Merge pull request #8498 from justinsb/cherrypick_8493_release-1.17

Cherry pick of #8493 onto release-1.17
kubernetes · Feb 7, 2020 · e3e1b32 · e3e1b32
2 parents de0cf1b + 3cc1be6
commit e3e1b32
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/pkg/acls/gce/BUILD.bazel b/pkg/acls/gce/BUILD.bazel
@@ -12,5 +12,6 @@ go_library(
         "//upup/pkg/fi/cloudup/gce:go_default_library",
         "//util/pkg/vfs:go_default_library",
         "//vendor/google.golang.org/api/storage/v1:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
     ],
 )
diff --git a/pkg/acls/gce/storage.go b/pkg/acls/gce/storage.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	storage "google.golang.org/api/storage/v1"
+	"k8s.io/klog"
 	"k8s.io/kops/pkg/acls"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi/cloudup"
@@ -52,6 +53,16 @@ func (s *gcsAclStrategy) GetACL(p vfs.Path, cluster *kops.Cluster) (vfs.ACL, err
 		return nil, fmt.Errorf("error querying bucket %q: %v", bucketName, err)
 	}
 
+	bucketPolicyOnly := false
+	if bucket.IamConfiguration != nil && bucket.IamConfiguration.BucketPolicyOnly != nil {
+		bucketPolicyOnly = bucket.IamConfiguration.BucketPolicyOnly.Enabled
+	}
+
+	if bucketPolicyOnly {
+		klog.V(2).Infof("bucket gs://%s has bucket-policy only; won't try to set ACLs", bucketName)
+		return nil, nil
+	}
+
 	// TODO: Cache?
 	cloud, err := cloudup.BuildCloud(cluster)
 	if err != nil {