Merge pull request #11641 from johngmyers/remove-legacy-iam

Remove fallback support for legacy IAM
kubernetes · May 31, 2021 · e265251 · e265251
2 parents 9725853 + b82b129
commit e265251
Show file tree

Hide file tree

Showing 6 changed files with 173 additions and 307 deletions.
diff --git a/docs/contributing/adding_a_feature.md b/docs/contributing/adding_a_feature.md
@@ -114,12 +114,7 @@ are built by `BuildAWSPolicyMaster()` in pkg/model/iam/iam_builder.go:
 ```
 
 ```go
-func addCiliumEniPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool) {
-	if legacyIAM {
-		// Legacy IAM provides ec2:*, so no additional permissions required
-		return
-	}
-
+func addCiliumEniPermissions(p *Policy, resource stringorslice.StringOrSlice) {
 	p.Statement = append(p.Statement,
 		&Statement{
 			Effect: StatementEffectAllow,

diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -221,14 +221,10 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 		}
 	}
 
-	if (spec.IAM == nil || spec.IAM.Legacy) && !featureflag.LegacyIAM.Enabled() {
+	if spec.IAM == nil || spec.IAM.Legacy {
 		allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "legacy"), "legacy IAM permissions are no longer supported"))
 	}
 
-	if (spec.IAM == nil || spec.IAM.Legacy) && featureflag.UseServiceAccountIAM.Enabled() {
-		allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "legacy"), "legacy IAM permissions are not supported with UseServiceAccountIAM"))
-	}
-
 	if spec.RollingUpdate != nil {
 		allErrs = append(allErrs, validateRollingUpdate(spec.RollingUpdate, fieldPath.Child("rollingUpdate"), false)...)
 	}

diff --git a/pkg/featureflag/featureflag.go b/pkg/featureflag/featureflag.go
@@ -87,8 +87,6 @@ var (
 	SkipEtcdVersionCheck = New("SkipEtcdVersionCheck", Bool(false))
 	// TerraformJSON outputs terraform in JSON instead of hcl output. JSON output can be also parsed by terraform 0.12
 	TerraformJSON = New("TerraformJSON", Bool(false))
-	// LegacyIAM will permit use of legacy IAM permissions.
-	LegacyIAM = New("LegacyIAM", Bool(false))
 	// ClusterAddons activates experimental cluster-addons support
 	ClusterAddons = New("ClusterAddons", Bool(false))
 	// UseServiceAccountIAM controls whether we use pod-level IAM permissions for our system pods and kOps addons.