kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
21,067 Commits 31 Branches 256 Tags 544 MiB
Commit Graph

47 Commits

Author SHA1 Message Date
Peter Rifel b5264488cb
Rename stringorslice package to stringorset 2024-02-12 22:42:13 -06:00
Peter Rifel f098401c49
Rename StringOrSlice to StringOrSet, sort lists 2024-02-12 21:37:27 -06:00
Jun Mukai 0573e6d39e Fix minor typos for karpenter setup. 
`on-demand` is the right string to indicate OnDemand in Karpenter.
See: https://github.com/aws/karpenter-core/blob/main/pkg/apis/v1alpha5/labels.go#L30
As the result it does not fall back to ondemand instances.

Also add `ec2:DescribeImages` to karpenter IAM policies -- it's
noted in https://karpenter.sh/docs/getting-started/migrating-from-cas/#create-iam-roles
(the list also has DeleteLaunchTemplates but I don't think this
is necessary for kOps).
 2023-09-20 09:57:46 -07:00
Ciprian Hacman 59b7653cc3 Update min versions for kOps v1.28 2023-06-20 08:11:21 +03:00
justinsb 132a805972 Allow built-in manifests to be replaced by external addons 
We identify the external manifests by checking for our labels.
Currently that label is kOps specific, and we'll likely have to evolve
that to something ecosystem-netural.

We only support the GCE CCM addon and the kopeio-networking addon at
first.

For the GCE CCM addon, we need to replace the arguments, in particular
we likely need the Pod CIDR.  Here we need to work with the GCE CCM to
find a mechanism that can allow some of these flags to be communicated
via a more extensible mechanism (env vars or config maps, likely,
though possibly CRDs).

This is all behind the ClusterAddons feature flag at the moment, so we
can figure this out with other projects safely.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2023-01-05 20:29:56 -05:00
John Gardiner Myers ca7d82b02a v1alpha3: move AWS-specific fields to AWSSpec 2022-12-18 15:16:49 -08:00
Ciprian Hacman d29812fc6e Replace fi.Bool/Float*/Int*/StringValue() with fi.ValueOf 2022-11-19 03:45:23 +02:00
Ole Markus With 6548ca6ca7 Don't add add IAM vars to manifest if service account is not being created 
In the case IRSA is optional for an addon, we shouldn't unconditinally add the IRSA bits to the manifest.
This is also a clean up. We no longer need to expand the list of well-known SAs as we already know which roles are being built
 2022-09-04 08:28:32 +02:00
Ole Markus With 3518182e44 Add support for cert-manager dns-01 challenges 2022-09-04 08:19:22 +02:00
Ole Markus With 2a21b49eea Fix IAM permissions for Karpenter 2022-08-01 08:43:21 +02:00
Ole Markus With afd7c60d77 Make it possible to enable the shield addon for LBC 2022-06-30 16:23:08 +02:00
Steven E. Harris a1495ac4c8
Allow the AWS LB Controller to use WAFs 
By introducing a few new fields within the Cluster spec's
"awsLoadBalancerController" field, allow users to enable the AWS Load
Balancer Controller to associate WAFs with EC2 Application Load
Balancers (ALBs). It's possible to enable separately use of two kinds
of WAF: WAF Classic and the never version 2-era WAF, the latter of
which bears no distinguishing name.

Retain our default configuration of the AWS Load Balancer Controller
in which this capability remains disabled via command-line flags,
overriding the controller program's enabling of this capability by
default.

Signed-off-by: Steven E. Harris <seh@panix.com>
 2022-05-16 12:20:28 -04:00
Peter Rifel ef3a96558f Update Karpenter to v0.10.0 
./hack/update-expected.sh

