Skip to content
  1. Nov 29, 2017
    • Steven Hardy's avatar
      Allow setting --bind-address for apiserver hyperkube (#1985) · d39a88d6
      Steven Hardy authored
      * Allow setting --bind-address for apiserver hyperkube
      
      This is required if you wish to configure a loadbalancer (e.g haproxy)
      running on the master nodes without choosing a different port for the
      vip from that used by the API - in this case you need the API to bind to
      a specific interface, then haproxy can bind the same port on the VIP:
      
      root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
      tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
      tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
      tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
      tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube
      
      This can be achieved e.g via:
      
      kube_apiserver_bind_address: 192.168.24.16
      
      * Address code review feedback
      
      * Update kube-apiserver.manifest.j2
      d39a88d6
  2. Nov 23, 2017
  3. Nov 14, 2017
  4. Nov 07, 2017
    • Chad Swenson's avatar
      Support for disabling apiserver insecure port · 0c7e1889
      Chad Swenson authored
      This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:
      
      1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
      2. Add apiserver client cert/key to the "Wait for apiserver up" checks
      3. Update apiserver liveness probe to use HTTPS ports
      4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
      5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.
      
      Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.
      
      Options:
      
      1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
      2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
      3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)
      
      Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
      0c7e1889
  5. Oct 31, 2017
  6. Oct 27, 2017
  7. Oct 26, 2017
  8. Oct 18, 2017
  9. Oct 15, 2017
  10. Oct 13, 2017
  11. Oct 05, 2017
  12. Oct 04, 2017
  13. Oct 03, 2017
  14. Oct 01, 2017
  15. Sep 26, 2017
    • Matthew Mosesohn's avatar
      Upgrade to kubeadm (#1667) · bd272e0b
      Matthew Mosesohn authored
      * Enable upgrade to kubeadm
      
      * fix kubedns upgrade
      
      * try upgrade route
      
      * use init/upgrade strategy for kubeadm and ignore kubedns svc
      
      * Use bin_dir for kubeadm
      
      * delete more secrets
      
      * fix waiting for terminating pods
      
      * Manually enforce kube-proxy for kubeadm deploy
      
      * remove proxy. update to kubeadm 1.8.0rc1
      bd272e0b
  16. Sep 16, 2017
  17. Sep 13, 2017
    • Matthew Mosesohn's avatar
      kubeadm support (#1631) · 67447260
      Matthew Mosesohn authored
      * kubeadm support
      
      * move k8s master to a subtask
      * disable k8s secrets when using kubeadm
      * fix etcd cert serial var
      * move simple auth users to master role
      * make a kubeadm-specific env file for kubelet
      * add non-ha CI job
      
      * change ci boolean vars to json format
      
      * fixup
      
      * Update create-gce.yml
      
      * Update create-gce.yml
      
      * Update create-gce.yml
      67447260
  18. Sep 01, 2017
  19. Aug 31, 2017
  20. Aug 25, 2017
  21. Jul 17, 2017
  22. Jun 16, 2017
  23. Jun 12, 2017
  24. May 31, 2017
  25. May 27, 2017
  26. Apr 20, 2017
  27. Apr 19, 2017
  28. Apr 17, 2017
  29. Apr 15, 2017
  30. Apr 06, 2017
  31. Apr 05, 2017
  32. Apr 04, 2017
  33. Mar 23, 2017
    • Vladimir Rutsky's avatar
      replace non-breakable space with regular space · c4e57477
      Vladimir Rutsky authored
      Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8.
      
      To find one:
      
          $ git grep -I -P '\xc2\xa0'
      
      To replace with regular space:
      
          $ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'
      
      This commit doesn't include changes that will overlap with commit f1c59a91.
      c4e57477
  34. Mar 17, 2017
    • Aleksandr Didenko's avatar
      Move calico-policy-controller into separate role · 3a399040
      Aleksandr Didenko authored
      By default Calico CNI does not create any network access policies
      or profiles if 'policy' is enabled in CNI config. And without any
      policies/profiles network access to/from PODs is blocked.
      
      K8s related policies are created by calico-policy-controller in
      such case. So we need to start it as soon as possible, before any
      real workloads.
      
      This patch also fixes kube-api port in calico-policy-controller
      yaml template.
      
      Closes #1132
      3a399040
  35. Mar 14, 2017
    • Vincent Schwarzer's avatar
      Granular authentication Control · 026da060
      Vincent Schwarzer authored
      It is now possible to deactivate selected authentication methods
      (basic auth, token auth) inside the cluster by adding
      removing the required arguments to the Kube API Server and generating
      the secrets accordingly.
      
      The x509 authentification is currently not optional because disabling it
      would affect the kubectl clients deployed on the master nodes.
      026da060
Loading