This repository has been archived by the owner on Sep 30, 2020. It is now read-only.
Simple toggle to stop the automatic assignment of public IP's for all the nodes. #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
the nodes. This toggle requires the operator to bootstrap the VPC with a NAT gateway.
|
LGTM and Btw, one gotcha I'm aware of using NAT gateways is that it is limited to 10 Gbps/gateway(http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat-gateway-basics). |
|
Going to merge. Thanks for your contribution @pieterlange ! |
|
There's more than one gotcha for this, which is why i left actual NAT gateway creation up to the operator. :) The NAT gateway also only lives in one availability zone so now the operator also has to deal with that. In general i think if you have these kinds of problems (including the 10Gbps/gateway problem), the organization should have the resources to help fix this. ;-) When node pool functionality arrives i think it's worth it to add NAT gateway creation to kube-aws. Thanks for the merge! |
tyrannasaurusbanks
pushed a commit
to tyrannasaurusbanks/kube-aws
that referenced
this pull request
Apr 19, 2017
…update-to-latest-kube-aws-master to hcom-flavour * commit '175217133f75b3c251536bc0d51ccafd2b1a5de4': Fix the dead-lock while bootstrapping etcd cluster when wait signal is enabled. Resolves kubernetes-retired#525 Fix elasticFileSystemId to be propagated to node pools Resolves kubernetes-retired#487 'Cluster-dump' feature to export Kubernetes Resources to S3 Follow-up for the multi API endpoints support This fixes the issue which prevented a k8s cluster from being properly configured when multiple API endpoints are defined in cluster.yaml. Fix incorrect validations on apiEndpoints Ref kubernetes-retired#520 (comment) Wait until kube-system becomes ready Resolves kubernetes-retired#467
mumoshu
pushed a commit
that referenced
this pull request
Jun 20, 2017
Motivation is to avoid serious memory leak on etcd nodes as in * coreos/bugs#1927
mumoshu
added a commit
that referenced
this pull request
Jun 20, 2017
…ocker Use docker instead of rkt for regular etcdadm tasks (#4)
camilb
added a commit
to camilb/kube-aws
that referenced
this pull request
Jun 22, 2017
* kubernetes-incubator/master: Removed unused sysctl override Fix node drain error when trying to evict pods from jobs Use docker instead of rkt for regular etcdadm tasks (kubernetes-retired#4)
kylehodgetts
referenced
this pull request
in HotelsDotCom/kube-aws
Mar 27, 2018
Motivation is to avoid serious memory leak on etcd nodes as in * coreos/bugs#1927
kylehodgetts
referenced
this pull request
in HotelsDotCom/kube-aws
Mar 27, 2018
…m/etcdadm-rkt-to-docker Use docker instead of rkt for regular etcdadm tasks (#4)
dominicgunn
added a commit
that referenced
this pull request
Sep 16, 2020
* KIAM updates to support assumeRoleArn functionalilty * Add compute.internal to etcd san when using private zones, because the aws controller does not support private zones * Fix issue with node names in the clusters * Fix tests * Whitespace. * Forced rebuild. * Update cloud-config-controller * Update cloud-config-controller * Update test * Remove verbose json output. * Allow dnsmasq to be backed by a local copy of CoreDNS This commit allows the user to specify that dnsmasq should be backed by a pod-local copy of CoreDNS rather than relying on the global CoreDNS service. If enabled, the dnsmasq-node DaemonSet will be configured to use a local copy of CoreDNS for its resolution while setting the global CoreDNS service as a fallback. This is handy in situations where the number of DNS requests within a cluster grows large and causes resolution issues as dnsmasq reaches out to the global CoreDNS service. Additionally, several values passed to dnsmasq are now configurable including its `--cache-size` and `--dns-forward-max`. See [this postmortem](https://github.com/zalando-incubator/kubernetes-on-aws/blob/dev/docs/postmortems/jan-2019-dns-outage.md) for an investigation into this situation which was instrumental in understanding issues we were facing. Many thanks to dominicgunn for providing the manifests which I codified into this commit. --- These features can be enabled and tuned by setting the following values within cluster.yaml: ```yaml kubeDns: dnsmasq: coreDNSLocal: # When enabled, this will run a copy of CoreDNS within each DNS-masq pod and # configure the utility to use it for resolution. enabled: true # Defines the resource requests/limits for the coredns-local container. # cpu and/or memory constraints can be removed by setting the appropriate value(s) # to an empty string. resources: requests: cpu: 50m memory: 100Mi limits: cpu: 50m memory: 100Mi # The size of dnsmasq's cache. cacheSize: 50000 # The maximum number of concurrent DNS queries. dnsForwardMax: 500 # This option gives a default value for time-to-live (in seconds) which dnsmasq # uses to cache negative replies even in the absence of an SOA record. negTTL: 60 ``` * Always create required dnsmasq resources The dnsmasq-node ServiceAccount must exist whether or not CoreDNS-local has been enabled. Therefore, it is created alongside the DaemonSet rather than as part of the coredns-local manifest. Additionally, always create dnsmasq-node-coredns-local.yaml If this file does not exist (as would be the case if the CoreDNS local feature has not been enabled), controller nodes will fail to come up with the error: > error: the path "/srv/kubernetes/manifests/dnsmasq-node-coredns-local.yaml" does not exist This is caused when `kubectl delete` is called against the file because of the line `remove "${mfdir}/dnsmasq-node-coredns-local.yaml`. This manifest must always be generated because the CoreDNS-local feature cannot be enabled and then later disabled without otherwise requiring manual operator intervention. Co-authored-by: Dominic Gunn <dominic@fable.sh> Co-authored-by: Dominic Gunn <4493719+dominicgunn@users.noreply.github.com> Co-authored-by: Kevin Richardson <kevin@kevinrichardson.co>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This toggle still requires the operator to bootstrap the VPC with a NAT gateway, but i think it's fair to expect the operator to do this manually/with external tooling.
I might send a subsequent PR to add functionality to create a NAT gateway from kube-aws. Gateway initialization takes several (sometimes 5+) minutes though, so i'm slightly worried cluster bootstrap might be affected.