Commit Graph

65 Commits

Author SHA1 Message Date
John Gardiner Myers 70926d43fc Use a stable key for signing service account tokens 2020-07-11 13:18:50 -07:00
John Gardiner Myers f4f4763dc2 Refactor more certs to be issued by nodeup 2020-06-28 23:12:13 -07:00
Ciprian Hacman 70a3a2e978 ARM64 support - Update side-loading for multi-arch 2020-06-19 04:42:11 +03:00
John Gardiner Myers c8b523e8b6 Issue aws-iam-authenticator cert in nodeup 2020-06-16 21:05:11 -07:00
Kubernetes Prow Robot eb39ab7349
Merge pull request #9355 from johngmyers/move-port
Move host-network services off of port 8080
2020-06-16 09:10:04 -07:00
John Gardiner Myers 9d7a93e124 Issue kubelet-api cert in nodeup 2020-06-13 16:35:44 -07:00
John Gardiner Myers 4bf8302f14 Move kube-apiserver-healthcheck to port 3990 2020-06-12 22:00:14 -07:00
ZouYu 2fc52ec6be fix some go-lint warning
Signed-off-by: ZouYu <zouy.fnst@cn.fujitsu.com>
2020-06-09 08:52:50 +08:00
John Gardiner Myers e88e0cf7ec Remove code supporting dropped k8s versions 2020-06-04 12:11:51 -07:00
John Gardiner Myers a3e7ca2469 Disable static tokens by default as of Kubernetes 1.18 2020-06-01 15:12:09 -07:00
Justin SB 75fd939a62
kube-apiserver: healthcheck via sidecar container
kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonymous-access being enabled.  That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.

Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.

This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-05-07 08:06:52 -04:00
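The sidecar described in the commit above, written out as an added example (this is not kops code and not the sidecar kops ships): a small Go proxy that accepts only GET /healthz and /readyz, forwards them to kube-apiserver over TLS with a client certificate, and answers 404 for everything else, so the unauthenticated 127.0.0.1:8080 listener is no longer needed. The certificate paths, the HC_* environment variable names, the listen address 127.0.0.1:3990 and the target https://127.0.0.1:443 are assumptions chosen for stand-alone use.

```go
// Added example, not kops code: a healthcheck sidecar that proxies only
// /healthz and /readyz to kube-apiserver, authenticating with a client
// certificate. File paths, env var names and ports are assumptions.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

// allowedPaths is the allowlist the proxy enforces; anything else is 404.
var allowedPaths = map[string]bool{"/healthz": true, "/readyz": true}

// isAllowedPath reports whether the sidecar will forward a request path.
// The match is exact, so /healthz/etcd or //healthz are refused.
func isAllowedPath(p string) bool { return allowedPaths[p] }

// clientTLSConfig builds the mTLS config used toward the apiserver: trust
// the cluster CA and present the client cert the apiserver authenticates.
func clientTLSConfig(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificates found in CA bundle")
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// newHandler returns the sidecar handler. target is the apiserver base URL
// (e.g. https://127.0.0.1:443); client carries the mTLS transport.
func newHandler(target string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only GET on the two probe paths. Bodies, headers and query
		// strings from the unauthenticated side are never forwarded.
		if r.Method != http.MethodGet || !isAllowedPath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, target+r.URL.Path, nil)
		if err != nil {
			http.Error(w, "bad upstream request", http.StatusBadGateway)
			return
		}
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, "apiserver unreachable", http.StatusServiceUnavailable)
			return
		}
		defer resp.Body.Close()
		w.Header().Set("Content-Type", "text/plain")
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// envOr returns an environment variable or the constructed default.
func envOr(k, def string) string {
	if v := os.Getenv(k); v != "" {
		return v
	}
	return def
}

func main() {
	read := func(p string) []byte {
		b, err := os.ReadFile(p)
		if err != nil {
			log.Fatal(err)
		}
		return b
	}
	// Assumed locations; a real deployment mounts whatever cert it issued.
	tlsCfg, err := clientTLSConfig(
		read(envOr("HC_CA", "/etc/kubernetes/pki/ca.crt")),
		read(envOr("HC_CERT", "/etc/kubernetes/pki/healthcheck.crt")),
		read(envOr("HC_KEY", "/etc/kubernetes/pki/healthcheck.key")))
	if err != nil {
		log.Fatal(err)
	}
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	// Listen on loopback only: the sidecar itself is unauthenticated.
	log.Fatal(http.ListenAndServe(envOr("HC_LISTEN", "127.0.0.1:3990"),
		newHandler(envOr("HC_TARGET", "https://127.0.0.1:443"), client)))
}
```

The allowlist is checked before anything is forwarded, and the upstream request is rebuilt from scratch rather than copied, so a caller on the loopback port cannot smuggle headers, a body or a query string to the authenticated apiserver connection.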
Ciprian Hacman fa516ed5f8
Simplify condition
Co-Authored-By: John Gardiner Myers <jgmyers@proofpoint.com>
2020-04-05 20:57:09 +03:00
Ciprian Hacman ad8e1ceff7 Remove basic authentication support for k8s 1.19+ 2020-04-05 17:47:26 +03:00
John Gardiner Myers 3e95a88717 Fix Test_KubeAPIServer_Builder to use a supported version of Kubernetes 2020-02-21 22:46:36 -08:00
Justin SB 0cb35638f2
Stop logging to /var/log/kops-controller.log
Writing to a hostPath from a non-root container requires file
ownership changes, which is difficult to roll out today.  See
discussion in #8454

We were primarily using the logfile for e2e diagnostics, so we're
going to look into collecting the information via other means instead.

We also haven't yet shipped this logfile in a released version (though
we have shipped it in beta releases)
2020-02-04 06:41:25 -05:00
John Gardiner Myers 6e9dc8fc0f Remove code for unsupported k8s versions from nodeup 2020-01-12 19:30:34 -08:00
Kubernetes Prow Robot 95f4f83fbe
Merge pull request #7900 from zacblazic/use-encryption-provider-config-flag
Use non-experimental version of encryption provider config flag in 1.13+
2020-01-05 10:31:40 -08:00
tanjunchen 7e25f9831d nodeup/pkg/ pkg/ staticcheck 2019-12-31 15:03:39 +08:00
John Gardiner Myers eaa13e734d Fix truncation of admission control plugins list 2019-11-30 19:30:49 -08:00
Kubernetes Prow Robot 482fce5d54
Merge pull request #7424 from mmerrill3/feature/dynamic-audit-config
Implementing audit dynamic configuration (#7392)
2019-11-26 01:01:10 -08:00
Zac Blazic 28d3eb4e37 Use `--encryption-provider-config` when kubernetes 1.13+
The alpha version of encryption at rest used the following flag:
`--experimental-encryption-provider-config`. As of kubernetes 1.13,
`--encryption-provider-config` should be used instead.
2019-11-08 18:24:05 +02:00
tanjunchen a19fb935e4 fix-up static-check 2019-10-29 14:06:12 +08:00
mmerrill3 5cf94c8ddf Implementing audit dynamic configuration (#7392)
Signed-off-by: mmerrill3 <michael.merrill@vonage.com>
2019-10-24 10:21:27 -04:00
mikesplain 9e55b8230a Update copyright notices
Also cleans some white spaces
2019-09-09 14:47:51 -04:00
Kubernetes Prow Robot dd6b0314fc
Merge pull request #6897 from vainu-arto/set-priority-for-static-pods
Set priority for static pods
2019-07-12 00:41:07 -07:00
Kashif Saadat 2b61ace49c goimports update 2019-07-03 16:43:20 +01:00
Austin Moore 67d9f5f190 Move getProxyEnvVars into a util package 2019-06-05 15:59:19 -04:00
Justin SB fe487df586
Use klog logging from 1.15
klog can now support logging both to a file and to streams, so we get the output both in docker & logfiles.

A few gotchas:

* The output previously was all on stdout, now it is on stderr.  That is more correct
* If something writes to stdout or stderr outside of klog, it will no longer end up in the logfile.
* There's some oddities still to be ironed out about the flag syntax https://github.com/kubernetes/klog/issues/60
2019-05-10 00:17:30 -04:00
Arto Jantunen 48974521e1 Set priority classes for static pods
For the master pods (apiserver, controller manager, scheduler) this is
unlikely to ever matter (the masters aren't expected to run out of
resources and need to evict things) but evictions of kube-proxy from worker
nodes are easy to trigger in clusters with PodPriority enabled. Since these
are static pods the configuration is also somewhat difficult to change.
2019-05-09 16:03:08 +03:00
Kubernetes Prow Robot b91db4f360
Merge pull request #6706 from granular-ryanbonham/apiserver_cpurequest
Add ability to specify cpuRequest for API Server
2019-04-10 08:04:13 -07:00
Justin SB c7b921fe05
Increase apiserver timeout to 45 seconds
Fix #6702

Parallel to upstream issue #71054
2019-04-07 11:55:33 -07:00
Ryan Bonham 8584fd731d Fix type mismatch 2019-03-29 14:32:29 -05:00
Ryan Bonham ac5a2ec2a0 Fix syntax error 2019-03-29 14:19:59 -05:00
Ryan Bonham 67c2f50732 Handle unset KubeAPIServer.CPURequest 2019-03-29 14:07:05 -05:00
Ryan Bonham a75dcdda35 Add Ability to set cpu request for api server 2019-03-29 13:56:21 -05:00
Justin SB 31f408c978
Support etcd-manager in kops 1.12
In 1.12 (kops & kubernetes):

* We default etcd-manager on
* We default to etcd3
* We default to full TLS for etcd (client and peer)
* We stop allowing external access to etcd
2019-03-14 23:13:06 -04:00
Derek Lemon -T (delemon - AEROTEK INC at Cisco) 4f0169bb79 codegen 2019-01-16 09:30:40 -07:00
Justin SB 26bd75aecb
Bulk spelling fixes
Experimenting with my own spelling checker, these are the typos it caught.
2018-12-20 17:43:56 -05:00
fernando.carletti 4b27e6c8ee Add flag to disable Basic Auth. 2018-10-16 19:04:38 -05:00
Rob Graham 4b07a07ad5 Merge branch 'master' into issue-4252-dns 2018-07-23 14:00:09 +01:00
Rob Graham 8ccf42f4a2 GH-4252 Better name for the config value and also add to v1alpha1 API 2018-07-23 13:48:35 +01:00
Christian Kampka 581eec3eca Don't mount volume for auditLog when STDOUT is configured as path
Fixes #4202
2018-07-16 22:53:58 +02:00
k8s-ci-robot 35b7d5791d
Merge pull request #5424 from rdrgmnzs/fix_aws-authenticator_read_perms
Fix the issue described in #5412 where the authenticator is no longer…
2018-07-11 15:29:26 -07:00
Rodrigo Menezes a31c0186da add comment 2018-07-10 10:27:13 -07:00
Rodrigo Menezes b296e6fcbf Fix the issue described in #5412 where the authenticator is no longer able to read the K8s CAs. 2018-07-09 23:57:58 -07:00
Rodrigo Menezes f5e3d434fb fix cert location 2018-07-09 15:04:13 -07:00
Rodrigo Menezes 414b3a780b Rename hept.io authenticator to aws authenticator 2018-07-08 10:10:19 -07:00
Rob Graham ae327e1e8c wrestling with the api stuff 2018-07-02 15:16:37 +01:00
Rob Graham cc589ae538 Reworked to use loadbalancer only if config is specified 2018-07-02 12:02:50 +01:00
Rob Graham 64974fdd5b GH-4252 Only manage internal DNS zone if configuration has been specified 2018-06-22 15:05:47 +01:00