diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go index ea5a48555a..5b26de2fe2 100644 --- a/cmd/kops/create_cluster.go +++ b/cmd/kops/create_cluster.go @@ -833,6 +833,10 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e } } + cluster.Spec.IAM = &api.IAMSpec{ + Legacy: false, + } + sshPublicKeys := make(map[string][]byte) if c.SSHPublicKey != "" { c.SSHPublicKey = utils.ExpandPath(c.SSHPublicKey) diff --git a/cmd/kops/create_cluster_integration_test.go b/cmd/kops/create_cluster_integration_test.go index 093ff87c6e..d60e043095 100644 --- a/cmd/kops/create_cluster_integration_test.go +++ b/cmd/kops/create_cluster_integration_test.go @@ -18,17 +18,19 @@ package main import ( "bytes" - "github.com/golang/glog" "io/ioutil" + "path" + "strings" + "testing" + "time" + + "github.com/golang/glog" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kops/cmd/kops/util" "k8s.io/kops/pkg/apis/kops" "k8s.io/kops/pkg/diff" "k8s.io/kops/pkg/testutils" - "path" - "strings" - "testing" - "time" ) var MagicTimestamp = metav1.Time{Time: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)} @@ -182,7 +184,7 @@ func runCreateClusterIntegrationTest(t *testing.T, srcDir string, version string diffString := diff.FormatDiff(expectedYAML, actualYAML) t.Logf("diff:\n%s\n", diffString) - t.Fatalf("YAML differed from expected") + t.Fatalf("YAML differed from expected (%s)", path.Join(srcDir, expectedClusterPath)) } } diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go index 23f91fdf46..b12bad2167 100644 --- a/pkg/apis/kops/cluster.go +++ b/pkg/apis/kops/cluster.go @@ -143,6 +143,9 @@ type ClusterSpec struct { // This API component is under construction, will remove this comment // once this API is fully functional. Assets *Assets `json:"assets,omitempty"` + + // IAM field adds control over the IAM security policies applied to resources + IAM *IAMSpec `json:"iam,omitempty"` } // FileAssetSpec defines the structure for a file asset @@ -164,6 +167,11 @@ type Assets struct { FileRepository *string `json:"fileRepository,omitempty"` } +// IAMSpec adds control over the IAM security policies applied to resources +type IAMSpec struct { + Legacy bool `json:"legacy"` +} + // HookSpec is a definition hook type HookSpec struct { // Name is an optional name for the hook, otherwise the name is kops-hook- @@ -185,7 +193,7 @@ type HookSpec struct { // ExecContainerAction defines an hood action type ExecContainerAction struct { // Image is the docker image - Image string `json:"image,omitempty" ` + Image string `json:"image,omitempty"` // Command is the command supplied to the above image Command []string `json:"command,omitempty"` // Environment is a map of environment variables added to the hook diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go index 8d94c6581e..8b89456cd6 100644 --- a/pkg/apis/kops/v1alpha1/cluster.go +++ b/pkg/apis/kops/v1alpha1/cluster.go @@ -252,6 +252,9 @@ type ClusterSpec struct { // Alternative locations for files and containers Assets *Assets `json:"assets,omitempty"` + + // IAM field adds control over the IAM security policies applied to resources + IAM *IAMSpec `json:"iam,omitempty"` } // FileAssetSpec defines the structure for a file asset @@ -273,6 +276,11 @@ type Assets struct { FileRepository *string `json:"fileRepository,omitempty"` } +// IAMSpec adds control over the IAM security policies applied to resources +type IAMSpec struct { + Legacy bool `json:"legacy"` +} + // HookSpec is a definition hook type HookSpec struct { // Name is an optional name for the hook, otherwise the name is kops-hook- diff --git a/pkg/apis/kops/v1alpha1/defaults.go b/pkg/apis/kops/v1alpha1/defaults.go index 2071b06051..2c0f12abf6 100644 --- a/pkg/apis/kops/v1alpha1/defaults.go +++ b/pkg/apis/kops/v1alpha1/defaults.go @@ -75,4 +75,10 @@ func SetDefaults_ClusterSpec(obj *ClusterSpec) { obj.Authorization.AlwaysAllow = &AlwaysAllowAuthorizationSpec{} } + if obj.IAM == nil { + obj.IAM = &IAMSpec{ + Legacy: true, + } + } + } diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go index cb85381d7c..d8b0dbf8f9 100644 --- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go @@ -91,6 +91,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_kops_HTTPProxy_To_v1alpha1_HTTPProxy, Convert_v1alpha1_HookSpec_To_kops_HookSpec, Convert_kops_HookSpec_To_v1alpha1_HookSpec, + Convert_v1alpha1_IAMSpec_To_kops_IAMSpec, + Convert_kops_IAMSpec_To_v1alpha1_IAMSpec, Convert_v1alpha1_InstanceGroup_To_kops_InstanceGroup, Convert_kops_InstanceGroup_To_v1alpha1_InstanceGroup, Convert_v1alpha1_InstanceGroupList_To_kops_InstanceGroupList, @@ -700,6 +702,15 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out * } else { out.Assets = nil } + if in.IAM != nil { + in, out := &in.IAM, &out.IAM + *out = new(kops.IAMSpec) + if err := Convert_v1alpha1_IAMSpec_To_kops_IAMSpec(*in, *out, s); err != nil { + return err + } + } else { + out.IAM = nil + } return nil } @@ -905,6 +916,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec, } else { out.Assets = nil } + if in.IAM != nil { + in, out := &in.IAM, &out.IAM + *out = new(IAMSpec) + if err := Convert_kops_IAMSpec_To_v1alpha1_IAMSpec(*in, *out, s); err != nil { + return err + } + } else { + out.IAM = nil + } return nil } @@ -1368,6 +1388,26 @@ func Convert_kops_HookSpec_To_v1alpha1_HookSpec(in *kops.HookSpec, out *HookSpec return autoConvert_kops_HookSpec_To_v1alpha1_HookSpec(in, out, s) } +func autoConvert_v1alpha1_IAMSpec_To_kops_IAMSpec(in *IAMSpec, out *kops.IAMSpec, s conversion.Scope) error { + out.Legacy = in.Legacy + return nil +} + +// Convert_v1alpha1_IAMSpec_To_kops_IAMSpec is an autogenerated conversion function. +func Convert_v1alpha1_IAMSpec_To_kops_IAMSpec(in *IAMSpec, out *kops.IAMSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_IAMSpec_To_kops_IAMSpec(in, out, s) +} + +func autoConvert_kops_IAMSpec_To_v1alpha1_IAMSpec(in *kops.IAMSpec, out *IAMSpec, s conversion.Scope) error { + out.Legacy = in.Legacy + return nil +} + +// Convert_kops_IAMSpec_To_v1alpha1_IAMSpec is an autogenerated conversion function. +func Convert_kops_IAMSpec_To_v1alpha1_IAMSpec(in *kops.IAMSpec, out *IAMSpec, s conversion.Scope) error { + return autoConvert_kops_IAMSpec_To_v1alpha1_IAMSpec(in, out, s) +} + func autoConvert_v1alpha1_InstanceGroup_To_kops_InstanceGroup(in *InstanceGroup, out *kops.InstanceGroup, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1alpha1_InstanceGroupSpec_To_kops_InstanceGroupSpec(&in.Spec, &out.Spec, s); err != nil { diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go index d41b2a43d9..7b7bf27094 100644 --- a/pkg/apis/kops/v1alpha2/cluster.go +++ b/pkg/apis/kops/v1alpha2/cluster.go @@ -168,6 +168,9 @@ type ClusterSpec struct { Hooks []HookSpec `json:"hooks,omitempty"` // Alternative locations for files and containers Assets *Assets `json:"assets,omitempty"` + + // IAM field adds control over the IAM security policies applied to resources + IAM *IAMSpec `json:"iam,omitempty"` } // FileAssetSpec defines the structure for a file asset @@ -189,6 +192,11 @@ type Assets struct { FileRepository *string `json:"fileRepository,omitempty"` } +// IAMSpec adds control over the IAM security policies applied to resources +type IAMSpec struct { + Legacy bool `json:"legacy"` +} + // HookSpec is a definition hook type HookSpec struct { // Name is an optional name for the hook, otherwise the name is kops-hook- diff --git a/pkg/apis/kops/v1alpha2/defaults.go b/pkg/apis/kops/v1alpha2/defaults.go index 6bc933233f..9e393f6dd1 100644 --- a/pkg/apis/kops/v1alpha2/defaults.go +++ b/pkg/apis/kops/v1alpha2/defaults.go @@ -74,4 +74,10 @@ func SetDefaults_ClusterSpec(obj *ClusterSpec) { // Before the Authorization field was introduced, the behaviour was alwaysAllow obj.Authorization.AlwaysAllow = &AlwaysAllowAuthorizationSpec{} } + + if obj.IAM == nil { + obj.IAM = &IAMSpec{ + Legacy: true, + } + } } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 8b5cb3ae60..0f348e4021 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -95,6 +95,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_kops_HTTPProxy_To_v1alpha2_HTTPProxy, Convert_v1alpha2_HookSpec_To_kops_HookSpec, Convert_kops_HookSpec_To_v1alpha2_HookSpec, + Convert_v1alpha2_IAMSpec_To_kops_IAMSpec, + Convert_kops_IAMSpec_To_v1alpha2_IAMSpec, Convert_v1alpha2_InstanceGroup_To_kops_InstanceGroup, Convert_kops_InstanceGroup_To_v1alpha2_InstanceGroup, Convert_v1alpha2_InstanceGroupList_To_kops_InstanceGroupList, @@ -738,6 +740,15 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out * } else { out.Assets = nil } + if in.IAM != nil { + in, out := &in.IAM, &out.IAM + *out = new(kops.IAMSpec) + if err := Convert_v1alpha2_IAMSpec_To_kops_IAMSpec(*in, *out, s); err != nil { + return err + } + } else { + out.IAM = nil + } return nil } @@ -958,6 +969,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec, } else { out.Assets = nil } + if in.IAM != nil { + in, out := &in.IAM, &out.IAM + *out = new(IAMSpec) + if err := Convert_kops_IAMSpec_To_v1alpha2_IAMSpec(*in, *out, s); err != nil { + return err + } + } else { + out.IAM = nil + } return nil } @@ -1466,6 +1486,26 @@ func Convert_kops_HookSpec_To_v1alpha2_HookSpec(in *kops.HookSpec, out *HookSpec return autoConvert_kops_HookSpec_To_v1alpha2_HookSpec(in, out, s) } +func autoConvert_v1alpha2_IAMSpec_To_kops_IAMSpec(in *IAMSpec, out *kops.IAMSpec, s conversion.Scope) error { + out.Legacy = in.Legacy + return nil +} + +// Convert_v1alpha2_IAMSpec_To_kops_IAMSpec is an autogenerated conversion function. +func Convert_v1alpha2_IAMSpec_To_kops_IAMSpec(in *IAMSpec, out *kops.IAMSpec, s conversion.Scope) error { + return autoConvert_v1alpha2_IAMSpec_To_kops_IAMSpec(in, out, s) +} + +func autoConvert_kops_IAMSpec_To_v1alpha2_IAMSpec(in *kops.IAMSpec, out *IAMSpec, s conversion.Scope) error { + out.Legacy = in.Legacy + return nil +} + +// Convert_kops_IAMSpec_To_v1alpha2_IAMSpec is an autogenerated conversion function. +func Convert_kops_IAMSpec_To_v1alpha2_IAMSpec(in *kops.IAMSpec, out *IAMSpec, s conversion.Scope) error { + return autoConvert_kops_IAMSpec_To_v1alpha2_IAMSpec(in, out, s) +} + func autoConvert_v1alpha2_InstanceGroup_To_kops_InstanceGroup(in *InstanceGroup, out *kops.InstanceGroup, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(&in.Spec, &out.Spec, s); err != nil { diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index b125816eef..06afa9f73a 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -78,11 +78,18 @@ type IAMPolicyBuilder struct { HostedZoneID string } +// BuildAWSIAMPolicy builds a set of IAM policy statements based on the +// instance group type and IAM Strict setting within the Cluster Spec func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) { wildcard := stringorslice.Slice([]string{"*"}) - iamPrefix := b.IAMPrefix() + // The Legacy IAM setting deploys an open policy (prior to the hardening PRs) + legacyIAM := false + if b.Cluster.Spec.IAM != nil { + legacyIAM = b.Cluster.Spec.IAM.Legacy + } + p := &IAMPolicy{ Version: IAMPolicyDefaultVersion, } @@ -231,7 +238,7 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) { } if s3Path, ok := vfsPath.(*vfs.S3Path); ok { - addS3Permissions(p, iamPrefix, s3Path, b.Role) + addS3Permissions(p, iamPrefix, s3Path, b.Role, legacyIAM) } else if _, ok := vfsPath.(*vfs.MemFSPath); ok { // Tests -ignore - nothing we can do in terms of IAM policy glog.Warningf("ignoring memfs path %q for IAM policy builder", vfsPath) @@ -275,7 +282,7 @@ func addRoute53ListHostedZonesPermission(p *IAMPolicy) { // addS3Permissions updates the IAM Policy with statements granting tailored // access to S3 assets, depending on the instance role -func addS3Permissions(p *IAMPolicy, iamPrefix string, s3Path *vfs.S3Path, role api.InstanceGroupRole) { +func addS3Permissions(p *IAMPolicy, iamPrefix string, s3Path *vfs.S3Path, role api.InstanceGroupRole, legacyIAM bool) { // Note that the config store may itself be a subdirectory of a bucket iamS3Path := s3Path.Bucket() + "/" + s3Path.Key() iamS3Path = strings.TrimSuffix(iamS3Path, "/") @@ -297,30 +304,42 @@ func addS3Permissions(p *IAMPolicy, iamPrefix string, s3Path *vfs.S3Path, role a ), }) - if role == api.InstanceGroupRoleMaster { - p.Statement = append(p.Statement, &IAMStatement{ - Effect: IAMStatementEffectAllow, - Action: stringorslice.Slice([]string{"s3:Get*"}), - Resource: stringorslice.Of( - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/*"}, ""), - ), - }) - } else if role == api.InstanceGroupRoleNode { - p.Statement = append(p.Statement, &IAMStatement{ - Effect: IAMStatementEffectAllow, - Action: stringorslice.Slice([]string{"s3:Get*"}), - Resource: