Raj Perera
eb91eab39a
Extract kubectl commands to resource yaml files and use kube module
2017-06-19 11:00:26 -04:00
Raj Perera
e663c6b61a
Address PR feedback.
...
* Consolidate variable definitions to `kargo-defaults`.
* Set `AlwaysAllow` as the default authorization mode.
* Ability to set multiple authorization modes.
* Various style fixes and typos
2017-06-19 10:24:56 -04:00
Raj Perera
9924a33d6f
Replace static references to system namespace
2017-06-16 11:21:59 -04:00
Raj Perera
992a974b1e
Merge branch 'rbac-kp' into rbac-script-cert
...
# Conflicts:
# roles/kubernetes-apps/ansible/tasks/main.yml
# roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml
# roles/kubernetes-apps/ansible/templates/kubedns-sa.yml
# roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
# roles/kubernetes/secrets/files/make-ssl.sh
2017-06-16 11:11:12 -04:00
Raj Perera
0dc38ff9b3
Basic RBAC functionality. (Based from work done by @jwfang ( #1351 ))
...
* Add a flag "authorization_method", when set to "RBAC" enables role based access control.
* Add required cluster roles and bindings for kube-dns
* Patch tiller deployment to use a service account with proper credentials.
* Add a flag to regenerate kubernetes certs on the nodes.
2017-06-16 10:28:23 -04:00
jwfang
765a5ce1ab
node identified as system:node:<node-name>
2017-06-16 17:15:37 +08:00
jwfang
0ee229488e
certs for system:kube-controller-manager system:kube-scheduler
2017-06-16 14:21:21 +08:00
jwfang
8b58394d8c
seperate kube-proxy certs for each node
2017-06-15 19:20:58 +08:00
jwfang
f3a4c31e66
add kube-node to system:nodes group, add system:kube-proxy cert for kube-proxy
2017-06-15 18:15:52 +08:00
Brad Beam
b73786c6d5
Merge pull request #1335 from bradbeam/imagerepo
...
Set default value for kube_hyperkube_image_repo
2017-06-12 09:46:17 -05:00
Brad Beam
db3e8edacd
Fixing up vault variables
2017-06-08 16:15:33 -05:00
Brad Beam
6e41634295
Set default value for kube_hyperkube_image_repo
...
Fixes #1334
2017-06-08 12:22:16 -05:00
Brad Beam
696fd690ae
Merge pull request #1092 from bradbeam/rkt_docker
...
Adding flag for docker container in kubelet w/ rkt
2017-06-06 12:58:40 -05:00
Spencer Smith
01c0ab4f06
check if cloud_provider is defined
2017-05-31 08:24:24 -04:00
Spencer Smith
7e2aafcc76
add direct path for cert in AWS with RHEL family
2017-05-26 17:32:50 -04:00
Matthew Mosesohn
9e64267867
Merge pull request #1293 from mattymo/kubelet_host_mode
...
Add host-based kubelet deployment
2017-05-19 18:07:39 +03:00
Matthew Mosesohn
cc6e3d14ce
Add host-based kubelet deployment
...
Kubelet gets copied from hyperkube container and run locally.
2017-05-19 16:54:07 +03:00
Brad Beam
b999ee60aa
Fixing typo in kubelet cluster-dns and cluster-domain flags
2017-05-16 15:43:29 -05:00
Spencer Smith
c572760a66
Merge pull request #1254 from iJanki/cert_group
...
Adding /O=system:masters to admin certificate
2017-05-05 10:58:42 -04:00
Spencer Smith
0afbc19ffb
ensure the /etc/os-release is mounted read only
2017-05-01 14:51:40 -04:00
Spencer Smith
ac9290f985
add for rkt as well
2017-04-28 17:45:10 -04:00
Spencer Smith
5657738f7e
mount os-release to ensure the node's OS is what's seen in k8s api
2017-04-28 13:40:54 -04:00
Sergii Golovatiuk
674b71b535
Ansible 2.3 support
...
- Fix when clauses in various places
- Update requirements.txt
- Fix README.md
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-26 15:22:10 +02:00
Spencer Smith
88b5065e7d
fix stray 'in' and break into multiple lines for clarity
2017-04-20 09:53:01 -04:00
Spencer Smith
b690008192
allow for correct aws default resolver
2017-04-20 09:32:03 -04:00
Matthew Mosesohn
2d6bc9536c
Merge pull request #1246 from holser/disable_dns_for_kube_services
...