Use default dns policy for webhook

Fix webhook svc target port

Fix provisioner to only contain launchTemplate
 2022-05-11 07:25:36 +02:00
Peter Rifel 7aae4d11c8
Add IRSA for kube-router 2022-05-05 21:51:01 -05:00
Steven E. Harris de1ecd844d
Allow cluster autoscaler to get EC2 instance types 
When the cluster autoscaler builds its EC2 instance type catalog
dynamically instead of using only its statically defined set, grant it
the additional IAM permissions required to fetch the instance types
from the AWS API.
 2022-04-20 12:22:28 -04:00
Ole Markus With ce2e877aeb Remove bazel files from vendor 2022-04-12 13:29:03 +02:00
AkiraFukushima e5cf940d53
Add managed-by label to addon pods 2022-02-20 18:33:51 +09:00
Ole Markus With 666cf710a2 Push partition into the policy struct 2022-01-20 17:49:36 +01:00
Ole Markus With 0a082fed12 Require tag on create for external AWS CCM 2022-01-20 15:32:46 +01:00
Ole Markus With 00f8808ab1 Log the specific yaml segment that fails. Also remove redundant full manifest logging 2021-12-20 15:04:52 +01:00
Ole Markus With 0cfea49250 Do not expose the policy actions sets out of package 2021-12-13 09:14:20 +01:00
Ole Markus With 794cb72112 Karpenter addon 
Constrain the instance types to what is supported by the AMI

Add taints and label to karpenter provisioner

Add instance types to karpenter provisioner
 2021-12-12 19:33:41 +01:00
John Gardiner Myers c5e1dea184 Remove code for no-longer-supported k8s version 2021-12-11 16:30:51 -08:00
Ciprian Hacman ea7df00719 Run hack/update-gofmt.sh 2021-12-01 22:39:50 +02:00
Peter Rifel c734f5c08d
Update IAMBuilder to include the current partition in ARNs 2021-10-29 23:07:31 -05:00
Ole Markus With b3982e1033 Apply suggestions from code review 
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
 2021-08-27 06:45:50 +02:00
Ole Markus With 0152c23c1e Remove externaldns feature flag 2021-08-27 06:30:01 +02:00
Ole Markus With 0439bb0d76 Remove UseServiceAccountIAM feature flag and rename feature to UseServiceAccountExternalPermissions 2021-08-07 21:20:03 +02:00
Ole Markus With ce86d851aa IRSA support for CCM 
Update pkg/model/components/addonmanifests/awscloudcontroller/iam.go

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2021-08-07 10:27:36 +02:00
Ole Markus With 2042912a5b Remap IRSA for DaemonSets too 2021-08-07 07:41:47 +02:00
Ole Markus With 28bd45a8fa Add irsa support for nth 2021-07-19 15:12:35 +02:00
Ole Markus With f0390eda29 Dedicated function for ccm permissons 
Update pkg/model/iam/iam_builder.go

Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
 2021-07-16 19:39:57 +02:00
Ole Markus With aad2912710 Add sets for the remaining addons 2021-07-01 10:37:57 +02:00
Ole Markus With df5b58b1b3 Add sets for the typical default role perms 2021-07-01 10:28:01 +02:00
Ole Markus With 37271998e1 Use sets for aws lbc permissions 2021-07-01 10:19:40 +02:00
Ole Markus With 19833e6b73 Use sets for ebscsidriver permissions 2021-07-01 09:02:04 +02:00
Ole Markus With d8bf4dcae1 NewPolicy function for instantiating policy struct 2021-07-01 08:39:43 +02:00
Ciprian Hacman 2f3bad686a Remove version from addons 2021-06-25 19:25:01 +03:00
Ole Markus With b37bc7578e Reduce master policy size for lb controller 2021-06-19 10:12:22 +02:00
Ole Markus With 33a7de60a7 Enable IRSA for EBS CSI Driver 2021-06-18 08:05:59 +02:00
Ole Markus With 7b850555eb Don't add volume multiple times to a pod 2021-06-18 07:31:33 +02:00
Ole Markus With 6e8e027aff Enable IRSA for Cluster Autoscaler 2021-06-16 18:03:11 +02:00
Ole Markus With 5d4f6e6dee Don't add IRSA env vars if feature flag is not enabled 2021-05-06 11:18:07 +02:00
Ole Markus With dbd23473ef Add irsa support for awslbcontroller 
This commit also introduces support for adding token projection volumes for well-known SAs.
Slightly less complicated than explicitly parsing the objects for a manifest
 2021-04-04 21:24:07 +02:00
Ole Markus With bca857326f Add standard labels to all resources 2021-02-28 07:43:58 +01:00
Justin SB a61ecf4c58 Refactor to use interface for iam Subjects 
Hat-tip to johngmyers for the idea!
 2020-09-09 09:57:07 -04:00
Justin SB 8498ac9dbb Create PublicJWKS feature flag 
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens.  But it shouldn't need a second bucket or anything of that
nature.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-09-09 09:57:06 -04:00