k0sproject / k0s Goto Github PK

View Code? Open in Web Editor NEW

2.9K 2.9K 344.0 135.46 MB

k0s - The Zero Friction Kubernetes

Home Page: https://docs.k0sproject.io

License: Other

Makefile 1.01% Go 94.27% Dockerfile 0.56% Shell 0.74% HCL 3.38% PowerShell 0.04%

kubernetes

k0s's People

Contributors

Stargazers

Watchers

Forkers

trawler jnummelin phroggyy mikhail-sakhnov ncopa s0j adamparco isgasho makhov pwfoo webwurst warmchang sadpdtchr rushins xiaoxiao-clound mattmattox doytsujin rockdriven vicdecode zhutony gning meet-ai cybernetics kokizzu kennethehmsen blutest papiguy amasser cloudxo moyu6027 ctmcisco binoychitale bobhenkel sjz shaunstanislauslau laith-leo hmmtayds jacobjohansen skymysky 8adre jjainschigg-r lucasmartinsjf dorucioclea unamem charlesraymond1 slachiewicz tinyzimmer rheehot catwithtudou toravir usrbinkat g-asura jackwiy danielxlee xuze1993 mryangwenming mu-l heartshare nkgfirecream makocchi-git simhaonline woodscumming wenziwu willcode2surf org-mars chanwit lcostea devopstoday11 clix-dev-llc jasmingacic chasemp dut3062796s bignuoli charlesqing limengcanyu jangocheng zhangdinet skyformat99 zeta1999 yaoshuyin junneyang kevtainer enenum ttys3 ikingye chenqi1989 panuhorsmalahti akurtasinski hintcnuie hmilkovi tmassey noureddinex maniacs-ops timbuchwaldt movd ediboko1980 yuces sirivong sarangzcloud hhy5277

k0s's Issues

Figure out proper config for containerd

Containerd needs to be configured with a toml config file. The defaults an be dumped with containerd config default

We need to check which parts we'd need to configure, or make configurable through mke. Then when mke is launching containerd, it should first dump the config file and the launch containerd with containerd --config /path/to/config.toml

Worker config

We probably need similar config yaml for worker as we now have for controller. Some things we could be configuring:

node labels
node taints
some containerd options (storage location etc.)
some kubelet options (cfs stuff, feature gates)

Metrics server

MKE should include metrics-server deployment.

Embed kubelet-rubber-stampr or something similar

We need to have kubelet to get a properly signed serving cert, otherwise configuring adjacent components such as metric server will get messy as by default kebelet is running with self-signed serving cert:

Server certificate
subject=CN = controller0@1597052929

issuer=CN = controller0-ca@1597052929

re-arrange the component directory/package structure into server and worker

split the the components into directories as:

pkg/component/
pkg/component/server/
pkg/component/worker/

CVE-2020-10752 (High) detected in k8s.io/apiserver/pkg/util/webhook-e4973e079a1129e83001d8368911eec19d9231fa

CVE-2020-10752 - High Severity Vulnerability

Vulnerable Library - k8s.io/apiserver/pkg/util/webhook-e4973e079a1129e83001d8368911eec19d9231fa

Library for writing a Kubernetes-style API server.

Dependency Hierarchy:

sigs.k8s.io/cli-utils/cmd/apply-e371bd5ca8c7066347c8b9eb10230a54ef69f3d3 (Root Library)
- sigs.k8s.io/cli-utils/cmd/printers
  - sigs.k8s.io/cli-utils/pkg/apply-e371bd5ca8c7066347c8b9eb10230a54ef69f3d3
    - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1-d584e1e2a2c1093f69508daf16b7c58a282bb4c6
      - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
        
        ❌ k8s.io/apiserver/pkg/util/webhook-e4973e079a1129e83001d8368911eec19d9231fa (Vulnerable Library)

Found in HEAD commit: 6fe2a96165d709fe20a7eb7820114857561c2eac

Vulnerability Details

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.

Publish Date: 2020-06-12

URL: CVE-2020-10752

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Kubelet & containerd processes leak

Pretty much every time I terminate my mke worker ... process with ctrl-c, both kubelet and containerd processes leak.

Default Pod Security Policies

At least 2 PSPs, restricted and privileged.

Make sure we can shutdown child processes gracefully

Maybe needs #3 as it's not really a trivial problem

Calico as default CNI

Implement expiry for join tokens

Currently the join tokens are never-expiring. We should enable a flag (e.g. --expiry 72h) for the mke token create command. The actual expiry is handled by the tokencleaner controller on controllermanager which we already enable.

supervisor: run some of the processes as non-root

Some of the process does not need to run as root, so we should run them as different users. we also need to investigate if we need to detach those from the controlling tty.

