Change the control-plane IG role to "ControlPlane" in v1alpha3 API

2022-11-13 19:57:25 -08:00 · 2022-11-13 19:57:25 -08:00 · d39ba74bd7
parent e4606e8ed0
commit d39ba74bd7
105 changed files with 452 additions and 300 deletions
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@ -534,7 +534,7 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 	var nodes []*api.InstanceGroup
 	for _, ig := range instanceGroups {
 		switch ig.Spec.Role {
-		case api.InstanceGroupRoleMaster:
+		case api.InstanceGroupRoleControlPlane:
 			masters = append(masters, ig)
 		case api.InstanceGroupRoleNode:
 			nodes = append(nodes, ig)
--- a/cmd/kops/create_instancegroup.go
+++ b/cmd/kops/create_instancegroup.go
@ -82,7 +82,7 @@ var (
 // NewCmdCreateInstanceGroup create a new cobra command object for creating a instancegroup.
 func NewCmdCreateInstanceGroup(f *util.Factory, out io.Writer) *cobra.Command {
 	options := &CreateInstanceGroupOptions{
-		Role: string(kopsapi.InstanceGroupRoleNode),
+		Role: kopsapi.InstanceGroupRoleNode.ToLowerString(),
 		Edit: true,
 	}

@ -128,7 +128,7 @@ func NewCmdCreateInstanceGroup(f *util.Factory, out io.Writer) *cobra.Command {
 		if r == kopsapi.InstanceGroupRoleAPIServer && !featureflag.APIServerNodes.Enabled() {
 			continue
 		}
-		allRoles = append(allRoles, strings.ToLower(string(r)))
+		allRoles = append(allRoles, r.ToLowerString())
 	}

 	cmd.Flags().StringVar(&options.Role, "role", options.Role, "Type of instance group to create ("+strings.Join(allRoles, ",")+")")
--- a/cmd/kops/delete_instancegroup.go
+++ b/cmd/kops/delete_instancegroup.go
@ -21,7 +21,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strings"

 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -85,7 +84,7 @@ func NewCmdDeleteInstanceGroup(f *util.Factory, out io.Writer) *cobra.Command {

 			return nil
 		},
-		ValidArgsFunction: completeInstanceGroup(f, nil, &[]string{strings.ToLower(string(kops.InstanceGroupRoleMaster))}),
+		ValidArgsFunction: completeInstanceGroup(f, nil, &[]string{kops.InstanceGroupRoleControlPlane.ToLowerString()}),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.TODO()

@ -148,7 +147,7 @@ func RunDeleteInstanceGroup(ctx context.Context, f *util.Factory, out io.Writer,

 	fmt.Fprintf(out, "InstanceGroup %q found for deletion\n", groupName)

-	if group.Spec.Role == kops.InstanceGroupRoleMaster {
+	if group.Spec.Role == kops.InstanceGroupRoleControlPlane {
 		groups, err := clientset.InstanceGroupsFor(cluster).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return fmt.Errorf("listing InstanceGroups: %v", err)
@ -156,7 +155,7 @@ func RunDeleteInstanceGroup(ctx context.Context, f *util.Factory, out io.Writer,

 		onlyMaster := true
 		for _, ig := range groups.Items {
-			if ig.Name != groupName && ig.Spec.Role == kops.InstanceGroupRoleMaster {
+			if ig.Name != groupName && ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
 				onlyMaster = false
 				break
 			}
--- a/cmd/kops/rolling-update_cluster.go
+++ b/cmd/kops/rolling-update_cluster.go
@ -184,7 +184,7 @@ func NewCmdRollingUpdateCluster(f *util.Factory, out io.Writer) *cobra.Command {

 	allRoles := make([]string, 0, len(kopsapi.AllInstanceGroupRoles))
 	for _, r := range kopsapi.AllInstanceGroupRoles {
-		allRoles = append(allRoles, strings.ToLower(string(r)))
+		allRoles = append(allRoles, r.ToLowerString())
 	}

 	cmd.Flags().BoolVarP(&options.Yes, "yes", "y", options.Yes, "Perform rolling update immediately; without --yes rolling-update executes a dry-run")
@ -279,7 +279,7 @@ func RunRollingUpdateCluster(ctx context.Context, f *util.Factory, out io.Writer
 		}
 		countByRole[instanceGroup.Spec.Role] = countByRole[instanceGroup.Spec.Role] + minSize
 	}
-	if countByRole[kopsapi.InstanceGroupRoleAPIServer]+countByRole[kopsapi.InstanceGroupRoleMaster] <= 1 {
+	if countByRole[kopsapi.InstanceGroupRoleAPIServer]+countByRole[kopsapi.InstanceGroupRoleControlPlane] <= 1 {
 		fmt.Fprintf(out, "Detected single-control-plane cluster; won't detach before draining\n")
 		options.DeregisterControlPlaneNodes = false
 	}
--- a/examples/kops-api-example/up.go
+++ b/examples/kops-api-example/up.go
@ -86,7 +86,7 @@ func up(ctx context.Context) error {
 		ig := &api.InstanceGroup{}
 		ig.ObjectMeta.Name = "master"
 		ig.Spec = api.InstanceGroupSpec{
-			Role:    api.InstanceGroupRoleMaster,
+			Role:    api.InstanceGroupRoleControlPlane,
 			Subnets: masterZones,
 		}
 		_, err := clientset.InstanceGroupsFor(cluster).Create(ctx, ig, metav1.CreateOptions{})
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -91,11 +91,11 @@ func (c *NodeupModelContext) Init() error {

 	role := c.BootConfig.InstanceGroupRole

-	if role == kops.InstanceGroupRoleMaster {
+	if role == kops.InstanceGroupRoleControlPlane {
 		c.IsMaster = true
 	}

-	if role == kops.InstanceGroupRoleMaster || role == kops.InstanceGroupRoleAPIServer {
+	if role == kops.InstanceGroupRoleControlPlane || role == kops.InstanceGroupRoleAPIServer {
 		c.HasAPIServer = true
 	}
 	return nil
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@ -1052,7 +1052,7 @@ func (in *WarmPoolSpec) IsEnabled() bool {
 func (in *WarmPoolSpec) ResolveDefaults(ig *InstanceGroup) *WarmPoolSpec {
 	igWarmPool := ig.Spec.WarmPool
 	if igWarmPool == nil {
-		if in == nil || (ig.Spec.Role == InstanceGroupRoleMaster || ig.Spec.Role == InstanceGroupRoleBastion) {
+		if in == nil || (ig.Spec.Role == InstanceGroupRoleControlPlane || ig.Spec.Role == InstanceGroupRoleBastion) {
 			var zero int64
 			return &WarmPoolSpec{
 				MaxSize: &zero,
@ -1061,7 +1061,7 @@ func (in *WarmPoolSpec) ResolveDefaults(ig *InstanceGroup) *WarmPoolSpec {
 		return in
 	}

-	if in == nil || (ig.Spec.Role == InstanceGroupRoleMaster || ig.Spec.Role == InstanceGroupRoleBastion) {
+	if in == nil || (ig.Spec.Role == InstanceGroupRoleControlPlane || ig.Spec.Role == InstanceGroupRoleBastion) {
 		return igWarmPool
 	}

--- a/pkg/apis/kops/cluster_test.go
+++ b/pkg/apis/kops/cluster_test.go
@ -131,25 +131,25 @@ func TestWarmPoolSpec_ResolveDefaults(t *testing.T) {
 			assertResolvesValue(t, tc.name, tc.nonDefaultValue, defaultCluster, nonDefaultGroup, InstanceGroupRoleNode, "{default} {nonDefault} node")
 			assertResolvesValue(t, tc.name, tc.nonDefaultValue, nonDefaultCluster, nonDefaultGroup, InstanceGroupRoleNode, "{nonDefault} {nonDefault} node")

-			assertResolvesValue(t, tc.name, expectedDefaultValue, nil, nil, InstanceGroupRoleMaster, "nil nil master")
-			assertResolvesValue(t, tc.name, expectedDefaultValue, &WarmPoolSpec{}, nil, InstanceGroupRoleMaster, "{nil} nil master")
-			assertResolvesValue(t, tc.name, expectedDefaultValue, defaultCluster, nil, InstanceGroupRoleMaster, "{default} nil master")
-			assertResolvesValue(t, tc.name, expectedDefaultValue, nonDefaultCluster, nil, InstanceGroupRoleMaster, "{nonDefault} nil master")
+			assertResolvesValue(t, tc.name, expectedDefaultValue, nil, nil, InstanceGroupRoleControlPlane, "nil nil master")
+			assertResolvesValue(t, tc.name, expectedDefaultValue, &WarmPoolSpec{}, nil, InstanceGroupRoleControlPlane, "{nil} nil master")
+			assertResolvesValue(t, tc.name, expectedDefaultValue, defaultCluster, nil, InstanceGroupRoleControlPlane, "{default} nil master")
+			assertResolvesValue(t, tc.name, expectedDefaultValue, nonDefaultCluster, nil, InstanceGroupRoleControlPlane, "{nonDefault} nil master")

-			assertResolvesValue(t, tc.name, tc.defaultValue, nil, &WarmPoolSpec{}, InstanceGroupRoleMaster, "nil {nil} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, &WarmPoolSpec{}, &WarmPoolSpec{}, InstanceGroupRoleMaster, "{nil} {nil} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, defaultCluster, &WarmPoolSpec{}, InstanceGroupRoleMaster, "{default} {nil} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, nonDefaultCluster, &WarmPoolSpec{}, InstanceGroupRoleMaster, "{nonDefault} {nil} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, nil, &WarmPoolSpec{}, InstanceGroupRoleControlPlane, "nil {nil} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, &WarmPoolSpec{}, &WarmPoolSpec{}, InstanceGroupRoleControlPlane, "{nil} {nil} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, defaultCluster, &WarmPoolSpec{}, InstanceGroupRoleControlPlane, "{default} {nil} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, nonDefaultCluster, &WarmPoolSpec{}, InstanceGroupRoleControlPlane, "{nonDefault} {nil} master")

-			assertResolvesValue(t, tc.name, tc.defaultValue, nil, defaultGroup, InstanceGroupRoleMaster, "nil {default} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, &WarmPoolSpec{}, defaultGroup, InstanceGroupRoleMaster, "{nil} {default} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, defaultCluster, defaultGroup, InstanceGroupRoleMaster, "{default} {default} master")
-			assertResolvesValue(t, tc.name, tc.defaultValue, nonDefaultCluster, defaultGroup, InstanceGroupRoleMaster, "{nonDefault} {default} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, nil, defaultGroup, InstanceGroupRoleControlPlane, "nil {default} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, &WarmPoolSpec{}, defaultGroup, InstanceGroupRoleControlPlane, "{nil} {default} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, defaultCluster, defaultGroup, InstanceGroupRoleControlPlane, "{default} {default} master")
+			assertResolvesValue(t, tc.name, tc.defaultValue, nonDefaultCluster, defaultGroup, InstanceGroupRoleControlPlane, "{nonDefault} {default} master")

-			assertResolvesValue(t, tc.name, tc.nonDefaultValue, nil, nonDefaultGroup, InstanceGroupRoleMaster, "nil {nonDefault} master")
-			assertResolvesValue(t, tc.name, tc.nonDefaultValue, &WarmPoolSpec{}, nonDefaultGroup, InstanceGroupRoleMaster, "{nil} {nonDefault} master")
-			assertResolvesValue(t, tc.name, tc.nonDefaultValue, defaultCluster, nonDefaultGroup, InstanceGroupRoleMaster, "{default} {nonDefault} master")
-			assertResolvesValue(t, tc.name, tc.nonDefaultValue, nonDefaultCluster, nonDefaultGroup, InstanceGroupRoleMaster, "{nonDefault} {nonDefault} master")
+			assertResolvesValue(t, tc.name, tc.nonDefaultValue, nil, nonDefaultGroup, InstanceGroupRoleControlPlane, "nil {nonDefault} master")
+			assertResolvesValue(t, tc.name, tc.nonDefaultValue, &WarmPoolSpec{}, nonDefaultGroup, InstanceGroupRoleControlPlane, "{nil} {nonDefault} master")
+			assertResolvesValue(t, tc.name, tc.nonDefaultValue, defaultCluster, nonDefaultGroup, InstanceGroupRoleControlPlane, "{default} {nonDefault} master")
+			assertResolvesValue(t, tc.name, tc.nonDefaultValue, nonDefaultCluster, nonDefaultGroup, InstanceGroupRoleControlPlane, "{nonDefault} {nonDefault} master")
 		})
 	}
 }
--- a/pkg/apis/kops/instancegroup.go
+++ b/pkg/apis/kops/instancegroup.go
@ -17,6 +17,8 @@ limitations under the License.
 package kops

 import (
+	"strings"
+
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@ -31,7 +33,7 @@ const (
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

-// InstanceGroup represents a group of instances (either nodes or masters) with the same configuration
+// InstanceGroup represents a group of instances with the same configuration.
 type InstanceGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@ -49,23 +51,23 @@ type InstanceGroupList struct {
 	Items []InstanceGroup `json:"items"`
 }

-// InstanceGroupRole describes the roles of the nodes in this InstanceGroup (master or nodes)
+// InstanceGroupRole describes the roles of the nodes in this InstanceGroup.
 type InstanceGroupRole string

 const (
-	// InstanceGroupRoleMaster is a master role
-	InstanceGroupRoleMaster InstanceGroupRole = "Master"
-	// InstanceGroupRoleNode is a node role
+	// InstanceGroupRoleControlPlane is a control-plane role.
+	InstanceGroupRoleControlPlane InstanceGroupRole = "ControlPlane"
+	// InstanceGroupRoleNode is a node role.
 	InstanceGroupRoleNode InstanceGroupRole = "Node"
-	// InstanceGroupRoleBastion is a bastion role
+	// InstanceGroupRoleBastion is a bastion role.
 	InstanceGroupRoleBastion InstanceGroupRole = "Bastion"
-	// InstanceGroupRoleAPIServer is an API server role
+	// InstanceGroupRoleAPIServer is an API server role.
 	InstanceGroupRoleAPIServer InstanceGroupRole = "APIServer"
 )

 // AllInstanceGroupRoles is a slice of all valid InstanceGroupRole values
 var AllInstanceGroupRoles = []InstanceGroupRole{
-	InstanceGroupRoleMaster,
+	InstanceGroupRoleControlPlane,
 	InstanceGroupRoleAPIServer,
 	InstanceGroupRoleNode,
 	InstanceGroupRoleBastion,
@ -94,7 +96,7 @@ const (
 type InstanceGroupSpec struct {
 	// Manager determines what is managing the node lifecycle
 	Manager InstanceManager `json:"manager,omitempty"`
-	// Type determines the role of instances in this instance group: masters or nodes
+	// Role determines the role of instances in this instance group.
 	Role InstanceGroupRole `json:"role,omitempty"`
 	// Image is the instance (ami etc) we should use
 	Image string `json:"image,omitempty"`
@ -329,10 +331,10 @@ type IAMProfileSpec struct {
 	Profile *string `json:"profile,omitempty"`
 }

