We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.
Although amazon-vpc-cni-k8s adds tag to ENI, kops does not add the
permission. Hence it does not work by default.
This patch adds the permission for CreateTag on ENI to
amazon-vpc-cni-k8s's nodes policy.
https://github.com/lyft/cni-ipvlan-vpc-k8s
This cni solution is slightly different in that it doesn't require running a daemonset
It requires:
* a config file in /etc/cni/net.d
* the binaries in /opt/cni/bin
* adding the --node-ip param to the kubelet
This code is modeled after the AmazonVPC cni bits.
I've left the setup of the required subnets as an exercise to the reader.
Without this permission, controller-manager gets the following error:
failed to ensure load balancer for service XXX: Error trying to
deregister targets in target group:
"AccessDenied: User: arn:aws:sts::XXX:assumed-role/masters...
is not authorized to perform: elasticloadbalancing:DeregisterTargets
on resource: arn:aws:elasticloadbalancing:XXX
The etcd-manager will (ideally) take over etcd management. To provide a
nice migration path, and because we want etcd backups, we're creating a
standalone image that just backs up etcd in the etcd-manager format.
This isn't really ready for actual usage, but should be harmless because
it runs as a sidecar container.
The current implementation when Etcd TLS was added does not support using calico as the configuration and client certificates are not present. This PR updates the calico manifests and adds the distribution of the client certificate
Automatic merge from submit-queue
add autoscaling:DescribeLaunchConfigurations permission
As of 0.6.1, Cluster Autoscaler supports [scaling node groups from/to 0](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#scaling-a-node-group-to-0), but requires the `autoscaling:DescribeLaunchConfigurations` permission.
It'd be great to have this in kops since this permission needs to be re-added back to the master policy every time the cluster is updated.
Automatic merge from submit-queue
Limit the IAM EC2 policy for the master nodes
Related to: https://github.com/kubernetes/kops/pull/3158
The EC2 policy for the master nodes are quite open currently, allowing them to create/delete/modify resources that are not associated with the cluster the node originates from. I've come up with a potential solution using condition keys to validate that the `ec2:ResourceTag/KubernetesCluster` matches the cluster name.
Kubernetes Prow Robot
Michal Schott
Maciej Kwiek
Raymond Finch
Peter Rifel
Justin SB
Ryan Bonham
Chris Stein
Kenjiro Nakayama
Chris Phillips
Jay Eno
Kelly Campbell
Kashif Saadat
Justin Santa Barbara
Maciej Kwiek
Rohith
Shane Starcher
Caleb Gilmour
Mikael Knutsson
Albert
Kubernetes Submit Queue
Manuel de Brito Fontes
Eric Hole
Robin Percy
Fabricio Toresan
chrislovecnm
rushtehrani