- Nov 29, 2017
-
-
Steven Hardy authored
* Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
-
- Nov 23, 2017
-
-
Bob Killen authored
-
- Nov 14, 2017
-
-
Matthew Mosesohn authored
-
- Nov 07, 2017
-
-
Chad Swenson authored
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to: 1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS) 2. Add apiserver client cert/key to the "Wait for apiserver up" checks 3. Update apiserver liveness probe to use HTTPS ports 4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately) 5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well. Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check. Options: 1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not. 2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port) 3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest) Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
-
- Oct 31, 2017
-
-
Spencer Smith authored
-
- Oct 27, 2017
-
-
Matthew Mosesohn authored
-
- Oct 26, 2017
-
-
Matthew Mosesohn authored
It is now enabled by default in 1.8 with the api changed to networking.k8s.io/v1 instead of extensions/v1beta1.
-
Matthew Mosesohn authored
This should be done after kubeconfig is set for admin and before network plugins are up.
-
- Oct 18, 2017
-
-
Jan Jungnickel authored
Fixes #1129
-
- Oct 15, 2017
-
-
Matthew Mosesohn authored
* Disable basic and token auth by default * Add recommended security params * allow basic auth to fail in tests * Enable TLS authentication for kubelet
-
- Oct 13, 2017
-
-
Matthew Mosesohn authored
* add istio addon * add addons to a ci job
-
- Oct 05, 2017
-
-
Matthew Mosesohn authored
* Upgrade to kubernetes v1.8.0 hyperkube no longer contains rsync, so now use cp * Enable node authorization mode * change kube-proxy cert group name
-
- Oct 04, 2017
-
-
Matthew Mosesohn authored
These facts can be generated in defaults with a performance boost. Also cleaned up duplicate etcd var names.
-
- Oct 03, 2017
-
-
Matthew Mosesohn authored
-
- Oct 01, 2017
-
-
Julian Poschmann authored
-
- Sep 26, 2017
-
-
Matthew Mosesohn authored
* Enable upgrade to kubeadm * fix kubedns upgrade * try upgrade route * use init/upgrade strategy for kubeadm and ignore kubedns svc * Use bin_dir for kubeadm * delete more secrets * fix waiting for terminating pods * Manually enforce kube-proxy for kubeadm deploy * remove proxy. update to kubeadm 1.8.0rc1
-
- Sep 16, 2017
-
-
Matthew Mosesohn authored
* Enable HA deploy of kubeadm * raise delay to 60s for starting gce hosts
-
- Sep 13, 2017
-
-
Matthew Mosesohn authored
* kubeadm support * move k8s master to a subtask * disable k8s secrets when using kubeadm * fix etcd cert serial var * move simple auth users to master role * make a kubeadm-specific env file for kubelet * add non-ha CI job * change ci boolean vars to json format * fixup * Update create-gce.yml * Update create-gce.yml * Update create-gce.yml
-
- Sep 01, 2017
-
-
Brad Beam authored
-
- Aug 31, 2017
-
-
Brad Beam authored
-
- Aug 25, 2017
-
-
Chad Swenson authored
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI * Removes old Flannel installation * Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host * Uses RBAC if enabled * Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
-
Hassan Zamani authored
-
- Jul 17, 2017
-
-
jwfang authored
-
- Jun 16, 2017
-
-
Spencer Smith authored
-
- Jun 12, 2017
-
-
Gregory Storme authored
-
- May 31, 2017
-
-
Spencer Smith authored
-
- May 27, 2017
-
-
Spencer Smith authored
-
- Apr 20, 2017
-
-
Sergii Golovatiuk authored
According to code apiserver, scheduler, controller-manager, proxy don't use resolution of objects they created. It's not harmful to change policy to have external resolver. Signed-off-by:
Sergii Golovatiuk <sgolovatiuk@mirantis.com>
-
- Apr 19, 2017
-
-
Hans Kristian Flaatten authored
-
- Apr 17, 2017
-
-
Spencer Smith authored
-
Spencer Smith authored
-
Spencer Smith authored
-
gbolo authored
-
- Apr 15, 2017
-
-
Spencer Smith authored
-
- Apr 06, 2017
-
-
Matthew Mosesohn authored
-
- Apr 05, 2017
-
-
Sergii Golovatiuk authored
- Renaming templates for netchecker - Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy Signed-off-by:
Sergii Golovatiuk <sgolovatiuk@mirantis.com>
-
- Apr 04, 2017
-
-
Sergii Golovatiuk authored
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In accordance to it kubelet will generate resolv.conf based on own resolv.conf. However, this doesn't create 'options', thus the proper solution requires some investigation. This patch sets the same resolv.conf for kubelet as host Signed-off-by:
Sergii Golovatiuk <sgolovatiuk@mirantis.com>
-
- Mar 23, 2017
-
-
Vladimir Rutsky authored
Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8. To find one: $ git grep -I -P '\xc2\xa0' To replace with regular space: $ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g' This commit doesn't include changes that will overlap with commit f1c59a91.
-
- Mar 17, 2017
-
-
Aleksandr Didenko authored
By default Calico CNI does not create any network access policies or profiles if 'policy' is enabled in CNI config. And without any policies/profiles network access to/from PODs is blocked. K8s related policies are created by calico-policy-controller in such case. So we need to start it as soon as possible, before any real workloads. This patch also fixes kube-api port in calico-policy-controller yaml template. Closes #1132
-
- Mar 14, 2017
-
-
Vincent Schwarzer authored
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
-