-// IsMaster checks if instanceGroup is a master
-func (g *InstanceGroup) IsMaster() bool {
+// IsControlPlane checks if instanceGroup is a control-plane node.
+func (g *InstanceGroup) IsControlPlane() bool {
 	switch g.Spec.Role {
-	case InstanceGroupRoleMaster:
+	case InstanceGroupRoleControlPlane:
 		return true
 	default:
 		return false
@ -351,7 +353,7 @@ func (g *InstanceGroup) IsAPIServerOnly() bool {

 // hasAPIServer checks if instanceGroup runs an API Server
 func (g *InstanceGroup) HasAPIServer() bool {
-	return g.IsMaster() || g.IsAPIServerOnly()
+	return g.IsControlPlane() || g.IsAPIServerOnly()
 }

 // IsBastion checks if instanceGroup is a bastion
@ -371,6 +373,15 @@ func (g *InstanceGroup) AddInstanceGroupNodeLabel() {
 	g.Spec.NodeLabels[NodeLabelInstanceGroup] = g.Name
 }

+func (r InstanceGroupRole) ToLowerString() string {
+	switch r {
+	case InstanceGroupRoleControlPlane:
+		return "control-plane"
+	default:
+		return strings.ToLower(string(r))
+	}
+}
+
 // LoadBalancer defines a load balancer
 type LoadBalancerSpec struct {
 	// LoadBalancerName to associate with this instance group (AWS ELB)
--- a/pkg/apis/kops/parse.go
+++ b/pkg/apis/kops/parse.go
@ -33,10 +33,10 @@ func ParseInstanceGroupRole(input string, lenient bool) (InstanceGroupRole, bool
 		// Accept pluralized "bastions" for "bastion"
 		findRole = strings.TrimSuffix(findRole, "s")
 	}
+	findRole = strings.Replace(findRole, "controlplane", "control-plane", 1)

 	for _, role := range AllInstanceGroupRoles {
-		s := string(role)
-		s = strings.ToLower(s)
+		s := role.ToLowerString()
 		if lenient {
 			s = strings.TrimSuffix(s, "s")
 		}
@ -44,6 +44,11 @@ func ParseInstanceGroupRole(input string, lenient bool) (InstanceGroupRole, bool
 			return role, true
 		}
 	}
+
+	if lenient && strings.ToLower(findRole) == "master" {
+		return InstanceGroupRoleControlPlane, true
+	}
+
 	return "", false
 }

--- a/pkg/apis/kops/parse_test.go
+++ b/pkg/apis/kops/parse_test.go
@ -53,7 +53,15 @@ func Test_ParseInstanceGroupRole(t *testing.T) {
 		},
 		{
 			"Masters", true,
-			InstanceGroupRoleMaster, true,
+			InstanceGroupRoleControlPlane, true,
+		},
+		{
+			"ControlPlanes", true,
+			InstanceGroupRoleControlPlane, true,
+		},
+		{
+			"Control-Planes", true,
+			InstanceGroupRoleControlPlane, true,
 		},
 		{
 			"NotARole", true,
--- a/pkg/apis/kops/v1alpha2/conversion.go
+++ b/pkg/apis/kops/v1alpha2/conversion.go
@ -75,6 +75,26 @@ func Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *kops
 	if err := autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in, out, s); err != nil {
 		return err
 	}
+	if in.AdditionalPolicies != nil {
+		policies := make(map[string]string, len(*in.AdditionalPolicies))
+		for k, v := range *in.AdditionalPolicies {
+			if k == "master" {
+				k = "control-plane"
+			}
+			policies[k] = v
+		}
+		out.AdditionalPolicies = &policies
+	}
+	if in.ExternalPolicies != nil {
+		policies := make(map[string][]string, len(*in.ExternalPolicies))
+		for k, v := range *in.ExternalPolicies {
+			if k == "master" {
+				k = "control-plane"
+			}
+			policies[k] = v
+		}
+		out.ExternalPolicies = &policies
+	}
 	if in.LegacyAPI != nil {
 		if err := autoConvert_v1alpha2_APISpec_To_kops_APISpec(in.LegacyAPI, &out.API, s); err != nil {
 			return err
@ -137,6 +157,26 @@ func Convert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec, out
 	if err := autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in, out, s); err != nil {
 		return err
 	}
+	if in.AdditionalPolicies != nil {
+		policies := make(map[string]string, len(*in.AdditionalPolicies))
+		for k, v := range *in.AdditionalPolicies {
+			if k == "control-plane" {
+				k = "master"
+			}
+			policies[k] = v
+		}
+		out.AdditionalPolicies = &policies
+	}
+	if in.ExternalPolicies != nil {
+		policies := make(map[string][]string, len(*in.ExternalPolicies))
+		for k, v := range *in.ExternalPolicies {
+			if k == "control-plane" {
+				k = "master"
+			}
+			policies[k] = v
+		}
+		out.ExternalPolicies = &policies
+	}
 	out.LegacyAPI = &APISpec{}
 	if err := autoConvert_kops_APISpec_To_v1alpha2_APISpec(&in.API, out.LegacyAPI, s); err != nil {
 		return err
@ -204,6 +244,55 @@ func Convert_kops_ExternalDNSConfig_To_v1alpha2_ExternalDNSConfig(in *kops.Exter
 	return nil
 }

+// Convert_v1alpha2_HookSpec_To_kops_HookSpec is an autogenerated conversion function.
+func Convert_v1alpha2_HookSpec_To_kops_HookSpec(in *HookSpec, out *kops.HookSpec, s conversion.Scope) error {
+	if err := autoConvert_v1alpha2_HookSpec_To_kops_HookSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Roles != nil {
+		for i := range in.Roles {
+			if in.Roles[i] == "Master" {
+				out.Roles[i] = kops.InstanceGroupRoleControlPlane
+			}
+		}
+	}
+	return nil
+}
+
+func Convert_kops_HookSpec_To_v1alpha2_HookSpec(in *kops.HookSpec, out *HookSpec, s conversion.Scope) error {
+	if err := autoConvert_kops_HookSpec_To_v1alpha2_HookSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Roles != nil {
+		for i := range in.Roles {
+			if in.Roles[i] == kops.InstanceGroupRoleControlPlane {
+				out.Roles[i] = "Master"
+			}
+		}
+	}
+	return nil
+}
+
+func Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *InstanceGroupSpec, out *kops.InstanceGroupSpec, s conversion.Scope) error {
+	if err := autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Role == "Master" {
+		out.Role = kops.InstanceGroupRoleControlPlane
+	}
+	return nil
+}
+
+func Convert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.InstanceGroupSpec, out *InstanceGroupSpec, s conversion.Scope) error {
+	if err := autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Role == kops.InstanceGroupRoleControlPlane {
+		out.Role = "Master"
+	}
+	return nil
+}
+
 func Convert_v1alpha2_TopologySpec_To_kops_TopologySpec(in *TopologySpec, out *kops.TopologySpec, s conversion.Scope) error {
 	if err := autoConvert_v1alpha2_TopologySpec_To_kops_TopologySpec(in, out, s); err != nil {
 		return err
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -514,16 +514,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*HookSpec)(nil), (*kops.HookSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha2_HookSpec_To_kops_HookSpec(a.(*HookSpec), b.(*kops.HookSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kops.HookSpec)(nil), (*HookSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kops_HookSpec_To_v1alpha2_HookSpec(a.(*kops.HookSpec), b.(*HookSpec), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*HubbleSpec)(nil), (*kops.HubbleSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_HubbleSpec_To_kops_HubbleSpec(a.(*HubbleSpec), b.(*kops.HubbleSpec), scope)
 	}); err != nil {
@ -574,16 +564,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*InstanceGroupSpec)(nil), (*kops.InstanceGroupSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(a.(*InstanceGroupSpec), b.(*kops.InstanceGroupSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kops.InstanceGroupSpec)(nil), (*InstanceGroupSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(a.(*kops.InstanceGroupSpec), b.(*InstanceGroupSpec), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*InstanceMetadataOptions)(nil), (*kops.InstanceMetadataOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_InstanceMetadataOptions_To_kops_InstanceMetadataOptions(a.(*InstanceMetadataOptions), b.(*kops.InstanceMetadataOptions), scope)
 	}); err != nil {
@ -1204,6 +1184,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*kops.HookSpec)(nil), (*HookSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_HookSpec_To_v1alpha2_HookSpec(a.(*kops.HookSpec), b.(*HookSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*kops.InstanceGroupSpec)(nil), (*InstanceGroupSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(a.(*kops.InstanceGroupSpec), b.(*InstanceGroupSpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*kops.TopologySpec)(nil), (*TopologySpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_kops_TopologySpec_To_v1alpha2_TopologySpec(a.(*kops.TopologySpec), b.(*TopologySpec), scope)
 	}); err != nil {
@ -1229,6 +1219,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*HookSpec)(nil), (*kops.HookSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_HookSpec_To_kops_HookSpec(a.(*HookSpec), b.(*kops.HookSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*InstanceGroupSpec)(nil), (*kops.InstanceGroupSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(a.(*InstanceGroupSpec), b.(*kops.InstanceGroupSpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*TopologySpec)(nil), (*kops.TopologySpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_TopologySpec_To_kops_TopologySpec(a.(*TopologySpec), b.(*kops.TopologySpec), scope)
 	}); err != nil {
@ -4129,11 +4129,6 @@ func autoConvert_v1alpha2_HookSpec_To_kops_HookSpec(in *HookSpec, out *kops.Hook
 	return nil
 }

-// Convert_v1alpha2_HookSpec_To_kops_HookSpec is an autogenerated conversion function.
-func Convert_v1alpha2_HookSpec_To_kops_HookSpec(in *HookSpec, out *kops.HookSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha2_HookSpec_To_kops_HookSpec(in, out, s)
-}
-
 func autoConvert_kops_HookSpec_To_v1alpha2_HookSpec(in *kops.HookSpec, out *HookSpec, s conversion.Scope) error {
 	out.Name = in.Name
 	out.Enabled = in.Enabled
@ -4162,11 +4157,6 @@ func autoConvert_kops_HookSpec_To_v1alpha2_HookSpec(in *kops.HookSpec, out *Hook
 	return nil
 }

-// Convert_kops_HookSpec_To_v1alpha2_HookSpec is an autogenerated conversion function.
-func Convert_kops_HookSpec_To_v1alpha2_HookSpec(in *kops.HookSpec, out *HookSpec, s conversion.Scope) error {
-	return autoConvert_kops_HookSpec_To_v1alpha2_HookSpec(in, out, s)
-}
-
 func autoConvert_v1alpha2_HubbleSpec_To_kops_HubbleSpec(in *HubbleSpec, out *kops.HubbleSpec, s conversion.Scope) error {
 	out.Enabled = in.Enabled
 	out.Metrics = in.Metrics
@ -4507,11 +4497,6 @@ func autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 	return nil
 }

-// Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec is an autogenerated conversion function.
-func Convert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *InstanceGroupSpec, out *kops.InstanceGroupSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in, out, s)
-}
-
 func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.InstanceGroupSpec, out *InstanceGroupSpec, s conversion.Scope) error {
 	out.Manager = InstanceManager(in.Manager)
 	out.Role = InstanceGroupRole(in.Role)
@ -4693,11 +4678,6 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.I
 	return nil
 }

-// Convert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec is an autogenerated conversion function.
-func Convert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.InstanceGroupSpec, out *InstanceGroupSpec, s conversion.Scope) error {
-	return autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in, out, s)
-}
-
 func autoConvert_v1alpha2_InstanceMetadataOptions_To_kops_InstanceMetadataOptions(in *InstanceMetadataOptions, out *kops.InstanceMetadataOptions, s conversion.Scope) error {
 	out.HTTPPutResponseHopLimit = in.HTTPPutResponseHopLimit
 	out.HTTPTokens = in.HTTPTokens
--- a/pkg/apis/kops/v1alpha3/instancegroup.go
+++ b/pkg/apis/kops/v1alpha3/instancegroup.go
@ -21,6 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

+// InstanceGroup represents a group of instances with the same configuration.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:printcolumn:name="role",type="string",JSONPath=".spec.role",description="Role",priority=0
@ -29,7 +30,6 @@ import (
 // +kubebuilder:printcolumn:name="max",type="integer",JSONPath=".spec.maxSize",description="Max",priority=0
 // +kubebuilder:printcolumn:name="zones",type="string",JSONPath=".spec.zones",description="Zones",priority=0
 // +kubebuilder:resource:shortName=ig
-// InstanceGroup represents a group of instances (either nodes or masters) with the same configuration
 type InstanceGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@ -47,7 +47,7 @@ type InstanceGroupList struct {
 	Items []InstanceGroup `json:"items"`
 }

-// InstanceGroupRole string describes the roles of the nodes in this InstanceGroup (master or nodes)
+// InstanceGroupRole string describes the roles of the nodes in this InstanceGroup.
 type InstanceGroupRole string

 type InstanceManager string
@ -56,7 +56,7 @@ type InstanceManager string
 type InstanceGroupSpec struct {
 	// Manager determines what is managing the node lifecycle
 	Manager InstanceManager `json:"manager,omitempty"`
-	// Type determines the role of instances in this instance group: masters or nodes
+	// Role determines the role of instances in this instance group.
 	Role InstanceGroupRole `json:"role,omitempty"`
 	// Image is the instance (ami etc) we should use
 	Image string `json:"image,omitempty"`
--- a/pkg/apis/kops/validation/instancegroup.go
+++ b/pkg/apis/kops/validation/instancegroup.go
@ -45,7 +45,7 @@ func ValidateInstanceGroup(g *kops.InstanceGroup, cloud fi.Cloud, strict bool) f
 	switch g.Spec.Role {
 	case "":
 		allErrs = append(allErrs, field.Required(field.NewPath("spec", "role"), "Role must be set"))
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		if len(g.Spec.Subnets) == 0 {
 			allErrs = append(allErrs, field.Required(field.NewPath("spec", "subnets"), "master InstanceGroup must specify at least one Subnet"))
 		}
@ -137,7 +137,7 @@ func ValidateInstanceGroup(g *kops.InstanceGroup, cloud fi.Cloud, strict bool) f
 	allErrs = append(allErrs, validateInstanceProfile(g.Spec.IAM, field.NewPath("spec", "iam"))...)

 	if g.Spec.RollingUpdate != nil {
-		allErrs = append(allErrs, validateRollingUpdate(g.Spec.RollingUpdate, field.NewPath("spec", "rollingUpdate"), g.Spec.Role == kops.InstanceGroupRoleMaster)...)
+		allErrs = append(allErrs, validateRollingUpdate(g.Spec.RollingUpdate, field.NewPath("spec", "rollingUpdate"), g.Spec.Role == kops.InstanceGroupRoleControlPlane)...)
 	}

 	if g.Spec.NodeLabels != nil {
@ -219,7 +219,7 @@ func validateVolumeMountSpec(path *field.Path, spec kops.VolumeMountSpec) field.
 func CrossValidateInstanceGroup(g *kops.InstanceGroup, cluster *kops.Cluster, cloud fi.Cloud, strict bool) field.ErrorList {
 	allErrs := ValidateInstanceGroup(g, cloud, strict)

