-24 12:38:52 -05:00
Justin Santa Barbara 3185d115cb Don't create route table at all if all subnets are shared
We don't link it up anyway, so we shouldn't try to create it
2017-01-24 11:13:05 -05:00
chrislovecnm 2144f43981 updated per review, improving testing 2017-01-23 11:48:42 -07:00
chrislovecnm e7cd49814a Fixing bug and adding more tests 2017-01-23 11:01:31 -07:00
Justin Santa Barbara d4122c03c7 Use instance group subnets instead of topology type
It looks like we can infer this from the instance group types, keeping
topology as an argument to `kops create cluster`.
2017-01-20 23:16:48 -05:00
Kris Nova ef5e2fdae8 Merge pull request #1561 from justinsb/resolve_by_ip_first
Resolve nodes by IP before trying by name
2017-01-20 20:04:41 -07:00
Justin Santa Barbara 686e4efa3b Egress follow up
* Round trip to v1alpha1
* Enable test
2017-01-20 00:40:41 -05:00
Justin Santa Barbara 35f878c620 Resolve nodes by IP before trying by name
Fix #1556
2017-01-20 00:00:26 -05:00
Justin Santa Barbara a60e10eacd Merge pull request #1366 from reactiveops/kris-and-eric-1282
Specify Existing NAT Gateways to Use in Cluster Creation
2017-01-19 21:06:12 -05:00
Eric Hole 1e3d94392c Major redo/squash of the work to get egress added to the API and hooked up.
One commit from the always incredible @kris-nova was incorporated here; it was to
check for tags in `kutil/delete_cluster.go`. She was a major driver and instrumental in getting
this to where we are now!
2017-01-19 16:57:42 -05:00
Justin Santa Barbara 165ead4fac Merge pull request #1170 from yissacharcw/extensible-iam-roles
Add support for extensible IAM permissions
2017-01-19 12:45:55 -05:00
chrislovecnm 2f86c3ae34 Tweaking function comments 2017-01-18 14:17:34 -08:00
chrislovecnm 48a4cd1b91 pr review updates 2017-01-18 12:58:30 -08:00
chrislovecnm 3cabfb25d0 Updates to add new flag used by Kubernetes Controller manager: attach-detach-reconcile-sync-period 2017-01-18 12:29:29 -08:00
Kris Nova d41c655d9f Adding notes from call 2017-01-17 09:35:38 -07:00
Kris Nova 2d76602a3b Merge branch 'kris-and-eric-1282' of github.com:reactiveops/kops into eric-kris 2017-01-17 08:28:27 -07:00
Justin Santa Barbara 09cb9b654c Change int to int32 in API
We shouldn't be using the variable-sized int in the API
2017-01-15 18:23:44 -05:00
Yissachar Radcliffe 1981f42e69 Format 2017-01-11 11:05:36 -05:00
Yissachar Radcliffe 773335e342 Create separate IAM policies instead of editing existing one 2017-01-11 11:05:36 -05:00
Yissachar Radcliffe 13ac2d49d3 Add support for extensible IAM permissions 2017-01-11 11:02:44 -05:00
Eric Hole a03ba42b56 Merge branch 'master' into kris-and-eric-1282 2017-01-09 22:01:59 -05:00
Justin Santa Barbara 6393290f47 Merge pull request #1313 from justinsb/security_to_master
Lock down master security group rules
2017-01-09 12:23:17 -05:00
Justin Santa Barbara 7140117780 Separate protocol rule naming from AWS rules 2017-01-09 11:35:18 -05:00
Justin Santa Barbara 71c52db994 Open etcd for calico 2017-01-09 10:52:33 -05:00
Justin Santa Barbara a52f1e7342 Security rules for calico & weave 2017-01-09 10:52:33 -05:00
Justin Santa Barbara ec1e99f1d2 Lock down master security group rules 2017-01-09 10:52:33 -05:00
Justin Santa Barbara 271367ba0f Don't add DNSZone task twice 2017-01-09 09:32:52 -05:00
Justin Santa Barbara 61011650dd Support private hosted zones in DNS 2017-01-09 09:32:52 -05:00
Kris Nova 09f77d6753 Fixing hosted zone errors with bastion, and cleaning up dns model logic 2017-01-08 15:11:08 -05:00
Eric Hole bcaf929256 Rebased the new EIP/NGW code and integrated with 1282 code. Working CI. 2017-01-08 13:20:32 -05:00
Eric Hole 0f84494dbd Merge branch 'master' into kris-and-eric-1282 2017-01-08 11:10:13 -05:00
Eric Hole 3de7bfb93f First pass at Shared NGW docs. 2017-01-08 09:35:56 -05:00
Eric Hole cab1251161 New API fields ngwId and ngwEip. 2017-01-08 09:35:20 -05:00
Justin Santa Barbara 8cdd8bb7da Discover existing ElasticIP & NatGateway without tagging
This should allow for round-tripping with terraform (which can't
practically do remote-resource tagging)
2017-01-08 01:52:15 -05:00
Justin Santa Barbara e3b444c912 Fix double initialization of DNSZone
And, while we are at it, clean up DNSZone so that it has separate notions
of TaskName, DNSName and HostedZoneID.  We conflated the three
previously, which we don't want to do at the task layer.  We don't want
to conflate the TaskName and the DNSName so that we can create a private
& public hosted zone with the same DNSName.  We don't want to "smuggle"
the hosted zone ID in the DNSName because it doesn't belong in the task
layer.

