Ole Markus With
0cfea49250
Do not expose the policy actions sets out of package
2021-12-13 09:14:20 +01:00
Ole Markus With
794cb72112
Karpenter addon
Constrain the instance types to what is supported by the AMI
Add taints and label to karpenter provisioner
Add instance types to karpenter provisioner
2021-12-12 19:33:41 +01:00
Ciprian Hacman
ea7df00719
Run hack/update-gofmt.sh
2021-12-01 22:39:50 +02:00
John Gardiner Myers
b9ac79ec6e
Rename fields in v1alpha3 networking API to fit acronym convention
2021-11-22 08:07:55 -08:00
John Gardiner Myers
5a42c10fd3
Rename fields in v1alpha3 cluster API to fit acronym convention
2021-11-21 16:16:32 -08:00
Kubernetes Prow Robot
b47e023b1e
Merge pull request #12680 from rifelpet/fix-iam-conditions
Fix ELB IAM conditions (part 2)
2021-11-03 23:34:03 -07:00
Peter Rifel
9d0d1998cb
Move CLB CreateLoadBalancer* IAM actions to cluster-tagged
Manual testing confirmed that these require aws:ResourceTag rather than aws:RequestTag
2021-11-03 22:16:30 -05:00
Peter Rifel
c3e8420731
Revert "Move some AWS IAM policy actions from tagged conditions to wildcard"
This reverts commit 91e4767851.
2021-11-03 21:59:43 -05:00
Kubernetes Prow Robot
1e97b0cf76
Merge pull request #12674 from rifelpet/fix-iam-conditions
Remove tag conditions on certain AWS IAM actions
2021-11-03 02:24:59 -07:00
Peter Rifel
91e4767851
Move some AWS IAM policy actions from tagged conditions to wildcard
I checked these against the IAM docs for each API and moved the actions that don't support tag conditions:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html#elasticloadbalancing-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html#elasticloadbalancingv2-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html#amazonec2autoscaling-actions-as-permissions
2021-11-02 20:06:35 -05:00
Peter Rifel
dede42efd2
Fix cluster name used in IAM policies
2021-11-02 17:39:57 -05:00
Kubernetes Prow Robot
9bc5887610
Merge pull request #12638 from rifelpet/arn-partition
Fix hardcoded ARN partitions
2021-10-29 23:37:19 -07:00
Peter Rifel
c734f5c08d
Update IAMBuilder to include the current partition in ARNs
2021-10-29 23:07:31 -05:00
Ciprian Hacman
9d1e11c73a
Allow kops-controller to describe network interfaces
2021-10-30 06:50:32 +03:00
Kubernetes Prow Robot
5bfdefb43c
Merge pull request #12623 from johngmyers/cilium-ipv6-ipam
Never masquerade IPv6 with Cilium
2021-10-29 05:56:51 -07:00
John Gardiner Myers
7cb4fbe91e
Never masquerade IPv6 with Cilium
2021-10-27 23:40:02 -07:00
Ciprian Hacman
a3f4ed7502
Update node permissions
2021-10-28 07:47:09 +03:00
Ole Markus With
795ac25363
Add permissions needed for KCM to provision NLBs
2021-10-26 08:51:28 +02:00
Kubernetes Prow Robot
af85e5e52e
Merge pull request #12309 from olemarkus/lbc-security
Allow AWS LBC to attach certificates
2021-10-23 13:16:21 -07:00
Peter Rifel
7b3fc875f9
Add ec2:DescribeLaunchTemplateVersions to CA IAM policy
2021-10-20 15:15:06 -07:00
John Gardiner Myers
8e6214c046
Stop requiring the cluster IAM substruct be present
2021-10-02 20:18:46 -07:00
justinsb
db1ba01e94
Only add IPv6 IAM permissions if using IPv6
This avoids users wondering what these permissions are for until we
need them.