-	if g.Spec.Role == kops.InstanceGroupRoleMaster {
+	if g.Spec.Role == kops.InstanceGroupRoleControlPlane {
 		allErrs = append(allErrs, ValidateMasterInstanceGroup(g, cluster)...)
 	}

--- a/pkg/apis/kops/validation/instancegroup_test.go
+++ b/pkg/apis/kops/validation/instancegroup_test.go
@ -131,7 +131,7 @@ func TestValidMasterInstanceGroup(t *testing.T) {
 					Name: "eu-central-1a",
 				},
 				Spec: kops.InstanceGroupSpec{
-					Role: kops.InstanceGroupRoleMaster,
+					Role: kops.InstanceGroupRoleControlPlane,
 				},
 			},
 			ExpectedErrors: 0,
@ -166,7 +166,7 @@ func TestValidMasterInstanceGroup(t *testing.T) {
 					Name: "eu-central-1d",
 				},
 				Spec: kops.InstanceGroupSpec{
-					Role: kops.InstanceGroupRoleMaster,
+					Role: kops.InstanceGroupRoleControlPlane,
 				},
 			},
 			ExpectedErrors: 1,
@ -394,7 +394,7 @@ func TestValidInstanceGroup(t *testing.T) {
 					Name: "eu-central-1a",
 				},
 				Spec: kops.InstanceGroupSpec{
-					Role:    kops.InstanceGroupRoleMaster,
+					Role:    kops.InstanceGroupRoleControlPlane,
 					Subnets: []string{"eu-central-1a"},
 					MaxSize: fi.PtrTo(int32(1)),
 					MinSize: fi.PtrTo(int32(1)),
--- a/pkg/apis/kops/validation/legacy.go
+++ b/pkg/apis/kops/validation/legacy.go
@ -477,7 +477,7 @@ func DeepValidate(c *kops.Cluster, groups []*kops.InstanceGroup, strict bool, cl
 	masterGroupCount := 0
 	nodeGroupCount := 0
 	for _, g := range groups {
-		if g.IsMaster() {
+		if g.IsControlPlane() {
 			masterGroupCount++
 		} else {
 			nodeGroupCount++
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -1081,7 +1081,7 @@ func validateAdditionalPolicy(role string, policy string, fldPath *field.Path) f

 	var valid []string
 	for _, r := range kops.AllInstanceGroupRoles {
-		valid = append(valid, strings.ToLower(string(r)))
+		valid = append(valid, r.ToLowerString())
 	}
 	allErrs = append(allErrs, IsValidValue(fldPath, &role, valid)...)

@ -1109,7 +1109,7 @@ func validateExternalPolicies(role string, policies []string, fldPath *field.Pat

 	var valid []string
 	for _, r := range kops.AllInstanceGroupRoles {
-		valid = append(valid, strings.ToLower(string(r)))
+		valid = append(valid, r.ToLowerString())
 	}
 	allErrs = append(allErrs, IsValidValue(fldPath, &role, valid)...)

--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@ -405,7 +405,7 @@ func Test_Validate_AdditionalPolicies(t *testing.T) {
 		},
 		{
 			Input: map[string]string{
-				"master": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect": "Allow" } ]`,
+				"control-plane": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect": "Allow" } ]`,
 			},
 		},
 		{
@ -416,21 +416,21 @@ func Test_Validate_AdditionalPolicies(t *testing.T) {
 		},
 		{
 			Input: map[string]string{
-				"master": `badjson`,
+				"control-plane": `badjson`,
 			},
-			ExpectedErrors: []string{"Invalid value::spec.additionalPolicies[master]"},
+			ExpectedErrors: []string{"Invalid value::spec.additionalPolicies[control-plane]"},
 		},
 		{
 			Input: map[string]string{
-				"master": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ] } ]`,
+				"control-plane": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ] } ]`,
 			},
-			ExpectedErrors: []string{"Required value::spec.additionalPolicies[master][0].Effect"},
+			ExpectedErrors: []string{"Required value::spec.additionalPolicies[control-plane][0].Effect"},
 		},
 		{
 			Input: map[string]string{
-				"master": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect": "allow" } ]`,
+				"control-plane": `[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect": "allow" } ]`,
 			},
-			ExpectedErrors: []string{"Unsupported value::spec.additionalPolicies[master][0].Effect"},
+			ExpectedErrors: []string{"Unsupported value::spec.additionalPolicies[control-plane][0].Effect"},
 		},
 	}
 	for _, g := range grid {
--- a/pkg/instancegroups/instancegroups.go
+++ b/pkg/instancegroups/instancegroups.go
@ -136,8 +136,8 @@ func (c *RollingUpdateCluster) rollingUpdateInstanceGroup(group *cloudinstances.
 		maxSurge = 0
 	}

-	if group.InstanceGroup.Spec.Role == api.InstanceGroupRoleMaster && maxSurge != 0 {
-		// Masters are incapable of surging because they rely on registering themselves through
+	if group.InstanceGroup.Spec.Role == api.InstanceGroupRoleControlPlane && maxSurge != 0 {
+		// Control plane nodes are incapable of surging because they rely on registering themselves through
 		// the local apiserver. That apiserver depends on the local etcd, which relies on being
 		// joined to the etcd cluster.
 		maxSurge = 0
@ -556,7 +556,7 @@ func hasFailureRelevantToGroup(failures []*validation.ValidationError, group *cl
 		}

 		// if there is a failure in the same instance group or a failure which has cluster wide impact
-		if (failure.InstanceGroup.IsMaster()) || (failure.InstanceGroup == group.InstanceGroup) {
+		if (failure.InstanceGroup.IsControlPlane()) || (failure.InstanceGroup == group.InstanceGroup) {
 			return true
 		}
 	}
@ -657,7 +657,7 @@ func (c *RollingUpdateCluster) drainNode(u *cloudinstances.CloudInstance) error
 		if u.CloudInstanceGroup != nil && u.CloudInstanceGroup.InstanceGroup != nil {
 			role := u.CloudInstanceGroup.InstanceGroup.Spec.Role
 			switch role {
-			case api.InstanceGroupRoleAPIServer, api.InstanceGroupRoleMaster:
+			case api.InstanceGroupRoleAPIServer, api.InstanceGroupRoleControlPlane:
 				klog.Infof("skipping deregistration of instance %q, as part of instancegroup with role %q", u.ID, role)
 				shouldDeregister = false
 			}
@ -703,7 +703,7 @@ func (c *RollingUpdateCluster) deleteNode(node *corev1.Node) error {
 // UpdateSingleInstance performs a rolling update on a single instance
 func (c *RollingUpdateCluster) UpdateSingleInstance(cloudMember *cloudinstances.CloudInstance, detach bool) error {
 	if detach {
-		if cloudMember.CloudInstanceGroup.InstanceGroup.IsMaster() {
+		if cloudMember.CloudInstanceGroup.InstanceGroup.IsControlPlane() {
 			klog.Warning("cannot detach master instances. Assuming --surge=false")
 		} else if cloudMember.CloudInstanceGroup.InstanceGroup.Spec.Manager != api.InstanceManagerKarpenter {
 			err := c.detachInstance(cloudMember)
--- a/pkg/instancegroups/rollingupdate.go
+++ b/pkg/instancegroups/rollingupdate.go
@ -124,7 +124,7 @@ func (c *RollingUpdateCluster) RollingUpdate(groups map[string]*cloudinstances.C
 			nodeGroups[k] = group
 		case api.InstanceGroupRoleAPIServer:
 			apiServerGroups[k] = group
-		case api.InstanceGroupRoleMaster:
+		case api.InstanceGroupRoleControlPlane:
 			masterGroups[k] = group
 		case api.InstanceGroupRoleBastion:
 			bastionGroups[k] = group
--- a/pkg/instancegroups/rollingupdate_os_test.go
+++ b/pkg/instancegroups/rollingupdate_os_test.go
@ -126,7 +126,7 @@ func makeGroupOS(t *testing.T, groups map[string]*cloudinstances.CloudInstanceGr
 	switch role {
 	case kopsapi.InstanceGroupRoleNode:
 		newIg = testutils.BuildMinimalNodeInstanceGroup("nodes-"+subnet, subnet)
-	case kopsapi.InstanceGroupRoleMaster:
+	case kopsapi.InstanceGroupRoleControlPlane:
 		newIg = testutils.BuildMinimalMasterInstanceGroup(subnet)
 	case kopsapi.InstanceGroupRoleBastion:
 		newIg = testutils.BuildMinimalBastionInstanceGroup("bastion-"+subnet, subnet)
@ -192,9 +192,9 @@ func getGroupsAllNeedUpdateOS(t *testing.T, c *RollingUpdateCluster) (map[string
 	igList := &kopsapi.InstanceGroupList{}
 	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[0].Name, kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[1].Name, kopsapi.InstanceGroupRoleNode, 3, 3)
-	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[0].Name, kopsapi.InstanceGroupRoleMaster, 1, 1)
-	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[1].Name, kopsapi.InstanceGroupRoleMaster, 1, 1)
-	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[2].Name, kopsapi.InstanceGroupRoleMaster, 1, 1)
+	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[0].Name, kopsapi.InstanceGroupRoleControlPlane, 1, 1)
+	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[1].Name, kopsapi.InstanceGroupRoleControlPlane, 1, 1)
+	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[2].Name, kopsapi.InstanceGroupRoleControlPlane, 1, 1)
 	makeGroupOS(t, groups, igList, c, c.Cluster.Spec.Subnets[0].Name, kopsapi.InstanceGroupRoleBastion, 1, 1)
 	return groups, igList
 }
--- a/pkg/instancegroups/rollingupdate_test.go
+++ b/pkg/instancegroups/rollingupdate_test.go
@ -192,7 +192,7 @@ func getGroups(k8sClient kubernetes.Interface, cloud awsup.AWSCloud) map[string]
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, k8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 0)
 	makeGroup(groups, k8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 0)
-	makeGroup(groups, k8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 0)
+	makeGroup(groups, k8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 0)
 	makeGroup(groups, k8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 0)
 	return groups
 }
@ -201,7 +201,7 @@ func getGroupsAllNeedUpdate(k8sClient kubernetes.Interface, cloud awsup.AWSCloud
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, k8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroup(groups, k8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 3)
-	makeGroup(groups, k8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 2)
+	makeGroup(groups, k8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 2)
 	makeGroup(groups, k8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 1)
 	return groups
 }
@ -480,7 +480,7 @@ func TestRollingUpdateNonRelatedInstanceGroupFailure(t *testing.T) {
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 0)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 0)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 0)
 	makeGroup(groups, c.K8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 0)

 	c.ClusterValidator = &instanceGroupNodeSpecificErrorClusterValidator{
@ -502,7 +502,7 @@ func TestRollingUpdateRelatedInstanceGroupFailure(t *testing.T) {
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 0)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 0)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 0)
 	makeGroup(groups, c.K8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 0)

 	c.ClusterValidator = &instanceGroupNodeSpecificErrorClusterValidator{
@ -524,7 +524,7 @@ func TestRollingUpdateMasterGroupFailure(t *testing.T) {
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 0)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 0)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 0)
 	makeGroup(groups, c.K8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 0)

 	c.ClusterValidator = &instanceGroupNodeSpecificErrorClusterValidator{
@ -546,7 +546,7 @@ func TestRollingUpdateValidationErrorInstanceGroupNil(t *testing.T) {
 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 3, 3)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 3, 0)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 0)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 0)
 	makeGroup(groups, c.K8sClient, cloud, "bastion-1", kopsapi.InstanceGroupRoleBastion, 1, 0)

 	c.ClusterValidator = &instanceGroupNodeSpecificErrorClusterValidator{
@ -720,7 +720,7 @@ func TestAddAnnotatedNodesToNeedsUpdate(t *testing.T) {
 	c, cloud := getTestSetup()

 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 1)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 1)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 2, 1)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 2, 1)

@ -740,7 +740,7 @@ func TestAddAnnotatedNodesToNeedsUpdateCloudonly(t *testing.T) {
 	c, cloud := getTestSetup()

 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 2, 1)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 2, 1)
 	makeGroup(groups, c.K8sClient, cloud, "node-1", kopsapi.InstanceGroupRoleNode, 2, 1)
 	makeGroup(groups, c.K8sClient, cloud, "node-2", kopsapi.InstanceGroupRoleNode, 2, 1)

@ -845,7 +845,7 @@ func TestRollingUpdateMaxSurgeIgnoredForMaster(t *testing.T) {
 	}

 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 3, 2)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 3, 2)
 	err := c.RollingUpdate(groups, &kopsapi.InstanceGroupList{})
 	assert.NoError(t, err, "rolling update")

@ -1194,7 +1194,7 @@ func TestRollingUpdateMaxUnavailableAllNeedUpdateMaster(t *testing.T) {
 	}

 	groups := make(map[string]*cloudinstances.CloudInstanceGroup)
-	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleMaster, 7, 7)
+	makeGroup(groups, c.K8sClient, cloud, "master-1", kopsapi.InstanceGroupRoleControlPlane, 7, 7)

 	err := c.RollingUpdate(groups, &kopsapi.InstanceGroupList{})
 	assert.NoError(t, err, "rolling update")
--- a/pkg/model/awsmodel/api_loadbalancer.go
+++ b/pkg/model/awsmodel/api_loadbalancer.go
@ -436,7 +436,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}

-	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster)
+	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 	if err != nil {
 		return err
 	}
--- a/pkg/model/awsmodel/autoscalinggroup.go
+++ b/pkg/model/awsmodel/autoscalinggroup.go
@ -455,7 +455,7 @@ func (b *AutoscalingGroupModelBuilder) buildAutoScalingGroupTask(c *fi.ModelBuil
 		if b.UseLoadBalancerForAPI() && ig.HasAPIServer() {
 			if b.UseNetworkLoadBalancer() {
 				t.TargetGroups = append(t.TargetGroups, b.LinkToTargetGroup("tcp"))
-				if b.Cluster.UsesNoneDNS() && ig.IsMaster() {
+				if b.Cluster.UsesNoneDNS() && ig.IsControlPlane() {
 					t.TargetGroups = append(t.TargetGroups, b.LinkToTargetGroup("kops-controller"))
 				}
 				if b.Cluster.Spec.API.LoadBalancer.SSLCertificate != "" {
--- a/pkg/model/awsmodel/autoscalinggroup_test.go
+++ b/pkg/model/awsmodel/autoscalinggroup_test.go
@ -151,7 +151,7 @@ func TestAPIServerAdditionalSecurityGroupsWithNLB(t *testing.T) {
 			Name: "master1",
 		},
 		Spec: kops.InstanceGroupSpec{
-			Role:                     kops.InstanceGroupRoleMaster,
+			Role:                     kops.InstanceGroupRoleControlPlane,
 			Subnets:                  subnets,
 			AdditionalSecurityGroups: []string{"sg-234567890abcdef01"},
 		},
@ -242,7 +242,7 @@ func TestAPIServerAdditionalSecurityGroupsWithNLB(t *testing.T) {
 	launchTemplateForGroup := func(t *testing.T, ig *kops.InstanceGroup) *awstasks.LaunchTemplate {
 		t.Helper()
 		subdomain := ig.Name
-		if ig.Spec.Role == kops.InstanceGroupRoleMaster {
+		if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
 			subdomain = ig.Name + ".masters"
 		}
 		task, ok := c.Tasks[fmt.Sprintf("LaunchTemplate/%s.%s", subdomain, cluster.Name)]
--- a/pkg/model/awsmodel/bastion.go
+++ b/pkg/model/awsmodel/bastion.go
@ -63,7 +63,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	if err != nil {
 		return err
 	}
-	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster)
+	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 	if err != nil {
 		return err
 	}
--- a/pkg/model/awsmodel/external_access.go
+++ b/pkg/model/awsmodel/external_access.go
@ -43,7 +43,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		klog.Warningf("SSHAccess is empty")
 	}

