Commit Graph

233 Commits

Author SHA1 Message Date
justinsb e3db4694ec refactor: simplify signature of AddS3Permissions function
We were returning a value but really we were modifying the passed-in
value in-place.
2024-07-04 11:44:20 -04:00
Aaron U'Ren 821ab18649
iam_builder.go: ensure kube-router src/dst permissions 2024-03-31 13:16:28 -05:00
Peter Rifel 3f74f21b7e
Update IAM Policy Principal.Service to stringorset 2024-02-14 17:39:43 -06:00
Peter Rifel b5264488cb
Rename stringorslice package to stringorset 2024-02-12 22:42:13 -06:00
Peter Rifel f098401c49
Rename StringOrSlice to StringOrSet, sort lists 2024-02-12 21:37:27 -06:00
Peter Rifel 21804bf631
Migrate to non-deprecated Sets implementation 2024-02-12 21:12:27 -06:00
Kubernetes Prow Robot 120220913d
Merge pull request #16219 from ameukam/servicelinkrole-elasticlb
Add permission needed for service-linked role creation
2024-01-05 02:08:56 +01:00
Arnaud Meukam ce340c6059
Add permission needed for service-linked role creation
Attempting to fix:
  - https://github.com/kubernetes/kops/issues/16218

by adding the permission needed for the AWS CCM to create a service-linked role for the elastic lb service.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
2024-01-04 23:19:14 +01:00
Peter Rifel 349de70cda
Add comment to remove unused IAM permissions in the future 2024-01-03 21:19:05 -06:00
Ciprian Hacman e95dab5408 aws: Add KMS to EBS CSI Driver 2023-12-13 03:13:04 +02:00
Ciprian Hacman 24a8bc39d5 aws: Always add KMS permissions to control plane 2023-12-13 02:56:23 +02:00
Dan Ports ae1584c6f0 Add Cognito permissions for AWS LBC. 2023-09-14 12:15:30 -04:00
John Gardiner Myers 9ced296724 AWS and GCP always use external CCM 2023-09-04 15:54:16 -07:00
John Gardiner Myers 3756bdad5b v1alpha3: Move secretStore and keyStore under configStore 2023-07-22 16:04:24 -07:00
John Gardiner Myers 57b0d8e9cd v1alpha3: Move configBase to configStore.base 2023-07-22 15:57:35 -07:00
John Gardiner Myers 6836673cca Stop using redundant configStore setting 2023-07-20 19:10:21 -07:00
John Gardiner Myers 977aacc356 Remove dead code for non-kops-controller bootstrap 2023-07-16 07:40:25 -07:00
John Gardiner Myers aef6fbdd29 Refactor UseKopsControllerForNodeBootstrap() 2023-07-11 09:45:45 -07:00
Ciprian Hacman 59b7653cc3 Update min versions for kOps v1.28 2023-06-20 08:11:21 +03:00
Jesse Haka 382855d7d1 remove s3 access from nodes if using none dns 2023-02-12 21:51:16 +02:00
John Gardiner Myers 1de02c56f1 Use state store for nodeup.Config in Gossip clusters 2023-01-11 21:19:24 -08:00
John Gardiner Myers ca7d82b02a v1alpha3: move AWS-specific fields to AWSSpec 2022-12-18 15:16:49 -08:00
John Gardiner Myers 7c3e32369a Refactor Context into separate cloudup and nodeup types 2022-12-17 17:42:46 -08:00
Kubernetes Prow Robot f827ec7f54
Merge pull request #14721 from johngmyers/nth-default-queue
Change default for NTH Queue Processor mode to enabled
2022-12-06 03:18:36 -08:00
John Gardiner Myers be43dc2784 Extract NTH Queue mode enable check to struct receiver 2022-12-04 15:55:58 -08:00
John Gardiner Myers 235aa61594 v1alpha3: move networking fields under networking 2022-12-02 19:19:59 -08:00
Ciprian Hacman dbef6209c2 Remove support for using Vault as state store
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2022-11-30 18:38:21 +02:00
John Gardiner Myers 76f71512cc v1alpha3: fix miscellaneous capitalization 2022-11-28 21:37:21 -08:00
John Gardiner Myers 0424c474a3 Don't disable AWS src/dst checks in Calico IPv6 2022-11-25 20:57:48 -08:00
Denis Moiseev e7c3dee038 Add `ec2:DescribeAvailabilityZones` to the AWS CCM permissions list
To work around the issue with subnet auto-discovery [1],
the AWS CCM needs to have permission to retrieve information about
availability zones (specifically to detect outpost, wavelength, and local zones [2]).