CVE-2019-11254 (Medium) detected in gopkg.in/yaml.v2-v2.2.7

CVE-2019-11254 - Medium Severity Vulnerability

Vulnerable Library - gopkg.in/yaml.v2-v2.2.7

YAML support for the Go language.

Dependency Hierarchy:

❌ gopkg.in/yaml.v2-v2.2.7 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/go-yaml/yaml/tree/v2.2.8

Release Date: 2020-04-01

Fix Resolution: yaml-v2.2.8

CVE-2018-1098 (High) detected in github.com/google/certificate-transparency-go-v1.0.21

CVE-2018-1098 - High Severity Vulnerability

Vulnerable Library - github.com/google/certificate-transparency-go-v1.0.21

Auditing for TLS certificates, Go code.

Dependency Hierarchy:

github.com/cloudflare/cfssl/csr-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/helpers-v1.4.1
  - ❌ github.com/google/certificate-transparency-go-v1.0.21 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Publish Date: 2018-04-03

URL: CVE-2018-1098

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1098

Release Date: 2018-04-03

Fix Resolution: v3.4.0-rc.0

Configure kernel automatically

See: https://github.com/rancher/k3s/blob/0aeea78060bed1829713f7a8a0eb9898af4bd6e3/pkg/agent/syssetup/setup.go#L30-L44

Make sure all embedded bins are statically compiled

This way we're in total control of all the bits and pieces. And, maybe even more importantly, we can run everything smoothly on any distro. ;)

kine
containerd
kubelet
mke

Option to run workloads on controllers

Add `--config path/to/config.yaml`

Currently we just assume there's mke.yaml in the cwd... :)

command for running mke as simple single node

Implement mke single or similar, which will respawn and supervise itself as both server and worker. This makes it simple to bootstrap and run mke as single node cluster on your development machine for testing.

Build option for "fat" binary

Which should contain all required container images.

Option to "apply" kubernetes manifests from a local folder

Similar to what K3s does.

Support windows workers

Configurations for calico

We need to make some calico setting configurable through the config yaml. At least the following:

mode (ipip/vxlan)
mtu

The config could look something like:

apiVersion: mke.mirantis.com/v1beta1
kind: Cluster
metadata:
  name: foobar
spec:
  network:
    provider: calico
    calico:
      mtu: 1234
      mode: vxlan

Default to vxlan and 1450 MTU.

Look for suitable process manager to use

mke bin needs to spawn few child processes (containerd and kubelet at least) and make sure they stay up-and-running. This is what process manager does so we should check if there's some nifty golang lib that could handle this. We'd need to make sure that e.g. signal hangling works as expected and we do not create too many zombies and what-nots.

Etcd as backend

We want to support real etcd as storage for control plane. Just another supervised process in controlplane, but requires specific CA and certs (both serving and client certs).

CVE-2020-8559 (Medium) detected in k8s.io/apimachinery/pkg/util/net-9540e4cac147e4ad5de8b0c2207079df573a2df3, k8s.io/apimachinery/pkg/util/httpstream/spdy-9540e4cac147e4ad5de8b0c2207079df573a2df3

CVE-2020-8559 - Medium Severity Vulnerability

Vulnerable Libraries - k8s.io/apimachinery/pkg/util/net-9540e4cac147e4ad5de8b0c2207079df573a2df3, k8s.io/apimachinery/pkg/util/httpstream/spdy-9540e4cac147e4ad5de8b0c2207079df573a2df3

k8s.io/apimachinery/pkg/util/net-9540e4cac147e4ad5de8b0c2207079df573a2df3

Dependency Hierarchy:

sigs.k8s.io/cli-utils/cmd/printers (Root Library)
- k8s.io/cli-runtime/pkg/genericclioptions-b4586cbefd3668543b8b2b56845419e39ad1792f
  - k8s.io/apimachinery/pkg/api/meta-9540e4cac147e4ad5de8b0c2207079df573a2df3
    - k8s.io/apimachinery/pkg/apis/meta/v1-9540e4cac147e4ad5de8b0c2207079df573a2df3
      - k8s.io/apimachinery/pkg/watch-9540e4cac147e4ad5de8b0c2207079df573a2df3
        
        ❌ k8s.io/apimachinery/pkg/util/net-9540e4cac147e4ad5de8b0c2207079df573a2df3 (Vulnerable Library)

k8s.io/apimachinery/pkg/util/httpstream/spdy-9540e4cac147e4ad5de8b0c2207079df573a2df3