-	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster)
+	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 	if err != nil {
 		return err
 	}
--- a/pkg/model/awsmodel/firewall.go
+++ b/pkg/model/awsmodel/firewall.go
@ -232,7 +232,7 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 }

 func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext, nodeGroups []SecurityGroupInfo) ([]SecurityGroupInfo, error) {
-	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster)
+	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleControlPlane)
 	if err != nil {
 		return nil, err
 	}
@ -303,7 +303,7 @@ type SecurityGroupInfo struct {

 func (b *AWSModelContext) GetSecurityGroups(role kops.InstanceGroupRole) ([]SecurityGroupInfo, error) {
 	var baseGroup *awstasks.SecurityGroup
-	if role == kops.InstanceGroupRoleMaster {
+	if role == kops.InstanceGroupRoleControlPlane {
 		name := b.SecurityGroupName(role)
 		baseGroup = &awstasks.SecurityGroup{
 			Name:        fi.PtrTo(name),
--- a/pkg/model/awsmodel/iam.go
+++ b/pkg/model/awsmodel/iam.go
@ -267,7 +267,7 @@ func (b *IAMModelBuilder) roleKey(role iam.Subject) (string, bool) {
 	// This isn't great, but we have to be backwards compatible with the old names.
 	switch role.(type) {
 	case *iam.NodeRoleMaster:
-		return strings.ToLower(string(kops.InstanceGroupRoleMaster)), false
+		return "master", false
 	case *iam.NodeRoleAPIServer:
 		return strings.ToLower(string(kops.InstanceGroupRoleAPIServer)), false
 	case *iam.NodeRoleNode:
@ -325,7 +325,11 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.

 				if b.Cluster.Spec.ExternalPolicies != nil {
 					p := *(b.Cluster.Spec.ExternalPolicies)
-					externalPolicies = append(externalPolicies, p[roleKey]...)
+					key := roleKey
+					if key == "master" {
+						key = "control-plane"
+					}
+					externalPolicies = append(externalPolicies, p[key]...)
 				}
 				sort.Strings(externalPolicies)

--- a/pkg/model/awsmodel/spotinst.go
+++ b/pkg/model/awsmodel/spotinst.go
@ -157,7 +157,7 @@ func (b *SpotInstanceGroupModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		switch ig.Spec.Role {

 		// Create both Master and Bastion instance groups as Elastigroups.
-		case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleBastion:
+		case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleBastion:
 			err = b.buildElastigroup(c, ig)

 		// Create Node instance groups as Elastigroups or a single Ocean with
@ -844,7 +844,7 @@ func (b *SpotInstanceGroupModelBuilder) buildAutoScalerOpts(clusterID string, ig
 	}

 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		return opts, nil

 	case kops.InstanceGroupRoleBastion:
@ -1110,7 +1110,7 @@ func defaultSpotPercentage(ig *kops.InstanceGroup) *float64 {
 	var percentage float64

 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleBastion:
+	case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleBastion:
 		percentage = 0
 	case kops.InstanceGroupRoleNode:
 		percentage = 100
--- a/pkg/model/azuremodel/api_loadbalancer_test.go
+++ b/pkg/model/azuremodel/api_loadbalancer_test.go
@ -28,7 +28,7 @@ func TestAPILoadBalancerModelBuilder_Build(t *testing.T) {
 	b := APILoadBalancerModelBuilder{
 		AzureModelContext: newTestAzureModelContext(),
 	}
-	b.InstanceGroups[0].Spec.Role = kops.InstanceGroupRoleMaster
+	b.InstanceGroups[0].Spec.Role = kops.InstanceGroupRoleControlPlane
 	c := &fi.ModelBuilderContext{
 		Tasks: make(map[string]fi.Task),
 	}
@ -56,7 +56,7 @@ func TestSubnetForLoadbalancer(t *testing.T) {
 			Type: kops.SubnetTypeUtility,
 		},
 	}
-	b.InstanceGroups[0].Spec.Role = kops.InstanceGroupRoleMaster
+	b.InstanceGroups[0].Spec.Role = kops.InstanceGroupRoleControlPlane
 	b.InstanceGroups[0].Spec.Subnets = []string{
 		"master",
 	}
--- a/pkg/model/azuremodel/context.go
+++ b/pkg/model/azuremodel/context.go
@ -115,7 +115,10 @@ func (c *AzureModelContext) CloudTagsForInstanceGroup(ig *kops.InstanceGroup) ma
 	}

 	// The system tags take priority because the cluster likely breaks without them...
-	labels[azure.TagNameRolePrefix+strings.ToLower(string(ig.Spec.Role))] = "1"
+	labels[azure.TagNameRolePrefix+ig.Spec.Role.ToLowerString()] = "1"
+	if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
+		labels[azure.TagNameRolePrefix+"master"] = "1"
+	}

 	// Set the tag used by kops-controller to identify the instance group to which the VM ScaleSet belongs.
 	labels[nodeidentityazure.InstanceGroupNameTag] = ig.Name
--- a/pkg/model/azuremodel/vmscaleset.go
+++ b/pkg/model/azuremodel/vmscaleset.go
@ -136,7 +136,7 @@ func (b *VMScaleSetModelBuilder) buildVMScaleSetTask(
 		return nil, fmt.Errorf("unexpected subnet type: for InstanceGroup %q; type was %s", ig.Name, subnet.Type)
 	}

-	if ig.Spec.Role == kops.InstanceGroupRoleMaster && b.Cluster.Spec.API.LoadBalancer != nil {
+	if ig.Spec.Role == kops.InstanceGroupRoleControlPlane && b.Cluster.Spec.API.LoadBalancer != nil {
 		t.LoadBalancer = &azuretasks.LoadBalancer{
 			Name: to.StringPtr(b.NameForLoadBalancer()),
 		}
--- a/pkg/model/azuremodel/vmscaleset_test.go
+++ b/pkg/model/azuremodel/vmscaleset_test.go
@ -84,7 +84,7 @@ func TestGetCapacity(t *testing.T) {
 	}{
 		{
 			spec: kops.InstanceGroupSpec{
-				Role:    kops.InstanceGroupRoleMaster,
+				Role:    kops.InstanceGroupRoleControlPlane,
 				MinSize: fi.PtrTo(int32(3)),
 				MaxSize: fi.PtrTo(int32(3)),
 			},
@ -93,7 +93,7 @@ func TestGetCapacity(t *testing.T) {
 		},
 		{
 			spec: kops.InstanceGroupSpec{
-				Role: kops.InstanceGroupRoleMaster,
+				Role: kops.InstanceGroupRoleControlPlane,
 			},
 			success:  true,
 			capacity: 1,
@ -107,7 +107,7 @@ func TestGetCapacity(t *testing.T) {
 		},
 		{
 			spec: kops.InstanceGroupSpec{
-				Role:    kops.InstanceGroupRoleMaster,
+				Role:    kops.InstanceGroupRoleControlPlane,
 				MinSize: fi.PtrTo(int32(1)),
 				MaxSize: fi.PtrTo(int32(2)),
 			},
@ -167,7 +167,7 @@ func TestGetStorageProfile(t *testing.T) {
 		{
 			spec: kops.InstanceGroupSpec{
 				Image: "Canonical:UbuntuServer:18.04-LTS:latest",
-				Role:  kops.InstanceGroupRoleMaster,
+				Role:  kops.InstanceGroupRoleControlPlane,
 			},
 			profile: &compute.VirtualMachineScaleSetStorageProfile{
 				ImageReference: &compute.ImageReference{
--- a/pkg/model/bootstrapscript.go
+++ b/pkg/model/bootstrapscript.go
@ -183,7 +183,7 @@ func (b *BootstrapScript) buildEnvironmentVariables(cluster *kops.Cluster) (map[
 		}
 	}

-	if cluster.Spec.GetCloudProvider() == kops.CloudProviderHetzner && (b.ig.IsMaster() || cluster.IsGossip()) {
+	if cluster.Spec.GetCloudProvider() == kops.CloudProviderHetzner && (b.ig.IsControlPlane() || cluster.IsGossip()) {
 		hcloudToken := os.Getenv("HCLOUD_TOKEN")
 		if hcloudToken != "" {
 			env["HCLOUD_TOKEN"] = hcloudToken
@ -307,7 +307,7 @@ func (b *BootstrapScriptBuilder) ResourceNodeUp(c *fi.ModelBuilderContext, ig *k
 	c.AddTask(&fitasks.ManagedFile{
 		Name:      fi.PtrTo("nodeupconfig-" + ig.Name),
 		Lifecycle: b.Lifecycle,
-		Location:  fi.PtrTo("igconfig/" + strings.ToLower(string(ig.Spec.Role)) + "/" + ig.Name + "/nodeupconfig.yaml"),
+		Location:  fi.PtrTo("igconfig/" + ig.Spec.Role.ToLowerString() + "/" + ig.Name + "/nodeupconfig.yaml"),
 		Contents:  &task.nodeupConfig,
 	})
 	return &task.resource, nil
@ -390,7 +390,7 @@ func (b *BootstrapScript) Run(c *fi.Context) error {
 				}
 			}

-			if b.ig.IsMaster() {
+			if b.ig.IsControlPlane() {
 				spec["encryptionConfig"] = cs.EncryptionConfig
 				spec["etcdClusters"] = make(map[string]kops.EtcdClusterSpec)
 				spec["kubeAPIServer"] = cs.KubeAPIServer
--- a/pkg/model/bootstrapscript_test.go
+++ b/pkg/model/bootstrapscript_test.go
@ -85,28 +85,28 @@ func TestBootstrapUserData(t *testing.T) {
 		FileAssetSpecRoles []kops.InstanceGroupRole
 	}{
 		{
-			Role:               "Master",
+			Role:               "ControlPlane",
 			ExpectedFileIndex:  0,
 			HookSpecRoles:      []kops.InstanceGroupRole{""},
 			FileAssetSpecRoles: []kops.InstanceGroupRole{""},
 		},
 		{
-			Role:               "Master",
+			Role:               "ControlPlane",
 			ExpectedFileIndex:  0,
 			HookSpecRoles:      []kops.InstanceGroupRole{"Node"},
 			FileAssetSpecRoles: []kops.InstanceGroupRole{"Node"},
 		},
 		{
-			Role:               "Master",
+			Role:               "ControlPlane",
 			ExpectedFileIndex:  1,
-			HookSpecRoles:      []kops.InstanceGroupRole{"Master"},
-			FileAssetSpecRoles: []kops.InstanceGroupRole{"Master"},
+			HookSpecRoles:      []kops.InstanceGroupRole{"ControlPlane"},
+			FileAssetSpecRoles: []kops.InstanceGroupRole{"ControlPlane"},
 		},
 		{
-			Role:               "Master",
+			Role:               "ControlPlane",
 			ExpectedFileIndex:  2,
-			HookSpecRoles:      []kops.InstanceGroupRole{"Master", "Node"},
-			FileAssetSpecRoles: []kops.InstanceGroupRole{"Master", "Node"},
+			HookSpecRoles:      []kops.InstanceGroupRole{"ControlPlane", "Node"},
+			FileAssetSpecRoles: []kops.InstanceGroupRole{"ControlPlane", "Node"},
 		},
 		{
 			Role:               "Node",
@ -123,14 +123,14 @@ func TestBootstrapUserData(t *testing.T) {
 		{
 			Role:               "Node",
 			ExpectedFileIndex:  3,
-			HookSpecRoles:      []kops.InstanceGroupRole{"Master"},
-			FileAssetSpecRoles: []kops.InstanceGroupRole{"Master"},
+			HookSpecRoles:      []kops.InstanceGroupRole{"ControlPlane"},
+			FileAssetSpecRoles: []kops.InstanceGroupRole{"ControlPlane"},
 		},
 		{
 			Role:               "Node",
 			ExpectedFileIndex:  5,
-			HookSpecRoles:      []kops.InstanceGroupRole{"Master", "Node"},
-			FileAssetSpecRoles: []kops.InstanceGroupRole{"Master", "Node"},
+			HookSpecRoles:      []kops.InstanceGroupRole{"ControlPlane", "Node"},
+			FileAssetSpecRoles: []kops.InstanceGroupRole{"ControlPlane", "Node"},
 		},
 	}

--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@ -201,7 +201,7 @@ func (b *KubeAPIServerOptionsBuilder) buildAPIServerCount(clusterSpec *kops.Clus

 	//count := 0
 	//for _, ig := range b.InstanceGroups {
-	//	if !ig.IsMaster() {
+	//	if !ig.IsControlPlane() {
 	//		continue
 	//	}
 	//	size := fi.ValueOf(ig.Spec.MaxSize)
--- a/pkg/model/components/context.go
+++ b/pkg/model/components/context.go
@ -28,7 +28,6 @@ import (
 	"k8s.io/kops/pkg/assets"
 	"k8s.io/kops/pkg/k8sversion"
 	"k8s.io/kops/upup/pkg/fi"
-	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/util/pkg/vfs"

 	"github.com/blang/semver/v4"
@ -168,11 +167,6 @@ func Image(component string, clusterSpec *kops.ClusterSpec, assetsBuilder *asset
 	return image, nil
 }

-// GCETagForRole returns the (network) tag for GCE instances in the given instance group role.
-func GCETagForRole(clusterName string, role kops.InstanceGroupRole) string {
-	return gce.SafeClusterName(clusterName) + "-" + gce.GceLabelNameRolePrefix + strings.ToLower(string(role))
-}
-
 // IsCertManagerEnabled returns true if the cluster has the capability to handle cert-manager PKI
 func IsCertManagerEnabled(cluster *kops.Cluster) bool {
 	return cluster.Spec.CertManager != nil && fi.ValueOf(cluster.Spec.CertManager.Enabled)
--- a/pkg/model/components/etcdmanager/model.go
+++ b/pkg/model/components/etcdmanager/model.go
@ -383,7 +383,7 @@ func (b *EtcdManagerBuilder) buildPod(etcdCluster kops.EtcdClusterSpec, instance
 			config.VolumeTag = []string{
 				fmt.Sprintf("kubernetes.io/cluster/%s=owned", b.Cluster.Name),
 				awsup.TagNameEtcdClusterPrefix + etcdCluster.Name,
-				awsup.TagNameRolePrefix + "master=1",
+				awsup.TagNameRolePrefix + "control-plane=1",
 			}
 			config.VolumeNameTag = awsup.TagNameEtcdClusterPrefix + etcdCluster.Name

