kOps addons
- Managed addons, which are configurable through the cluster spec
- Static addons, which are manifest files that are applied as-is
The following addons are managed by kOps and will be upgraded following the kOps and kubernetes lifecycle, and configured based on your cluster spec. kOps will consider both the configuration of the addon itself as well as what other settings you may have configured where applicable.
AWS Load Balancer Controller
AWS Load Balancer Controller offers additional functionality for provisioning ELBs.
Read more in the official documentation.
Cluster autoscaler
| Introduced |
|---|
| Kops 1.19 |
Cluster autoscaler can be enabled to automatically adjust the size of the kubernetes cluster.
```yaml
spec:
  clusterAutoscaler:
    enabled: true
    expander: least-waste
    balanceSimilarNodeGroups: false
    awsUseStaticInstanceList: false
    scaleDownUtilizationThreshold: 0.5
    skipNodesWithLocalStorage: true
    skipNodesWithSystemPods: true
    newPodScaleUpDelay: 0s
    scaleDownDelayAfterAdd: 10m0s
    image: <the latest supported image for the specified kubernetes version>
    cpuRequest: "100m"
    memoryRequest: "300Mi"
```
Read more about cluster autoscaler in the official documentation.
Disabling cluster autoscaler for a given instance group
| Introduced |
|---|
| Kops 1.20 |
You can disable the autoscaler for a given instance group by adding the following to the instance group spec.
```yaml
spec:
  autoscale: false
```
Cert-manager
| Introduced | Minimum K8s Version |
|---|---|
| Kops 1.20 | K8s 1.16 |
Cert-manager handles x509 certificates for your cluster.
```yaml
spec:
  certManager:
    enabled: true
    defaultIssuer: yourDefaultIssuer
```
Warning: cert-manager only supports one installation per cluster. If you are already running cert-manager, you need to either remove this installation prior to enabling this addon, or mark cert-manager as not being managed by kOps (see below). As long as you are using v1 versions of the cert-manager resources, it is safe to remove existing installs and replace them with this addon.
Self-provisioned cert-manager
The following cert-manager configuration allows provisioning cert-manager externally and allows all dependent plugins to be deployed. Please note that addons might run into errors until cert-manager is deployed.
```yaml
spec:
  certManager:
    enabled: true
    managed: false
```
Metrics server
| Introduced |
|---|
| Kops 1.19 |
Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
Read more about Metrics Server in the official documentation.
Secure TLS
| Introduced |
|---|
| Kops 1.20 |
By default, API server will not verify the metrics server TLS certificate. To enable TLS verification, set the following in the cluster spec:
```yaml
spec:
  certManager:
    enabled: true
  metricsServer:
    enabled: true
    insecure: false
```
This requires that cert-manager is installed in the cluster.
Node local DNS cache
| Introduced | Minimum K8s Version |
|---|---|
| Kops 1.18 | K8s 1.15 |
NodeLocal DNSCache can be enabled if you are using CoreDNS. It is used to improve the Cluster DNS performance by running a dns caching agent on cluster nodes as a DaemonSet.
`memoryRequest` and `cpuRequest` for the `node-local-dns` pods can also be configured. If not set, they will be configured by default to `5Mi` and `25m` respectively. If `forwardToKubeDNS` is enabled, kubedns will be used as a default upstream.
```yaml
spec:
  kubeDNS:
    provider: CoreDNS
    nodeLocalDNS:
      enabled: true
      cpuRequest: 25m
```
Node termination handler
Node Termination Handler ensures that the Kubernetes control plane responds appropriately to events that can cause your EC2 instance to become unavailable, such as EC2 maintenance events, EC2 Spot interruptions, and EC2 instance rebalance recommendations. If not handled, your application code may not stop gracefully, take longer to recover full availability, or accidentally schedule work to nodes that are going down.
```yaml
spec:
  nodeTerminationHandler:
    enabled: true
    enableSQSTerminationDraining: true
    managedASGTag: "aws-node-termination-handler/managed"
```
Queue Processor Mode
| Introduced |
|---|
| Kops 1.21 |
If `enableSQSTerminationDraining` is true, Node Termination Handler will operate in Queue Processor mode. In addition to the events mentioned above, Queue Processor mode allows Node Termination Handler to take care of ASG Scale-In, AZ-Rebalance, Unhealthy Instances, EC2 Instance Termination via the API or Console, and more. kOps will provision the necessary infrastructure: an SQS queue, EventBridge rules, and ASG Lifecycle hooks. `managedASGTag` can be configured with Queue Processor mode to distinguish resource ownership between multiple clusters.

The kOps CLI requires additional IAM permissions to manage the requisite EventBridge rules and SQS queue:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:ListTagsForResource",
        "events:PutEvents",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:TagResource",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Warning: If you switch between the two operating modes on an existing cluster, the old resources have to be manually deleted. For IMDS to Queue Processor, this means deleting the k8s nth daemonset. For Queue Processor to IMDS, this means deleting the Kubernetes NTH deployment and the AWS resources: the SQS queue, EventBridge rules, and ASG Lifecycle hooks.
Node Problem Detector
| Introduced |
|---|
| Kops 1.22 |
Node Problem Detector aims to make various node problems visible to the upstream layers in the cluster management stack. It is a daemon that runs on each node, detects node problems and reports them to apiserver.
Snapshot controller
| Introduced | Minimum K8s Version |
|---|---|
| Kops 1.21 | K8s 1.20 |
Snapshot controller implements the volume snapshot features of the Container Storage Interface (CSI).
You can enable the snapshot controller by adding the following to the cluster spec:
```yaml
spec:
  snapshotController:
    enabled: true
```
Note that the in-tree volume drivers do not support this feature. If you are running a cluster on AWS, you can enable the EBS CSI driver by adding the following:
```yaml
spec:
  cloudConfig:
    awsEBSCSIDriver:
      enabled: true
```
Custom addons
The `kops create cluster` command does not support specifying addons to be added to the cluster when it is created. Instead they can be added after cluster creation using kubectl. Alternatively, when creating a cluster from a yaml manifest, addons can be specified using `spec.addons`.
```yaml
spec:
  addons:
  - manifest: s3://my-kops-addons/addon.yaml
```
The docs about the addon management describe in more detail how to define an addon resource with regards to versioning. Here is a minimal example of an addon manifest that would install two different addons.
```yaml
kind: Addons
metadata:
  name: example
spec:
  addons:
  - name: foo.addons.org.io
    version: 0.0.1
    selector:
      k8s-addon: foo.addons.org.io
    manifest: foo.addons.org.io/v0.0.1.yaml
  - name: bar.addons.org.io
    version: 0.0.1
    selector:
      k8s-addon: bar.addons.org.io
    manifest: bar.addons.org.io/v0.0.1.yaml
```
In this example the folder structure follows the `manifest` paths above: the addon manifest sits next to a `foo.addons.org.io/` folder containing `v0.0.1.yaml` and a `bar.addons.org.io/` folder containing `v0.0.1.yaml`.
The yaml files in the foo/bar folders can be any kubernetes resource. Typically this file structure would be pushed to S3 or another of the supported backends and then referenced as above in `spec.addons`. In order for master nodes to be able to access the S3 bucket containing the addon manifests, one might have to add additional IAM policies to the master nodes using `spec.additionalPolicies`, like so:
```yaml
spec:
  additionalPolicies:
    master: |
      [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": ["arn:aws:s3:::my-kops-addons/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": ["arn:aws:s3:::my-kops-addons"]
        }
      ]
```
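As an added check (example code, not part of kOps), the following script lints the wiring above: it collects the buckets that `spec.addons` manifests point at and verifies that the `spec.additionalPolicies.master` statements grant only the read-only S3 actions the control plane needs, scoped to exactly those buckets. The cluster spec is a constructed Python dict (so no YAML parser is needed), with the `master` field holding the JSON string kOps expects there.

```python
import json
from urllib.parse import urlparse

# S3 actions the control plane needs to fetch addon manifests; anything else is flagged.
READ_ONLY_S3 = {"s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"}

def addon_buckets(spec):
    """Buckets referenced by spec.addons manifests (only s3:// URIs are handled here)."""
    buckets = set()
    for addon in spec.get("addons", []):
        url = urlparse(addon["manifest"])
        if url.scheme != "s3":
            raise ValueError(f"unsupported manifest URL: {addon['manifest']}")
        buckets.add(url.netloc)
    return buckets

def lint_master_policy(spec):
    """Findings for spec.additionalPolicies.master; an empty list means tightly scoped."""
    buckets = addon_buckets(spec)
    allowed = {f"arn:aws:s3:::{b}" for b in buckets} | {f"arn:aws:s3:::{b}/*" for b in buckets}
    findings = []
    # The master value is the JSON list of statements kOps adds to the master role policy.
    for i, st in enumerate(json.loads(spec["additionalPolicies"]["master"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        findings += [f"statement {i}: action {a} is not read-only S3" for a in actions if a not in READ_ONLY_S3]
        findings += [f"statement {i}: resource {r} is not an addons bucket" for r in resources if r not in allowed]
    return findings

# Constructed cluster spec mirroring the page: addons live in s3://my-kops-addons.
TIGHT_SPEC = {
    "addons": [{"manifest": "s3://my-kops-addons/addon.yaml"}],
    "additionalPolicies": {"master": json.dumps([
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::my-kops-addons/*"]},
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-kops-addons"]},
    ])},
}
# Same addons, but a policy far wider than the addons need (constructed counter-example).
LOOSE_SPEC = {
    "addons": TIGHT_SPEC["addons"],
    "additionalPolicies": {"master": json.dumps([{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}])},
}

if __name__ == "__main__":
    print(lint_master_policy(TIGHT_SPEC))  # []
    print(lint_master_policy(LOOSE_SPEC))
```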