2021-09-18 13:49:40 -04:00
Ole Markus With
a3a2a9c3bf
Have nodeup assign an ipv6 prefix
2021-09-16 19:28:07 +02:00
Ole Markus With
bdad72e9aa
Allow AWS LBC to attach certificates
2021-09-11 12:50:37 +02:00
Ole Markus With
4ab75b01cb
Have instances learn about their GPU capabilities
2021-09-05 20:09:04 +02:00
John Gardiner Myers
6655022ce1
Remove support for the Lyft CNI
2021-08-28 11:54:39 -07:00
Ole Markus With
38f805c5ef
Make external-dns a drop-in for dns-controller
Support TXT records
2021-08-27 06:24:47 +02:00
Peter Rifel
3db20bed01
./hack/update-expected.sh
2021-08-20 08:41:25 -05:00
Peter Rifel
67007e1a0a
Consolidate IAM statements
2021-08-19 23:16:04 -05:00
Ole Markus With
0439bb0d76
Remove UseServiceAccountIAM feature flag and rename feature to UseServiceAccountExternalPermissions
2021-08-07 21:20:03 +02:00
Ole Markus With
ce86d851aa
IRSA support for CCM
Update pkg/model/components/addonmanifests/awscloudcontroller/iam.go
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-08-07 10:27:36 +02:00
John Gardiner Myers
b94bcafe56
Remove unnecessary IAM permission
2021-07-23 14:03:41 -07:00
Ole Markus With
7c448d3535
Remove redundant call to addSnapshotPermissions
2021-07-19 21:19:05 +02:00
Ole Markus With
28bd45a8fa
Add irsa support for nth
2021-07-19 15:12:35 +02:00
Ole Markus With
f0390eda29
Dedicated function for ccm permissions
Update pkg/model/iam/iam_builder.go
Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>
2021-07-16 19:39:57 +02:00
John Gardiner Myers
9dbf3479d6
Stop writing the certificate-only keyset.yaml
2021-07-11 11:16:11 -07:00
Ole Markus With
a98bfdb64f
Allow filefs to be used to mock s3 policies
2021-07-04 07:34:56 +02:00
Ole Markus With
aad2912710
Add sets for the remaining addons
2021-07-01 10:37:57 +02:00
Ole Markus With
df5b58b1b3
Add sets for the typical default role perms
2021-07-01 10:28:01 +02:00
Ole Markus With
37271998e1
Use sets for aws lbc permissions
2021-07-01 10:19:40 +02:00
Ole Markus With
c7bd1c1529
Add s3 policies to integration tests
2021-07-01 09:26:58 +02:00
Ole Markus With
9885714957
Use NewPolicy for the non-master roles
2021-07-01 09:19:35 +02:00
Ole Markus With
19833e6b73
Use sets for ebscsidriver permissions
2021-07-01 09:02:04 +02:00
Ole Markus With
d8bf4dcae1
NewPolicy function for instantiating policy struct
2021-07-01 08:39:43 +02:00
John Gardiner Myers
2faf28379a
Refactor etcd-client-cilium secrets
2021-06-25 23:57:23 -07:00
Kubernetes Prow Robot
89ad2bc453
Merge pull request #11810 from hakman/ipv6_disable_calico_awssrcdstcheck
Enable cross-subnet mode with Calico by default
2021-06-25 01:08:45 -07:00
Ciprian Hacman
a12b3145ee
Enable cross-subnet mode with Calico by default
2021-06-25 07:13:20 +03:00
Kubernetes Prow Robot
17c2edc3a1
Merge pull request #11811 from olemarkus/ebs-bump
Add back createvolume to master + bump ebs driver
2021-06-21 02:19:03 -07:00
Kubernetes Prow Robot
eb7ba5e943
Merge pull request #9229 from johngmyers/version-fullcluster
Put versioned API of cluster into state store
2021-06-21 01:32:52 -07:00
Ole Markus With
79a2c111f2
Remove redundant permissions
2021-06-21 08:59:54 +02:00
Ole Markus With
b3f274e140
Apply permissions to master role when irsa is not used
2021-06-21 08:56:11 +02:00
Ole Markus With
778323eec9
Add missing lbc permission
2021-06-19 20:03:40 +02:00
Ole Markus With
b37bc7578e
Reduce master policy size for lb controller
2021-06-19 10:12:22 +02:00
Kubernetes Prow Robot
135cdf3461
Merge pull request #11789 from johngmyers/seed-rng
Seed the random number generator on AWS
2021-06-18 08:48:06 -07:00
Ole Markus With
33a7de60a7
Enable IRSA for EBS CSI Driver
2021-06-18 08:05:59 +02:00