@ -395,7 +395,7 @@ func (b *EtcdManagerBuilder) buildPod(etcdCluster kops.EtcdClusterSpec, instance
 				// allowed as a tag key in Azure.
 				fmt.Sprintf("kubernetes.io_cluster_%s=owned", b.Cluster.Name),
 				azure.TagNameEtcdClusterPrefix + etcdCluster.Name,
-				azure.TagNameRolePrefix + "master=1",
+				azure.TagNameRolePrefix + "control_plane=1",
 			}
 			config.VolumeNameTag = azure.TagNameEtcdClusterPrefix + etcdCluster.Name

@ -435,7 +435,7 @@ func (b *EtcdManagerBuilder) buildPod(etcdCluster kops.EtcdClusterSpec, instance

 			config.VolumeTag = []string{
 				openstack.TagNameEtcdClusterPrefix + etcdCluster.Name,
-				openstack.TagNameRolePrefix + "master=1",
+				openstack.TagNameRolePrefix + "control-plane=1",
 				fmt.Sprintf("%s=%s", openstack.TagClusterName, b.Cluster.Name),
 			}
 			config.VolumeNameTag = openstack.TagNameEtcdClusterPrefix + etcdCluster.Name
--- a/pkg/model/components/kubeapiserver/model.go
+++ b/pkg/model/components/kubeapiserver/model.go
@ -64,7 +64,7 @@ func (b *KubeApiserverBuilder) Build(c *fi.ModelBuilderContext) error {
 	b.AssetBuilder.StaticManifests = append(b.AssetBuilder.StaticManifests, &assets.StaticManifest{
 		Key:   key,
 		Path:  location,
-		Roles: []kops.InstanceGroupRole{kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleAPIServer},
+		Roles: []kops.InstanceGroupRole{kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleAPIServer},
 	})
 	return nil
 }
--- a/pkg/model/components/kubescheduler/model.go
+++ b/pkg/model/components/kubescheduler/model.go
@ -59,7 +59,7 @@ func (b *KubeSchedulerBuilder) Build(c *fi.ModelBuilderContext) error {
 	b.AssetBuilder.StaticFiles = append(b.AssetBuilder.StaticFiles, &assets.StaticFile{
 		Path:    KubeSchedulerConfigPath,
 		Content: string(configYAML),
-		Roles:   []kops.InstanceGroupRole{kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleAPIServer},
+		Roles:   []kops.InstanceGroupRole{kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleAPIServer},
 	})
 	return nil
 }
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@ -113,7 +113,7 @@ func (b *KopsModelContext) FindZonesForInstanceGroup(ig *kops.InstanceGroup) ([]
 func (b *KopsModelContext) MasterInstanceGroups() []*kops.InstanceGroup {
 	var groups []*kops.InstanceGroup
 	for _, ig := range b.InstanceGroups {
-		if !ig.IsMaster() {
+		if !ig.IsControlPlane() {
 			continue
 		}
 		groups = append(groups, ig)
@ -168,8 +168,9 @@ func (b *KopsModelContext) CloudTagsForInstanceGroup(ig *kops.InstanceGroup) (ma

 	// The system tags take priority because the cluster likely breaks without them...

-	if ig.Spec.Role == kops.InstanceGroupRoleMaster {
-		labels[awstasks.CloudTagInstanceGroupRolePrefix+strings.ToLower(string(kops.InstanceGroupRoleMaster))] = "1"
+	if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
+		labels[awstasks.CloudTagInstanceGroupRolePrefix+"master"] = "1"
+		labels[awstasks.CloudTagInstanceGroupRolePrefix+kops.InstanceGroupRoleControlPlane.ToLowerString()] = "1"
 	}

 	if ig.Spec.Role == kops.InstanceGroupRoleAPIServer {
@ -342,7 +343,7 @@ func (b *KopsModelContext) IsIPv6Only() bool {

 func (b *KopsModelContext) UseIPv6ForAPI() bool {
 	for _, ig := range b.InstanceGroups {
-		if ig.Spec.Role != kops.InstanceGroupRoleMaster && ig.Spec.Role != kops.InstanceGroupRoleAPIServer {
+		if ig.Spec.Role != kops.InstanceGroupRoleControlPlane && ig.Spec.Role != kops.InstanceGroupRoleAPIServer {
 			break
 		}
 		for _, igSubnetName := range ig.Spec.Subnets {
--- a/pkg/model/defaults/volumes.go
+++ b/pkg/model/defaults/volumes.go
@ -34,7 +34,7 @@ const (
 // DefaultInstanceGroupVolumeSize returns the default volume size for nodes in an InstanceGroup with the specified role
 func DefaultInstanceGroupVolumeSize(role kops.InstanceGroupRole) (int32, error) {
 	switch role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		return DefaultVolumeSizeMaster, nil
 	case kops.InstanceGroupRoleAPIServer:
 		return DefaultVolumeSizeNode, nil
--- a/pkg/model/domodel/droplets.go
+++ b/pkg/model/domodel/droplets.go
@ -69,7 +69,7 @@ func (d *DropletBuilder) Build(c *fi.ModelBuilderContext) error {
 			Tags:   []string{clusterTag},
 		}

-		if ig.IsMaster() {
+		if ig.IsControlPlane() {
 			masterIndexCount++
 			// create tag based on etcd name. etcd name is now prefixed with etcd-
 			// Ref: https://github.com/kubernetes/kops/commit/31f8cbd571964f19d3c31024ddba918998d29929
--- a/pkg/model/gcemodel/api_loadbalancer.go
+++ b/pkg/model/gcemodel/api_loadbalancer.go
@ -92,7 +92,7 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.ModelBuilderContext) error
 			Lifecycle:    b.Lifecycle,
 			Network:      network,
 			SourceRanges: b.Cluster.Spec.API.Access,
-			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
 			Allowed:      []string{"tcp:443"},
 		})
 	}
@ -113,7 +113,7 @@ func createInternalLB(b *APILoadBalancerBuilder, c *fi.ModelBuilderContext) erro
 	c.AddTask(hc)
 	var igms []*gcetasks.InstanceGroupManager
 	for _, ig := range b.InstanceGroups {
-		if ig.Spec.Role != kops.InstanceGroupRoleMaster {
+		if ig.Spec.Role != kops.InstanceGroupRoleControlPlane {
 			continue
 		}
 		if len(ig.Spec.Zones) > 1 {
--- a/pkg/model/gcemodel/autoscalinggroup.go
+++ b/pkg/model/gcemodel/autoscalinggroup.go
@ -133,21 +133,25 @@ func (b *AutoscalingGroupModelBuilder) buildInstanceTemplate(c *fi.ModelBuilderC
 			}

 			switch ig.Spec.Role {
-			case kops.InstanceGroupRoleMaster:
+			case kops.InstanceGroupRoleControlPlane:
 				// Grant DNS permissions
 				// TODO: migrate to IAM permissions instead of oldschool scopes?
 				t.Scopes = append(t.Scopes, "https://www.googleapis.com/auth/ndev.clouddns.readwrite")
-				t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleMaster))
+				t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleControlPlane))
+				t.Tags = append(t.Tags, b.GCETagForRole("master"))

 			case kops.InstanceGroupRoleNode:
 				t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleNode))
 			}
-			roleLabel := gce.GceLabelNameRolePrefix + gce.EncodeGCELabel(strings.ToLower(string(ig.Spec.Role)))
+			roleLabel := gce.GceLabelNameRolePrefix + ig.Spec.Role.ToLowerString()
 			t.Labels = map[string]string{
 				gce.GceLabelNameKubernetesCluster: gce.SafeClusterName(b.ClusterName()),
 				roleLabel:                         "",
 				gce.GceLabelNameInstanceGroup:     ig.ObjectMeta.Name,
 			}
+			if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
+				t.Labels[gce.GceLabelNameRolePrefix+"master"] = ""
+			}

 			if gce.UsesIPAliases(b.Cluster) {
 				t.CanIPForward = fi.PtrTo(false)
@ -273,7 +277,7 @@ func (b *AutoscalingGroupModelBuilder) Build(c *fi.ModelBuilderContext) error {

 			// Attach masters to load balancer if we're using one
 			switch ig.Spec.Role {
-			case kops.InstanceGroupRoleMaster:
+			case kops.InstanceGroupRoleControlPlane:
 				if b.UseLoadBalancerForAPI() {
 					lbSpec := b.Cluster.Spec.API.LoadBalancer
 					if lbSpec != nil {
--- a/pkg/model/gcemodel/context.go
+++ b/pkg/model/gcemodel/context.go
@ -156,7 +156,7 @@ func (c *GCEModelContext) LinkToServiceAccount(ig *kops.InstanceGroup) *gcetasks

 	name := ""
 	switch role {
-	case kops.InstanceGroupRoleAPIServer, kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleAPIServer, kops.InstanceGroupRoleControlPlane:
 		name = gce.ControlPlane

 	case kops.InstanceGroupRoleBastion:
--- a/pkg/model/gcemodel/external_access.go
+++ b/pkg/model/gcemodel/external_access.go
@ -55,7 +55,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 		b.AddFirewallRulesTasks(c, "ssh-external-to-master", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
-			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			Allowed:      []string{"tcp:22"},
 			SourceRanges: b.Cluster.Spec.SSHAccess,
 			Network:      network,
@ -107,7 +107,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 		b.AddFirewallRulesTasks(c, "kubernetes-master-https", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
-			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			Allowed:      []string{"tcp:443"},
 			SourceRanges: b.Cluster.Spec.API.Access,
 			Network:      network,
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@ -72,8 +72,8 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			Name:       s(b.NameForFirewallRule("master-to-master")),
 			Lifecycle:  b.Lifecycle,
 			Network:    network,
-			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
-			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
+			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			Allowed:    allProtocols,
 		}
 		c.AddTask(t)
@ -89,7 +89,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			Name:       s(b.NameForFirewallRule("master-to-node")),
 			Lifecycle:  b.Lifecycle,
 			Network:    network,
-			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
 			Allowed:    allProtocols,
 		}
@ -107,7 +107,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			Lifecycle:  b.Lifecycle,
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleMaster)},
+			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			Allowed: []string{
 				fmt.Sprintf("tcp:%d", wellknownports.KubeAPIServer),
 				fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
--- a/pkg/model/gcemodel/service_accounts.go
+++ b/pkg/model/gcemodel/service_accounts.go
@ -65,7 +65,7 @@ func (b *ServiceAccountsBuilder) Build(c *fi.ModelBuilderContext) error {
 			Lifecycle:   b.Lifecycle,
 		}
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleAPIServer, kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleAPIServer, kops.InstanceGroupRoleControlPlane:
 			serviceAccount.Description = fi.PtrTo("kubernetes control-plane instances")
 		case kops.InstanceGroupRoleNode:
 			serviceAccount.Description = fi.PtrTo("kubernetes worker nodes")
@ -79,7 +79,7 @@ func (b *ServiceAccountsBuilder) Build(c *fi.ModelBuilderContext) error {
 		role := ig.Spec.Role
 		if role == kops.InstanceGroupRoleAPIServer {
 			// Because these share a serviceaccount, we share a role
-			role = kops.InstanceGroupRoleMaster
+			role = kops.InstanceGroupRoleControlPlane
 		}

 		if err := b.addInstanceGroupServiceAccountPermissions(c, *serviceAccount.Email, role); err != nil {
@ -98,7 +98,7 @@ func (b *ServiceAccountsBuilder) addInstanceGroupServiceAccountPermissions(c *fi
 	// If we can find a solution, we can easily switch to a custom role.

 	switch role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		// We reuse the GKE role
 		c.AddTask(&gcetasks.ProjectIAMBinding{
 			Name:      s("serviceaccount-control-plane"),
--- a/pkg/model/gcemodel/storageacl.go
+++ b/pkg/model/gcemodel/storageacl.go
@ -76,7 +76,7 @@ func (b *StorageAclBuilder) Build(c *fi.ModelBuilderContext) error {
 		}

 		klog.Warningf("we need to split master / node roles")
-		nodeRole, err := iam.BuildNodeRoleSubject(kops.InstanceGroupRoleMaster, false)
+		nodeRole, err := iam.BuildNodeRoleSubject(kops.InstanceGroupRoleControlPlane, false)
 		if err != nil {
 			return err
 		}
--- a/pkg/model/hetznermodel/firewall.go
+++ b/pkg/model/hetznermodel/firewall.go
@ -47,7 +47,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 	controlPlaneLabelSelector := []string{
 		fmt.Sprintf("%s=%s", hetzner.TagKubernetesClusterName, b.ClusterName()),
-		fmt.Sprintf("%s=%s", hetzner.TagKubernetesInstanceRole, string(kops.InstanceGroupRoleMaster)),
+		fmt.Sprintf("%s=%s", hetzner.TagKubernetesInstanceRole, string(kops.InstanceGroupRoleControlPlane)),
 	}
 	controlPlaneFirewall := &hetznertasks.Firewall{
 		Name:      fi.PtrTo("control-plane." + b.ClusterName()),
--- a/pkg/model/hetznermodel/loadbalancer.go
+++ b/pkg/model/hetznermodel/loadbalancer.go
@ -39,7 +39,7 @@ var _ fi.ModelBuilder = &LoadBalancerModelBuilder{}
 func (b *LoadBalancerModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	controlPlaneLabelSelector := []string{
 		fmt.Sprintf("%s=%s", hetzner.TagKubernetesClusterName, b.ClusterName()),
-		fmt.Sprintf("%s=%s", hetzner.TagKubernetesInstanceRole, string(kops.InstanceGroupRoleMaster)),
+		fmt.Sprintf("%s=%s", hetzner.TagKubernetesInstanceRole, string(kops.InstanceGroupRoleControlPlane)),
 	}
 	loadbalancer := hetznertasks.LoadBalancer{
 		Name:      fi.PtrTo("api." + b.ClusterName()),
--- a/pkg/model/iam/subject.go
+++ b/pkg/model/iam/subject.go
@ -88,7 +88,7 @@ func (g *GenericServiceAccount) BuildAWSPolicy(*PolicyBuilder) (*Policy, error)
 // BuildNodeRoleSubject returns a Subject implementation for the specified InstanceGroupRole.
 func BuildNodeRoleSubject(igRole kops.InstanceGroupRole, enableLifecycleHookPermissions bool) (Subject, error) {
 	switch igRole {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		return &NodeRoleMaster{}, nil
 	case kops.InstanceGroupRoleAPIServer:
 		return &NodeRoleAPIServer{
--- a/pkg/model/master_volumes.go
+++ b/pkg/model/master_volumes.go
@ -163,7 +163,8 @@ func (b *MasterVolumeBuilder) addAWSVolume(c *fi.ModelBuilderContext, name strin
 	// tags[awsup.TagClusterName] = b.C.cluster.Name
 	// This is the configuration of the etcd cluster
 	tags[awsup.TagNameEtcdClusterPrefix+etcd.Name] = m.Name + "/" + strings.Join(allMembers, ",")
-	// This says "only mount on a master"
+	// This says "only mount on a control plane node"
+	tags[awsup.TagNameRolePrefix+"control-plane"] = "1"
 	tags[awsup.TagNameRolePrefix+"master"] = "1"

