Node metadata-concealment in GCE

[geojaz]

Fixes metadata-concealment tests in GCE

[BeforeEach] [sig-auth] Metadata Concealment
  /home/eric/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:177
STEP: Creating a kubernetes client
Mar  8 11:59:04.521: INFO: >>> kubeConfig: /tmp/kops683649553/kubeconfig
STEP: Building a namespace api object, basename metadata-concealment
Mar  8 11:59:04.692: INFO: No PodSecurityPolicies found; assuming PodSecurityPolicy is disabled.
STEP: Waiting for a default service account to be provisioned in namespace
[It] should run a check-metadata-concealment job to completion
  /home/eric/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/auth/metadata_concealment.go:34
STEP: Creating a job
STEP: Ensuring job reaches completions
[AfterEach] [sig-auth] Metadata Concealment
  /home/eric/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:178
Mar  8 11:59:08.820: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "metadata-concealment-6800" for this suite.

•
------------------------------
{"msg":"PASSED [sig-auth] Metadata Concealment should run a check-metadata-concealment job to completion","total":-1,"completed":1,"skipped":92,"failed":0}
Mar  8 11:59:08.907: INFO: Running AfterSuite actions on all nodes


Mar  8 11:59:04.715: INFO: Running AfterSuite actions on all nodes
Mar  8 11:59:08.940: INFO: Running AfterSuite actions on node 1


Ran 1 of 4840 Specs in 79.225 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 4839 Skipped


Ginkgo ran 1 suite in 1m26.774641541s
Test Suite Passed
2020/03/08 11:59:08 process.go:155: Step '_output/bin/ginkgo --nodes=30 _output/bin/e2e.test -- --kubeconfig=/tmp/kops683649553/kubeconfig --ginkgo.flakeAttempts=1 --provider=gce --gce-project=my-project --gce-zone=us-central1-c --gce-region=us-central1 --gce-multizone=
false --host=https://35.226.24.160 --cluster-tag=eric.k8s.local --repo-root=. --num-nodes=0 --ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|\[HPA\]|Dashboard|Services.*functioning.*NodePort --ginkgo.focus=Concealment' finished in 1m26.800749736s

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: geojaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [geojaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hakman]

/retest

[rifelpet]

could you add terraform support as well? you should just need to add the Labels field to terraformInstanceCommon below and pipe the value through, as well as update this integration tests

[geojaz]

thanks for catching the omission in TF. I'll send back another one soon

[geojaz]

/retest

[geojaz]

/hold cancel

[geojaz]

@rifelpet is that what you were looking for re: terraform?

[rifelpet]

yea, perfect 👍

[geojaz]

I think this one is good for review now!
/assign @justinsb

[geojaz]

/hold

[geojaz]

/hold cancel

[rifelpet]

/retest

[rifelpet]

this looks good to me now. my only concern is whether this requires users to take any external action when upgrading to the kops version that will include this PR. Will they need to enable something on the GCP side for this? If so we should mention it in the release notes.

[geojaz]

I think you're right- new IGs/clusters should default to this mode. I can create a release note and doc it.

I guess we should also probably make it possible to "upgrade" to this by enabling it in existing IGs. Based on the current level of support for GCE, I think we could document how to enable this proxy if you want it, but try to steer folks towards using new IGs.

I'll have to take another look to see what make most sense.

[geojaz]

@rifelpet added the release note with disclosure and upgrade instructions. how's that look?

[rifelpet]

looks good. I think kops will apply the addon even for existing clusters that dont have the label, but the DaemonSet's labelSelector will prevent pods from getting scheduled on any nodes anyways, so i think thats fine.

/lgtm

[johngmyers]

/test pull-kops-verify-staticcheck

[geojaz]

Yes, it will create the addon, it'll just wait for the selector. I'm ok with that i think