#kops (2019-07)

Discussions related to kops for kubernetes Archive: https://archive.sweetops.com/kops/

2019-07-25

s2504s avatar
s2504s

Just have tested upgrading Works well

2019-07-24

s2504s avatar
s2504s

Thank you for explanation. I assumed that. Now that is not a problem.

s2504s avatar
s2504s

Guys, if I made the manual changes in the terraform.tf file which I exported from kops, will kops upgrade procedure work properly? Or will this procedure discard my changes and apply a configuration that stored in kops? E.g. I use one NAT gw for 3 AZ (other two NAT gws I have removed from terraform.tf manually)

Will revert the kops upgrade procedure two nat gws back? Right?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t have enough context

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the [terraform.tf](http://terraform\.tf) file? …that could be anything

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

s2504s avatar
s2504s

Oh, sorry, I ment kubernetes.tf :)

2019-07-23

s2504s avatar
s2504s

Hi everyone! I have the new question again I am trying to set up k8s cluster using kops. I know that official documentation says that I should provide the user with Iam permissions

AmazonEC2FullAccess
AmazonRoute53FullAccess
AmazonS3FullAccess
IAMFullAccess
AmazonVPCFullAccess

But these permissions include FullAccess. This is very insecure. Do you have any the minimal rule sets that exclude FullAccess?

s2504s avatar
s2504s

I would like to know how do you, guys, make this setup Because, some time, we need to set up k8s cluster into the customer account and customer’s admins are afraid the FullAccess policies

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

You’re not giving this level of access to kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

you are giving this level of access to the person or process responsible for provisioning kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the user will need CRUD for EC2, ELBs, EBS, EIP, S3, VPC, and at that point, they are basically admins

2019-07-17

Fernanda Martins avatar
Fernanda Martins

I also…looking at KOPS configured with Public DNS but… I also wonder if thats good given that it creates records in etcd…. do you anything about this?

2019-07-15

Fernanda Martins avatar
Fernanda Martins

Hello All, I was reading Kubernetes Security Best Practices and it mentions the practice to use private topology with private VPC. Does anyone here uses a public website of sorts on top of Kops private topology? How is that working out?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Fernanda Martins exactly, so best practice is to run all the masters and nodes on a private topology, but then use an Ingress to expose a service

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

so a service will sit on a private “cluster ip”, and the (public) ingress will send traffic to that service.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

technically, an ingress can be public or private. in your case, you’d want a public ingress.

Fernanda Martins avatar
Fernanda Martins

That what essentially KOPS does because I see some private subnets and public ones tied with Load Balancer…

:--1:1
Fernanda Martins avatar
Fernanda Martins

But I wonder if the public ones are configured in the best way…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There’s never a single best way; I guess it depends on the organization. For our use-case, we stick with the kops strategy.

2019-07-03

Jan avatar

We are about to explore upgrading kops and k8s to 1.12.x from 1.11.x

Jan avatar

I have done the upgrades many times with Kops, not within the scope of geodesic

Jan avatar

Anyone else done so yet?

Jan avatar
kubernetes/kops

Kubernetes Operations (kops) - Production Grade K8s Installation, Upgrades, and Management - kubernetes/kops

Jan avatar

it does sound a lot safer to spin up a new cluster

Jan avatar

yup

Jan avatar

100%

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We are looking at upgrading from Kops 1.11 to 1.12. The upgrade instructions mention that it is a disruptive upgrade without going into details of how much. Is there anyone who has gone through it and can share their experience? cc @Jeremy (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Long thread below that

Jan avatar

thanks, I went over that

Jan avatar

honestly at this point im thinking I will build the capability to do full cluster backup and restore

Jan avatar

try the update path as described in kops

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

probably better to rebuild if you can

Jan avatar

if it goes tits up then re-roll the version we have

Jan avatar

and restore

Jan avatar

since the migration of data from one cluster to another requires downtime as is

Jan avatar

feels like a better route

Jan avatar

will need some planning and testing as we several prod workloads across 3 regions

Jan avatar

will be fun though

    keyboard_arrow_up