Comments (11)
happycouak
commented on May 26, 2024
1
Thanks for your support.
Cheers
from kops.
hakman
commented on May 26, 2024
@happycouak This is by design, for security reasons. Giving access to the S3 bucket to nodes, would allow pods to read anything from the bucket, including secrets.
from kops.
happycouak
commented on May 26, 2024
@hakman thanks, make sens.
So is there a proper way to have nodeup bootrap nodes machines without manually updating etc/sysconfig/kops-configuration ?
from kops.
happycouak
commented on May 26, 2024
Also I note that except for S3 creds, metadata actually store all cloud credentials, so I wonder what would be the worst case if the node is compromised between cloud credentials and S3 access.
from kops.
hakman
commented on May 26, 2024
@zetaab do you remember the reason? Should --dns=none fix this?
from kops.
zetaab
commented on May 26, 2024
@hakman yes, when using --dns=none there are no credentials in normal nodes.
@happycouak I recommend using --dns=none always when using kOps with OpenStack.
Also it is weird for me that you are exporting AWS envs like:
export AWS_DEFAULT_REGION=xxx
export AWS_REGION=xxx
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
instead you should have openstack credentials (and S3_*) exported. Afaik kOps will not work without that
from kops.
happycouak
commented on May 26, 2024
The context is that the Openstack cloud I am using does not offer object storage service, so a S3 bucket is used to store kops states. Is it a supported target ?
Also you are right AWS* envs are useless, I unset them, and redeploy the whole cluster with --dns=none and everything works well.
Now all credentials are absent from cloud-init metadata and /etc/sysconfig/kops-configuration.
Last question: how are those creds are transfered to nodes ?
from kops.
zetaab
commented on May 26, 2024
nodes does not need any openstack credentials in node level. However, there are kubernetes secrets in kube-system namespace that are used by csi-cinder in normal nodes. Other components that uses credentials are located in control-planes
from kops.
happycouak
commented on May 26, 2024
Thanks, I get it regarding openstack credentials store in secret "openstack-project", but how S3 credentials are passed ton node during deployment ?
from kops.
hakman
commented on May 26, 2024
Thanks, I get it regarding openstack credentials store in secret "openstack-project", but how S3 credentials are passed ton node during deployment ?
S3 creds are not passed to the node at all. The node config is retrieved from kops-controller, which runs on the control-plane and can read from S3.
from kops.
zetaab
commented on May 26, 2024
nodes does not need S3 credentials for anything, so nodes does not have those.
from kops.
Related Issues (20)
- create example cluster in a domain don't propagate DNS HOT 1
- kops 1.28.2 fails to create a cluster when using spotinst feature flags HOT 4
- AWS VPC CNI Ubuntu 22.04 MACAddressPolicy HOT 5
- nodeup will fail in nodes HOT 6
- 1.28 release notes missing from menu
- AWS: Unable to update nlb security group rules for existing nlbs HOT 13
- Add support to configure "concurrent-horizontal-pod-autoscaler-syncs" flag for HPA Controller in KCM
- Add support to configure "concurrent-job-syncs" flag for Job Controller in KCM
- cannot apply changes to Subnet: *gcetasks.Subnet HOT 2
- ulimit changed in pods between kops 1.28 -> master HOT 2
- create docs are self-inconsistent HOT 1
- Unable to configure disruption controls for karpenter HOT 6
- I wish for Dualstack support on Openstack HOT 2
- Expose imageMinimumGCAge and imageMaximumGCAge kubelet config
- Support dns=none with Terraform
- DNS None clusters fails OIDC e2e test
- [al2023][amazon-vpc-cni] Additional configuration required
- Private dns=none clusters incorrectly creating bastion DNS name tasks
- Treatment of overlapping ServiceCIDR and PodCIDRs HOT 1
- Inconsistencies between qualified names on AWS nodes HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kops.