kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,946 Commits 31 Branches 256 Tags 544 MiB
Commit Graph

44 Commits

Author SHA1 Message Date
Ole Markus With afbd057286 Use consistent naming for the remaining SGRs 2021-01-14 12:57:33 +01:00
Kubernetes Prow Robot e43efbe102
Merge pull request #10157 from rifelpet/acm-nlb 
Setup a second NLB listener when an AWS ACM certificate is used
 2020-11-10 10:36:41 -08:00
Ole Markus With fab694d290 Add ability to consistently name sgrs 
In order to let kops fully control the rules for each security group we need to be able to generate names from the info in AWS. This is similar to the approach we used for openstack

Update pkg/model/firewall.go

Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
 2020-11-07 10:27:19 +01:00
Peter Rifel 9242c34a38
Setup a second NLB listener on 8443 when sslCertificate is set 2020-11-06 11:09:37 -06:00
Ole Markus With 3c76610688 Remove the commented code. We can always retrieve it later 2020-11-06 09:53:10 +01:00
John Gardiner Myers 2ac17bee69 Remove code for no-longer-supported k8s releases 2020-10-29 16:45:53 -07:00
Ciprian Hacman d0349fd6bb Open etcd port only when Calico uses "etcd" datastore 2020-10-09 09:33:38 +03:00
Peter Rifel 4d9f0128a3
Upgrade to klog2 
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
 2020-08-16 20:56:48 -05:00
Ole Markus With 991549a5f4 Remove support for Romana 2020-06-03 08:23:53 +02:00
Ole Markus With a7f631e7c9 Apply suggestions from code review 
Co-Authored-By: Peter Rifel <rifelpet@users.noreply.github.com>
 2020-04-16 08:42:59 +02:00
Ole Markus With 869ab75dea Use etcd-manager for the cilium etcd cluster 2020-04-16 08:42:59 +02:00
Maciej Kwiek 74e10dadec Change Cilium templates to standalone version 
This commit doesn't include any Cilium configuration, just takes the
quick install yaml from
https://github.com/cilium/cilium/blob/v1.6.0/install/kubernetes/quick-install.yaml

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
 2019-09-12 17:23:50 +02:00
mikesplain 9e55b8230a Update copyright notices 
Also cleans some white spaces
 2019-09-09 14:47:51 -04:00
Justin SB 3e33ac7682
Change code from glog to klog 
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog.  That
will happen when we update to k8s 1.13.
 2019-05-06 12:54:51 -04:00
Rodrigo Menezes a7903adfe8 Fix for when node and master use the same SG. 2018-12-06 01:05:54 -08:00
Justin Santa Barbara 789b7c9f28 Remove duplicate security-group overrides 2018-10-02 12:46:55 -07:00
Justin Santa Barbara 81cadec4ca Simplify building of security groups 
Also add comments about why we don't set e.g. RemoveExtraRules
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 9a6653421c Support override security groups with bastion 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 1e2a62992b Use JoinSuffixes for node->master traffic, also fix AmazonVPC rule 
This ensures we are consistently naming our rules
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara 1906bcdf5d We need to create the cross-product of rules for SG overrides 
e.g. each master SGs need to be configured to talk to each master SG
 2018-10-02 11:53:41 -07:00
Justin Santa Barbara bfb54935ff Build security groups along with suffixes 
Fixes the case where we mix use of specified & default SGs.
 2018-10-02 11:53:41 -07:00
Rodrigo Menezes 87eec75f5b Fix blocker 2018-10-02 10:22:09 -07:00
Rodrigo Menezes a82f548ff8 Allow using existing/shared Security Groups 
Verbosely log when a user overwrites LB or IG security groups

Change SecurityGroup to SecurityGroupOverride

Allow using existing/shared Security Groups

Update tests
 2018-10-02 00:51:39 -07:00
k8s-ci-robot fc1bed4353
Merge pull request #4224 from nebril/cilium-support 
Add Cilium as CNI plugin
 2018-03-26 07:49:02 -07:00
Justin Santa Barbara 12873d3868 SecurityGroups: ensure owned security groups are tagged 2018-03-24 22:19:54 -04:00
Maciej Kwiek bca52dede9 Add Cilium as CNI plugin 
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
 2018-03-20 13:07:26 +01:00
Manuel de Brito Fontes 2e05dd17aa Add support for Amazon VPC CNI plugin 2017-12-17 18:08:24 -03:00
Justin Santa Barbara 581e954062 Block etcd peer port from nodes 
Ports 2380 & 2381 should not be exposed to nodes.

Fix #3746
 2017-11-25 16:36:46 -05:00
Adam Sunderland fd8fe5ea18 Add node-to-master IPIP to kuberouter 2017-10-30 09:51:21 -05:00
Caleb Gilmour 79d331e590 Add support for Romana as a networking option 2017-09-13 22:48:18 +00:00
Justin Santa Barbara 15d6834113 Flannel: support choosing a backend type 
We support udp, which has to the default for backwards-compatibility,
but also new clusters will now use vxlan.
 2017-08-30 21:16:21 -04:00
Rohith 74f59612c7 Fixes 
- added the master option back the protokube, updating the nodeup model and protokube code
- removed any comments no related to the PR as suggested
- reverted the ordering of the mutex in the AWSVolumes in protokube
 2017-08-06 18:52:38 +01:00
Rohith a73d255b03 Etcd TLS Options 
The current implementation does not put any transport security on the etcd cluster. The PR provides and optional flag to enable TLS the etcd cluster

- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as its no longer required
- added additional integretion tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters, i'm gonna hit the coreos board to ask for the best options
 2017-08-06 17:06:46 +01:00
Justin Santa Barbara 3dfe48e5ae Wiring up lifecycle 2017-07-15 22:03:54 -04:00
Justin Santa Barbara 645f330dad Re-enable GCE support 
We move everything to the models.  We feature-flag it, because we
probably want to change the names etc, and we aren't going to be able to
offer smooth upgrades until that is done.
 2017-02-28 20:08:03 -05:00
Johannes Würbach 01bcf416e2
Allow node -> master on tcp 10255 
This port serves the read-only kubelet api and is required by heapster
 2017-02-23 00:06:46 +01:00
Justin Santa Barbara 80a732527d Just block specific traffic from node -> master 
We _should_ block per port... but:
 * It causes e2e tests to break
 * Users expect to be able to reach pods
 * If we are running an overlay, we allow all ports anyway
 2017-02-22 13:21:49 -05:00
Matthew Mihok bc235765d1 Adding basic flannel support 2017-02-11 16:26:18 -05:00
Justin Santa Barbara 7140117780 Separate protocol rule naming from AWS rules 2017-01-09 11:35:18 -05:00
Justin Santa Barbara 71c52db994 Open etcd for calico 2017-01-09 10:52:33 -05:00
Justin Santa Barbara a52f1e7342 Security rules for calico & weave 2017-01-09 10:52:33 -05:00
Justin Santa Barbara ec1e99f1d2 Lock down master security group rules 2017-01-09 10:52:33 -05:00
Justin Santa Barbara 50296f1a30 Fix file headers 2016-12-19 00:23:20 -05:00
Justin Santa Barbara fed68310fa Schema v1alpha2 
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
 2016-12-18 21:56:57 -05:00