Apply suggestions from code review

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>

k8s/crds/kops.k8s.io_clusters.yaml

@@ -1175,15 +1175,21 @@ spec:
                           description: AWS grants permissions to AWS resources.
                           properties:
                             inlinePolicy:
+                              description: InlinePolicy is an IAM Policy that will
+                                be attached inline to the IAM Role.
                               type: string
                             policyARNs:
+                              description: PolicyARNs is a list of existing IAM Policies.
                               items:
                                 type: string
                               type: array
                           type: object
                         name:
+                          description: Name is the name of the Kubernetes ServiceAccount.
                           type: string
                         namespace:
+                          description: Namespace is the namespace of the Kubernetes
+                            ServiceAccount.
                           type: string
                       required:
                       - name

pkg/apis/kops/cluster.go

@@ -220,7 +220,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
 
 // ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
 type ServiceAccountExternalPermission struct {
+	// Name is the name of the Kubernetes ServiceAccount.
 	Name string `json:"name"`
+	// Namespace is the namespace of the Kubernetes ServiceAccount.
 	Namespace string `json:"namespace"`
 	// AWS grants permissions to AWS resources.
 	AWS *AWSPermission `json:"aws,omitempty"`
@@ -228,7 +230,9 @@ type ServiceAccountExternalPermission struct {
 
 // AWSPermission grants permissions to AWS resources.
 type AWSPermission struct {
+	// PolicyARNs is a list of existing IAM Policies.
 	PolicyARNs []string `json:"policyARNs,omitempty"`
+	// InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
 	InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 

pkg/apis/kops/v1alpha2/cluster.go

@@ -219,7 +219,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
 
 // ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
 type ServiceAccountExternalPermission struct {
+	// Name is the name of the Kubernetes ServiceAccount.
 	Name string `json:"name"`
+	// Namespace is the namespace of the Kubernetes ServiceAccount.
 	Namespace string `json:"namespace"`
 	// AWS grants permissions to AWS resources.
 	AWS *AWSPermission `json:"aws,omitempty"`
@@ -227,7 +229,9 @@ type ServiceAccountExternalPermission struct {
 
 // AWSPermission grants permissions to AWS resources.
 type AWSPermission struct {
+	// PolicyARNs is a list of existing IAM Policies.
 	PolicyARNs []string `json:"policyARNs,omitempty"`
+	// InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
 	InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 

pkg/apis/kops/validation/validation.go

@@ -257,7 +257,7 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 	if spec.IAM != nil {
 		if len(spec.IAM.ServiceAccountExternalPermissions) > 0 {
 			if spec.ServiceAccountIssuerDiscovery == nil || !spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider {
-				allErrs = append(allErrs, field.Required(fieldPath.Child("serviceAccountIssuerDiscovery", "enableAWSOIDCProvider"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
+				allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "serviceAccountExternalPermissions"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
 			}
 			allErrs = append(allErrs, validateSAExternalPermissions(spec.IAM.ServiceAccountExternalPermissions, fieldPath.Child("iam", "serviceAccountExternalPermissions"))...)
 		}