Doctor w-rw-rw-
Jun 24, 2008
Does anyone know anything about kubernetes, specifically kube-aws?

I'm trying to set up a pipeline to go from a Jenkinsfile/Dockerfile on GitHub to Jenkins to AWS, but I'm getting hung up by the fact that, despite following the tutorial, I get this when I run kube-aws validate (with the proper s3 URI):

code:
Validation Report: {
  Capabilities: ["CAPABILITY_NAMED_IAM"],
  CapabilitiesReason: "The following resource(s) require capabilities: [AWS::CloudFormation::Stack]",
  Description: "kube-aws Kubernetes cluster parahumans-cluster"
}
{
  Capabilities: ["CAPABILITY_IAM"],
  CapabilitiesReason: "The following resource(s) require capabilities: [AWS::IAM::Role]",
  Description: "kube-aws Kubernetes cluster parahumans-cluster"
}
{
  Capabilities: ["CAPABILITY_IAM"],
  CapabilitiesReason: "The following resource(s) require capabilities: [AWS::IAM::Role]",
  Description: "kube-aws Kubernetes node pool parahumans-cluster nodepool1",
  Parameters: [{
      Description: "The name of a control-plane stack used to import values into this stack",
      NoEcho: false,
      ParameterKey: "ControlPlaneStackName"
    }]
}
stack template is valid.

Validation OK!
I don't know enough things about things to figure out how to debug that beyond attaching policies, which I've already given generously to the user - specifically:
code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493599746000",
            "Effect": "Allow",
            "Action": [
                "kms:CreateKey",
                "kms:Encrypt",
                "cloudformation:*",
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
In addition to S3/EC2 full access.

Doctor w-rw-rw-
Jun 24, 2008
EC2: security groups are your friend. Trivial to limit IPs it can be accessed from.
If those aren't available, iptables/firewalld. No experience with GCE, so I dunno.

On AWS I always set up rngd (for more available randomness) and fail2ban with an SSH ban rule, at the very least.

There's probably some way to do fail2ban with VNC, but to be honest you should not be running VNC unencrypted on a standard port (people are gonna portscan the ever-loving poo poo out of it), and instead consider making it only accessible from localhost and requiring an SSH tunnel. If that isn't an option... dunno.
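As an added, defender-side example (not code from this thread or from the poster), the script below checks the two things the post recommends: that an EC2 security group does not open SSH or the VNC port range to any source address, and that a VNC server is bound to loopback only, so it is reachable only through an SSH tunnel. The function names and both sample inputs are my own; the inputs are constructed to match the shape of `aws ec2 describe-security-groups` JSON and `ss -ltn` output so the check runs offline.

```python
# Added audit example (not from the thread). Inputs are constructed to match
# `aws ec2 describe-security-groups` JSON and `ss -ltn` output so it runs offline.
import ipaddress

SSH_PORT = 22
VNC_LO, VNC_HI = 5900, 5999  # standard VNC display ports (5900 + display number)

def audit_security_group(sg):
    """Flag ingress rules that open SSH or the VNC port range to any source."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # -1 => all ports
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # only 0.0.0.0/0 and ::/0 count as "open to the world"
            if lo <= SSH_PORT <= hi:
                findings.append(f"{sg['GroupId']}: SSH/22 open to {cidr}")
            if lo <= VNC_HI and hi >= VNC_LO:
                findings.append(f"{sg['GroupId']}: VNC/{VNC_LO}-{VNC_HI} open to {cidr}")
    return findings

def audit_listeners(ss_output):
    """Flag VNC listeners bound to anything other than the loopback address."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the ss header row
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, _, port = cols[3].rpartition(":")  # "Local Address:Port" column
        if port.isdigit() and VNC_LO <= int(port) <= VNC_HI:
            if addr not in ("127.0.0.1", "[::1]"):  # ss prints v6 loopback as [::1]
                findings.append(f"VNC listener {cols[3]} is reachable beyond localhost")
    return findings

SAMPLE_SG = {  # constructed sample security group (not a real group)
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # admin range only: fine
        {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5910, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # VNC open to the world: flagged
    ],
}
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
"""
```

On a live host, feed `audit_listeners` the text of `ss -ltn` and `audit_security_group` each group from `json.load` of the CLI output; anything the first function reports should be moved behind an SSH tunnel as the post suggests.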
