dev to alpha

cluster/config-defaults.yaml

@@ -11,6 +11,13 @@ autoscaling_buffer_pods: "1"
 autoscaling_buffer_pods: "0"
 {{end}}
 
+# ALB config created by kube-aws-ingress-controller
+{{if eq .Environment "test"}}
+kube_aws_ingress_controller_ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+{{else}}
+kube_aws_ingress_controller_ssl_policy: "ELBSecurityPolicy-2016-08"
+{{end}}
+
 # skipper resource settings
 skipper_limits_mem: "250Mi"
 skipper_requests_cpu: "150m"
@@ -201,13 +208,16 @@ teapot_admission_controller_ignore_namespaces: "^kube-system$"
 etcd_instance_count: "3"
 {{end}}
 
+# toggle host vs. sidecar etcd-proxy
+etcd_proxy_as_sidecar: "true"
+
 dynamodb_service_link_enabled: "false"
 
 cluster_dns: "coredns"
 coredns_log_svc_names: "true"
 
 coreos_image: "ami-0d1579b60bb706fb7" # Container Linux 2079.6.0 (HVM, eu-central-1)
-kuberuntu_image: "ami-0d856c4c2daf9b569" # Kuberuntu (dev) (HVM, eu-central-1)
+kuberuntu_image: "ami-0d0d49d08e198103c" # Kuberuntu (dev) (HVM, eu-central-1)
 
 # Feature toggle to allow gradual decommissioning of ingress-template-controller
 enable_ingress_template_controller: "false"
@@ -242,5 +252,9 @@ node_cidr_mask_size: "24" # Default: 24
 
 # when set to true, routes external traffic to the apiserver through a skipper sidecar
 apiserver_proxy: "true"
+# when set to true, service account tokens can be used from outside the cluster
+# requires apiserver_proxy to be set to "true"
+allow_external_service_accounts: "true"
+
 # use kube-aws-iam-controller for kube-system components
 kube_aws_iam_controller_kube_system_enable: "false"

cluster/manifests/external-dns/deployment.yaml

@@ -35,7 +35,7 @@ spec:
         - --provider=aws
         - --registry=txt
         - --txt-owner-id={{ .Region }}:{{ .LocalID }}
-        - --aws-batch-change-size=350
+        - --aws-batch-change-size=100
         resources:
           limits:
             cpu: 50m

cluster/manifests/ingress-controller/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: kube-ingress-aws-controller
-    version: v0.8.6
+    version: v0.8.8
 spec:
   replicas: 1
   selector:
@@ -15,7 +15,7 @@ spec:
     metadata:
       labels:
         application: kube-ingress-aws-controller
-        version: v0.8.6
+        version: v0.8.8
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "false"}}
       annotations:
         iam.amazonaws.com/role: "{{ .LocalID }}-app-ingr-ctrl"
@@ -29,9 +29,10 @@ spec:
       serviceAccountName: kube-ingress-aws-controller
       containers:
       - name: controller
-        image: registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:v0.8.6
+        image: registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:v0.8.8
         args:
         - -stack-termination-protection
+        - -ssl-policy={{ .ConfigItems.kube_aws_ingress_controller_ssl_policy }}
         env:
         - name: AWS_REGION
           value: {{ .Region }}

cluster/manifests/roles/cdp-controller-rbac.yaml

@@ -34,6 +34,27 @@ rules:
   - list
   - watch
   - patch
+- apiGroups:
+  - "zalando.org"
+  resources:
+  - awsiamroles
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+- apiGroups:
+  - "zalando.org"
+  resources:
+  - gradualdeployments
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

cluster/node-pools/master-default/userdata.clc.yaml

@@ -59,6 +59,7 @@ systemd:
       [Install]
       WantedBy=multi-user.target
 
+{{ if ne .Cluster.ConfigItems.etcd_proxy_as_sidecar "true" }}
   - name: etcd-member.service
     enable: true
     contents: |
@@ -77,6 +78,7 @@ systemd:
 
       [Install]
       WantedBy=multi-user.target
+{{ end }}
 
   - name: docker.service
     dropins:
@@ -221,7 +223,7 @@ systemd:
     contents: |
       [Unit]
       Description=drain this k8s node to make running pods time to gracefully shut down before stopping kubelet
-      After=docker.service kubelet.service etcd-member.service
+      After=docker.service kubelet.service
 