Dependency Hierarchy:

sigs.k8s.io/cli-utils/cmd/printers (Root Library)
- k8s.io/cli-runtime/pkg/genericclioptions-b4586cbefd3668543b8b2b56845419e39ad1792f
  - k8s.io/client-go/tools/clientcmd-36233866f1c7c0ad3bdac1fc466cb5de3746cfa2
    - k8s.io/client-go/tools/auth-36233866f1c7c0ad3bdac1fc466cb5de3746cfa2
      - k8s.io/client-go/rest-36233866f1c7c0ad3bdac1fc466cb5de3746cfa2
        
        k8s.io/client-go/plugin/pkg/client/auth/exec-36233866f1c7c0ad3bdac1fc466cb5de3746cfa2
        
        k8s.io/client-go/transport-36233866f1c7c0ad3bdac1fc466cb5de3746cfa2
        
        ❌ k8s.io/apimachinery/pkg/util/httpstream/spdy-9540e4cac147e4ad5de8b0c2207079df573a2df3 (Vulnerable Library)

Found in HEAD commit: dfc52923fce4373bce79baa9a6333b3354dde77f

Vulnerability Details

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Publish Date: 2020-07-21

URL: CVE-2020-8559

CVSS 3 Score Details (6.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kubernetes/kubernetes#92914

Release Date: 2020-07-21

Fix Resolution: v1.18.6,v1.17.9,v1.16.13

Each component should be able to "register" the bins it needs

Currently we dump all bins to disk. This means that when we run worker, we get control plane bins to disk too. So we'd need something where each component can tell which bins it needs so we dump only the ones we really need.

Logs: Label each log line with the component it's coming from

Integration testing

We should do some basic integration testing for mke. Maybe we could utilize footloose like we do for launchpad:

So essentially we could do something like this:

build the mke bin
create couple footloose "nodes"
- mount the local dir into footloose nodes, to make mke bin instantly available
run controller and worker
ensure we get the node(s) in kube api in Ready condition in tolerable time
footloose destroy

Which containerd shim we really need

Currently we have 3 shim bins embedded, we only will need probably one.

More isolated containers

We could provide option for users to run better isolated containers via kata, gvisor, firecracker or some other tech out there.

CVE-2020-7919 (High) detected in github.com/zmap/zlint-v1.0.0

CVE-2020-7919 - High Severity Vulnerability

Vulnerable Library - github.com/zmap/zlint-v1.0.0

X.509 Certificate Linter based on CA/B Forum Baseline Requirements and RFC 5280

Dependency Hierarchy:

github.com/cloudflare/cfssl/cli/sign-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/signer/universal-v1.4.1
  - github.com/cloudflare/cfssl/signer/remote-v1.4.1
    - github.com/cloudflare/cfssl/signer-v1.4.1
      - ❌ github.com/zmap/zlint-v1.0.0 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

Publish Date: 2020-03-16

URL: CVE-2020-7919

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919

Release Date: 2020-03-16

Fix Resolution: go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d

TLS for Kine/etcd

We should generate proper CA/certs for Kine and etcd.

Consider the need for node-local dns cache

It was a thing e.g. in Pharos: https://github.com/kontena/pharos-docs/tree/master/networking#node_local_dns_cache-optional-default-true

Spawn kubelet as mke child

Same as for containerd in #4 but for kubelet.

fix path for kine database

It looks like kine creates database in local directory. We should move that to the working directory, /var/lib/mke and make that configurable.

Document current configurable options

We already have basic config yaml structure in place. We should properly document it and while doing so create the very basic /docs structure.

CoreDNS

We should automatically deploy CoreDNS in HA mode (when possible).

CVE-2018-16886 (High) detected in github.com/google/certificate-transparency-go-v1.0.21

CVE-2018-16886 - High Severity Vulnerability

Vulnerable Library - github.com/google/certificate-transparency-go-v1.0.21

Auditing for TLS certificates, Go code.

Dependency Hierarchy:

github.com/cloudflare/cfssl/csr-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/helpers-v1.4.1
  - ❌ github.com/google/certificate-transparency-go-v1.0.21 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Publish Date: 2019-01-14

URL: CVE-2018-16886

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-16886

Release Date: 2019-01-14

Fix Resolution: 3.2.26,3.3.11

Health checking for supervised processes

Currently there's no health checking done for any of the managed child processes. Maybe mke could have some simple-ish ways to ping the healthz endpoints of each of the childs?

Of course if a healthcheck fails, we should restart the process. Definitely needs some backoff so we don't create busyloops with this.

CVE-2018-1099 (Medium) detected in github.com/google/certificate-transparency-go-v1.0.21

CVE-2018-1099 - Medium Severity Vulnerability

Vulnerable Library - github.com/google/certificate-transparency-go-v1.0.21

Auditing for TLS certificates, Go code.

Dependency Hierarchy:

github.com/cloudflare/cfssl/csr-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/helpers-v1.4.1
  - ❌ github.com/google/certificate-transparency-go-v1.0.21 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).

Publish Date: 2018-04-03

URL: CVE-2018-1099

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1099

Release Date: 2018-04-03

Fix Resolution: v3.4.0-rc.0

Bundle conntrack

We should use bundled conntrack if host does not have it installed.

