diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index 008b5396a52bd..257a40ae98433 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -131,11 +131,6 @@ func TestMinimalGCE(t *testing.T) {
 newIntegrationTest("minimal-gce.example.com", "minimal_gce").runTestTerraformGCE(t)
 }
 
-// TestRestrictAccess runs the test on a simple SG configuration, similar to kops create cluster minimal.example.com --ssh-access=$(IPS) --admin-access=$(IPS) --master-count=3
-func TestRestrictAccess(t *testing.T) {
- newIntegrationTest("restrictaccess.example.com", "restrict_access").runTestTerraformAWS(t)
-}
-
 // TestHA runs the test on a simple HA configuration, similar to kops create cluster minimal.example.com --zones us-west-1a,us-west-1b,us-west-1c --master-count=3
 func TestHA(t *testing.T) {
 newIntegrationTest("ha.example.com", "ha").withZones(3).runTestTerraformAWS(t)
@@ -149,9 +144,9 @@ func TestHighAvailabilityGCE(t *testing.T) {
 
 // TestComplex runs the test on a more complex configuration, intended to hit more of the edge cases
 func TestComplex(t *testing.T) {
- newIntegrationTest("complex.example.com", "complex").runTestTerraformAWS(t)
- newIntegrationTest("complex.example.com", "complex").runTestCloudformation(t)
- newIntegrationTest("complex.example.com", "complex").withVersion("legacy-v1alpha2").runTestTerraformAWS(t)
+ newIntegrationTest("complex.example.com", "complex").withoutSSHKey().runTestTerraformAWS(t)
+ newIntegrationTest("complex.example.com", "complex").withoutSSHKey().runTestCloudformation(t)
+ newIntegrationTest("complex.example.com", "complex").withoutSSHKey().withVersion("legacy-v1alpha2").runTestTerraformAWS(t)
 }
 
 // TestExternalPolicies tests external policies output
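Review bot: The TestComplex doc comment still reads only "intended to hit more of the edge cases", while after this commit it is the sole home of scenarios that previously had their own named tests (TestRestrictAccess, TestNoSSHKey, TestCrossZone, TestAdditionalCIDR, TestAdditionalUserData); name them so the next person trimming the complex fixture knows what coverage lives there, e.g. `// TestComplex runs the test on a more complex configuration, intended to hit more of the edge cases: restricted API/SSH access (IPv4 and IPv6 CIDRs), no SSH key, additional VPC CIDRs, cross-zone API ELB and additional user-data`. All three TestComplex variants now run withoutSSHKey(), so within this file no test exercises the complex configuration together with a key pair any more; if that path is meant to be covered by the minimal tests only, it is worth saying so in the comment. The removed TestAdditionalCIDR (hunk at @@ -286,12) ran the v1alpha3 input with withZones(3), whereas the complex fixture visible in this diff is single-zone, so the multi-zone additional-CIDR case appears to be dropped rather than folded in.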
@@ -159,16 +154,6 @@ func TestExternalPolicies(t *testing.T) { newIntegrationTest("externalpolicies.example.com", "externalpolicies").runTestTerraformAWS(t) } -func TestNoSSHKey(t *testing.T) { - newIntegrationTest("nosshkey.example.com", "nosshkey").withoutSSHKey().runTestTerraformAWS(t) - newIntegrationTest("nosshkey.example.com", "nosshkey-cloudformation").withoutSSHKey().runTestCloudformation(t) -} - -// TestCrossZone tests that the cross zone setting on the API ELB is set properly -func TestCrossZone(t *testing.T) { - newIntegrationTest("crosszone.example.com", "api_elb_cross_zone").runTestTerraformAWS(t) -} - // TestMinimalCloudformation runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a func TestMinimalCloudformation(t *testing.T) { newIntegrationTest("minimal.example.com", "minimal-cloudformation").runTestCloudformation(t) @@ -185,11 +170,6 @@ func TestExistingSG(t *testing.T) { newIntegrationTest("existingsg.example.com", "existing_sg").withZones(3).runTestTerraformAWS(t) } -// TestAdditionalUserData runs the test on passing additional user-data to an instance at bootstrap. -func TestAdditionalUserData(t *testing.T) { - newIntegrationTest("additionaluserdata.example.com", "additional_user-data").runTestCloudformation(t) -} - // TestBastionAdditionalUserData runs the test on passing additional user-data to a bastion instance group func TestBastionAdditionalUserData(t *testing.T) { newIntegrationTest("bastionuserdata.example.com", "bastionadditional_user-data").withPrivate().withBastionUserData().runTestTerraformAWS(t) 
@@ -286,12 +266,6 @@ func TestExistingIAM(t *testing.T) { newIntegrationTest("existing-iam.example.com", "existing_iam").withZones(3).withoutPolicies().withLifecycleOverrides(lifecycleOverrides).runTestTerraformAWS(t) } -// TestAdditionalCIDR runs the test on a configuration with a shared VPC -func TestAdditionalCIDR(t *testing.T) { - newIntegrationTest("additionalcidr.example.com", "additional_cidr").withVersion("v1alpha3").withZones(3).runTestTerraformAWS(t) - newIntegrationTest("additionalcidr.example.com", "additional_cidr").runTestCloudformation(t) -} - // TestPhaseNetwork tests the output of tf for the network phase func TestPhaseNetwork(t *testing.T) { newIntegrationTest("lifecyclephases.example.com", "lifecycle_phases").runTestPhase(t, cloudup.PhaseNetwork) diff --git a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_masters.additionalcidr.example.com_policy b/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_masters.additionalcidr.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_masters.additionalcidr.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_nodes.additionalcidr.example.com_policy b/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_nodes.additionalcidr.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_nodes.additionalcidr.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} 
diff --git a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_masters.additionalcidr.example.com_policy b/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_masters.additionalcidr.example.com_policy deleted file mode 100644 index 340dff1ef9d7e..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_masters.additionalcidr.example.com_policy +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "ec2:DescribeLaunchTemplateVersions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_nodes.additionalcidr.example.com_policy b/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_nodes.additionalcidr.example.com_policy deleted file mode 100644 index ef2600b49733f..0000000000000 
--- a/tests/integration/update_cluster/additional_cidr/data/aws_iam_role_policy_nodes.additionalcidr.example.com_policy +++ /dev/null @@ -1,68 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/additional_cidr/data/aws_key_pair_kubernetes.additionalcidr.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/additional_cidr/data/aws_key_pair_kubernetes.additionalcidr.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key deleted file mode 100644 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/data/aws_key_pair_kubernetes.additionalcidr.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== 
diff --git a/tests/integration/update_cluster/additional_cidr/id_rsa.pub b/tests/integration/update_cluster/additional_cidr/id_rsa.pub deleted file mode 100755 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/additional_cidr/in-v1alpha2.yaml b/tests/integration/update_cluster/additional_cidr/in-v1alpha2.yaml deleted file mode 100644 index fdc2d68c3ecae..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/in-v1alpha2.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: additionalcidr.example.com -spec: - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/additionalcidr.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1b - name: us-test-1b - name: main - - etcdMembers: - - instanceGroup: master-us-test-1b - name: us-test-1b - name: events - kubelet: - anonymousAuth: false - kubernetesVersion: v1.14.0 - masterInternalName: api.internal.additionalcidr.example.com - masterPublicName: api.additionalcidr.example.com - networkCIDR: 10.0.0.0/16 - additionalNetworkCIDRs: - - 10.1.0.0/16 - networking: - kubenet: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - topology: - masters: public - nodes: public - subnets: - - cidr: 10.0.1.0/24 - name: us-test-1a - type: Public - zone: us-test-1a - - cidr: 10.1.1.0/24 - name: us-test-1b - type: Public - zone: us-test-1b - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1b - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1b - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1b - - 
diff --git a/tests/integration/update_cluster/additional_cidr/in-v1alpha3.yaml b/tests/integration/update_cluster/additional_cidr/in-v1alpha3.yaml deleted file mode 100644 index 680c12d962bc1..0000000000000 --- a/tests/integration/update_cluster/additional_cidr/in-v1alpha3.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: additionalcidr.example.com -spec: - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/additionalcidr.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - - instanceGroup: master-us-test-1b - name: us-test-1b - - instanceGroup: master-us-test-1c - name: us-test-1c - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - - instanceGroup: master-us-test-1b - name: us-test-1b - - instanceGroup: master-us-test-1c - name: us-test-1c - name: events - kubelet: - anonymousAuth: false - kubernetesVersion: v1.14.0 - masterInternalName: api.internal.additionalcidr.example.com - masterPublicName: api.additionalcidr.example.com - networkCIDR: 10.0.0.0/16 - additionalNetworkCIDRs: - - 10.1.0.0/16 - networking: - kubenet: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - topology: - masters: public - nodes: public - subnets: - - cidr: 10.0.1.0/24 - name: us-test-1a - type: Public - zone: us-test-1a - - cidr: 10.1.1.0/24 - name: us-test-1b - type: Public - zone: us-test-1b - - cidr: 10.1.2.0/24 - name: us-test-1c - type: Public - zone: us-test-1c - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1b - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: 
kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1b - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1b - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1c - labels: - kops.k8s.io/cluster: additionalcidr.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1c diff --git a/tests/integration/update_cluster/additional_user-data/id_rsa.pub b/tests/integration/update_cluster/additional_user-data/id_rsa.pub deleted file mode 100755 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/additional_user-data/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml b/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml deleted file mode 100644 index 1be6152eae10a..0000000000000 --- a/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: additionaluserdata.example.com -spec: - additionalPolicies: - master: | - [ - { - "Action": [ "s3:GetObject" ], - "Resource": [ "arn:aws:s3:::somebucket/someobject" ], - "Effect": "Allow" - } - ] - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/additionaluserdata.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - kubelet: - anonymousAuth: false - kubernetesVersion: v1.14.0 - masterInternalName: api.internal.additionaluserdata.example.com - masterPublicName: api.additionaluserdata.example.com - networkCIDR: 172.20.0.0/16 - networking: - kubenet: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - topology: - masters: public - nodes: public - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: additionaluserdata.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - additionalUserData: - - name: myscript.sh - type: text/x-shellscript - content: | - #!/bin/sh - echo "nodes: The time is now $(date -R)!" 
| tee /root/output.txt - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: additionaluserdata.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - additionalUserData: - - name: myscript.sh - type: text/x-shellscript - content: | - #!/bin/sh - echo "master: The time is now $(date -R)!" | tee /root/output.txt - diff --git a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_masters.crosszone.example.com_policy b/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_masters.crosszone.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_masters.crosszone.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_nodes.crosszone.example.com_policy b/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_nodes.crosszone.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_nodes.crosszone.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} 
diff --git a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_masters.crosszone.example.com_policy b/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_masters.crosszone.example.com_policy deleted file mode 100644 index 340dff1ef9d7e..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_masters.crosszone.example.com_policy +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "ec2:DescribeLaunchTemplateVersions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_nodes.crosszone.example.com_policy b/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_nodes.crosszone.example.com_policy deleted file mode 100644 index ef2600b49733f..0000000000000 
--- a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_iam_role_policy_nodes.crosszone.example.com_policy +++ /dev/null @@ -1,68 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_key_pair_kubernetes.crosszone.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/api_elb_cross_zone/data/aws_key_pair_kubernetes.crosszone.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key deleted file mode 100644 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/data/aws_key_pair_kubernetes.crosszone.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== 
diff --git a/tests/integration/update_cluster/api_elb_cross_zone/id_rsa.pub b/tests/integration/update_cluster/api_elb_cross_zone/id_rsa.pub deleted file mode 100755 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/api_elb_cross_zone/in-v1alpha2.yaml b/tests/integration/update_cluster/api_elb_cross_zone/in-v1alpha2.yaml deleted file mode 100644 index be1f4ab1dec97..0000000000000 --- a/tests/integration/update_cluster/api_elb_cross_zone/in-v1alpha2.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: crosszone.example.com -spec: - api: - loadBalancer: - type: Public - additionalSecurityGroups: - - sg-exampleid3 - - sg-exampleid4 - crossZoneLoadBalancing: true - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - cloudLabels: - Owner: John Doe - foo/bar: fib+baz - configBase: memfs://clusters.example.com/crosszone.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - kubeAPIServer: - serviceNodePortRange: 28000-32767 - kubelet: - anonymousAuth: false - kubernetesVersion: v1.14.0 - masterInternalName: api.internal.crosszone.example.com - masterPublicName: api.crosszone.example.com - networkCIDR: 172.20.0.0/16 - networking: - kubenet: {} - nodePortAccess: - - 1.2.3.4/32 - - 10.20.30.0/24 - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - topology: - masters: public - nodes: public - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: crosszone.example.com -spec: - additionalSecurityGroups: - - sg-exampleid3 - - sg-exampleid4 - associatePublicIp: true - suspendProcesses: - - AZRebalance - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - detailedInstanceMonitoring: true - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: crosszone.example.com -spec: - associatePublicIp: true - image: 
kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 305334c541ba2..5a653e54a12ce 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -241,7 +241,6 @@ }, "ImageId": "ami-12345678", "InstanceType": "m3.medium", - "KeyName": "kubernetes.complex.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57", "NetworkInterfaces": [ { "AssociatePublicIpAddress": true, @@ -356,7 +355,6 @@ }, "ImageId": "ami-12345678", "InstanceType": "t2.medium", - "KeyName": "kubernetes.complex.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57", "NetworkInterfaces": [ { "AssociatePublicIpAddress": true, @@ -567,7 +565,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngresshttpsapielb111024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -576,7 +574,19 @@ "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" + "CidrIp": "1.1.1.0/24" + } + }, + "AWSEC2SecurityGroupIngresshttpsapielb20010850040": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupapielbcomplexexamplecom" + }, + "FromPort": 443, + "ToPort": 443, + "IpProtocol": "tcp", + "CidrIp": "2001:0:8500::/40" } }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { @@ -593,7 +603,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressicmppmtuapielb00000": { + "AWSEC2SecurityGroupIngressicmppmtuapielb111024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -602,7 +612,19 @@ "FromPort": 3, "ToPort": 4, "IpProtocol": "icmp", - "CidrIp": "0.0.0.0/0" + "CidrIp": "1.1.1.0/24" + } + }, + "AWSEC2SecurityGroupIngressicmppmtuapielb20010850040": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupapielbcomplexexamplecom" + }, + "FromPort": 3, + "ToPort": 4, + "IpProtocol": "icmp", + "CidrIp": "2001:0:8500::/40" } }, "AWSEC2SecurityGroupIngressnodeporttcpexternaltonode102030024": { @@ -709,7 +731,7 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { + "AWSEC2SecurityGroupIngresssshexternaltomaster111132": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -718,10 +740,22 @@ "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" + "CidrIp": "1.1.1.1/32" + } + }, + "AWSEC2SecurityGroupIngresssshexternaltomaster2001085a348": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "2001:0:85a3::/48" } }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { + "AWSEC2SecurityGroupIngresssshexternaltonode111132": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -730,7 +764,19 @@ "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" + "CidrIp": "1.1.1.1/32" + } + }, + "AWSEC2SecurityGroupIngresssshexternaltonode2001085a348": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "2001:0:85a3::/48" } }, "AWSEC2SecurityGroupapielbcomplexexamplecom": { 
@@ -877,6 +923,15 @@
         ]
       }
     },
+    "AWSEC2VPCCidrBlock1010016": {
+      "Type": "AWS::EC2::VPCCidrBlock",
+      "Properties": {
+        "VpcId": {
+          "Ref": "AWSEC2VPCcomplexexamplecom"
+        },
+        "CidrBlock": "10.1.0.0/16"
+      }
+    },
     "AWSEC2VPCDHCPOptionsAssociationcomplexexamplecom": {
       "Type": "AWS::EC2::VPCDHCPOptionsAssociation",
       "Properties": {
@@ -1041,7 +1096,7 @@
         "ConnectionSettings": {
           "IdleTimeout": 300
         },
-        "CrossZone": false,
+        "CrossZone": true,
         "Tags": [
           {
             "Key": "KubernetesCluster",
diff --git a/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data b/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data
index 27b9556c3e663..a444bc8d5a339 100644
--- a/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data
+++ b/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data
@@ -1,3 +1,12 @@
+Content-Type: multipart/mixed; boundary="MIMEBOUNDARY"
+MIME-Version: 1.0
+
+--MIMEBOUNDARY
+Content-Disposition: attachment; filename="nodeup.sh"
+Content-Transfer-Encoding: 7bit
+Content-Type: text/x-shellscript
+Mime-Version: 1.0
+
 #!/bin/bash
 # Copyright 2016 The Kubernetes Authors All rights reserved.
 #
@@ -314,3 +323,14 @@ __EOF_KUBE_ENV
 
 download-release
 echo "== nodeup node config done =="
+
+--MIMEBOUNDARY
+Content-Disposition: attachment; filename="myscript.sh"
+Content-Transfer-Encoding: 7bit
+Content-Type: text/x-shellscript
+Mime-Version: 1.0
+
+#!/bin/sh
+echo "nodes: The time is now $(date -R)!" | tee /root/output.txt
+
+--MIMEBOUNDARY--
diff --git a/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data b/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data
index 0fe40f44ed532..ded8ba0628dac 100644
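Review bot: The `myscript.sh` part appended in the `@@ -314` hunk is delimited by the fixed boundary `MIMEBOUNDARY` and, as a `text/x-shellscript` part, is presumably run by cloud-init at first boot as root; nothing in this diff shows how the generator treats an `additionalUserData` script that itself contains a line `--MIMEBOUNDARY`, which would close the part early and hand the remainder to the MIME parser as headers or a new part. Whether that is rejected, escaped, or passed through is not visible here, so a fixture whose `content` includes that literal would pin the behaviour either way. Less importantly, the master's part prints `nodes: The time is now`, which is just the shared script copied into both instance groups in the YAML but reads like a copy-paste slip; a master-specific string would make the expected output self-explanatory.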
--- a/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data
+++ b/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data
@@ -1,3 +1,12 @@
+Content-Type: multipart/mixed; boundary="MIMEBOUNDARY"
+MIME-Version: 1.0
+
+--MIMEBOUNDARY
+Content-Disposition: attachment; filename="nodeup.sh"
+Content-Transfer-Encoding: 7bit
+Content-Type: text/x-shellscript
+Mime-Version: 1.0
+
 #!/bin/bash
 # Copyright 2016 The Kubernetes Authors All rights reserved.
 #
@@ -219,3 +228,14 @@ __EOF_KUBE_ENV
 
 download-release
 echo "== nodeup node config done =="
+
+--MIMEBOUNDARY
+Content-Disposition: attachment; filename="myscript.sh"
+Content-Transfer-Encoding: 7bit
+Content-Type: text/x-shellscript
+Mime-Version: 1.0
+
+#!/bin/sh
+echo "nodes: The time is now $(date -R)!" | tee /root/output.txt
+
+--MIMEBOUNDARY--
diff --git a/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml b/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml
index 2de2d20f333c4..e8e5de2a8a58f 100644
--- a/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml
+++ b/tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml
@@ -10,8 +10,10 @@ spec:
       additionalSecurityGroups:
       - sg-exampleid3
       - sg-exampleid4
+      crossZoneLoadBalancing: true
   kubernetesApiAccess:
-  - 0.0.0.0/0
+  - 1.1.1.0/24
+  - 2001:0:8500::/40
   channel: stable
   cloudProvider: aws
   cloudLabels:
@@ -36,6 +38,8 @@ spec:
   masterInternalName: api.internal.complex.example.com
   masterPublicName: api.complex.example.com
   networkCIDR: 172.20.0.0/16
+  additionalNetworkCIDRs:
+  - 10.1.0.0/16
   networking:
     kubenet: {}
   nodePortAccess:
@@ -43,7 +47,9 @@ spec:
   - 10.20.30.0/24
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess:
-  - 0.0.0.0/0
+  - 1.1.1.1/32
+  - 2001:0:85a3::/48
+  sshKeyName: ""
   topology:
     masters: public
     nodes: public
@@ -83,6 +89,12 @@ spec:
     deleteOnTermination: false
     size: 20
     type: gp2
+  additionalUserData:
+  - name: myscript.sh
+    type: text/x-shellscript
+    content: |
+      #!/bin/sh
+      echo "nodes: The time is now $(date -R)!" | tee /root/output.txt
 
 ---
 
@@ -102,3 +114,9 @@ spec:
   role: Master
   subnets:
   - us-test-1a
+  additionalUserData:
+  - name: myscript.sh
+    type: text/x-shellscript
+    content: |
+      #!/bin/sh
+      echo "nodes: The time is now $(date -R)!" | tee /root/output.txt
diff --git a/tests/integration/update_cluster/complex/in-v1alpha2.yaml b/tests/integration/update_cluster/complex/in-v1alpha2.yaml
index f5bcaa7f302bb..c06578f074367 100644
--- a/tests/integration/update_cluster/complex/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/complex/in-v1alpha2.yaml
@@ -10,8 +10,10 @@ spec:
       additionalSecurityGroups:
       - sg-exampleid3
       - sg-exampleid4
+      crossZoneLoadBalancing: true
   kubernetesApiAccess:
-  - 0.0.0.0/0
+  - 1.1.1.0/24
+  - 2001:0:8500::/40
   channel: stable
   cloudProvider: aws
   cloudLabels:
@@ -36,6 +38,8 @@ spec:
   masterInternalName: api.internal.complex.example.com
   masterPublicName: api.complex.example.com
   networkCIDR: 172.20.0.0/16
+  additionalNetworkCIDRs:
+  - 10.1.0.0/16
   networking:
     kubenet: {}
   nodePortAccess:
@@ -43,7 +47,9 @@ spec:
   - 10.20.30.0/24
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess:
-  - 0.0.0.0/0
+  - 1.1.1.1/32
+  - 2001:0:85a3::/48
+  sshKeyName: ""
   topology:
     masters: public
     nodes: public
diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf
index bc39165329ced..9f9a1fc434c73 100644
--- a/tests/integration/update_cluster/complex/kubernetes.tf
+++ b/tests/integration/update_cluster/complex/kubernetes.tf
@@ -215,7 +215,7 @@ resource "aws_ebs_volume" "us-test-1a-etcd-main-complex-example-com" {
 }
 
 resource "aws_elb" "api-complex-example-com" {
-  cross_zone_load_balancing = false
+  cross_zone_load_balancing = true
   health_check {
     healthy_threshold = 2
     interval = 10
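Review bot: The `@@ -43` hunk of `in-v1alpha2.yaml` sets `sshKeyName: ""` next to a non-empty `sshAccess` list without saying why; in the expected outputs the effect is that no EC2 key pair is attached to either launch template while 22/tcp is still opened on masters and nodes to `1.1.1.1/32` and `2001:0:85a3::/48`. With the separate `nosshkey` and `restrict_access` fixtures deleted, this file becomes the only place exercising that combination, so a comment would let the next reader tell intent from oversight, e.g. `# sshKeyName "" drops the EC2 key pair; sshAccess still produces the 22/tcp ingress rules`. Whether kops should skip those rules when no key is configured is a question for the generator, not the fixture. The identical hunk in `in-legacy-v1alpha2.yaml` would take the same comment.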
@@ -286,11 +286,6 @@ resource "aws_internet_gateway" "complex-example-com" {
   vpc_id = aws_vpc.complex-example-com.id
 }
 
-resource "aws_key_pair" "kubernetes-complex-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" {
-  key_name = "kubernetes.complex.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57"
-  public_key = file("${path.module}/data/aws_key_pair_kubernetes.complex.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key")
-}
-
 resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
   block_device_mappings {
     device_name = "/dev/xvda"
@@ -309,7 +304,6 @@ resource "aws_launch_template" "master-us-test-1a-masters-complex-example-com" {
   }
   image_id = "ami-12345678"
   instance_type = "m3.medium"
-  key_name = aws_key_pair.kubernetes-complex-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
   lifecycle {
     create_before_destroy = true
   }
@@ -368,7 +362,6 @@ resource "aws_launch_template" "nodes-complex-example-com" {
   }
   image_id = "ami-12345678"
   instance_type = "t2.medium"
-  key_name = aws_key_pair.kubernetes-complex-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
   lifecycle {
     create_before_destroy = true
   }
@@ -475,8 +468,17 @@ resource "aws_security_group_rule" "api-elb-egress" {
   type = "egress"
 }
 
-resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" {
-  cidr_blocks = ["0.0.0.0/0"]
+resource "aws_security_group_rule" "https-api-elb-1-1-1-0--24" {
+  cidr_blocks = ["1.1.1.0/24"]
+  from_port = 443
+  protocol = "tcp"
+  security_group_id = aws_security_group.api-elb-complex-example-com.id
+  to_port = 443
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "https-api-elb-2001_0_8500__--40" {
+  cidr_blocks = ["2001:0:8500::/40"]
   from_port = 443
   protocol = "tcp"
   security_group_id = aws_security_group.api-elb-complex-example-com.id
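Review bot: The `https-api-elb-2001_0_8500__--40` rule added in the `@@ -475` hunk places an IPv6 prefix in `cidr_blocks`, which the AWS provider's `aws_security_group_rule` accepts for IPv4 ranges only; the IPv6 form is `ipv6_cidr_blocks = ["2001:0:8500::/40"]`. As with the CloudFormation output, if this expected `kubernetes.tf` reflects what the Terraform target generates, `terraform apply` would fail on the rule and the IPv6 half of `kubernetesApiAccess` would not be enforced. The ICMP PMTU and SSH rules that follow use the same pattern and would need the same treatment in the generator, after which these fixtures should be regenerated rather than hand-edited.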
@@ -493,8 +495,17 @@ resource "aws_security_group_rule" "https-elb-to-master" {
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
-  cidr_blocks = ["0.0.0.0/0"]
+resource "aws_security_group_rule" "icmp-pmtu-api-elb-1-1-1-0--24" {
+  cidr_blocks = ["1.1.1.0/24"]
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-complex-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-api-elb-2001_0_8500__--40" {
+  cidr_blocks = ["2001:0:8500::/40"]
   from_port = 3
   protocol = "icmp"
   security_group_id = aws_security_group.api-elb-complex-example-com.id
@@ -592,8 +603,8 @@ resource "aws_security_group_rule" "nodeport-udp-external-to-node-10-20-30-0--24
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" {
-  cidr_blocks = ["0.0.0.0/0"]
+resource "aws_security_group_rule" "ssh-external-to-master-1-1-1-1--32" {
+  cidr_blocks = ["1.1.1.1/32"]
   from_port = 22
   protocol = "tcp"
   security_group_id = aws_security_group.masters-complex-example-com.id
@@ -601,8 +612,26 @@ resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" {
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" {
-  cidr_blocks = ["0.0.0.0/0"]
+resource "aws_security_group_rule" "ssh-external-to-master-2001_0_85a3__--48" {
+  cidr_blocks = ["2001:0:85a3::/48"]
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.masters-complex-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "ssh-external-to-node-1-1-1-1--32" {
+  cidr_blocks = ["1.1.1.1/32"]
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.nodes-complex-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "ssh-external-to-node-2001_0_85a3__--48" {
+  cidr_blocks = ["2001:0:85a3::/48"]
   from_port = 22
   protocol = "tcp"
   security_group_id = aws_security_group.nodes-complex-example-com.id
@@ -681,6 +710,11 @@ resource "aws_vpc_dhcp_options" "complex-example-com" {
   }
 }
 
+resource "aws_vpc_ipv4_cidr_block_association" "cidr-10-1-0-0--16" {
+  cidr_block = "10.1.0.0/16"
+  vpc_id = aws_vpc.complex-example-com.id
+}
+
 resource "aws_vpc" "complex-example-com" {
   cidr_block = "172.20.0.0/16"
   enable_dns_hostnames = true
diff --git a/tests/integration/update_cluster/nosshkey-cloudformation/in-v1alpha2.yaml b/tests/integration/update_cluster/nosshkey-cloudformation/in-v1alpha2.yaml
deleted file mode 100644
index 5d5a3dffeb21c..0000000000000
--- a/tests/integration/update_cluster/nosshkey-cloudformation/in-v1alpha2.yaml
+++ /dev/null
@@ -1,80 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: nosshkey.example.com -spec: - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/nosshkey.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - kubelet: - anonymousAuth: false - kubernetesVersion: v1.11.10 - masterInternalName: api.internal.nosshkey.example.com - masterPublicName: api.nosshkey.example.com - networkCIDR: 172.20.0.0/16 - networking: - kubenet: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - sshKeyName: "" - topology: - masters: public - nodes: public - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: nosshkey.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: nosshkey.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - - diff --git a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_masters.nosshkey.example.com_policy b/tests/integration/update_cluster/nosshkey/data/aws_iam_role_masters.nosshkey.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 
--- a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_masters.nosshkey.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_nodes.nosshkey.example.com_policy b/tests/integration/update_cluster/nosshkey/data/aws_iam_role_nodes.nosshkey.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_nodes.nosshkey.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_masters.nosshkey.example.com_policy b/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_masters.nosshkey.example.com_policy deleted file mode 100644 index 340dff1ef9d7e..0000000000000 --- a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_masters.nosshkey.example.com_policy +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "ec2:DescribeLaunchTemplateVersions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_nodes.nosshkey.example.com_policy b/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_nodes.nosshkey.example.com_policy deleted file mode 100644 index ef2600b49733f..0000000000000 
--- a/tests/integration/update_cluster/nosshkey/data/aws_iam_role_policy_nodes.nosshkey.example.com_policy +++ /dev/null @@ -1,68 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/nosshkey/in-v1alpha2.yaml b/tests/integration/update_cluster/nosshkey/in-v1alpha2.yaml deleted file mode 100644 index 24bdecabc5be7..0000000000000 --- a/tests/integration/update_cluster/nosshkey/in-v1alpha2.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: nosshkey.example.com -spec: - api: - loadBalancer: - type: Public - additionalSecurityGroups: - - sg-exampleid3 - - sg-exampleid4 - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - cloudLabels: - Owner: John Doe - foo/bar: fib+baz - configBase: memfs://clusters.example.com/nosshkey.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - kubelet: - anonymousAuth: false - kubeAPIServer: - serviceNodePortRange: 28000-32767 - kubernetesVersion: v1.11.10 - masterInternalName: api.internal.nosshkey.example.com - masterPublicName: api.nosshkey.example.com - networkCIDR: 172.20.0.0/16 - networking: - kubenet: {} - nodePortAccess: - - 1.2.3.4/32 - - 10.20.30.0/24 - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - sshKeyName: "" - topology: - masters: public - nodes: public - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: nosshkey.example.com -spec: - additionalSecurityGroups: - - sg-exampleid3 - - sg-exampleid4 - associatePublicIp: true - suspendProcesses: - - AZRebalance - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - detailedInstanceMonitoring: true - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: nosshkey.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - 
machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a diff --git a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_masters.restrictaccess.example.com_policy b/tests/integration/update_cluster/restrict_access/data/aws_iam_role_masters.restrictaccess.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_masters.restrictaccess.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_nodes.restrictaccess.example.com_policy b/tests/integration/update_cluster/restrict_access/data/aws_iam_role_nodes.restrictaccess.example.com_policy deleted file mode 100644 index 66d5de1d5ae1e..0000000000000 --- a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_nodes.restrictaccess.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_masters.restrictaccess.example.com_policy b/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_masters.restrictaccess.example.com_policy deleted file mode 100644 index 340dff1ef9d7e..0000000000000 --- a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_masters.restrictaccess.example.com_policy +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "ec2:DescribeLaunchTemplateVersions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:*" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_nodes.restrictaccess.example.com_policy b/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_nodes.restrictaccess.example.com_policy deleted file mode 100644 index ef2600b49733f..0000000000000 
--- a/tests/integration/update_cluster/restrict_access/data/aws_iam_role_policy_nodes.restrictaccess.example.com_policy +++ /dev/null @@ -1,68 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:GetChange" - ], - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:BatchGetImage" - ], - "Resource": [ - "*" - ] - } - ] -} diff --git a/tests/integration/update_cluster/restrict_access/data/aws_key_pair_kubernetes.restrictaccess.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/restrict_access/data/aws_key_pair_kubernetes.restrictaccess.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key deleted file mode 100644 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/restrict_access/data/aws_key_pair_kubernetes.restrictaccess.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== 
diff --git a/tests/integration/update_cluster/restrict_access/id_rsa.pub b/tests/integration/update_cluster/restrict_access/id_rsa.pub deleted file mode 100755 index 81cb0127830e7..0000000000000 --- a/tests/integration/update_cluster/restrict_access/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/restrict_access/in-v1alpha2.yaml b/tests/integration/update_cluster/restrict_access/in-v1alpha2.yaml deleted file mode 100644 index 0be25a9337662..0000000000000 --- a/tests/integration/update_cluster/restrict_access/in-v1alpha2.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-10T22:42:27Z" - name: restrictaccess.example.com -spec: - kubernetesApiAccess: - - 1.1.1.0/24 - - 2001:0:8500::/40 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/restrictaccess.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - kubelet: - anonymousAuth: false - kubernetesVersion: v1.14.0 - masterInternalName: api.internal.restrictaccess.example.com - masterPublicName: api.restrictaccess.example.com - networkCIDR: 172.20.0.0/16 - networking: - kubenet: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 1.1.1.1/32 - - 2001:0:85a3::/48 - topology: - masters: public - nodes: public - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: nodes - labels: - kops.k8s.io/cluster: restrictaccess.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-10T22:42:28Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: restrictaccess.example.com -spec: - associatePublicIp: true - image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - -