- Doctor w-rw-rw-
- Jun 24, 2008
Does anyone know anything about kubernetes, specifically kube-aws?
I'm trying to set up a pipeline to go from a Jenkinsfile/Dockerfile github to Jenkins to AWS, but I'm getting hung up by the fact that despite following the tutorial, I get this when I run kube-aws validate (with the proper s3 URI):
code:
Validation Report: {
Capabilities: ["CAPABILITY_NAMED_IAM"],
CapabilitiesReason: "The following resource(s) require capabilities: [AWS::CloudFormation::Stack]",
Description: "kube-aws Kubernetes cluster parahumans-cluster"
}
{
Capabilities: ["CAPABILITY_IAM"],
CapabilitiesReason: "The following resource(s) require capabilities: [AWS::IAM::Role]",
Description: "kube-aws Kubernetes cluster parahumans-cluster"
}
{
Capabilities: ["CAPABILITY_IAM"],
CapabilitiesReason: "The following resource(s) require capabilities: [AWS::IAM::Role]",
Description: "kube-aws Kubernetes node pool parahumans-cluster nodepool1",
Parameters: [{
Description: "The name of a control-plane stack used to import values into this stack",
NoEcho: false,
ParameterKey: "ControlPlaneStackName"
}]
}
stack template is valid.
Validation OK!
I don't know enough things about things to figure out how to debug that beyond attaching policies, which I've already given generously to the user - specifically:
code:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1493599746000",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:Encrypt",
"cloudformation:*",
"iam:*"
],
"Resource": [
"*"
]
}
]
}
In addition to S3/EC2 full access.
May 1, 2017 02:19
- Doctor w-rw-rw-
- Jun 24, 2008
EC2: security groups are your friend. Trivial to limit IPs it can be accessed from.
If those aren't available, iptables/firewalld. No experience with GCE, so I dunno.
On AWS I always set up rngd (for more available randomness) and fail2ban with an SSH ban rule, at the very least.
There's probably some way to do fail2ban with VNC, but to be honest you should not be running VNC unencrypted on a standard port (people are gonna portscan the ever-loving poo poo out of it), and instead consider making it only accessible from localhost and requiring an SSH tunnel. If that isn't an option...dunno.
May 3, 2017 10:51
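Added example (not from the post or from any project): a small Python audit in the spirit of the advice above, which reads a `describe-security-groups`-shaped document (a constructed sample here; the group id and rules are hypothetical) and flags ingress rules that leave SSH or the VNC display ports reachable from 0.0.0.0/0 or ::/0, including "all traffic" rules.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`; group id and rules are hypothetical.
SAMPLE_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0example1", "GroupName": "web-box",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5900,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]}]}

# Services that should only be reachable from known addresses (or over an SSH tunnel).
SENSITIVE = {"ssh": (22, 22), "vnc": (5900, 5909)}

def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. 'anyone on the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_sources(rule: dict) -> list:
    """CIDRs in the rule that are open to the whole internet (IPv4 and IPv6)."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if is_world(r["CidrIp"])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
    return v4 + v6

def rule_covers(rule: dict, lo: int, hi: int) -> bool:
    """True if the rule's protocol/port range overlaps the TCP range lo..hi."""
    if rule["IpProtocol"] == "-1":          # 'All traffic' covers every port
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= hi and rule.get("ToPort", 65535) >= lo

def audit_security_groups(doc: dict) -> list:
    """Return one finding string per (group, rule, service) exposed to the world."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            sources = world_sources(rule)
            if not sources:
                continue
            for name, (lo, hi) in SENSITIVE.items():
                if rule_covers(rule, lo, hi):
                    findings.append(f"{sg['GroupId']}: {name} tcp/{lo}-{hi} open to {', '.join(sources)}")
    return findings
```

Run it against the real output of `aws ec2 describe-security-groups --output json` and every finding is a rule to narrow to your own address range.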