Add enable_aggregation option (defaults to false)

* Add an `enable_aggregation` variable to enable the kube-apiserver aggregation layer for adding extension apiservers to clusters * Aggregation is **disabled** by default. Typhoon recommends you not enable aggregation. Consider whether less invasive ways to achieve your goals are possible and whether those goals are well-founded * Enabling aggregation and extension apiservers increases the attack surface of a cluster and makes extensions a part of the control plane. Admins must scrutinize and trust any extension apiserver used. * Passing a v1.14 CNCF conformance test requires aggregation be enabled. Having an option for aggregation keeps compliance, but retains the stricter security posture on default clusters
2025-08-11 21:36:03 +02:00 · 2019-04-07 02:29:07 -07:00
parent 5271e410eb
commit be29f52039
17 changed files with 55 additions and 19 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -6,6 +6,9 @@ Notable changes between versions.

 * Kubernetes [v1.14.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#v1140)
 * Update Calico from v3.6.0 to v3.6.1
+* Add `enable_aggregation` option for CNCF conformance
+  * Aggregation is disabled by default to retain our security stance
+  * Aggregation increases the security surface area. Extensions become part of the control plane and must be scrutinized carefully and trusted. Favor leaving aggregation disabled.

 #### AWS