       [Service]
       Type=oneshot
@@ -575,7 +577,7 @@ storage:
             - -enable-prometheus-metrics
             - -write-timeout-server=60m
             - -inline-routes
-            - 'z: JWTPayloadAnyKV("iss", "kubernetes/serviceaccount") -> enableAccessLog() -> "https://127.0.0.1:443"; h: Path("/kube-system/healthz") -> setPath("/healthz") -> disableAccessLog() -> "http://127.0.0.1:8080"; all: * -> disableAccessLog() -> "https://127.0.0.1:443";'
+            - 's: JWTPayloadAllKV("iss", "kubernetes/serviceaccount") -> enableAccessLog() -> {{ if eq .ConfigItems.allow_external_service_accounts "true" }}"https://127.0.0.1:443"{{ else }}status(401) -> <shunt>{{ end }}; h: Path("/kube-system/healthz") -> setPath("/healthz") -> disableAccessLog() -> "http://127.0.0.1:8080"; all: * -> disableAccessLog() -> "https://127.0.0.1:443";'
             ports:
             - containerPort: 8443
             readinessProbe:
@@ -596,6 +598,18 @@ storage:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
+{{ if eq .Cluster.ConfigItems.etcd_proxy_as_sidecar "true"}}
+          - name: etcd-proxy
+            image: registry.opensource.zalan.do/teapot/etcd-proxy:master-3
+            args:
+            - {{ .Cluster.ConfigItems.etcd_endpoints }}
+            ports:
+            - containerPort: 2379
+            resources:
+              requests:
+                cpu: 25m
+                memory: 25Mi
+{{ end }}
           volumes:
           - hostPath:
               path: /etc/kubernetes/ssl

cluster/node-pools/master-ubuntu-default/userdata.yaml

@@ -1,13 +1,17 @@
 #cloud-config
 runcmd:
   - [ systemctl, start, gen-controller-manager-config.service ]
+{{ if ne .Cluster.ConfigItems.etcd_proxy_as_sidecar "true"}}
   - [ systemctl, start, etcd-member.service ]
+{{ end }}
 
 write_files:
+{{ if ne .Cluster.ConfigItems.etcd_proxy_as_sidecar "true"}}
   - owner: root:root
     path: /etc/etcd-member/environment
     content: |
       ETCD_ENDPOINT={{ .Cluster.ConfigItems.etcd_endpoints }}
+{{ end }}
 
   - owner: root:root
     path: /etc/kubernetes/secrets.env
@@ -311,7 +315,7 @@ write_files:
           - -enable-prometheus-metrics
           - -write-timeout-server=60m
           - -inline-routes
-          - 'z: JWTPayloadAnyKV("iss", "kubernetes/serviceaccount") -> enableAccessLog() -> "https://127.0.0.1:443"; h: Path("/kube-system/healthz") -> setPath("/healthz") -> disableAccessLog() -> "http://127.0.0.1:8080"; all: * -> disableAccessLog() -> "https://127.0.0.1:443";'
+          - 's: JWTPayloadAllKV("iss", "kubernetes/serviceaccount") -> enableAccessLog() -> {{ if eq .ConfigItems.allow_external_service_accounts "true" }}"https://127.0.0.1:443"{{ else }}status(401) -> <shunt>{{ end }}; h: Path("/kube-system/healthz") -> setPath("/healthz") -> disableAccessLog() -> "http://127.0.0.1:8080"; all: * -> disableAccessLog() -> "https://127.0.0.1:443";'
           ports:
           - containerPort: 8443
           readinessProbe:
@@ -332,6 +336,18 @@ write_files:
           - mountPath: /etc/kubernetes/ssl
             name: ssl-certs-kubernetes
             readOnly: true
+{{ if eq .Cluster.ConfigItems.etcd_proxy_as_sidecar "true"}}
+        - name: etcd-proxy
+          image: registry.opensource.zalan.do/teapot/etcd-proxy:master-3
+          args:
+          - {{ .Cluster.ConfigItems.etcd_endpoints }}
+          ports:
+          - containerPort: 2379
+          resources:
+            requests:
+              cpu: 25m
+              memory: 25Mi
+{{ end }}
         volumes:
         - hostPath:
             path: /etc/kubernetes/ssl