Fabricio Toresan
d4eef657d6
Changing the prefix of the ResourceTag condition to match the one specified in the ASG documentation
2017-11-18 09:17:07 -02:00
Kashif Saadat
029d0c0393
Add Node IAM permissions to access kube-router key in S3.
2017-11-09 09:57:02 +00:00
chrislovecnm
d71f53d4b5
fixing panic with iam unit tests
2017-11-06 13:36:45 -07:00
Caleb Gilmour
d2b8741455
Add additional Describe permissions required for Romana CNI
2017-11-06 09:31:09 +00:00
Kashif Saadat
1dea528a0e
Update IAM roles documentation based on recent changes.
2017-10-30 16:41:55 +00:00
Kashif Saadat
5bfb22ac92
Make the IAM ECR Permissions optional, can be specified within the Cluster Spec.
2017-10-24 09:20:17 +01:00
Kashif Saadat
28c4b7aca9
Add IAM Permissions so nodes can access AWS ECR
2017-10-23 10:11:27 +01:00
chrislovecnm
2e6b7eedb9
Revision to IAM Policies created by Kops, and wrapped in Cluster Spec
...
IAM Legacy flag.
2017-09-15 08:05:23 +01:00
Kubernetes Submit Queue
ec074bb473
Merge pull request #3346 from rushtehrani/update-autoscaling-policy
...
Automatic merge from submit-queue
add autoscaling:DescribeLaunchConfigurations permission
As of 0.6.1, Cluster Autoscaler supports [scaling node groups from/to 0](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#scaling-a-node-group-to-0), but requires the `autoscaling:DescribeLaunchConfigurations` permission.
It'd be great to have this in kops since this permission needs to be re-added back to the master policy every time the cluster is updated.
2017-09-14 18:17:42 -07:00
Justin Santa Barbara
7b5510028a
Add CreateSecurityGroup permission
...
Also document the available filtering for the methods we use.
2017-09-10 19:14:41 -04:00
rushtehrani
db505adb65
add autoscaling:DescribeLaunchConfigurations action
2017-09-05 23:41:19 -07:00
Kubernetes Submit Queue
fdce8b4b7b
Merge pull request #3186 from KashifSaadat/limit-master-ec2-policy
...
Automatic merge from submit-queue
Limit the IAM EC2 policy for the master nodes
Related to: https://github.com/kubernetes/kops/pull/3158
The EC2 policy for the master nodes is quite open currently, allowing them to create/delete/modify resources that are not associated with the cluster the node originates from. I've come up with a potential solution using condition keys to validate that the `ec2:ResourceTag/KubernetesCluster` matches the cluster name.
2017-08-28 02:00:46 -07:00
Kashif Saadat
d6e5a62678
Limit the IAM EC2 policy for the master nodes, wrapped in 'Spec.IAM.LegacyIAM' API flag.
2017-08-26 11:46:09 +01:00
Rohith
0dc4e5e4dc
Kops Secrets on Nodes
...
The current implementation permits nodes access to /secrets/* though the nodes themselves do [not](https://github.com/gambol99/kops/blob/secrets/nodeup/pkg/model/secrets.go#L77-L79) require access. This PR changed the ACL on the IAM policy to deny access for nodes to /secrets/*
2017-08-25 19:47:37 +01:00
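The two policy-tightening techniques described in the commit messages above, the condition-key scoping of the master EC2 policy from the PR #3186 merge message and the explicit Deny on /secrets/* from the "Kops Secrets on Nodes" message, as an added example that is neither kops code nor the policy document kops generates. It is a small Python evaluator (itself an assumption, modelling only the StringEquals operator, IAM wildcard matching and IAM's explicit-deny-wins ordering) run over hypothetical policy statements; the cluster name, bucket name, account ID and the particular actions listed are assumed, not taken from the page.

```python
import re

# Assumed values for the example (not from the page): a cluster name and state-store bucket.
CLUSTER = "example.k8s.local"
BUCKET = "example-kops-state"

# Hypothetical master-role statements in the style of the scoped policy: Describe*
# stays unconditioned because EC2 Describe actions carry no resource tag in the
# request context, while mutating actions are gated on the cluster tag. Note the
# condition-key prefix differs per service: ec2:ResourceTag/... for EC2 resources,
# autoscaling:ResourceTag/... for Auto Scaling groups.
MASTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteSecurityGroup",
                       "ec2:RevokeSecurityGroupIngress"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/KubernetesCluster": CLUSTER}},
        },
        {
            "Effect": "Allow",
            "Action": ["autoscaling:SetDesiredCapacity",
                       "autoscaling:TerminateInstanceInAutoScalingGroup"],
            "Resource": "*",
            "Condition": {"StringEquals": {"autoscaling:ResourceTag/KubernetesCluster": CLUSTER}},
        },
    ],
}

# Hypothetical node-role statements: read the cluster's state-store prefix, but an
# explicit Deny carves out secrets/*, which wins over the broader Allow.
NODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/{CLUSTER}/*"]},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/{CLUSTER}/secrets/*"},
    ],
}


def _as_list(value):
    # Policies may write Action/Resource as either a string or a list.
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_sensitive=True):
    # IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _condition_holds(condition, context):
    # Only StringEquals is modelled, the operator the scoping statements use. A key that
    # is absent from the request context makes the condition false, so a statement
    # conditioned on a resource tag never matches an untagged or foreign resource.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource_arn, context=None):
    """Return 'Allow' or 'Deny' for one request. Precedence as in IAM: an explicit
    Deny beats any Allow; with no matching statement the default is Deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    sg = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"
    own = {"ec2:ResourceTag/KubernetesCluster": CLUSTER}
    other = {"ec2:ResourceTag/KubernetesCluster": "other.k8s.local"}
    print(evaluate(MASTER_POLICY, "ec2:DeleteSecurityGroup", sg, own))    # Allow
    print(evaluate(MASTER_POLICY, "ec2:DeleteSecurityGroup", sg, other))  # Deny
    print(evaluate(NODE_POLICY, "s3:GetObject",
                   f"arn:aws:s3:::{BUCKET}/{CLUSTER}/secrets/admin"))     # Deny
```

Two practical checks follow from the model. First, a statement conditioned on `ec2:ResourceTag/...` silently stops matching for any action that does not populate that key, which is why read-only Describe actions have to stay in an unconditioned statement and why a later commit on this page had to rename the prefix to `autoscaling:ResourceTag/...` for the Auto Scaling statements: with the wrong prefix the condition is simply never true. Second, the explicit Deny on `.../secrets/*` holds even if a broader Allow is added later, so it is the robust way to carve an exception out of a prefix-wide grant.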
Kashif Saadat
0e5c393f10
Rename IAM switch to legacy, default to false for new cluster creations.
2017-08-22 13:27:55 +01:00
Kashif Saadat
0aac9b7f8d
Allow the strict IAM policies to be optional, default to original behaviour (not-strict)
2017-08-22 13:27:54 +01:00
Kashif Saadat
fd0ce236dc
Remove node requirement to access private ca and master keys in S3
2017-08-11 16:12:32 +01:00
Kashif Saadat
cd149414df
Tighten down S3 IAM policy statements
2017-08-11 11:51:46 +01:00
amdonov
e0428207cc
Properly set IAM prefix for GovCloud
2017-07-08 00:03:22 -04:00
Justin Santa Barbara
3c6689b5b0
Always grant route53 ListHostedZones permission
2017-06-19 14:16:35 -04:00
Justin Santa Barbara
5955467be0
Default to loadbalancer ingress for gossip dns
...
DNS ingress won't work anyway.
2017-06-19 14:16:35 -04:00
Justin Santa Barbara
864a999602
Fix automatic private DNS zone creation
...
We have to defer creation of the IAM policy until we have created the
hosted zone.
Fix #2444
2017-04-29 17:01:18 -04:00
Justin Santa Barbara
cb4641fea3
Code updates
2017-03-16 02:40:50 -04:00
Jakub Paweł Głazik
cd795d0c8c
Resolve DNS Hosted Zone ID while building IAM policy
...
Fixes #1949
2017-02-23 11:45:58 +01:00
Jakub Paweł Głazik
a3019905a1
Merge remote-tracking branch 'origin/master' into iam-route53-scoping
2017-02-17 10:52:04 +01:00
Justin Santa Barbara
dc9a343434
Support string-or-slice in IAM policies
...
Fix #1920
2017-02-16 22:24:28 -05:00
Jakub Paweł Głazik
f50f010d2f
Scope route53 permissions to DNS_ZONE only
2017-02-15 22:34:04 +01:00
Sergio Ballesteros
9e9c0c105b
Add autoscaling policy to master role
2017-01-25 17:18:10 +01:00
Justin Santa Barbara
51a4adb555
Create stub IAM policy for bastions
2016-12-18 21:56:57 -05:00
Justin Santa Barbara
fed68310fa
Schema v1alpha2
...
* Zones are now subnets
* Utility subnet is no longer part of Zone
* Bastion InstanceGroup type added instead
* Etcd clusters defined in terms of InstanceGroups, not zones
* AdminAccess split into SSHAccess & APIAccess
* Dropped unused Multizone flag
2016-12-18 21:56:57 -05:00