chore(tests): fix them up

2018-11-24 17:03:50 -08:00 · 2018-11-24 17:03:50 -08:00 · 19811d9759
parent f4de628519
commit 19811d9759
26 changed files with 31 additions and 47 deletions
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@ -1064,17 +1064,19 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e

 	kv, err := k8sversion.Parse(cluster.Spec.KubernetesVersion)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to parse kubernetes version: %s", err.Error())
 	}

 	// check if we should set anonymousAuth to false on k8s versions gte than 1.10
 	// we do 1.10 since this is a really critical issues and 1.10 has support
-	if cluster.Spec.Kubelet == nil {
-		cluster.Spec.Kubelet = &api.KubeletConfigSpec{}
-	}
+	if kv.IsGTE("1.10") {
+		if cluster.Spec.Kubelet == nil {
+			cluster.Spec.Kubelet = &api.KubeletConfigSpec{}
+		}

-	if kv.IsGTE("1.10") && cluster.Spec.Kubelet.AnonymousAuth == nil {
-		cluster.Spec.Kubelet.AnonymousAuth = fi.Bool(false)
+		if cluster.Spec.Kubelet.AnonymousAuth == nil {
+			cluster.Spec.Kubelet.AnonymousAuth = fi.Bool(false)
+		}
 	}

 	// Populate the API access, so that it can be discoverable
--- a/tests/integration/create_cluster/complex/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/complex/expected-v1alpha2.yaml
@ -23,7 +23,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.7.1
--- a/tests/integration/create_cluster/ha/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/ha/expected-v1alpha1.yaml
@ -33,7 +33,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.6.0-alpha.3
  masterPublicName: api.ha.example.com
  networkCIDR: 172.20.0.0/16
--- a/tests/integration/create_cluster/ha/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ha/expected-v1alpha2.yaml
@ -31,7 +31,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.6.0-alpha.3
--- a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml
@ -39,7 +39,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.6.0-alpha.3
  masterPublicName: api.ha.example.com
  networkCIDR: 172.20.0.0/16
--- a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml
@ -37,7 +37,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.6.0-alpha.3
--- a/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml
@ -31,7 +31,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.8.0-beta.1
--- a/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml
@ -39,7 +39,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/ingwspecified/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/ingwspecified/expected-v1alpha1.yaml
@ -26,7 +26,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.private.example.com
  networkCIDR: 172.20.0.0/16
--- a/tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml
@ -24,7 +24,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml
@ -25,8 +25,7 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
-  kubernetesVersion: v1.12.0
+  kubernetesVersion: v1.11.0
  masterPublicName: api.minimal.example.com
  networkCIDR: 172.20.0.0/16
  networking:
--- a/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml
@ -23,10 +23,9 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
-  kubernetesVersion: v1.12.0
+  kubernetesVersion: v1.11.0
  masterPublicName: api.minimal.example.com
  networkCIDR: 172.20.0.0/16
  networking:
--- a/tests/integration/create_cluster/minimal/options.yaml
+++ b/tests/integration/create_cluster/minimal/options.yaml
@ -2,4 +2,4 @@ ClusterName: minimal.example.com
 Zones:
 - us-test-1a
 Cloud: aws
-KubernetesVersion: v1.12.0
+KubernetesVersion: v1.11.0
--- a/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml
@ -26,7 +26,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.private.example.com
  networkCIDR: 172.20.0.0/16
--- a/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml
@ -24,7 +24,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml
@ -23,7 +23,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.7.5
--- a/tests/integration/create_cluster/private/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/private/expected-v1alpha1.yaml
@ -30,7 +30,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.private.example.com
  networkCIDR: 172.20.0.0/16
--- a/tests/integration/create_cluster/private/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/private/expected-v1alpha2.yaml
@ -28,7 +28,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/private_shared_subnets/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/private_shared_subnets/expected-v1alpha2.yaml
@ -24,7 +24,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/shared_subnets/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/shared_subnets/expected-v1alpha1.yaml
@ -25,7 +25,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.subnet.example.com
  networkCIDR: 10.0.0.0/12
--- a/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml
@ -23,7 +23,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha1.yaml
@ -25,7 +25,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.subnet.example.com
  networkCIDR: 10.0.0.0/12
--- a/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml
@ -23,7 +23,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/tests/integration/create_cluster/shared_vpc/expected-v1alpha1.yaml
+++ b/tests/integration/create_cluster/shared_vpc/expected-v1alpha1.yaml
@ -25,7 +25,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesVersion: v1.4.8
  masterPublicName: api.vpc.example.com
  networkCIDR: 10.0.0.0/12
--- a/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml
@ -23,7 +23,6 @@ spec:
  iam:
    allowContainerRegistry: true
    legacy: false
-  kubelet: {}
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: v1.4.8
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -280,7 +280,6 @@ func (c *ApplyClusterCmd) Run() error {
 		cluster.Spec.KubernetesVersion = versionWithoutV
 	}

-	// TODO: consider moving this somewhere, it's duplicated on create
 	kv, err := k8sversion.Parse(cluster.Spec.KubernetesVersion)
 	if err != nil {
 		return err
@ -288,21 +287,27 @@ func (c *ApplyClusterCmd) Run() error {

 	// check if we should recommend turning off anonymousAuth on k8s versions gte than 1.10
 	// we do 1.10 since this is a really critical issues and 1.10 has it
-	if cluster.Spec.Kubelet == nil {
-		cluster.Spec.Kubelet = &kops.KubeletConfigSpec{}
-	}
+	if kv.IsGTE("1.10") {
+		// we do a check here because setting modifying the kubelet object messes with the output
+		warn := false
+		if cluster.Spec.Kubelet == nil {
+			warn = true
+		} else if cluster.Spec.Kubelet.AnonymousAuth == nil {
+			warn = true
+		}

-	if kv.IsGTE("1.10") && cluster.Spec.Kubelet.AnonymousAuth == nil {
-		fmt.Println("")
-		fmt.Printf(starline)
-		fmt.Println("")
-		fmt.Println("Kubelet anonymousAuth is currently turned on. This allows RBAC escalation and remote code execution possibilites.")
-		fmt.Println("It is highly recommended you turn it off by setting 'spec.kubelet.anonymousAuth' to 'false' via 'kops edit cluster'")
-		fmt.Println("")
-		fmt.Println("See https://github.com/kubernetes/kops/blob/master/docs/security.md#kubelet-api")
-		fmt.Println("")
-		fmt.Printf(starline)
-		fmt.Println("")
+		if warn {
+			fmt.Println("")
+			fmt.Printf(starline)
+			fmt.Println("")
+			fmt.Println("Kubelet anonymousAuth is currently turned on. This allows RBAC escalation and remote code execution possibilites.")
+			fmt.Println("It is highly recommended you turn it off by setting 'spec.kubelet.anonymousAuth' to 'false' via 'kops edit cluster'")
+			fmt.Println("")
+			fmt.Println("See https://github.com/kubernetes/kops/blob/master/docs/security.md#kubelet-api")
+			fmt.Println("")
+			fmt.Printf(starline)
+			fmt.Println("")
+		}
 	}

 	if err := c.AddFileAssets(assetBuilder); err != nil {