Merge pull request #8747 from geojaz/gce_bucketacls

Tweak the featureflag.GoogleCloudBucketACL.Enabled

pkg/model/gcemodel/storageacl.go

@@ -66,38 +66,37 @@ func (b *StorageAclBuilder) Build(c *fi.ModelBuilderContext) error {
 				Role:      s("READER"),
 			})
 		}
-	}
 
-	klog.Warningf("we need to split master / node roles")
-	role := kops.InstanceGroupRoleMaster
-	writeablePaths, err := iam.WriteableVFSPaths(b.Cluster, role)
-	if err != nil {
-		return err
-	}
+		klog.Warningf("we need to split master / node roles")
+		role := kops.InstanceGroupRoleMaster
+		writeablePaths, err := iam.WriteableVFSPaths(b.Cluster, role)
+		if err != nil {
+			return err
+		}
 
-	buckets := sets.NewString()
-	for _, p := range writeablePaths {
-		if gcsPath, ok := p.(*vfs.GSPath); ok {
-			bucket := gcsPath.Bucket()
-			if buckets.Has(bucket) {
-				continue
+		buckets := sets.NewString()
+		for _, p := range writeablePaths {
+			if gcsPath, ok := p.(*vfs.GSPath); ok {
+				bucket := gcsPath.Bucket()
+				if buckets.Has(bucket) {
+					continue
+				}
+
+				klog.Warningf("adding bucket level write ACL to gs://%s to support etcd backup", bucket)
+
+				c.AddTask(&gcetasks.StorageBucketAcl{
+					Name:      s("serviceaccount-backup-readwrite-" + bucket),
+					Lifecycle: b.Lifecycle,
+					Bucket:    s(bucket),
+					Entity:    s("user-" + serviceAccount),
+					Role:      s("WRITER"),
+				})
+
+				buckets.Insert(bucket)
+			} else {
+				klog.Warningf("unknown path, can't apply IAM policy: %q", p)
 			}
-
-			klog.Warningf("adding bucket level write ACL to gs://%s to support etcd backup", bucket)
-
-			c.AddTask(&gcetasks.StorageBucketAcl{
-				Name:      s("serviceaccount-backup-readwrite-" + bucket),
-				Lifecycle: b.Lifecycle,
-				Bucket:    s(bucket),
-				Entity:    s("user-" + serviceAccount),
-				Role:      s("WRITER"),
-			})
-
-			buckets.Insert(bucket)
-		} else {
-			klog.Warningf("unknown path, can't apply IAM policy: %q", p)
 		}
 	}
-
 	return nil
 }