Add enable_aggregation option (defaults to false)
* Add an `enable_aggregation` variable to enable the kube-apiserver aggregation layer for adding extension apiservers to clusters
* Aggregation is **disabled** by default. Typhoon recommends you not enable aggregation. Consider whether less invasive ways to achieve your goals are possible and whether those goals are well-founded
* Enabling aggregation and extension apiservers increases the attack surface of a cluster and makes extensions a part of the control plane. Admins must scrutinize and trust any extension apiserver used.
* Passing a v1.14 CNCF conformance test requires that aggregation be enabled. Having an option for aggregation keeps compliance, but retains the stricter security posture on default clusters
This commit is contained in:
parent
5271e410eb
commit
be29f52039
|
@ -6,6 +6,9 @@ Notable changes between versions.
|
||||||
|
|
||||||
* Kubernetes [v1.14.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#v1140)
|
* Kubernetes [v1.14.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#v1140)
|
||||||
* Update Calico from v3.6.0 to v3.6.1
|
* Update Calico from v3.6.0 to v3.6.1
|
||||||
|
* Add `enable_aggregation` option for CNCF conformance
|
||||||
|
* Aggregation is disabled by default to retain our security stance
|
||||||
|
* Aggregation increases the security surface area. Extensions become part of the control plane and must be scrutinized carefully and trusted. Favor leaving aggregation disabled.
|
||||||
|
|
||||||
#### AWS
|
#### AWS
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
@ -12,4 +12,5 @@ module "bootkube" {
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
enable_reporting = "${var.enable_reporting}"
|
enable_reporting = "${var.enable_reporting}"
|
||||||
|
enable_aggregation = "${var.enable_aggregation}"
|
||||||
}
|
}
|
||||||
|
|
|
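Review bot: The bootkube module ref bump in the `@ -1,6 +1,6 @@` hunk is also applied in four later sections on this page that do not add the `enable_aggregation = "${var.enable_aggregation}"` line, so for those clusters whether the aggregation layer is on depends on the module's default at ref feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4, which is not visible here. If that default is anything other than "false", those clusters would gain aggregation silently while the changelog describes it as disabled by default. Worth confirming the module default, or passing `enable_aggregation = "false"` explicitly in those module blocks so the posture is pinned in this repository rather than upstream.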
@ -146,3 +146,9 @@ variable "enable_reporting" {
|
||||||
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
||||||
default = "false"
|
default = "false"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_aggregation" {
|
||||||
|
description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
|
||||||
|
type = "string"
|
||||||
|
default = "false"
|
||||||
|
}
|
||||||
|
|
|
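Review bot: The description on the new `variable "enable_aggregation"` gives no hint of the trade-off the commit message spells out, and the variable description is the text most operators read before flipping a toggle. Suggest `description = "Enable the Kubernetes Aggregation Layer (defaults to false). Enabling it widens the control plane's attack surface; extension apiservers become trusted control-plane components."` The same applies to the identical blocks added in the later `variable "enable_reporting"` hunks (`@ -121,3 +121,9 @@`, `@ -153,3 +153,9 @@`, `@ -98,3 +98,9 @@`, and the second `@ -121,3 +121,9 @@`). Keeping `type = "string"` matches `enable_reporting` directly above, so the declaration is consistent; values other than "true"/"false" are presumably handled by the module rather than here — confirm if that matters.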
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
@ -11,4 +11,5 @@ module "bootkube" {
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
enable_reporting = "${var.enable_reporting}"
|
enable_reporting = "${var.enable_reporting}"
|
||||||
|
enable_aggregation = "${var.enable_aggregation}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,3 +121,9 @@ variable "enable_reporting" {
|
||||||
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
||||||
default = "false"
|
default = "false"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_aggregation" {
|
||||||
|
description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
|
||||||
|
type = "string"
|
||||||
|
default = "false"
|
||||||
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${var.k8s_domain_name}"]
|
api_servers = ["${var.k8s_domain_name}"]
|
||||||
|
@ -13,4 +13,5 @@ module "bootkube" {
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
enable_reporting = "${var.enable_reporting}"
|
enable_reporting = "${var.enable_reporting}"
|
||||||
|
enable_aggregation = "${var.enable_aggregation}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -153,3 +153,9 @@ variable "enable_reporting" {
|
||||||
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
||||||
default = "false"
|
default = "false"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_aggregation" {
|
||||||
|
description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
|
||||||
|
type = "string"
|
||||||
|
default = "false"
|
||||||
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${var.k8s_domain_name}"]
|
api_servers = ["${var.k8s_domain_name}"]
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
@ -12,4 +12,5 @@ module "bootkube" {
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
enable_reporting = "${var.enable_reporting}"
|
enable_reporting = "${var.enable_reporting}"
|
||||||
|
enable_aggregation = "${var.enable_aggregation}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -55,13 +55,13 @@ resource "digitalocean_firewall" "controllers" {
|
||||||
# etcd, kube-apiserver, kubelet
|
# etcd, kube-apiserver, kubelet
|
||||||
inbound_rule = [
|
inbound_rule = [
|
||||||
{
|
{
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
port_range = "2379-2380"
|
port_range = "2379-2380"
|
||||||
source_tags = ["${digitalocean_tag.controllers.name}"]
|
source_tags = ["${digitalocean_tag.controllers.name}"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
port_range = "2381"
|
port_range = "2381"
|
||||||
source_tags = ["${digitalocean_tag.workers.name}"]
|
source_tags = ["${digitalocean_tag.workers.name}"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -90,10 +90,9 @@ resource "digitalocean_firewall" "workers" {
|
||||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
port_range = "10254"
|
port_range = "10254"
|
||||||
source_addresses = ["0.0.0.0/0"]
|
source_addresses = ["0.0.0.0/0"]
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,11 +31,10 @@ output "workers_ipv6" {
|
||||||
|
|
||||||
output "controller_tag" {
|
output "controller_tag" {
|
||||||
description = "Tag applied to controller droplets"
|
description = "Tag applied to controller droplets"
|
||||||
value = "${digitalocean_tag.controllers.name}"
|
value = "${digitalocean_tag.controllers.name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
output "worker_tag" {
|
output "worker_tag" {
|
||||||
description = "Tag applied to worker droplets"
|
description = "Tag applied to worker droplets"
|
||||||
value = "${digitalocean_tag.workers.name}"
|
value = "${digitalocean_tag.workers.name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -98,3 +98,9 @@ variable "enable_reporting" {
|
||||||
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
||||||
default = "false"
|
default = "false"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_aggregation" {
|
||||||
|
description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
|
||||||
|
type = "string"
|
||||||
|
default = "false"
|
||||||
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
@ -12,6 +12,7 @@ module "bootkube" {
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
enable_reporting = "${var.enable_reporting}"
|
enable_reporting = "${var.enable_reporting}"
|
||||||
|
enable_aggregation = "${var.enable_aggregation}"
|
||||||
|
|
||||||
// temporary
|
// temporary
|
||||||
apiserver_port = 443
|
apiserver_port = 443
|
||||||
|
|
|
@ -121,3 +121,9 @@ variable "enable_reporting" {
|
||||||
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
description = "Enable usage or analytics reporting to upstreams (Calico)"
|
||||||
default = "false"
|
default = "false"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_aggregation" {
|
||||||
|
description = "Enable the Kubernetes Aggregation Layer (defaults to false)"
|
||||||
|
type = "string"
|
||||||
|
default = "false"
|
||||||
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=ce5db83663b1de2096afc1787c2b622bc08987b3"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=feb6e4cb3e479b20dfc269f65e76ceb62d8d2ec4"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
|