John Gardiner Myers
42bf3ee85b
Seed the random number generator on AWS
2021-06-17 22:59:43 -07:00
John Gardiner Myers
53695fc183
Put versioned API of cluster into state store
2021-06-16 19:33:46 -07:00
Ole Markus With
6e8e027aff
Enable IRSA for Cluster Autoscaler
2021-06-16 18:03:11 +02:00
John Gardiner Myers
4fe25196d8
Trim unnecessary paths from worker node IAM
2021-06-15 21:03:13 -07:00
Kubernetes Prow Robot
cfc93e5178
Merge pull request #9294 from johngmyers/refactor-nodeup-context
Remove InstanceGroup from NodeupModelContext
2021-06-12 13:43:01 -07:00
Matthew Wong
4e9b45b324
Allow master to touch volumes tagged with kubernetes.io/cluster/<clusterName>:owned
2021-06-09 13:52:48 -07:00
John Gardiner Myers
eb09d31a3c
Pass AuxConfig to nodeup
2021-06-03 21:04:21 -07:00
John Gardiner Myers
0a48b9050f
Protokube needs dns-controller IAM permissions
2021-05-31 06:58:59 -07:00
John Gardiner Myers
b82b129a54
Remove fallback support for legacy IAM
2021-05-30 16:52:42 -07:00
Ole Markus With
0004bcec77
Only allow deletion of snapshots owned by the cluster
2021-05-23 08:13:10 +02:00
Ole Markus With
1868313497
Add snapshot-controller
2021-05-22 09:19:35 +02:00
Ole Markus With
d3581ebb84
bump aws lb controller to 2.2.0
2021-05-16 18:26:23 +02:00
Ole Markus With
cd9ddd6716
Add elasticloadbalancing:ModifyTargetGroupAttributes to aws lb controller
2021-05-06 15:27:39 +02:00
Ole Markus With
6f8b3647cf
Add support for IRSA in the API
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2021-05-01 16:03:42 +02:00
Ole Markus With
1ec0bd18e8
Enable support for the ASG WarmPool lifecycle hook
Update pkg/model/iam/iam_builder.go
Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
2021-04-24 09:40:52 +02:00
Jason Haugen
36722afb0f
change casing Asg->ASG
2021-04-22 13:07:01 -05:00
Jason Haugen
366634e66a
change permissions & node selector
2021-04-19 15:43:05 -05:00
Jason Haugen
d07b067249
Add NTH queue-processor mode
2021-04-19 15:43:05 -05:00
Ole Markus With
af92896dc7
Don't start kubelet if we are warming
2021-04-14 11:05:50 +02:00
Ole Markus With
dbd23473ef
Add irsa support for awslbcontroller
This commit also introduces support for adding token projection volumes for well-known SAs.
Slightly less complicated than explicitly parsing the objects for a manifest
2021-04-04 21:24:07 +02:00
guydog28
bd80c3f2b4
replace hard coded aws region checks with aws sdk calls
2021-03-24 15:31:05 +00:00
Kubernetes Prow Robot
15e4028c81
Merge pull request #10722 from olemarkus/apiserver-nodes
Apiserver nodes
2021-03-20 16:43:42 -07:00
Ole Markus With
20bd724f5e
Add support for scaling out the control plane with dedicated apiserver nodes
Ensure apiserver role can only be used on AWS (because of firewalling)
Apply api-server label to CP as well
Consolidate node not ready validation message
Guard apiserver nodes with a feature flag
Rename Apiserver role to APIServer
Add an integration test for apiserver nodes
Rename Apiserver role to APIServer
Enumerate all roles in rolling update docs
Apply suggestions from code review
Co-authored-by: Steven E. Harris <seh@panix.com>
2021-03-20 20:57:00 +01:00
Justin SB
d7683d85ce
Don't add control-plane DNS permissions with UseServiceAccountIAM
Should not be needed; dns-controller should run on the control-plane
node so there should not be a bootstrapping problem with the nodes.
Reverts #10529
2021-03-20 14:00:46 -04:00
Ole Markus With
56330188d0
Add AWS LoadBalancerController
2021-02-11 08:47:03 +01:00
Peter Rifel
a15957da2f
IRSA - continue adding route53 permissions to masters
These are needed by protokube to create the kops-controller DNS record to allow nodes to bootstrap.