 	// We always add an owned tags (these can't be shared)
@ -322,7 +323,8 @@ func (b *MasterVolumeBuilder) addOpenstackVolume(c *fi.ModelBuilderContext, name
 	}
 	// This is the configuration of the etcd cluster
 	tags[openstack.TagNameEtcdClusterPrefix+etcd.Name] = m.Name + "/" + strings.Join(allMembers, ",")
-	// This says "only mount on a master"
+	// This says "only mount on a control plane node"
+	tags[openstack.TagNameRolePrefix+openstack.TagRoleControlPlane] = "1"
 	tags[openstack.TagNameRolePrefix+"master"] = "1"

 	// override zone
@ -355,8 +357,9 @@ func (b *MasterVolumeBuilder) addAzureVolume(
 	tags := map[string]*string{
 		// This is the configuration of the etcd cluster.
 		azure.TagNameEtcdClusterPrefix + etcd.Name: fi.PtrTo(m.Name + "/" + strings.Join(allMembers, ",")),
-		// This says "only mount on a master".
-		azure.TagNameRolePrefix + azure.TagRoleMaster: fi.PtrTo("1"),
+		// This says "only mount on a control plane node".
+		azure.TagNameRolePrefix + azure.TagRoleControlPlane: fi.PtrTo("1"),
+		azure.TagNameRolePrefix + azure.TagRoleMaster:       fi.PtrTo("1"),
 		// We always add an owned tags (these can't be shared).
 		// Use dash (_) as a splitter. Other CSPs use slash (/), but slash is not
 		// allowed as a tag key in Azure.
--- a/pkg/model/names.go
+++ b/pkg/model/names.go
@ -38,7 +38,7 @@ func (b *KopsModelContext) SecurityGroupName(role kops.InstanceGroupRole) string
 		return "bastion." + b.ClusterName()
 	case kops.InstanceGroupRoleNode:
 		return "nodes." + b.ClusterName()
-	case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleAPIServer:
+	case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleAPIServer:
 		return "masters." + b.ClusterName()
 	default:
 		klog.Fatalf("unknown role: %v", role)
@ -55,7 +55,7 @@ func (b *KopsModelContext) LinkToSecurityGroup(role kops.InstanceGroupRole) *aws
 // AutoscalingGroupName derives the autoscaling group name for us
 func (b *KopsModelContext) AutoscalingGroupName(ig *kops.InstanceGroup) string {
 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		// We need to keep this back-compatible, so we introduce the masters name,
 		// though the IG name suffices for uniqueness, and with sensible naming masters
 		// should be redundant...
@ -143,7 +143,7 @@ func (b *KopsModelContext) NameForDNSZone() string {
 func (b *KopsModelContext) IAMName(role kops.InstanceGroupRole) string {
 	var rolename string
 	switch role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		rolename = "masters." + b.ClusterName()
 	case kops.InstanceGroupRoleAPIServer:
 		rolename = "apiservers." + b.ClusterName()
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@ -87,7 +87,7 @@ func (b *FirewallModelBuilder) addDirectionalGroupRule(c *fi.ModelBuilderContext

 // addSSHRules - sets the ssh rules based on the presence of a bastion
 func (b *FirewallModelBuilder) addSSHRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	bastionName := b.SecurityGroupName(kops.InstanceGroupRoleBastion)
 	masterSG := sgMap[masterName]
@ -147,7 +147,7 @@ func (b *FirewallModelBuilder) addSSHRules(c *fi.ModelBuilderContext, sgMap map[

 // addETCDRules - Add ETCD access rules based on which CNI might need to access __ETCD_ENDPOINTS__
 func (b *FirewallModelBuilder) addETCDRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
@ -231,7 +231,7 @@ func (b *FirewallModelBuilder) addNodePortRules(c *fi.ModelBuilderContext, sgMap

 // addHTTPSRules - Add rules to 443 access given the presence of a loadbalancer or not
 func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup, useVIPACL bool) error {
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	lbSGName := b.Cluster.Spec.API.PublicName
 	lbSG := sgMap[lbSGName]
@ -329,7 +329,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
 // addKubeletRules - Add rules to 10250 port
 func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
 	// TODO: This is the default port for kubelet and may be overridden
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
@ -353,7 +353,7 @@ func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap

 // addNodeExporterAndOccmRules - Allow 9100 TCP port from nodesg, allow 10258 from nodes to master - expose occm metrics
 func (b *FirewallModelBuilder) addNodeExporterAndOccmRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
@ -383,7 +383,7 @@ func (b *FirewallModelBuilder) addNodeExporterAndOccmRules(c *fi.ModelBuilderCon

 // addDNSRules - Add DNS rules for internal DNS queries
 func (b *FirewallModelBuilder) addDNSRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
@ -451,7 +451,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 		}
 	}

-	masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
@ -502,7 +502,7 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 // addProtokubeRules - Add rules for protokube if gossip DNS is enabled
 func (b *FirewallModelBuilder) addProtokubeRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
 	if b.Cluster.IsGossip() {
-		masterName := b.SecurityGroupName(kops.InstanceGroupRoleMaster)
+		masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 		nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 		masterSG := sgMap[masterName]
 		nodeSG := sgMap[nodeName]
@ -606,7 +606,7 @@ func (b *FirewallModelBuilder) addDefaultEgress(c *fi.ModelBuilderContext, sgMap

 // Build - schedule security groups and security group rule tasks for Openstack
 func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
-	roles := []kops.InstanceGroupRole{kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleNode}
+	roles := []kops.InstanceGroupRole{kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleNode}
 	if b.UsesSSHBastion() {
 		roles = append(roles, kops.InstanceGroupRoleBastion)
 	}
@ -640,7 +640,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			sg.RemoveExtraRules = []string{"port=22"}
 		} else if role == kops.InstanceGroupRoleNode {
 			sg.RemoveExtraRules = []string{"port=22", "port=10250"}
-		} else if role == kops.InstanceGroupRoleMaster {
+		} else if role == kops.InstanceGroupRoleControlPlane {
 			sg.RemoveExtraRules = []string{"port=22", "port=443", "port=10250"}
 		}
 		c.AddTask(sg)
--- a/pkg/model/openstackmodel/servergroup.go
+++ b/pkg/model/openstackmodel/servergroup.go
@ -105,7 +105,7 @@ func (b *ServerGroupModelBuilder) buildInstances(c *fi.ModelBuilderContext, sg *
 	securityGroupName := b.SecurityGroupName(ig.Spec.Role)
 	securityGroups = append(securityGroups, b.LinkToSecurityGroup(securityGroupName))

-	if b.Cluster.Spec.CloudProvider.Openstack.Loadbalancer == nil && ig.Spec.Role == kops.InstanceGroupRoleMaster {
+	if b.Cluster.Spec.CloudProvider.Openstack.Loadbalancer == nil && ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
 		securityGroups = append(securityGroups, b.LinkToSecurityGroup(b.Cluster.Spec.API.PublicName))
 	}

@ -204,7 +204,7 @@ func (b *ServerGroupModelBuilder) buildInstances(c *fi.ModelBuilderContext, sg *
 				}
 				c.AddTask(t)
 				instanceTask.FloatingIP = t
-			case kops.InstanceGroupRoleMaster:
+			case kops.InstanceGroupRoleControlPlane:

 				if b.Cluster.Spec.Topology == nil || b.Cluster.Spec.Topology.ControlPlane != kops.TopologyPrivate {
 					t := &openstacktasks.FloatingIP{
@ -264,7 +264,7 @@ func (b *ServerGroupModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			return err
 		}

-		if ig.Spec.Role == kops.InstanceGroupRoleMaster {
+		if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
 			masters = append(masters, sgTask)
 		}
 	}
--- a/pkg/model/openstackmodel/servergroup_test.go
+++ b/pkg/model/openstackmodel/servergroup_test.go
@ -77,7 +77,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image-master",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -144,7 +144,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -233,7 +233,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-a",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -261,7 +261,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-b",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -289,7 +289,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-c",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -349,7 +349,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image-master",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -424,7 +424,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-a",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -452,7 +452,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-b",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -480,7 +480,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-c",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -545,7 +545,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-a",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -573,7 +573,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-b",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -601,7 +601,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master-c",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(1),
 						MaxSize:     i32(1),
@ -669,7 +669,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:        kops.InstanceGroupRoleMaster,
+						Role:        kops.InstanceGroupRoleControlPlane,
 						Image:       "image",
 						MinSize:     i32(3),
 						MaxSize:     i32(3),
@ -745,7 +745,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:              kops.InstanceGroupRoleMaster,
+						Role:              kops.InstanceGroupRoleControlPlane,
 						Image:             "image-master",
 						MinSize:           i32(1),
 						MaxSize:           i32(1),
@ -811,7 +811,7 @@ func getServerGroupModelBuilderTestInput() []serverGroupModelBuilderTestInput {
 						Name: "master",
 					},
 					Spec: kops.InstanceGroupSpec{
-						Role:              kops.InstanceGroupRoleMaster,
+						Role:              kops.InstanceGroupRoleControlPlane,
 						Image:             "image",
 						MinSize:           i32(1),
 						MaxSize:           i32(1),
--- a/pkg/nodeidentity/hetzner/identify.go
+++ b/pkg/nodeidentity/hetzner/identify.go
@ -99,7 +99,7 @@ func (i *nodeIdentifier) IdentifyNode(ctx context.Context, node *corev1.Node) (*
 	for key, value := range server.Labels {
 		if key == hetzner.TagKubernetesInstanceRole {
 			switch kops.InstanceGroupRole(value) {
-			case kops.InstanceGroupRoleMaster:
+			case kops.InstanceGroupRoleControlPlane:
 				labels[nodelabels.RoleLabelControlPlane20] = ""
 			case kops.InstanceGroupRoleNode:
 				labels[nodelabels.RoleLabelNode16] = ""
--- a/pkg/nodelabels/builder.go
+++ b/pkg/nodelabels/builder.go
@ -38,7 +38,7 @@ const (
 // BuildNodeLabels returns the node labels for the specified instance group
 // This moved from the kubelet to a central controller in kubernetes 1.16
 func BuildNodeLabels(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) map[string]string {
-	isControlPlane := instanceGroup.Spec.Role == kops.InstanceGroupRoleMaster
+	isControlPlane := instanceGroup.Spec.Role == kops.InstanceGroupRoleControlPlane

 	isAPIServer := instanceGroup.Spec.Role == kops.InstanceGroupRoleAPIServer

--- a/pkg/nodelabels/builder_test.go
+++ b/pkg/nodelabels/builder_test.go
@ -51,7 +51,7 @@ func TestBuildNodeLabels(t *testing.T) {
 			},
 			ig: &kops.InstanceGroup{
 				Spec: kops.InstanceGroupSpec{
-					Role: kops.InstanceGroupRoleMaster,
+					Role: kops.InstanceGroupRoleControlPlane,
 					Kubelet: &kops.KubeletConfigSpec{
 						NodeLabels: map[string]string{
 							"node1": "override1",
--- a/pkg/resources/aws/aws.go
+++ b/pkg/resources/aws/aws.go
@ -541,13 +541,21 @@ func DumpInstance(op *resources.DumpOperation, r *resources.Resource) error {
 			i.PrivateAddresses = append(i.PrivateAddresses, *ec2Instance.PrivateIpAddress)
 		}
 	}
+	isControlPlane := false
 	for _, tag := range ec2Instance.Tags {
 		key := aws.StringValue(tag.Key)
 		if !strings.HasPrefix(key, awsup.TagNameRolePrefix) {
 			continue
 		}
 		role := strings.TrimPrefix(key, awsup.TagNameRolePrefix)
-		i.Roles = append(i.Roles, role)
+		if role == "master" || role == "control-plane" {
+			isControlPlane = true
+		} else {
+			i.Roles = append(i.Roles, role)
+		}
+	}
+	if isControlPlane {
+		i.Roles = append(i.Roles, "control-plane")
 	}

 	imageID := aws.StringValue(ec2Instance.ImageId)
--- a/pkg/resources/digitalocean/resources.go
+++ b/pkg/resources/digitalocean/resources.go
@ -370,7 +370,7 @@ func dumpDroplet(op *resources.DumpOperation, r *resources.Resource) error {
 	}
 	for _, tag := range droplet.Tags {
 		if strings.HasPrefix(tag, "KubernetesCluster-Master") {
-			i.Roles = []string{string(kops.InstanceGroupRoleMaster)}
+			i.Roles = []string{string(kops.InstanceGroupRoleControlPlane)}
 			break
 		}
 	}
--- a/pkg/resources/spotinst/resources.go
+++ b/pkg/resources/spotinst/resources.go
@ -417,7 +417,7 @@ func getGroupNameByRole(cluster *kops.Cluster, ig *kops.InstanceGroup) string {
 	var groupName string

 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		groupName = ig.ObjectMeta.Name + ".masters." + cluster.ObjectMeta.Name
 	case kops.InstanceGroupRoleNode:
 		groupName = ig.ObjectMeta.Name + "." + cluster.ObjectMeta.Name
--- a/pkg/testutils/cluster.go
+++ b/pkg/testutils/cluster.go
@ -113,7 +113,7 @@ func BuildMinimalBastionInstanceGroup(name string, subnets ...string) kops.Insta
 func BuildMinimalMasterInstanceGroup(subnet string) kops.InstanceGroup {
 	g := kops.InstanceGroup{}
 	g.ObjectMeta.Name = "master-" + subnet
-	g.Spec.Role = kops.InstanceGroupRoleMaster
+	g.Spec.Role = kops.InstanceGroupRoleControlPlane
 	g.Spec.Subnets = []string{subnet}
 	g.Spec.Image = "ami-1234abcd"

