diff --git a/clusters/aws/kops/clusters/dev-example/values.yaml b/clusters/aws/kops/clusters/dev-example/values.yaml
index a1b1079b9..fd82f8961 100644
--- a/clusters/aws/kops/clusters/dev-example/values.yaml
+++ b/clusters/aws/kops/clusters/dev-example/values.yaml
@@ -1,6 +1,6 @@
 kopsName: dev-example.us-east-1
 s3BucketName: kubernetes-ops-1234-kops-state-store
-kubernetesVersion: 1.11.7
+kubernetesVersion: 1.13.10
 dnsZone: k8s.local
 awsRegion: us-east-1
 vpc: vpc-id-from-the-terraform-output
@@ -50,17 +50,9 @@ kubernetesApiAccess:
 iam:
 allowContainerRegistry: true
-# etcd
-etcd:
- version: 3.2.18
-
 networkCIDR: 10.10.0.0/16
 networkPortion: "10.10"
-docker:
- overrides: false
- bridgeIP: 172.26.0.1/16
-
 enableBastionGroup1: true
 enableThreatstackMasterGroup1: false
diff --git a/clusters/aws/kops/clusters/dev/values.yaml b/clusters/aws/kops/clusters/dev/values.yaml
index f996d0e2f..7b2fc7513 100644
--- a/clusters/aws/kops/clusters/dev/values.yaml
+++ b/clusters/aws/kops/clusters/dev/values.yaml
@@ -1,6 +1,6 @@
 kopsName: dev.us-east-1
 s3BucketName: kubernetes-ops-1234-kops-state-store
-kubernetesVersion: 1.11.7
+kubernetesVersion: 1.13.10
 dnsZone: k8s.local
 awsRegion: us-east-1
 vpc: vpc-id-from-the-terraform-output
@@ -50,17 +50,9 @@ kubernetesApiAccess:
 iam:
 allowContainerRegistry: true
-# etcd
-etcd:
- version: 3.2.18
-
 networkCIDR: 10.10.0.0/16
 networkPortion: "10.10"
-docker:
- overrides: false
- bridgeIP: 172.26.0.1/16
-
 enableBastionGroup1: true
 enableThreatstackMasterGroup1: false
diff --git a/clusters/aws/kops/clusters/prod/values.yaml b/clusters/aws/kops/clusters/prod/values.yaml
index 05f188c6a..7b5abd209 100644
--- a/clusters/aws/kops/clusters/prod/values.yaml
+++ b/clusters/aws/kops/clusters/prod/values.yaml
@@ -1,6 +1,6 @@
 kopsName: prod.us-east-1
 s3BucketName: kubernetes-ops-1234-kops-state-store
-kubernetesVersion: 1.11.7
+kubernetesVersion: 1.13.10
 dnsZone: k8s.local
 awsRegion: us-east-1
 vpc: vpc-id-from-the-terraform-output
@@ -50,17 +50,9 @@ kubernetesApiAccess:
 iam:
 allowContainerRegistry: true
-# etcd
-etcd:
- version: 3.2.18
-
 networkCIDR: 10.13.0.0/16
 networkPortion: "10.13"
-docker:
- overrides: false
- bridgeIP: 172.26.0.1/16
-
 enableBastionGroup1: true
 enableThreatstackMasterGroup1: false
diff --git a/clusters/aws/kops/clusters/qa/values.yaml b/clusters/aws/kops/clusters/qa/values.yaml
index bb3560d40..5d014e034 100644
--- a/clusters/aws/kops/clusters/qa/values.yaml
+++ b/clusters/aws/kops/clusters/qa/values.yaml
@@ -1,6 +1,6 @@
 kopsName: qa.us-east-1
 s3BucketName: kubernetes-ops-1234-kops-state-store
-kubernetesVersion: 1.11.7
+kubernetesVersion: 1.13.10
 dnsZone: k8s.local
 awsRegion: us-east-1
 vpc: vpc-id-from-the-terraform-output
@@ -50,17 +50,9 @@ kubernetesApiAccess:
 iam:
 allowContainerRegistry: true
-# etcd
-etcd:
- version: 3.2.18
-
 networkCIDR: 10.11.0.0/16
 networkPortion: "10.11"
-docker:
- overrides: false
- bridgeIP: 172.26.0.1/16
-
 enableBastionGroup1: true
 enableThreatstackMasterGroup1: false
diff --git a/clusters/aws/kops/clusters/staging/values.yaml b/clusters/aws/kops/clusters/staging/values.yaml
index 10996769f..879a7b504 100644
--- a/clusters/aws/kops/clusters/staging/values.yaml
+++ b/clusters/aws/kops/clusters/staging/values.yaml
@@ -1,6 +1,6 @@
 kopsName: staging.us-east-1
 s3BucketName: kubernetes-ops-1234-kops-state-store
-kubernetesVersion: 1.11.7
+kubernetesVersion: 1.13.10
 dnsZone: k8s.local
 awsRegion: us-east-1
 vpc: vpc-id-from-the-terraform-output
@@ -50,17 +50,9 @@ kubernetesApiAccess:
 iam:
 allowContainerRegistry: true
-# etcd
-etcd:
- version: 3.2.18
-
 networkCIDR: 10.12.0.0/16
 networkPortion: "10.12"
-docker:
- overrides: false
- bridgeIP: 172.26.0.1/16
-
 enableBastionGroup1: true
 enableThreatstackMasterGroup1: false
diff --git a/clusters/aws/kops/clusters/values.yaml b/clusters/aws/kops/clusters/values.yaml
new file mode 100644
index 000000000..be13a1293
--- /dev/null
+++ b/clusters/aws/kops/clusters/values.yaml
@@ -0,0 +1,8 @@
+---
+# etcd
+etcd:
+ version: 3.3.10
+
+docker:
+ overrides: false
+ bridgeIP: 172.26.0.1/16
diff --git a/clusters/aws/kops/kops.sh b/clusters/aws/kops/kops.sh
index 6f002f6b8..fca7ddd96 100755
--- a/clusters/aws/kops/kops.sh
+++ b/clusters/aws/kops/kops.sh
@@ -7,7 +7,7 @@
 ##########################################
 TIME_NOW=$(date +"%x %r %Z")
-KOPS_VERSION="1.11."
+KOPS_VERSION="1.13."
 ##########################################
 ##### Functions
@@ -34,11 +34,12 @@ check_kops_version()
 create()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_COMMONS="./clusters/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
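Review bot: The new `VALUES_FILE_PATH_COMMONS` in create() is never checked for existence, while the environment file still is, so a missing `./clusters/values.yaml` surfaces later as a `kops toolbox template` error rather than the script's own message; template() and update() have the same gap. A guard mirroring the existing one, `if [ ! -f "${VALUES_FILE_PATH_COMMONS}" ]; then echo "File does not exist: ${VALUES_FILE_PATH_COMMONS}"; exit 1; fi`, placed next to the environment-file check in each of those functions keeps the failure mode consistent. Since the existing test is being rewritten anyway, quoting the path as `[ ! -f "${VALUES_FILE_PATH_ENVIRONMENT}" ]` avoids word-splitting if `kops_name` ever contains whitespace. create() continues past the end of this hunk.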
@@ -47,21 +48,21 @@ create()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
 if [ "${dry_run}" == "false" ]; then
 echo "[INFO] Not a dry run"
 echo "[INFO] Templating out"
- kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH} > ./kops-templated-${kops_name}.yaml
+ kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml
 cat kops-templated-${kops_name}.yaml
 echo "[INFO] Creating the cluster"
 kops create -f ./kops-templated-${kops_name}.yaml
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 yes y | ssh-keygen -t rsa -b 4096 -C "kops@kops.com" -f ./ssh-keys/id_rsa_kops_script -q -N "" >/dev/null
@@ -79,7 +80,7 @@ create()
 else
 echo "[INFO] Dry run"
- kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH}
+ kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT}
 fi
 echo "Finished"
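Review bot: The two `--values` flags on the templating lines are passed commons first and environment second, but neither the script nor the values files record which file wins when both define the same key (`etcd.version` or `docker.overrides`, which the per-environment files no longer set but could regain); kops's merge order for a repeated `--values` is not visible in this hunk, so it should be verified and written down. A comment above the first template call, `# commons values first; per-environment values are expected to override on conflict (verify: kops toolbox template merges --values in order)`, keeps that intent next to the command. The same pair of flags recurs in the dry-run branch of this hunk and in template() and update(). create() starts before this hunk.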
@@ -89,11 +90,11 @@ create()
 read()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -102,12 +103,12 @@ read()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Get clusters"
 kops --name ${cluster_name} get cluster
@@ -119,11 +120,12 @@ read()
 template()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_COMMONS="./clusters/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -132,12 +134,12 @@ template()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
 echo "[INFO] Dry run"
- kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH}
+ kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT}
 echo "Finished"
 }
@@ -148,11 +150,12 @@ update()
 # echo "[INFO] Updating cluster named: ${cluster_name}"
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_COMMONS="./clusters/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -161,18 +164,18 @@ update()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
 if [ "${dry_run}" == "false" ]; then
 echo "[INFO] Not a dry run"
 echo "[INFO] Templating out"
- kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH} > ./kops-templated-${kops_name}.yaml
+ kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml
 cat kops-templated-${kops_name}.yaml
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Updating cluster named: ${cluster_name}"
 echo "[INFO] Updating the cluster"
@@ -189,11 +192,11 @@ update()
 else
 echo "[INFO] Dry run"
 echo "[INFO] Templating out"
- kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH} > ./kops-templated-${kops_name}.yaml
+ kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml
 cat kops-templated-${kops_name}.yaml
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Updating cluster named: ${cluster_name}"
 echo "[INFO] Updating the cluster"
@@ -214,11 +217,11 @@ update()
 rolling_update()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -227,7 +230,7 @@ rolling_update()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
@@ -240,8 +243,8 @@ rolling_update()
 if [ "${dry_run}" == "false" ]; then
 echo "[INFO] Not a dry run"
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Rolling cluster named: ${cluster_name}"
 kops --name ${cluster_name} rolling-update cluster --yes ${USE_CLOUD_ONLY_FLAG}
@@ -252,8 +255,8 @@ rolling_update()
 else
 echo "[INFO] Dry run"
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Rolling cluster named: ${cluster_name}"
 kops --name ${cluster_name} rolling-update cluster ${USE_CLOUD_ONLY_FLAG}
@@ -268,11 +271,11 @@ rolling_update()
 delete()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -281,12 +284,12 @@ delete()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone}
 echo "[INFO] Deleting cluster named: ${cluster_name}"
 if [ "${dry_run}" == "false" ]; then
@@ -303,11 +306,11 @@ delete()
 get_bastion()
 {
 # Checks
- VALUES_FILE_PATH="./clusters/${kops_name}/values.yaml"
+ VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml"
 TEMPLATE_FILE_PATH="./template/cluster.yml"
- if [ ! -f ${VALUES_FILE_PATH} ]; then
- echo "File does not exist: ${VALUES_FILE_PATH}"
+ if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then
+ echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}"
 exit 1
 fi
@@ -316,14 +319,14 @@ get_bastion()
 exit 1
 fi
- kops_state_store=s3://$(cat ${VALUES_FILE_PATH} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
+ kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]')
 export KOPS_STATE_STORE=${kops_state_store}
 echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}"
- dns_zone=$(cat ${VALUES_FILE_PATH} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
- cluster_name=$(cat ${VALUES_FILE_PATH} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]')
- region=$(cat ${VALUES_FILE_PATH} | grep "awsRegion: " | awk '{print $2}' | tr -d '[:space:]')
- network_cidr=$(cat ${VALUES_FILE_PATH} | grep "networkCIDR: " | awk '{print $2}' | tr -d '[:space:]')
+ dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]')
+ cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]')
+ region=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "awsRegion: " | awk '{print $2}' | tr -d '[:space:]')
+ network_cidr=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "networkCIDR: " | awk '{print $2}' | tr -d '[:space:]')
 echo "[INFO] Getting bastion host for cluster named: ${cluster_name}"
diff --git a/clusters/aws/kops/template/cluster.yml b/clusters/aws/kops/template/cluster.yml
index c558bf5c1..55a0fc033 100644
--- a/clusters/aws/kops/template/cluster.yml
+++ b/clusters/aws/kops/template/cluster.yml
@@ -1,5 +1,5 @@
 #
-# using kops cli 1.11.1
+# using kops cli 1.13.0
 #
 {{- $awsRegion := .awsRegion }}
 {{- $networkPortion := .networkPortion }}
@@ -13,6 +13,21 @@ kind: Cluster
 metadata:
 name: {{ .kopsName }}.{{ .dnsZone }}
 spec:
+ hooks:
+ # Adding here since the kubeAPIServer.DisableBasicAuth is not working in this kops version yet
+ - before:
+ - kubelet.service
+ manifest: |
+ Type=oneshot
+ ExecStart=/usr/bin/sed -i 's/\-\-basic-auth-file=\/srv\/kubernetes\/basic_auth.csv//' /etc/kubernetes/manifests/kube-apiserver.manifest
+ name: remove_basic_auth
+ # Adding here since the kubeAPIServer.DisableBasicAuth is not working in this kops version yet
+ - before:
+ - kubelet.service
+ manifest: |
+ Type=oneshot
+ ExecStart=/usr/bin/sed -i 's/\-\-token-auth-file=\/srv\/kubernetes\/known_tokens.csv //' /etc/kubernetes/manifests/kube-apiserver.manifest
+ name: remove_token_auth
 fileAssets:
 # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#audit-logging
 - name: apiserver-audit-policy
@@ -103,7 +118,7 @@ spec:
 dns: {}
 loadBalancer:
 type: Internal
- idleTimeoutSeconds: 300
+ idleTimeoutSeconds: 1800
 authorization:
 rbac: {}
 {{- if .docker.overrides }}
@@ -120,6 +135,8 @@ spec:
 etcdClusters:
 # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#etcdclusters-v3--tls
 - enableEtcdTLS: true
+ cpuRequest: 200m
+ memoryRequest: 128Mi
 etcdMembers:
 {{- range $key, $value := .availabilityZonesEtcd }}
 - instanceGroup: master-{{ $awsRegion }}{{ $value.masterZoneName }}
@@ -128,6 +145,8 @@ spec:
 name: main
 version: {{ .etcd.version }}
 - enableEtcdTLS: true
+ cpuRequest: 200m
+ memoryRequest: 128Mi
 etcdMembers:
 {{- range $key, $value := .availabilityZonesEtcd }}
 - instanceGroup: master-{{ $awsRegion }}{{ $value.masterZoneName }}
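Review bot: The `remove_basic_auth` and `remove_token_auth` hooks carry no role restriction, so their `sed -i` on `/etc/kubernetes/manifests/kube-apiserver.manifest` is also scheduled on every worker, where that file does not exist and the oneshot unit simply fails; kops hooks take a `roles:` list, so adding `roles:` / `- Master` to each hook keeps them on the control plane only. Stripping `--token-auth-file` discards every static token in `/srv/kubernetes/known_tokens.csv`, and with this kops generation some control-plane components may still present those tokens, so the change should be verified on a templated cluster before it is relied on. The two sed patterns are also inconsistent — the token one consumes a trailing space, the basic-auth one does not — so whether a double space or a dangling fragment is left behind depends on flag order in the manifest; matching the flag together with optional surrounding whitespace, or preferring kops's own `disableBasicAuth` field once it takes effect, would be more robust. The `spec:` mapping continues beyond this hunk.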
@@ -140,11 +159,16 @@ spec:
 allowContainerRegistry: {{ .iam.allowContainerRegistry }}
 legacy: false
 kubeAPIServer:
+ # configs: https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/componentconfig.go
 auditLogPath: /var/log/kube-apiserver-audit.log
- auditLogMaxAge: 10
- auditLogMaxBackups: 1
+ auditLogMaxAge: 30
+ auditLogMaxBackups: 10
 auditLogMaxSize: 100
 auditPolicyFile: /srv/kubernetes/audit.yaml
+ AnonymousAuth: false
+ DisableBasicAuth: false
+ tlsMinVersion: VersionTLS12
+ tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"]
 # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#runtimeconfig
 # runtimeConfig:
 # batch/v2alpha1: "true"
@@ -163,9 +187,14 @@ spec:
 - ResourceQuota
 - NodeRestriction
 - Priority
+ kubeControllerManager:
+ tlsMinVersion: VersionTLS12
+ tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"]
 kubelet:
 # https://github.com/kubernetes/kops/blob/master/docs/security.md#kubelet-api
 anonymousAuth: false
+ tlsMinVersion: VersionTLS12
+ tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"]
 # kubeReserved:
 # cpu: "100m"
 # memory: "100Mi"
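Review bot: `AnonymousAuth: false` and `DisableBasicAuth: false` under kubeAPIServer use capitalized keys, whereas kops's cluster spec — and the `anonymousAuth: false` already present under kubelet in the second hunk — spells them `anonymousAuth` and `disableBasicAuth`; with the wrong case the fields are likely ignored or rejected, which would also account for the "not working" remark on the hooks. Case aside, `disableBasicAuth: false` keeps basic auth enabled, the opposite of what the hooks enforce, so the intended lines are presumably `anonymousAuth: false` and `disableBasicAuth: true`, after confirming that the kubeconfig kops exports for this version still carries usable credentials with basic auth off. The cipher list `["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"]`, repeated for kubeControllerManager and kubelet, includes a static-RSA key-exchange suite with no forward secrecy; `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` is the ECDHE counterpart and keeps an AES-256 option without that weakness. The enclosing `spec:` mapping starts before and continues after both hunks.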