See these logs: https://storage.googleapis.com/kubernetes-jenkins/logs/e2e-kops-grid-scenario-public-jwks/1345956556562239488/artifacts/ip-172-20-48-1.sa-east-1.compute.internal/protokube.log
```
I0104 05:03:51.264472 6482 dnscache.go:74] querying all DNS zones (no cached results)
I0104 05:03:51.264570 6482 route53.go:53] AWS request: route53 ListHostedZones
W0104 05:03:51.389485 6482 dnscontroller.go:124] Unexpected error in DNS controller, will retry: error querying for zones: error querying for DNS zones: AccessDenied: User: arn:aws:sts::768319786644:assumed-role/masters.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io/i-05b1db10d1a5b8637 is not authorized to perform: route53:ListHostedZones
```
and the nodeup logs on nodes that couldn't join the cluster:
```
Jan 04 04:55:53.500187 ip-172-20-38-84 nodeup[2070]: W0104 04:55:53.500117 2070 executor.go:131] error running task "BootstrapClient/BootstrapClient" (9m52s remaining to succeed): Post "https://kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io:3988/bootstrap ": dial tcp: lookup kops-controller.internal.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io on 127.0.0.53:53: no such host
```
2021-01-04 21:03:53 -06:00
Ciprian Hacman
ab9d30a015
Order by name fields in CalicoNetworkingSpec
2020-12-11 18:23:49 +02:00
Ciprian Hacman
a3a0b91b5f
Order policy document sections alphabetically
2020-11-04 16:15:00 +02:00
John Gardiner Myers
2ac17bee69
Remove code for no-longer-supported k8s releases
2020-10-29 16:45:53 -07:00
Ciprian Hacman
2c15acfa44
Enable Calico AWS src/dest check permissions when CrossSubnet is set
2020-10-10 04:17:19 +03:00
Ciprian Hacman
d0349fd6bb
Open etcd port only when Calico uses "etcd" datastore
2020-10-09 09:33:38 +03:00
monicagangwar
a63ccd5163
[calico] awsSrcDstCheck to disable src/dest checks in AWS
* replacing k8s-ec2-srcdst with calico's config awsSrcDstCheck and
flag FELIX_AWSSRCDSTCHECK
* documentation and iam changes for calico awsSrcDstCheck
2020-10-08 17:17:23 +05:30
Justin SB
6fa8be2716
JSON formatting of IAM: Workaround for optional fields
AWS IAM is very strict and doesn't support `Resource: []` for example.
We implement a custom MarshalJSON method to work around that.
2020-09-09 09:57:07 -04:00
Justin Santa Barbara
d8895c57ec
Add version logic to UseServiceAccountIAM
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:07 -04:00
Justin SB
a61ecf4c58
Refactor to use interface for iam Subjects
Hat-tip to johngmyers for the idea!
2020-09-09 09:57:07 -04:00
Justin SB
8498ac9dbb
Create PublicJWKS feature flag
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens. But it shouldn't need a second bucket or anything of that
nature.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-09 09:57:06 -04:00
Justin SB
5d1e7bcf82
Refactor IAM route53 construction
This helps for the JWKS / ServiceAccount role support.
2020-09-01 11:34:42 -04:00
John Gardiner Myers
ba96a84926
Don't give access to calico-client key when not needed
2020-08-18 13:45:27 -07:00
John Gardiner Myers
07220797b4
Issue the cilium etcd client cert out of kops-controller
2020-08-17 21:15:34 -07:00
John Gardiner Myers
b6947ccaee
Use kops-controller to issue kube-router cert
2020-08-16 23:40:38 -07:00
John Gardiner Myers
8e43c1d637
Use kops-controller to issue kube-proxy cert
2020-08-16 23:36:42 -07:00
Peter Rifel
4d9f0128a3
Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers
c5871df319
Get kubelet certificate from kops-controller
2020-08-15 10:30:20 -07:00
Ole Markus With
2fd6e52af7
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-06-27 07:43:30 +02:00
Ole Markus With
51235b2edc
Deploy cilium etcd credentials if the cilium cluster exists
2020-06-27 07:11:19 +02:00