kops: Adding new IPs to `kubernetesApiAccess` or `sshAccess` does not change security groups
1. What kops version are you running? The command `kops version` will display this information.
Version 1.12.0
2. What Kubernetes version are you running? `kubectl version` will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-19T22:12:47Z", GoVersion:"go1.12.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.8", GitCommit:"a89f8c11a5f4f132503edbc4918c98518fd504e3", GitTreeState:"clean", BuildDate:"2019-04-23T04:41:47Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
Add 8.8.8.8/32 to both kubernetesApiAccess and sshAccess, then run:
kops replace -f kops.yaml
kops update cluster ${CLUSTER_NAME} --yes
kops rolling-update cluster ${CLUSTER_NAME} --yes
5. What happened after the commands executed?
8.8.8.8/32 is added to the bastion and API ELB security groups, but not to the masters and nodes security groups.
6. What did you expect to happen?
8.8.8.8/32 should have been added to the masters and nodes security groups…
7. Please provide your cluster manifest. Execute `kops get --name my.example.com -o yaml` to display your cluster manifest. You may want to remove your cluster name and other sensitive information.
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  creationTimestamp: null
  name: <cluster_name>.k8s.local
spec:
  DisableSubnetTags: true
  api:
    loadBalancer:
      type: Public
  authentication:
    aws: {}
  authorization:
    rbac: {}
  channel: stable
  cloudLabels:
    Cluster: <cluster_name>..k8s.local
  cloudProvider: aws
  configBase: s3://<s3bucket>/<cluster_name>.
  etcdClusters:
  - cpuRequest: 200m
    etcdMembers:
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-1
      name: "1"
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-2
      name: "2"
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-3
      name: "3"
    memoryRequest: 100Mi
    name: main
  - cpuRequest: 100m
    etcdMembers:
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-1
      name: "1"
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-2
      name: "2"
    - encryptedVolume: true
      instanceGroup: master-us-west-1a-3
      name: "3"
    memoryRequest: 100Mi
    name: events
  iam:
    allowContainerRegistry: true
    legacy: false
  kubeDNS:
    provider: CoreDNS
  kubelet:
    anonymousAuth: false
  kubernetesApiAccess:
  - <some_other_ips>/32
  - <some_other_ips>/32
  - <some_other_ips>/32
  - 8.8.8.8/32
  kubernetesVersion: 1.12.8
  masterPublicName: api.<cluster_name>.k8s.local
  networkCIDR: 172.21.0.0/16
  networkID: vpc-<id>
  networking:
    amazonvpc: {}
  nonMasqueradeCIDR: 100.64.0.0/10
  sshAccess:
  - <some_other_ips>/32
  - <some_other_ips>/32
  - <some_other_ips>/32
  - 8.8.8.8/32
  subnets:
  - cidr: 172.21.0.0/18
    id: subnet-<id>
    name: us-west-1a
    type: Private
    zone: us-west-1a
  - cidr: 172.21.64.0/18
    id: subnet-<id>
    name: us-west-1c
    type: Private
    zone: us-west-1c
  - cidr: 172.21.192.0/22
    id: subnet-<id>
    name: utility-us-west-1a
    type: Utility
    zone: us-west-1a
  - cidr: 172.21.196.0/22
    id: subnet-<id>
    name: utility-us-west-1c
    type: Utility
    zone: us-west-1c
  topology:
    dns:
      type: Public
    masters: private
    nodes: private
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2019-05-10T20:53:30Z
  labels:
    kops.k8s.io/cluster: <cluster_name>.k8s.local
  name: bastions
spec:
  image: kope.io/k8s-1.11-debian-stretch-amd64-hvm-ebs-2018-08-17
  machineType: t2.micro
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: bastions
  role: Bastion
  subnets:
  - utility-us-west-1a
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2019-05-16T17:44:39Z
  labels:
    kops.k8s.io/cluster: <cluster_name>.k8s.local
  name: master-us-west-1a-1
spec:
  image: coreos.com/CoreOS-stable-2079.3.0-hvm
  machineType: c5.large
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: master-us-west-1a-1
  role: Master
  subnets:
  - us-west-1a
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2019-05-16T17:44:40Z
  labels:
    kops.k8s.io/cluster: <cluster_name>.k8s.local
  name: master-us-west-1a-2
spec:
  image: coreos.com/CoreOS-stable-2079.3.0-hvm
  machineType: c5.large
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: master-us-west-1a-2
  role: Master
  subnets:
  - us-west-1a
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2019-05-16T17:44:40Z
  labels:
    kops.k8s.io/cluster: <cluster_name>.k8s.local
  name: master-us-west-1a-3
spec:
  image: coreos.com/CoreOS-stable-2079.3.0-hvm
  machineType: c5.large
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: master-us-west-1a-3
  role: Master
  subnets:
  - us-west-1a
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2019-05-16T17:44:40Z
  labels:
    kops.k8s.io/cluster: <cluster_name>.k8s.local
  name: nodes
spec:
  image: coreos.com/CoreOS-stable-2079.3.0-hvm
  machineType: c5.4xlarge
  maxSize: 4
  minSize: 4
  nodeLabels:
    kops.k8s.io/instancegroup: nodes
  role: Node
  subnets:
  - us-west-1a
  - us-west-1c
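Added example, not code from the issue or from kops: a drift check that compares the CIDRs a manifest grants (kubernetesApiAccess, sshAccess) against what `aws ec2 describe-security-groups` actually returns for the kops-named groups, so the symptom reported above (a CIDR present on the api-elb and bastion groups but missing on masters/nodes) is detected rather than assumed. The sample describe output, the cluster name demo.k8s.local and the group-to-port expectations are constructed assumptions; which groups are supposed to carry a given rule is an operator policy input, set here to the reporter's expectation.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups` output (not real data): 8.8.8.8/32 reached api-elb and bastion but not masters/nodes.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupName": "api-elb.demo.k8s.local", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}, {"CidrIp": "8.8.8.8/32"}]}]},
    {"GroupName": "bastion.demo.k8s.local", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}, {"CidrIp": "8.8.8.8/32"}]}]},
    {"GroupName": "masters.demo.k8s.local", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.5/32"}]}]},
    {"GroupName": "nodes.demo.k8s.local", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.5/32"}]}]},
]})

def ingress_cidrs(group, port):
    """IPv4 CIDRs allowed into `group` on TCP `port`; an all-protocol ("-1") rule counts too."""
    cidrs = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1" or (proto == "tcp" and
                             perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs

def expectations_for(cluster, api_access, ssh_access):
    """Which kops groups each manifest CIDR must reach: a policy input (assumed here), set to the
    reporter's expectation that masters and nodes carry the sshAccess rule as well."""
    return {f"api-elb.{cluster}": {443: set(api_access)},
            f"bastion.{cluster}": {22: set(ssh_access)},
            f"masters.{cluster}": {22: set(ssh_access)},
            f"nodes.{cluster}": {22: set(ssh_access)}}

def find_drift(describe_json, expected):
    """Return {group: sorted [(port, cidr)]} for each expected grant the live group lacks;
    a group absent from AWS is reported with all of its expected grants."""
    groups = {g["GroupName"]: g for g in json.loads(describe_json)["SecurityGroups"]}
    drift = {}
    for name, ports in expected.items():
        live = groups.get(name, {})
        missing = sorted((port, cidr) for port, cidrs in ports.items()
                         for cidr in cidrs if cidr not in ingress_cidrs(live, port))
        if missing:
            drift[name] = missing
    return drift

if __name__ == "__main__":
    allowed = ["203.0.113.5/32", "8.8.8.8/32"]
    print(find_drift(SAMPLE_DESCRIBE_SGS, expectations_for("demo.k8s.local", allowed, allowed)))
```

On a real cluster, feed `find_drift` the JSON from `aws ec2 describe-security-groups` and the CIDR lists read from the cluster manifest; an empty result means every expected rule is present.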
About this issue
- State: closed
- Created 5 years ago
- Comments: 16 (3 by maintainers)
same here
kops 1.15.2

UPD: my fault, somehow I was expecting kops to generate new tf from the cluster template on my localhost. 😜 I actually had to edit and "upload" the new cluster definition…
`kops edit cluster` or `kops replace ...`, then kops has generated normal tf (needed some more coffee 😃)