Latest commit 84f3c93 (Dec 5, 2018) by pipo02mix: Add policy in workers to allow modify and list hostzones (#1327)

* Add policy in workers to allow modify and list hostzones

* improve description
aws-operator

The aws-operator manages Kubernetes clusters running on AWS.

Getting the Project

Download the latest release: https://github.com/giantswarm/aws-operator/releases/latest

Clone the git repository: https://github.com/giantswarm/aws-operator.git

Download the latest Docker image from here: https://quay.io/repository/giantswarm/aws-operator

How to build

Build the standard way.

go build github.com/giantswarm/aws-operator

Architecture

The operator uses our operatorkit framework. It manages an awsconfig CRD using a generated client stored in our apiextensions repo. Releases are versioned using version bundles.

The operator provisions guest Kubernetes clusters running on AWS. It runs in a host Kubernetes cluster also running on AWS.

CloudFormation

The guest Kubernetes clusters are provisioned using AWS CloudFormation. The resources are split across three CloudFormation stacks.

  • guest-main manages the guest cluster resources.
  • host-setup manages an IAM role used for VPC peering.
  • host-main manages network routes for the VPC peering connection.

The host cluster may run in a separate AWS account. If so, resources are created in both the host and the guest AWS accounts.

Other AWS Resources

In addition to the CloudFormation stacks, we also provision a KMS key and an S3 bucket per cluster. The bucket holds the cloudconfigs for the cluster nodes. The cloudconfigs contain TLS certificates, which are encrypted using the KMS key.

Kubernetes Resources

The operator also creates a Kubernetes namespace per guest cluster with a service and endpoints. These are used by the host cluster to access the guest cluster.

Certificates

Authentication for the cluster components and end-users uses TLS certificates. These are provisioned using HashiCorp Vault and are managed by our cert-operator.

Secret

The AWS IAM credentials have to be inserted into the following data structure.

service:
  aws:
    accesskey:
      id: 'TODO'
      secret: 'TODO'

The base64 representation of the data structure above has to be inserted into the secret.yml key of the following Kubernetes Secret.

apiVersion: v1
kind: Secret
metadata:
  name: aws-operator-secret
  namespace: giantswarm
type: Opaque
data:
  secret.yml: 'TODO'

To create the secret manually, run:

kubectl create -f ./path/to/secret.yml

We also need a secret to hold the SSH public key.

apiVersion: v1
kind: Secret
metadata:
  name: aws-operator-ssh-key-secret
  namespace: giantswarm
type: Opaque
data:
  id_rsa.pub: 'TODO'
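The procedure above (fill in secret.yml, base64-encode it into the aws-operator-secret, and wrap the SSH public key the same way) as an added shell example; this is not code from the aws-operator project. It assumes a POSIX sh with a base64(1) that accepts -d, uses obviously constructed placeholder values, and does not invoke kubectl itself.

```shell
#!/bin/sh
# Added example, not part of the aws-operator project: render the two Secret
# manifests described in the README. Assumes POSIX sh and base64(1) with -d.
set -eu

# The plain-text secret.yml structure expected under data.secret.yml.
# Values must not contain single quotes, since they are emitted quoted.
render_secret_yml() {
  printf "service:\n  aws:\n    accesskey:\n      id: '%s'\n      secret: '%s'\n" "$1" "$2"
}

# Single-line base64: Kubernetes expects an unwrapped value in .data.
b64() {
  base64 | tr -d '\n'
}

# Wrap stdin as an Opaque Secret named $1 in namespace giantswarm, under data key $2.
render_k8s_secret() {
  name=$1
  key=$2
  encoded=$(b64)
  printf "apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: giantswarm\ntype: Opaque\ndata:\n  %s: '%s'\n" "$name" "$key" "$encoded"
}

# Pull the value for data key $1 back out of a manifest on stdin and decode it,
# so the file can be checked before it is handed to kubectl create -f.
decode_from_manifest() {
  sed -n "s/^  $1: '\(.*\)'$/\1/p" | base64 -d
}

# Write both manifests into directory $3 with 0600 permissions: base64 is
# encoding, not encryption, so these files are as sensitive as the credentials.
# $1/$2 are the IAM key id and secret, $4 is the path to the SSH public key.
write_manifests() {
  ( umask 077
    render_secret_yml "$1" "$2" | render_k8s_secret aws-operator-secret secret.yml > "$3/secret.yml"
    render_k8s_secret aws-operator-ssh-key-secret id_rsa.pub < "$4" > "$3/ssh-key-secret.yml" )
}
```

After write_manifests, the resulting files are what the kubectl create -f step above consumes.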

Contact

Contributing & Reporting Bugs

See CONTRIBUTING for details on submitting patches, the contribution workflow as well as reporting bugs.

License

aws-operator is under the Apache 2.0 license. See the LICENSE file for details.

Credit