Commit graph

508 commits

Author SHA1 Message Date
jwfang
5c56085e03 replace insecure port with secure port for apiserver_endpoint on kube-masters 2017-06-26 16:43:27 +08:00
Raj Perera
5a86194038 Replace static references to system namespace 2017-06-26 16:42:47 +08:00
Raj Perera
c8a2fe321b Basic RBAC functionality. (Based from work done by @jwfang (#1351))
* Add a flag "authorization_method", when set to "RBAC" enables role based access control.
* Add required cluster roles and bindings for kube-dns
* Patch tiller deployment to use a service account with proper credentials.
* Add a flag to regenerate kubernetes certs on the nodes.
2017-06-26 16:42:47 +08:00
jwfang
4a1a7bd078 node identified as system:node:<node-name> 2017-06-26 16:35:24 +08:00
jwfang
4fa142be0b certs for system:kube-controller-manager system:kube-scheduler 2017-06-26 16:35:24 +08:00
jwfang
8ed48f052c seperate kube-proxy certs for each node 2017-06-26 16:35:24 +08:00
jwfang
27e3998cb6 add kube-node to system:nodes group, add system:kube-proxy cert for kube-proxy 2017-06-26 16:35:24 +08:00
Brad Beam
2b9e2d7179 Merge pull request #1335 from bradbeam/imagerepo
Set default value for kube_hyperkube_image_repo
2017-06-12 09:46:17 -05:00
Brad Beam
bccbb172c6 Fixing up vault variables 2017-06-08 16:15:33 -05:00
Brad Beam
80017dac22 Set default value for kube_hyperkube_image_repo
Fixes #1334
2017-06-08 12:22:16 -05:00
Brad Beam
4d9ee730ac Merge pull request #1092 from bradbeam/rkt_docker
Adding flag for docker container in kubelet w/ rkt
2017-06-06 12:58:40 -05:00
Spencer Smith
4b955f8e9a check if cloud_provider is defined 2017-05-31 08:24:24 -04:00
Spencer Smith
4c99902a69 add direct path for cert in AWS with RHEL family 2017-05-26 17:32:50 -04:00
Matthew Mosesohn
0e1fddb11c Merge pull request #1293 from mattymo/kubelet_host_mode
Add host-based kubelet deployment
2017-05-19 18:07:39 +03:00
Matthew Mosesohn
3bb8fb6b3e Add host-based kubelet deployment
Kubelet gets copied from hyperkube container and run locally.
2017-05-19 16:54:07 +03:00
Brad Beam
db0ff8762c Fixing typo in kubelet cluster-dns and cluster-domain flags 2017-05-16 15:43:29 -05:00
Spencer Smith
82e1684aaf Merge pull request #1254 from iJanki/cert_group
Adding /O=system:masters to admin certificate
2017-05-05 10:58:42 -04:00
Spencer Smith
755c20f2f9 ensure the /etc/os-release is mounted read only 2017-05-01 14:51:40 -04:00
Spencer Smith
f608e9e4f8 add for rkt as well 2017-04-28 17:45:10 -04:00
Spencer Smith
fe7c2709f9 mount os-release to ensure the node's OS is what's seen in k8s api 2017-04-28 13:40:54 -04:00
Sergii Golovatiuk
085aeb6a0a Ansible 2.3 support
- Fix when clauses in various places
- Update requirements.txt
- Fix README.md

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-26 15:22:10 +02:00
Spencer Smith
04818b9d94 fix stray 'in' and break into multiple lines for clarity 2017-04-20 09:53:01 -04:00
Spencer Smith
21b10784f4 allow for correct aws default resolver 2017-04-20 09:32:03 -04:00
Matthew Mosesohn
cb52d78845 Merge pull request #1246 from holser/disable_dns_for_kube_services
Change DNS policy for kubernetes components
2017-04-20 16:12:52 +03:00
Sergii Golovatiuk
f061ce63b3 Add aws to default_resolver
When VPC is used, external DNS might not be available. This patch change
behavior to use metadata service instead of external DNS when
upstream_dns_servers is not specified.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:47:19 +02:00
Sergii Golovatiuk
0a687a22ff Change DNS policy for kubernetes components
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:22:57 +02:00
Matthew Mosesohn
fc5ca5090e Merge pull request #1238 from Starefossen/fix/namespace-template-file
Move namespace file to template directory
2017-04-20 12:19:55 +03:00
Matthew Mosesohn
8d5d973a64 Merge pull request #1241 from bradbeam/rktcnidir
Explicitly create cni bin dir
2017-04-20 12:19:26 +03:00
Sergii Golovatiuk
1268c9b642 Fix restart kube-controller (#1242)
kubernetesUnitPrefix was changed to k8s_* in 1.5. This patch reflects
this change in kargo
2017-04-20 11:26:01 +03:00
Brad Beam
0dc4967e43 Explicitly create cni bin dir
If this path doesnt exist, it will cause kubelet to fail to start when
using rkt
2017-04-19 16:00:44 +00:00
Hans Kristian Flaatten
12bbb243b2 Move namespace file to template directory 2017-04-19 13:37:02 +02:00
Spencer Smith
e76ed88ea2 Merge pull request #1232 from rsmitty/custom-flags
add ability for custom flags
2017-04-17 14:01:32 -04:00
Spencer Smith
1d848dc211 remove stray spaces in templating 2017-04-17 12:24:24 -04:00
Spencer Smith
daa728e3cf ensure spacing on string of flags 2017-04-17 12:13:39 -04:00
Spencer Smith
0fb9469249 ensure spacing on string of flags 2017-04-17 11:11:10 -04:00
Spencer Smith
c1192b1154 update to safeguard against accidentally passing string instead of list 2017-04-17 11:09:34 -04:00
Matthew Mosesohn
f500f32771 Merge pull request #1233 from gbolo/master
allow admission control plug-ins to be easily customized
2017-04-17 12:59:49 +03:00
gbolo
c05d141128 allow admission control plug-ins to be easily customized 2017-04-16 22:03:45 -04:00
Spencer Smith
7656ae2887 add ability for custom flags 2017-04-14 17:33:04 -04:00
Matthew Mosesohn
74c43c290a Skip vault cert task evaluation completely when using script cert generation 2017-04-13 19:29:07 +03:00
Matthew Mosesohn
72749b8e73 Update kubelet.j2 2017-04-06 22:59:18 +03:00
Matthew Mosesohn
d74770147e Unbreak 1.5 deployment with kubelet
1.5 kubelet fails to start when using unknown params
2017-04-06 21:07:48 +03:00
Matthew Mosesohn
06c8399c6e Merge pull request #1208 from mattymo/1.6-flannel
Update to k8s 1.6 with flannel and centos fixes
2017-04-06 13:04:02 +03:00
Matthew Mosesohn
655721268d Fix flannel for 1.6 and apply fixes to enable containerized kubelet 2017-04-06 10:06:21 +04:00
Matthew Mosesohn
b50839bb9f Merge pull request #1205 from holser/resolv_updates
Refactoring resolv.conf
2017-04-05 14:22:52 +03:00
Sergii Golovatiuk
16dd412d89 Refactoring resolv.conf
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-05 09:28:01 +02:00
Matthew Mosesohn
b9461abeec Merge pull request #1204 from mattymo/resolvconf-nodes
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
2017-04-04 22:03:44 +03:00
Matthew Mosesohn
91be2aa8bb Merge pull request #1186 from holser/resolv_conf
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
2017-04-04 20:49:55 +03:00
Matthew Mosesohn
927a95fb65 Restart kubelet when updating /etc/resolv.conf on all k8s nodes 2017-04-04 20:43:47 +03:00
Sergii Golovatiuk
829b0948a3 Set ClusterFirstWithHostNet for Pods with hostnetwork: true
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In
accordance to it kubelet will generate resolv.conf based on own
resolv.conf. However, this doesn't create 'options', thus the proper
solution requires some investigation.

This patch sets the same resolv.conf for kubelet as host

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-04 16:34:13 +02:00