stringorslice.Of( - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/addons/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/instancegroup/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/issued/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/ssh/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kube-proxy/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kubelet/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/secrets/*"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/cluster.spec"}, ""), - strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/config"}, ""), - ), - }) + if legacyIAM { + if role == api.InstanceGroupRoleMaster || role == api.InstanceGroupRoleNode { + p.Statement = append(p.Statement, &IAMStatement{ + Effect: IAMStatementEffectAllow, + Action: stringorslice.Slice([]string{"s3:*"}), + Resource: stringorslice.Of( + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/*"}, ""), + ), + }) + } + } else { + if role == api.InstanceGroupRoleMaster { + p.Statement = append(p.Statement, &IAMStatement{ + Effect: IAMStatementEffectAllow, + Action: stringorslice.Slice([]string{"s3:Get*"}), + Resource: stringorslice.Of( + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/*"}, ""), + ), + }) + } else if role == api.InstanceGroupRoleNode { + p.Statement = append(p.Statement, &IAMStatement{ + Effect: IAMStatementEffectAllow, + Action: stringorslice.Slice([]string{"s3:Get*"}), + Resource: stringorslice.Of( + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/addons/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/instancegroup/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/issued/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/ssh/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kube-proxy/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kubelet/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/secrets/*"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/cluster.spec"}, ""), + strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/config"}, ""), + ), + }) + } } } diff --git a/pkg/model/iam/iam_builder_test.go b/pkg/model/iam/iam_builder_test.go index ef8293a4b5..7439e0b00b 100644 --- a/pkg/model/iam/iam_builder_test.go +++ b/pkg/model/iam/iam_builder_test.go @@ -97,10 +97,12 @@ func TestS3PolicyGeneration(t *testing.T) { grid := []struct { Role kops.InstanceGroupRole + LegacyIAM bool IAMPolicy IAMPolicy }{ { - Role: "Master", + Role: "Master", + LegacyIAM: false, IAMPolicy: IAMPolicy{ Statement: append(defaultS3Statements, &IAMStatement{ Effect: IAMStatementEffectAllow, @@ -114,7 +116,23 @@ func TestS3PolicyGeneration(t *testing.T) { }, }, { - Role: "Node", + Role: "Master", + LegacyIAM: true, + IAMPolicy: IAMPolicy{ + Statement: append(defaultS3Statements, &IAMStatement{ + Effect: IAMStatementEffectAllow, + Action: stringorslice.Slice([]string{ + "s3:*", + }), + Resource: stringorslice.Of( + "arn:aws:s3:::bucket-name/cluster-name.k8s.local/*", + ), + }), + }, + }, + { + Role: "Node", + LegacyIAM: false, IAMPolicy: IAMPolicy{ Statement: append(defaultS3Statements, &IAMStatement{ Effect: IAMStatementEffectAllow, @@ -136,7 +154,30 @@ func TestS3PolicyGeneration(t *testing.T) { }, }, { - Role: "Bastion", + Role: "Node", + LegacyIAM: true, + IAMPolicy: IAMPolicy{ + Statement: append(defaultS3Statements, &IAMStatement{ + Effect: IAMStatementEffectAllow, + Action: stringorslice.Slice([]string{ + "s3:*", + }), + Resource: stringorslice.Of( + "arn:aws:s3:::bucket-name/cluster-name.k8s.local/*", + ), + }), + }, + }, + { + Role: "Bastion", + LegacyIAM: false, + IAMPolicy: IAMPolicy{ + Statement: defaultS3Statements, + }, + }, + { + Role: "Bastion", + LegacyIAM: true, IAMPolicy: IAMPolicy{ Statement: defaultS3Statements, }, @@ -157,7 +198,7 @@ func TestS3PolicyGeneration(t *testing.T) { continue } - addS3Permissions(ip, "arn:aws", s3Path, x.Role) + addS3Permissions(ip, "arn:aws", s3Path, x.Role, x.LegacyIAM) expectedPolicy, err := x.IAMPolicy.AsJSON() if err != nil { diff --git a/tests/integration/create_cluster/complex/expected-v1alpha2.yaml b/tests/integration/create_cluster/complex/expected-v1alpha2.yaml index 0b39bdd0f0..42eec055a4 100644 --- a/tests/integration/create_cluster/complex/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/complex/expected-v1alpha2.yaml @@ -20,6 +20,8 @@ spec: - instanceGroup: master-us-test-1a name: a name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.7.1 diff --git a/tests/integration/create_cluster/ha/expected-v1alpha1.yaml b/tests/integration/create_cluster/ha/expected-v1alpha1.yaml index b19e2d939f..f30c6c8690 100644 --- a/tests/integration/create_cluster/ha/expected-v1alpha1.yaml +++ b/tests/integration/create_cluster/ha/expected-v1alpha1.yaml @@ -30,6 +30,8 @@ spec: - name: c zone: us-test-1c name: events + iam: + legacy: false kubernetesVersion: v1.6.0-alpha.3 masterPublicName: api.ha.