From 377f549fa28510554f2611e7054dbdd16b84d6ab Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Thu, 5 Aug 2021 20:33:54 +0200
Subject: [PATCH] Remove UseServiceAccountIAM feature flag and rename feature to UseServiceAccountExternalPermissions

---
 cmd/kops/integration_test.go | 16 ++-------------
 docs/releases/1.22-NOTES.md | 14 ++++++++++++++
 k8s/crds/kops.k8s.io_clusters.yaml | 6 ++++++
 pkg/apis/kops/cluster.go | 3 +++
 pkg/apis/kops/v1alpha2/cluster.go | 3 +++
 .../kops/v1alpha2/zz_generated.conversion.go | 2 ++
 .../kops/v1alpha2/zz_generated.deepcopy.go | 5 +++++
 pkg/apis/kops/zz_generated.deepcopy.go | 5 +++++
 pkg/featureflag/featureflag.go | 2 --
 pkg/model/BUILD.bazel | 1 -
 pkg/model/awsmodel/iam.go | 8 ++++----
 .../components/addonmanifests/BUILD.bazel | 1 -
 .../addonmanifests/dnscontroller/remap.go | 2 +-
 pkg/model/components/addonmanifests/remap.go | 3 +--
 pkg/model/context.go | 9 +++++----
 pkg/model/iam/iam_builder.go | 18 +++++++++---------
 tests/e2e/scenarios/lib/common.sh | 1 -
 ...ucket_object_cluster-completed.spec_content | 1 +
 .../aws-lb-controller/in-v1alpha2.yaml | 3 ++-
 ...ucket_object_cluster-completed.spec_content | 1 +
 .../public-jwks-apiserver/in-v1alpha2.yaml | 3 ++-
 .../k8s-1.17.yaml.template | 4 ++--
 .../k8s-1.15.yaml.template | 2 +-
 .../k8s-1.11.yaml.template | 2 +-
 .../bootstrapchannelbuilder.go | 12 ++++++------
 .../fi/cloudup/bootstrapchannelbuilder_test.go | 4 ++--
 upup/pkg/fi/cloudup/template_functions.go | 2 +-
 .../service-account-iam/cluster.yaml | 3 ++-
 28 files changed, 81 insertions(+), 55 deletions(-)

diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index 956bb836b2101..e655adaca16bd 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -392,14 +392,8 @@ func TestPrivateDns2(t *testing.T) {
 runTestTerraformAWS(t)
 }
-// TestDiscoveryFeatureGate runs a simple configuration, but with UseServiceAccountIAM and the ServiceAccountIssuerDiscovery feature gate enabled
+// TestDiscoveryFeatureGate runs a simple configuration, but with UseServiceAccountExternalPermissions and the ServiceAccountIssuerDiscovery feature gate enabled
 func TestDiscoveryFeatureGate(t *testing.T) {
- featureflag.ParseFlags("+UseServiceAccountIAM")
- unsetFeatureFlags := func() {
- featureflag.ParseFlags("-UseServiceAccountIAM")
- }
- defer unsetFeatureFlags()
-
 newIntegrationTest("minimal.example.com", "public-jwks-apiserver").
 withServiceAccountRole("dns-controller.kube-system", true).
 withOIDCDiscovery().
@@ -416,14 +410,8 @@ func TestVFSServiceAccountIssuerDiscovery(t *testing.T) {
 }
-// TestAWSLBController runs a simple configuration, but with AWS LB controller and UseServiceAccountIAM enabled
+// TestAWSLBController runs a simple configuration, but with AWS LB controller and UseServiceAccountExternalPermissions enabled
 func TestAWSLBController(t *testing.T) {
- featureflag.ParseFlags("+UseServiceAccountIAM")
- unsetFeatureFlags := func() {
- featureflag.ParseFlags("-UseServiceAccountIAM")
- }
- defer unsetFeatureFlags()
-
 newIntegrationTest("minimal.example.com", "aws-lb-controller").
 withOIDCDiscovery().
 withServiceAccountRole("dns-controller.kube-system", true).
diff --git a/docs/releases/1.22-NOTES.md b/docs/releases/1.22-NOTES.md
index c9ce4e8989d87..91b50774826a2 100644
--- a/docs/releases/1.22-NOTES.md
+++ b/docs/releases/1.22-NOTES.md
@@ -21,6 +21,20 @@ spec: httpTokens: optional ``` +## External ServiceAccountPermissions + +Many of kOps addons can now make direct use of external permissions. +This can be enabled by adding the following to the Cluster spec: + +``` +spec: + iam: + useServiceAcountExternalPermissions: true +``` + +Currently this is only available using the AWS cloud provider. + + ## Other significant changes * New clusters on AWS will no longer provision an SSH public key by default. To provision diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index 6e0c7745c4044..cb52547892a2d 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -1206,6 +1206,12 @@ spec: - namespace type: object type: array + useServiceAccountExternalPermissions: + description: UseServiceAccountExternalPermissions determines if + managed ServiceAccounts will use external permissions directly. + If this is set to false, ServiceAccounts will assume external + permissions from the instances they run on. + type: boolean required: - legacy type: object diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go index 93572e939b4cb..06bf6cf1f4b2a 100644 --- a/pkg/apis/kops/cluster.go +++ b/pkg/apis/kops/cluster.go 
@@ -304,6 +304,9 @@ type IAMSpec struct {
 Legacy bool `json:"legacy"`
 AllowContainerRegistry bool `json:"allowContainerRegistry,omitempty"`
 PermissionsBoundary *string `json:"permissionsBoundary,omitempty"`
+ // UseServiceAccountExternalPermissions determines if managed ServiceAccounts will use external permissions directly.
+ // If this is set to false, ServiceAccounts will assume external permissions from the instances they run on.
+ UseServiceAccountExternalPermissions *bool `json:"useServiceAccountExternalPermissions,omitempty"`
 // ServiceAccountExternalPermissions defines the relatinship between Kubernetes ServiceAccounts and permissions with external resources.
 ServiceAccountExternalPermissions []ServiceAccountExternalPermission `json:"serviceAccountExternalPermissions,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
index fdb0376bcc915..279533270e8c6 100644
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@@ -301,6 +301,9 @@ type IAMSpec struct {
 Legacy bool `json:"legacy"`
 AllowContainerRegistry bool `json:"allowContainerRegistry,omitempty"`
 PermissionsBoundary *string `json:"permissionsBoundary,omitempty"`
+ // UseServiceAccountExternalPermissions determines if managed ServiceAccounts will use external permissions directly.
+ // If this is set to false, ServiceAccounts will assume external permissions from the instances they run on.
+ UseServiceAccountExternalPermissions *bool `json:"useServiceAccountExternalPermissions,omitempty"`
 // ServiceAccountExternalPermissions defines the relatinship between Kubernetes ServiceAccounts and permissions with external resources.
 ServiceAccountExternalPermissions []ServiceAccountExternalPermission `json:"serviceAccountExternalPermissions,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 6b31f4bba2f19..0aa8114ed7c9d 100644
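Review bot: The doc comment on the new `UseServiceAccountExternalPermissions` field describes only the false case; it says nothing about where the setting is honoured or what it depends on, although the release-notes hunk in this same patch states it is AWS-only and both integration fixtures that set it also call `withOIDCDiscovery()`, which suggests a working ServiceAccount issuer is needed before pods taken off the instance role can obtain any permissions at all. I would extend the comment with `// Currently only honoured by the AWS cloud provider.` and, if the OIDC dependency is confirmed, add a validation error when the field is true without `serviceAccountIssuerDiscovery` configured, since no validation change appears in this patch. Note also that the JSON tag here is `useServiceAccountExternalPermissions`, while the 1.22 release notes in this patch spell the key `useServiceAcountExternalPermissions` (missing a "c"); a user copying that snippet would not enable the feature. The same comment is duplicated in the v1alpha2 hunk and should be kept in sync; the enclosing `IAMSpec` struct begins outside both hunks.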
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -3960,6 +3960,7 @@ func autoConvert_v1alpha2_IAMSpec_To_kops_IAMSpec(in *IAMSpec, out *kops.IAMSpec out.Legacy = in.Legacy out.AllowContainerRegistry = in.AllowContainerRegistry out.PermissionsBoundary = in.PermissionsBoundary + out.UseServiceAccountExternalPermissions = in.UseServiceAccountExternalPermissions if in.ServiceAccountExternalPermissions != nil { in, out := &in.ServiceAccountExternalPermissions, &out.ServiceAccountExternalPermissions *out = make([]kops.ServiceAccountExternalPermission, len(*in)) @@ -3983,6 +3984,7 @@ func autoConvert_kops_IAMSpec_To_v1alpha2_IAMSpec(in *kops.IAMSpec, out *IAMSpec out.Legacy = in.Legacy out.AllowContainerRegistry = in.AllowContainerRegistry out.PermissionsBoundary = in.PermissionsBoundary + out.UseServiceAccountExternalPermissions = in.UseServiceAccountExternalPermissions if in.ServiceAccountExternalPermissions != nil { in, out := &in.ServiceAccountExternalPermissions, &out.ServiceAccountExternalPermissions *out = make([]ServiceAccountExternalPermission, len(*in)) diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index 4f4474eb5f632..35e719ee55358 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -2000,6 +2000,11 @@ func (in *IAMSpec) DeepCopyInto(out *IAMSpec) { *out = new(string) **out = **in } + if in.UseServiceAccountExternalPermissions != nil { + in, out := &in.UseServiceAccountExternalPermissions, &out.UseServiceAccountExternalPermissions + *out = new(bool) + **out = **in + } if in.ServiceAccountExternalPermissions != nil { in, out := &in.ServiceAccountExternalPermissions, &out.ServiceAccountExternalPermissions *out = make([]ServiceAccountExternalPermission, len(*in)) 
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 5444ebecd1bf0..81d525851b6df 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go @@ -2150,6 +2150,11 @@ func (in *IAMSpec) DeepCopyInto(out *IAMSpec) { *out = new(string) **out = **in } + if in.UseServiceAccountExternalPermissions != nil { + in, out := &in.UseServiceAccountExternalPermissions, &out.UseServiceAccountExternalPermissions + *out = new(bool) + **out = **in + } if in.ServiceAccountExternalPermissions != nil { in, out := &in.ServiceAccountExternalPermissions, &out.ServiceAccountExternalPermissions *out = make([]ServiceAccountExternalPermission, len(*in)) diff --git a/pkg/featureflag/featureflag.go b/pkg/featureflag/featureflag.go index d845dbb146f3c..d4a640b726765 100644 --- a/pkg/featureflag/featureflag.go +++ b/pkg/featureflag/featureflag.go @@ -87,8 +87,6 @@ var ( TerraformJSON = new("TerraformJSON", Bool(false)) // ClusterAddons activates experimental cluster-addons support ClusterAddons = new("ClusterAddons", Bool(false)) - // UseServiceAccountIAM controls whether we use pod-level IAM permissions for our system pods and kOps addons. - UseServiceAccountIAM = new("UseServiceAccountIAM", Bool(false)) // Azure toggles the Azure support. Azure = new("Azure", Bool(false)) // KopsControllerStateStore enables fetching the kops state from kops-controller, instead of requiring access to S3/GCS/etc. diff --git a/pkg/model/BUILD.bazel b/pkg/model/BUILD.bazel index 604f4452f9f76..696f33301b681 100644 --- a/pkg/model/BUILD.bazel +++ b/pkg/model/BUILD.bazel @@ -22,7 +22,6 @@ go_library( "//pkg/apis/kops/registry:go_default_library", "//pkg/apis/kops/util:go_default_library", "//pkg/apis/nodeup:go_default_library", - "//pkg/featureflag:go_default_library", "//pkg/kopscodecs:go_default_library", "//pkg/model/components:go_default_library", "//pkg/model/iam:go_default_library", 
diff --git a/pkg/model/awsmodel/iam.go b/pkg/model/awsmodel/iam.go
index 4495b56faa023..d6bfc4ca42734 100644
--- a/pkg/model/awsmodel/iam.go
+++ b/pkg/model/awsmodel/iam.go
@@ -224,10 +224,10 @@ func (b *IAMModelBuilder) buildIAMRole(role iam.Subject, iamName string, c *fi.M
 func (b *IAMModelBuilder) buildIAMRolePolicy(role iam.Subject, iamName string, iamRole *awstasks.IAMRole, c *fi.ModelBuilderContext) error {
 iamPolicy := &iam.PolicyResource{
 Builder: &iam.PolicyBuilder{
- Cluster: b.Cluster,
- Role: role,
- Region: b.Region,
- UseServiceAccountIAM: b.UseServiceAccountIAM(),
+ Cluster: b.Cluster,
+ Role: role,
+ Region: b.Region,
+ UseServiceAccountExternalPermisssions: b.UseServiceAccountExternalPermissions(),
 },
 }
diff --git a/pkg/model/components/addonmanifests/BUILD.bazel b/pkg/model/components/addonmanifests/BUILD.bazel
index 8efb85ce40eb3..eb6effff92b6a 100644
--- a/pkg/model/components/addonmanifests/BUILD.bazel
+++ b/pkg/model/components/addonmanifests/BUILD.bazel
@@ -8,7 +8,6 @@ go_library(
 deps = [
 "//channels/pkg/api:go_default_library",
 "//pkg/assets:go_default_library",
- "//pkg/featureflag:go_default_library",
 "//pkg/kubemanifest:go_default_library",
 "//pkg/model:go_default_library",
 "//pkg/model/components/addonmanifests/awscloudcontrollermanager:go_default_library",
diff --git a/pkg/model/components/addonmanifests/dnscontroller/remap.go b/pkg/model/components/addonmanifests/dnscontroller/remap.go
index 7625223c312e0..a2e532ab88a50 100644
--- a/pkg/model/components/addonmanifests/dnscontroller/remap.go
+++ b/pkg/model/components/addonmanifests/dnscontroller/remap.go
@@ -29,7 +29,7 @@ import (
 // Remap remaps the dns-controller addon
 func Remap(context *model.KopsModelContext, addon *addonsapi.AddonSpec, objects []*kubemanifest.Object) error {
- if !context.UseServiceAccountIAM() {
+ if !context.UseServiceAccountExternalPermissions() {
 return nil
 }
diff --git a/pkg/model/components/addonmanifests/remap.go b/pkg/model/components/addonmanifests/remap.go
index f52593e69f587..5f262f07e42aa 100644
--- a/pkg/model/components/addonmanifests/remap.go
+++ b/pkg/model/components/addonmanifests/remap.go
@@ -25,7 +25,6 @@ import (
 "k8s.io/klog/v2"
 addonsapi "k8s.io/kops/channels/pkg/api"
 "k8s.io/kops/pkg/assets"
- "k8s.io/kops/pkg/featureflag"
 "k8s.io/kops/pkg/kubemanifest"
 "k8s.io/kops/pkg/model"
 "k8s.io/kops/pkg/model/components/addonmanifests/awscloudcontrollermanager"
@@ -83,7 +82,7 @@ func RemapAddonManifest(addon *addonsapi.AddonSpec, context *model.KopsModelCont
 }
 func addServiceAccountRole(context *model.KopsModelContext, objects kubemanifest.ObjectList) error {
- if !featureflag.UseServiceAccountIAM.Enabled() {
+ if !context.UseServiceAccountExternalPermissions() {
 return nil
 }
diff --git a/pkg/model/context.go b/pkg/model/context.go
index 3625881953de2..2bbeb563d3235 100644
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@@ -24,7 +24,6 @@ import (
 "k8s.io/kops/pkg/apis/kops"
 "k8s.io/kops/pkg/apis/kops/model"
 "k8s.io/kops/pkg/apis/kops/util"
- "k8s.io/kops/pkg/featureflag"
 "k8s.io/kops/pkg/model/components"
 "k8s.io/kops/pkg/model/iam"
 nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
@@ -414,7 +413,9 @@ func (b *KopsModelContext) NodePortRange() (utilnet.PortRange, error) {
 return defaultServiceNodePortRange, nil
 }
-// UseServiceAccountIAM returns true if we are using service-account bound IAM roles.
-func (b *KopsModelContext) UseServiceAccountIAM() bool {
- return featureflag.UseServiceAccountIAM.Enabled()
+// UseServiceAccountExternalPermissions returns true if we are using service-account bound IAM roles.
+func (b *KopsModelContext) UseServiceAccountExternalPermissions() bool {
+
+ return b.Cluster.Spec.IAM != nil &&
+ fi.BoolValue(b.Cluster.Spec.IAM.UseServiceAccountExternalPermissions)
 }
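Review bot: `UseServiceAccountExternalPermissions` in context.go now reads only the cluster spec, and a nil `IAM` or nil pointer evaluates to false, so any cluster that was previously run with `KOPS_FEATURE_FLAGS=UseServiceAccountIAM` (the flag this patch deletes with no replacement) silently flips back on its next update: `addServiceAccountRole` above returns early, the ServiceAccount roles in bootstrapchannelbuilder stop being generated, and iam_builder.go puts the EBS CSI statements back onto the master instance role. That is a permission-broadening change nobody opted into and it is not mentioned in the release notes; the notes should state that such clusters must set `spec.iam.useServiceAccountExternalPermissions: true` before upgrading, and the method's doc comment could say `// Defaults to false when spec.iam or the field is unset.` so the fallback is explicit. As a point of style, the blank line directly after the new function signature is not gofmt output; drop it so the body starts with `return b.Cluster.Spec.IAM != nil &&`.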
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 466f1993b48cd..65f30a68992a3 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -230,13 +230,13 @@ func (l *Statement) Equal(r *Statement) bool {
 // PolicyBuilder struct defines all valid fields to be used when building the
 // AWS IAM policy document for a given instance group role.
 type PolicyBuilder struct {
- Cluster *kops.Cluster
- HostedZoneID string
- KMSKeys []string
- Region string
- ResourceARN *string
- Role Subject
- UseServiceAccountIAM bool
+ Cluster *kops.Cluster
+ HostedZoneID string
+ KMSKeys []string
+ Region string
+ ResourceARN *string
+ Role Subject
+ UseServiceAccountExternalPermisssions bool
 }
 // BuildAWSPolicy builds a set of IAM policy statements based on the
@@ -325,7 +325,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys))
 }
- // Protokube needs dns-controller permissions in instance role even if UseServiceAccountIAM.
+ // Protokube needs dns-controller permissions in instance role even if UseServiceAccountExternalPermissions.
 AddDNSControllerPermissions(b, p)
 // If cluster does not use external CCM, the master IAM Role needs CCM permissions
@@ -334,7 +334,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 AddLegacyCCMPermissions(p)
 }
- if !b.UseServiceAccountIAM {
+ if !b.UseServiceAccountExternalPermisssions {
 esc := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled)
 AddAWSEBSCSIDriverPermissions(p, esc)
diff --git a/tests/e2e/scenarios/lib/common.sh b/tests/e2e/scenarios/lib/common.sh
index 730085e53bfbd..2f36f6b183569 100644
--- a/tests/e2e/scenarios/lib/common.sh
+++ b/tests/e2e/scenarios/lib/common.sh
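Review bot: The new exported field is misspelled `UseServiceAccountExternalPermisssions` (three "s"), and the typo is repeated in the `if !b.UseServiceAccountExternalPermisssions` guard in the last hunk and in the composite literal in pkg/model/awsmodel/iam.go, while the accessor that feeds it is spelled correctly `UseServiceAccountExternalPermissions()`. Because this is part of the `iam` package's public surface and gates which permissions land on the master instance role, rename it before anything else depends on the typo: `UseServiceAccountExternalPermissions bool`, `if !b.UseServiceAccountExternalPermissions {`, and `UseServiceAccountExternalPermissions: b.UseServiceAccountExternalPermissions(),` at the call site. The struct also lost its field documentation; a one-liner such as `// UseServiceAccountExternalPermissions omits addon permissions the ServiceAccount roles now carry.` would record why the EBS CSI statements are skipped when it is true. `BuildAWSPolicy` begins and ends outside these hunks.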
@@ -49,7 +49,6 @@ fi if [[ ${KOPS_IRSA-} = true ]]; then OVERRIDES="${OVERRIDES-} --override=cluster.spec.serviceAccountIssuerDiscovery.discoveryStore=${DISCOVERY_STORE}/${CLUSTER_NAME}/discovery" OVERRIDES="${OVERRIDES} --override=cluster.spec.serviceAccountIssuerDiscovery.enableAWSOIDCProvider=true" - KOPS_FEATURE_FLAGS="UseServiceAccountIAM,${KOPS_FEATURE_FLAGS}" fi export GO111MODULE=on diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_cluster-completed.spec_content b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_cluster-completed.spec_content index 68b06817adf2e..f461e1333d580 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_cluster-completed.spec_content @@ -51,6 +51,7 @@ spec: version: 3.4.13 iam: legacy: false + useServiceAccountExternalPermissions: true keyStore: memfs://clusters.example.com/minimal.example.com/pki kubeAPIServer: allowPrivileged: true diff --git a/tests/integration/update_cluster/aws-lb-controller/in-v1alpha2.yaml b/tests/integration/update_cluster/aws-lb-controller/in-v1alpha2.yaml index d06363ff229ed..beaeb8d2c0953 100644 --- a/tests/integration/update_cluster/aws-lb-controller/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/aws-lb-controller/in-v1alpha2.yaml @@ -22,7 +22,8 @@ spec: - instanceGroup: master-us-test-1a name: us-test-1a name: events - iam: {} + iam: + useServiceAccountExternalPermissions: true kubelet: anonymousAuth: false kubernetesVersion: v1.21.0 diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_cluster-completed.spec_content b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_cluster-completed.spec_content index f04ff284e7bc0..1912453ae129e 100644 
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_cluster-completed.spec_content @@ -56,6 +56,7 @@ spec: version: 3.4.13 iam: legacy: false + useServiceAccountExternalPermissions: true keyStore: memfs://clusters.example.com/minimal.example.com/pki kubeAPIServer: allowPrivileged: true diff --git a/tests/integration/update_cluster/public-jwks-apiserver/in-v1alpha2.yaml b/tests/integration/update_cluster/public-jwks-apiserver/in-v1alpha2.yaml index 5d7200c853cca..1b27b29ce0df2 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/public-jwks-apiserver/in-v1alpha2.yaml @@ -18,7 +18,8 @@ spec: - instanceGroup: master-us-test-1a name: us-test-1a name: events - iam: {} + iam: + useServiceAccountExternalPermissions: true kubeAPIServer: featureGates: ServiceAccountIssuerDiscovery: "true" diff --git a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template index f497290dfffa7..99614b4f445f7 100644 --- a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template +++ b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template @@ -415,12 +415,12 @@ spec: topologyKey: topology.kubernetes.io/zone nodeSelector: kubernetes.io/os: linux - {{ if not UseServiceAccountIAM }} + {{ if not UseServiceAccountExternalPermissions }} node-role.kubernetes.io/master: "" {{ end }} serviceAccountName: ebs-csi-controller-sa priorityClassName: system-cluster-critical - {{ if not UseServiceAccountIAM }} + {{ if not UseServiceAccountExternalPermissions }} tolerations: - operator: Exists {{ end }} 
diff --git a/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template b/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template index 5bcbf5605762c..13ecfd1926a8e 100644 --- a/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template +++ b/upup/models/cloudup/resources/addons/cluster-autoscaler.addons.k8s.io/k8s-1.15.yaml.template @@ -264,7 +264,7 @@ spec: topologyKey: topology.kubernetes.io/zone priorityClassName: system-cluster-critical serviceAccountName: cluster-autoscaler - {{ if not UseServiceAccountIAM }} + {{ if not UseServiceAccountExternalPermissions }} tolerations: - operator: "Exists" key: node-role.kubernetes.io/master diff --git a/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template b/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template index 0496936e9970d..afcbd839fb78a 100644 --- a/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template +++ b/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template @@ -202,7 +202,7 @@ spec: requests: cpu: {{ .CPURequest }} memory: {{ .MemoryRequest }} - {{ if not UseServiceAccountIAM }} + {{ if not UseServiceAccountExternalPermissions }} nodeSelector: node-role.kubernetes.io/master: "" tolerations: diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go index b1ad3157bef79..7737b3a3923d7 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go 
@@ -442,7 +442,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 }
 // Generate dns-controller ServiceAccount IAM permissions
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &dnscontroller.ServiceAccount{})
 }
 }
@@ -502,7 +502,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 }
 }
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &clusterautoscaler.ServiceAccount{})
 }
@@ -562,7 +562,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 })
 }
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &nodeterminationhandler.ServiceAccount{})
 }
 }
@@ -604,7 +604,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 }
 // Generate aws-load-balancer-controller ServiceAccount IAM permissions
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &awsloadbalancercontroller.ServiceAccount{})
 }
 }
@@ -906,7 +906,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 Id: id,
 })
 }
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &awscloudcontrollermanager.ServiceAccount{})
 }
 }
@@ -925,7 +925,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 }
 // Generate aws-load-balancer-controller ServiceAccount IAM permissions
- if b.UseServiceAccountIAM() {
+ if b.UseServiceAccountExternalPermissions() {
 serviceAccountRoles = append(serviceAccountRoles, &awsebscsidriver.ServiceAccount{})
 }
 }
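Review bot: In the last hunk the comment `// Generate aws-load-balancer-controller ServiceAccount IAM permissions` sits directly above the line that appends `&awsebscsidriver.ServiceAccount{}`; it was evidently copied from the load-balancer-controller block at the fourth hunk and misdescribes the code it annotates. Change it to `// Generate aws-ebs-csi-driver ServiceAccount IAM permissions`. The cluster-autoscaler, node-termination-handler and cloud-controller-manager hunks carry no comment at all, so adding the same one-liner to each would make the six sites read uniformly, which matters here because these are the only places deciding which addon gets a dedicated IAM role. `buildAddons` begins and ends outside these hunks.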
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder_test.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder_test.go
index dd9289b7697cb..fa99d13102f0e 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder_test.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder_test.go
@@ -59,9 +59,9 @@ func TestBootstrapChannelBuilder_ServiceAccountIAM(t *testing.T) {
 h.SetupMockAWS()
- featureflag.ParseFlags("+UseServiceAccountIAM")
+ featureflag.ParseFlags("+UseServiceAccountExternalPermissions")
 unsetFeatureFlag := func() {
- featureflag.ParseFlags("-UseServiceAccountIAM")
+ featureflag.ParseFlags("-UseServiceAccountExternalPermissions")
 }
 defer unsetFeatureFlag()
 runChannelBuilderTest(t, "service-account-iam", []string{"dns-controller.addons.k8s.io-k8s-1.12", "kops-controller.addons.k8s.io-k8s-1.16"})
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index c453e5d824e0d..2091548356e4b 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@@ -234,7 +234,7 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 }
 dest["IsIPv6Only"] = tf.IsIPv6Only
- dest["UseServiceAccountIAM"] = tf.UseServiceAccountIAM
+ dest["UseServiceAccountExternalPermissions"] = tf.UseServiceAccountExternalPermissions
 if cluster.Spec.NodeTerminationHandler != nil {
 dest["DefaultQueueName"] = func() string {
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/cluster.yaml
index 527e61d85b058..3f34508a9cd61 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/cluster.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/cluster.yaml
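Review bot: `TestBootstrapChannelBuilder_ServiceAccountIAM` still toggles a feature flag named `UseServiceAccountExternalPermissions`, but this patch deletes the only related flag from pkg/featureflag/featureflag.go and declares no successor, so these `featureflag.ParseFlags` calls either name a flag nothing reads or register an ad-hoc one (how ParseFlags treats unknown names cannot be seen from here); either way they no longer affect the test, which now gets its behaviour from `useServiceAccountExternalPermissions: true` in the service-account-iam/cluster.yaml fixture. Remove the two `featureflag.ParseFlags(...)` lines, the `unsetFeatureFlag` closure and the `defer unsetFeatureFlag()`, and drop the `featureflag` import if this was its last use in the file, so the test cannot later mask a regression by appearing to exercise a flag path that does not exist. The test's name and its "service-account-iam" fixture directory also keep the old terminology; renaming them is optional but would match the rest of the patch. The test function begins outside the hunk.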
@@ -20,7 +20,8 @@ spec: - instanceGroup: master-us-test-1a name: master-us-test-1a name: events - iam: {} + iam: + useServiceAccountExternalPermissions: true kubernetesVersion: v1.20.6 masterInternalName: api.internal.minimal.example.com masterPublicName: api.minimal.example.com