--- a/pkg/validation/validate_cluster.go
+++ b/pkg/validation/validate_cluster.go
@ -142,7 +142,7 @@ func (v *clusterValidatorImpl) Validate() (*ValidationCluster, error) {
 			message := fmt.Sprintf("Validation Failed\n\n"+
 				"The %[1]v Kubernetes deployment has not updated the Kubernetes cluster's API DNS entry to the correct IP address."+
 				"  The API DNS IP address is the placeholder address that kops creates: %[2]v."+
-				"  Please wait about 5-10 minutes for a master to start, %[1]v to launch, and DNS to propagate."+
+				"  Please wait about 5-10 minutes for a control plane node to start, %[1]v to launch, and DNS to propagate."+
 				"  The protokube container and %[1]v deployment logs may contain more diagnostic information."+
 				"  Etcd and the API DNS entries must be updated for a kops Kubernetes cluster to start.", dnsProvider, hasPlaceHolderIPAddress)
 			validation.addError(&ValidationError{
@ -333,7 +333,7 @@ func (v *ValidationCluster) validateNodes(cloudGroups map[string]*cloudinstances

 			nodeInstanceGroupMapping[node.Name] = cloudGroup.InstanceGroup

-			role := strings.ToLower(string(cloudGroup.InstanceGroup.Spec.Role))
+			role := cloudGroup.InstanceGroup.Spec.Role.ToLowerString()
 			if role == "" {
 				role = "node"
 			}
@ -355,7 +355,7 @@ func (v *ValidationCluster) validateNodes(cloudGroups map[string]*cloudinstances
 			}

 			switch n.Role {
-			case "master", "apiserver", "node":
+			case "control-plane", "apiserver", "node":
 				if !ready {
 					v.addError(&ValidationError{
 						Kind:          "Node",
--- a/pkg/validation/validate_cluster_test.go
+++ b/pkg/validation/validate_cluster_test.go
@ -86,7 +86,7 @@ func testValidate(t *testing.T, groups map[string]*cloudinstances.CloudInstanceG
 					Name: "master-1",
 				},
 				Spec: kopsapi.InstanceGroupSpec{
-					Role: kopsapi.InstanceGroupRoleMaster,
+					Role: kopsapi.InstanceGroupRoleControlPlane,
 				},
 			},
 			MinSize: 1,
@ -342,7 +342,7 @@ func Test_ValidateMastersNotEnough(t *testing.T) {
 				Name: "master-1",
 			},
 			Spec: kopsapi.InstanceGroupSpec{
-				Role: kopsapi.InstanceGroupRoleMaster,
+				Role: kopsapi.InstanceGroupRoleControlPlane,
 			},
 		},
 		MinSize:    2,
@ -396,7 +396,7 @@ func Test_ValidateMasterNotReady(t *testing.T) {
 				Name: "master-1",
 			},
 			Spec: kopsapi.InstanceGroupSpec{
-				Role: kopsapi.InstanceGroupRoleMaster,
+				Role: kopsapi.InstanceGroupRoleControlPlane,
 			},
 		},
 		MinSize:    2,
@ -435,7 +435,7 @@ func Test_ValidateMasterNotReady(t *testing.T) {
 		!assert.Equal(t, &ValidationError{
 			Kind:          "Node",
 			Name:          "master-1b",
-			Message:       "node \"master-1b\" of role \"master\" is not ready",
+			Message:       "node \"master-1b\" of role \"control-plane\" is not ready",
 			InstanceGroup: groups["node-1"].InstanceGroup,
 		}, v.Failures[0]) {
 		printDebug(t, v)
@ -450,7 +450,7 @@ func Test_ValidateMasterStaticPods(t *testing.T) {
 				Name: "master-1",
 			},
 			Spec: kopsapi.InstanceGroupSpec{
-				Role: kopsapi.InstanceGroupRoleMaster,
+				Role: kopsapi.InstanceGroupRoleControlPlane,
 			},
 		},
 		MinSize:    1,
@ -523,7 +523,7 @@ func Test_ValidateMasterStaticPods(t *testing.T) {
 		{
 			Kind:          "Node",
 			Name:          "master-1c",
-			Message:       "node \"master-1c\" of role \"master\" is not ready",
+			Message:       "node \"master-1c\" of role \"control-plane\" is not ready",
 			InstanceGroup: groups["node-1"].InstanceGroup,
 		},
 	}
--- a/tests/e2e/pkg/tester/tester.go
+++ b/tests/e2e/pkg/tester/tester.go
@ -327,7 +327,7 @@ func (t *Tester) getSchedulableZones() ([]string, error) {

 	var schedulable []*api.InstanceGroup
 	for _, ig := range igs {
-		if unversioned.InstanceGroupRole(ig.Spec.Role) == unversioned.InstanceGroupRoleMaster {
+		if unversioned.InstanceGroupRole(ig.Spec.Role) == unversioned.InstanceGroupRoleControlPlane {
 			continue
 		}
 		if unversioned.InstanceGroupRole(ig.Spec.Role) == unversioned.InstanceGroupRoleAPIServer {
--- a/tests/integration/conversion/aws/v1alpha2.yaml
+++ b/tests/integration/conversion/aws/v1alpha2.yaml
@ -5,6 +5,9 @@ metadata:
  name: minimal.example.com
 spec:
  DisableSubnetTags: true
+  additionalPolicies:
+    master: '[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect": "Allow"
+      } ]'
  additionalSans:
  - proxy.api.minimal.example.com
  addons:
@ -34,12 +37,17 @@ spec:
    name: events
  externalDns:
    disable: true
+  externalPolicies:
+    master:
+    - arn:aws-test:iam::123456789000:policy/test-policy
  hooks:
  - disabled: true
    name: hookDisabled
  - name: hookDefault
  - disabled: false
    name: hookEnabled
+    roles:
+    - Master
  iam:
    legacy: false
  kubernetesApiAccess:
--- a/tests/integration/conversion/aws/v1alpha3.yaml
+++ b/tests/integration/conversion/aws/v1alpha3.yaml
@ -4,6 +4,9 @@ metadata:
  creationTimestamp: "2016-12-10T22:42:27Z"
  name: minimal.example.com
 spec:
+  additionalPolicies:
+    control-plane: '[ { "Action": [ "s3:GetObject" ], "Resource": [ "*" ], "Effect":
+      "Allow" } ]'
  addons:
  - manifest: s3://somebucket/example.yaml
  api:
@ -37,12 +40,17 @@ spec:
    name: events
  externalDNS:
    provider: none
+  externalPolicies:
+    control-plane:
+    - arn:aws-test:iam::123456789000:policy/test-policy
  hooks:
  - enabled: false
    name: hookDisabled
  - name: hookDefault
  - enabled: true
    name: hookEnabled
+    roles:
+    - ControlPlane
  iam: {}
  kubernetesVersion: v1.21.0
  networkCIDR: 172.20.0.0/16
@ -96,6 +104,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/azure/v1alpha3.yaml
+++ b/tests/integration/conversion/azure/v1alpha3.yaml
@ -89,6 +89,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/canal/v1alpha3.yaml
+++ b/tests/integration/conversion/canal/v1alpha3.yaml
@ -85,6 +85,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/cilium/v1alpha3.yaml
+++ b/tests/integration/conversion/cilium/v1alpha3.yaml
@ -86,6 +86,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/do/v1alpha3.yaml
+++ b/tests/integration/conversion/do/v1alpha3.yaml
@ -83,6 +83,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/gce/v1alpha3.yaml
+++ b/tests/integration/conversion/gce/v1alpha3.yaml
@ -84,6 +84,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/minimal/v1alpha3.yaml
+++ b/tests/integration/conversion/minimal/v1alpha3.yaml
@ -84,6 +84,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/tests/integration/conversion/openstack/v1alpha3.yaml
+++ b/tests/integration/conversion/openstack/v1alpha3.yaml
@ -98,6 +98,6 @@ spec:
  machineType: m3.medium
  maxSize: 1
  minSize: 1
-  role: Master
+  role: ControlPlane
  subnets:
  - us-test-1a
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1206,7 +1206,7 @@ func newNodeUpConfigBuilder(cluster *kops.Cluster, assetBuilder *assets.AssetBui
 	}

 	for _, role := range kops.AllInstanceGroupRoles {
-		isMaster := role == kops.InstanceGroupRoleMaster
+		isMaster := role == kops.InstanceGroupRoleControlPlane
 		isAPIServer := role == kops.InstanceGroupRoleAPIServer

 		images[role] = make(map[architectures.Architecture][]*nodeup.Image)
@ -1333,7 +1333,7 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 	}

 	useGossip := cluster.IsGossip()
-	isMaster := role == kops.InstanceGroupRoleMaster
+	isMaster := role == kops.InstanceGroupRoleControlPlane
 	hasAPIServer := isMaster || role == kops.InstanceGroupRoleAPIServer

 	config, bootConfig := nodeup.NewConfig(cluster, ig)
@ -1574,7 +1574,7 @@ func (n *nodeUpConfigBuilder) buildContainerdConfig(ig *kops.InstanceGroup) *kop

 // buildWarmPoolImages returns a list of container images that should be pre-pulled during instance pre-initialization
 func (n *nodeUpConfigBuilder) buildWarmPoolImages(ig *kops.InstanceGroup) []string {
-	if ig == nil || ig.Spec.Role == kops.InstanceGroupRoleMaster {
+	if ig == nil || ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
 		return nil
 	}

--- a/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go
+++ b/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go
@ -1006,6 +1006,9 @@ func (_ *AutoscalingGroup) RenderTerraform(t *terraform.TerraformTarget, a, e, c
 	for k := range e.Tags {
 		if strings.HasPrefix(k, CloudTagInstanceGroupRolePrefix) {
 			suffix := strings.TrimPrefix(k, CloudTagInstanceGroupRolePrefix)
+			if suffix == "control-plane" {
+				suffix = "master"
+			}
 			if role != "" && role != suffix {
 				return fmt.Errorf("Found multiple role tags: %q vs %q", role, suffix)
 			}
--- a/upup/pkg/fi/cloudup/awsup/aws_cloud.go
+++ b/upup/pkg/fi/cloudup/awsup/aws_cloud.go
@ -98,6 +98,7 @@ const (
 	TagNameEtcdClusterPrefix = "k8s.io/etcd/"
 )

+const TagRoleControlPlane = "control-plane"
 const TagRoleMaster = "master"

 // TagNameKopsRole is the AWS tag used to identify the role an object plays for a cluster
@ -1232,13 +1233,22 @@ func buildCloudInstance(i *autoscaling.Instance, instances map[string]*ec2.Insta

 func addCloudInstanceData(cm *cloudinstances.CloudInstance, instance *ec2.Instance) {
 	cm.MachineType = aws.StringValue(instance.InstanceType)
+	isControlPlane := false
 	for _, tag := range instance.Tags {
 		key := aws.StringValue(tag.Key)
 		if !strings.HasPrefix(key, TagNameRolePrefix) {
 			continue
 		}
 		role := strings.TrimPrefix(key, TagNameRolePrefix)
-		cm.Roles = append(cm.Roles, role)
+		if role == "master" || role == "control-plane" {
+			isControlPlane = true
+		} else {
+			cm.Roles = append(cm.Roles, role)
+			cm.PrivateIP = aws.StringValue(instance.PrivateIpAddress)
+		}
+	}
+	if isControlPlane {
+		cm.Roles = append(cm.Roles, "control-plane")
 		cm.PrivateIP = aws.StringValue(instance.PrivateIpAddress)
 	}
 }
@ -2303,7 +2313,7 @@ func (c *awsCloudImplementation) DefaultInstanceType(cluster *kops.Cluster, ig *
 	var candidates []string

 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleNode, kops.InstanceGroupRoleAPIServer:
+	case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleNode, kops.InstanceGroupRoleAPIServer:
 		// t3.medium is the cheapest instance with 4GB of mem, unlimited by default, fast and has decent network
 		// c5.large and c4.large are a good second option in case t3.medium is not available in the AZ
 		candidates = []string{"t3.medium", "c5.large", "c4.large", "t4g.medium"}
--- a/upup/pkg/fi/cloudup/awsup/instancegroups.go
+++ b/upup/pkg/fi/cloudup/awsup/instancegroups.go
@ -29,7 +29,7 @@ func matchInstanceGroup(name string, clusterName string, instancegroups []*kops.
 	for _, g := range instancegroups {
 		var groupName string
 		switch g.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			groupName = g.ObjectMeta.Name + ".masters." + clusterName
 		case kops.InstanceGroupRoleAPIServer:
 			groupName = g.ObjectMeta.Name + ".apiservers." + clusterName
--- a/upup/pkg/fi/cloudup/awsup/mock_aws_cloud.go
+++ b/upup/pkg/fi/cloudup/awsup/mock_aws_cloud.go
@ -326,7 +326,7 @@ func (c *MockAWSCloud) GetApiIngressStatus(cluster *kops.Cluster) ([]fi.ApiIngre
 // DefaultInstanceType determines an instance type for the specified cluster & instance group
 func (c *MockAWSCloud) DefaultInstanceType(cluster *kops.Cluster, ig *kops.InstanceGroup) (string, error) {
 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleAPIServer:
+	case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleAPIServer:
 		return "m3.medium", nil
 	case kops.InstanceGroupRoleNode:
 		return "t2.medium", nil
--- a/upup/pkg/fi/cloudup/awsup/status.go
+++ b/upup/pkg/fi/cloudup/awsup/status.go
@ -90,7 +90,7 @@ func findEtcdStatus(c AWSCloud, cluster *kops.Cluster) ([]kops.EtcdClusterStatus
 				if err != nil {
 					return nil, fmt.Errorf("error parsing etcd cluster tag %q on volume %q: %v", v, volumeID, err)
 				}
-			} else if k == TagNameRolePrefix+TagRoleMaster {
+			} else if k == TagNameRolePrefix+TagRoleMaster || k == TagNameRolePrefix+TagRoleControlPlane {
 				master = true
 			}
 		}
--- a/upup/pkg/fi/cloudup/azure/azure_cloud.go
+++ b/upup/pkg/fi/cloudup/azure/azure_cloud.go
@ -34,6 +34,7 @@ const (
 	// Use dash (_) as a splitter. Other CSPs use slash (/), but slash is not
 	// allowed as a tag key in Azure.
 	TagNameRolePrefix        = "k8s.io_role_"
+	TagRoleControlPlane      = "control_plane"
 	TagRoleMaster            = "master"
 	TagNameEtcdClusterPrefix = "k8s.io_etcd_"
 )
@ -221,8 +222,9 @@ func (c *azureCloudImplementation) GetApiIngressStatus(cluster *kops.Cluster) ([
 		var vmssName string
 		for _, scaleSet := range scaleSets {
 			val, ok := scaleSet.Tags[TagClusterName]
-			val2, ok2 := scaleSet.Tags[TagNameRolePrefix+TagRoleMaster]
-			if ok && *val == cluster.Name && ok2 && *val2 == "1" {
+			val2, ok2 := scaleSet.Tags[TagNameRolePrefix+TagRoleControlPlane]
+			val3, ok3 := scaleSet.Tags[TagNameRolePrefix+TagRoleMaster]
+			if ok && *val == cluster.Name && (ok2 && *val2 == "1" || ok3 && *val3 == "1") {
 				vmssName = *scaleSet.Name
 				break
 			}
--- a/upup/pkg/fi/cloudup/azure/status.go
+++ b/upup/pkg/fi/cloudup/azure/status.go
@ -62,7 +62,7 @@ func (c *azureCloudImplementation) findEtcdStatus(disks []compute.Disk) ([]kops.
 			master          bool
 		)
 		for k, v := range disk.Tags {
-			if k == TagNameRolePrefix+TagRoleMaster {
+			if k == TagNameRolePrefix+TagRoleControlPlane || k == TagNameRolePrefix+TagRoleMaster {
 				master = true
 				continue
 			}
@ -208,7 +208,7 @@ func keyedByName(instancegroups []*kops.InstanceGroup, clusterName string) (map[
 	for _, ig := range instancegroups {
 		var name string
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			name = ig.Name + ".masters." + clusterName
 		case kops.InstanceGroupRoleNode, kops.InstanceGroupRoleBastion:
 			name = ig.Name + "." + clusterName
--- a/upup/pkg/fi/cloudup/azure/status_test.go
+++ b/upup/pkg/fi/cloudup/azure/status_test.go
@ -81,6 +81,7 @@ func TestFindEtcdStatus(t *testing.T) {
 			Name: to.StringPtr("d0"),
 			Tags: map[string]*string{
 				TagClusterName:                             to.StringPtr(clusterName),
+				TagNameRolePrefix + TagRoleControlPlane:    to.StringPtr("1"),
 				TagNameRolePrefix + TagRoleMaster:          to.StringPtr("1"),
 				TagNameEtcdClusterPrefix + etcdClusterName: to.StringPtr("a/a,b,c"),
 			},
@ -89,6 +90,7 @@ func TestFindEtcdStatus(t *testing.T) {
 			Name: to.StringPtr("d1"),
 			Tags: map[string]*string{
 				TagClusterName:                             to.StringPtr(clusterName),
+				TagNameRolePrefix + TagRoleControlPlane:    to.StringPtr("1"),
 				TagNameRolePrefix + TagRoleMaster:          to.StringPtr("1"),
 				TagNameEtcdClusterPrefix + etcdClusterName: to.StringPtr("b/a,b,c"),
 			},
@ -97,6 +99,7 @@ func TestFindEtcdStatus(t *testing.T) {
 			Name: to.StringPtr("d2"),
 			Tags: map[string]*string{
 				TagClusterName:                             to.StringPtr(clusterName),
+				TagNameRolePrefix + TagRoleControlPlane:    to.StringPtr("1"),
 				TagNameRolePrefix + TagRoleMaster:          to.StringPtr("1"),
 				TagNameEtcdClusterPrefix + etcdClusterName: to.StringPtr("c/a,b,c"),
 			},
@ -228,7 +231,7 @@ func TestGetCloudGroups(t *testing.T) {
 				Name: masterIG,
 			},
 			Spec: kops.InstanceGroupSpec{
-				Role: kops.InstanceGroupRoleMaster,
+				Role: kops.InstanceGroupRoleControlPlane,
 			},
 		},
 		{
--- a/upup/pkg/fi/cloudup/do/cloud.go
+++ b/upup/pkg/fi/cloudup/do/cloud.go
@ -42,7 +42,6 @@ import (
 const (
 	TagKubernetesClusterIndex        = "k8s-index"
 	TagNameEtcdClusterPrefix         = "etcdCluster-"
-	TagNameRolePrefix                = "k8s.io/role/"
 	TagKubernetesClusterNamePrefix   = "KubernetesCluster"
 	TagKubernetesClusterMasterPrefix = "KubernetesCluster-Master"
 	TagKubernetesInstanceGroup       = "kops-instancegroup"
@ -499,7 +498,7 @@ func matchInstanceGroup(name string, clusterName string, instancegroups []*kops.
 		var groupName string

