From e6f9c8118f0da36261935e5519bf0fefb2f9170d Mon Sep 17 00:00:00 2001 From: Peter Rifel Date: Sun, 30 Dec 2018 10:38:04 -0600 Subject: [PATCH 1/8] Fix alternative AWS partitions in custom instance profiles --- Gopkg.lock | 4 +- pkg/apis/kops/validation/BUILD.bazel | 1 + pkg/apis/kops/validation/instancegroup.go | 13 ++- .../kops/validation/instancegroup_test.go | 10 +++ .../aws/aws-sdk-go/aws/arn/BUILD.bazel | 9 ++ .../github.com/aws/aws-sdk-go/aws/arn/arn.go | 86 +++++++++++++++++++ 6 files changed, 115 insertions(+), 8 deletions(-) create mode 100644 vendor/github.com/aws/aws-sdk-go/aws/arn/BUILD.bazel create mode 100644 vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go diff --git a/Gopkg.lock b/Gopkg.lock index aca9f31c11..5ea521a874 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -100,10 +100,11 @@ version = "v1.0.1" [[projects]] - digest = "1:bec386c02055f020566931a5dae08ec5582f1488f50b18d767d5c0edba71c434" + digest = "1:bc64ec2fe484ee175b0bd8f9306ff392d8b730ebf2de85a736bfa145be6cce13" name = "github.com/aws/aws-sdk-go" packages = [ "aws", + "aws/arn", "aws/awserr", "aws/awsutil", "aws/client", @@ -2173,6 +2174,7 @@ "github.com/MakeNowJust/heredoc", "github.com/Masterminds/sprig", "github.com/aws/aws-sdk-go/aws", + "github.com/aws/aws-sdk-go/aws/arn", "github.com/aws/aws-sdk-go/aws/awserr", "github.com/aws/aws-sdk-go/aws/client", "github.com/aws/aws-sdk-go/aws/credentials", diff --git a/pkg/apis/kops/validation/BUILD.bazel b/pkg/apis/kops/validation/BUILD.bazel index f7b2f54d2c..cd8fec42e0 100644 --- a/pkg/apis/kops/validation/BUILD.bazel +++ b/pkg/apis/kops/validation/BUILD.bazel 
@@ -22,6 +22,7 @@ go_library( "//pkg/util/subnet:go_default_library", "//upup/pkg/fi:go_default_library", "//upup/pkg/fi/cloudup/awsup:go_default_library", + "//vendor/github.com/aws/aws-sdk-go/aws/arn:go_default_library", "//vendor/github.com/blang/semver:go_default_library", "//vendor/github.com/golang/glog:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/validation:go_default_library", diff --git a/pkg/apis/kops/validation/instancegroup.go b/pkg/apis/kops/validation/instancegroup.go index afc4cbae81..4a1b809296 100644 --- a/pkg/apis/kops/validation/instancegroup.go +++ b/pkg/apis/kops/validation/instancegroup.go @@ -18,8 +18,9 @@ package validation import ( "fmt" - "regexp" + "strings" + "github.com/aws/aws-sdk-go/aws/arn" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/kops/pkg/apis/kops" "k8s.io/kops/pkg/apis/kops/util" @@ -171,15 +172,13 @@ func validateExtraUserData(userData *kops.UserData) error { return nil } -// format is arn:aws:iam::123456789012:instance-profile/S3Access -var validARN = regexp.MustCompile(`^arn:aws:iam::\d+:instance-profile\/\S+$`) - // validateInstanceProfile checks the String values for the AuthProfile func validateInstanceProfile(v *kops.IAMProfileSpec, fldPath *field.Path) *field.Error { if v != nil && v.Profile != nil { - arn := *v.Profile - if !validARN.MatchString(arn) { - return field.Invalid(fldPath.Child("Profile"), arn, + instanceProfileARN := *v.Profile + parsedARN, err := arn.Parse(instanceProfileARN) + if err != nil || !strings.HasPrefix(parsedARN.Resource, "instance-profile") { + return field.Invalid(fldPath.Child("Profile"), instanceProfileARN, "Instance Group IAM Instance Profile must be a valid aws arn such as arn:aws:iam::123456789012:instance-profile/KopsExampleRole") } } diff --git a/pkg/apis/kops/validation/instancegroup_test.go b/pkg/apis/kops/validation/instancegroup_test.go index e67966ca5e..fa2977e5c5 100644 --- a/pkg/apis/kops/validation/instancegroup_test.go 
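Review bot: validateInstanceProfile now accepts any service and any resource that merely starts with `instance-profile`, because the replaced regex's `iam` service check and its `instance-profile/` separator were not carried over into the arn.Parse branch — `arn:aws:s3:::instance-profile/x` or `arn:aws:iam::123456789012:instance-profiles` both pass now. Tighten the condition to `if err != nil || parsedARN.Service != "iam" || !strings.HasPrefix(parsedARN.Resource, "instance-profile/") {` so the partition stays open (the point of this change) while the rest of the old shape is kept. The old pattern's empty-region and numeric account-ID constraints are also dropped; whether an empty account ID must be rejected depends on how the profile is consumed downstream, which is not visible here. The test hunk in instancegroup_test.go adds the aws-cn and aws-us-gov positive cases but no negative case for a non-iam service; a case such as `arn:aws:s3:::instance-profile/S3Access` (constructed) expected to fail, alongside the existing `"42"` case, would pin the check.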
+++ b/pkg/apis/kops/validation/instancegroup_test.go @@ -86,6 +86,16 @@ func TestValidateInstanceProfile(t *testing.T) { Profile: s("arn:aws:iam::123456789012:instance-profile/has/path/S3Access"), }, }, + { + Input: &kops.IAMProfileSpec{ + Profile: s("arn:aws-cn:iam::123456789012:instance-profile/has/path/S3Access"), + }, + }, + { + Input: &kops.IAMProfileSpec{ + Profile: s("arn:aws-us-gov:iam::123456789012:instance-profile/has/path/S3Access"), + }, + }, { Input: &kops.IAMProfileSpec{ Profile: s("42"), diff --git a/vendor/github.com/aws/aws-sdk-go/aws/arn/BUILD.bazel b/vendor/github.com/aws/aws-sdk-go/aws/arn/BUILD.bazel new file mode 100644 index 0000000000..2895f14d4e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/arn/BUILD.bazel @@ -0,0 +1,9 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["arn.go"], + importmap = "k8s.io/kops/vendor/github.com/aws/aws-sdk-go/aws/arn", + importpath = "github.com/aws/aws-sdk-go/aws/arn", + visibility = ["//visibility:public"], +) diff --git a/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go b/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go new file mode 100644 index 0000000000..44aa125a18 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go 
@@ -0,0 +1,86 @@ +// Package arn provides a parser for interacting with Amazon Resource Names. +package arn + +import ( + "errors" + "strings" +) + +const ( + arnDelimiter = ":" + arnSections = 6 + arnPrefix = "arn:" + + // zero-indexed + sectionPartition = 1 + sectionService = 2 + sectionRegion = 3 + sectionAccountID = 4 + sectionResource = 5 + + // errors + invalidPrefix = "arn: invalid prefix" + invalidSections = "arn: not enough sections" +) + +// ARN captures the individual fields of an Amazon Resource Name. +// See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more information. +type ARN struct { + // The partition that the resource is in. For standard AWS regions, the partition is "aws". If you have resources in + // other partitions, the partition is "aws-partitionname". For example, the partition for resources in the China + // (Beijing) region is "aws-cn". + Partition string + + // The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of + // namespaces, see + // http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces. + Service string + + // The region the resource resides in. Note that the ARNs for some resources do not require a region, so this + // component might be omitted. + Region string + + // The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the + // ARNs for some resources don't require an account number, so this component might be omitted. + AccountID string + + // The content of this part of the ARN varies by service. It often includes an indicator of the type of resource — + // for example, an IAM user or Amazon RDS database - followed by a slash (/) or a colon (:), followed by the + // resource name itself. 
Some services allows paths for resource names, as described in + // http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-paths. + Resource string +} + +// Parse parses an ARN into its constituent parts. +// +// Some example ARNs: +// arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment +// arn:aws:iam::123456789012:user/David +// arn:aws:rds:eu-west-1:123456789012:db:mysql-db +// arn:aws:s3:::my_corporate_bucket/exampleobject.png +func Parse(arn string) (ARN, error) { + if !strings.HasPrefix(arn, arnPrefix) { + return ARN{}, errors.New(invalidPrefix) + } + sections := strings.SplitN(arn, arnDelimiter, arnSections) + if len(sections) != arnSections { + return ARN{}, errors.New(invalidSections) + } + return ARN{ + Partition: sections[sectionPartition], + Service: sections[sectionService], + Region: sections[sectionRegion], + AccountID: sections[sectionAccountID], + Resource: sections[sectionResource], + }, nil +} + +// String returns the canonical representation of the ARN +func (arn ARN) String() string { + return arnPrefix + + arn.Partition + arnDelimiter + + arn.Service + arnDelimiter + + arn.Region + arnDelimiter + + arn.AccountID + arnDelimiter + + arn.Resource +} From f1fb335fbed9c6b8ddf625ea71c4453efe926502 Mon Sep 17 00:00:00 2001 From: Naresh Kumar Amrutham Date: Mon, 14 Jan 2019 14:40:13 -0800 Subject: [PATCH 2/8] include docker 18.06.1 missed dependency container-selinux-2 --- nodeup/pkg/model/docker.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nodeup/pkg/model/docker.go b/nodeup/pkg/model/docker.go index cbcd352b35..13d301e162 100644 --- a/nodeup/pkg/model/docker.go +++ b/nodeup/pkg/model/docker.go 
@@ -540,7 +540,17 @@ var dockerVersions = []dockerVersion{ Dependencies: []string{"bridge-utils", "libapparmor1", "libltdl7", "perl"}, }, - // 18.06.1 - CentOS / Rhel7 + // 18.06.1 - CentOS / Rhel7 (two packages) + { + DockerVersion: "18.06.1", + Name: "container-selinux-2", + Distros: []distros.Distribution{distros.DistributionRhel7, distros.DistributionCentos7}, + Architectures: []Architecture{ArchitectureAmd64}, + Version: "18.06.1.ce", + Source: "http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.68-1.el7.noarch.rpm", + Hash: "d9f87f7f4f2e8e611f556d873a17b8c0c580fec0", + Dependencies: []string{"policycoreutils-python"}, + }, { DockerVersion: "18.06.1", Name: "docker-ce", From c5c26fe4d268db574084c4ffc2ed81a82efe98b9 Mon Sep 17 00:00:00 2001 From: Naresh Kumar Amrutham Date: Tue, 15 Jan 2019 10:01:28 -0800 Subject: [PATCH 3/8] include dependency container-selinux for docker v17.09 --- nodeup/pkg/model/docker.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nodeup/pkg/model/docker.go b/nodeup/pkg/model/docker.go index 13d301e162..f8fa534315 100644 --- a/nodeup/pkg/model/docker.go +++ b/nodeup/pkg/model/docker.go @@ -502,6 +502,16 @@ var dockerVersions = []dockerVersion{ }, // 17.09.0 - Centos / Rhel7 + { + DockerVersion: "17.09.0", + Name: "container-selinux-2", + Distros: []distros.Distribution{distros.DistributionRhel7, distros.DistributionCentos7}, + Architectures: []Architecture{ArchitectureAmd64}, + Version: "17.09.0.ce", + Source: "http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.68-1.el7.noarch.rpm", + Hash: "d9f87f7f4f2e8e611f556d873a17b8c0c580fec0", + Dependencies: []string{"policycoreutils-python"}, + }, { DockerVersion: "17.09.0", Name: "docker-ce", From 6a0bdfda312fa692ca46a224789e83a45eaa877d Mon Sep 17 00:00:00 2001 
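Review bot: The `container-selinux-2` entry added here (and the matching one for 17.09.0 in PATCH 3/8) sets `Version: "18.06.1.ce"` / `"17.09.0.ce"`, which is the Docker release rather than the rpm's own version (`2.68-1.el7` per the `Source` filename); if `Version` feeds package selection or upgrade comparison elsewhere in nodeup, which is not visible here, that mismatch will mislead. `Source` is fetched over plain `http://`, so the 40-hex-digit `Hash` line is the only integrity control on that download; a comment such as `// Hash is the only integrity check for this rpm since Source is plain http — presumably verified before install, confirm` would make that dependency explicit. The pinned path under `centos/7/extras/` looks like a rolling mirror directory, so this URL may stop resolving once a newer container-selinux replaces 2.68-1; an archive mirror URL, if one exists, would be more durable. Both entries repeat `Source`, `Hash` and `Dependencies` byte-for-byte, so a future hash or URL bump can easily be applied to only one of them; a shared literal would avoid that.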
From: Naresh Kumar Amrutham Date: Tue, 15 Jan 2019 10:04:41 -0800 Subject: [PATCH 4/8] fixed comment --- nodeup/pkg/model/docker.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodeup/pkg/model/docker.go b/nodeup/pkg/model/docker.go index f8fa534315..1c362813fc 100644 --- a/nodeup/pkg/model/docker.go +++ b/nodeup/pkg/model/docker.go @@ -501,7 +501,7 @@ var dockerVersions = []dockerVersion{ //Recommends: aufs-tools, ca-certificates, cgroupfs-mount | cgroup-lite, git, xz-utils, apparmor }, - // 17.09.0 - Centos / Rhel7 + // 17.09.0 - Centos / Rhel7 (two packages) { DockerVersion: "17.09.0", Name: "container-selinux-2", From f1e62c3cc7ba9661770ae533a2df32f00026d88b Mon Sep 17 00:00:00 2001 From: Josh Branham Date: Tue, 15 Jan 2019 15:54:53 -0500 Subject: [PATCH 5/8] Add note regarding upgrading to CoreDNS --- docs/cluster_spec.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index f7decd8fde..d52c09245f 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md @@ -377,6 +377,8 @@ Specifying KubeDNS will install kube-dns as the default service discovery. This will install [CoreDNS](https://coredns.io/) instead of kube-dns. +**Note:** If you are upgrading to CoreDNS, kube-dns will be left in place and must be removed manually. You can scale the kube-dns and kube-dns-autoscaler deployments in the `kube-system` namespace to 0 as a starting point + ### kubeControllerManager This block contains configurations for the `controller-manager`. From 30e35a293ef8606084ab99744cca702fee3711de Mon Sep 17 00:00:00 2001 From: Josh Branham Date: Tue, 15 Jan 2019 18:39:36 -0500 Subject: [PATCH 6/8] Refactor --- docs/cluster_spec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index d52c09245f..1add0e3977 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md 
@@ -377,7 +377,7 @@ Specifying KubeDNS will install kube-dns as the default service discovery. This will install [CoreDNS](https://coredns.io/) instead of kube-dns. -**Note:** If you are upgrading to CoreDNS, kube-dns will be left in place and must be removed manually. You can scale the kube-dns and kube-dns-autoscaler deployments in the `kube-system` namespace to 0 as a starting point +**Note:** If you are upgrading to CoreDNS, kube-dns will be left in place and must be removed manually (you can scale the kube-dns and kube-dns-autoscaler deployments in the `kube-system` namespace to 0 as a starting point). The `kube-dns` service itself should be left, as this retains the ClusterIP and eliminates the possibility of DNS outages in your cluster. ### kubeControllerManager This block contains configurations for the `controller-manager`. From 32f196fd712edd685206d06e746e78674763d299 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Wed, 16 Jan 2019 16:49:46 -0500 Subject: [PATCH 7/8] Remove Initializers from default admission plugins --- pkg/model/components/apiserver.go | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go index 040c2fdf40..14abb2aa67 100644 --- a/pkg/model/components/apiserver.go +++ b/pkg/model/components/apiserver.go @@ -255,7 +255,7 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error { } // Based on recommendations from: // https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use - if b.IsKubernetesGTE("1.10") { + if b.IsKubernetesGTE("1.10") && b.IsKubernetesLT("1.12") { c.EnableAdmissionPlugins = []string{ "Initializers", "NamespaceLifecycle", 
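Review bot: The admission-plugin list is now written out twice — the 1.10–1.12 block in this hunk and the new 1.12+ block in the following hunk (`@@ -270,6 +270,22 @@`) — with `"Initializers"` as the only visible difference, so a future plugin change has to be applied in two places and the two defaults can silently diverge; the middle of the existing list lies between the two hunks, so confirm the lists really match before merging them. A single base list with a version-gated prepend keeps the gate in one place and also removes the duplicated `// Based on recommendations from:` comment pair. BuildOptions starts and ends outside both hunks.
```go
	// Based on recommendations from:
	// https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
	if b.IsKubernetesGTE("1.10") {
		plugins := []string{
			"NamespaceLifecycle",
			"LimitRanger",
			"ServiceAccount",
			"PersistentVolumeLabel",
			"DefaultStorageClass",
			"DefaultTolerationSeconds",
			"MutatingAdmissionWebhook",
			"ValidatingAdmissionWebhook",
			"NodeRestriction",
			"ResourceQuota",
		}
		// Initializers stays in the default set only for 1.10 and 1.11; it is dropped from 1.12 onward.
		if b.IsKubernetesLT("1.12") {
			plugins = append([]string{"Initializers"}, plugins...)
		}
		c.EnableAdmissionPlugins = plugins
	}
	// … unchanged: AnonymousAuth handling …
```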
@@ -270,6 +270,22 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error { "ResourceQuota", } } + // Based on recommendations from: + // https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use + if b.IsKubernetesGTE("1.12") { + c.EnableAdmissionPlugins = []string{ + "NamespaceLifecycle", + "LimitRanger", + "ServiceAccount", + "PersistentVolumeLabel", + "DefaultStorageClass", + "DefaultTolerationSeconds", + "MutatingAdmissionWebhook", + "ValidatingAdmissionWebhook", + "NodeRestriction", + "ResourceQuota", + } + } // We make sure to disable AnonymousAuth from when it was introduced if b.IsKubernetesGTE("1.5") { From c9371add5c777118d5103218de1d3868f0b93984 Mon Sep 17 00:00:00 2001 From: Josh Branham Date: Thu, 17 Jan 2019 11:52:23 -0500 Subject: [PATCH 8/8] Add comment for resetting autoscaling --- docs/cluster_spec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index 1add0e3977..b00e39ad21 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md 
@@ -377,7 +377,7 @@ Specifying KubeDNS will install kube-dns as the default service discovery. This will install [CoreDNS](https://coredns.io/) instead of kube-dns. -**Note:** If you are upgrading to CoreDNS, kube-dns will be left in place and must be removed manually (you can scale the kube-dns and kube-dns-autoscaler deployments in the `kube-system` namespace to 0 as a starting point). The `kube-dns` service itself should be left, as this retains the ClusterIP and eliminates the possibility of DNS outages in your cluster. +**Note:** If you are upgrading to CoreDNS, kube-dns will be left in place and must be removed manually (you can scale the kube-dns and kube-dns-autoscaler deployments in the `kube-system` namespace to 0 as a starting point). The `kube-dns` Service itself should be left in place, as this retains the ClusterIP and eliminates the possibility of DNS outages in your cluster. If you would like to continue autoscaling, update the `kube-dns-autoscaler` Deployment container command for `--target=Deployment/kube-dns` to be `--target=Deployment/coredns`. ### kubeControllerManager This block contains configurations for the `controller-manager`.