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/create_cluster/ha/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha/expected-v1alpha2.yaml index ad934ba187..2790180527 100644 --- a/tests/integration/create_cluster/ha/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha/expected-v1alpha2.yaml @@ -28,6 +28,8 @@ spec: - instanceGroup: master-us-test-1c name: c name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.6.0-alpha.3 diff --git a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml index 1b698240d6..97f1d85f18 100644 --- a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml +++ b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha1.yaml @@ -36,6 +36,8 @@ spec: name: c zone: us-test-1c name: events + iam: + legacy: false kubernetesVersion: v1.6.0-alpha.3 masterPublicName: api.ha.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml index cc6cfbe56f..bd6e17ea8d 100644 --- a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml @@ -34,6 +34,8 @@ spec: instanceGroup: master-us-test-1c name: c name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.6.0-alpha.3 diff --git a/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml index 038394bb00..4a614b35fa 100644 --- a/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml @@ -36,6 +36,8 @@ spec: - instanceGroup: master-us-test-1a-3 name: a-3 name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.4.8 diff --git a/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml b/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml index 475345007b..d0efe7d3ac 100644 --- a/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml +++ b/tests/integration/create_cluster/minimal/expected-v1alpha1.yaml @@ -22,6 +22,8 @@ spec: - name: a zone: us-test-1a name: events + iam: + legacy: false kubernetesVersion: v1.4.8 masterPublicName: api.minimal.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml index 1ae576be71..be82e866a0 100644 --- a/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml @@ -20,6 +20,8 @@ spec: - instanceGroup: master-us-test-1a name: a name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.4.8 diff --git a/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml b/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml index 2145e85140..529ffa009e 100644 --- a/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml +++ b/tests/integration/create_cluster/ngwspecified/expected-v1alpha1.yaml @@ -23,6 +23,8 @@ spec: - name: a zone: us-test-1a name: events + iam: + legacy: false kubernetesVersion: v1.4.8 masterPublicName: api.private.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml b/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml index b0fb601546..9e6baeb666 100644 --- a/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ngwspecified/expected-v1alpha2.yaml @@ -21,6 +21,8 @@ spec: - instanceGroup: master-us-test-1a name: a name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.4.8 diff --git a/tests/integration/create_cluster/private/expected-v1alpha1.yaml b/tests/integration/create_cluster/private/expected-v1alpha1.yaml index bd75637319..d4b4326823 100644 --- a/tests/integration/create_cluster/private/expected-v1alpha1.yaml +++ b/tests/integration/create_cluster/private/expected-v1alpha1.yaml @@ -27,6 +27,8 @@ spec: - name: a zone: us-test-1a name: events + iam: + legacy: false kubernetesVersion: v1.4.8 masterPublicName: api.private.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/create_cluster/private/expected-v1alpha2.yaml b/tests/integration/create_cluster/private/expected-v1alpha2.yaml index e5ee0a81f7..38536d80d5 100644 --- a/tests/integration/create_cluster/private/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/private/expected-v1alpha2.yaml @@ -25,6 +25,8 @@ spec: - instanceGroup: master-us-test-1a name: a name: events + iam: + legacy: false kubernetesApiAccess: - 0.0.0.0/0 kubernetesVersion: v1.4.8