Change DNS policy for kubernetes components
2017-04-20 16:12:52 +03:00
Sergii Golovatiuk
01dc6b2f0e
Add aws to default_resolver
...
When VPC is used, external DNS might not be available. This patch change
behavior to use metadata service instead of external DNS when
upstream_dns_servers is not specified.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:47:19 +02:00
Sergii Golovatiuk
d8aa2d0a9e
Change DNS policy for kubernetes components
...
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:22:57 +02:00
Matthew Mosesohn
19bb97d24d
Merge pull request #1238 from Starefossen/fix/namespace-template-file
...
Move namespace file to template directory
2017-04-20 12:19:55 +03:00
Matthew Mosesohn
9f4f168804
Merge pull request #1241 from bradbeam/rktcnidir
...
Explicitly create cni bin dir
2017-04-20 12:19:26 +03:00
Sergii Golovatiuk
e796cdbb27
Fix restart kube-controller ( #1242 )
...
kubernetesUnitPrefix was changed to k8s_* in 1.5. This patch reflects
this change in kargo
2017-04-20 11:26:01 +03:00
Brad Beam
b60a897265
Explicitly create cni bin dir
...
If this path doesnt exist, it will cause kubelet to fail to start when
using rkt
2017-04-19 16:00:44 +00:00
Hans Kristian Flaatten
d68cfeed6e
Move namespace file to template directory
2017-04-19 13:37:02 +02:00
Spencer Smith
c3c9e955e5
Merge pull request #1232 from rsmitty/custom-flags
...
add ability for custom flags
2017-04-17 14:01:32 -04:00
Spencer Smith
72d5db92a8
remove stray spaces in templating
2017-04-17 12:24:24 -04:00
Spencer Smith
3f302c8d47
ensure spacing on string of flags
2017-04-17 12:13:39 -04:00
Spencer Smith
04a769bb37
ensure spacing on string of flags
2017-04-17 11:11:10 -04:00
Spencer Smith
f9d4a1c1d8
update to safeguard against accidentally passing string instead of list
2017-04-17 11:09:34 -04:00
Matthew Mosesohn
3e7db46195
Merge pull request #1233 from gbolo/master
...
allow admission control plug-ins to be easily customized
2017-04-17 12:59:49 +03:00
gbolo
49be805001
allow admission control plug-ins to be easily customized
2017-04-16 22:03:45 -04:00
Spencer Smith
94596388f7
add ability for custom flags
2017-04-14 17:33:04 -04:00
Matthew Mosesohn
ae7f59e249
Skip vault cert task evaluation completely when using script cert generation
2017-04-13 19:29:07 +03:00
Matthew Mosesohn
1c45d37348
Update kubelet.j2
2017-04-06 22:59:18 +03:00
Matthew Mosesohn
b521255ec9
Unbreak 1.5 deployment with kubelet
...
1.5 kubelet fails to start when using unknown params
2017-04-06 21:07:48 +03:00
Matthew Mosesohn
75ea001bfe
Merge pull request #1208 from mattymo/1.6-flannel
...
Update to k8s 1.6 with flannel and centos fixes
2017-04-06 13:04:02 +03:00
Matthew Mosesohn
ff2fb9196f
Fix flannel for 1.6 and apply fixes to enable containerized kubelet
2017-04-06 10:06:21 +04:00
Matthew Mosesohn
acae0fe4a3
Merge pull request #1205 from holser/resolv_updates
...
Refactoring resolv.conf
2017-04-05 14:22:52 +03:00
Sergii Golovatiuk
2670eefcd4
Refactoring resolv.conf
...
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-05 09:28:01 +02:00
Matthew Mosesohn
c0cae9e8a0
Merge pull request #1204 from mattymo/resolvconf-nodes
...
Restart kubelet when updating /etc/resolv.conf on all k8s nodes
2017-04-04 22:03:44 +03:00
Matthew Mosesohn
f8cf6b4f7c
Merge pull request #1186 from holser/resolv_conf
...
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
2017-04-04 20:49:55 +03:00