Maybe we could use this: https://github.com/florianl/go-conntrack

CVE-2020-14040 (High) detected in multiple libraries

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Libraries - golang.org/x/text/encoding/unicode-v0.3.2, github.com/zmap/zlint-v1.0.0, golang.org/x/text/transform-v0.3.2, golang.org/x/text/encoding-v0.3.2, github.com/google/certificate-transparency-go-v1.0.21

golang.org/x/text/encoding/unicode-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

k8s.io/cli-runtime/pkg/genericclioptions-v0.17.2 (Root Library)
- k8s.io/cli-runtime/pkg/resource-v0.17.2
  - ❌ golang.org/x/text/encoding/unicode-v0.3.2 (Vulnerable Library)

github.com/zmap/zlint-v1.0.0

X.509 Certificate Linter based on CA/B Forum Baseline Requirements and RFC 5280

Dependency Hierarchy:

github.com/cloudflare/cfssl/cli/sign-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/signer/universal-v1.4.1
  - github.com/cloudflare/cfssl/signer/remote-v1.4.1
    - github.com/cloudflare/cfssl/signer-v1.4.1
      - ❌ github.com/zmap/zlint-v1.0.0 (Vulnerable Library)

golang.org/x/text/transform-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

k8s.io/api/core/v1-v0.17.2 (Root Library)
- k8s.io/apimachinery/pkg/apis/meta/v1-v0.17.2
  - k8s.io/apimachinery/pkg/watch-v0.17.2
    - k8s.io/apimachinery/pkg/util/net-v0.17.2
      - golang.org/x/net/http2-244492dfa37ae2ce87222fd06250a03160745faa
        
        golang.org/x/net/http/httpguts-244492dfa37ae2ce87222fd06250a03160745faa
        
        golang.org/x/net/idna-244492dfa37ae2ce87222fd06250a03160745faa
        
        github.com/golang/text/secure/bidirule-v0.3.2
        
        ❌ github.com/golang/text/transform-v0.3.2 (Vulnerable Library)

golang.org/x/text/encoding-v0.3.2

[mirror] Go text processing support

Dependency Hierarchy:

k8s.io/cli-runtime/pkg/genericclioptions-v0.17.2 (Root Library)
- k8s.io/cli-runtime/pkg/resource-v0.17.2
  - golang.org/x/text/encoding/unicode-v0.3.2
    - ❌ golang.org/x/text/encoding-v0.3.2 (Vulnerable Library)

github.com/google/certificate-transparency-go-v1.0.21

Auditing for TLS certificates, Go code.

Dependency Hierarchy:

github.com/cloudflare/cfssl/csr-v1.4.1 (Root Library)
- github.com/cloudflare/cfssl/helpers-v1.4.1
  - ❌ github.com/google/certificate-transparency-go-v1.0.21 (Vulnerable Library)

Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a

Vulnerability Details

Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040

Release Date: 2020-06-17

Fix Resolution: v0.3.3

No need to extract bins many times

Elastic mke control plane

We want to make mke control plane elastic, so there should be a way to easily boot up second controlplane "instance" on some other node. Requires that there's a way to somehow sync all the needed certs and other details between the nodes.

Create a basic build pipeline

Push/PR --> trigger build
For this ^ we do not yet have tests to run, but eventually we should have.

Tag --> trigger release build (i.e. build bin + make release in GH with bins as artifacts)

Custom network provider

Not everyone is gonna want to use calico, so we'd need to support a custom CNI provider. Maybe the config could be something like:

apiVersion: mke.mirantis.com/v1beta1
kind: Cluster
metadata:
  name: foobar
spec:
  network:
    provider: custom

It is then up to the user to make the CNI work. Fairly easy by pushing their CNI manifests into /var/lib/mke/manifests :)

Wireguard for Calico

New Calico suppeort wireguard, we should make that as an option to configure for Calico.

Configurable pod ip range and service cird

Currently both are hardcoded. 😂

Note that when changing the service CIDR, we need to "statically" reserve a IP for the DNS service. Currently it's 10.96.0.10 and set to coreDNS here

We also need to change the api service certs to include the first address of the service CIDR as SAN, the cluster internal api service is at that address.

Spawn containerd as mke child

ContainerD has to be up-and-running so mke has to supervise that.

k0sproject / k0s Goto Github PK

k0s's People

Contributors

Stargazers

Watchers

Forkers

k0s's Issues

CVE-2020-10752 - High Severity Vulnerability

CVE-2019-11254 - Medium Severity Vulnerability

CVE-2018-1098 - High Severity Vulnerability

CVE-2020-8559 - Medium Severity Vulnerability

CVE-2020-7919 - High Severity Vulnerability

CVE-2018-16886 - High Severity Vulnerability

CVE-2018-1099 - Medium Severity Vulnerability

CVE-2020-14040 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org