Fix #1374
2017-01-07 00:07:19 -05:00
Kris Nova 336237e879 Bug fixes and bastion reworking 2017-01-05 07:45:52 -07:00
Justin Santa Barbara 2912dee6e1 Rename -> AccessSpec, ELB -> LoadBalancer
Also add docs
2017-01-04 23:04:30 -05:00
Justin Santa Barbara 02f92979a6 Fixes per code review 2017-01-04 23:04:30 -05:00
Justin Santa Barbara 9314575953 Working on expressing how we expose services like the API 2017-01-04 23:04:30 -05:00
Kris Nova 1b769b48c8 Adding notes from our meeting 2017-01-04 10:01:51 -07:00
Justin Santa Barbara 09e834849d Specify storage-backend=etcd2 explicitly
The default may change to etcd3, but we want to stick with etcd2 until
upgrade has been fully vetted.
2017-01-04 11:27:31 -05:00
Justin Santa Barbara 5c7a1c7138 Don't specify configure-cidr for k8s >= 1.5 2017-01-03 13:06:08 -05:00
Justin Santa Barbara 9545c5dbd7 Lock down bastion->master/nodes
Only open port 22 (SSH)

Fix #1312
2017-01-03 11:20:01 -05:00
Chris Love 99ea01c7f8 Merge pull request #1294 from justinsb/dont_set_master_pod_cidr_in_15
Only set PodCIDR on master in <= 1.4
2016-12-28 14:40:02 -07:00
Justin Santa Barbara d449f40a37 Pre-create DNS records with placeholder values
Fixes #928
2016-12-28 13:33:23 -05:00
Justin Santa Barbara 8f9be902ce Only set PodCIDR on master in <= 1.4 2016-12-28 13:26:45 -05:00
Justin Santa Barbara 3aae164d80 Only specify --configure-cbr0 when running with k8s <= 1.4 2016-12-27 21:09:06 -05:00
Justin Santa Barbara ef14a1d172 Private DNS initial implementation - via feature flag 2016-12-26 14:03:31 -05:00
Justin Santa Barbara 846b7601db Configure DockerVersion in Docker Spec
And automatically choose 1.12.3 for k8s >= 1.5, 1.11.2 for < 1.5

Fix #849
2016-12-20 00:34:40 -05:00
Justin Santa Barbara 8ce09c65e9 Fixes per code review 2016-12-19 01:18:28 -05:00
Justin Santa Barbara 50296f1a30 Fix file headers 2016-12-19 00:23:20 -05:00
Justin Santa Barbara a03ea54365 Rename SubnetName -> Name
No schema impact
2016-12-19 00:01:38 -05:00
Justin Santa Barbara 91b77ae11e Multi-version testing; fix few edge cases
By testing with data from various schema versions, we effectively check
that they are equivalent.

Also this uncovered a few places where we were not strictly ordering
things - add some sorts in there.
2016-12-18 23:14:29 -05:00
Justin Santa Barbara 4475d68c2e Remove dead code 2016-12-18 21:56:57 -05:00
Justin Santa Barbara 51a4adb555 Create stub IAM policy for bastions 2016-12-18 21:56:57 -05:00
Justin Santa Barbara ef6d1fddf5 Update tests for new TF output 2016-12-18 21:56:57 -05:00
Justin Santa Barbara b7522cea28 Fix API ELB security group rules 2016-12-18 21:56:57 -05:00
Justin Santa Barbara 125b9badd8 Don't name bastion groups 'bastions.bastion...' 2016-12-18 21:56:57 -05:00
Justin Santa Barbara 1ef2c367c1 Reintroduce subnet assignment logic 2016-12-18 21:56:57 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
2016-12-18 21:56:57 -05:00
Justin Santa Barbara 132a001a40 Fixes per code review 2016-12-05 02:30:53 -05:00
Justin Santa Barbara d1ea4f969a Make sure we set APIServerCount
It looks like it got lost in a refactor.  Add a unit test, and move
initialization to code (and have the code self-check as well).

Also we can now have a fairly long code comment about the reasons why
this is such a mess...

Fix #371
2016-12-05 02:30:53 -05:00