[1] https://github.com/kubernetes/cloud-provider-aws/issues/442
[2] https://github.com/kubernetes/cloud-provider-aws/pull/499
2022-11-25 11:04:27 +01:00
Ciprian Hacman d29812fc6e Replace fi.Bool/Float*/Int*/StringValue() with fi.ValueOf 2022-11-19 03:45:23 +02:00
Kubernetes Prow Robot 6f2ded7fb2
Merge pull request #14501 from hakman/kops-controller_for_config
Boot nodes without state store access
2022-11-16 08:32:50 -08:00
Ole Markus With e5142f6818 Add missing create tags permissions for cilium operator in ENI mode 2022-11-15 15:51:36 +01:00
Ciprian Hacman 18b5dcd297 Boot nodes without state store access 2022-11-15 14:40:14 +02:00
Thomas Colomb 9b28c14213 cluster-autoscaler: Add IAM permission autoscaling:DescribeScalingActivities needed since version 1.24 2022-09-23 13:20:21 +02:00
Kubernetes Prow Robot d705765426
Merge pull request #14253 from olemarkus/missing-legacy-ccm-permissions
Add back missing permissions for legacy CCM. Again.
2022-09-10 23:55:24 -07:00
John Gardiner Myers 34e32a41c8 AWS LBC needs ec2:DescribeVpcPeeringConnections for IPv6 2022-09-10 14:55:27 -07:00
Ole Markus With f226b03abf Add back missing permissions for legacy CCM. Again. 2022-09-10 19:54:49 +02:00
Ole Markus With afd7c60d77 Make it possible to enable the shield addon for LBC 2022-06-30 16:23:08 +02:00
Steven E. Harris a1495ac4c8
Allow the AWS LB Controller to use WAFs
By introducing a few new fields within the Cluster spec's
"awsLoadBalancerController" field, allow users to enable the AWS Load
Balancer Controller to associate WAFs with EC2 Application Load
Balancers (ALBs). It's possible to separately enable use of two kinds
of WAF: WAF Classic and the newer version 2-era WAF, the latter of
which bears no distinguishing name.

Retain our default configuration of the AWS Load Balancer Controller
in which this capability remains disabled via command-line flags,
overriding the controller program's enabling of this capability by
default.

Signed-off-by: Steven E. Harris <seh@panix.com>
2022-05-16 12:20:28 -04:00
Peter Rifel 7aae4d11c8
Add IRSA for kube-router 2022-05-05 21:51:01 -05:00
Steven E. Harris de1ecd844d
Allow cluster autoscaler to get EC2 instance types
When the cluster autoscaler builds its EC2 instance type catalog
dynamically instead of using only its statically defined set, grant it
the additional IAM permissions required to fetch the instance types
from the AWS API.
2022-04-20 12:22:28 -04:00
Ole Markus With b080abcd88 Add missing permissions to aws lbc for IP targeting 2022-03-16 13:28:20 +01:00
Ole Markus With cd247f0b3a Add missing permissions to aws lbc for irsa 2022-02-18 15:26:05 +01:00
Ole Markus With 9d476c0e9c Add CreateSecurityGroup permission for vpcs 2022-01-20 17:49:36 +01:00
Ole Markus With 666cf710a2 Push partition into the policy struct 2022-01-20 17:49:36 +01:00
Ole Markus With 0a082fed12 Require tag on create for external AWS CCM 2022-01-20 15:32:46 +01:00
Kubernetes Prow Robot 4eb54f2260
Merge pull request #13114 from olemarkus/nodeup-describe-regions
Add DescribeRegions to nodeup privs
2022-01-18 22:14:05 -08:00
Kubernetes Prow Robot fda6210e29
Merge pull request #13104 from olemarkus/tag-on-create-func
Create helper function for ec2 create/tag-on-create IAM permissions
2022-01-18 19:30:06 -08:00
Ole Markus With b80488906f Add DescribeRegions to nodeup privs 2022-01-17 09:34:29 +01:00