Comments (11)
Thanks for your support.
Cheers
@happycouak This is by design, for security reasons. Giving the nodes access to the S3 bucket would allow pods to read anything from the bucket, including secrets.
@hakman thanks, makes sense.
So is there a proper way to have nodeup bootstrap node machines without manually updating /etc/sysconfig/kops-configuration?
Also I note that, except for the S3 creds, the metadata actually stores all cloud credentials, so I wonder what the worst case would be if a node is compromised, between cloud credentials and S3 access.
@zetaab do you remember the reason? Should --dns=none fix this?
@hakman yes, when using --dns=none there are no credentials in normal nodes.
@happycouak I recommend always using --dns=none when using kOps with OpenStack.
Also it is weird for me that you are exporting AWS envs like:
export AWS_DEFAULT_REGION=xxx
export AWS_REGION=xxx
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
instead you should have OpenStack credentials (and S3_*) exported. Afaik kOps will not work without that.
The context is that the OpenStack cloud I am using does not offer an object storage service, so an S3 bucket is used to store the kops state. Is it a supported target?
Also you are right, the AWS_* envs are useless; I unset them and redeployed the whole cluster with --dns=none, and everything works well.
Now all credentials are absent from the cloud-init metadata and /etc/sysconfig/kops-configuration.
Last question: how are those creds transferred to the nodes?
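A defender-side check for the verification step described in the comment above (no credentials left in cloud-init metadata or /etc/sysconfig/kops-configuration) is added here as an example; it is not kOps code and is not from the thread. The file path is the one named in the thread, and the AWS_* variable names are the ones the thread quotes; the S3_* and OS_* names are assumed OpenStack/kOps environment-variable conventions rather than something the thread states. Both sample files are constructed.

```python
import re

# Path named in the thread; it is scanned only if it exists on this machine.
KOPS_CONFIG_PATH = "/etc/sysconfig/kops-configuration"

# Variable names treated as credential material. AWS_* names come from the
# thread; the S3_* and OS_* names are assumed kOps/OpenStack conventions.
SECRET_NAME_RE = re.compile(
    r"^(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN"
    r"|S3_ACCESS_KEY_ID|S3_SECRET_ACCESS_KEY"
    r"|OS_PASSWORD|OS_APPLICATION_CREDENTIAL_SECRET)$"
)

# Matches "KEY=value" and "export KEY=value" lines in env-style files.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$")


def find_credential_leaks(text):
    """Return [(line_no, name)] for every line that assigns a non-empty
    value to a credential-bearing variable. Values are never returned, so
    the report itself does not repeat the secret."""
    leaks = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGN_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip().strip("'\"")
        if SECRET_NAME_RE.match(name) and value:
            leaks.append((line_no, name))
    return leaks


def scan_file(path):
    """Scan a file on disk; returns None when the file is absent, which is
    the expected state on a node bootstrapped with --dns=none."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return find_credential_leaks(fh.read())
    except FileNotFoundError:
        return None


# Constructed sample: node bootstrap env as it looked before --dns=none.
BEFORE = """\
# constructed sample: bootstrap env before redeploying with --dns=none
export AWS_DEFAULT_REGION=eu-west-1
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY
export AWS_SECRET_ACCESS_KEY=examplesecretvalue
S3_ENDPOINT=https://s3.example.invalid
S3_ACCESS_KEY_ID=exampleaccess
S3_SECRET_ACCESS_KEY=examplesecret
"""

# Constructed sample: the same file after the redeploy; only non-secret
# settings remain, which is what the thread reports.
AFTER = """\
# constructed sample: bootstrap env after redeploying with --dns=none
S3_ENDPOINT=https://s3.example.invalid
AWS_DEFAULT_REGION=eu-west-1
"""


def report(label, leaks):
    if not leaks:
        print(f"{label}: no credential material found")
    for line_no, name in leaks:
        print(f"{label}: line {line_no} assigns {name} (value redacted)")


if __name__ == "__main__":
    report("before", find_credential_leaks(BEFORE))
    report("after", find_credential_leaks(AFTER))
    on_disk = scan_file(KOPS_CONFIG_PATH)
    if on_disk is None:
        print(f"{KOPS_CONFIG_PATH}: not present on this host")
    else:
        report(KOPS_CONFIG_PATH, on_disk)
```

The same `find_credential_leaks` can be run over the rendered cloud-init user-data once it has been fetched with the tooling for the cloud in use; the matcher only needs env-style `KEY=value` lines, so a user-data script that exports these variables is caught the same way as the sysconfig file.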
Nodes do not need any OpenStack credentials at the node level. However, there are Kubernetes secrets in the kube-system namespace that are used by csi-cinder on normal nodes. Other components that use credentials are located on the control planes.
Thanks, I get it regarding the OpenStack credentials stored in the secret "openstack-project", but how are the S3 credentials passed to nodes during deployment?
S3 creds are not passed to the node at all. The node config is retrieved from kops-controller, which runs on the control-plane and can read from S3.
Nodes do not need S3 credentials for anything, so nodes do not have them.