 		switch g.Spec.Role {
-		case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleNode:
+		case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleNode:
 			groupName = clusterName + "-" + g.ObjectMeta.Name
 		default:
 			klog.Warningf("Ignoring InstanceGroup of unknown role %q", g.Spec.Role)
--- a/upup/pkg/fi/cloudup/gce/gcediscovery/resolver.go
+++ b/upup/pkg/fi/cloudup/gce/gcediscovery/resolver.go
@ -230,7 +230,7 @@ func (r *Discovery) Resolve(ctx context.Context, name string) ([]string, error)
 	var requiredTags []string

 	// We assume we are trying to resolve a component that runs on the control plane
-	requiredTags = append(requiredTags, gce.TagForRole(r.clusterName, kops.InstanceGroupRoleMaster))
+	requiredTags = append(requiredTags, gce.TagForRole(r.clusterName, kops.InstanceGroupRoleControlPlane))

 	if err := r.findInstances(ctx, func(i *compute.Instance) (bool, error) {
 		// Make sure the instance has any required tags
--- a/upup/pkg/fi/cloudup/gce/labels.go
+++ b/upup/pkg/fi/cloudup/gce/labels.go
@ -67,5 +67,5 @@ func DecodeGCELabel(s string) (string, error) {

 // TagForRole return the instance (network) tag used for instances with the given role.
 func TagForRole(clusterName string, role kops.InstanceGroupRole) string {
-	return ClusterPrefixedName(GceLabelNameRolePrefix+strings.ToLower(string(role)), clusterName, 63)
+	return ClusterPrefixedName(GceLabelNameRolePrefix+role.ToLowerString(), clusterName, 63)
 }
--- a/upup/pkg/fi/cloudup/gce/status.go
+++ b/upup/pkg/fi/cloudup/gce/status.go
@ -112,7 +112,7 @@ func (c *gceCloudImplementation) findEtcdStatus(cluster *kops.Cluster) ([]kops.E
 				etcdClusterSpec = spec
 			} else if strings.HasPrefix(k, GceLabelNameRolePrefix) {
 				roleName := strings.TrimPrefix(k, GceLabelNameRolePrefix)
-				if roleName == "master" {
+				if roleName == "master" || roleName == "control-plane" {
 					master = true
 				}
 			}
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@ -441,7 +441,7 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
 		}

 		// TODO: Clean up
-		if g.IsMaster() {
+		if g.IsControlPlane() {
 			if g.Spec.MachineType == "" {
 				g.Spec.MachineType, err = defaultMachineType(cloud, &cluster, ig)
 				if err != nil {
@ -480,7 +480,7 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
 			}
 		}

-		if ig.IsMaster() {
+		if ig.IsControlPlane() {
 			if len(ig.Spec.Subnets) == 0 {
 				return nil, fmt.Errorf("master InstanceGroup %s did not specify any Subnets", g.ObjectMeta.Name)
 			}
@ -861,7 +861,7 @@ func setupMasters(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetMap
 			}

 			g := &api.InstanceGroup{}
-			g.Spec.Role = api.InstanceGroupRoleMaster
+			g.Spec.Role = api.InstanceGroupRoleControlPlane
 			g.Spec.MinSize = fi.PtrTo(int32(1))
 			g.Spec.MaxSize = fi.PtrTo(int32(1))
 			g.ObjectMeta.Name = "master-" + name
--- a/upup/pkg/fi/cloudup/openstack/cloud.go
+++ b/upup/pkg/fi/cloudup/openstack/cloud.go
@ -64,6 +64,7 @@ const (
 	TagNameEtcdClusterPrefix = "k8s.io/etcd/"
 	TagNameRolePrefix        = "k8s.io/role/"
 	TagClusterName           = "KubernetesCluster"
+	TagRoleControlPlane      = "control-plane"
 	TagRoleMaster            = "master"
 	TagKopsInstanceGroup     = "KopsInstanceGroup"
 	TagKopsNetwork           = "KopsNetwork"
@ -726,14 +727,14 @@ func getIPIngressStatus(c OpenstackCloud, cluster *kops.Cluster) (ingresses []fi
 	done, err := vfs.RetryWithBackoff(readBackoff, func() (bool, error) {
 		instances, err := c.ListInstances(servers.ListOpts{})
 		if err != nil {
-			return false, fmt.Errorf("GetApiIngressStatus: Failed to list master nodes: %v", err)
+			return false, fmt.Errorf("GetApiIngressStatus: Failed to list control plane nodes: %v", err)
 		}
 		for _, instance := range instances {
 			val, ok := instance.Metadata["k8s"]
 			val2, ok2 := instance.Metadata["KopsRole"]
 			if ok && val == cluster.Name && ok2 {
 				role, success := kops.ParseInstanceGroupRole(val2, false)
-				if success && role == kops.InstanceGroupRoleMaster {
+				if success && role == kops.InstanceGroupRoleControlPlane {
 					if cluster.Spec.Topology != nil && cluster.Spec.Topology.ControlPlane == kops.TopologyPrivate {
 						ifName := instance.Metadata[TagKopsNetwork]
 						address, err := GetServerFixedIP(&instance, ifName)
--- a/upup/pkg/fi/cloudup/openstack/cloud_test.go
+++ b/upup/pkg/fi/cloudup/openstack/cloud_test.go
@ -161,7 +161,7 @@ func Test_OpenstackCloud_GetApiIngressStatus(t *testing.T) {
 					ID: "master1_no_lb_no_floating",
 					Metadata: map[string]string{
 						"k8s":      "cluster.k8s.local",
-						"KopsRole": "Master",
+						"KopsRole": "ControlPlane",
 					},
 					Addresses: map[string]interface{}{
 						"1": []Address{
@ -178,7 +178,7 @@ func Test_OpenstackCloud_GetApiIngressStatus(t *testing.T) {
 					ID: "master2_no_lb_no_floating",
 					Metadata: map[string]string{
 						"k8s":      "cluster.k8s.local",
-						"KopsRole": "Master",
+						"KopsRole": "ControlPlane",
 					},
 					Addresses: map[string]interface{}{
 						"1": []Address{
@ -233,7 +233,7 @@ func Test_OpenstackCloud_GetApiIngressStatus(t *testing.T) {
 					ID: "master1_no_lb_floating",
 					Metadata: map[string]string{
 						"k8s":      "cluster.k8s.local",
-						"KopsRole": "Master",
+						"KopsRole": "ControlPlane",
 					},
 					Addresses: map[string]interface{}{
 						"1": []map[string]interface{}{
@ -250,7 +250,7 @@ func Test_OpenstackCloud_GetApiIngressStatus(t *testing.T) {
 					ID: "master2_no_lb_floating",
 					Metadata: map[string]string{
 						"k8s":      "cluster.k8s.local",
-						"KopsRole": "Master",
+						"KopsRole": "ControlPlane",
 					},
 					Addresses: map[string]interface{}{
 						"1": []map[string]string{
--- a/upup/pkg/fi/cloudup/openstack/server_group.go
+++ b/upup/pkg/fi/cloudup/openstack/server_group.go
@ -91,7 +91,7 @@ func matchInstanceGroup(name string, clusterName string, instancegroups []*kops.
 		var groupName string

 		switch g.Spec.Role {
-		case kops.InstanceGroupRoleMaster, kops.InstanceGroupRoleNode, kops.InstanceGroupRoleBastion:
+		case kops.InstanceGroupRoleControlPlane, kops.InstanceGroupRoleNode, kops.InstanceGroupRoleBastion:
 			groupName = clusterName + "-" + g.ObjectMeta.Name
 		default:
 			klog.Warningf("Ignoring InstanceGroup of unknown role %q", g.Spec.Role)
--- a/upup/pkg/fi/cloudup/openstack/status.go
+++ b/upup/pkg/fi/cloudup/openstack/status.go
@ -83,7 +83,7 @@ func findEtcdStatus(c OpenstackCloud, cluster *kops.Cluster) ([]kops.EtcdCluster
 				if err != nil {
 					return nil, fmt.Errorf("error parsing etcd cluster tag %q on volume %q: %v", v, volumeID, err)
 				}
-			} else if k == TagNameRolePrefix+TagRoleMaster {
+			} else if k == TagNameRolePrefix+TagRoleControlPlane || k == TagNameRolePrefix+TagRoleMaster {
 				master = true
 			}
 		}
--- a/upup/pkg/fi/cloudup/openstack/utils.go
+++ b/upup/pkg/fi/cloudup/openstack/utils.go
@ -71,7 +71,7 @@ func defaultInstanceType(c OpenstackCloud, cluster *kops.Cluster, ig *kops.Insta

 	var candidates flavorList
 	switch ig.Spec.Role {
-	case kops.InstanceGroupRoleMaster:
+	case kops.InstanceGroupRoleControlPlane:
 		// Requirements based on awsCloudImplementation.DefaultInstanceType
 		for _, flavor := range fList {
 			if flavor.RAM >= 4096 && flavor.VCPUs >= 1 {
--- a/upup/pkg/fi/cloudup/populate_instancegroup_spec.go
+++ b/upup/pkg/fi/cloudup/populate_instancegroup_spec.go
@ -79,7 +79,7 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,
 	igSpec := &ig.Spec

 	// TODO: Clean up
-	if ig.IsMaster() {
+	if ig.IsControlPlane() {
 		if ig.Spec.MachineType == "" {
 			ig.Spec.MachineType, err = defaultMachineType(cloud, cluster, ig)
 			if err != nil {
@ -146,7 +146,7 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,
 		}
 	}

-	if ig.IsMaster() {
+	if ig.IsControlPlane() {
 		if len(ig.Spec.Subnets) == 0 {
 			return nil, fmt.Errorf("master InstanceGroup %s did not specify any Subnets", ig.ObjectMeta.Name)
 		}
@ -231,7 +231,7 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,

 	var igKubeletConfig *kops.KubeletConfigSpec
 	// Start with the cluster kubelet config
-	if ig.IsMaster() {
+	if ig.IsControlPlane() {
 		if cluster.Spec.MasterKubelet != nil {
 			igKubeletConfig = cluster.Spec.MasterKubelet.DeepCopy()
 		} else {
@ -269,7 +269,7 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,
 	}

 	{
-		if ig.IsMaster() {
+		if ig.IsControlPlane() {
 			// (Even though the value is empty, we still expect <Key>=<Value>:<Effect>)
 			if cluster.IsKubernetesLT("1.24") {
 				taints.Insert(nodelabels.RoleLabelMaster16 + "=:" + string(v1.TaintEffectNoSchedule))
@ -310,7 +310,7 @@ func defaultMachineType(cloud fi.Cloud, cluster *kops.Cluster, ig *kops.Instance

 	case kops.CloudProviderGCE:
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			return defaultMasterMachineTypeGCE, nil

 		case kops.InstanceGroupRoleNode:
@ -322,7 +322,7 @@ func defaultMachineType(cloud fi.Cloud, cluster *kops.Cluster, ig *kops.Instance

 	case kops.CloudProviderDO:
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			return defaultMasterMachineTypeDO, nil

 		case kops.InstanceGroupRoleNode:
@ -332,7 +332,7 @@ func defaultMachineType(cloud fi.Cloud, cluster *kops.Cluster, ig *kops.Instance

 	case kops.CloudProviderHetzner:
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			return defaultMasterMachineTypeHetzner, nil

 		case kops.InstanceGroupRoleNode:
@ -351,7 +351,7 @@ func defaultMachineType(cloud fi.Cloud, cluster *kops.Cluster, ig *kops.Instance

 	case kops.CloudProviderAzure:
 		switch ig.Spec.Role {
-		case kops.InstanceGroupRoleMaster:
+		case kops.InstanceGroupRoleControlPlane:
 			return defaultMasterMachineTypeAzure, nil

 		case kops.InstanceGroupRoleNode:
--- a/upup/pkg/fi/cloudup/populate_instancegroup_spec_test.go
+++ b/upup/pkg/fi/cloudup/populate_instancegroup_spec_test.go
@ -41,7 +41,7 @@ func buildMinimalNodeInstanceGroup(subnets ...string) *kopsapi.InstanceGroup {
 func buildMinimalMasterInstanceGroup(subnet string) *kopsapi.InstanceGroup {
 	g := &kopsapi.InstanceGroup{}
 	g.ObjectMeta.Name = "master-" + subnet
-	g.Spec.Role = kopsapi.InstanceGroupRoleMaster
+	g.Spec.Role = kopsapi.InstanceGroupRoleControlPlane
 	g.Spec.MinSize = fi.PtrTo(int32(1))
 	g.Spec.MaxSize = fi.PtrTo(int32(1))
 	g.Spec.Image = "my-image"
--- a/Show More
+++ b/Show More