From d3b5bfcefffe097384efa18c17a3bc9a1b733357 Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Sat, 30 Aug 2025 15:19:59 +0300 Subject: [PATCH] chore: Remove support for Kubernetes 1.28 
Signed-off-by: Ciprian Hacman --- cmd/kops/create_cluster_integration_test.go | 2 - cmd/kops/integration_test.go | 31 - nodeup/pkg/model/kubelet_test.go | 2 +- pkg/apis/kops/model/features.go | 2 +- pkg/apis/kops/validation/validation.go | 6 +- pkg/apis/kops/validation/validation_test.go | 8 +- pkg/model/awsmodel/autoscalinggroup.go | 2 - pkg/model/components/apiserver.go | 4 - pkg/model/components/containerd.go | 5 - pkg/model/components/kubecontrollermanager.go | 4 - pkg/model/components/kubelet.go | 4 - pkg/model/components/kubescheduler.go | 4 - pkg/nodemodel/wellknownassets/cni.go | 16 +- pkg/nodemodel/wellknownassets/cni_test.go | 8 +- tests/e2e/pkg/tester/skip_regex.go | 28 - .../minimal-1.27/expected-v1alpha2.yaml | 94 - .../create_cluster/minimal-1.27/options.yaml | 6 - .../minimal-1.28/expected-v1alpha2.yaml | 94 - .../create_cluster/minimal-1.28/options.yaml | 6 - ...mal.example.com-ASGLifecycle_event_pattern | 1 - ....com-InstanceScheduledChange_event_pattern | 1 - ...mple.com-InstanceStateChange_event_pattern | 1 - ...example.com-SpotInterruption_event_pattern | 1 - ...am_role_masters.minimal.example.com_policy | 10 - ..._iam_role_nodes.minimal.example.com_policy | 10 - ..._policy_masters.minimal.example.com_policy | 285 - ...le_policy_nodes.minimal.example.com_policy | 37 - ...4a6ed9aa889b9e2c39cd663eb9c7157_public_key | 1 - ...t-1a.masters.minimal.example.com_user_data | 134 - ...mplate_nodes.minimal.example.com_user_data | 157 - ...s_s3_object_cluster-completed.spec_content | 225 - ...s3_object_etcd-cluster-spec-events_content | 4 - ...s_s3_object_etcd-cluster-spec-main_content | 4 - .../aws_s3_object_kops-version.txt_content | 1 - ...cdmanager-events-master-us-test-1a_content | 138 - ...etcdmanager-main-master-us-test-1a_content | 138 - ...-static-kube-apiserver-healthcheck_content | 33 - ...-controller.addons.k8s.io-k8s-1.18_content | 237 - ...-csi-driver.addons.k8s.io-k8s-1.17_content | 1151 ---- ...nimal.example.com-addons-bootstrap_content | 
113 - ...ons-coredns.addons.k8s.io-k8s-1.12_content | 383 -- ...-controller.addons.k8s.io-k8s-1.12_content | 138 - ...-controller.addons.k8s.io-k8s-1.16_content | 227 - ...let-api.rbac.addons.k8s.io-k8s-1.9_content | 17 - ...m-addons-limit-range.addons.k8s.io_content | 15 - ...e-termination-handler.aws-k8s-1.11_content | 285 - ...-storage-aws.addons.k8s.io-v1.15.0_content | 118 - ...ect_nodeupconfig-master-us-test-1a_content | 332 -- .../aws_s3_object_nodeupconfig-nodes_content | 62 - ...s_sqs_queue_minimal-example-com-nth_policy | 16 - .../update_cluster/minimal-1.27/id_rsa.pub | 1 - .../minimal-1.27/in-v1alpha2.yaml | 99 - .../update_cluster/minimal-1.27/kubernetes.tf | 986 ---- ...mal.example.com-ASGLifecycle_event_pattern | 1 - ....com-InstanceScheduledChange_event_pattern | 1 - ...mple.com-InstanceStateChange_event_pattern | 1 - ...example.com-SpotInterruption_event_pattern | 1 - ...am_role_masters.minimal.example.com_policy | 10 - ..._iam_role_nodes.minimal.example.com_policy | 10 - ..._policy_masters.minimal.example.com_policy | 285 - ...le_policy_nodes.minimal.example.com_policy | 37 - ...4a6ed9aa889b9e2c39cd663eb9c7157_public_key | 1 - ...t-1a.masters.minimal.example.com_user_data | 134 - ...mplate_nodes.minimal.example.com_user_data | 157 - ...s_s3_object_cluster-completed.spec_content | 225 - ...s3_object_etcd-cluster-spec-events_content | 4 - ...s_s3_object_etcd-cluster-spec-main_content | 4 - .../aws_s3_object_kops-version.txt_content | 1 - ...cdmanager-events-master-us-test-1a_content | 138 - ...etcdmanager-main-master-us-test-1a_content | 138 - ...-static-kube-apiserver-healthcheck_content | 33 - ...-controller.addons.k8s.io-k8s-1.18_content | 237 - ...-csi-driver.addons.k8s.io-k8s-1.17_content | 1151 ---- ...nimal.example.com-addons-bootstrap_content | 113 - ...ons-coredns.addons.k8s.io-k8s-1.12_content | 383 -- ...-controller.addons.k8s.io-k8s-1.12_content | 138 - ...-controller.addons.k8s.io-k8s-1.16_content | 227 - 
...let-api.rbac.addons.k8s.io-k8s-1.9_content | 17 - ...m-addons-limit-range.addons.k8s.io_content | 15 - ...e-termination-handler.aws-k8s-1.11_content | 285 - ...-storage-aws.addons.k8s.io-v1.15.0_content | 118 - ...ect_nodeupconfig-master-us-test-1a_content | 332 -- .../aws_s3_object_nodeupconfig-nodes_content | 62 - ...s_sqs_queue_minimal-example-com-nth_policy | 16 - .../update_cluster/minimal-1.28/id_rsa.pub | 1 - .../minimal-1.28/in-v1alpha2.yaml | 99 - .../update_cluster/minimal-1.28/kubernetes.tf | 986 ---- ...nal.example.com-ASGLifecycle_event_pattern | 1 - ....com-InstanceScheduledChange_event_pattern | 1 - ...mple.com-InstanceStateChange_event_pattern | 1 - ...example.com-SpotInterruption_event_pattern | 1 - ...e_bastions.privatecanal.example.com_policy | 10 - ...le_masters.privatecanal.example.com_policy | 10 - ...role_nodes.privatecanal.example.com_policy | 10 - ...y_bastions.privatecanal.example.com_policy | 10 - ...cy_masters.privatecanal.example.com_policy | 278 - ...licy_nodes.privatecanal.example.com_policy | 30 - ...4a6ed9aa889b9e2c39cd663eb9c7157_public_key | 1 - ...masters.privatecanal.example.com_user_data | 134 - ...e_nodes.privatecanal.example.com_user_data | 157 - ...s_s3_object_cluster-completed.spec_content | 222 - ...s3_object_etcd-cluster-spec-events_content | 4 - ...s_s3_object_etcd-cluster-spec-main_content | 4 - .../aws_s3_object_kops-version.txt_content | 1 - ...cdmanager-events-master-us-test-1a_content | 139 - ...etcdmanager-main-master-us-test-1a_content | 139 - ...-static-kube-apiserver-healthcheck_content | 33 - ...ect_nodeupconfig-master-us-test-1a_content | 330 -- .../aws_s3_object_nodeupconfig-nodes_content | 61 - ...-controller.addons.k8s.io-k8s-1.18_content | 237 - ...-csi-driver.addons.k8s.io-k8s-1.17_content | 1151 ---- ...canal.example.com-addons-bootstrap_content | 168 - ...ons-coredns.addons.k8s.io-k8s-1.12_content | 383 -- ...-controller.addons.k8s.io-k8s-1.12_content | 138 - 
...-controller.addons.k8s.io-k8s-1.16_content | 227 - ...let-api.rbac.addons.k8s.io-k8s-1.9_content | 17 - ...m-addons-limit-range.addons.k8s.io_content | 15 - ...g.projectcalico.org.canal-k8s-1.25_content | 4907 ----------------- ...e-termination-handler.aws-k8s-1.11_content | 285 - ...-storage-aws.addons.k8s.io-v1.15.0_content | 118 - ..._queue_privatecanal-example-com-nth_policy | 16 - .../update_cluster/privatecanal/id_rsa.pub | 1 - .../privatecanal/in-v1alpha2.yaml | 98 - .../update_cluster/privatecanal/kubernetes.tf | 1467 ----- upup/pkg/fi/cloudup/apply_cluster.go | 4 +- upup/pkg/fi/cloudup/new_cluster.go | 40 - 126 files changed, 19 insertions(+), 21878 deletions(-) delete mode 100644 tests/integration/create_cluster/minimal-1.27/expected-v1alpha2.yaml delete mode 100644 tests/integration/create_cluster/minimal-1.27/options.yaml delete mode 100644 tests/integration/create_cluster/minimal-1.28/expected-v1alpha2.yaml delete mode 100644 tests/integration/create_cluster/minimal-1.28/options.yaml delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_masters.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_nodes.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_masters.minimal.example.com_policy delete mode 100644 
tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_nodes.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_nodes.minimal.example.com_user_data delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_cluster-completed.spec_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-events_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-main_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_kops-version.txt_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-bootstrap_content delete mode 100644 
tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-nodes_content delete mode 100644 tests/integration/update_cluster/minimal-1.27/data/aws_sqs_queue_minimal-example-com-nth_policy delete mode 100755 tests/integration/update_cluster/minimal-1.27/id_rsa.pub delete mode 100644 tests/integration/update_cluster/minimal-1.27/in-v1alpha2.yaml delete mode 100644 tests/integration/update_cluster/minimal-1.27/kubernetes.tf delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern delete mode 100644 
tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_masters.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_nodes.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_masters.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_nodes.minimal.example.com_policy delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_nodes.minimal.example.com_user_data delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_cluster-completed.spec_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-events_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-main_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_kops-version.txt_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content delete mode 100644 
tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-bootstrap_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-nodes_content delete mode 100644 tests/integration/update_cluster/minimal-1.28/data/aws_sqs_queue_minimal-example-com-nth_policy 
delete mode 100755 tests/integration/update_cluster/minimal-1.28/id_rsa.pub delete mode 100644 tests/integration/update_cluster/minimal-1.28/in-v1alpha2.yaml delete mode 100644 tests/integration/update_cluster/minimal-1.28/kubernetes.tf delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-ASGLifecycle_event_pattern delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceScheduledChange_event_pattern delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceStateChange_event_pattern delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-SpotInterruption_event_pattern delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_bastions.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_masters.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_nodes.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_key_pair_kubernetes.privatecanal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data delete mode 100644 
tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-events_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-main_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_kops-version.txt_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-master-us-test-1a_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-nodes_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content 
delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-limit-range.addons.k8s.io_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.25_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-node-termination-handler.aws-k8s-1.11_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content delete mode 100644 tests/integration/update_cluster/privatecanal/data/aws_sqs_queue_privatecanal-example-com-nth_policy delete mode 100755 tests/integration/update_cluster/privatecanal/id_rsa.pub delete mode 100644 tests/integration/update_cluster/privatecanal/in-v1alpha2.yaml delete mode 100644 tests/integration/update_cluster/privatecanal/kubernetes.tf
diff --git a/cmd/kops/create_cluster_integration_test.go b/cmd/kops/create_cluster_integration_test.go
index bb625ea1fa..5f5723da7e 100644
--- a/cmd/kops/create_cluster_integration_test.go
+++ b/cmd/kops/create_cluster_integration_test.go
@@ -46,8 +46,6 @@ var MagicTimestamp = metav1.Time{Time: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UT
 // TestCreateClusterMinimal runs kops create cluster minimal.example.com --zones us-test-1a
 func TestCreateClusterMinimal(t *testing.T) {
- runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.27", "v1alpha2")
- runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.28", "v1alpha2")
 runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.29", "v1alpha2")
 runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.30", "v1alpha2")
 runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/minimal-1.31", "v1alpha2")
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index c4dbd2b6aa..108aebc655 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -246,28 +246,6 @@ func TestMinimalAWS(t *testing.T) {
 runTestTerraformAWS(t)
 }
-// TestMinimal runs the test on a minimum configuration
-func TestMinimal_v1_27(t *testing.T) {
- newIntegrationTest("minimal.example.com", "minimal-1.27").
- withAddons(
- awsEBSCSIAddon,
- dnsControllerAddon,
- awsCCMAddon,
- ).
- runTestTerraformAWS(t)
-}
-
-// TestMinimal runs the test on a minimum configuration
-func TestMinimal_v1_28(t *testing.T) {
- newIntegrationTest("minimal.example.com", "minimal-1.28").
- withAddons(
- awsEBSCSIAddon,
- dnsControllerAddon,
- awsCCMAddon,
- ).
- runTestTerraformAWS(t)
-}
-
 // TestMinimal runs the test on a minimum configuration
 func TestMinimal_v1_29(t *testing.T) {
 newIntegrationTest("minimal.example.com", "minimal-1.29").
@@ -722,15 +700,6 @@ func TestPrivateCiliumENI(t *testing.T) {
 runTestTerraformAWS(t)
 }
-// TestPrivateCanal runs the test on a configuration with private topology, canal networking
-func TestPrivateCanal(t *testing.T) {
- newIntegrationTest("privatecanal.example.com", "privatecanal").
- withPrivate().
- withDefaultAddons30().
- withAddons(canalAddon).
- runTestTerraformAWS(t)
-}
-
 const kopeioNetworkingAddon = "networking.kope.io-k8s-1.12"
 // TestPrivateKopeio runs the test on a configuration with private topology, kopeio networking
diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
index 73a64ab1f1..e86a057af2 100644
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@@ -48,7 +48,7 @@ func TestTaintsApplied(t *testing.T) {
 expectTaints []string
 }{
 {
- version: "1.28.0",
+ version: "1.29.0",
 taints: []string{"foo", "bar", "baz"},
 expectTaints: []string{"foo", "bar", "baz", "node-role.kubernetes.io/control-plane=:NoSchedule"},
 },
diff --git a/pkg/apis/kops/model/features.go b/pkg/apis/kops/model/features.go
index 0062a96462..58c91793eb 100644
--- a/pkg/apis/kops/model/features.go
+++ b/pkg/apis/kops/model/features.go
@@ -73,7 +73,7 @@ func UseExternalKubeletCredentialProvider(k8sVersion *KubernetesVersion, cloudPr
 case kops.CloudProviderGCE:
 return k8sVersion.IsGTE("1.29")
 case kops.CloudProviderAWS:
- return k8sVersion.IsGTE("1.27")
+ return true
 default:
 return false
 }
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 876126e849..aaa5d172aa 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -1127,11 +1127,7 @@ func validateNetworking(cluster *kops.Cluster, v *kops.NetworkingSpec, fldPath *
 }
 if v.Canal != nil {
- if cluster.IsKubernetesGTE("1.28") {
- allErrs = append(allErrs, field.Forbidden(fldPath.Child("canal"), "Canal is not supported for Kubernetes >= 1.28"))
- } else {
- allErrs = append(allErrs, validateNetworkingCanal(cluster, v.Canal, fldPath.Child("canal"))...)
- }
+ allErrs = append(allErrs, field.Forbidden(fldPath.Child("canal"), "Canal is not supported for Kubernetes >= 1.28"))
 }
 if v.KubeRouter != nil {
diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
index 8082c3e9ba..e69bb8656e 100644
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@@ -379,7 +379,7 @@ func TestValidateKubeControllermanager(t *testing.T) {
 if g.Cluster == nil {
 g.Cluster = &kops.Cluster{
 Spec: kops.ClusterSpec{
- KubernetesVersion: "1.28.0",
+ KubernetesVersion: "1.29.0",
 },
 }
 }
@@ -436,7 +436,7 @@ func Test_Validate_Networking_Flannel(t *testing.T) {
 for _, g := range grid {
 cluster := &kops.Cluster{
 Spec: kops.ClusterSpec{
- KubernetesVersion: "1.27.0",
+ KubernetesVersion: "1.29.0",
 Networking: kops.NetworkingSpec{
 NetworkCIDR: "10.0.0.0/8",
 NonMasqueradeCIDR: "100.64.0.0/10",
@@ -502,7 +502,7 @@ func Test_Validate_Networking_Kindnet(t *testing.T) {
 for _, g := range grid {
 cluster := &kops.Cluster{
 Spec: kops.ClusterSpec{
- KubernetesVersion: "1.27.0",
+ KubernetesVersion: "1.29.0",
 Networking: kops.NetworkingSpec{
 NetworkCIDR: "10.0.0.0/8",
 NonMasqueradeCIDR: "100.64.0.0/10",
@@ -596,7 +596,7 @@ func Test_Validate_Networking_OverlappingCIDR(t *testing.T) {
 t.Run(g.Name, func(t *testing.T) {
 cluster := &kops.Cluster{
 Spec: kops.ClusterSpec{
- KubernetesVersion: "1.27.0",
+ KubernetesVersion: "1.29.0",
 },
 }
 cluster.Spec.Networking = g.Networking
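Review bot: In validateNetworking (pkg/apis/kops/validation/validation.go), the Canal branch now rejects every cluster, yet the message still reads `"Canal is not supported for Kubernetes >= 1.28"`, which implies an older version would be accepted. With the version check gone the text could say so plainly, e.g. `field.Forbidden(fldPath.Child("canal"), "Canal is no longer supported")`. The hunk also removes the only visible call to validateNetworkingCanal; if nothing else calls it, that helper is dead code and could be deleted in the same change. The function body starts and ends outside the hunk.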
diff --git a/pkg/model/awsmodel/autoscalinggroup.go b/pkg/model/awsmodel/autoscalinggroup.go
index c4114fea16..6277478891 100644
--- a/pkg/model/awsmodel/autoscalinggroup.go
+++ b/pkg/model/awsmodel/autoscalinggroup.go
@@ -307,8 +307,6 @@ func (b *AutoscalingGroupModelBuilder) buildLaunchTemplateTask(c *fi.CloudupMode
 if ig.Spec.InstanceMetadata != nil && ig.Spec.InstanceMetadata.HTTPTokens != nil {
 lt.HTTPTokens = fi.PtrTo(ec2types.LaunchTemplateHttpTokensState(fi.ValueOf(ig.Spec.InstanceMetadata.HTTPTokens)))
- } else if b.IsKubernetesLT("1.27") {
- lt.HTTPTokens = fi.PtrTo(ec2types.LaunchTemplateHttpTokensStateOptional)
 }
 switch rootVolumeType {
diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go
index 16b1b8eb12..5bfd7d8eb7 100644
--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@@ -194,10 +194,6 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(cluster *kops.Cluster) error
 if _, found := c.FeatureGates["InTreePluginAWSUnregister"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.31") {
 c.FeatureGates["InTreePluginAWSUnregister"] = "true"
 }
-
- if _, found := c.FeatureGates["CSIMigrationAWS"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.27") {
- c.FeatureGates["CSIMigrationAWS"] = "true"
- }
 }
 return nil
diff --git a/pkg/model/components/containerd.go b/pkg/model/components/containerd.go
index 77d2ff5bc2..98794c4650 100644
--- a/pkg/model/components/containerd.go
+++ b/pkg/model/components/containerd.go
@@ -42,11 +42,6 @@ func (b *ContainerdOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 // Set version based on Kubernetes version
 if fi.ValueOf(containerd.Version) == "" {
 switch {
- case b.IsKubernetesLT("1.27.2"):
- containerd.Version = fi.PtrTo("1.6.20")
- containerd.Runc = &kops.Runc{
- Version: fi.PtrTo("1.1.5"),
- }
 case b.IsKubernetesLT("1.32"):
 containerd.Version = fi.PtrTo("1.7.28")
 containerd.Runc = &kops.Runc{
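Review bot: In buildLaunchTemplateTask (pkg/model/awsmodel/autoscalinggroup.go), once the `else if b.IsKubernetesLT("1.27")` branch is gone nothing in this hunk sets lt.HTTPTokens when the instance group leaves InstanceMetadata.HTTPTokens unset, so the effective IMDS mode depends entirely on how lt is initialised above the hunk. Assuming that initialiser requires session tokens (IMDSv2), a comment on the `if` would make the default explicit, e.g. `// lt.HTTPTokens keeps its token-required default unless the instance group overrides it.` A test asserting the rendered HTTPTokens for an instance group without InstanceMetadata would pin that default against later refactors. The function starts and ends outside the hunk.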
diff --git a/pkg/model/components/kubecontrollermanager.go b/pkg/model/components/kubecontrollermanager.go
index 0c6ecb3015..d2185fe969 100644
--- a/pkg/model/components/kubecontrollermanager.go
+++ b/pkg/model/components/kubecontrollermanager.go
@@ -161,10 +161,6 @@ func (b *KubeControllerManagerOptionsBuilder) BuildOptions(o *kops.Cluster) erro
 if _, found := kcm.FeatureGates["InTreePluginAWSUnregister"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.31") {
 kcm.FeatureGates["InTreePluginAWSUnregister"] = "true"
 }
-
- if _, found := kcm.FeatureGates["CSIMigrationAWS"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.27") {
- kcm.FeatureGates["CSIMigrationAWS"] = "true"
- }
 }
 return nil
diff --git a/pkg/model/components/kubelet.go b/pkg/model/components/kubelet.go
index 856c0cdd83..bc6164c5db 100644
--- a/pkg/model/components/kubelet.go
+++ b/pkg/model/components/kubelet.go
@@ -183,10 +183,6 @@ func (b *KubeletOptionsBuilder) configureKubelet(cluster *kops.Cluster, kubelet
 if _, found := kubelet.FeatureGates["InTreePluginAWSUnregister"]; !found && kubernetesVersion.IsLT("1.31") {
 kubelet.FeatureGates["InTreePluginAWSUnregister"] = "true"
 }
-
- if _, found := kubelet.FeatureGates["CSIMigrationAWS"]; !found && kubernetesVersion.IsLT("1.27") {
- kubelet.FeatureGates["CSIMigrationAWS"] = "true"
- }
 }
 // Set systemd as the default cgroup driver for kubelet
diff --git a/pkg/model/components/kubescheduler.go b/pkg/model/components/kubescheduler.go
index 43502b0667..07ee01e65b 100644
--- a/pkg/model/components/kubescheduler.go
+++ b/pkg/model/components/kubescheduler.go
@@ -66,10 +66,6 @@ func (b *KubeSchedulerOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 if _, found := config.FeatureGates["InTreePluginAWSUnregister"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.31") {
 config.FeatureGates["InTreePluginAWSUnregister"] = "true"
 }
-
- if _, found := config.FeatureGates["CSIMigrationAWS"]; !found && b.ControlPlaneKubernetesVersion().IsLT("1.27") {
- config.FeatureGates["CSIMigrationAWS"] = "true"
- }
 }
 return nil
 }
diff --git a/pkg/nodemodel/wellknownassets/cni.go b/pkg/nodemodel/wellknownassets/cni.go
index e4fd2c7d5b..55d3bb0ead 100644
--- a/pkg/nodemodel/wellknownassets/cni.go
+++ b/pkg/nodemodel/wellknownassets/cni.go
@@ -95,12 +95,7 @@ func FindCNIAssets(ig model.InstanceGroup, assetBuilder *assets.AssetBuilder, ar
 cniAssetURL = defaultCNIAssetAmd64K8s_30
 case ig.KubernetesVersion().IsGTE("1.29"):
 cniAssetURL = defaultCNIAssetAmd64K8s_29
- case ig.KubernetesVersion().IsGTE("1.27"):
- cniAssetURL = defaultCNIAssetAmd64K8s_27
- default:
- cniAssetURL = defaultCNIAssetAmd64K8s_22
 }
- klog.V(2).Infof("Adding default ARM64 CNI plugin binaries asset: %s", cniAssetURL)
 case architectures.ArchitectureArm64:
 switch {
 case ig.KubernetesVersion().IsGTE("1.32"):
@@ -111,16 +106,17 @@ func FindCNIAssets(ig model.InstanceGroup, assetBuilder *assets.AssetBuilder, ar
 cniAssetURL = defaultCNIAssetArm64K8s_30
 case ig.KubernetesVersion().IsGTE("1.29"):
 cniAssetURL = defaultCNIAssetArm64K8s_29
- case ig.KubernetesVersion().IsGTE("1.27"):
- cniAssetURL = defaultCNIAssetArm64K8s_27
- default:
- cniAssetURL = defaultCNIAssetArm64K8s_22
 }
- klog.V(2).Infof("Adding default AMD64 CNI plugin binaries asset: %s", cniAssetURL)
 default:
 return nil, fmt.Errorf("unknown arch for CNI plugin binaries asset: %s", arch)
 }
+ if cniAssetURL == "" {
+ return nil, fmt.Errorf("unknown CNI plugin binaries asset: %s", arch)
+ } else {
+ klog.V(2).Infof("Adding CNI plugin binaries asset: %s", cniAssetURL)
+ }
+
 u, err := url.Parse(cniAssetURL)
 if err != nil {
 return nil, fmt.Errorf("unable to parse CNI plugin binaries asset URL %q: %v", cniAssetURL, err)
diff --git a/pkg/nodemodel/wellknownassets/cni_test.go b/pkg/nodemodel/wellknownassets/cni_test.go
index f9744ebd34..e420e1453e 100644
--- a/pkg/nodemodel/wellknownassets/cni_test.go
+++ b/pkg/nodemodel/wellknownassets/cni_test.go
@@ -59,12 +59,12 @@ func Test_FindCNIAssetFromEnvironmentVariable(t *testing.T) {
 }
 }
-func Test_FindCNIAssetFromDefaults122(t *testing.T) {
- desiredCNIVersionURL := "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz"
- desiredCNIVersionHash := "sha256:962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7"
+func Test_FindCNIAssetFromDefaults134(t *testing.T) {
+ desiredCNIVersionURL := "https://storage.googleapis.com/k8s-artifacts-cni/release/v1.6.1/cni-plugins-linux-amd64-v1.6.1.tgz"
+ desiredCNIVersionHash := "sha256:2503ce29ac445715ebe146073f45468153f9e28f45fa173cb060cfd9e735f563"
 cluster := &api.Cluster{}
- cluster.Spec.KubernetesVersion = "v1.22.0"
+ cluster.Spec.KubernetesVersion = "v1.34.0"
 ig := &api.InstanceGroup{}
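Review bot: The new `cniAssetURL == ""` guard in FindCNIAssets (pkg/nodemodel/wellknownassets/cni.go) reports `unknown CNI plugin binaries asset: %s` with `arch`, but an unknown architecture already returns from the `default:` branch just above it, so the guard can only fire when no Kubernetes-version case matched; with the `1.27` and `default` cases removed from the ARM64 switch here (and from the AMD64 switch in the previous hunk), that is any version below 1.29. Naming the version would make the failure diagnosable, for example `return nil, fmt.Errorf("no default CNI plugin binaries asset for Kubernetes version %v on %s", ig.KubernetesVersion(), arch)`; how that value formats under `%v` is not visible in the hunk and should be confirmed. The `else` after the returning `if` can also be dropped so the `klog.V(2).Infof("Adding CNI plugin binaries asset: %s", cniAssetURL)` line sits at function level. FindCNIAssets starts before and continues past this hunk.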
diff --git a/tests/e2e/pkg/tester/skip_regex.go b/tests/e2e/pkg/tester/skip_regex.go
index 2c918ae313..14e152f870 100644
--- a/tests/e2e/pkg/tester/skip_regex.go
+++ b/tests/e2e/pkg/tester/skip_regex.go
@@ -33,12 +33,6 @@ func (t *Tester) setSkipRegexFlag() error {
 return nil
 }
- kopsVersion, err := t.getKopsVersion()
- if err != nil {
- return err
- }
- isPre28 := kopsVersion < "1.28"
-
 cluster, err := t.getKopsCluster()
 if err != nil {
 return err
@@ -54,13 +48,6 @@ func (t *Tester) setSkipRegexFlag() error {
 skipRegex += "|blackbox.*should.not.be.able.to.pull.image.from.invalid.registry"
 skipRegex += "|blackbox.*should.be.able.to.pull.from.private.registry.with.secret"
- if !isPre28 {
- // K8s 1.28 promoted ProxyTerminatingEndpoints to GA, but it has limited CNI support
- // https://github.com/kubernetes/kubernetes/pull/117718
- // https://github.com/cilium/cilium/issues/27358
- skipRegex += "|fallback.to.local.terminating.endpoints.when.there.are.no.ready.endpoints.with.externalTrafficPolicy.Local"
- }
-
 networking := cluster.Spec.LegacyNetworking
 switch {
 case networking.Kubenet != nil, networking.Canal != nil, networking.Cilium != nil:
@@ -92,21 +79,6 @@ func (t *Tester) setSkipRegexFlag() error {
 skipRegex += "|Services.should.implement.NodePort.and.HealthCheckNodePort.correctly.when.ExternalTrafficPolicy.changes"
 }
- if isPre28 {
- // These may be fixed in Cilium 1.13 but skipping for now
- skipRegex += "|Service.with.multiple.ports.specified.in.multiple.EndpointSlices"
- // https://github.com/cilium/cilium/issues/18241
- skipRegex += "|Services.should.create.endpoints.for.unready.pods"
- skipRegex += "|Services.should.be.able.to.connect.to.terminating.and.unready.endpoints.if.PublishNotReadyAddresses.is.true"
- }
- if k8sVersion.Minor < 27 {
- // Partially implemented in Cilium 1.13 but kops doesn't enable it
- // Ref: https://github.com/cilium/cilium/pull/20033
- // K8s 1.27+ added [Serial] to the test case, which is skipped by default
- // Ref: https://github.com/kubernetes/kubernetes/pull/113335
- skipRegex += "|should.create.a.Pod.with.SCTP.HostPort"
- }
-
 if k8sVersion.Minor < 35 {
 // < 35 so we revisit this in future
 // This test checks for kube-proxy on port 10249 (`127.0.0.1:10249/proxyMode`)
diff --git a/tests/integration/create_cluster/minimal-1.27/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal-1.27/expected-v1alpha2.yaml
deleted file mode 100644
index 48d5c5364f..0000000000
--- a/tests/integration/create_cluster/minimal-1.27/expected-v1alpha2.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - loadBalancer: - class: Network - type: Public - authorization: - rbac: {} - channel: stable - cloudProvider: aws - configBase: memfs://tests/minimal.example.com - etcdClusters: - - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: control-plane-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: main - - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: control-plane-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: events - iam: - allowContainerRegistry: true - legacy: false - kubelet: - anonymousAuth: false - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: v1.27.0 - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.0.0/16 - name: us-test-1a - type: Public - zone: us-test-1a - topology: - dns: - type: None - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: control-plane-us-test-1a -spec: - image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250617 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: nodes-us-test-1a -spec: - image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250617 - machineType: t2.medium - maxSize: 1 - minSize: 1 - role: Node - subnets: - - us-test-1a 
diff --git a/tests/integration/create_cluster/minimal-1.27/options.yaml b/tests/integration/create_cluster/minimal-1.27/options.yaml
deleted file mode 100644
index 21fd13e746..0000000000
--- a/tests/integration/create_cluster/minimal-1.27/options.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-ClusterName: minimal.example.com
-Zones:
-- us-test-1a
-CloudProvider: aws
-Networking: cni
-KubernetesVersion: v1.27.0
\ No newline at end of file
diff --git a/tests/integration/create_cluster/minimal-1.28/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal-1.28/expected-v1alpha2.yaml
deleted file mode 100644
index 6a5f7216b5..0000000000
--- a/tests/integration/create_cluster/minimal-1.28/expected-v1alpha2.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - loadBalancer: - class: Network - type: Public - authorization: - rbac: {} - channel: stable - cloudProvider: aws - configBase: memfs://tests/minimal.example.com - etcdClusters: - - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: control-plane-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: main - - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: control-plane-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: events - iam: - allowContainerRegistry: true - legacy: false - kubelet: - anonymousAuth: false - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: v1.28.0 - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.0.0/16 - name: us-test-1a - type: Public - zone: us-test-1a - topology: - dns: - type: None - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: control-plane-us-test-1a -spec: - image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250617 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: nodes-us-test-1a -spec: - image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250617 - machineType: t2.medium - maxSize: 1 - minSize: 1 - role: Node - subnets: - - us-test-1a 
diff --git a/tests/integration/create_cluster/minimal-1.28/options.yaml b/tests/integration/create_cluster/minimal-1.28/options.yaml deleted file mode 100644 index 0b106cbaa9..0000000000 --- a/tests/integration/create_cluster/minimal-1.28/options.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ClusterName: minimal.example.com -Zones: -- us-test-1a -CloudProvider: aws -Networking: cni -KubernetesVersion: v1.28.0 \ No newline at end of file diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern b/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern deleted file mode 100644 index c8db9dbe9c..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern +++ /dev/null @@ -1 +0,0 @@ -{"source":["aws.autoscaling"],"detail-type":["EC2 Instance-terminate Lifecycle Action"]} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern b/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern deleted file mode 100644 index fb4ea7defd..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern +++ /dev/null @@ -1 +0,0 @@ -{"source": ["aws.health"],"detail-type": ["AWS Health Event"],"detail": {"service": ["EC2"],"eventTypeCategory": ["scheduledChange"]}} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern b/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern deleted file mode 100644 index 8c2916419d..0000000000 
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern +++ /dev/null @@ -1 +0,0 @@ -{"source": ["aws.ec2"],"detail-type": ["EC2 Instance State-change Notification"]} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern b/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern deleted file mode 100644 index 2d0e83b416..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern +++ /dev/null @@ -1 +0,0 @@ -{"source": ["aws.ec2"],"detail-type": ["EC2 Spot Instance Interruption Warning"]} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_masters.minimal.example.com_policy deleted file mode 100644 index 66d5de1d5a..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_masters.minimal.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_nodes.minimal.example.com_policy deleted file mode 100644 index 66d5de1d5a..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_nodes.minimal.example.com_policy +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { "Service": "ec2.amazonaws.com"}, - "Action": "sts:AssumeRole" - } - ] -} 
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_masters.minimal.example.com_policy deleted file mode 100644 index a07cc2b878..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ /dev/null 
@@ -1,285 +0,0 @@ -{ - "Statement": [ - { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "s3:Get*" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-read-bucket/tests/minimal.example.com/*" - }, - { - "Action": [ - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetObject", - "s3:PutObject" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-write-bucket/tests/minimal.example.com/backups/etcd/main/*" - }, - { - "Action": [ - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetObject", - "s3:PutObject" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-write-bucket/tests/minimal.example.com/backups/etcd/events/*" - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-read-bucket" - ] - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-write-bucket" - ] - }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:GetHostedZone", - "route53:ListResourceRecordSets" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones", - "route53:ListTagsForResource" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com", - "ec2:CreateAction": [ - 
"CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:snapshot/*", - "arn:aws-test:ec2:*:*:volume/*" - ] - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Condition": { - "Null": { - "aws:RequestTag/KubernetesCluster": "true" - }, - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:snapshot/*", - "arn:aws-test:ec2:*:*:volume/*" - ] - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com", - "ec2:CreateAction": [ - "CreateSecurityGroup" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:security-group/*" - ] - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Condition": { - "Null": { - "aws:RequestTag/KubernetesCluster": "true" - }, - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:security-group/*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeScalingActivities", - "autoscaling:DescribeTags", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeImages", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInstances", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeVpcs", - "ec2:GetInstanceTypesFromInstanceRequirements", - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - 
"ecr:ListImages", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "iam:CreateServiceLinkedRole", - "iam:GetServerCertificate", - "iam:ListServerCertificates", - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:GenerateRandom", - "kms:ReEncrypt*", - "sqs:DeleteMessage", - "sqs:ReceiveMessage" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:RevokeSecurityGroupIngress", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateSnapshot", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "ec2:CreateSecurityGroup", - "Effect": "Allow", - "Resource": "arn:aws-test:ec2:*:*:vpc/*" - } - ], - "Version": "2012-10-17" -} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_nodes.minimal.example.com_policy deleted file mode 100644 index b6eaf07f36..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "Statement": [ - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-read-bucket" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingInstances", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInstances", - "ec2:DescribeRegions", - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:ListImages", - "iam:GetServerCertificate", - "iam:ListServerCertificates", - "kms:GenerateRandom" - ], - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" -} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/minimal-1.27/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key deleted file mode 100644 index 81cb012783..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data deleted file mode 100644 index 7f940c91a9..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ /dev/null 
@@ -1,134 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: minimal.example.com -ConfigBase: memfs://tests/minimal.example.com -InstanceGroupName: master-us-test-1a -InstanceGroupRole: ControlPlane -NodeupConfigHash: Sa/hgUyUuopO4NABDhnhbu5FTQOM6uffmdWade1vbVw= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config done ==" 
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_nodes.minimal.example.com_user_data deleted file mode 100644 index 8156876320..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_launch_template_nodes.minimal.example.com_user_data +++ /dev/null 
@@ -1,157 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: minimal.example.com -ConfigServer: - CACertificates: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - 
SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- - servers: - - https://kops-controller.internal.minimal.example.com:3988/ -InstanceGroupName: nodes -InstanceGroupRole: Node -NodeupConfigHash: 4saNjAnGATsLWDIyb+PJfD0iv7Uryq6SEaY0x/JwRq8= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config done ==" diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_cluster-completed.spec_content deleted file mode 100644 index a1f4f7cb76..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_cluster-completed.spec_content +++ /dev/null 
@@ -1,225 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - dns: {} - authorization: - rbac: {} - channel: stable - cloudConfig: - awsEBSCSIDriver: - version: v1.47.0 - manageStorageClasses: true - cloudControllerManager: - allocateNodeCIDRs: true - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.9 - leaderElection: - leaderElect: true - cloudProvider: aws - clusterDNSDomain: cluster.local - configBase: memfs://tests/minimal.example.com - containerd: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 - dnsZone: Z1AFAKE1ZON3YO - etcdClusters: - - backups: - backupStore: memfs://tests/minimal.example.com/backups/etcd/main - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: main - version: 3.5.21 - - backups: - backupStore: memfs://tests/minimal.example.com/backups/etcd/events - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: events - version: 3.5.21 - externalDns: - provider: dns-controller - iam: - allowContainerRegistry: true - legacy: false - keyStore: memfs://tests/minimal.example.com/pki - kubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: Node,RBAC - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - 
https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.27.2 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.minimal.example.com - serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - kubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.27.2 - leaderElection: - leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - kubeDNS: - cacheMaxConcurrent: 150 - cacheMaxSize: 1000 - cpuRequest: 100m - domain: cluster.local - memoryLimit: 170Mi - memoryRequest: 70Mi - nodeLocalDNS: - cpuRequest: 25m - enabled: false - image: registry.k8s.io/dns/k8s-dns-node-cache:1.26.0 - memoryRequest: 5Mi - provider: CoreDNS - serverIP: 100.64.0.10 - kubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.2 - logLevel: 2 - kubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.27.2 - leaderElection: - leaderElect: true - logLevel: 2 - kubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: 
memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: 1.27.2 - masterKubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - masterPublicName: api.minimal.example.com - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nodeTerminationHandler: - cpuRequest: 50m - deleteSQSMsgIfNodeNotFound: false - enableRebalanceDraining: false - enableRebalanceMonitoring: false - enableScheduledEventDraining: true - enableSpotInterruptionDraining: true - enabled: true - excludeFromLoadBalancers: true - managedASGTag: aws-node-termination-handler/managed - memoryRequest: 64Mi - podTerminationGracePeriod: -1 - prometheusEnable: false - taintNode: false - version: v1.22.0 - nonMasqueradeCIDR: 100.64.0.0/10 - podCIDR: 100.96.0.0/11 - secretStore: memfs://tests/minimal.example.com/secrets - serviceClusterIPRange: 100.64.0.0/13 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - 
topology:
- dns:
- type: Public
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-events_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-events_content
deleted file mode 100644
index 4e70b7f195..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-events_content
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "memberCount": 1,
- "etcdVersion": "3.5.21"
-}
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-main_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-main_content
deleted file mode 100644
index 4e70b7f195..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_etcd-cluster-spec-main_content
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "memberCount": 1,
- "etcdVersion": "3.5.21"
-}
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_kops-version.txt_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_kops-version.txt_content
deleted file mode 100644
index b7340298dc..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_kops-version.txt_content
+++ /dev/null
@@ -1 +0,0 @@
-1.21.0-alpha.1
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content
deleted file mode 100644
index 8c62093d11..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-events - name: etcd-manager-events - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://tests/minimal.example.com/backups/etcd/events --client-urls=https://__name__:4002 - --cluster-name=etcd-events --containerized=true --dns-suffix=.internal.minimal.example.com - --grpc-port=3997 --peer-urls=https://__name__:2381 --quarantine-client-urls=https://__name__:3995 - --v=6 --volume-name-tag=k8s.io/etcd/events --volume-provider=aws --volume-tag=k8s.io/etcd/events - --volume-tag=k8s.io/role/control-plane=1 --volume-tag=kubernetes.io/cluster/minimal.example.com=owned - > /tmp/pipe 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 100m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - --src=/usr/local/bin/etcd - - 
--src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-events - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd-events.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content deleted file mode 100644 index 9df1760835..0000000000 
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-main - name: etcd-manager-main - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://tests/minimal.example.com/backups/etcd/main --client-urls=https://__name__:4001 - --cluster-name=etcd --containerized=true --dns-suffix=.internal.minimal.example.com - --grpc-port=3996 --peer-urls=https://__name__:2380 --quarantine-client-urls=https://__name__:3994 - --v=6 --volume-name-tag=k8s.io/etcd/main --volume-provider=aws --volume-tag=k8s.io/etcd/main - --volume-tag=k8s.io/role/control-plane=1 --volume-tag=kubernetes.io/cluster/minimal.example.com=owned - > /tmp/pipe 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 200m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - --src=/usr/local/bin/etcd - - 
--src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-main - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content deleted file mode 100644 index bcd77bc0ce..0000000000 
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null -spec: - containers: - - args: - - --ca-cert=/secrets/ca.crt - - --client-cert=/secrets/client.crt - - --client-key=/secrets/client.key - image: registry.k8s.io/kops/kube-apiserver-healthcheck:1.34.0-alpha.1 - livenessProbe: - httpGet: - host: 127.0.0.1 - path: /.kube-apiserver-healthcheck/healthz - port: 3990 - initialDelaySeconds: 5 - timeoutSeconds: 5 - name: healthcheck - resources: {} - securityContext: - runAsNonRoot: true - runAsUser: 10012 - volumeMounts: - - mountPath: /secrets - name: healthcheck-secrets - readOnly: true - volumes: - - hostPath: - path: /etc/kubernetes/kube-apiserver-healthcheck/secrets - type: Directory - name: healthcheck-secrets -status: {} diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content deleted file mode 100644 index b7e62c8d98..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content +++ /dev/null 
@@ -1,237 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - k8s-app: aws-cloud-controller-manager - name: aws-cloud-controller-manager - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: aws-cloud-controller-manager - template: - metadata: - creationTimestamp: null - labels: - k8s-app: aws-cloud-controller-manager - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --allocate-node-cidrs=true - - --cluster-cidr=100.96.0.0/11 - - --cluster-name=minimal.example.com - - --configure-cloud-routes=false - - --leader-elect=true - - --v=2 - - --cloud-provider=aws - - --use-service-account-credentials=true - - --cloud-config=/etc/kubernetes/cloud.config - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.9 - imagePullPolicy: IfNotPresent - name: aws-cloud-controller-manager - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/kubernetes/cloud.config - name: cloudconfig - readOnly: true - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccountName: aws-cloud-controller-manager - tolerations: - - effect: NoSchedule - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - - effect: NoSchedule - key: node.kubernetes.io/not-ready - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - hostPath: - path: /etc/kubernetes/cloud.config - type: "" - name: 
cloudconfig - updateStrategy: - type: RollingUpdate - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: cloud-controller-manager:apiserver-authentication-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - "" - resources: - - nodes - verbs: - - '*' -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - services - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - services/status - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - coordination.k8s.io - resources: 
- - leases - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - - watch -- apiGroups: - - "" - resourceNames: - - node-controller - - service-controller - - route-controller - resources: - - serviceaccounts/token - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:cloud-controller-manager -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content deleted file mode 100644 index ff7ee9d06e..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ /dev/null 
@@ -1,1151 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver 
- app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-attacher-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-role -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - patch - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-provisioner-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - patch - - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update -- apiGroups: - - 
storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-resizer-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - 
app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-snapshotter-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list - - watch - - update - - patch - - create -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-attacher-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-attacher-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- 
- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-getter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-csi-node-role -subjects: -- kind: ServiceAccount - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-provisioner-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-provisioner-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-resizer-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-resizer-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-snapshotter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-snapshotter-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-role - namespace: kube-system -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - watch - - list - - delete - - update - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-rolebinding - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ebs-csi-leases-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -kind: Service 
-metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app: ebs-csi-controller - app.kubernetes.io/managed-by: kops - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - ports: - - name: metrics - port: 3301 - targetPort: 3301 - selector: - app: ebs-csi-controller - type: ClusterIP - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node - namespace: kube-system -spec: - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-node - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-node - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: Exists - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - - key: node.kubernetes.io/instance-type - operator: NotIn - values: - - a1.medium - - a1.large - - a1.xlarge - - a1.2xlarge - - a1.4xlarge - containers: - - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: 
unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /bin/aws-ebs-csi-driver - - pre-stop-hook - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: healthz - periodSeconds: 5 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - privileged: true - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/lib/kubelet - mountPropagation: Bidirectional - name: kubelet-dir - - mountPath: /csi - name: plugin-dir - - mountPath: /dev - name: device-dir - - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=5 - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.14.0 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /csi-node-driver-registrar - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --mode=kubelet-registration-probe - initialDelaySeconds: 30 - periodSeconds: 90 - timeoutSeconds: 15 - name: node-driver-registrar - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - - mountPath: /registration - name: registration-dir - - mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - name: probe-dir - - args: - - --csi-address=/csi/csi.sock - image: 
registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - hostNetwork: false - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - securityContext: - fsGroup: 0 - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - serviceAccountName: ebs-csi-node-sa - terminationGracePeriodSeconds: 30 - tolerations: - - operator: Exists - volumes: - - hostPath: - path: /var/lib/kubelet - type: Directory - name: kubelet-dir - - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - name: plugin-dir - - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - name: registration-dir - - hostPath: - path: /dev - type: Directory - name: device-dir - - emptyDir: {} - name: probe-dir - updateStrategy: - rollingUpdate: - maxUnavailable: 10% - type: RollingUpdate - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-controller - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: 
aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - weight: 1 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - ebs-csi-controller - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - controller - - --endpoint=$(CSI_ENDPOINT) - - --k8s-tag-cluster-id=minimal.example.com - - --extra-tags=KubernetesCluster=minimal.example.com - - --http-endpoint=0.0.0.0:3301 - - --batching=true - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: key_id - name: aws-secret - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: access_key - name: aws-secret - optional: true - - name: AWS_EC2_ENDPOINT - valueFrom: - configMapKeyRef: - key: endpoint - name: aws-meta - optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - 
timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - - containerPort: 3301 - name: metrics - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --feature-gates=Topology=true - - --extra-create-metadata - - --leader-election=true - - --default-fstype=ext4 - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 - imagePullPolicy: IfNotPresent - name: csi-provisioner - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=6m - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=5m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-attacher:v4.9.0 - imagePullPolicy: IfNotPresent - name: csi-attacher - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: 
/var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.7.0 - imagePullPolicy: IfNotPresent - name: volumemodifier - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --extra-modify-metadata - - --csi-address=$(ADDRESS) - - --v=5 - - --handle-volume-inuse-error=false - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --workers=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 - imagePullPolicy: IfNotPresent - name: csi-resizer - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: socket-dir - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - 
securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - serviceAccountName: ebs-csi-controller-sa - tolerations: - - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - emptyDir: {} - name: socket-dir - ---- - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs.csi.aws.com -spec: - attachRequired: true - podInfoOnMount: false diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-bootstrap_content deleted file mode 100644 index 4f080a87ac..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ /dev/null 
@@ -1,113 +0,0 @@ -kind: Addons -metadata: - creationTimestamp: null - name: bootstrap -spec: - addons: - - id: k8s-1.16 - manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml - manifestHash: 44cac7d5e9087cebd7acf1ef581425bbceb93a95b4b2d89d0cd3082a51085f71 - name: kops-controller.addons.k8s.io - needsRollingUpdate: control-plane - selector: - k8s-addon: kops-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: coredns.addons.k8s.io/k8s-1.12.yaml - manifestHash: 776ca39fa0034ba09a4335cf3ee1bfa9c136407aaed07223555934e6907edd91 - name: coredns.addons.k8s.io - selector: - k8s-addon: coredns.addons.k8s.io - version: 9.99.0 - - id: k8s-1.9 - manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml - manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81 - name: kubelet-api.rbac.addons.k8s.io - selector: - k8s-addon: kubelet-api.rbac.addons.k8s.io - version: 9.99.0 - - manifest: limit-range.addons.k8s.io/v1.5.0.yaml - manifestHash: 2d55c3bc5e354e84a3730a65b42f39aba630a59dc8d32b30859fcce3d3178bc2 - name: limit-range.addons.k8s.io - selector: - k8s-addon: limit-range.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: dns-controller.addons.k8s.io/k8s-1.12.yaml - manifestHash: 4547fd9281fdef75bb50e82a90136a721fe7bd01a42d58dbe837a422cf54466d - name: dns-controller.addons.k8s.io - selector: - k8s-addon: dns-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.11 - manifest: node-termination-handler.aws/k8s-1.11.yaml - manifestHash: 1d0968eea99ca0d78400867a76af8b1dfe93ef2ff9640f0d755b21b2db7fec41 - name: node-termination-handler.aws - prune: - kinds: - - kind: ConfigMap - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: Service - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: ServiceAccount - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - 
namespaces: - - kube-system - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: DaemonSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: Deployment - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: apps - kind: StatefulSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: policy - kind: PodDisruptionBudget - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: rbac.authorization.k8s.io - kind: ClusterRole - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: ClusterRoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: Role - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: RoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - selector: - k8s-addon: node-termination-handler.aws - version: 9.99.0 - - id: v1.15.0 - manifest: storage-aws.addons.k8s.io/v1.15.0.yaml - manifestHash: 4e2cda50cd5048133aad1b5e28becb60f4629d3f9e09c514a2757c27998b4200 - name: storage-aws.addons.k8s.io - selector: - k8s-addon: storage-aws.addons.k8s.io - version: 9.99.0 - - id: k8s-1.18 - 
manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml - manifestHash: fdcbb173585218f08cf29f1fe3ca94cdc47b8b85a0f722db8f16eb25dccc7e97 - name: aws-cloud-controller.addons.k8s.io - selector: - k8s-addon: aws-cloud-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.17 - manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 93c7269843ed2f8acef3f95774cf1f1d9851d88d157e0b0da04336741694393f - name: aws-ebs-csi-driver.addons.k8s.io - selector: - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - version: 9.99.0 diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content deleted file mode 100644 index 4c4816a315..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content +++ /dev/null 
@@ -1,383 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/cluster-service: "true" - name: coredns - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns -subjects: -- kind: ServiceAccount - name: coredns - namespace: kube-system - ---- - -apiVersion: v1 -data: - Corefile: |- - .:53 { - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local. in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - prometheus :9153 - forward . 
/etc/resolv.conf { - max_concurrent 1000 - } - cache 30 - loop - reload - loadbalance - } -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - addonmanager.kubernetes.io/mode: EnsureExists - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: coredns - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kube-dns - strategy: - rollingUpdate: - maxSurge: 10% - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - k8s-app: kube-dns - kops.k8s.io/managed-by: kops - spec: - containers: - - args: - - -conf - - /etc/coredns/Corefile - image: registry.k8s.io/coredns/coredns:v1.11.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - successThreshold: 1 - timeoutSeconds: 5 - name: coredns - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - resources: - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - all - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/coredns - name: config-volume - readOnly: true - dnsPolicy: Default - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns - tolerations: - - key: 
CriticalAddonsOnly - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - configMap: - name: coredns - name: config-volume - ---- - -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: kube-dns - namespace: kube-system - resourceVersion: "0" -spec: - clusterIP: 100.64.0.10 - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP - selector: - k8s-app: kube-dns - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: kube-dns - namespace: kube-system -spec: - maxUnavailable: 50% - selector: - matchLabels: - k8s-app: kube-dns - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - 
list - - watch -- apiGroups: - - "" - resources: - - replicationcontrollers/scale - verbs: - - get - - update -- apiGroups: - - extensions - - apps - resources: - - deployments/scale - - replicasets/scale - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: coredns-autoscaler -subjects: -- kind: ServiceAccount - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: coredns-autoscaler - kubernetes.io/cluster-service: "true" - name: coredns-autoscaler - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: coredns-autoscaler - template: - metadata: - creationTimestamp: null - labels: - k8s-app: coredns-autoscaler - kops.k8s.io/managed-by: kops - spec: - containers: - - command: - - /cluster-proportional-autoscaler - - --namespace=kube-system - - --configmap=coredns-autoscaler - - --target=Deployment/coredns - - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}} - - --logtostderr=true - - --v=2 - image: registry.k8s.io/cpa/cluster-proportional-autoscaler:v1.9.0 - name: autoscaler - resources: - requests: - cpu: 20m - memory: 10Mi - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns-autoscaler - tolerations: - - key: CriticalAddonsOnly - operator: Exists 
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
deleted file mode 100644
index 4997c5166f..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - version: v1.34.0-alpha.1 - name: dns-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: dns-controller - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --watch-ingress=false - - --dns=aws-route53 - - --zone=*/Z1AFAKE1ZON3YO - - --internal-ipv4 - - --zone=*/* - - -v=2 - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/kops/dns-controller:1.34.0-alpha.1 - name: dns-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: dns-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: dns-controller - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - ingress - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops:dns-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:dns-controller diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content deleted file mode 100644 index 9bb33ec848..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content +++ /dev/null 
@@ -1,227 +0,0 @@ -apiVersion: v1 -data: - config.yaml: | - {"clusterName":"minimal.example.com","cloud":"aws","configBase":"memfs://tests/minimal.example.com","secretStore":"memfs://tests/minimal.example.com/secrets","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.minimal.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}} -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - version: v1.34.0-alpha.1 - name: kops-controller - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kops-controller - template: - metadata: - annotations: - dns.alpha.kubernetes.io/internal: kops-controller.internal.minimal.example.com - creationTimestamp: null - labels: - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: Exists - containers: - - args: - - --v=2 - - 
--conf=/etc/kubernetes/kops-controller/config/config.yaml - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - - name: KOPS_RUN_TOO_NEW_VERSION - value: "1" - image: registry.k8s.io/kops/kops-controller:1.34.0-alpha.1 - name: kops-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - runAsUser: 10011 - volumeMounts: - - mountPath: /etc/kubernetes/kops-controller/config/ - name: kops-controller-config - - mountPath: /etc/kubernetes/kops-controller/pki/ - name: kops-controller-pki - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: kops-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - volumes: - - configMap: - name: kops-controller - name: kops-controller-config - - hostPath: - path: /etc/kubernetes/kops-controller/ - type: Directory - name: kops-controller-pki - updateStrategy: - type: OnDelete - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: 
kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - watch - - create -- apiGroups: - - "" - - coordination.k8s.io - resourceNames: - - kops-controller-leader - resources: - - configmaps - - leases - verbs: - - get - - list - - watch - - patch - - update - - delete -- apiGroups: - - "" - - coordination.k8s.io - resources: - - configmaps - - leases - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content deleted file mode 100644 index 36761e1c56..0000000000 
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kubelet-api.rbac.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kubelet-api.rbac.addons.k8s.io - name: kops:system:kubelet-api-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kubelet-api-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: kubelet-api diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content deleted file mode 100644 index 4dcdce48b9..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: limit-range.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: limit-range.addons.k8s.io - name: limits - namespace: default -spec: - limits: - - defaultRequest: - cpu: 100m - type: Container diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content deleted file mode 100644 index f1361e7994..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content +++ /dev/null 
@@ -1,285 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - get -- apiGroups: - - "" - resources: - - pods/eviction - verbs: - - create -- apiGroups: - - extensions - resources: - - daemonsets - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: 
aws-node-termination-handler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aws-node-termination-handler -subjects: -- kind: ServiceAccount - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kubernetes.io/os: linux - template: - metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - k8s-app: aws-node-termination-handler - kops.k8s.io/managed-by: kops - kops.k8s.io/nth-mode: sqs - kubernetes.io/os: linux - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ENABLE_PROBES_SERVER - value: "true" - - name: PROBES_SERVER_PORT - value: "8080" - - name: PROBES_SERVER_ENDPOINT - value: 
/healthz - - name: LOG_LEVEL - value: info - - name: JSON_LOGGING - value: "true" - - name: LOG_FORMAT_VERSION - value: "2" - - name: ENABLE_PROMETHEUS_SERVER - value: "false" - - name: PROMETHEUS_SERVER_PORT - value: "9092" - - name: CHECK_TAG_BEFORE_DRAINING - value: "true" - - name: MANAGED_TAG - value: aws-node-termination-handler/managed - - name: USE_PROVIDER_ID - value: "true" - - name: DRY_RUN - value: "false" - - name: CORDON_ONLY - value: "false" - - name: TAINT_NODE - value: "false" - - name: EXCLUDE_FROM_LOAD_BALANCERS - value: "true" - - name: DELETE_LOCAL_DATA - value: "true" - - name: IGNORE_DAEMON_SETS - value: "true" - - name: POD_TERMINATION_GRACE_PERIOD - value: "-1" - - name: NODE_TERMINATION_GRACE_PERIOD - value: "120" - - name: EMIT_KUBERNETES_EVENTS - value: "true" - - name: COMPLETE_LIFECYCLE_ACTION_DELAY_SECONDS - value: "-1" - - name: ENABLE_SQS_TERMINATION_DRAINING - value: "true" - - name: QUEUE_URL - value: https://sqs.us-test-1.amazonaws.com/123456789012/minimal-example-com-nth - - name: DELETE_SQS_MSG_IF_NODE_NOT_FOUND - value: "false" - - name: WORKERS - value: "10" - image: public.ecr.aws/aws-ec2/aws-node-termination-handler:v1.22.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - name: aws-node-termination-handler - ports: - - containerPort: 8080 - name: liveness-probe - protocol: TCP - - containerPort: 9092 - name: metrics - protocol: TCP - resources: - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1000 - serviceAccountName: aws-node-termination-handler - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - 
topologySpreadConstraints: - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content deleted file mode 100644 index bea3e88be3..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content +++ /dev/null 
@@ -1,118 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: default -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: gp2 -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-ssd-1-17 -parameters: - encrypted: "true" - type: gp2 -provisioner: kubernetes.io/aws-ebs -volumeBindingMode: WaitForFirstConsumer - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-csi-1-21 -parameters: - encrypted: "true" - type: gp3 -provisioner: ebs.csi.aws.com -volumeBindingMode: WaitForFirstConsumer - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - 
list - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:aws-cloud-provider -subjects: -- kind: ServiceAccount - name: aws-cloud-provider - namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-master-us-test-1a_content deleted file mode 100644 index a790d4e24c..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-master-us-test-1a_content +++ /dev/null 
@@ -1,332 +0,0 @@ -APIServerConfig: - API: - dns: {} - publicName: api.minimal.example.com - ClusterDNSDomain: cluster.local - KubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: Node,RBAC - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.27.2 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.minimal.example.com - serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - ServiceAccountPublicKeys: | - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm - XVSysPKgE80QSU4tZ6m49pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQ== - -----END RSA PUBLIC KEY----- - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKOE64nZbH+GM91AIrqf7HEk4hvzqsZF - Ftxc+8xir1XC3mI/RhCCrs6AdVRZNZ26A6uHArhi33c2kHQkCjyLA7sCAwEAAQ== - -----END RSA PUBLIC KEY----- -Assets: - amd64: - - a0d12afcab3b2836de4a427558d067bebdff040e9b306b0512c93d9d2a066579@https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubelet - - 
4f38ee903f35b300d3b005a9c6bfb9a46a57f92e89ae602ef9c129b91dc6c5a5@https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - 7a8c262deb63becc877e82d23749e4f99f4a17e8e660f9b8c257ca87a5c056b6@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-amd64.tar.gz - - 028986516ab5646370edce981df2d8e8a8d12188deaf837142a02097000ae2f2@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64 - - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64 - - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64 - arm64: - - 810cd9a611e9f084e57c9ee466e33c324b2228d4249ff38c2588a0cc3224f10d@https://dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubelet - - 1b0966692e398efe71fe59f913eaec44ffd4468cc1acd00bf91c29fa8ff8f578@https://dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - 97457594ff8549cb82d664306593cafd3d2c781c706f9fffed885a46d8919bec@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-arm64.tar.gz - - 85c5e4e4f72e442c8c17bac07527cd4f961ee48e4f2b71797f7533c94f4a52b9@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.arm64 - - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64 - - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64 -CAs: - apiserver-aggregator-ca: | - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gINaZLHjisEcbMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTExMloX - DTMxMDYzMDA0NTExMlowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQAHAomFKsF4jvYX - WM/UzQXDj9nSAFTf8dBPCXyZZNotsOH7+P6W4mMiuVs8bAuGiXGUdbsQ2lpiT/Rk - CzMeMdr4 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gM0nxQpiX/agfMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTIzMVoX - DTMxMDYzMDA0NTIzMVowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - 
x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQCXsoezoxXu2CEN - QdlXZOfmBT6cqxIX/RMHXhpHwRiqPsTO8IO2bVA8CSzxNwMuSv/ZtrMHoh8+PcVW - HLtkTXH8 - -----END CERTIFICATE----- - etcd-clients-ca: | - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1ogHnr26DL9YkqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjE5MDFaFw0zMTA2Mjgx - NjE5MDFaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAAZAdf8ROEVkr3Rf7I+s+CQOil2toadlKWOY - qCeJ2XaEROfp9aUTEIU1MGM3g57MPyAPPU7mURskuOQz6B1UFaY= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1olfBnC/CsT+dqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjIwMzNaFw0zMTA2Mjgx - NjIwMzNaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAF1xUz77PlUVUnd9duF8F7plou0TONC9R6/E - YQ8C6vM1b+9NSDGjCW8YmwEU2fBgskb/BBX2lwVZ32/RUEju4Co= - -----END CERTIFICATE----- - etcd-manager-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bKjm04vB4rNtaMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAwOTU2WhcN - MzEwNzA1MjAwOTU2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKiC8tndMlEFZ7qzeKxeKqFVjaYpsh/H - g7RxWo15+1kgH3suO0lxp9+RxSVv97hnsfbySTPZVhy2cIQj7eZtZt8CAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBg6 - 
CEZkQNnRkARBwFce03AEWa+sMA0GCSqGSIb3DQEBCwUAA0EAJMnBThok/uUe8q8O - sS5q19KUuE8YCTUzMDj36EBKf6NX4NoakCa1h6kfQVtlMtEIMWQZCjbm8xGK5ffs - GS/VUw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bQ+EgIiBmGghjMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAxMTQ2WhcN - MzEwNzA1MjAxMTQ2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKFhHVVxxDGv8d1jBvtdSxz7KIVoBOjL - DMxsmTsINiQkTQaFlb+XPlnY1ar4+RhE519AFUkqfhypk4Zxqf1YFXUCAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNuW - LLH5c8kDubDbr6BHgedW0iJ9MA0GCSqGSIb3DQEBCwUAA0EAiKUoBoaGu7XzboFE - hjfKlX0TujqWuW3qMxDEJwj4dVzlSLrAoB/G01MJ+xxYKh456n48aG6N827UPXhV - cPfVNg== - -----END CERTIFICATE----- - etcd-manager-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjm1c3jfv6hIMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAxbkDbGYmCSShpRG3r+lzTOFujyuruRfjOhYm - ZRX4w1Utd5y63dUc98sjc9GGUYMHd+0k1ql/a48tGhnK6N6jJwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWZLkbBFx - GAgPU4i62c52unSo7RswDQYJKoZIhvcNAQELBQADQQAj6Pgd0va/8FtkyMlnohLu - Gf4v8RJO6zk3Y6jJ4+cwWziipFM1ielMzSOZfFcCZgH3m5Io40is4hPSqyq2TOA6 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eg8Si30gr4MA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAw33jzcd/iosN04b0WXbDt7B0c3sJ3aafcGLP - vG3xRB9N5bYr9+qZAq3mzAFkxscn4j1ce5b1/GKTDEAClmZgdQIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUE/h+3gDP - DvKwHRyiYlXM8voZ1wowDQYJKoZIhvcNAQELBQADQQBXuimeEoAOu5HN4hG7NqL9 - t40K3ZRhRZv3JQWnRVJCBDjg1rD0GQJR/n+DoWvbeijI5C9pNjr2pWSIYR1eYCvd - -----END CERTIFICATE----- - 
etcd-peers-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjmxTPh3/lYJMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAv5g4HF2xmrYyouJfY9jXx1M3gPLD/pupvxPY - xyjJw5pNCy5M5XGS3iTqRD5RDE0fWudVHFZKLIe8WPc06NApXwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUf6xiDI+O - Yph1ziCGr2hZaQYt+fUwDQYJKoZIhvcNAQELBQADQQBBxj5hqEQstonTb8lnqeGB - DEYtUeAk4eR/HzvUMjF52LVGuvN3XVt+JTrFeKNvb6/RDUbBNRj3azalcUkpPh6V - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eq69jgzpKwMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAo5Nj2CjX1qp3mEPw1H5nHAFWLoGNSLSlRFJW - 03NxaNPMFzL5PrCoyOXrX8/MWczuZYw0Crf8EPOOQWi2+W0XLwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxauhhKQh - cvdZND78rHe0RQVTTiswDQYJKoZIhvcNAQELBQADQQB+cq4jIS9q0zXslaRa+ViI - J+dviA3sMygbmSJO0s4DxYmoazKJblux5q0ASSvS9iL1l9ShuZ1dWyp2tpZawHyb - -----END CERTIFICATE----- - etcd-peers-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bKjmuLDDLcDHsMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDA5NTZaFw0zMTA3 - MDUyMDA5NTZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCyRaXWpwgN6INQqws9p/BvPElJv2Rno9dVTFhlQqDA - aUJXe7MBmiO4NJcW76EozeBh5ztR3/4NE1FM2x8TisS3AgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtE1d49uSvpURf - OQ25Vlu6liY20DANBgkqhkiG9w0BAQsFAANBAAgLVaetJZcfOA3OIMMvQbz2Ydrt - uWF9BKkIad8jrcIrm3IkOtR8bKGmDIIaRKuG/ZUOL6NMe2fky3AAfKwleL4= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bQ+EuVthBfuZvMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDExNDZaFw0zMTA3 - 
MDUyMDExNDZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCxNbycDZNx5V1ZOiXxZSvaFpHRwKeHDfcuMUitdoPt - naVMlMTGDWAMuCVmFHFAWohIYynemEegmZkZ15S7AErfAgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAjQ8T4HclPIsC - qipEfUIcLP6jqTANBgkqhkiG9w0BAQsFAANBAJdZ17TN3HlWrH7HQgfR12UBwz8K - G9DurDznVaBVUYaHY8Sg5AvAXeb+yIF2JMmRR+bK+/G1QYY2D3/P31Ic2Oo= - -----END CERTIFICATE----- - kubernetes-ca: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- -ClusterName: minimal.example.com -ControlPlaneConfig: - KubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.27.2 - leaderElection: - 
leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - KubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.27.2 - leaderElection: - leaderElect: true - logLevel: 2 -DNSZone: Z1AFAKE1ZON3YO -EtcdClusterNames: -- main -- events -FileAssets: -- content: | - apiVersion: kubescheduler.config.k8s.io/v1 - clientConnection: - kubeconfig: /var/lib/kube-scheduler/kubeconfig - kind: KubeSchedulerConfiguration - path: /var/lib/kube-scheduler/config.yaml -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - apiserver-aggregator-ca: "6980187172486667078076483355" - etcd-clients-ca: "6979622252718071085282986282" - etcd-manager-ca-events: "6982279354000777253151890266" - etcd-manager-ca-main: "6982279354000936168671127624" - etcd-peers-ca-events: "6982279353999767935825892873" - etcd-peers-ca-main: "6982279353998887468930183660" - kubernetes-ca: "6982820025135291416230495506" - service-account: "2" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.2 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - kops.k8s.io/instancegroup: master-us-test-1a - kops.k8s.io/kops-controller-pki: "" - node-role.kubernetes.io/control-plane: "" - node.kubernetes.io/exclude-from-external-load-balancers: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - taints: - - 
node-role.kubernetes.io/control-plane=:NoSchedule -KubernetesVersion: 1.27.2 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -channels: -- memfs://tests/minimal.example.com/addons/bootstrap-channel.yaml -configStore: - keypairs: memfs://tests/minimal.example.com/pki - secrets: memfs://tests/minimal.example.com/secrets -containerdConfig: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 -etcdManifests: -- memfs://tests/minimal.example.com/manifests/etcd/main-master-us-test-1a.yaml -- memfs://tests/minimal.example.com/manifests/etcd/events-master-us-test-1a.yaml -staticManifests: -- key: kube-apiserver-healthcheck - path: manifests/static/kube-apiserver-healthcheck.yaml -usesLegacyGossip: false -usesNoneDNS: false diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-nodes_content b/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-nodes_content deleted file mode 100644 index 4be38315b6..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/data/aws_s3_object_nodeupconfig-nodes_content +++ /dev/null 
@@ -1,62 +0,0 @@ -Assets: - amd64: - - a0d12afcab3b2836de4a427558d067bebdff040e9b306b0512c93d9d2a066579@https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubelet - - 4f38ee903f35b300d3b005a9c6bfb9a46a57f92e89ae602ef9c129b91dc6c5a5@https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - 7a8c262deb63becc877e82d23749e4f99f4a17e8e660f9b8c257ca87a5c056b6@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-amd64.tar.gz - - 028986516ab5646370edce981df2d8e8a8d12188deaf837142a02097000ae2f2@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64 - arm64: - - 810cd9a611e9f084e57c9ee466e33c324b2228d4249ff38c2588a0cc3224f10d@https://dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubelet - - 1b0966692e398efe71fe59f913eaec44ffd4468cc1acd00bf91c29fa8ff8f578@https://dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.27.2/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - 97457594ff8549cb82d664306593cafd3d2c781c706f9fffed885a46d8919bec@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-arm64.tar.gz - - 85c5e4e4f72e442c8c17bac07527cd4f961ee48e4f2b71797f7533c94f4a52b9@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.arm64 -CAs: {} -ClusterName: minimal.example.com -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - kubernetes-ca: "6982820025135291416230495506" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.2 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - kops.k8s.io/instancegroup: nodes-us-test-1a - node-role.kubernetes.io/node: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s -KubernetesVersion: 1.27.2 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -containerdConfig: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 -usesLegacyGossip: false -usesNoneDNS: false 
diff --git a/tests/integration/update_cluster/minimal-1.27/data/aws_sqs_queue_minimal-example-com-nth_policy b/tests/integration/update_cluster/minimal-1.27/data/aws_sqs_queue_minimal-example-com-nth_policy
deleted file mode 100644
index c5b2b25812..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/data/aws_sqs_queue_minimal-example-com-nth_policy
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "Statement": [
- {
- "Action": "sqs:SendMessage",
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "events.amazonaws.com",
- "sqs.amazonaws.com"
- ]
- },
- "Resource": "arn:aws-test:sqs:us-test-1:123456789012:minimal-example-com-nth"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/minimal-1.27/id_rsa.pub b/tests/integration/update_cluster/minimal-1.27/id_rsa.pub
deleted file mode 100755
index 81cb012783..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==
diff --git a/tests/integration/update_cluster/minimal-1.27/in-v1alpha2.yaml b/tests/integration/update_cluster/minimal-1.27/in-v1alpha2.yaml
deleted file mode 100644
index f6a5263a58..0000000000
--- a/tests/integration/update_cluster/minimal-1.27/in-v1alpha2.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - dns: {} - authorization: - rbac: {} - channel: stable - cloudProvider: aws - configBase: memfs://tests/minimal.example.com - etcdClusters: - - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - memoryRequest: 100Mi - name: main - - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - memoryRequest: 100Mi - name: events - iam: - allowContainerRegistry: true - legacy: false - kubelet: - anonymousAuth: false - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: v1.27.2 - masterPublicName: api.minimal.example.com - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - topology: - dns: - type: Public - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: master-us-test-1a -spec: - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - instanceMetadata: - httpPutResponseHopLimit: 3 - httpTokens: required - machineType: m3.medium - maxSize: 1 - minSize: 1 - nodeLabels: - kops.k8s.io/instancegroup: master-us-test-1a - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: nodes -spec: - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - instanceMetadata: - httpPutResponseHopLimit: 1 - httpTokens: required - machineType: t2.medium - maxSize: 1 - minSize: 1 - nodeLabels: - kops.k8s.io/instancegroup: nodes-us-test-1a - 
role: Node - subnets: - - us-test-1a diff --git a/tests/integration/update_cluster/minimal-1.27/kubernetes.tf b/tests/integration/update_cluster/minimal-1.27/kubernetes.tf deleted file mode 100644 index 175f6b0eed..0000000000 --- a/tests/integration/update_cluster/minimal-1.27/kubernetes.tf +++ /dev/null 
@@ -1,986 +0,0 @@ -locals { - cluster_name = "minimal.example.com" - master_autoscaling_group_ids = [aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id] - master_security_group_ids = [aws_security_group.masters-minimal-example-com.id] - masters_role_arn = aws_iam_role.masters-minimal-example-com.arn - masters_role_name = aws_iam_role.masters-minimal-example-com.name - node_autoscaling_group_ids = [aws_autoscaling_group.nodes-minimal-example-com.id] - node_security_group_ids = [aws_security_group.nodes-minimal-example-com.id] - node_subnet_ids = [aws_subnet.us-test-1a-minimal-example-com.id] - nodes_role_arn = aws_iam_role.nodes-minimal-example-com.arn - nodes_role_name = aws_iam_role.nodes-minimal-example-com.name - region = "us-test-1" - route_table_public_id = aws_route_table.minimal-example-com.id - subnet_us-test-1a_id = aws_subnet.us-test-1a-minimal-example-com.id - vpc_cidr_block = aws_vpc.minimal-example-com.cidr_block - vpc_id = aws_vpc.minimal-example-com.id - vpc_ipv6_cidr_block = aws_vpc.minimal-example-com.ipv6_cidr_block - vpc_ipv6_cidr_length = local.vpc_ipv6_cidr_block == "" ? 
null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -output "cluster_name" { - value = "minimal.example.com" -} - -output "master_autoscaling_group_ids" { - value = [aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id] -} - -output "master_security_group_ids" { - value = [aws_security_group.masters-minimal-example-com.id] -} - -output "masters_role_arn" { - value = aws_iam_role.masters-minimal-example-com.arn -} - -output "masters_role_name" { - value = aws_iam_role.masters-minimal-example-com.name -} - -output "node_autoscaling_group_ids" { - value = [aws_autoscaling_group.nodes-minimal-example-com.id] -} - -output "node_security_group_ids" { - value = [aws_security_group.nodes-minimal-example-com.id] -} - -output "node_subnet_ids" { - value = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -output "nodes_role_arn" { - value = aws_iam_role.nodes-minimal-example-com.arn -} - -output "nodes_role_name" { - value = aws_iam_role.nodes-minimal-example-com.name -} - -output "region" { - value = "us-test-1" -} - -output "route_table_public_id" { - value = aws_route_table.minimal-example-com.id -} - -output "subnet_us-test-1a_id" { - value = aws_subnet.us-test-1a-minimal-example-com.id -} - -output "vpc_cidr_block" { - value = aws_vpc.minimal-example-com.cidr_block -} - -output "vpc_id" { - value = aws_vpc.minimal-example-com.id -} - -output "vpc_ipv6_cidr_block" { - value = aws_vpc.minimal-example-com.ipv6_cidr_block -} - -output "vpc_ipv6_cidr_length" { - value = local.vpc_ipv6_cidr_block == "" ? 
null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -provider "aws" { - region = "us-test-1" -} - -provider "aws" { - alias = "files" - region = "us-test-1" -} - -resource "aws_autoscaling_group" "master-us-test-1a-masters-minimal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.master-us-test-1a-masters-minimal-example-com.id - version = aws_launch_template.master-us-test-1a-masters-minimal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "master-us-test-1a.masters.minimal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "minimal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "master-us-test-1a.masters.minimal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "master-us-test-1a" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/control-plane" - propagate_at_launch = true - value = "1" - } - tag { - key = "k8s.io/role/master" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - 
propagate_at_launch = true - value = "master-us-test-1a" - } - tag { - key = "kubernetes.io/cluster/minimal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -resource "aws_autoscaling_group" "nodes-minimal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.nodes-minimal-example-com.id - version = aws_launch_template.nodes-minimal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "nodes.minimal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "minimal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "nodes.minimal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "nodes-us-test-1a" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/node" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "nodes" - } - tag { - key = "kubernetes.io/cluster/minimal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -resource "aws_autoscaling_lifecycle_hook" "master-us-test-1a-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id - default_result = "CONTINUE" - 
heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "master-us-test-1a-NTHLifecycleHook" -} - -resource "aws_autoscaling_lifecycle_hook" "nodes-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.nodes-minimal-example-com.id - default_result = "CONTINUE" - heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "nodes-NTHLifecycleHook" -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-ASGLifecycle" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern") - name = "minimal.example.com-ASGLifecycle" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-ASGLifecycle" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-InstanceScheduledChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern") - name = "minimal.example.com-InstanceScheduledChange" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-InstanceScheduledChange" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-InstanceStateChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern") - name = "minimal.example.com-InstanceStateChange" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-InstanceStateChange" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-SpotInterruption" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern") - name = "minimal.example.com-SpotInterruption" - tags = { - 
"KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-SpotInterruption" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-ASGLifecycle-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-ASGLifecycle.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-InstanceScheduledChange-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-InstanceScheduledChange.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-InstanceStateChange-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-InstanceStateChange.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-SpotInterruption-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-SpotInterruption.id -} - -resource "aws_ebs_volume" "a-etcd-events-minimal-example-com" { - availability_zone = "us-test-1a" - encrypted = true - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "a.etcd-events.minimal.example.com" - "k8s.io/etcd/events" = "a/a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_ebs_volume" "a-etcd-main-minimal-example-com" { - availability_zone = "us-test-1a" - encrypted = true - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "a.etcd-main.minimal.example.com" - "k8s.io/etcd/main" = "a/a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_iam_instance_profile" "masters-minimal-example-com" { - 
name = "masters.minimal.example.com" - role = aws_iam_role.masters-minimal-example-com.name - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "masters.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_instance_profile" "nodes-minimal-example-com" { - name = "nodes.minimal.example.com" - role = aws_iam_role.nodes-minimal-example-com.name - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role" "masters-minimal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_masters.minimal.example.com_policy") - name = "masters.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "masters.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role" "nodes-minimal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.minimal.example.com_policy") - name = "nodes.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role_policy" "masters-minimal-example-com" { - name = "masters.minimal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_masters.minimal.example.com_policy") - role = aws_iam_role.masters-minimal-example-com.name -} - -resource "aws_iam_role_policy" "nodes-minimal-example-com" { - name = "nodes.minimal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_nodes.minimal.example.com_policy") - role = aws_iam_role.nodes-minimal-example-com.name -} - -resource "aws_internet_gateway" "minimal-example-com" { - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - 
vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_key_pair" "kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { - key_name = "kubernetes.minimal.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57" - public_key = file("${path.module}/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key") - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 64 - volume_type = "gp3" - } - } - block_device_mappings { - device_name = "/dev/sdc" - virtual_name = "ephemeral0" - } - iam_instance_profile { - name = aws_iam_instance_profile.masters-minimal-example-com.id - } - image_id = "ami-12345678" - instance_type = "m3.medium" - key_name = aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 3 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "master-us-test-1a.masters.minimal.example.com" - network_interfaces { - associate_public_ip_address = true - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.masters-minimal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - 
"k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - user_data = 
filebase64("${path.module}/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data") -} - -resource "aws_launch_template" "nodes-minimal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 128 - volume_type = "gp3" - } - } - iam_instance_profile { - name = aws_iam_instance_profile.nodes-minimal-example-com.id - } - image_id = "ami-12345678" - instance_type = "t2.medium" - key_name = aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 1 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "nodes.minimal.example.com" - network_interfaces { - associate_public_ip_address = true - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.nodes-minimal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - 
"kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - user_data = filebase64("${path.module}/data/aws_launch_template_nodes.minimal.example.com_user_data") -} - -resource "aws_route" "route-0-0-0-0--0" { - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.minimal-example-com.id - route_table_id = aws_route_table.minimal-example-com.id -} - -resource "aws_route" "route-__--0" { - destination_ipv6_cidr_block = "::/0" - gateway_id = aws_internet_gateway.minimal-example-com.id - route_table_id = aws_route_table.minimal-example-com.id -} - -resource "aws_route_table" "minimal-example-com" { - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - "kubernetes.io/kops/role" = "public" - } - vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_route_table_association" "us-test-1a-minimal-example-com" { - route_table_id = aws_route_table.minimal-example-com.id - subnet_id = aws_subnet.us-test-1a-minimal-example-com.id -} - -resource "aws_s3_object" "cluster-completed-spec" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_cluster-completed.spec_content") - key = "tests/minimal.example.com/cluster-completed.spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-events" { - bucket = "testingBucket" - content = 
file("${path.module}/data/aws_s3_object_etcd-cluster-spec-events_content") - key = "tests/minimal.example.com/backups/etcd/events/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-main" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_etcd-cluster-spec-main_content") - key = "tests/minimal.example.com/backups/etcd/main/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "kops-version-txt" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_kops-version.txt_content") - key = "tests/minimal.example.com/kops-version.txt" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-events-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content") - key = "tests/minimal.example.com/manifests/etcd/events-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-main-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content") - key = "tests/minimal.example.com/manifests/etcd/main-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-static-kube-apiserver-healthcheck" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content") - key = "tests/minimal.example.com/manifests/static/kube-apiserver-healthcheck.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-aws-cloud-controller-addons-k8s-io-k8s-1-18" { - bucket = "testingBucket" - 
content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content")
- key = "tests/minimal.example.com/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-aws-ebs-csi-driver-addons-k8s-io-k8s-1-17" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content")
- key = "tests/minimal.example.com/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-bootstrap" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-bootstrap_content")
- key = "tests/minimal.example.com/addons/bootstrap-channel.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-coredns-addons-k8s-io-k8s-1-12" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content")
- key = "tests/minimal.example.com/addons/coredns.addons.k8s.io/k8s-1.12.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-dns-controller-addons-k8s-io-k8s-1-12" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content")
- key = "tests/minimal.example.com/addons/dns-controller.addons.k8s.io/k8s-1.12.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-kops-controller-addons-k8s-io-k8s-1-16" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content")
- key = "tests/minimal.example.com/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-kubelet-api-rbac-addons-k8s-io-k8s-1-9" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content")
- key = "tests/minimal.example.com/addons/kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-limit-range-addons-k8s-io" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content")
- key = "tests/minimal.example.com/addons/limit-range.addons.k8s.io/v1.5.0.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-node-termination-handler-aws-k8s-1-11" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content")
- key = "tests/minimal.example.com/addons/node-termination-handler.aws/k8s-1.11.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "minimal-example-com-addons-storage-aws-addons-k8s-io-v1-15-0" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content")
- key = "tests/minimal.example.com/addons/storage-aws.addons.k8s.io/v1.15.0.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "nodeupconfig-master-us-test-1a" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_nodeupconfig-master-us-test-1a_content")
- key = "tests/minimal.example.com/igconfig/control-plane/master-us-test-1a/nodeupconfig.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_s3_object" "nodeupconfig-nodes" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_object_nodeupconfig-nodes_content")
- key = "tests/minimal.example.com/igconfig/node/nodes/nodeupconfig.yaml"
- provider = aws.files
- server_side_encryption = "AES256"
-}
-
-resource "aws_security_group" "masters-minimal-example-com" {
- description = "Security group for masters"
- name = "masters.minimal.example.com"
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "masters.minimal.example.com"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
- vpc_id = aws_vpc.minimal-example-com.id
-}
-
-resource "aws_security_group" "nodes-minimal-example-com" {
- description = "Security group for nodes"
- name = "nodes.minimal.example.com"
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "nodes.minimal.example.com"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
- vpc_id = aws_vpc.minimal-example-com.id
-}
-
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-example-com" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-example-com" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 443
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-masters-minimal-example-com" {
- from_port = 22
- ipv6_cidr_blocks = ["::/0"]
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-example-com" {
- from_port = 22
- ipv6_cidr_blocks = ["::/0"]
- protocol = "tcp"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-example-com" {
- from_port = 443
- ipv6_cidr_blocks = ["::/0"]
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 443
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-__--0" {
- from_port = 0
- ipv6_cidr_blocks = ["::/0"]
- protocol = "-1"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- source_security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- source_security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-__--0" {
- from_port = 0
- ipv6_cidr_blocks = ["::/0"]
- protocol = "-1"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- source_security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" {
- from_port = 1
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- source_security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 2379
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" {
- from_port = 2382
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- source_security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 4000
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" {
- from_port = 4003
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- source_security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 65535
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" {
- from_port = 1
- protocol = "udp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- source_security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 65535
- type = "ingress"
-}
-
-resource "aws_sqs_queue" "minimal-example-com-nth" {
- message_retention_seconds = 300
- name = "minimal-example-com-nth"
- policy = file("${path.module}/data/aws_sqs_queue_minimal-example-com-nth_policy")
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "minimal-example-com-nth"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
-}
-
-resource "aws_subnet" "us-test-1a-minimal-example-com" {
- availability_zone = "us-test-1a"
- cidr_block = "172.20.32.0/19"
- enable_resource_name_dns_a_record_on_launch = true
- private_dns_hostname_type_on_launch = "resource-name"
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "us-test-1a.minimal.example.com"
- "SubnetType" = "Public"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- "kubernetes.io/role/elb" = "1"
- "kubernetes.io/role/internal-elb" = "1"
- }
- vpc_id = aws_vpc.minimal-example-com.id
-}
-
-resource "aws_vpc" "minimal-example-com" {
- assign_generated_ipv6_cidr_block = true
- cidr_block = "172.20.0.0/16"
- enable_dns_hostnames = true
- enable_dns_support = true
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "minimal.example.com"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
-}
-
-resource "aws_vpc_dhcp_options" "minimal-example-com" {
- domain_name = "us-test-1.compute.internal"
- domain_name_servers = ["AmazonProvidedDNS"]
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "minimal.example.com"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
-}
-
-resource "aws_vpc_dhcp_options_association" "minimal-example-com" {
- dhcp_options_id = aws_vpc_dhcp_options.minimal-example-com.id
- vpc_id = aws_vpc.minimal-example-com.id
-}
-
-terraform {
- required_version = ">= 0.15.0"
- required_providers {
- aws = {
- "configuration_aliases" = [aws.files]
- "source" = "hashicorp/aws"
- "version" = ">= 5.0.0"
- }
- }
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern b/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern
deleted file mode 100644
index c8db9dbe9c..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source":["aws.autoscaling"],"detail-type":["EC2 Instance-terminate Lifecycle Action"]}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern b/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern
deleted file mode 100644
index fb4ea7defd..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.health"],"detail-type": ["AWS Health Event"],"detail": {"service": ["EC2"],"eventTypeCategory": ["scheduledChange"]}}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern b/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern
deleted file mode 100644
index 8c2916419d..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.ec2"],"detail-type": ["EC2 Instance State-change Notification"]}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern b/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern
deleted file mode 100644
index 2d0e83b416..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.ec2"],"detail-type": ["EC2 Spot Instance Interruption Warning"]}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_masters.minimal.example.com_policy
deleted file mode 100644
index 66d5de1d5a..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_masters.minimal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": { "Service": "ec2.amazonaws.com"},
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_nodes.minimal.example.com_policy
deleted file mode 100644
index 66d5de1d5a..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_nodes.minimal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": { "Service": "ec2.amazonaws.com"},
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_masters.minimal.example.com_policy
deleted file mode 100644
index a07cc2b878..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ /dev/null
@@ -1,285 +0,0 @@
-{
- "Statement": [
- {
- "Action": "ec2:AttachVolume",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "minimal.example.com",
- "aws:ResourceTag/k8s.io/role/master": "1"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "s3:Get*"
- ],
- "Effect": "Allow",
- "Resource": "arn:aws-test:s3:::placeholder-read-bucket/tests/minimal.example.com/*"
- },
- {
- "Action": [
- "s3:DeleteObject",
- "s3:DeleteObjectVersion",
- "s3:GetObject",
- "s3:PutObject"
- ],
- "Effect": "Allow",
- "Resource": "arn:aws-test:s3:::placeholder-write-bucket/tests/minimal.example.com/backups/etcd/main/*"
- },
- {
- "Action": [
- "s3:DeleteObject",
- "s3:DeleteObjectVersion",
- "s3:GetObject",
- "s3:PutObject"
- ],
- "Effect": "Allow",
- "Resource": "arn:aws-test:s3:::placeholder-write-bucket/tests/minimal.example.com/backups/etcd/events/*"
- },
- {
- "Action": [
- "s3:GetBucketLocation",
- "s3:GetEncryptionConfiguration",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:s3:::placeholder-read-bucket"
- ]
- },
- {
- "Action": [
- "s3:GetBucketLocation",
- "s3:GetEncryptionConfiguration",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:s3:::placeholder-write-bucket"
- ]
- },
- {
- "Action": [
- "route53:ChangeResourceRecordSets",
- "route53:GetHostedZone",
- "route53:ListResourceRecordSets"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:route53:::hostedzone/Z1AFAKE1ZON3YO"
- ]
- },
- {
- "Action": [
- "route53:GetChange"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:route53:::change/*"
- ]
- },
- {
- "Action": [
- "route53:ListHostedZones",
- "route53:ListTagsForResource"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "ec2:CreateTags",
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/KubernetesCluster": "minimal.example.com",
- "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
- ]
- }
- },
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:ec2:*:*:snapshot/*",
- "arn:aws-test:ec2:*:*:volume/*"
- ]
- },
- {
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/KubernetesCluster": "true"
- },
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:ec2:*:*:snapshot/*",
- "arn:aws-test:ec2:*:*:volume/*"
- ]
- },
- {
- "Action": "ec2:CreateTags",
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/KubernetesCluster": "minimal.example.com",
- "ec2:CreateAction": [
- "CreateSecurityGroup"
- ]
- }
- },
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:ec2:*:*:security-group/*"
- ]
- },
- {
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/KubernetesCluster": "true"
- },
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:ec2:*:*:security-group/*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeScalingActivities",
- "autoscaling:DescribeTags",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeImages",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeInstances",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeVpcs",
- "ec2:GetInstanceTypesFromInstanceRequirements",
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:DescribeRepositories",
- "ecr:GetAuthorizationToken",
- "ecr:GetDownloadUrlForLayer",
- "ecr:GetRepositoryPolicy",
- "ecr:ListImages",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetHealth",
- "iam:CreateServiceLinkedRole",
- "iam:GetServerCertificate",
- "iam:ListServerCertificates",
- "kms:CreateGrant",
- "kms:Decrypt",
- "kms:DescribeKey",
- "kms:Encrypt",
- "kms:GenerateDataKey*",
- "kms:GenerateRandom",
- "kms:ReEncrypt*",
- "sqs:DeleteMessage",
- "sqs:ReceiveMessage"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume",
- "ec2:RevokeSecurityGroupIngress",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:DeregisterTargets",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateSnapshot",
- "ec2:CreateVolume",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": "ec2:CreateSecurityGroup",
- "Effect": "Allow",
- "Resource": "arn:aws-test:ec2:*:*:vpc/*"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_nodes.minimal.example.com_policy
deleted file mode 100644
index b6eaf07f36..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_iam_role_policy_nodes.minimal.example.com_policy
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "Statement": [
- {
- "Action": [
- "s3:GetBucketLocation",
- "s3:GetEncryptionConfiguration",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:s3:::placeholder-read-bucket"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingInstances",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeInstances",
- "ec2:DescribeRegions",
- "ecr:BatchCheckLayerAvailability",
- "ecr:BatchGetImage",
- "ecr:DescribeRepositories",
- "ecr:GetAuthorizationToken",
- "ecr:GetDownloadUrlForLayer",
- "ecr:GetRepositoryPolicy",
- "ecr:ListImages",
- "iam:GetServerCertificate",
- "iam:ListServerCertificates",
- "kms:GenerateRandom"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/minimal-1.28/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key
deleted file mode 100644
index 81cb012783..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
deleted file mode 100644
index 4abcc6fd1e..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ /dev/null
@@ -1,134 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: minimal.example.com -ConfigBase: memfs://tests/minimal.example.com -InstanceGroupName: master-us-test-1a -InstanceGroupRole: ControlPlane -NodeupConfigHash: Sj8EDlrNAMivsWEzj3cc6cphoH6xBh7oL6QVgT2Iu/k= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config done ==" 
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_nodes.minimal.example.com_user_data deleted file mode 100644 index ac3f0b66f6..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_launch_template_nodes.minimal.example.com_user_data +++ /dev/null 
@@ -1,157 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: minimal.example.com -ConfigServer: - CACertificates: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - 
SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- - servers: - - https://kops-controller.internal.minimal.example.com:3988/ -InstanceGroupName: nodes -InstanceGroupRole: Node -NodeupConfigHash: 7mYrPiHlaO+JW9sKYSuvfF1BaoG/sIa0vSR7ZHk5uX0= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config done ==" diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_cluster-completed.spec_content deleted file mode 100644 index 62334fd4b2..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_cluster-completed.spec_content +++ /dev/null 
@@ -1,225 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - dns: {} - authorization: - rbac: {} - channel: stable - cloudConfig: - awsEBSCSIDriver: - version: v1.47.0 - manageStorageClasses: true - cloudControllerManager: - allocateNodeCIDRs: true - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.9 - leaderElection: - leaderElect: true - cloudProvider: aws - clusterDNSDomain: cluster.local - configBase: memfs://tests/minimal.example.com - containerd: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 - dnsZone: Z1AFAKE1ZON3YO - etcdClusters: - - backups: - backupStore: memfs://tests/minimal.example.com/backups/etcd/main - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: main - version: 3.5.21 - - backups: - backupStore: memfs://tests/minimal.example.com/backups/etcd/events - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - manager: - backupRetentionDays: 90 - memoryRequest: 100Mi - name: events - version: 3.5.21 - externalDns: - provider: dns-controller - iam: - allowContainerRegistry: true - legacy: false - keyStore: memfs://tests/minimal.example.com/pki - kubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: Node,RBAC - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - 
https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.28.0 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.minimal.example.com - serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - kubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.28.0 - leaderElection: - leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - kubeDNS: - cacheMaxConcurrent: 150 - cacheMaxSize: 1000 - cpuRequest: 100m - domain: cluster.local - memoryLimit: 170Mi - memoryRequest: 70Mi - nodeLocalDNS: - cpuRequest: 25m - enabled: false - image: registry.k8s.io/dns/k8s-dns-node-cache:1.26.0 - memoryRequest: 5Mi - provider: CoreDNS - serverIP: 100.64.0.10 - kubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.28.0 - logLevel: 2 - kubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.28.0 - leaderElection: - leaderElect: true - logLevel: 2 - kubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: 
memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: 1.28.0 - masterKubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - masterPublicName: api.minimal.example.com - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nodeTerminationHandler: - cpuRequest: 50m - deleteSQSMsgIfNodeNotFound: false - enableRebalanceDraining: false - enableRebalanceMonitoring: false - enableScheduledEventDraining: true - enableSpotInterruptionDraining: true - enabled: true - excludeFromLoadBalancers: true - managedASGTag: aws-node-termination-handler/managed - memoryRequest: 64Mi - podTerminationGracePeriod: -1 - prometheusEnable: false - taintNode: false - version: v1.22.0 - nonMasqueradeCIDR: 100.64.0.0/10 - podCIDR: 100.96.0.0/11 - secretStore: memfs://tests/minimal.example.com/secrets - serviceClusterIPRange: 100.64.0.0/13 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - 
topology:
- dns:
- type: Public
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-events_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-events_content
deleted file mode 100644
index 4e70b7f195..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-events_content
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "memberCount": 1,
- "etcdVersion": "3.5.21"
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-main_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-main_content
deleted file mode 100644
index 4e70b7f195..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_etcd-cluster-spec-main_content
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "memberCount": 1,
- "etcdVersion": "3.5.21"
-}
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_kops-version.txt_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_kops-version.txt_content
deleted file mode 100644
index b7340298dc..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_kops-version.txt_content
+++ /dev/null
@@ -1 +0,0 @@
-1.21.0-alpha.1
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content
deleted file mode 100644
index 8c62093d11..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-events - name: etcd-manager-events - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://tests/minimal.example.com/backups/etcd/events --client-urls=https://__name__:4002 - --cluster-name=etcd-events --containerized=true --dns-suffix=.internal.minimal.example.com - --grpc-port=3997 --peer-urls=https://__name__:2381 --quarantine-client-urls=https://__name__:3995 - --v=6 --volume-name-tag=k8s.io/etcd/events --volume-provider=aws --volume-tag=k8s.io/etcd/events - --volume-tag=k8s.io/role/control-plane=1 --volume-tag=kubernetes.io/cluster/minimal.example.com=owned - > /tmp/pipe 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 100m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - --src=/usr/local/bin/etcd - - 
--src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-events - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd-events.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content deleted file mode 100644 index 9df1760835..0000000000 
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-main - name: etcd-manager-main - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://tests/minimal.example.com/backups/etcd/main --client-urls=https://__name__:4001 - --cluster-name=etcd --containerized=true --dns-suffix=.internal.minimal.example.com - --grpc-port=3996 --peer-urls=https://__name__:2380 --quarantine-client-urls=https://__name__:3994 - --v=6 --volume-name-tag=k8s.io/etcd/main --volume-provider=aws --volume-tag=k8s.io/etcd/main - --volume-tag=k8s.io/role/control-plane=1 --volume-tag=kubernetes.io/cluster/minimal.example.com=owned - > /tmp/pipe 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 200m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - --src=/usr/local/bin/etcd - - 
--src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-main - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content deleted file mode 100644 index bcd77bc0ce..0000000000 
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null -spec: - containers: - - args: - - --ca-cert=/secrets/ca.crt - - --client-cert=/secrets/client.crt - - --client-key=/secrets/client.key - image: registry.k8s.io/kops/kube-apiserver-healthcheck:1.34.0-alpha.1 - livenessProbe: - httpGet: - host: 127.0.0.1 - path: /.kube-apiserver-healthcheck/healthz - port: 3990 - initialDelaySeconds: 5 - timeoutSeconds: 5 - name: healthcheck - resources: {} - securityContext: - runAsNonRoot: true - runAsUser: 10012 - volumeMounts: - - mountPath: /secrets - name: healthcheck-secrets - readOnly: true - volumes: - - hostPath: - path: /etc/kubernetes/kube-apiserver-healthcheck/secrets - type: Directory - name: healthcheck-secrets -status: {} diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content deleted file mode 100644 index 2347d7a598..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content +++ /dev/null 
@@ -1,237 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - k8s-app: aws-cloud-controller-manager - name: aws-cloud-controller-manager - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: aws-cloud-controller-manager - template: - metadata: - creationTimestamp: null - labels: - k8s-app: aws-cloud-controller-manager - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --allocate-node-cidrs=true - - --cluster-cidr=100.96.0.0/11 - - --cluster-name=minimal.example.com - - --configure-cloud-routes=false - - --leader-elect=true - - --v=2 - - --cloud-provider=aws - - --use-service-account-credentials=true - - --cloud-config=/etc/kubernetes/cloud.config - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.9 - imagePullPolicy: IfNotPresent - name: aws-cloud-controller-manager - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/kubernetes/cloud.config - name: cloudconfig - readOnly: true - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccountName: aws-cloud-controller-manager - tolerations: - - effect: NoSchedule - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - - effect: NoSchedule - key: node.kubernetes.io/not-ready - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - hostPath: - path: /etc/kubernetes/cloud.config - type: "" - name: 
cloudconfig - updateStrategy: - type: RollingUpdate - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: cloud-controller-manager:apiserver-authentication-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - "" - resources: - - nodes - verbs: - - '*' -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - services - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - services/status - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - coordination.k8s.io - resources: 
- - leases - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - - watch -- apiGroups: - - "" - resourceNames: - - node-controller - - service-controller - - route-controller - resources: - - serviceaccounts/token - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:cloud-controller-manager -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content deleted file mode 100644 index ff7ee9d06e..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ /dev/null 
@@ -1,1151 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver 
- app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-attacher-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-role -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - patch - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-provisioner-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - patch - - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update -- apiGroups: - - 
storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-resizer-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - 
app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-snapshotter-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list - - watch - - update - - patch - - create -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-attacher-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-attacher-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- 
- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-getter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-csi-node-role -subjects: -- kind: ServiceAccount - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-provisioner-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-provisioner-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-resizer-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-resizer-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-snapshotter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-snapshotter-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-role - namespace: kube-system -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - watch - - list - - delete - - update - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-rolebinding - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ebs-csi-leases-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -kind: Service 
-metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app: ebs-csi-controller - app.kubernetes.io/managed-by: kops - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - ports: - - name: metrics - port: 3301 - targetPort: 3301 - selector: - app: ebs-csi-controller - type: ClusterIP - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node - namespace: kube-system -spec: - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-node - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-node - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: Exists - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - - key: node.kubernetes.io/instance-type - operator: NotIn - values: - - a1.medium - - a1.large - - a1.xlarge - - a1.2xlarge - - a1.4xlarge - containers: - - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: 
unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /bin/aws-ebs-csi-driver - - pre-stop-hook - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: healthz - periodSeconds: 5 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - privileged: true - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/lib/kubelet - mountPropagation: Bidirectional - name: kubelet-dir - - mountPath: /csi - name: plugin-dir - - mountPath: /dev - name: device-dir - - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=5 - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.14.0 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /csi-node-driver-registrar - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --mode=kubelet-registration-probe - initialDelaySeconds: 30 - periodSeconds: 90 - timeoutSeconds: 15 - name: node-driver-registrar - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - - mountPath: /registration - name: registration-dir - - mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - name: probe-dir - - args: - - --csi-address=/csi/csi.sock - image: 
registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - hostNetwork: false - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - securityContext: - fsGroup: 0 - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - serviceAccountName: ebs-csi-node-sa - terminationGracePeriodSeconds: 30 - tolerations: - - operator: Exists - volumes: - - hostPath: - path: /var/lib/kubelet - type: Directory - name: kubelet-dir - - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - name: plugin-dir - - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - name: registration-dir - - hostPath: - path: /dev - type: Directory - name: device-dir - - emptyDir: {} - name: probe-dir - updateStrategy: - rollingUpdate: - maxUnavailable: 10% - type: RollingUpdate - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-controller - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: 
aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - weight: 1 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - ebs-csi-controller - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - controller - - --endpoint=$(CSI_ENDPOINT) - - --k8s-tag-cluster-id=minimal.example.com - - --extra-tags=KubernetesCluster=minimal.example.com - - --http-endpoint=0.0.0.0:3301 - - --batching=true - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: key_id - name: aws-secret - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: access_key - name: aws-secret - optional: true - - name: AWS_EC2_ENDPOINT - valueFrom: - configMapKeyRef: - key: endpoint - name: aws-meta - optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - 
timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - - containerPort: 3301 - name: metrics - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --feature-gates=Topology=true - - --extra-create-metadata - - --leader-election=true - - --default-fstype=ext4 - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 - imagePullPolicy: IfNotPresent - name: csi-provisioner - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=6m - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=5m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-attacher:v4.9.0 - imagePullPolicy: IfNotPresent - name: csi-attacher - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: 
/var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.7.0 - imagePullPolicy: IfNotPresent - name: volumemodifier - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --extra-modify-metadata - - --csi-address=$(ADDRESS) - - --v=5 - - --handle-volume-inuse-error=false - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --workers=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 - imagePullPolicy: IfNotPresent - name: csi-resizer - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: socket-dir - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - 
securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - serviceAccountName: ebs-csi-controller-sa - tolerations: - - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - emptyDir: {} - name: socket-dir - ---- - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs.csi.aws.com -spec: - attachRequired: true - podInfoOnMount: false diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-bootstrap_content deleted file mode 100644 index e416fbdbd5..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ /dev/null 
@@ -1,113 +0,0 @@ -kind: Addons -metadata: - creationTimestamp: null - name: bootstrap -spec: - addons: - - id: k8s-1.16 - manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml - manifestHash: 44cac7d5e9087cebd7acf1ef581425bbceb93a95b4b2d89d0cd3082a51085f71 - name: kops-controller.addons.k8s.io - needsRollingUpdate: control-plane - selector: - k8s-addon: kops-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: coredns.addons.k8s.io/k8s-1.12.yaml - manifestHash: 776ca39fa0034ba09a4335cf3ee1bfa9c136407aaed07223555934e6907edd91 - name: coredns.addons.k8s.io - selector: - k8s-addon: coredns.addons.k8s.io - version: 9.99.0 - - id: k8s-1.9 - manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml - manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81 - name: kubelet-api.rbac.addons.k8s.io - selector: - k8s-addon: kubelet-api.rbac.addons.k8s.io - version: 9.99.0 - - manifest: limit-range.addons.k8s.io/v1.5.0.yaml - manifestHash: 2d55c3bc5e354e84a3730a65b42f39aba630a59dc8d32b30859fcce3d3178bc2 - name: limit-range.addons.k8s.io - selector: - k8s-addon: limit-range.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: dns-controller.addons.k8s.io/k8s-1.12.yaml - manifestHash: 4547fd9281fdef75bb50e82a90136a721fe7bd01a42d58dbe837a422cf54466d - name: dns-controller.addons.k8s.io - selector: - k8s-addon: dns-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.11 - manifest: node-termination-handler.aws/k8s-1.11.yaml - manifestHash: 1d0968eea99ca0d78400867a76af8b1dfe93ef2ff9640f0d755b21b2db7fec41 - name: node-termination-handler.aws - prune: - kinds: - - kind: ConfigMap - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: Service - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: ServiceAccount - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - 
namespaces: - - kube-system - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: DaemonSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: Deployment - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: apps - kind: StatefulSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: policy - kind: PodDisruptionBudget - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: rbac.authorization.k8s.io - kind: ClusterRole - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: ClusterRoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: Role - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: RoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - selector: - k8s-addon: node-termination-handler.aws - version: 9.99.0 - - id: v1.15.0 - manifest: storage-aws.addons.k8s.io/v1.15.0.yaml - manifestHash: 4e2cda50cd5048133aad1b5e28becb60f4629d3f9e09c514a2757c27998b4200 - name: storage-aws.addons.k8s.io - selector: - k8s-addon: storage-aws.addons.k8s.io - version: 9.99.0 - - id: k8s-1.18 - 
manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml - manifestHash: 0aeebf155056b98bdbf8be473e8b798eed3ca86cb94b806a12a55638b444a930 - name: aws-cloud-controller.addons.k8s.io - selector: - k8s-addon: aws-cloud-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.17 - manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 93c7269843ed2f8acef3f95774cf1f1d9851d88d157e0b0da04336741694393f - name: aws-ebs-csi-driver.addons.k8s.io - selector: - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - version: 9.99.0 diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content deleted file mode 100644 index 4c4816a315..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content +++ /dev/null 
@@ -1,383 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/cluster-service: "true" - name: coredns - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns -subjects: -- kind: ServiceAccount - name: coredns - namespace: kube-system - ---- - -apiVersion: v1 -data: - Corefile: |- - .:53 { - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local. in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - prometheus :9153 - forward . 
/etc/resolv.conf { - max_concurrent 1000 - } - cache 30 - loop - reload - loadbalance - } -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - addonmanager.kubernetes.io/mode: EnsureExists - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: coredns - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kube-dns - strategy: - rollingUpdate: - maxSurge: 10% - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - k8s-app: kube-dns - kops.k8s.io/managed-by: kops - spec: - containers: - - args: - - -conf - - /etc/coredns/Corefile - image: registry.k8s.io/coredns/coredns:v1.11.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - successThreshold: 1 - timeoutSeconds: 5 - name: coredns - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - resources: - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - all - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/coredns - name: config-volume - readOnly: true - dnsPolicy: Default - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns - tolerations: - - key: 
CriticalAddonsOnly - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - configMap: - name: coredns - name: config-volume - ---- - -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: kube-dns - namespace: kube-system - resourceVersion: "0" -spec: - clusterIP: 100.64.0.10 - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP - selector: - k8s-app: kube-dns - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: kube-dns - namespace: kube-system -spec: - maxUnavailable: 50% - selector: - matchLabels: - k8s-app: kube-dns - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - 
list - - watch -- apiGroups: - - "" - resources: - - replicationcontrollers/scale - verbs: - - get - - update -- apiGroups: - - extensions - - apps - resources: - - deployments/scale - - replicasets/scale - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: coredns-autoscaler -subjects: -- kind: ServiceAccount - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: coredns-autoscaler - kubernetes.io/cluster-service: "true" - name: coredns-autoscaler - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: coredns-autoscaler - template: - metadata: - creationTimestamp: null - labels: - k8s-app: coredns-autoscaler - kops.k8s.io/managed-by: kops - spec: - containers: - - command: - - /cluster-proportional-autoscaler - - --namespace=kube-system - - --configmap=coredns-autoscaler - - --target=Deployment/coredns - - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}} - - --logtostderr=true - - --v=2 - image: registry.k8s.io/cpa/cluster-proportional-autoscaler:v1.9.0 - name: autoscaler - resources: - requests: - cpu: 20m - memory: 10Mi - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns-autoscaler - tolerations: - - key: CriticalAddonsOnly - operator: Exists 
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
deleted file mode 100644
index 4997c5166f..0000000000
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - version: v1.34.0-alpha.1 - name: dns-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: dns-controller - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --watch-ingress=false - - --dns=aws-route53 - - --zone=*/Z1AFAKE1ZON3YO - - --internal-ipv4 - - --zone=*/* - - -v=2 - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/kops/dns-controller:1.34.0-alpha.1 - name: dns-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: dns-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: dns-controller - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - ingress - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops:dns-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:dns-controller diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content deleted file mode 100644 index 9bb33ec848..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content +++ /dev/null 
@@ -1,227 +0,0 @@ -apiVersion: v1 -data: - config.yaml: | - {"clusterName":"minimal.example.com","cloud":"aws","configBase":"memfs://tests/minimal.example.com","secretStore":"memfs://tests/minimal.example.com/secrets","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.minimal.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}} -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - version: v1.34.0-alpha.1 - name: kops-controller - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kops-controller - template: - metadata: - annotations: - dns.alpha.kubernetes.io/internal: kops-controller.internal.minimal.example.com - creationTimestamp: null - labels: - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: Exists - containers: - - args: - - --v=2 - - 
--conf=/etc/kubernetes/kops-controller/config/config.yaml - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - - name: KOPS_RUN_TOO_NEW_VERSION - value: "1" - image: registry.k8s.io/kops/kops-controller:1.34.0-alpha.1 - name: kops-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - runAsUser: 10011 - volumeMounts: - - mountPath: /etc/kubernetes/kops-controller/config/ - name: kops-controller-config - - mountPath: /etc/kubernetes/kops-controller/pki/ - name: kops-controller-pki - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: kops-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - volumes: - - configMap: - name: kops-controller - name: kops-controller-config - - hostPath: - path: /etc/kubernetes/kops-controller/ - type: Directory - name: kops-controller-pki - updateStrategy: - type: OnDelete - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: 
kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - watch - - create -- apiGroups: - - "" - - coordination.k8s.io - resourceNames: - - kops-controller-leader - resources: - - configmaps - - leases - verbs: - - get - - list - - watch - - patch - - update - - delete -- apiGroups: - - "" - - coordination.k8s.io - resources: - - configmaps - - leases - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content deleted file mode 100644 index 36761e1c56..0000000000 
--- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kubelet-api.rbac.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kubelet-api.rbac.addons.k8s.io - name: kops:system:kubelet-api-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kubelet-api-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: kubelet-api diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content deleted file mode 100644 index 4dcdce48b9..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: limit-range.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: limit-range.addons.k8s.io - name: limits - namespace: default -spec: - limits: - - defaultRequest: - cpu: 100m - type: Container diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content deleted file mode 100644 index f1361e7994..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content +++ /dev/null 
@@ -1,285 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - get -- apiGroups: - - "" - resources: - - pods/eviction - verbs: - - create -- apiGroups: - - extensions - resources: - - daemonsets - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: 
aws-node-termination-handler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aws-node-termination-handler -subjects: -- kind: ServiceAccount - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kubernetes.io/os: linux - template: - metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - k8s-app: aws-node-termination-handler - kops.k8s.io/managed-by: kops - kops.k8s.io/nth-mode: sqs - kubernetes.io/os: linux - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ENABLE_PROBES_SERVER - value: "true" - - name: PROBES_SERVER_PORT - value: "8080" - - name: PROBES_SERVER_ENDPOINT - value: 
/healthz - - name: LOG_LEVEL - value: info - - name: JSON_LOGGING - value: "true" - - name: LOG_FORMAT_VERSION - value: "2" - - name: ENABLE_PROMETHEUS_SERVER - value: "false" - - name: PROMETHEUS_SERVER_PORT - value: "9092" - - name: CHECK_TAG_BEFORE_DRAINING - value: "true" - - name: MANAGED_TAG - value: aws-node-termination-handler/managed - - name: USE_PROVIDER_ID - value: "true" - - name: DRY_RUN - value: "false" - - name: CORDON_ONLY - value: "false" - - name: TAINT_NODE - value: "false" - - name: EXCLUDE_FROM_LOAD_BALANCERS - value: "true" - - name: DELETE_LOCAL_DATA - value: "true" - - name: IGNORE_DAEMON_SETS - value: "true" - - name: POD_TERMINATION_GRACE_PERIOD - value: "-1" - - name: NODE_TERMINATION_GRACE_PERIOD - value: "120" - - name: EMIT_KUBERNETES_EVENTS - value: "true" - - name: COMPLETE_LIFECYCLE_ACTION_DELAY_SECONDS - value: "-1" - - name: ENABLE_SQS_TERMINATION_DRAINING - value: "true" - - name: QUEUE_URL - value: https://sqs.us-test-1.amazonaws.com/123456789012/minimal-example-com-nth - - name: DELETE_SQS_MSG_IF_NODE_NOT_FOUND - value: "false" - - name: WORKERS - value: "10" - image: public.ecr.aws/aws-ec2/aws-node-termination-handler:v1.22.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - name: aws-node-termination-handler - ports: - - containerPort: 8080 - name: liveness-probe - protocol: TCP - - containerPort: 9092 - name: metrics - protocol: TCP - resources: - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1000 - serviceAccountName: aws-node-termination-handler - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - 
topologySpreadConstraints: - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content deleted file mode 100644 index bea3e88be3..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content +++ /dev/null 
@@ -1,118 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: default -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: gp2 -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-ssd-1-17 -parameters: - encrypted: "true" - type: gp2 -provisioner: kubernetes.io/aws-ebs -volumeBindingMode: WaitForFirstConsumer - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-csi-1-21 -parameters: - encrypted: "true" - type: gp3 -provisioner: ebs.csi.aws.com -volumeBindingMode: WaitForFirstConsumer - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - 
list - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:aws-cloud-provider -subjects: -- kind: ServiceAccount - name: aws-cloud-provider - namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-master-us-test-1a_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-master-us-test-1a_content deleted file mode 100644 index 4788f88f10..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-master-us-test-1a_content +++ /dev/null 
@@ -1,332 +0,0 @@ -APIServerConfig: - API: - dns: {} - publicName: api.minimal.example.com - ClusterDNSDomain: cluster.local - KubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: Node,RBAC - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.28.0 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.minimal.example.com - serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - ServiceAccountPublicKeys: | - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm - XVSysPKgE80QSU4tZ6m49pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQ== - -----END RSA PUBLIC KEY----- - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKOE64nZbH+GM91AIrqf7HEk4hvzqsZF - Ftxc+8xir1XC3mI/RhCCrs6AdVRZNZ26A6uHArhi33c2kHQkCjyLA7sCAwEAAQ== - -----END RSA PUBLIC KEY----- -Assets: - amd64: - - bfb6b977100963f2879a33e5fbaa59a5276ba829a957a6819c936e9c1465f981@https://dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubelet - - 
4717660fd1466ec72d59000bb1d9f5cdc91fac31d491043ca62b34398e0799ce@https://dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - 7a8c262deb63becc877e82d23749e4f99f4a17e8e660f9b8c257ca87a5c056b6@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-amd64.tar.gz - - 028986516ab5646370edce981df2d8e8a8d12188deaf837142a02097000ae2f2@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64 - - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64 - - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64 - arm64: - - 05dd12e35783cab4960e885ec0e7d0e461989b94297e7bea9018ccbd15c4dce9@https://dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubelet - - f5484bd9cac66b183c653abed30226b561f537d15346c605cc81d98095f1717c@https://dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - 97457594ff8549cb82d664306593cafd3d2c781c706f9fffed885a46d8919bec@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-arm64.tar.gz - - 85c5e4e4f72e442c8c17bac07527cd4f961ee48e4f2b71797f7533c94f4a52b9@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.arm64 - - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64 - - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64 -CAs: - apiserver-aggregator-ca: | - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gINaZLHjisEcbMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTExMloX - DTMxMDYzMDA0NTExMlowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQAHAomFKsF4jvYX - WM/UzQXDj9nSAFTf8dBPCXyZZNotsOH7+P6W4mMiuVs8bAuGiXGUdbsQ2lpiT/Rk - CzMeMdr4 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gM0nxQpiX/agfMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTIzMVoX - DTMxMDYzMDA0NTIzMVowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - 
x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQCXsoezoxXu2CEN - QdlXZOfmBT6cqxIX/RMHXhpHwRiqPsTO8IO2bVA8CSzxNwMuSv/ZtrMHoh8+PcVW - HLtkTXH8 - -----END CERTIFICATE----- - etcd-clients-ca: | - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1ogHnr26DL9YkqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjE5MDFaFw0zMTA2Mjgx - NjE5MDFaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAAZAdf8ROEVkr3Rf7I+s+CQOil2toadlKWOY - qCeJ2XaEROfp9aUTEIU1MGM3g57MPyAPPU7mURskuOQz6B1UFaY= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1olfBnC/CsT+dqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjIwMzNaFw0zMTA2Mjgx - NjIwMzNaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAF1xUz77PlUVUnd9duF8F7plou0TONC9R6/E - YQ8C6vM1b+9NSDGjCW8YmwEU2fBgskb/BBX2lwVZ32/RUEju4Co= - -----END CERTIFICATE----- - etcd-manager-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bKjm04vB4rNtaMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAwOTU2WhcN - MzEwNzA1MjAwOTU2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKiC8tndMlEFZ7qzeKxeKqFVjaYpsh/H - g7RxWo15+1kgH3suO0lxp9+RxSVv97hnsfbySTPZVhy2cIQj7eZtZt8CAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBg6 - 
CEZkQNnRkARBwFce03AEWa+sMA0GCSqGSIb3DQEBCwUAA0EAJMnBThok/uUe8q8O - sS5q19KUuE8YCTUzMDj36EBKf6NX4NoakCa1h6kfQVtlMtEIMWQZCjbm8xGK5ffs - GS/VUw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bQ+EgIiBmGghjMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAxMTQ2WhcN - MzEwNzA1MjAxMTQ2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKFhHVVxxDGv8d1jBvtdSxz7KIVoBOjL - DMxsmTsINiQkTQaFlb+XPlnY1ar4+RhE519AFUkqfhypk4Zxqf1YFXUCAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNuW - LLH5c8kDubDbr6BHgedW0iJ9MA0GCSqGSIb3DQEBCwUAA0EAiKUoBoaGu7XzboFE - hjfKlX0TujqWuW3qMxDEJwj4dVzlSLrAoB/G01MJ+xxYKh456n48aG6N827UPXhV - cPfVNg== - -----END CERTIFICATE----- - etcd-manager-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjm1c3jfv6hIMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAxbkDbGYmCSShpRG3r+lzTOFujyuruRfjOhYm - ZRX4w1Utd5y63dUc98sjc9GGUYMHd+0k1ql/a48tGhnK6N6jJwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWZLkbBFx - GAgPU4i62c52unSo7RswDQYJKoZIhvcNAQELBQADQQAj6Pgd0va/8FtkyMlnohLu - Gf4v8RJO6zk3Y6jJ4+cwWziipFM1ielMzSOZfFcCZgH3m5Io40is4hPSqyq2TOA6 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eg8Si30gr4MA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAw33jzcd/iosN04b0WXbDt7B0c3sJ3aafcGLP - vG3xRB9N5bYr9+qZAq3mzAFkxscn4j1ce5b1/GKTDEAClmZgdQIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUE/h+3gDP - DvKwHRyiYlXM8voZ1wowDQYJKoZIhvcNAQELBQADQQBXuimeEoAOu5HN4hG7NqL9 - t40K3ZRhRZv3JQWnRVJCBDjg1rD0GQJR/n+DoWvbeijI5C9pNjr2pWSIYR1eYCvd - -----END CERTIFICATE----- - 
etcd-peers-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjmxTPh3/lYJMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAv5g4HF2xmrYyouJfY9jXx1M3gPLD/pupvxPY - xyjJw5pNCy5M5XGS3iTqRD5RDE0fWudVHFZKLIe8WPc06NApXwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUf6xiDI+O - Yph1ziCGr2hZaQYt+fUwDQYJKoZIhvcNAQELBQADQQBBxj5hqEQstonTb8lnqeGB - DEYtUeAk4eR/HzvUMjF52LVGuvN3XVt+JTrFeKNvb6/RDUbBNRj3azalcUkpPh6V - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eq69jgzpKwMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAo5Nj2CjX1qp3mEPw1H5nHAFWLoGNSLSlRFJW - 03NxaNPMFzL5PrCoyOXrX8/MWczuZYw0Crf8EPOOQWi2+W0XLwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxauhhKQh - cvdZND78rHe0RQVTTiswDQYJKoZIhvcNAQELBQADQQB+cq4jIS9q0zXslaRa+ViI - J+dviA3sMygbmSJO0s4DxYmoazKJblux5q0ASSvS9iL1l9ShuZ1dWyp2tpZawHyb - -----END CERTIFICATE----- - etcd-peers-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bKjmuLDDLcDHsMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDA5NTZaFw0zMTA3 - MDUyMDA5NTZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCyRaXWpwgN6INQqws9p/BvPElJv2Rno9dVTFhlQqDA - aUJXe7MBmiO4NJcW76EozeBh5ztR3/4NE1FM2x8TisS3AgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtE1d49uSvpURf - OQ25Vlu6liY20DANBgkqhkiG9w0BAQsFAANBAAgLVaetJZcfOA3OIMMvQbz2Ydrt - uWF9BKkIad8jrcIrm3IkOtR8bKGmDIIaRKuG/ZUOL6NMe2fky3AAfKwleL4= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bQ+EuVthBfuZvMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDExNDZaFw0zMTA3 - 
MDUyMDExNDZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCxNbycDZNx5V1ZOiXxZSvaFpHRwKeHDfcuMUitdoPt - naVMlMTGDWAMuCVmFHFAWohIYynemEegmZkZ15S7AErfAgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAjQ8T4HclPIsC - qipEfUIcLP6jqTANBgkqhkiG9w0BAQsFAANBAJdZ17TN3HlWrH7HQgfR12UBwz8K - G9DurDznVaBVUYaHY8Sg5AvAXeb+yIF2JMmRR+bK+/G1QYY2D3/P31Ic2Oo= - -----END CERTIFICATE----- - kubernetes-ca: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- -ClusterName: minimal.example.com -ControlPlaneConfig: - KubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: minimal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.28.0 - leaderElection: - 
leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - KubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.28.0 - leaderElection: - leaderElect: true - logLevel: 2 -DNSZone: Z1AFAKE1ZON3YO -EtcdClusterNames: -- main -- events -FileAssets: -- content: | - apiVersion: kubescheduler.config.k8s.io/v1 - clientConnection: - kubeconfig: /var/lib/kube-scheduler/kubeconfig - kind: KubeSchedulerConfiguration - path: /var/lib/kube-scheduler/config.yaml -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - apiserver-aggregator-ca: "6980187172486667078076483355" - etcd-clients-ca: "6979622252718071085282986282" - etcd-manager-ca-events: "6982279354000777253151890266" - etcd-manager-ca-main: "6982279354000936168671127624" - etcd-peers-ca-events: "6982279353999767935825892873" - etcd-peers-ca-main: "6982279353998887468930183660" - kubernetes-ca: "6982820025135291416230495506" - service-account: "2" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.28.0 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - kops.k8s.io/instancegroup: master-us-test-1a - kops.k8s.io/kops-controller-pki: "" - node-role.kubernetes.io/control-plane: "" - node.kubernetes.io/exclude-from-external-load-balancers: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - taints: - - 
node-role.kubernetes.io/control-plane=:NoSchedule -KubernetesVersion: 1.28.0 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -channels: -- memfs://tests/minimal.example.com/addons/bootstrap-channel.yaml -configStore: - keypairs: memfs://tests/minimal.example.com/pki - secrets: memfs://tests/minimal.example.com/secrets -containerdConfig: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 -etcdManifests: -- memfs://tests/minimal.example.com/manifests/etcd/main-master-us-test-1a.yaml -- memfs://tests/minimal.example.com/manifests/etcd/events-master-us-test-1a.yaml -staticManifests: -- key: kube-apiserver-healthcheck - path: manifests/static/kube-apiserver-healthcheck.yaml -usesLegacyGossip: false -usesNoneDNS: false diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-nodes_content b/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-nodes_content deleted file mode 100644 index 666c84aa46..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_s3_object_nodeupconfig-nodes_content +++ /dev/null 
@@ -1,62 +0,0 @@ -Assets: - amd64: - - bfb6b977100963f2879a33e5fbaa59a5276ba829a957a6819c936e9c1465f981@https://dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubelet - - 4717660fd1466ec72d59000bb1d9f5cdc91fac31d491043ca62b34398e0799ce@https://dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - 7a8c262deb63becc877e82d23749e4f99f4a17e8e660f9b8c257ca87a5c056b6@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-amd64.tar.gz - - 028986516ab5646370edce981df2d8e8a8d12188deaf837142a02097000ae2f2@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.amd64 - arm64: - - 05dd12e35783cab4960e885ec0e7d0e461989b94297e7bea9018ccbd15c4dce9@https://dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubelet - - f5484bd9cac66b183c653abed30226b561f537d15346c605cc81d98095f1717c@https://dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.28.0/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - 97457594ff8549cb82d664306593cafd3d2c781c706f9fffed885a46d8919bec@https://github.com/containerd/containerd/releases/download/v1.7.28/containerd-1.7.28-linux-arm64.tar.gz - - 85c5e4e4f72e442c8c17bac07527cd4f961ee48e4f2b71797f7533c94f4a52b9@https://github.com/opencontainers/runc/releases/download/v1.3.0/runc.arm64 -CAs: {} -ClusterName: minimal.example.com -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - kubernetes-ca: "6982820025135291416230495506" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.28.0 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - kops.k8s.io/instancegroup: nodes-us-test-1a - node-role.kubernetes.io/node: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s -KubernetesVersion: 1.28.0 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -containerdConfig: - logLevel: info - runc: - version: 1.3.0 - version: 1.7.28 -usesLegacyGossip: false -usesNoneDNS: false 
diff --git a/tests/integration/update_cluster/minimal-1.28/data/aws_sqs_queue_minimal-example-com-nth_policy b/tests/integration/update_cluster/minimal-1.28/data/aws_sqs_queue_minimal-example-com-nth_policy deleted file mode 100644 index c5b2b25812..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/data/aws_sqs_queue_minimal-example-com-nth_policy +++ /dev/null @@ -1,16 +0,0 @@ -{ - "Statement": [ - { - "Action": "sqs:SendMessage", - "Effect": "Allow", - "Principal": { - "Service": [ - "events.amazonaws.com", - "sqs.amazonaws.com" - ] - }, - "Resource": "arn:aws-test:sqs:us-test-1:123456789012:minimal-example-com-nth" - } - ], - "Version": "2012-10-17" -} diff --git a/tests/integration/update_cluster/minimal-1.28/id_rsa.pub b/tests/integration/update_cluster/minimal-1.28/id_rsa.pub deleted file mode 100755 index 81cb012783..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/minimal-1.28/in-v1alpha2.yaml b/tests/integration/update_cluster/minimal-1.28/in-v1alpha2.yaml deleted file mode 100644 index 22b0d32bb9..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/in-v1alpha2.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - name: minimal.example.com -spec: - api: - dns: {} - authorization: - rbac: {} - channel: stable - cloudProvider: aws - configBase: memfs://tests/minimal.example.com - etcdClusters: - - cpuRequest: 200m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - memoryRequest: 100Mi - name: main - - cpuRequest: 100m - etcdMembers: - - encryptedVolume: true - instanceGroup: master-us-test-1a - name: a - memoryRequest: 100Mi - name: events - iam: - allowContainerRegistry: true - legacy: false - kubelet: - anonymousAuth: false - kubernetesApiAccess: - - 0.0.0.0/0 - - ::/0 - kubernetesVersion: v1.28.0 - masterPublicName: api.minimal.example.com - networkCIDR: 172.20.0.0/16 - networking: - cni: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - - ::/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Public - zone: us-test-1a - topology: - dns: - type: Public - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: master-us-test-1a -spec: - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - instanceMetadata: - httpPutResponseHopLimit: 3 - httpTokens: required - machineType: m3.medium - maxSize: 1 - minSize: 1 - nodeLabels: - kops.k8s.io/instancegroup: master-us-test-1a - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2017-01-01T00:00:00Z" - labels: - kops.k8s.io/cluster: minimal.example.com - name: nodes -spec: - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - instanceMetadata: - httpPutResponseHopLimit: 1 - httpTokens: required - machineType: t2.medium - maxSize: 1 - minSize: 1 - nodeLabels: - kops.k8s.io/instancegroup: nodes-us-test-1a - 
role: Node - subnets: - - us-test-1a diff --git a/tests/integration/update_cluster/minimal-1.28/kubernetes.tf b/tests/integration/update_cluster/minimal-1.28/kubernetes.tf deleted file mode 100644 index 175f6b0eed..0000000000 --- a/tests/integration/update_cluster/minimal-1.28/kubernetes.tf +++ /dev/null 
@@ -1,986 +0,0 @@ -locals { - cluster_name = "minimal.example.com" - master_autoscaling_group_ids = [aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id] - master_security_group_ids = [aws_security_group.masters-minimal-example-com.id] - masters_role_arn = aws_iam_role.masters-minimal-example-com.arn - masters_role_name = aws_iam_role.masters-minimal-example-com.name - node_autoscaling_group_ids = [aws_autoscaling_group.nodes-minimal-example-com.id] - node_security_group_ids = [aws_security_group.nodes-minimal-example-com.id] - node_subnet_ids = [aws_subnet.us-test-1a-minimal-example-com.id] - nodes_role_arn = aws_iam_role.nodes-minimal-example-com.arn - nodes_role_name = aws_iam_role.nodes-minimal-example-com.name - region = "us-test-1" - route_table_public_id = aws_route_table.minimal-example-com.id - subnet_us-test-1a_id = aws_subnet.us-test-1a-minimal-example-com.id - vpc_cidr_block = aws_vpc.minimal-example-com.cidr_block - vpc_id = aws_vpc.minimal-example-com.id - vpc_ipv6_cidr_block = aws_vpc.minimal-example-com.ipv6_cidr_block - vpc_ipv6_cidr_length = local.vpc_ipv6_cidr_block == "" ? 
null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -output "cluster_name" { - value = "minimal.example.com" -} - -output "master_autoscaling_group_ids" { - value = [aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id] -} - -output "master_security_group_ids" { - value = [aws_security_group.masters-minimal-example-com.id] -} - -output "masters_role_arn" { - value = aws_iam_role.masters-minimal-example-com.arn -} - -output "masters_role_name" { - value = aws_iam_role.masters-minimal-example-com.name -} - -output "node_autoscaling_group_ids" { - value = [aws_autoscaling_group.nodes-minimal-example-com.id] -} - -output "node_security_group_ids" { - value = [aws_security_group.nodes-minimal-example-com.id] -} - -output "node_subnet_ids" { - value = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -output "nodes_role_arn" { - value = aws_iam_role.nodes-minimal-example-com.arn -} - -output "nodes_role_name" { - value = aws_iam_role.nodes-minimal-example-com.name -} - -output "region" { - value = "us-test-1" -} - -output "route_table_public_id" { - value = aws_route_table.minimal-example-com.id -} - -output "subnet_us-test-1a_id" { - value = aws_subnet.us-test-1a-minimal-example-com.id -} - -output "vpc_cidr_block" { - value = aws_vpc.minimal-example-com.cidr_block -} - -output "vpc_id" { - value = aws_vpc.minimal-example-com.id -} - -output "vpc_ipv6_cidr_block" { - value = aws_vpc.minimal-example-com.ipv6_cidr_block -} - -output "vpc_ipv6_cidr_length" { - value = local.vpc_ipv6_cidr_block == "" ? 
null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -provider "aws" { - region = "us-test-1" -} - -provider "aws" { - alias = "files" - region = "us-test-1" -} - -resource "aws_autoscaling_group" "master-us-test-1a-masters-minimal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.master-us-test-1a-masters-minimal-example-com.id - version = aws_launch_template.master-us-test-1a-masters-minimal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "master-us-test-1a.masters.minimal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "minimal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "master-us-test-1a.masters.minimal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "master-us-test-1a" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/control-plane" - propagate_at_launch = true - value = "1" - } - tag { - key = "k8s.io/role/master" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - 
propagate_at_launch = true - value = "master-us-test-1a" - } - tag { - key = "kubernetes.io/cluster/minimal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -resource "aws_autoscaling_group" "nodes-minimal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.nodes-minimal-example-com.id - version = aws_launch_template.nodes-minimal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "nodes.minimal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "minimal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "nodes.minimal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "nodes-us-test-1a" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/node" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "nodes" - } - tag { - key = "kubernetes.io/cluster/minimal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-minimal-example-com.id] -} - -resource "aws_autoscaling_lifecycle_hook" "master-us-test-1a-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.master-us-test-1a-masters-minimal-example-com.id - default_result = "CONTINUE" - 
heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "master-us-test-1a-NTHLifecycleHook" -} - -resource "aws_autoscaling_lifecycle_hook" "nodes-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.nodes-minimal-example-com.id - default_result = "CONTINUE" - heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "nodes-NTHLifecycleHook" -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-ASGLifecycle" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-ASGLifecycle_event_pattern") - name = "minimal.example.com-ASGLifecycle" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-ASGLifecycle" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-InstanceScheduledChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceScheduledChange_event_pattern") - name = "minimal.example.com-InstanceScheduledChange" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-InstanceScheduledChange" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-InstanceStateChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-InstanceStateChange_event_pattern") - name = "minimal.example.com-InstanceStateChange" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-InstanceStateChange" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "minimal-example-com-SpotInterruption" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_minimal.example.com-SpotInterruption_event_pattern") - name = "minimal.example.com-SpotInterruption" - tags = { - 
"KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com-SpotInterruption" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-ASGLifecycle-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-ASGLifecycle.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-InstanceScheduledChange-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-InstanceScheduledChange.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-InstanceStateChange-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-InstanceStateChange.id -} - -resource "aws_cloudwatch_event_target" "minimal-example-com-SpotInterruption-Target" { - arn = aws_sqs_queue.minimal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.minimal-example-com-SpotInterruption.id -} - -resource "aws_ebs_volume" "a-etcd-events-minimal-example-com" { - availability_zone = "us-test-1a" - encrypted = true - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "a.etcd-events.minimal.example.com" - "k8s.io/etcd/events" = "a/a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_ebs_volume" "a-etcd-main-minimal-example-com" { - availability_zone = "us-test-1a" - encrypted = true - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "a.etcd-main.minimal.example.com" - "k8s.io/etcd/main" = "a/a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_iam_instance_profile" "masters-minimal-example-com" { - 
name = "masters.minimal.example.com" - role = aws_iam_role.masters-minimal-example-com.name - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "masters.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_instance_profile" "nodes-minimal-example-com" { - name = "nodes.minimal.example.com" - role = aws_iam_role.nodes-minimal-example-com.name - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role" "masters-minimal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_masters.minimal.example.com_policy") - name = "masters.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "masters.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role" "nodes-minimal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.minimal.example.com_policy") - name = "nodes.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_iam_role_policy" "masters-minimal-example-com" { - name = "masters.minimal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_masters.minimal.example.com_policy") - role = aws_iam_role.masters-minimal-example-com.name -} - -resource "aws_iam_role_policy" "nodes-minimal-example-com" { - name = "nodes.minimal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_nodes.minimal.example.com_policy") - role = aws_iam_role.nodes-minimal-example-com.name -} - -resource "aws_internet_gateway" "minimal-example-com" { - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - 
vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_key_pair" "kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { - key_name = "kubernetes.minimal.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57" - public_key = file("${path.module}/data/aws_key_pair_kubernetes.minimal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key") - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_launch_template" "master-us-test-1a-masters-minimal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 64 - volume_type = "gp3" - } - } - block_device_mappings { - device_name = "/dev/sdc" - virtual_name = "ephemeral0" - } - iam_instance_profile { - name = aws_iam_instance_profile.masters-minimal-example-com.id - } - image_id = "ami-12345678" - instance_type = "m3.medium" - key_name = aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 3 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "master-us-test-1a.masters.minimal.example.com" - network_interfaces { - associate_public_ip_address = true - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.masters-minimal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - 
"k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "master-us-test-1a.masters.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "master-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - user_data = 
filebase64("${path.module}/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data") -} - -resource "aws_launch_template" "nodes-minimal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 128 - volume_type = "gp3" - } - } - iam_instance_profile { - name = aws_iam_instance_profile.nodes-minimal-example-com.id - } - image_id = "ami-12345678" - instance_type = "t2.medium" - key_name = aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 1 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "nodes.minimal.example.com" - network_interfaces { - associate_public_ip_address = true - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.nodes-minimal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - 
"kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup" = "nodes-us-test-1a" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - user_data = filebase64("${path.module}/data/aws_launch_template_nodes.minimal.example.com_user_data") -} - -resource "aws_route" "route-0-0-0-0--0" { - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.minimal-example-com.id - route_table_id = aws_route_table.minimal-example-com.id -} - -resource "aws_route" "route-__--0" { - destination_ipv6_cidr_block = "::/0" - gateway_id = aws_internet_gateway.minimal-example-com.id - route_table_id = aws_route_table.minimal-example-com.id -} - -resource "aws_route_table" "minimal-example-com" { - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - "kubernetes.io/kops/role" = "public" - } - vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_route_table_association" "us-test-1a-minimal-example-com" { - route_table_id = aws_route_table.minimal-example-com.id - subnet_id = aws_subnet.us-test-1a-minimal-example-com.id -} - -resource "aws_s3_object" "cluster-completed-spec" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_cluster-completed.spec_content") - key = "tests/minimal.example.com/cluster-completed.spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-events" { - bucket = "testingBucket" - content = 
file("${path.module}/data/aws_s3_object_etcd-cluster-spec-events_content") - key = "tests/minimal.example.com/backups/etcd/events/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-main" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_etcd-cluster-spec-main_content") - key = "tests/minimal.example.com/backups/etcd/main/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "kops-version-txt" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_kops-version.txt_content") - key = "tests/minimal.example.com/kops-version.txt" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-events-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content") - key = "tests/minimal.example.com/manifests/etcd/events-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-main-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content") - key = "tests/minimal.example.com/manifests/etcd/main-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-static-kube-apiserver-healthcheck" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content") - key = "tests/minimal.example.com/manifests/static/kube-apiserver-healthcheck.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-aws-cloud-controller-addons-k8s-io-k8s-1-18" { - bucket = "testingBucket" - 
content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content") - key = "tests/minimal.example.com/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-aws-ebs-csi-driver-addons-k8s-io-k8s-1-17" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content") - key = "tests/minimal.example.com/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-bootstrap" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-bootstrap_content") - key = "tests/minimal.example.com/addons/bootstrap-channel.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-coredns-addons-k8s-io-k8s-1-12" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content") - key = "tests/minimal.example.com/addons/coredns.addons.k8s.io/k8s-1.12.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-dns-controller-addons-k8s-io-k8s-1-12" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content") - key = "tests/minimal.example.com/addons/dns-controller.addons.k8s.io/k8s-1.12.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-kops-controller-addons-k8s-io-k8s-1-16" { - bucket = "testingBucket" - content = 
file("${path.module}/data/aws_s3_object_minimal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content") - key = "tests/minimal.example.com/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-kubelet-api-rbac-addons-k8s-io-k8s-1-9" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content") - key = "tests/minimal.example.com/addons/kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-limit-range-addons-k8s-io" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-limit-range.addons.k8s.io_content") - key = "tests/minimal.example.com/addons/limit-range.addons.k8s.io/v1.5.0.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-node-termination-handler-aws-k8s-1-11" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-node-termination-handler.aws-k8s-1.11_content") - key = "tests/minimal.example.com/addons/node-termination-handler.aws/k8s-1.11.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "minimal-example-com-addons-storage-aws-addons-k8s-io-v1-15-0" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_minimal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content") - key = "tests/minimal.example.com/addons/storage-aws.addons.k8s.io/v1.15.0.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "nodeupconfig-master-us-test-1a" { - bucket = "testingBucket" - content = 
file("${path.module}/data/aws_s3_object_nodeupconfig-master-us-test-1a_content") - key = "tests/minimal.example.com/igconfig/control-plane/master-us-test-1a/nodeupconfig.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "nodeupconfig-nodes" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_nodeupconfig-nodes_content") - key = "tests/minimal.example.com/igconfig/node/nodes/nodeupconfig.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_security_group" "masters-minimal-example-com" { - description = "Security group for masters" - name = "masters.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "masters.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_security_group" "nodes-minimal-example-com" { - description = "Security group for nodes" - name = "nodes.minimal.example.com" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "nodes.minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } - vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-example-com" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-example-com" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = 
aws_security_group.masters-minimal-example-com.id - to_port = 443 - type = "ingress" -} - -resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-masters-minimal-example-com" { - from_port = 22 - ipv6_cidr_blocks = ["::/0"] - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-example-com" { - from_port = 22 - ipv6_cidr_blocks = ["::/0"] - protocol = "tcp" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-example-com" { - from_port = 443 - ipv6_cidr_blocks = ["::/0"] - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 443 - type = "ingress" -} - -resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-minimal-example-com.id - source_security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = 
aws_security_group.nodes-minimal-example-com.id - source_security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-minimal-example-com.id - source_security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - source_security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - source_security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - source_security_group_id = 
aws_security_group.nodes-minimal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-minimal-example-com.id - source_security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_sqs_queue" "minimal-example-com-nth" { - message_retention_seconds = 300 - name = "minimal-example-com-nth" - policy = file("${path.module}/data/aws_sqs_queue_minimal-example-com-nth_policy") - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal-example-com-nth" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_subnet" "us-test-1a-minimal-example-com" { - availability_zone = "us-test-1a" - cidr_block = "172.20.32.0/19" - enable_resource_name_dns_a_record_on_launch = true - private_dns_hostname_type_on_launch = "resource-name" - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "us-test-1a.minimal.example.com" - "SubnetType" = "Public" - "kubernetes.io/cluster/minimal.example.com" = "owned" - "kubernetes.io/role/elb" = "1" - "kubernetes.io/role/internal-elb" = "1" - } - vpc_id = aws_vpc.minimal-example-com.id -} - -resource "aws_vpc" "minimal-example-com" { - assign_generated_ipv6_cidr_block = true - cidr_block = "172.20.0.0/16" - enable_dns_hostnames = true - enable_dns_support = true - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource "aws_vpc_dhcp_options" "minimal-example-com" { - domain_name = "us-test-1.compute.internal" - domain_name_servers = ["AmazonProvidedDNS"] - tags = { - "KubernetesCluster" = "minimal.example.com" - "Name" = "minimal.example.com" - "kubernetes.io/cluster/minimal.example.com" = "owned" - } -} - -resource 
"aws_vpc_dhcp_options_association" "minimal-example-com" {
- dhcp_options_id = aws_vpc_dhcp_options.minimal-example-com.id
- vpc_id = aws_vpc.minimal-example-com.id
-}
-
-terraform {
- required_version = ">= 0.15.0"
- required_providers {
- aws = {
- "configuration_aliases" = [aws.files]
- "source" = "hashicorp/aws"
- "version" = ">= 5.0.0"
- }
- }
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-ASGLifecycle_event_pattern b/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-ASGLifecycle_event_pattern
deleted file mode 100644
index c8db9dbe9c..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-ASGLifecycle_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source":["aws.autoscaling"],"detail-type":["EC2 Instance-terminate Lifecycle Action"]}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceScheduledChange_event_pattern b/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceScheduledChange_event_pattern
deleted file mode 100644
index fb4ea7defd..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceScheduledChange_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.health"],"detail-type": ["AWS Health Event"],"detail": {"service": ["EC2"],"eventTypeCategory": ["scheduledChange"]}}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceStateChange_event_pattern b/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceStateChange_event_pattern
deleted file mode 100644
index 8c2916419d..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceStateChange_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.ec2"],"detail-type": ["EC2 Instance State-change Notification"]}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-SpotInterruption_event_pattern b/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-SpotInterruption_event_pattern
deleted file mode 100644
index 2d0e83b416..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_cloudwatch_event_rule_privatecanal.example.com-SpotInterruption_event_pattern
+++ /dev/null
@@ -1 +0,0 @@
-{"source": ["aws.ec2"],"detail-type": ["EC2 Spot Instance Interruption Warning"]}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_bastions.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_bastions.privatecanal.example.com_policy
deleted file mode 100644
index 66d5de1d5a..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_bastions.privatecanal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": { "Service": "ec2.amazonaws.com"},
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_masters.privatecanal.example.com_policy
deleted file mode 100644
index 66d5de1d5a..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_masters.privatecanal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": { "Service": "ec2.amazonaws.com"},
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_nodes.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_nodes.privatecanal.example.com_policy
deleted file mode 100644
index 66d5de1d5a..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_nodes.privatecanal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": { "Service": "ec2.amazonaws.com"},
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy
deleted file mode 100644
index 54912e12a5..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Statement": [
- {
- "Action": "ec2:DescribeRegions",
- "Effect": "Allow",
- "Resource": "*"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
deleted file mode 100644
index 31c06bf414..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ /dev/null
@@ -1,278 +0,0 @@ -{ - "Statement": [ - { - "Action": "ec2:AttachVolume", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com", - "aws:ResourceTag/k8s.io/role/master": "1" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "s3:Get*" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-read-bucket/clusters.example.com/privatecanal.example.com/*" - }, - { - "Action": [ - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetObject", - "s3:PutObject" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-write-bucket/clusters.example.com/privatecanal.example.com/backups/etcd/main/*" - }, - { - "Action": [ - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetObject", - "s3:PutObject" - ], - "Effect": "Allow", - "Resource": "arn:aws-test:s3:::placeholder-write-bucket/clusters.example.com/privatecanal.example.com/backups/etcd/events/*" - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-read-bucket" - ] - }, - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-write-bucket" - ] - }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:GetHostedZone", - "route53:ListResourceRecordSets" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones", - "route53:ListTagsForResource" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - 
"aws:RequestTag/KubernetesCluster": "privatecanal.example.com", - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:snapshot/*", - "arn:aws-test:ec2:*:*:volume/*" - ] - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Condition": { - "Null": { - "aws:RequestTag/KubernetesCluster": "true" - }, - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:snapshot/*", - "arn:aws-test:ec2:*:*:volume/*" - ] - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecanal.example.com", - "ec2:CreateAction": [ - "CreateSecurityGroup" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:security-group/*" - ] - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Condition": { - "Null": { - "aws:RequestTag/KubernetesCluster": "true" - }, - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws-test:ec2:*:*:security-group/*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeScalingActivities", - "autoscaling:DescribeTags", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeImages", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInstances", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeVpcs", - "ec2:GetInstanceTypesFromInstanceRequirements", - "elasticloadbalancing:DescribeListeners", - 
"elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "iam:CreateServiceLinkedRole", - "iam:GetServerCertificate", - "iam:ListServerCertificates", - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:GenerateRandom", - "kms:ReEncrypt*", - "sqs:DeleteMessage", - "sqs:ReceiveMessage" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:RevokeSecurityGroupIngress", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateSnapshot",
- "ec2:CreateVolume",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/KubernetesCluster": "privatecanal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": "ec2:CreateSecurityGroup",
- "Effect": "Allow",
- "Resource": "arn:aws-test:ec2:*:*:vpc/*"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy
deleted file mode 100644
index 153ab3c7f6..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "Statement": [
- {
- "Action": [
- "s3:GetBucketLocation",
- "s3:GetEncryptionConfiguration",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws-test:s3:::placeholder-read-bucket"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingInstances",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeInstances",
- "ec2:DescribeRegions",
- "iam:GetServerCertificate",
- "iam:ListServerCertificates",
- "kms:GenerateRandom"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_key_pair_kubernetes.privatecanal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key b/tests/integration/update_cluster/privatecanal/data/aws_key_pair_kubernetes.privatecanal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key
deleted file mode 100644
index 81cb012783..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_key_pair_kubernetes.privatecanal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data
deleted file mode 100644
index 9a48be4bbd..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data
+++ /dev/null
@@ -1,134 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: privatecanal.example.com -ConfigBase: memfs://clusters.example.com/privatecanal.example.com -InstanceGroupName: master-us-test-1a -InstanceGroupRole: ControlPlane -NodeupConfigHash: KaerzmSXpT2iOE0EbQmw1+1nNAbgbo372K9d0m6j4tY= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config 
done ==" diff --git a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data deleted file mode 100644 index e2964b81e3..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data +++ /dev/null 
@@ -1,157 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset -set -o pipefail - -NODEUP_URL_AMD64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-amd64 -NODEUP_HASH_AMD64=585fbda0f0a43184656b4bfc0cc5f0c0b85612faf43b8816acca1f99d422c924 -NODEUP_URL_ARM64=https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/nodeup,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/nodeup-linux-arm64 -NODEUP_HASH_ARM64=7603675379699105a9b9915ff97718ea99b1bbb01a4c184e2f827c8a96e8e865 - -export AWS_REGION=us-test-1 - - - - -sysctl -w net.core.rmem_max=16777216 || true -sysctl -w net.core.wmem_max=16777216 || true -sysctl -w net.ipv4.tcp_rmem='4096 87380 16777216' || true -sysctl -w net.ipv4.tcp_wmem='4096 87380 16777216' || true - - -function ensure-install-dir() { - INSTALL_DIR="/opt/kops" - # On ContainerOS, we install under /var/lib/toolbox; /opt is ro and noexec - if [[ -d /var/lib/toolbox ]]; then - INSTALL_DIR="/var/lib/toolbox/kops" - fi - mkdir -p ${INSTALL_DIR}/bin - mkdir -p ${INSTALL_DIR}/conf - cd ${INSTALL_DIR} -} - -# Retry a download until we get it. args: name, sha, urls -download-or-bust() { - echo "== Downloading $1 with hash $2 from $3 ==" - local -r file="$1" - local -r hash="$2" - local -a urls - IFS=, read -r -a urls <<< "$3" - - if [[ -f "${file}" ]]; then - if ! validate-hash "${file}" "${hash}"; then - rm -f "${file}" - else - return 0 - fi - fi - - while true; do - for url in "${urls[@]}"; do - commands=( - "curl -f --compressed -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget --compression=auto -O ${file} --connect-timeout=20 --tries=6 --wait=10" - "curl -f -Lo ${file} --connect-timeout 20 --retry 6 --retry-delay 10" - "wget -O ${file} --connect-timeout=20 --tries=6 --wait=10" - ) - for cmd in "${commands[@]}"; do - echo "== Downloading ${url} using ${cmd} ==" - if ! 
(${cmd} "${url}"); then - echo "== Failed to download ${url} using ${cmd} ==" - continue - fi - if ! validate-hash "${file}" "${hash}"; then - echo "== Failed to validate hash for ${url} ==" - rm -f "${file}" - else - echo "== Downloaded ${url} with hash ${hash} ==" - return 0 - fi - done - done - - echo "== All downloads failed; sleeping before retrying ==" - sleep 60 - done -} - -validate-hash() { - local -r file="$1" - local -r expected="$2" - local actual - - actual=$(sha256sum "${file}" | awk '{ print $1 }') || true - if [[ "${actual}" != "${expected}" ]]; then - echo "== File ${file} is corrupted; hash ${actual} doesn't match expected ${expected} ==" - return 1 - fi -} - -function download-release() { - case "$(uname -m)" in - x86_64*|i?86_64*|amd64*) - NODEUP_URL="${NODEUP_URL_AMD64}" - NODEUP_HASH="${NODEUP_HASH_AMD64}" - ;; - aarch64*|arm64*) - NODEUP_URL="${NODEUP_URL_ARM64}" - NODEUP_HASH="${NODEUP_HASH_ARM64}" - ;; - *) - echo "Unsupported host arch: $(uname -m)" >&2 - exit 1 - ;; - esac - - cd ${INSTALL_DIR}/bin - download-or-bust nodeup "${NODEUP_HASH}" "${NODEUP_URL}" - - chmod +x nodeup - - echo "== Running nodeup ==" - # We can't run in the foreground because of https://github.com/docker/docker/issues/23793 - ( cd ${INSTALL_DIR}/bin; ./nodeup --install-systemd-unit --conf=${INSTALL_DIR}/conf/kube_env.yaml --v=8 ) -} - -#################################################################################### - -/bin/systemd-machine-id-setup || echo "== Failed to initialize the machine ID; ensure machine-id configured ==" - -echo "== nodeup node config starting ==" -ensure-install-dir - -cat > conf/kube_env.yaml << '__EOF_KUBE_ENV' -CloudProvider: aws -ClusterName: privatecanal.example.com -ConfigServer: - CACertificates: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - 
SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- - servers: - - https://kops-controller.internal.privatecanal.example.com:3988/ -InstanceGroupName: nodes -InstanceGroupRole: Node -NodeupConfigHash: utvltpPR5u6Y3FqNvbkihYM6yb3YEI4AgT263bwK7Xk= - -__EOF_KUBE_ENV - -download-release -echo "== nodeup node config done ==" diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content deleted file mode 100644 index 2f808000b0..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content +++ /dev/null 
@@ -1,222 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-12T04:13:14Z" - name: privatecanal.example.com -spec: - api: - loadBalancer: - class: Classic - type: Public - authorization: - alwaysAllow: {} - channel: stable - cloudConfig: - awsEBSCSIDriver: - version: v1.47.0 - manageStorageClasses: true - cloudControllerManager: - allocateNodeCIDRs: true - clusterCIDR: 100.96.0.0/11 - clusterName: privatecanal.example.com - configureCloudRoutes: false - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.9 - leaderElection: - leaderElect: true - cloudProvider: aws - clusterDNSDomain: cluster.local - configBase: memfs://clusters.example.com/privatecanal.example.com - containerd: - logLevel: info - runc: - version: 1.1.5 - version: 1.6.20 - dnsZone: Z1AFAKE1ZON3YO - etcdClusters: - - backups: - backupStore: memfs://clusters.example.com/privatecanal.example.com/backups/etcd/main - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - manager: - backupRetentionDays: 90 - name: main - version: 3.5.21 - - backups: - backupStore: memfs://clusters.example.com/privatecanal.example.com/backups/etcd/events - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - manager: - backupRetentionDays: 90 - name: events - version: 3.5.21 - externalDns: - provider: dns-controller - iam: - legacy: false - keyStore: memfs://clusters.example.com/privatecanal.example.com/pki - kubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: AlwaysAllow - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - 
https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.27.0 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.privatecanal.example.com - serviceAccountJWKSURI: https://api.internal.privatecanal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - kubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: privatecanal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.27.0 - leaderElection: - leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - kubeDNS: - cacheMaxConcurrent: 150 - cacheMaxSize: 1000 - cpuRequest: 100m - domain: cluster.local - memoryLimit: 170Mi - memoryRequest: 70Mi - nodeLocalDNS: - cpuRequest: 25m - enabled: false - image: registry.k8s.io/dns/k8s-dns-node-cache:1.26.0 - memoryRequest: 5Mi - provider: CoreDNS - serverIP: 100.64.0.10 - kubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.0 - logLevel: 2 - kubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.27.0 - leaderElection: - leaderElect: true - logLevel: 2 - kubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: 
memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - kubernetesApiAccess: - - 0.0.0.0/0 - kubernetesVersion: 1.27.0 - masterKubelet: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - masterPublicName: api.privatecanal.example.com - networkCIDR: 172.20.0.0/16 - networking: - canal: {} - nodeTerminationHandler: - cpuRequest: 50m - deleteSQSMsgIfNodeNotFound: false - enableRebalanceDraining: false - enableRebalanceMonitoring: false - enableScheduledEventDraining: true - enableSpotInterruptionDraining: true - enabled: true - excludeFromLoadBalancers: true - managedASGTag: aws-node-termination-handler/managed - memoryRequest: 64Mi - podTerminationGracePeriod: -1 - prometheusEnable: false - taintNode: false - version: v1.22.0 - nonMasqueradeCIDR: 100.64.0.0/10 - podCIDR: 100.96.0.0/11 - secretStore: memfs://clusters.example.com/privatecanal.example.com/secrets - serviceClusterIPRange: 100.64.0.0/13 - sshAccess: - - 0.0.0.0/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Private - zone: 
us-test-1a - - cidr: 172.20.4.0/22 - name: utility-us-test-1a - type: Utility - zone: us-test-1a - topology: - dns: - type: Public diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-events_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-events_content deleted file mode 100644 index 4e70b7f195..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-events_content +++ /dev/null @@ -1,4 +0,0 @@ -{ - "memberCount": 1, - "etcdVersion": "3.5.21" -} diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-main_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-main_content deleted file mode 100644 index 4e70b7f195..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_etcd-cluster-spec-main_content +++ /dev/null @@ -1,4 +0,0 @@ -{ - "memberCount": 1, - "etcdVersion": "3.5.21" -} diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_kops-version.txt_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_kops-version.txt_content deleted file mode 100644 index b7340298dc..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_kops-version.txt_content +++ /dev/null @@ -1 +0,0 @@ -1.21.0-alpha.1 diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content deleted file mode 100644 index 4615b97aaa..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content +++ /dev/null 
@@ -1,139 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-events - name: etcd-manager-events - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://clusters.example.com/privatecanal.example.com/backups/etcd/events - --client-urls=https://__name__:4002 --cluster-name=etcd-events --containerized=true - --dns-suffix=.internal.privatecanal.example.com --grpc-port=3997 --peer-urls=https://__name__:2381 - --quarantine-client-urls=https://__name__:3995 --v=6 --volume-name-tag=k8s.io/etcd/events - --volume-provider=aws --volume-tag=k8s.io/etcd/events --volume-tag=k8s.io/role/control-plane=1 - --volume-tag=kubernetes.io/cluster/privatecanal.example.com=owned > /tmp/pipe - 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 200m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - 
--src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-events - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd-events.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content deleted file mode 100644 index 6301f75dbd..0000000000 
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content
+++ /dev/null
@@ -1,139 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null - labels: - k8s-app: etcd-manager-main - name: etcd-manager-main - namespace: kube-system -spec: - containers: - - command: - - /bin/sh - - -c - - mkfifo /tmp/pipe; (tee -a /var/log/etcd.log < /tmp/pipe & ) ; exec /ko-app/etcd-manager - --backup-store=memfs://clusters.example.com/privatecanal.example.com/backups/etcd/main - --client-urls=https://__name__:4001 --cluster-name=etcd --containerized=true - --dns-suffix=.internal.privatecanal.example.com --grpc-port=3996 --peer-urls=https://__name__:2380 - --quarantine-client-urls=https://__name__:3994 --v=6 --volume-name-tag=k8s.io/etcd/main - --volume-provider=aws --volume-tag=k8s.io/etcd/main --volume-tag=k8s.io/role/control-plane=1 - --volume-tag=kubernetes.io/cluster/privatecanal.example.com=owned > /tmp/pipe - 2>&1 - env: - - name: ETCD_MANAGER_DAILY_BACKUPS_RETENTION - value: 90d - image: registry.k8s.io/etcd-manager/etcd-manager-slim:v3.0.20250803 - name: etcd-manager - resources: - requests: - cpu: 200m - memory: 100Mi - securityContext: - privileged: true - volumeMounts: - - mountPath: /rootfs - name: rootfs - - mountPath: /run - name: run - - mountPath: /etc/kubernetes/pki/etcd-manager - name: pki - - mountPath: /opt - name: opt - - mountPath: /var/log/etcd.log - name: varlogetcd - hostNetwork: true - hostPID: true - initContainers: - - args: - - --target-dir=/opt/kops-utils/ - - --src=/ko-app/kops-utils-cp - command: - - /ko-app/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: kops-utils-cp - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.4.13 - - --src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.4.13 - name: init-etcd-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --target-dir=/opt/etcd-v3.5.21 - - 
--src=/usr/local/bin/etcd - - --src=/usr/local/bin/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/etcd:v3.5.21 - name: init-etcd-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.4.3 - - --src=/opt/etcd-v3.4.13/etcd - - --src=/opt/etcd-v3.4.13/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-4-13 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - - args: - - --symlink - - --target-dir=/opt/etcd-v3.5.0 - - --target-dir=/opt/etcd-v3.5.1 - - --target-dir=/opt/etcd-v3.5.13 - - --target-dir=/opt/etcd-v3.5.17 - - --target-dir=/opt/etcd-v3.5.3 - - --target-dir=/opt/etcd-v3.5.4 - - --target-dir=/opt/etcd-v3.5.6 - - --target-dir=/opt/etcd-v3.5.7 - - --target-dir=/opt/etcd-v3.5.9 - - --src=/opt/etcd-v3.5.21/etcd - - --src=/opt/etcd-v3.5.21/etcdctl - command: - - /opt/kops-utils/kops-utils-cp - image: registry.k8s.io/kops/kops-utils-cp:1.34.0-alpha.1 - name: init-etcd-symlinks-3-5-21 - resources: {} - volumeMounts: - - mountPath: /opt - name: opt - priorityClassName: system-cluster-critical - tolerations: - - key: CriticalAddonsOnly - operator: Exists - volumes: - - hostPath: - path: / - type: Directory - name: rootfs - - hostPath: - path: /run - type: DirectoryOrCreate - name: run - - hostPath: - path: /etc/kubernetes/pki/etcd-manager-main - type: DirectoryOrCreate - name: pki - - emptyDir: {} - name: opt - - hostPath: - path: /var/log/etcd.log - type: FileOrCreate - name: varlogetcd -status: {} diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content deleted file mode 100644 index bcd77bc0ce..0000000000 
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - creationTimestamp: null -spec: - containers: - - args: - - --ca-cert=/secrets/ca.crt - - --client-cert=/secrets/client.crt - - --client-key=/secrets/client.key - image: registry.k8s.io/kops/kube-apiserver-healthcheck:1.34.0-alpha.1 - livenessProbe: - httpGet: - host: 127.0.0.1 - path: /.kube-apiserver-healthcheck/healthz - port: 3990 - initialDelaySeconds: 5 - timeoutSeconds: 5 - name: healthcheck - resources: {} - securityContext: - runAsNonRoot: true - runAsUser: 10012 - volumeMounts: - - mountPath: /secrets - name: healthcheck-secrets - readOnly: true - volumes: - - hostPath: - path: /etc/kubernetes/kube-apiserver-healthcheck/secrets - type: Directory - name: healthcheck-secrets -status: {} diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-master-us-test-1a_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-master-us-test-1a_content deleted file mode 100644 index c533083ed3..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-master-us-test-1a_content +++ /dev/null 
@@ -1,330 +0,0 @@ -APIServerConfig: - API: - publicName: api.privatecanal.example.com - ClusterDNSDomain: cluster.local - KubeAPIServer: - allowPrivileged: true - anonymousAuth: false - apiAudiences: - - kubernetes.svc.default - apiServerCount: 1 - authorizationMode: AlwaysAllow - bindAddress: 0.0.0.0 - cloudProvider: external - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - NodeRestriction - - ResourceQuota - - RuntimeClass - - ServiceAccount - - ValidatingAdmissionPolicy - - ValidatingAdmissionWebhook - etcdServers: - - https://127.0.0.1:4001 - etcdServersOverrides: - - /events#https://127.0.0.1:4002 - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-apiserver:v1.27.0 - kubeletPreferredAddressTypes: - - InternalIP - - Hostname - - ExternalIP - logLevel: 2 - requestheaderAllowedNames: - - aggregator - requestheaderExtraHeaderPrefixes: - - X-Remote-Extra- - requestheaderGroupHeaders: - - X-Remote-Group - requestheaderUsernameHeaders: - - X-Remote-User - securePort: 443 - serviceAccountIssuer: https://api.internal.privatecanal.example.com - serviceAccountJWKSURI: https://api.internal.privatecanal.example.com/openid/v1/jwks - serviceClusterIPRange: 100.64.0.0/13 - storageBackend: etcd3 - ServiceAccountPublicKeys: | - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm - XVSysPKgE80QSU4tZ6m49pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQ== - -----END RSA PUBLIC KEY----- - -----BEGIN RSA PUBLIC KEY----- - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKOE64nZbH+GM91AIrqf7HEk4hvzqsZF - Ftxc+8xir1XC3mI/RhCCrs6AdVRZNZ26A6uHArhi33c2kHQkCjyLA7sCAwEAAQ== - -----END RSA PUBLIC KEY----- -Assets: - amd64: - - 0b4ed4fcd75d33f5dff3ba17776e6089847fc83064d3f7a3ad59a34e94e60a29@https://dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubelet - - 
71a78259d70da9c5540c4cf4cff121f443e863376f68f89a759d90cef3f51e87@https://dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - bb9a9ccd6517e2a54da748a9f60dc9aa9d79d19d4724663f2386812f083968e2@https://github.com/containerd/containerd/releases/download/v1.6.20/containerd-1.6.20-linux-amd64.tar.gz - - f00b144e86f8c1db347a2e8f22caade07d55382c5f76dd5c0a5b1ab64eaec8bb@https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.amd64 - - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64 - - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64 - arm64: - - 37aa2edc7c0c4b3e488518c6a4b44c8aade75a55010534ee2be291220c73d157@https://dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubelet - - f8e09630211f2b7c6a8cc38835e7dea94708d401f5c84b23a37c70c604602ddc@https://dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - c3e6a054b18b20fce06c7c3ed53f0989bb4b255c849bede446ebca955f07a9ce@https://github.com/containerd/containerd/releases/download/v1.6.20/containerd-1.6.20-linux-arm64.tar.gz - - 54e79e4d48b9e191767e4abc08be1a8476a1c757e9a9f8c45c6ded001226867f@https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.arm64 - - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64 - - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64 -CAs: - apiserver-aggregator-ca: | - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gINaZLHjisEcbMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTExMloX - DTMxMDYzMDA0NTExMlowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQAHAomFKsF4jvYX - WM/UzQXDj9nSAFTf8dBPCXyZZNotsOH7+P6W4mMiuVs8bAuGiXGUdbsQ2lpiT/Rk - CzMeMdr4 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgjCCASygAwIBAgIMFo3gM0nxQpiX/agfMA0GCSqGSIb3DQEBCwUAMCIxIDAe - BgNVBAMTF2FwaXNlcnZlci1hZ2dyZWdhdG9yLWNhMB4XDTIxMDYzMDA0NTIzMVoX - DTMxMDYzMDA0NTIzMVowIjEgMB4GA1UEAxMXYXBpc2VydmVyLWFnZ3JlZ2F0b3It - Y2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAyyE71AOU3go5XFegLQ6fidI0LhhM - 
x7CzpTzh2xWKcHUfbNI7itgJvC/+GlyG5W+DF5V7ba0IJiQLsFve0oLdewIDAQAB - o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - ALfqF5ZmfqvqORuJIFilZYKF3d0wDQYJKoZIhvcNAQELBQADQQCXsoezoxXu2CEN - QdlXZOfmBT6cqxIX/RMHXhpHwRiqPsTO8IO2bVA8CSzxNwMuSv/ZtrMHoh8+PcVW - HLtkTXH8 - -----END CERTIFICATE----- - etcd-clients-ca: | - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1ogHnr26DL9YkqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjE5MDFaFw0zMTA2Mjgx - NjE5MDFaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAAZAdf8ROEVkr3Rf7I+s+CQOil2toadlKWOY - qCeJ2XaEROfp9aUTEIU1MGM3g57MPyAPPU7mURskuOQz6B1UFaY= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBcjCCARygAwIBAgIMFo1olfBnC/CsT+dqMA0GCSqGSIb3DQEBCwUAMBoxGDAW - BgNVBAMTD2V0Y2QtY2xpZW50cy1jYTAeFw0yMTA2MjgxNjIwMzNaFw0zMTA2Mjgx - NjIwMzNaMBoxGDAWBgNVBAMTD2V0Y2QtY2xpZW50cy1jYTBcMA0GCSqGSIb3DQEB - AQUAA0sAMEgCQQDYlt4Xx03Cp8QooPrloaVWznx9aQDSpl1UsrDyoBPNEElOLWep - uPaQBHiDLL8LwzGi7G9r+ib13tKrwprnlPv7AgMBAAGjQjBAMA4GA1UdDwEB/wQE - AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQjlt4Ue54AbJPWlDpRM51s - x+PeBDANBgkqhkiG9w0BAQsFAANBAF1xUz77PlUVUnd9duF8F7plou0TONC9R6/E - YQ8C6vM1b+9NSDGjCW8YmwEU2fBgskb/BBX2lwVZ32/RUEju4Co= - -----END CERTIFICATE----- - etcd-manager-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bKjm04vB4rNtaMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAwOTU2WhcN - MzEwNzA1MjAwOTU2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKiC8tndMlEFZ7qzeKxeKqFVjaYpsh/H - g7RxWo15+1kgH3suO0lxp9+RxSVv97hnsfbySTPZVhy2cIQj7eZtZt8CAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBg6 - 
CEZkQNnRkARBwFce03AEWa+sMA0GCSqGSIb3DQEBCwUAA0EAJMnBThok/uUe8q8O - sS5q19KUuE8YCTUzMDj36EBKf6NX4NoakCa1h6kfQVtlMtEIMWQZCjbm8xGK5ffs - GS/VUw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBgDCCASqgAwIBAgIMFo+bQ+EgIiBmGghjMA0GCSqGSIb3DQEBCwUAMCExHzAd - BgNVBAMTFmV0Y2QtbWFuYWdlci1jYS1ldmVudHMwHhcNMjEwNzA1MjAxMTQ2WhcN - MzEwNzA1MjAxMTQ2WjAhMR8wHQYDVQQDExZldGNkLW1hbmFnZXItY2EtZXZlbnRz - MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKFhHVVxxDGv8d1jBvtdSxz7KIVoBOjL - DMxsmTsINiQkTQaFlb+XPlnY1ar4+RhE519AFUkqfhypk4Zxqf1YFXUCAwEAAaNC - MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNuW - LLH5c8kDubDbr6BHgedW0iJ9MA0GCSqGSIb3DQEBCwUAA0EAiKUoBoaGu7XzboFE - hjfKlX0TujqWuW3qMxDEJwj4dVzlSLrAoB/G01MJ+xxYKh456n48aG6N827UPXhV - cPfVNg== - -----END CERTIFICATE----- - etcd-manager-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjm1c3jfv6hIMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAxbkDbGYmCSShpRG3r+lzTOFujyuruRfjOhYm - ZRX4w1Utd5y63dUc98sjc9GGUYMHd+0k1ql/a48tGhnK6N6jJwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWZLkbBFx - GAgPU4i62c52unSo7RswDQYJKoZIhvcNAQELBQADQQAj6Pgd0va/8FtkyMlnohLu - Gf4v8RJO6zk3Y6jJ4+cwWziipFM1ielMzSOZfFcCZgH3m5Io40is4hPSqyq2TOA6 - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eg8Si30gr4MA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtbWFuYWdlci1jYS1tYWluMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1tYW5hZ2VyLWNhLW1haW4wXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAw33jzcd/iosN04b0WXbDt7B0c3sJ3aafcGLP - vG3xRB9N5bYr9+qZAq3mzAFkxscn4j1ce5b1/GKTDEAClmZgdQIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUE/h+3gDP - DvKwHRyiYlXM8voZ1wowDQYJKoZIhvcNAQELBQADQQBXuimeEoAOu5HN4hG7NqL9 - t40K3ZRhRZv3JQWnRVJCBDjg1rD0GQJR/n+DoWvbeijI5C9pNjr2pWSIYR1eYCvd - -----END CERTIFICATE----- - 
etcd-peers-ca-events: | - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bKjmxTPh3/lYJMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMDk1NloXDTMx - MDcwNTIwMDk1NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAv5g4HF2xmrYyouJfY9jXx1M3gPLD/pupvxPY - xyjJw5pNCy5M5XGS3iTqRD5RDE0fWudVHFZKLIe8WPc06NApXwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUf6xiDI+O - Yph1ziCGr2hZaQYt+fUwDQYJKoZIhvcNAQELBQADQQBBxj5hqEQstonTb8lnqeGB - DEYtUeAk4eR/HzvUMjF52LVGuvN3XVt+JTrFeKNvb6/RDUbBNRj3azalcUkpPh6V - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBfDCCASagAwIBAgIMFo+bQ+Eq69jgzpKwMA0GCSqGSIb3DQEBCwUAMB8xHTAb - BgNVBAMTFGV0Y2QtcGVlcnMtY2EtZXZlbnRzMB4XDTIxMDcwNTIwMTE0NloXDTMx - MDcwNTIwMTE0NlowHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1ldmVudHMwXDAN - BgkqhkiG9w0BAQEFAANLADBIAkEAo5Nj2CjX1qp3mEPw1H5nHAFWLoGNSLSlRFJW - 03NxaNPMFzL5PrCoyOXrX8/MWczuZYw0Crf8EPOOQWi2+W0XLwIDAQABo0IwQDAO - BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxauhhKQh - cvdZND78rHe0RQVTTiswDQYJKoZIhvcNAQELBQADQQB+cq4jIS9q0zXslaRa+ViI - J+dviA3sMygbmSJO0s4DxYmoazKJblux5q0ASSvS9iL1l9ShuZ1dWyp2tpZawHyb - -----END CERTIFICATE----- - etcd-peers-ca-main: | - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bKjmuLDDLcDHsMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDA5NTZaFw0zMTA3 - MDUyMDA5NTZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCyRaXWpwgN6INQqws9p/BvPElJv2Rno9dVTFhlQqDA - aUJXe7MBmiO4NJcW76EozeBh5ztR3/4NE1FM2x8TisS3AgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtE1d49uSvpURf - OQ25Vlu6liY20DANBgkqhkiG9w0BAQsFAANBAAgLVaetJZcfOA3OIMMvQbz2Ydrt - uWF9BKkIad8jrcIrm3IkOtR8bKGmDIIaRKuG/ZUOL6NMe2fky3AAfKwleL4= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBeDCCASKgAwIBAgIMFo+bQ+EuVthBfuZvMA0GCSqGSIb3DQEBCwUAMB0xGzAZ - BgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjAeFw0yMTA3MDUyMDExNDZaFw0zMTA3 - 
MDUyMDExNDZaMB0xGzAZBgNVBAMTEmV0Y2QtcGVlcnMtY2EtbWFpbjBcMA0GCSqG - SIb3DQEBAQUAA0sAMEgCQQCxNbycDZNx5V1ZOiXxZSvaFpHRwKeHDfcuMUitdoPt - naVMlMTGDWAMuCVmFHFAWohIYynemEegmZkZ15S7AErfAgMBAAGjQjBAMA4GA1Ud - DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAjQ8T4HclPIsC - qipEfUIcLP6jqTANBgkqhkiG9w0BAQsFAANBAJdZ17TN3HlWrH7HQgfR12UBwz8K - G9DurDznVaBVUYaHY8Sg5AvAXeb+yIF2JMmRR+bK+/G1QYY2D3/P31Ic2Oo= - -----END CERTIFICATE----- - kubernetes-ca: | - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANqBD8NSD82AUSMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwODAwWhcNMzEwNzA3MDcw - ODAwWjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBANFI3zr0Tk8krsW8vwjfMpzJOlWQ8616vG3YPa2qAgI7V4oKwfV0yIg1 - jt+H6f4P/wkPAPTPTfRp9Iy8oHEEFw0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNG3zVjTcLlJwDsJ4/K9DV7KohUA - MA0GCSqGSIb3DQEBCwUAA0EAB8d03fY2w7WKpfO29qI295pu2C4ca9AiVGOpgSc8 - tmQsq6rcxt3T+rb589PVtz0mw/cKTxOk6gH2CCC+yHfy2w== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBbjCCARigAwIBAgIMFpANvmSa0OAlYmXKMA0GCSqGSIb3DQEBCwUAMBgxFjAU - BgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzA3MDcwOTM2WhcNMzEwNzA3MDcw - OTM2WjAYMRYwFAYDVQQDEw1rdWJlcm5ldGVzLWNhMFwwDQYJKoZIhvcNAQEBBQAD - SwAwSAJBAMF6F4aZdpe0RUpyykaBpWwZCnwbffhYGOw+fs6RdLuUq7QCNmJm/Eq7 - WWOziMYDiI9SbclpD+6QiJ0N3EqppVUCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLImp6ARjPDAH6nhI+scWVt3Q9bn - MA0GCSqGSIb3DQEBCwUAA0EAVQVx5MUtuAIeePuP9o51xtpT2S6Fvfi8J4ICxnlA - 9B7UD2ushcVFPtaeoL9Gfu8aY4KJBeqqg5ojl4qmRnThjw== - -----END CERTIFICATE----- -ClusterName: privatecanal.example.com -ControlPlaneConfig: - KubeControllerManager: - allocateNodeCIDRs: true - attachDetachReconcileSyncPeriod: 1m0s - cloudProvider: external - clusterCIDR: 100.96.0.0/11 - clusterName: privatecanal.example.com - configureCloudRoutes: false - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-controller-manager:v1.27.0 - 
leaderElection: - leaderElect: true - logLevel: 2 - useServiceAccountCredentials: true - KubeScheduler: - featureGates: - InTreePluginAWSUnregister: "true" - image: registry.k8s.io/kube-scheduler:v1.27.0 - leaderElection: - leaderElect: true - logLevel: 2 -DNSZone: Z1AFAKE1ZON3YO -EtcdClusterNames: -- main -- events -FileAssets: -- content: | - apiVersion: kubescheduler.config.k8s.io/v1 - clientConnection: - kubeconfig: /var/lib/kube-scheduler/kubeconfig - kind: KubeSchedulerConfiguration - path: /var/lib/kube-scheduler/config.yaml -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - apiserver-aggregator-ca: "6980187172486667078076483355" - etcd-clients-ca: "6979622252718071085282986282" - etcd-manager-ca-events: "6982279354000777253151890266" - etcd-manager-ca-main: "6982279354000936168671127624" - etcd-peers-ca-events: "6982279353999767935825892873" - etcd-peers-ca-main: "6982279353998887468930183660" - kubernetes-ca: "6982820025135291416230495506" - service-account: "2" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.0 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - kops.k8s.io/kops-controller-pki: "" - node-role.kubernetes.io/control-plane: "" - node.kubernetes.io/exclude-from-external-load-balancers: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s - taints: - - node-role.kubernetes.io/control-plane=:NoSchedule 
-KubernetesVersion: 1.27.0 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -channels: -- memfs://clusters.example.com/privatecanal.example.com/addons/bootstrap-channel.yaml -configStore: - keypairs: memfs://clusters.example.com/privatecanal.example.com/pki - secrets: memfs://clusters.example.com/privatecanal.example.com/secrets -containerdConfig: - logLevel: info - runc: - version: 1.1.5 - version: 1.6.20 -etcdManifests: -- memfs://clusters.example.com/privatecanal.example.com/manifests/etcd/main-master-us-test-1a.yaml -- memfs://clusters.example.com/privatecanal.example.com/manifests/etcd/events-master-us-test-1a.yaml -staticManifests: -- key: kube-apiserver-healthcheck - path: manifests/static/kube-apiserver-healthcheck.yaml -usesLegacyGossip: false -usesNoneDNS: false diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-nodes_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-nodes_content deleted file mode 100644 index 3ce5ca37a5..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_nodeupconfig-nodes_content +++ /dev/null 
@@ -1,61 +0,0 @@ -Assets: - amd64: - - 0b4ed4fcd75d33f5dff3ba17776e6089847fc83064d3f7a3ad59a34e94e60a29@https://dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubelet,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubelet - - 71a78259d70da9c5540c4cf4cff121f443e863376f68f89a759d90cef3f51e87@https://dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubectl,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/amd64/kubectl - - 7644623e4ec9ad443ab352a8a5800a5180ee28741288be805286ba72bb8e7164@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/amd64/ecr-credential-provider-linux-amd64 - - f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz - - bb9a9ccd6517e2a54da748a9f60dc9aa9d79d19d4724663f2386812f083968e2@https://github.com/containerd/containerd/releases/download/v1.6.20/containerd-1.6.20-linux-amd64.tar.gz - - f00b144e86f8c1db347a2e8f22caade07d55382c5f76dd5c0a5b1ab64eaec8bb@https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.amd64 - arm64: - - 37aa2edc7c0c4b3e488518c6a4b44c8aade75a55010534ee2be291220c73d157@https://dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubelet,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubelet - - f8e09630211f2b7c6a8cc38835e7dea94708d401f5c84b23a37c70c604602ddc@https://dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubectl,https://cdn.dl.k8s.io/release/v1.27.0/bin/linux/arm64/kubectl - - 1980e3a038cb16da48a137743b31fb81de6c0b59fa06c206c2bc20ce0a52f849@https://artifacts.k8s.io/binaries/cloud-provider-aws/v1.31.7/linux/arm64/ecr-credential-provider-linux-arm64 - - 
525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57@https://storage.googleapis.com/k8s-artifacts-cni/release/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz,https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-arm64-v1.2.0.tgz - - c3e6a054b18b20fce06c7c3ed53f0989bb4b255c849bede446ebca955f07a9ce@https://github.com/containerd/containerd/releases/download/v1.6.20/containerd-1.6.20-linux-arm64.tar.gz - - 54e79e4d48b9e191767e4abc08be1a8476a1c757e9a9f8c45c6ded001226867f@https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.arm64 -CAs: {} -ClusterName: privatecanal.example.com -Hooks: -- null -- null -InstallCNIAssets: true -KeypairIDs: - kubernetes-ca: "6982820025135291416230495506" -KubeProxy: - clusterCIDR: 100.96.0.0/11 - cpuRequest: 100m - image: registry.k8s.io/kube-proxy:v1.27.0 - logLevel: 2 -KubeletConfig: - anonymousAuth: false - cgroupDriver: systemd - cgroupRoot: / - cloudProvider: external - clusterDNS: 100.64.0.10 - clusterDomain: cluster.local - enableDebuggingHandlers: true - evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% - featureGates: - InTreePluginAWSUnregister: "true" - kubeconfigPath: /var/lib/kubelet/kubeconfig - logLevel: 2 - nodeLabels: - node-role.kubernetes.io/node: "" - podInfraContainerImage: registry.k8s.io/pause:3.9 - podManifestPath: /etc/kubernetes/manifests - protectKernelDefaults: true - registerSchedulable: true - shutdownGracePeriod: 30s - shutdownGracePeriodCriticalPods: 10s -KubernetesVersion: 1.27.0 -Networking: - nonMasqueradeCIDR: 100.64.0.0/10 - serviceClusterIPRange: 100.64.0.0/13 -UpdatePolicy: automatic -containerdConfig: - logLevel: info - runc: - version: 1.1.5 - version: 1.6.20 -usesLegacyGossip: false -usesNoneDNS: false 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content deleted file mode 100644 index 59ca0721d4..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content +++ /dev/null 
@@ -1,237 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - k8s-app: aws-cloud-controller-manager - name: aws-cloud-controller-manager - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: aws-cloud-controller-manager - template: - metadata: - creationTimestamp: null - labels: - k8s-app: aws-cloud-controller-manager - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --allocate-node-cidrs=true - - --cluster-cidr=100.96.0.0/11 - - --cluster-name=privatecanal.example.com - - --configure-cloud-routes=false - - --leader-elect=true - - --v=2 - - --cloud-provider=aws - - --use-service-account-credentials=true - - --cloud-config=/etc/kubernetes/cloud.config - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.9 - imagePullPolicy: IfNotPresent - name: aws-cloud-controller-manager - resources: - requests: - cpu: 200m - volumeMounts: - - mountPath: /etc/kubernetes/cloud.config - name: cloudconfig - readOnly: true - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccountName: aws-cloud-controller-manager - tolerations: - - effect: NoSchedule - key: node.cloudprovider.kubernetes.io/uninitialized - value: "true" - - effect: NoSchedule - key: node.kubernetes.io/not-ready - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - hostPath: - path: /etc/kubernetes/cloud.config - type: "" - name: 
cloudconfig - updateStrategy: - type: RollingUpdate - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: cloud-controller-manager:apiserver-authentication-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - "" - resources: - - nodes - verbs: - - '*' -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch -- apiGroups: - - "" - resources: - - services - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - services/status - verbs: - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - coordination.k8s.io - resources: 
- - leases - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - - watch -- apiGroups: - - "" - resourceNames: - - node-controller - - service-controller - - route-controller - resources: - - serviceaccounts/token - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: aws-cloud-controller.addons.k8s.io - name: system:cloud-controller-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:cloud-controller-manager -subjects: -- apiGroup: "" - kind: ServiceAccount - name: aws-cloud-controller-manager - namespace: kube-system diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content deleted file mode 100644 index 27f14d09f8..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ /dev/null 
@@ -1,1151 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver 
- app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-attacher-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-role -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - patch - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-provisioner-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - patch - - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update -- apiGroups: - - 
storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-resizer-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattributesclasses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - 
app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-external-snapshotter-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list - - watch - - update - - patch - - create -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-attacher-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-attacher-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- 
- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node-getter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-csi-node-role -subjects: -- kind: ServiceAccount - name: ebs-csi-node-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-provisioner-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-provisioner-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-resizer-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-resizer-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-snapshotter-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ebs-external-snapshotter-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-role - namespace: kube-system -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - watch - - list - - delete - - update - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-leases-rolebinding - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ebs-csi-leases-role -subjects: -- kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system - ---- - -apiVersion: v1 -kind: Service 
-metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app: ebs-csi-controller - app.kubernetes.io/managed-by: kops - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - ports: - - name: metrics - port: 3301 - targetPort: 3301 - selector: - app: ebs-csi-controller - type: ClusterIP - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-node - namespace: kube-system -spec: - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-node - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-node - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: Exists - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - - key: node.kubernetes.io/instance-type - operator: NotIn - values: - - a1.medium - - a1.large - - a1.xlarge - - a1.2xlarge - - a1.4xlarge - containers: - - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --csi-mount-point-prefix=/var/lib/kubelet/plugins/kubernetes.io/csi/ebs.csi.aws.com/ - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: 
unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /bin/aws-ebs-csi-driver - - pre-stop-hook - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: healthz - periodSeconds: 5 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - privileged: true - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/lib/kubelet - mountPropagation: Bidirectional - name: kubelet-dir - - mountPath: /csi - name: plugin-dir - - mountPath: /dev - name: device-dir - - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=5 - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.14.0 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /csi-node-driver-registrar - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --mode=kubelet-registration-probe - initialDelaySeconds: 30 - periodSeconds: 90 - timeoutSeconds: 15 - name: node-driver-registrar - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - - mountPath: /registration - name: registration-dir - - mountPath: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - name: probe-dir - - args: - - --csi-address=/csi/csi.sock - image: 
registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: plugin-dir - hostNetwork: false - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - securityContext: - fsGroup: 0 - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - serviceAccountName: ebs-csi-node-sa - terminationGracePeriodSeconds: 30 - tolerations: - - operator: Exists - volumes: - - hostPath: - path: /var/lib/kubelet - type: Directory - name: kubelet-dir - - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - name: plugin-dir - - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - name: registration-dir - - hostPath: - path: /dev - type: Directory - name: device-dir - - emptyDir: {} - name: probe-dir - updateStrategy: - rollingUpdate: - maxUnavailable: 10% - type: RollingUpdate - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs-csi-controller - namespace: kube-system -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - app: ebs-csi-controller - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: 
aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - kops.k8s.io/managed-by: kops - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - auto - - hybrid - weight: 1 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - ebs-csi-controller - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - controller - - --endpoint=$(CSI_ENDPOINT) - - --k8s-tag-cluster-id=privatecanal.example.com - - --extra-tags=KubernetesCluster=privatecanal.example.com - - --http-endpoint=0.0.0.0:3301 - - --batching=true - - --logging-format=text - - --v=5 - env: - - name: AWS_REGION - value: us-test-1 - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: key_id - name: aws-secret - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: access_key - name: aws-secret - optional: true - - name: AWS_EC2_ENDPOINT - valueFrom: - configMapKeyRef: - key: endpoint - name: aws-meta - optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.47.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 
- timeoutSeconds: 3 - name: ebs-plugin - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - - containerPort: 3301 - name: metrics - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --feature-gates=Topology=true - - --extra-create-metadata - - --leader-election=true - - --default-fstype=ext4 - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 - imagePullPolicy: IfNotPresent - name: csi-provisioner - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=6m - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --worker-threads=100 - - --retry-interval-max=5m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-attacher:v4.9.0 - imagePullPolicy: IfNotPresent - name: csi-attacher - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: 
/var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s:v0.7.0 - imagePullPolicy: IfNotPresent - name: volumemodifier - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --timeout=60s - - --extra-modify-metadata - - --csi-address=$(ADDRESS) - - --v=5 - - --handle-volume-inuse-error=false - - --leader-election=true - - --kube-api-qps=20 - - --kube-api-burst=100 - - --workers=100 - - --retry-interval-max=30m - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 - imagePullPolicy: IfNotPresent - name: csi-resizer - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - args: - - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0 - imagePullPolicy: IfNotPresent - name: liveness-probe - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /csi - name: socket-dir - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - 
securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - serviceAccountName: ebs-csi-controller-sa - tolerations: - - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app: ebs-csi-controller - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/name: aws-ebs-csi-driver - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - emptyDir: {} - name: socket-dir - ---- - -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io - app.kubernetes.io/component: csi-driver - app.kubernetes.io/instance: aws-ebs-csi-driver - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.47.0 - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - name: ebs.csi.aws.com -spec: - attachRequired: true - podInfoOnMount: false diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content deleted file mode 100644 index 0dcead782e..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content +++ /dev/null 
@@ -1,168 +0,0 @@ -kind: Addons -metadata: - creationTimestamp: null - name: bootstrap -spec: - addons: - - id: k8s-1.16 - manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml - manifestHash: 7c5c4ea2d18ffe972055caf91850667d8cfc4157a2d685f02edb5476e26fa947 - name: kops-controller.addons.k8s.io - needsRollingUpdate: control-plane - selector: - k8s-addon: kops-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: coredns.addons.k8s.io/k8s-1.12.yaml - manifestHash: 776ca39fa0034ba09a4335cf3ee1bfa9c136407aaed07223555934e6907edd91 - name: coredns.addons.k8s.io - selector: - k8s-addon: coredns.addons.k8s.io - version: 9.99.0 - - id: k8s-1.9 - manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml - manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81 - name: kubelet-api.rbac.addons.k8s.io - selector: - k8s-addon: kubelet-api.rbac.addons.k8s.io - version: 9.99.0 - - manifest: limit-range.addons.k8s.io/v1.5.0.yaml - manifestHash: 2d55c3bc5e354e84a3730a65b42f39aba630a59dc8d32b30859fcce3d3178bc2 - name: limit-range.addons.k8s.io - selector: - k8s-addon: limit-range.addons.k8s.io - version: 9.99.0 - - id: k8s-1.12 - manifest: dns-controller.addons.k8s.io/k8s-1.12.yaml - manifestHash: 4547fd9281fdef75bb50e82a90136a721fe7bd01a42d58dbe837a422cf54466d - name: dns-controller.addons.k8s.io - selector: - k8s-addon: dns-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.11 - manifest: node-termination-handler.aws/k8s-1.11.yaml - manifestHash: f22a4f2c1d350d49b295c98e4275a977685ea0ed0cc4efd271d82f2fecdb7b9c - name: node-termination-handler.aws - prune: - kinds: - - kind: ConfigMap - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: Service - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - kind: ServiceAccount - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - 
namespaces: - - kube-system - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: DaemonSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: apps - kind: Deployment - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: apps - kind: StatefulSet - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: policy - kind: PodDisruptionBudget - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: rbac.authorization.k8s.io - kind: ClusterRole - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: ClusterRoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: Role - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: RoleBinding - labelSelector: addon.kops.k8s.io/name=node-termination-handler.aws,app.kubernetes.io/managed-by=kops - selector: - k8s-addon: node-termination-handler.aws - version: 9.99.0 - - id: v1.15.0 - manifest: storage-aws.addons.k8s.io/v1.15.0.yaml - manifestHash: 4e2cda50cd5048133aad1b5e28becb60f4629d3f9e09c514a2757c27998b4200 - name: storage-aws.addons.k8s.io - selector: - k8s-addon: storage-aws.addons.k8s.io - version: 9.99.0 - - id: k8s-1.25 - 
manifest: networking.projectcalico.org.canal/k8s-1.25.yaml - manifestHash: fd73e91eb9ddc00e565073190350eb301a6831fc211f84b508bb3c9e6bd94841 - name: networking.projectcalico.org.canal - prune: - kinds: - - kind: ConfigMap - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - kind: Service - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - kind: ServiceAccount - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: apps - kind: DaemonSet - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: apps - kind: Deployment - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: apps - kind: StatefulSet - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: policy - kind: PodDisruptionBudget - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - namespaces: - - kube-system - - group: rbac.authorization.k8s.io - kind: ClusterRole - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: ClusterRoleBinding - labelSelector: 
addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: Role - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - - group: rbac.authorization.k8s.io - kind: RoleBinding - labelSelector: addon.kops.k8s.io/name=networking.projectcalico.org.canal,app.kubernetes.io/managed-by=kops - selector: - role.kubernetes.io/networking: "1" - version: 9.99.0 - - id: k8s-1.18 - manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml - manifestHash: 83c24e3227c186629805bef655b3fb4a01b717c6aa7dc27dff8fe1a65fb5946b - name: aws-cloud-controller.addons.k8s.io - selector: - k8s-addon: aws-cloud-controller.addons.k8s.io - version: 9.99.0 - - id: k8s-1.17 - manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 298ecdf0e0e37b717809ec379c19adbdbf40eff8366da2ce74a744041927551d - name: aws-ebs-csi-driver.addons.k8s.io - selector: - k8s-addon: aws-ebs-csi-driver.addons.k8s.io - version: 9.99.0 diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content deleted file mode 100644 index 4c4816a315..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content +++ /dev/null 
@@ -1,383 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/cluster-service: "true" - name: coredns - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns -subjects: -- kind: ServiceAccount - name: coredns - namespace: kube-system - ---- - -apiVersion: v1 -data: - Corefile: |- - .:53 { - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local. in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - prometheus :9153 - forward . 
/etc/resolv.conf { - max_concurrent 1000 - } - cache 30 - loop - reload - loadbalance - } -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - addonmanager.kubernetes.io/mode: EnsureExists - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: coredns - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kube-dns - strategy: - rollingUpdate: - maxSurge: 10% - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - k8s-app: kube-dns - kops.k8s.io/managed-by: kops - spec: - containers: - - args: - - -conf - - /etc/coredns/Corefile - image: registry.k8s.io/coredns/coredns:v1.11.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - successThreshold: 1 - timeoutSeconds: 5 - name: coredns - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - resources: - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - all - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/coredns - name: config-volume - readOnly: true - dnsPolicy: Default - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns - tolerations: - - key: 
CriticalAddonsOnly - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - k8s-app: kube-dns - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - volumes: - - configMap: - name: coredns - name: config-volume - ---- - -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: CoreDNS - name: kube-dns - namespace: kube-system - resourceVersion: "0" -spec: - clusterIP: 100.64.0.10 - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP - selector: - k8s-app: kube-dns - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: kube-dns - namespace: kube-system -spec: - maxUnavailable: 50% - selector: - matchLabels: - k8s-app: kube-dns - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - 
list - - watch -- apiGroups: - - "" - resources: - - replicationcontrollers/scale - verbs: - - get - - update -- apiGroups: - - extensions - - apps - resources: - - deployments/scale - - replicasets/scale - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - name: coredns-autoscaler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: coredns-autoscaler -subjects: -- kind: ServiceAccount - name: coredns-autoscaler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: coredns.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: coredns.addons.k8s.io - k8s-app: coredns-autoscaler - kubernetes.io/cluster-service: "true" - name: coredns-autoscaler - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: coredns-autoscaler - template: - metadata: - creationTimestamp: null - labels: - k8s-app: coredns-autoscaler - kops.k8s.io/managed-by: kops - spec: - containers: - - command: - - /cluster-proportional-autoscaler - - --namespace=kube-system - - --configmap=coredns-autoscaler - - --target=Deployment/coredns - - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}} - - --logtostderr=true - - --v=2 - image: registry.k8s.io/cpa/cluster-proportional-autoscaler:v1.9.0 - name: autoscaler - resources: - requests: - cpu: 20m - memory: 10Mi - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: coredns-autoscaler - tolerations: - - key: CriticalAddonsOnly - operator: Exists 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
deleted file mode 100644
index 4997c5166f..0000000000
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content
+++ /dev/null
@@ -1,138 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - version: v1.34.0-alpha.1 - name: dns-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: dns-controller - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - k8s-addon: dns-controller.addons.k8s.io - k8s-app: dns-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - args: - - --watch-ingress=false - - --dns=aws-route53 - - --zone=*/Z1AFAKE1ZON3YO - - --internal-ipv4 - - --zone=*/* - - -v=2 - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - image: registry.k8s.io/kops/dns-controller:1.34.0-alpha.1 - name: dns-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: dns-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: dns-controller - namespace: kube-system - ---- - 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - ingress - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: dns-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: dns-controller.addons.k8s.io - name: kops:dns-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops:dns-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:dns-controller diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content deleted file mode 100644 index 8fb90df10c..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content +++ /dev/null 
@@ -1,227 +0,0 @@ -apiVersion: v1 -data: - config.yaml: | - {"clusterName":"privatecanal.example.com","cloud":"aws","configBase":"memfs://clusters.example.com/privatecanal.example.com","secretStore":"memfs://clusters.example.com/privatecanal.example.com/secrets","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.privatecanal.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}} -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - version: v1.34.0-alpha.1 - name: kops-controller - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: kops-controller - template: - metadata: - annotations: - dns.alpha.kubernetes.io/internal: kops-controller.internal.privatecanal.example.com - creationTimestamp: null - labels: - k8s-addon: kops-controller.addons.k8s.io - k8s-app: kops-controller - kops.k8s.io/managed-by: kops - version: v1.34.0-alpha.1 - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kops.k8s.io/kops-controller-pki - operator: 
Exists - containers: - - args: - - --v=2 - - --conf=/etc/kubernetes/kops-controller/config/config.yaml - command: null - env: - - name: KUBERNETES_SERVICE_HOST - value: 127.0.0.1 - - name: KOPS_RUN_TOO_NEW_VERSION - value: "1" - image: registry.k8s.io/kops/kops-controller:1.34.0-alpha.1 - name: kops-controller - resources: - requests: - cpu: 50m - memory: 50Mi - securityContext: - runAsNonRoot: true - runAsUser: 10011 - volumeMounts: - - mountPath: /etc/kubernetes/kops-controller/config/ - name: kops-controller-config - - mountPath: /etc/kubernetes/kops-controller/pki/ - name: kops-controller-pki - dnsPolicy: Default - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - serviceAccount: kops-controller - tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - volumes: - - configMap: - name: kops-controller - name: kops-controller-config - - hostPath: - path: /etc/kubernetes/kops-controller/ - type: Directory - name: kops-controller-pki - updateStrategy: - type: OnDelete - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: 
null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - watch - - create -- apiGroups: - - "" - - coordination.k8s.io - resourceNames: - - kops-controller-leader - resources: - - configmaps - - leases - verbs: - - get - - list - - watch - - patch - - update - - delete -- apiGroups: - - "" - - coordination.k8s.io - resources: - - configmaps - - leases - verbs: - - create - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kops-controller.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kops-controller.addons.k8s.io - name: kops-controller - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kops-controller -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:serviceaccount:kube-system:kops-controller diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content deleted file mode 100644 index 36761e1c56..0000000000 
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: kubelet-api.rbac.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: kubelet-api.rbac.addons.k8s.io - name: kops:system:kubelet-api-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kubelet-api-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: kubelet-api diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-limit-range.addons.k8s.io_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-limit-range.addons.k8s.io_content deleted file mode 100644 index 4dcdce48b9..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-limit-range.addons.k8s.io_content +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: LimitRange -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: limit-range.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: limit-range.addons.k8s.io - name: limits - namespace: default -spec: - limits: - - defaultRequest: - cpu: 100m - type: Container diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.25_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.25_content deleted file mode 100644 index be47480918..0000000000 
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.25_content
+++ /dev/null
@@ -1,4907 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - k8s-app: calico-kube-controllers - role.kubernetes.io/networking: "1" - name: calico-kube-controllers - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: calico-kube-controllers - namespace: kube-system - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: canal - namespace: kube-system - ---- - -apiVersion: v1 -data: - canal_iface: "" - cni_network_config: |- - { - "name": "k8s-pod-network", - "cniVersion": "0.3.1", - "plugins": [ - { - "type": "calico", - "log_level": "info", - "log_file_path": "/var/log/calico/cni/cni.log", - "datastore_type": "kubernetes", - "nodename": "__KUBERNETES_NODE_NAME__", - "mtu": __CNI_MTU__, - "ipam": { - "type": "host-local", - "subnet": "usePodCidr" - }, - "policy": { - "type": "k8s" - }, - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__" - } - }, - { - "type": "portmap", - "snat": true, - "capabilities": {"portMappings": true} - }, - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - masquerade: "true" - net-conf.json: |- - { - "Network": "100.64.0.0/10", - "Backend": { - "Type": "vxlan" - } - } - typha_service_name: none - veth_mtu: "0" -kind: ConfigMap -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - 
role.kubernetes.io/networking: "1" - name: canal-config - namespace: kube-system - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: bgpconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BGPConfiguration - listKind: BGPConfigurationList - plural: bgpconfigurations - singular: bgpconfiguration - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: BGPConfiguration contains the configuration for any BGP routing. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPConfigurationSpec contains the values of the BGP configuration. - properties: - asNumber: - description: 'ASNumber is the default AS number used by a node. [Default: - 64512]' - format: int32 - type: integer - bindMode: - description: BindMode indicates whether to listen for BGP connections - on all addresses (None) or only on the node's canonical IP address - Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen - for BGP connections on all addresses. 
- type: string - communities: - description: Communities is a list of BGP community values and their - arbitrary names for tagging routes. - items: - description: Community contains standard or large community value - and its name. - properties: - name: - description: Name given to community value. - type: string - value: - description: Value must be of format `aa:nn` or `aa:nn:mm`. - For standard community use `aa:nn` format, where `aa` and - `nn` are 16 bit number. For large community use `aa:nn:mm` - format, where `aa`, `nn` and `mm` are 32 bit number. Where, - `aa` is an AS Number, `nn` and `mm` are per-AS identifier. - pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ - type: string - type: object - type: array - ignoredInterfaces: - description: IgnoredInterfaces indicates the network interfaces that - needs to be excluded when reading device routes. - items: - type: string - type: array - listenPort: - description: ListenPort is the port where BGP protocol should listen. - Defaults to 179 - maximum: 65535 - minimum: 1 - type: integer - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: INFO]' - type: string - nodeMeshMaxRestartTime: - description: Time to allow for software restart for node-to-mesh peerings. When - specified, this is configured as the graceful restart timeout. When - not specified, the BIRD default of 120s is used. This field can - only be set on the default BGPConfiguration instance and requires - that NodeMesh is enabled - type: string - nodeMeshPassword: - description: Optional BGP password for full node-to-mesh peerings. - This field can only be set on the default BGPConfiguration instance - and requires that NodeMesh is enabled - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. 
- type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - type: object - nodeToNodeMeshEnabled: - description: 'NodeToNodeMeshEnabled sets whether full node to node - BGP mesh is enabled. [Default: true]' - type: boolean - prefixAdvertisements: - description: PrefixAdvertisements contains per-prefix advertisement - configuration. - items: - description: PrefixAdvertisement configures advertisement properties - for the specified CIDR. - properties: - cidr: - description: CIDR for which properties should be advertised. - type: string - communities: - description: Communities can be list of either community names - already defined in `Specs.Communities` or community value - of format `aa:nn` or `aa:nn:mm`. For standard community use - `aa:nn` format, where `aa` and `nn` are 16 bit number. For - large community use `aa:nn:mm` format, where `aa`, `nn` and - `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and - `mm` are per-AS identifier. - items: - type: string - type: array - type: object - type: array - serviceClusterIPs: - description: ServiceClusterIPs are the CIDR blocks from which service - cluster IPs are allocated. If specified, Calico will advertise these - blocks, as well as any cluster IPs within them. - items: - description: ServiceClusterIPBlock represents a single allowed ClusterIP - CIDR block. - properties: - cidr: - type: string - type: object - type: array - serviceExternalIPs: - description: ServiceExternalIPs are the CIDR blocks for Kubernetes - Service External IPs. Kubernetes Service ExternalIPs will only be - advertised if they are within one of these blocks. 
- items: - description: ServiceExternalIPBlock represents a single allowed - External IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - serviceLoadBalancerIPs: - description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes - Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress - IPs will only be advertised if they are within one of these blocks. - items: - description: ServiceLoadBalancerIPBlock represents a single allowed - LoadBalancer IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: bgppeers.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BGPPeer - listKind: BGPPeerList - plural: bgppeers - singular: bgppeer - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPPeerSpec contains the specification for a BGPPeer resource. - properties: - asNumber: - description: The AS Number of the peer. - format: int32 - type: integer - keepOriginalNextHop: - description: Option to keep the original nexthop field when routes - are sent to a BGP Peer. Setting "true" configures the selected BGP - Peers node to use the "next hop keep;" instead of "next hop self;"(default) - in the specific branch of the Node on "bird.cfg". - type: boolean - maxRestartTime: - description: Time to allow for software restart. When specified, - this is configured as the graceful restart timeout. When not specified, - the BIRD default of 120s is used. - type: string - node: - description: The node name identifying the Calico node instance that - is targeted by this peer. If this is not set, and no nodeSelector - is specified, then this BGP peer selects all nodes in the cluster. - type: string - nodeSelector: - description: Selector for the nodes that should have this peering. When - this is set, the Node field must be empty. - type: string - numAllowedLocalASNumbers: - description: Maximum number of local AS numbers that are allowed in - the AS path for received routes. This removes BGP loop prevention - and should only be used if absolutely necesssary. - format: int32 - type: integer - password: - description: Optional BGP password for the peerings generated by this - BGPPeer resource. - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - type: object - peerIP: - description: The IP address of the peer followed by an optional port - number to peer with. If port number is given, format should be `[]:port` - or `:` for IPv4. If optional port number is not set, - and this peer IP and ASNumber belongs to a calico/node with ListenPort - set in BGPConfiguration, then we use that port to peer. - type: string - peerSelector: - description: Selector for the remote nodes to peer with. When this - is set, the PeerIP and ASNumber fields must be empty. For each - peering between the local node and selected remote nodes, we configure - an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, - and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The - remote AS number comes from the remote node's NodeBGPSpec.ASNumber, - or the global default if that is not set. - type: string - reachableBy: - description: Add an exact, i.e. /32, static route toward peer IP in - order to prevent route flapping. ReachableBy contains the address - of the gateway which peer can be reached by. - type: string - sourceAddress: - description: Specifies whether and how to configure a source address - for the peerings generated by this BGPPeer resource. Default value - "UseNodeIP" means to configure the node IP as the source address. "None" - means not to configure a source address. - type: string - ttlSecurity: - description: TTLSecurity enables the generalized TTL security mechanism - (GTSM) which protects against spoofed packets by ignoring received - packets with a smaller than expected TTL value. The provided value - is the number of hops (edges) between the peers. 
- type: integer - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: blockaffinities.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BlockAffinity - listKind: BlockAffinityList - plural: blockaffinities - singular: blockaffinity - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BlockAffinitySpec contains the specification for a BlockAffinity - resource. - properties: - cidr: - type: string - deleted: - description: Deleted indicates that this block affinity is being deleted. - This field is a string for compatibility with older releases that - mistakenly treat this field as a string. 
- type: string - node: - type: string - state: - type: string - required: - - cidr - - deleted - - node - - state - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: caliconodestatuses.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: CalicoNodeStatus - listKind: CalicoNodeStatusList - plural: caliconodestatuses - singular: caliconodestatus - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus - resource. - properties: - classes: - description: Classes declares the types of information to monitor - for this calico/node, and allows for selective status reporting - about certain subsets of information. 
- items: - type: string - type: array - node: - description: The node name identifies the Calico node instance for - node status. - type: string - updatePeriodSeconds: - description: UpdatePeriodSeconds is the period at which CalicoNodeStatus - should be updated. Set to 0 to disable CalicoNodeStatus refresh. - Maximum update period is one day. - format: int32 - type: integer - type: object - status: - description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. - No validation needed for status since it is updated by Calico. - properties: - agent: - description: Agent holds agent status on the node. - properties: - birdV4: - description: BIRDV4 represents the latest observed status of bird4. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - birdV6: - description: BIRDV6 represents the latest observed status of bird6. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - type: object - bgp: - description: BGP holds node BGP status. - properties: - numberEstablishedV4: - description: The total number of IPv4 established bgp sessions. 
- type: integer - numberEstablishedV6: - description: The total number of IPv6 established bgp sessions. - type: integer - numberNotEstablishedV4: - description: The total number of IPv4 non-established bgp sessions. - type: integer - numberNotEstablishedV6: - description: The total number of IPv6 non-established bgp sessions. - type: integer - peersV4: - description: PeersV4 represents IPv4 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. - properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. - type: string - since: - description: Since the state or reason last changed. - type: string - state: - description: State is the BGP session state. - type: string - type: - description: Type indicates whether this peer is configured - via the node-to-node mesh, or via en explicit global or - per-node BGPPeer object. - type: string - type: object - type: array - peersV6: - description: PeersV6 represents IPv6 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. - properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. - type: string - since: - description: Since the state or reason last changed. - type: string - state: - description: State is the BGP session state. - type: string - type: - description: Type indicates whether this peer is configured - via the node-to-node mesh, or via en explicit global or - per-node BGPPeer object. - type: string - type: object - type: array - required: - - numberEstablishedV4 - - numberEstablishedV6 - - numberNotEstablishedV4 - - numberNotEstablishedV6 - type: object - lastUpdated: - description: LastUpdated is a timestamp representing the server time - when CalicoNodeStatus object last updated. It is represented in - RFC3339 form and is in UTC. 
- format: date-time - nullable: true - type: string - routes: - description: Routes reports routes known to the Calico BGP daemon - on the node. - properties: - routesV4: - description: RoutesV4 represents IPv4 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. - properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. - type: string - interface: - description: Interface for the destination - type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. - type: string - type: object - type: array - routesV6: - description: RoutesV6 represents IPv6 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. - properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. - type: string - interface: - description: Interface for the destination - type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. 
- type: string - type: object - type: array - type: object - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: clusterinformations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: ClusterInformation - listKind: ClusterInformationList - plural: clusterinformations - singular: clusterinformation - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterInformation contains the cluster specific information. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterInformationSpec contains the values of describing - the cluster. 
- properties: - calicoVersion: - description: CalicoVersion is the version of Calico that the cluster - is running - type: string - clusterGUID: - description: ClusterGUID is the GUID of the cluster - type: string - clusterType: - description: ClusterType describes the type of the cluster - type: string - datastoreReady: - description: DatastoreReady is used during significant datastore migrations - to signal to components such as Felix that it should wait before - accessing the datastore. - type: boolean - variant: - description: Variant declares which variant of Calico should be active. - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: felixconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: FelixConfiguration - listKind: FelixConfigurationList - plural: felixconfigurations - singular: felixconfiguration - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: Felix Configuration contains the configuration for Felix. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FelixConfigurationSpec contains the values of the Felix configuration. - properties: - allowIPIPPacketsFromWorkloads: - description: 'AllowIPIPPacketsFromWorkloads controls whether Felix - will add a rule to drop IPIP encapsulated traffic from workloads - [Default: false]' - type: boolean - allowVXLANPacketsFromWorkloads: - description: 'AllowVXLANPacketsFromWorkloads controls whether Felix - will add a rule to drop VXLAN encapsulated traffic from workloads - [Default: false]' - type: boolean - awsSrcDstCheck: - description: 'Set source-destination-check on AWS EC2 instances. Accepted - value must be one of "DoNothing", "Enable" or "Disable". [Default: - DoNothing]' - enum: - - DoNothing - - Enable - - Disable - type: string - bpfConnectTimeLoadBalancingEnabled: - description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, - controls whether Felix installs the connection-time load balancer. The - connect-time load balancer is required for the host to be able to - reach Kubernetes services and it improves the performance of pod-to-service - connections. The only reason to disable it is for debugging purposes. [Default: - true]' - type: boolean - bpfDataIfacePattern: - description: BPFDataIfacePattern is a regular expression that controls - which interfaces Felix should attach BPF programs to in order to - catch traffic to/from the network. This needs to match the interfaces - that Calico workload traffic flows over as well as any interfaces - that handle incoming traffic to nodeports and services from outside - the cluster. It should not match the workload interfaces (usually - named cali...). - type: string - bpfDisableUnprivileged: - description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled - sysctl to disable unprivileged use of BPF. 
This ensures that unprivileged - users cannot access Calico''s BPF maps and cannot insert their own - BPF programs to interfere with Calico''s. [Default: true]' - type: boolean - bpfEnabled: - description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. - [Default: false]' - type: boolean - bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all host interfaces - with BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' - type: string - bpfExtToServiceConnmark: - description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit - mark that is set on connections from an external client to a local - service. This mark allows us to control how packets of that connection - are routed within the host and how is routing interpreted by RPF - check. [Default: 0]' - type: integer - bpfExternalServiceMode: - description: 'BPFExternalServiceMode in BPF mode, controls how connections - from outside the cluster to services (node ports and cluster IPs) - are forwarded to remote workloads. If set to "Tunnel" then both - request and response traffic is tunneled to the remote node. If - set to "DSR", the request traffic is tunneled but the response traffic - is sent directly from the remote node. In "DSR" mode, the remote - node appears to use the IP of the ingress node; this requires a - permissive L2 network. [Default: Tunnel]' - type: string - bpfHostConntrackBypass: - description: 'BPFHostConntrackBypass Controls whether to bypass Linux - conntrack in BPF mode for workloads and services. [Default: true - - bypass Linux conntrack]' - type: boolean - bpfKubeProxyEndpointSlicesEnabled: - description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls - whether Felix's embedded kube-proxy accepts EndpointSlices or not. 
- type: boolean - bpfKubeProxyIptablesCleanupEnabled: - description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF - mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s - iptables chains. Should only be enabled if kube-proxy is not running. [Default: - true]' - type: boolean - bpfKubeProxyMinSyncPeriod: - description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the - minimum time between updates to the dataplane for Felix''s embedded - kube-proxy. Lower values give reduced set-up latency. Higher values - reduce Felix CPU usage by batching up more work. [Default: 1s]' - type: string - bpfL3IfacePattern: - description: BPFL3IfacePattern is a regular expression that allows - to list tunnel devices like wireguard or vxlan (i.e., L3 devices) - in addition to BPFDataIfacePattern. That is, tunnel interfaces not - created by Calico, that Calico workload traffic flows over as well - as any interfaces that handle incoming traffic to nodeports and - services from outside the cluster. - type: string - bpfLogLevel: - description: 'BPFLogLevel controls the log level of the BPF programs - when in BPF dataplane mode. One of "Off", "Info", or "Debug". The - logs are emitted to the BPF trace pipe, accessible with the command - `tc exec bpf debug`. [Default: Off].' - type: string - bpfMapSizeConntrack: - description: 'BPFMapSizeConntrack sets the size for the conntrack - map. This map must be large enough to hold an entry for each active - connection. Warning: changing the size of the conntrack map can - cause disruption.' - type: integer - bpfMapSizeIPSets: - description: BPFMapSizeIPSets sets the size for ipsets map. The IP - sets map must be large enough to hold an entry for each endpoint - matched by every selector in the source/destination matches in network - policy. Selectors such as "all()" can result in large numbers of - entries (one entry per endpoint in that case). 
- type: integer - bpfMapSizeIfState: - description: BPFMapSizeIfState sets the size for ifstate map. The - ifstate map must be large enough to hold an entry for each device - (host + workloads) on a host. - type: integer - bpfMapSizeNATAffinity: - type: integer - bpfMapSizeNATBackend: - description: BPFMapSizeNATBackend sets the size for nat back end map. - This is the total number of endpoints. This is mostly more than - the size of the number of services. - type: integer - bpfMapSizeNATFrontend: - description: BPFMapSizeNATFrontend sets the size for nat front end - map. FrontendMap should be large enough to hold an entry for each - nodeport, external IP and each port in each service. - type: integer - bpfMapSizeRoute: - description: BPFMapSizeRoute sets the size for the routes map. The - routes map should be large enough to hold one entry per workload - and a handful of entries per host (enough to cover its own IPs and - tunnel IPs). - type: integer - bpfPSNATPorts: - anyOf: - - type: integer - - type: string - description: 'BPFPSNATPorts sets the range from which we randomly - pick a port if there is a source port collision. This should be - within the ephemeral range as defined by RFC 6056 (1024–65535) - and preferably outside the ephemeral ranges used by common operating - systems. Linux uses 32768–60999, while others mostly use the IANA - defined range 49152–65535. It is not necessarily a problem if - this range overlaps with the operating systems. Both ends of the - range are inclusive. [Default: 20000:29999]' - pattern: ^.* - x-kubernetes-int-or-string: true - bpfPolicyDebugEnabled: - description: BPFPolicyDebugEnabled when true, Felix records detailed - information about the BPF policy programs, which can be examined - with the calico-bpf command-line tool. 
- type: boolean - chainInsertMode: - description: 'ChainInsertMode controls whether Felix hooks the kernel''s - top-level iptables chains by inserting a rule at the top of the - chain or by appending a rule at the bottom. insert is the safe default - since it prevents Calico''s rules from being bypassed. If you switch - to append mode, be sure that the other rules in the chains signal - acceptance by falling through to the Calico rules, otherwise the - Calico policy will be bypassed. [Default: insert]' - type: string - dataplaneDriver: - description: DataplaneDriver filename of the external dataplane driver - to use. Only used if UseInternalDataplaneDriver is set to false. - type: string - dataplaneWatchdogTimeout: - description: "DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix's (internal) dataplane driver. Increase this value - if you experience spurious non-ready or non-live events when Felix - is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s] \n Deprecated: replaced - by the generic HealthTimeoutOverrides." - type: string - debugDisableLogDropping: - type: boolean - debugMemoryProfilePath: - type: string - debugSimulateCalcGraphHangAfter: - type: string - debugSimulateDataplaneHangAfter: - type: string - defaultEndpointToHostAction: - description: 'DefaultEndpointToHostAction controls what happens to - traffic that goes from a workload endpoint to the host itself (after - the traffic hits the endpoint egress policy). By default Calico - blocks traffic from workload endpoints to the host itself with an - iptables "DROP" action. If you want to allow some or all traffic - from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables "INPUT" chain; - Calico will insert its rules at the top of that chain, then "RETURN" - packets to the "INPUT" chain once it has completed processing workload - endpoint egress policy. 
Use ACCEPT to unconditionally accept packets - from workloads after processing workload endpoint egress policy. - [Default: Drop]' - type: string - deviceRouteProtocol: - description: This defines the route protocol added to programmed device - routes, by default this will be RTPROT_BOOT when left blank. - type: integer - deviceRouteSourceAddress: - description: This is the IPv4 source address to use on programmed - device routes. By default the source address is left blank, leaving - the kernel to choose the source address used. - type: string - deviceRouteSourceAddressIPv6: - description: This is the IPv6 source address to use on programmed - device routes. By default the source address is left blank, leaving - the kernel to choose the source address used. - type: string - disableConntrackInvalidCheck: - type: boolean - endpointReportingDelay: - type: string - endpointReportingEnabled: - type: boolean - externalNodesList: - description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes - which may source tunnel traffic and have the tunneled traffic be - accepted at calico nodes. - items: - type: string - type: array - failsafeInboundHostPorts: - description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports - and CIDRs that Felix will allow incoming traffic to host endpoints - on irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. For - back-compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from - all addresses. To disable all inbound host ports, use the value - none. The default value allows ssh access and DHCP. [Default: tcp:22, - udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. 
- properties: - net: - type: string - port: - type: integer - protocol: - type: string - required: - - port - - protocol - type: object - type: array - failsafeOutboundHostPorts: - description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports - and CIDRs that Felix will allow outgoing traffic from host endpoints - to irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. For - back-compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from - all addresses. To disable all outbound host ports, use the value - none. The default value opens etcd''s standard ports to ensure that - Felix does not get cut off from etcd as well as allowing DHCP and - DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, - tcp:6667, udp:53, udp:67]' - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. - properties: - net: - type: string - port: - type: integer - protocol: - type: string - required: - - port - - protocol - type: object - type: array - featureDetectOverride: - description: FeatureDetectOverride is used to override feature detection - based on auto-detected platform capabilities. Values are specified - in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" - or "false" will force the feature, empty or omitted values are auto-detected. - type: string - featureGates: - description: FeatureGates is used to enable or disable tech-preview - Calico features. Values are specified in a comma separated list - with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". - This is used to enable features that are not fully production ready. - type: string - floatingIPs: - description: FloatingIPs configures whether or not Felix will program - non-OpenStack floating IP addresses. 
(OpenStack-derived floating - IPs are always programmed, regardless of this setting.) - enum: - - Enabled - - Disabled - type: string - genericXDPEnabled: - description: 'GenericXDPEnabled enables Generic XDP so network cards - that don''t support XDP offload or driver modes can use XDP. This - is not recommended since it doesn''t provide better performance - than iptables. [Default: false]' - type: boolean - healthEnabled: - type: boolean - healthHost: - type: string - healthPort: - type: integer - healthTimeoutOverrides: - description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for - working around "false positive" liveness timeouts that can occur - in particularly stressful workloads or if CPU is constrained. For - a list of active subcomponents, see Felix's logs. - items: - properties: - name: - type: string - timeout: - type: string - required: - - name - - timeout - type: object - type: array - interfaceExclude: - description: 'InterfaceExclude is a comma-separated list of interfaces - that Felix should exclude when monitoring for host endpoints. The - default value ensures that Felix ignores Kubernetes'' IPVS dummy - interface, which is used internally by kube-proxy. If you want to - exclude multiple interface names using a single value, the list - supports regular expressions. For regular expressions you must wrap - the value with ''/''. For example having values ''/^kube/,veth1'' - will exclude all interfaces that begin with ''kube'' and also the - interface ''veth1''. [Default: kube-ipvs0]' - type: string - interfacePrefix: - description: 'InterfacePrefix is the interface name prefix that identifies - workload endpoints and so distinguishes them from host endpoint - interfaces. Note: in environments other than bare metal, the orchestrators - configure this appropriately. 
For example our Kubernetes and Docker - integrations set the ''cali'' value, and our OpenStack integration - sets the ''tap'' value. [Default: cali]' - type: string - interfaceRefreshInterval: - description: InterfaceRefreshInterval is the period at which Felix - rescans local interfaces to verify their state. The rescan can be - disabled by setting the interval to 0. - type: string - ipipEnabled: - description: 'IPIPEnabled overrides whether Felix should configure - an IPIP interface on the host. Optional as Felix determines this - based on the existing IP pools. [Default: nil (unset)]' - type: boolean - ipipMTU: - description: 'IPIPMTU is the MTU to set on the tunnel device. See - Configuring MTU [Default: 1440]' - type: integer - ipsetsRefreshInterval: - description: 'IpsetsRefreshInterval is the period at which Felix re-checks - all iptables state to ensure that no other process has accidentally - broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: - 90s]' - type: string - iptablesBackend: - description: IptablesBackend specifies which backend of iptables will - be used. The default is Auto. - type: string - iptablesFilterAllowAction: - type: string - iptablesLockFilePath: - description: 'IptablesLockFilePath is the location of the iptables - lock file. You may need to change this if the lock file is not in - its standard location (for example if you have mapped it into Felix''s - container at a different path). [Default: /run/xtables.lock]' - type: string - iptablesLockProbeInterval: - description: 'IptablesLockProbeInterval is the time that Felix will - wait between attempts to acquire the iptables lock if it is not - available. Lower values make Felix more responsive when the lock - is contended, but use more CPU. [Default: 50ms]' - type: string - iptablesLockTimeout: - description: 'IptablesLockTimeout is the time that Felix will wait - for the iptables lock, or 0, to disable. 
To use this feature, Felix - must share the iptables lock file with all other processes that - also take the lock. When running Felix inside a container, this - requires the /run directory of the host to be mounted into the calico/node - or calico/felix container. [Default: 0s disabled]' - type: string - iptablesMangleAllowAction: - type: string - iptablesMarkMask: - description: 'IptablesMarkMask is the mask that Felix selects its - IPTables Mark bits from. Should be a 32 bit hexadecimal number with - at least 8 bits set, none of which clash with any other mark bits - in use on the system. [Default: 0xff000000]' - format: int32 - type: integer - iptablesNATOutgoingInterfaceFilter: - type: string - iptablesPostWriteCheckInterval: - description: 'IptablesPostWriteCheckInterval is the period after Felix - has done a write to the dataplane that it schedules an extra read - back in order to check the write was not clobbered by another process. - This should only occur if another application on the system doesn''t - respect the iptables lock. [Default: 1s]' - type: string - iptablesRefreshInterval: - description: 'IptablesRefreshInterval is the period at which Felix - re-checks the IP sets in the dataplane to ensure that no other process - has accidentally broken Calico''s rules. Set to 0 to disable IP - sets refresh. Note: the default for this value is lower than the - other refresh intervals as a workaround for a Linux kernel bug that - was fixed in kernel version 4.11. If you are using v4.11 or greater - you may want to set this to, a higher value to reduce Felix CPU - usage. [Default: 10s]' - type: string - ipv6Support: - description: IPv6Support controls whether Felix enables support for - IPv6 (if supported by the in-use dataplane). - type: boolean - kubeNodePortRanges: - description: 'KubeNodePortRanges holds list of port ranges used for - service node ports. Only used if felix detects kube-proxy running - in ipvs mode. 
Felix uses these ranges to separate host and workload - traffic. [Default: 30000:32767].' - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - logDebugFilenameRegex: - description: LogDebugFilenameRegex controls which source code files - have their Debug log output included in the logs. Only logs from - files with names that match the given regular expression are included. The - filter only applies to Debug level logs. - type: string - logFilePath: - description: 'LogFilePath is the full path to the Felix log. Set to - none to disable file logging. [Default: /var/log/calico/felix.log]' - type: string - logPrefix: - description: 'LogPrefix is the log prefix that Felix uses when rendering - LOG rules. [Default: calico-packet]' - type: string - logSeverityFile: - description: 'LogSeverityFile is the log severity above which logs - are sent to the log file. [Default: Info]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - logSeveritySys: - description: 'LogSeveritySys is the log severity above which logs - are sent to the syslog. Set to None for no logging to syslog. [Default: - Info]' - type: string - maxIpsetSize: - type: integer - metadataAddr: - description: 'MetadataAddr is the IP address or domain name of the - server that can answer VM queries for cloud-init metadata. In OpenStack, - this corresponds to the machine running nova-api (or in Ubuntu, - nova-api-metadata). A value of none (case insensitive) means that - Felix should not set up any NAT rule for the metadata path. [Default: - 127.0.0.1]' - type: string - metadataPort: - description: 'MetadataPort is the port of the metadata server. This, - combined with global.MetadataAddr (if not ''None''), is used to - set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 
- In most cases this should not need to be changed [Default: 8775].' - type: integer - mtuIfacePattern: - description: MTUIfacePattern is a regular expression that controls - which interfaces Felix should scan in order to calculate the host's - MTU. This should not match workload interfaces (usually named cali...). - type: string - natOutgoingAddress: - description: NATOutgoingAddress specifies an address to use when performing - source NAT for traffic in a natOutgoing pool that is leaving the - network. By default the address used is an address on the interface - the traffic is leaving on (ie it uses the iptables MASQUERADE target) - type: string - natPortRange: - anyOf: - - type: integer - - type: string - description: NATPortRange specifies the range of ports that is used - for port mapping when doing outgoing NAT. When unset the default - behavior of the network stack is used. - pattern: ^.* - x-kubernetes-int-or-string: true - netlinkTimeout: - type: string - openstackRegion: - description: 'OpenstackRegion is the name of the region that a particular - Felix belongs to. In a multi-region Calico/OpenStack deployment, - this must be configured somehow for each Felix (here in the datamodel, - or in felix.cfg or the environment on each compute node), and must - match the [calico] openstack_region value configured in neutron.conf - on each node. [Default: Empty]' - type: string - policySyncPathPrefix: - description: 'PolicySyncPathPrefix is used to by Felix to communicate - policy changes to external services, like Application layer policy. - [Default: Empty]' - type: string - prometheusGoMetricsEnabled: - description: 'PrometheusGoMetricsEnabled disables Go runtime metrics - collection, which the Prometheus client does by default, when set - to false. This reduces the number of metrics reported, reducing - Prometheus load. 
[Default: true]' - type: boolean - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled enables the Prometheus metrics - server in Felix if set to true. [Default: false]' - type: boolean - prometheusMetricsHost: - description: 'PrometheusMetricsHost is the host that the Prometheus - metrics server should bind to. [Default: empty]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. [Default: 9091]' - type: integer - prometheusProcessMetricsEnabled: - description: 'PrometheusProcessMetricsEnabled disables process metrics - collection, which the Prometheus client does by default, when set - to false. This reduces the number of metrics reported, reducing - Prometheus load. [Default: true]' - type: boolean - prometheusWireGuardMetricsEnabled: - description: 'PrometheusWireGuardMetricsEnabled disables wireguard - metrics collection, which the Prometheus client does by default, - when set to false. This reduces the number of metrics reported, - reducing Prometheus load. [Default: true]' - type: boolean - removeExternalRoutes: - description: Whether or not to remove device routes that have not - been programmed by Felix. Disabling this will allow external applications - to also add device routes. This is enabled by default which means - we will remove externally added routes. - type: boolean - reportingInterval: - description: 'ReportingInterval is the interval at which Felix reports - its status into the datastore or 0 to disable. Must be non-zero - in OpenStack deployments. [Default: 30s]' - type: string - reportingTTL: - description: 'ReportingTTL is the time-to-live setting for process-wide - status reports. [Default: 90s]' - type: string - routeRefreshInterval: - description: 'RouteRefreshInterval is the period at which Felix re-checks - the routes in the dataplane to ensure that no other process has - accidentally broken Calico''s rules. 
Set to 0 to disable route refresh. - [Default: 90s]' - type: string - routeSource: - description: 'RouteSource configures where Felix gets its routing - information. - WorkloadIPs: use workload endpoints to construct - routes. - CalicoIPAM: the default - use IPAM data to construct routes.' - type: string - routeSyncDisabled: - description: RouteSyncDisabled will disable all operations performed - on the route table. Set to true to run in network-policy mode only. - type: boolean - routeTableRange: - description: Deprecated in favor of RouteTableRanges. Calico programs - additional Linux route tables for various purposes. RouteTableRange - specifies the indices of the route tables that Calico should use. - properties: - max: - type: integer - min: - type: integer - required: - - max - - min - type: object - routeTableRanges: - description: Calico programs additional Linux route tables for various - purposes. RouteTableRanges specifies a set of table index ranges - that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. - items: - properties: - max: - type: integer - min: - type: integer - required: - - max - - min - type: object - type: array - serviceLoopPrevention: - description: 'When service IP advertisement is enabled, prevent routing - loops to service IPs that are not in use, by dropping or rejecting - packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", - in which case such routing loops continue to be allowed. [Default: - Drop]' - type: string - sidecarAccelerationEnabled: - description: 'SidecarAccelerationEnabled enables experimental sidecar - acceleration [Default: false]' - type: boolean - usageReportingEnabled: - description: 'UsageReportingEnabled reports anonymous Calico version - number and cluster size to projectcalico.org. Logs warnings returned - by the usage server. For example, if a significant security vulnerability - has been discovered in the version of Calico being used. 
[Default: - true]' - type: boolean - usageReportingInitialDelay: - description: 'UsageReportingInitialDelay controls the minimum delay - before Felix makes a report. [Default: 300s]' - type: string - usageReportingInterval: - description: 'UsageReportingInterval controls the interval at which - Felix makes reports. [Default: 86400s]' - type: string - useInternalDataplaneDriver: - description: UseInternalDataplaneDriver, if true, Felix will use its - internal dataplane programming logic. If false, it will launch - an external dataplane driver and communicate with it over protobuf. - type: boolean - vxlanEnabled: - description: 'VXLANEnabled overrides whether Felix should create the - VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix - determines this based on the existing IP pools. [Default: nil (unset)]' - type: boolean - vxlanMTU: - description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel - device. See Configuring MTU [Default: 1410]' - type: integer - vxlanMTUV6: - description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel - device. See Configuring MTU [Default: 1390]' - type: integer - vxlanPort: - type: integer - vxlanVNI: - type: integer - wireguardEnabled: - description: 'WireguardEnabled controls whether Wireguard is enabled - for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). - [Default: false]' - type: boolean - wireguardEnabledV6: - description: 'WireguardEnabledV6 controls whether Wireguard is enabled - for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). - [Default: false]' - type: boolean - wireguardHostEncryptionEnabled: - description: 'WireguardHostEncryptionEnabled controls whether Wireguard - host-to-host encryption is enabled. [Default: false]' - type: boolean - wireguardInterfaceName: - description: 'WireguardInterfaceName specifies the name to use for - the IPv4 Wireguard interface. 
[Default: wireguard.cali]' - type: string - wireguardInterfaceNameV6: - description: 'WireguardInterfaceNameV6 specifies the name to use for - the IPv6 Wireguard interface. [Default: wg-v6.cali]' - type: string - wireguardKeepAlive: - description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive - option. Set 0 to disable. [Default: 0]' - type: string - wireguardListeningPort: - description: 'WireguardListeningPort controls the listening port used - by IPv4 Wireguard. [Default: 51820]' - type: integer - wireguardListeningPortV6: - description: 'WireguardListeningPortV6 controls the listening port - used by IPv6 Wireguard. [Default: 51821]' - type: integer - wireguardMTU: - description: 'WireguardMTU controls the MTU on the IPv4 Wireguard - interface. See Configuring MTU [Default: 1440]' - type: integer - wireguardMTUV6: - description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard - interface. See Configuring MTU [Default: 1420]' - type: integer - wireguardRoutingRulePriority: - description: 'WireguardRoutingRulePriority controls the priority value - to use for the Wireguard routing rule. [Default: 99]' - type: integer - workloadSourceSpoofing: - description: WorkloadSourceSpoofing controls whether pods can use - the allowedSourcePrefixes annotation to send traffic with a source - IP address that is not theirs. This is disabled by default. When - set to "Any", pods can request any prefix. - type: string - xdpEnabled: - description: 'XDPEnabled enables XDP acceleration for suitable untracked - incoming deny rules. [Default: true]' - type: boolean - xdpRefreshInterval: - description: 'XDPRefreshInterval is the period at which Felix re-checks - all XDP state to ensure that no other process has accidentally broken - Calico''s BPF maps or attached programs. Set to 0 to disable XDP - refresh. 
[Default: 90s]' - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: globalnetworkpolicies.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: GlobalNetworkPolicy - listKind: GlobalNetworkPolicyList - plural: globalnetworkpolicies - singular: globalnetworkpolicy - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. - type: boolean - doNotTrack: - description: DoNotTrack indicates whether packets matched by the rules - in this policy should go through the data plane's connection tracking, - such as Linux conntrack. If True, the rules in this policy are - applied before any data plane connection tracking, and packets allowed - by this policy are marked as not to be tracked. 
- type: boolean - egress: - description: The ordered set of egress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with \"Not\". All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. 
- items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". 
- \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. 
- properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. 
- type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. 
\n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). 
- \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. 
\n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: The ordered set of ingress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with \"Not\". All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. 
\n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. 
\n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. 
\n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). 
- type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. 
When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." 
- items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. 
- type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: Order is an optional field that specifies the order in - which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". - type: number - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... 
} -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() - or the empty selector -> matches all endpoints. \n Label names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive but they do not support escape characters. \n Examples - (with made-up labels): \n \ttype == \"webserver\" && deployment - == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != - \"dev\" \t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - types: - description: "Types indicates whether this policy applies to ingress, - or to egress, or to both. When not explicitly specified (and so - the value on creation is empty or nil), Calico defaults Types according - to what Ingress and Egress rules are present in the policy. The - default is: \n - [ PolicyTypeIngress ], if there are no Egress rules - (including the case where there are also no Ingress rules) \n - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress - rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are - both Ingress and Egress rules. \n When the policy is read back again, - Types will always be one of these values, never empty or nil." - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. 
- type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: globalnetworksets.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: GlobalNetworkSet - listKind: GlobalNetworkSetList - plural: globalnetworksets - singular: globalnetworkset - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs - that share labels to allow rules to refer to them via selectors. The labels - of GlobalNetworkSet are not namespaced. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalNetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. 
- items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: hostendpoints.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: HostEndpoint - listKind: HostEndpointList - plural: hostendpoints - singular: hostendpoint - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HostEndpointSpec contains the specification for a HostEndpoint - resource. - properties: - expectedIPs: - description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. - If \"InterfaceName\" is not present, Calico will look for an interface - matching any of the IPs in the list and apply policy to that. Note: - \tWhen using the selector match criteria in an ingress or egress - security Policy \tor Profile, Calico converts the selector into - a set of IP addresses. 
For host \tendpoints, the ExpectedIPs field - is used for that purpose. (If only the interface \tname is specified, - Calico does not learn the IPs of the interface for use in match - \tcriteria.)" - items: - type: string - type: array - interfaceName: - description: "Either \"*\", or the name of a specific Linux interface - to apply policy to; or empty. \"*\" indicates that this HostEndpoint - governs all traffic to, from or through the default network namespace - of the host named by the \"Node\" field; entering and leaving that - namespace via any interface, including those from/to non-host-networked - local workloads. \n If InterfaceName is not \"*\", this HostEndpoint - only governs traffic that enters or leaves the host through the - specific interface named by InterfaceName, or - when InterfaceName - is empty - through the specific interface that has one of the IPs - in ExpectedIPs. Therefore, when InterfaceName is empty, at least - one expected IP must be specified. Only external interfaces (such - as \"eth0\") are supported here; it isn't possible for a HostEndpoint - to protect traffic through a specific local workload interface. - \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; - initially just pre-DNAT policy. Please check Calico documentation - for the latest position." - type: string - node: - description: The node name identifying the Calico node instance. - type: string - ports: - description: Ports contains the endpoint's named ports, which may - be referenced in security policy rules. - items: - properties: - name: - type: string - port: - type: integer - protocol: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - required: - - name - - port - - protocol - type: object - type: array - profiles: - description: A list of identifiers of security Profile objects that - apply to this endpoint. Each profile is applied in the order that - they appear in this list. 
Profile rules are applied after the selector-based - security policy. - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: ipamblocks.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMBlock - listKind: IPAMBlockList - plural: ipamblocks - singular: ipamblock - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMBlockSpec contains the specification for an IPAMBlock - resource. - properties: - affinity: - description: Affinity of the block, if this block has one. If set, - it will be of the form "host:". If not set, this block - is not affine to a host. - type: string - allocations: - description: Array of allocations in-use within this block. nil entries - mean the allocation is free. 
For non-nil entries at index i, the - index is the ordinal of the allocation within this block and the - value is the index of the associated attributes in the Attributes - array. - items: - nullable: true - type: integer - type: array - attributes: - description: Attributes is an array of arbitrary metadata associated - with allocations in the block. To find attributes for a given allocation, - use the value of the allocation's entry in the Allocations array - as the index of the element in this array. - items: - properties: - handle_id: - type: string - secondary: - additionalProperties: - type: string - type: object - type: object - type: array - cidr: - description: The block's CIDR. - type: string - deleted: - description: Deleted is an internal boolean used to workaround a limitation - in the Kubernetes API whereby deletion will not return a conflict - error if the block has been updated. It should not be set manually. - type: boolean - sequenceNumber: - default: 0 - description: We store a sequence number that is updated each time - the block is written. Each allocation will also store the sequence - number of the block at the time of its creation. When releasing - an IP, passing the sequence number associated with the allocation - allows us to protect against a race condition and ensure the IP - hasn't been released and re-allocated since the release request. - format: int64 - type: integer - sequenceNumberForAllocation: - additionalProperties: - format: int64 - type: integer - description: Map of allocated ordinal within the block to sequence - number of the block at the time of allocation. Kubernetes does not - allow numerical keys for maps, so the key is cast to a string. - type: object - strictAffinity: - description: StrictAffinity on the IPAMBlock is deprecated and no - longer used by the code. Use IPAMConfig StrictAffinity instead. 
- type: boolean - unallocated: - description: Unallocated is an ordered list of allocations which are - free in the block. - items: - type: integer - type: array - required: - - allocations - - attributes - - cidr - - strictAffinity - - unallocated - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: ipamconfigs.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMConfig - listKind: IPAMConfigList - plural: ipamconfigs - singular: ipamconfig - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMConfigSpec contains the specification for an IPAMConfig - resource. - properties: - autoAllocateBlocks: - type: boolean - maxBlocksPerHost: - description: MaxBlocksPerHost, if non-zero, is the max number of blocks - that can be affine to each host. 
- maximum: 2147483647 - minimum: 0 - type: integer - strictAffinity: - type: boolean - required: - - autoAllocateBlocks - - strictAffinity - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: ipamhandles.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMHandle - listKind: IPAMHandleList - plural: ipamhandles - singular: ipamhandle - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMHandleSpec contains the specification for an IPAMHandle - resource. 
- properties: - block: - additionalProperties: - type: integer - type: object - deleted: - type: boolean - handleID: - type: string - required: - - block - - handleID - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: ippools.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPPool - listKind: IPPoolList - plural: ippools - singular: ippool - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPPoolSpec contains the specification for an IPPool resource. - properties: - allowedUses: - description: AllowedUse controls what the IP pool will be used for. If - not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility - items: - type: string - type: array - blockSize: - description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 122 for IPv6. 
- type: integer - cidr: - description: The pool CIDR. - type: string - disableBGPExport: - description: 'Disable exporting routes from this IP Pool''s CIDR over - BGP. [Default: false]' - type: boolean - disabled: - description: When disabled is true, Calico IPAM will not assign addresses - from this pool. - type: boolean - ipip: - description: 'Deprecated: this field is only used for APIv1 backwards - compatibility. Setting this field is not allowed, this field is - for internal use only.' - properties: - enabled: - description: When enabled is true, ipip tunneling will be used - to deliver packets to destinations within this pool. - type: boolean - mode: - description: The IPIP mode. This can be one of "always" or "cross-subnet". A - mode of "always" will also use IPIP tunneling for routing to - destination IP addresses within this pool. A mode of "cross-subnet" - will only use IPIP tunneling when the destination node is on - a different subnet to the originating node. The default value - (if not specified) is "always". - type: string - type: object - ipipMode: - description: Contains configuration for IPIP tunneling for this pool. - If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling - is disabled). - type: string - nat-outgoing: - description: 'Deprecated: this field is only used for APIv1 backwards - compatibility. Setting this field is not allowed, this field is - for internal use only.' - type: boolean - natOutgoing: - description: When natOutgoing is true, packets sent from Calico networked - containers in this pool to destinations outside of this pool will - be masqueraded. - type: boolean - nodeSelector: - description: Allows IPPool to allocate for a specific node by label - selector. - type: string - vxlanMode: - description: Contains configuration for VXLAN tunneling for this pool. - If not specified, then this is defaulted to "Never" (i.e. VXLAN - tunneling is disabled). 
- type: string - required: - - cidr - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: ipreservations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPReservation - listKind: IPReservationList - plural: ipreservations - singular: ipreservation - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPReservationSpec contains the specification for an IPReservation - resource. - properties: - reservedCIDRs: - description: ReservedCIDRs is a list of CIDRs and/or IP addresses - that Calico IPAM will exclude from new allocations. 
- items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: kubecontrollersconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: KubeControllersConfiguration - listKind: KubeControllersConfigurationList - plural: kubecontrollersconfigurations - singular: kubecontrollersconfiguration - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KubeControllersConfigurationSpec contains the values of the - Kubernetes controllers configuration. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - namespace: - description: Namespace enables and configures the namespace controller. - Enabled by default, set to nil to disable. 
- properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host endpoints. - Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation of - host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: 'LeakGracePeriod is the period used by the controller - to determine if an IP address has been leaked. Set to 0 - to disable IP garbage collection. [Default: 15m]' - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. 
- properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - type: object - debugProfilePort: - description: DebugProfilePort configures the port to serve memory - and cpu profiles on. If not specified, profiling is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: 9094]' - type: integer - required: - - controllers - type: object - status: - description: KubeControllersConfigurationStatus represents the status - of the configuration. It's useful for admins to be able to see the actual - config that was applied, which can be modified by environment variables - on the kube-controllers process. - properties: - environmentVars: - additionalProperties: - type: string - description: EnvironmentVars contains the environment variables on - the kube-controllers that influenced the RunningConfig. - type: object - runningConfig: - description: RunningConfig contains the effective config that is running - in the kube-controllers pod, after merging the API resource with - any environment variables. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - namespace: - description: Namespace enables and configures the namespace - controller. Enabled by default, set to nil to disable. 
- properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host - endpoints. Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation - of host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: 'LeakGracePeriod is the period used by the - controller to determine if an IP address has been leaked. - Set to 0 to disable IP garbage collection. [Default: - 15m]' - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. 
- properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - type: object - debugProfilePort: - description: DebugProfilePort configures the port to serve memory - and cpu profiles on. If not specified, profiling is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which - logs are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: - 9094]' - type: integer - required: - - controllers - type: object - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: networkpolicies.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: NetworkPolicy - listKind: NetworkPolicyList - plural: networkpolicies - singular: networkpolicy - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - egress: - description: The ordered set of egress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with \"Not\". All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. 
\n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). 
- \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. 
\n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. 
- type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. 
Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. 
\n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. 
If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: The ordered set of ingress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with \"Not\". All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. 
Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. 
\n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. 
If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. 
- It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel's iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. 
- pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and another selector are defined on the same rule, then - only workload endpoints that are matched by both selectors - will be selected by the rule. \n For NetworkPolicy, an - empty NamespaceSelector implies that the Selector is limited - to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, `global()` - NamespaceSelector implies that the Selector is limited - to selecting only GlobalNetworkSet or HostEndpoint. \n - For GlobalNetworkPolicy, an empty NamespaceSelector implies - the Selector applies to workload endpoints across all - namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. 
Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label \"my_label\". \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label \"my_label\". - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." 
- type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - services: - description: "Services is an optional field that contains - options for matching Kubernetes Services. If specified, - only traffic that originates from or terminates at endpoints - within the selected service(s) will be matched, and only - to/from each endpoint's port. \n Services cannot be specified - on the same rule as Selector, NotSelector, NamespaceSelector, - Nets, NotNets or ServiceAccounts. \n Ports and NotPorts - can only be specified with Services on ingress rules." - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: Namespace specifies the namespace of the - given Service. If left empty, the rule will match - within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: Order is an optional field that specifies the order in - which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. 
Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". - type: number - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() - or the empty selector -> matches all endpoints. \n Label names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive but they do not support escape characters. \n Examples - (with made-up labels): \n \ttype == \"webserver\" && deployment - == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != - \"dev\" \t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - types: - description: "Types indicates whether this policy applies to ingress, - or to egress, or to both. When not explicitly specified (and so - the value on creation is empty or nil), Calico defaults Types according - to what Ingress and Egress are present in the policy. 
The default - is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including - the case where there are also no Ingress rules) \n - [ PolicyTypeEgress - ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, - PolicyTypeEgress ], if there are both Ingress and Egress rules. - \n When the policy is read back again, Types will always be one - of these values, never empty or nil." - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: networksets.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: NetworkSet - listKind: NetworkSetList - plural: networksets - singular: networkset - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: calico-kube-controllers -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - watch - - list - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - ipreservations - verbs: - - list -- apiGroups: - - crd.projectcalico.org - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - ippools - verbs: - - list - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - hostendpoints - verbs: - - get - - list - - create - - update - - delete -- apiGroups: - - crd.projectcalico.org - resources: - - clusterinformations - verbs: - - get - - list - - create - - update - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - kubecontrollersconfigurations - verbs: - - get - - create - - update - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: calico-node 
-rules: -- apiGroups: - - "" - resourceNames: - - canal - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - "" - resources: - - pods - - nodes - - namespaces - verbs: - - get -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - watch - - list -- apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - watch - - list - - get -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - update -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - watch - - list -- apiGroups: - - "" - resources: - - pods - - namespaces - - serviceaccounts - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch -- apiGroups: - - crd.projectcalico.org - resources: - - globalfelixconfigs - - felixconfigurations - - bgppeers - - globalbgpconfigs - - bgpconfigurations - - ippools - - ipreservations - - ipamblocks - - globalnetworkpolicies - - globalnetworksets - - networkpolicies - - networksets - - clusterinformations - - hostendpoints - - blockaffinities - - caliconodestatuses - verbs: - - get - - list - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - ippools - - felixconfigurations - - clusterinformations - verbs: - - create - - update -- apiGroups: - - crd.projectcalico.org - resources: - - caliconodestatuses - verbs: - - update -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - bgpconfigurations - - bgppeers - verbs: - - create - - update - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: flannel -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- 
apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: calico-kube-controllers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-kube-controllers -subjects: -- kind: ServiceAccount - name: calico-kube-controllers - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: canal-flannel -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: flannel -subjects: -- kind: ServiceAccount - name: canal - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - role.kubernetes.io/networking: "1" - name: canal-calico -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: canal - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - k8s-app: canal - role.kubernetes.io/networking: "1" - name: canal - namespace: kube-system -spec: - selector: - matchLabels: - k8s-app: canal - template: - metadata: - creationTimestamp: null - labels: - k8s-app: canal - kops.k8s.io/managed-by: kops - spec: - containers: - - env: - - name: 
DATASTORE_TYPE - value: kubernetes - - name: USE_POD_CIDR - value: "true" - - name: WAIT_FOR_DATASTORE - value: "true" - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CALICO_CNI_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: CALICO_NETWORKING_BACKEND - value: none - - name: CLUSTER_TYPE - value: k8s,canal - - name: FELIX_IPTABLESREFRESHINTERVAL - value: "60" - - name: IP - value: "" - - name: FELIX_IPINIPMTU - valueFrom: - configMapKeyRef: - key: veth_mtu - name: canal-config - - name: CALICO_DISABLE_FILE_LOGGING - value: "true" - - name: FELIX_DEFAULTENDPOINTTOHOSTACTION - value: ACCEPT - - name: FELIX_IPV6SUPPORT - value: "false" - - name: FELIX_HEALTHENABLED - value: "true" - - name: FELIX_CHAININSERTMODE - value: insert - - name: FELIX_IPTABLESBACKEND - value: Auto - - name: FELIX_LOGSEVERITYSCREEN - value: info - - name: FELIX_PROMETHEUSMETRICSENABLED - value: "false" - - name: FELIX_PROMETHEUSMETRICSPORT - value: "9091" - - name: FELIX_PROMETHEUSGOMETRICSENABLED - value: "false" - - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED - value: "false" - envFrom: - - configMapRef: - name: kubernetes-services-endpoint - optional: true - image: docker.io/calico/node:v3.25.1 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /bin/calico-node - - -shutdown - livenessProbe: - exec: - command: - - /bin/calico-node - - -felix-live - failureThreshold: 6 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 10 - name: calico-node - readinessProbe: - httpGet: - host: localhost - path: /readiness - port: 9099 - periodSeconds: 10 - timeoutSeconds: 10 - resources: - requests: - cpu: 100m - securityContext: - privileged: true - volumeMounts: - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - readOnly: false - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: 
/var/run/calico - name: var-run-calico - readOnly: false - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - - mountPath: /var/run/nodeagent - name: policysync - - mountPath: /sys/fs/bpf - name: bpffs - - mountPath: /var/log/calico/cni - name: cni-log-dir - readOnly: true - - command: - - /opt/bin/flanneld - - --ip-masq - - --kube-subnet-mgr - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: FLANNELD_IFACE - valueFrom: - configMapKeyRef: - key: canal_iface - name: canal-config - - name: FLANNELD_IP_MASQ - valueFrom: - configMapKeyRef: - key: masquerade - name: canal-config - image: quay.io/coreos/flannel:v0.15.1 - imagePullPolicy: IfNotPresent - name: kube-flannel - securityContext: - privileged: true - volumeMounts: - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /etc/kube-flannel/ - name: flannel-cfg - hostNetwork: true - initContainers: - - command: - - /opt/cni/bin/install - env: - - name: CALICO_CNI_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: CNI_CONF_NAME - value: 10-canal.conflist - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - key: cni_network_config - name: canal-config - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CNI_MTU - valueFrom: - configMapKeyRef: - key: veth_mtu - name: canal-config - - name: SLEEP - value: "false" - envFrom: - - configMapRef: - name: kubernetes-services-endpoint - optional: true - image: docker.io/calico/cni:v3.25.1 - imagePullPolicy: IfNotPresent - name: install-cni - securityContext: - privileged: true - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - command: - - calico-node - - -init - - -best-effort - image: docker.io/calico/node:v3.25.1 - imagePullPolicy: IfNotPresent 
- name: mount-bpffs - securityContext: - privileged: true - volumeMounts: - - mountPath: /sys/fs - mountPropagation: Bidirectional - name: sys-fs - - mountPath: /var/run/calico - mountPropagation: Bidirectional - name: var-run-calico - - mountPath: /nodeproc - name: nodeproc - readOnly: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-node-critical - serviceAccountName: canal - terminationGracePeriodSeconds: 0 - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - hostPath: - path: /lib/modules - name: lib-modules - - hostPath: - path: /var/run/calico - name: var-run-calico - - hostPath: - path: /var/lib/calico - name: var-lib-calico - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock - - hostPath: - path: /sys/fs/ - type: DirectoryOrCreate - name: sys-fs - - hostPath: - path: /sys/fs/bpf - type: Directory - name: bpffs - - hostPath: - path: /proc - name: nodeproc - - configMap: - name: canal-config - name: flannel-cfg - - hostPath: - path: /opt/cni/bin - name: cni-bin-dir - - hostPath: - path: /etc/cni/net.d - name: cni-net-dir - - hostPath: - path: /var/log/calico/cni - name: cni-log-dir - - hostPath: - path: /var/run/nodeagent - type: DirectoryOrCreate - name: policysync - updateStrategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.projectcalico.org.canal - app.kubernetes.io/managed-by: kops - k8s-app: calico-kube-controllers - role.kubernetes.io/networking: "1" - name: calico-kube-controllers - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers - strategy: - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - k8s-app: calico-kube-controllers - kops.k8s.io/managed-by: kops - name: 
calico-kube-controllers - namespace: kube-system - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - env: - - name: ENABLED_CONTROLLERS - value: node - - name: DATASTORE_TYPE - value: kubernetes - image: docker.io/calico/kube-controllers:v3.25.1 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/bin/check-status - - -l - failureThreshold: 6 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 10 - name: calico-kube-controllers - readinessProbe: - exec: - command: - - /usr/bin/check-status - - -r - periodSeconds: 10 - priorityClassName: system-cluster-critical - serviceAccountName: calico-kube-controllers - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-node-termination-handler.aws-k8s-1.11_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-node-termination-handler.aws-k8s-1.11_content deleted file mode 100644 index 2f9fdc6557..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-node-termination-handler.aws-k8s-1.11_content +++ /dev/null 
@@ -1,285 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - get -- apiGroups: - - "" - resources: - - pods/eviction - verbs: - - create -- apiGroups: - - extensions - resources: - - daemonsets - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - name: 
aws-node-termination-handler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aws-node-termination-handler -subjects: -- kind: ServiceAccount - name: aws-node-termination-handler - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - app.kubernetes.io/part-of: aws-node-termination-handler - app.kubernetes.io/version: v1.22.0 - k8s-addon: node-termination-handler.aws - k8s-app: aws-node-termination-handler - name: aws-node-termination-handler - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kubernetes.io/os: linux - template: - metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: deployment - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - k8s-app: aws-node-termination-handler - kops.k8s.io/managed-by: kops - kops.k8s.io/nth-mode: sqs - kubernetes.io/os: linux - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - containers: - - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ENABLE_PROBES_SERVER - value: "true" - - name: PROBES_SERVER_PORT - value: "8080" - - name: PROBES_SERVER_ENDPOINT - value: 
/healthz - - name: LOG_LEVEL - value: info - - name: JSON_LOGGING - value: "true" - - name: LOG_FORMAT_VERSION - value: "2" - - name: ENABLE_PROMETHEUS_SERVER - value: "false" - - name: PROMETHEUS_SERVER_PORT - value: "9092" - - name: CHECK_TAG_BEFORE_DRAINING - value: "true" - - name: MANAGED_TAG - value: aws-node-termination-handler/managed - - name: USE_PROVIDER_ID - value: "true" - - name: DRY_RUN - value: "false" - - name: CORDON_ONLY - value: "false" - - name: TAINT_NODE - value: "false" - - name: EXCLUDE_FROM_LOAD_BALANCERS - value: "true" - - name: DELETE_LOCAL_DATA - value: "true" - - name: IGNORE_DAEMON_SETS - value: "true" - - name: POD_TERMINATION_GRACE_PERIOD - value: "-1" - - name: NODE_TERMINATION_GRACE_PERIOD - value: "120" - - name: EMIT_KUBERNETES_EVENTS - value: "true" - - name: COMPLETE_LIFECYCLE_ACTION_DELAY_SECONDS - value: "-1" - - name: ENABLE_SQS_TERMINATION_DRAINING - value: "true" - - name: QUEUE_URL - value: https://sqs.us-test-1.amazonaws.com/123456789012/privatecanal-example-com-nth - - name: DELETE_SQS_MSG_IF_NODE_NOT_FOUND - value: "false" - - name: WORKERS - value: "10" - image: public.ecr.aws/aws-ec2/aws-node-termination-handler:v1.22.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - name: aws-node-termination-handler - ports: - - containerPort: 8080 - name: liveness-probe - protocol: TCP - - containerPort: 9092 - name: metrics - protocol: TCP - resources: - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - hostNetwork: true - nodeSelector: null - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1000 - serviceAccountName: aws-node-termination-handler - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - 
topologySpreadConstraints: - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - ---- - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: node-termination-handler.aws - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: aws-node-termination-handler - k8s-addon: node-termination-handler.aws - name: aws-node-termination-handler - namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/instance: aws-node-termination-handler - app.kubernetes.io/name: aws-node-termination-handler - kops.k8s.io/nth-mode: sqs diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content deleted file mode 100644 index bea3e88be3..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content +++ /dev/null 
@@ -1,118 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: default -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: gp2 -parameters: - type: gp2 -provisioner: kubernetes.io/aws-ebs - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "false" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-ssd-1-17 -parameters: - encrypted: "true" - type: gp2 -provisioner: kubernetes.io/aws-ebs -volumeBindingMode: WaitForFirstConsumer - ---- - -allowVolumeExpansion: true -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - annotations: - storageclass.kubernetes.io/is-default-class: "true" - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: kops-csi-1-21 -parameters: - encrypted: "true" - type: gp3 -provisioner: ebs.csi.aws.com -volumeBindingMode: WaitForFirstConsumer - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - 
list - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: storage-aws.addons.k8s.io - app.kubernetes.io/managed-by: kops - k8s-addon: storage-aws.addons.k8s.io - name: system:aws-cloud-provider -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:aws-cloud-provider -subjects: -- kind: ServiceAccount - name: aws-cloud-provider - namespace: kube-system diff --git a/tests/integration/update_cluster/privatecanal/data/aws_sqs_queue_privatecanal-example-com-nth_policy b/tests/integration/update_cluster/privatecanal/data/aws_sqs_queue_privatecanal-example-com-nth_policy deleted file mode 100644 index eda203bd81..0000000000 --- a/tests/integration/update_cluster/privatecanal/data/aws_sqs_queue_privatecanal-example-com-nth_policy +++ /dev/null @@ -1,16 +0,0 @@ -{ - "Statement": [ - { - "Action": "sqs:SendMessage", - "Effect": "Allow", - "Principal": { - "Service": [ - "events.amazonaws.com", - "sqs.amazonaws.com" - ] - }, - "Resource": "arn:aws-test:sqs:us-test-1:123456789012:privatecanal-example-com-nth" - } - ], - "Version": "2012-10-17" -} diff --git a/tests/integration/update_cluster/privatecanal/id_rsa.pub b/tests/integration/update_cluster/privatecanal/id_rsa.pub deleted file mode 100755 index 81cb012783..0000000000 --- a/tests/integration/update_cluster/privatecanal/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ== diff --git a/tests/integration/update_cluster/privatecanal/in-v1alpha2.yaml b/tests/integration/update_cluster/privatecanal/in-v1alpha2.yaml deleted file mode 100644 index 0198ce593e..0000000000 
--- a/tests/integration/update_cluster/privatecanal/in-v1alpha2.yaml
+++ /dev/null
@@ -1,98 +0,0 @@ -apiVersion: kops.k8s.io/v1alpha2 -kind: Cluster -metadata: - creationTimestamp: "2016-12-12T04:13:14Z" - name: privatecanal.example.com -spec: - kubernetesApiAccess: - - 0.0.0.0/0 - channel: stable - cloudProvider: aws - configBase: memfs://clusters.example.com/privatecanal.example.com - etcdClusters: - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: main - - etcdMembers: - - instanceGroup: master-us-test-1a - name: us-test-1a - name: events - iam: {} - kubelet: - anonymousAuth: false - kubernetesVersion: v1.27.0 - masterPublicName: api.privatecanal.example.com - networkCIDR: 172.20.0.0/16 - networking: - canal: {} - nonMasqueradeCIDR: 100.64.0.0/10 - sshAccess: - - 0.0.0.0/0 - subnets: - - cidr: 172.20.32.0/19 - name: us-test-1a - type: Private - zone: us-test-1a - - cidr: 172.20.4.0/22 - name: utility-us-test-1a - type: Utility - zone: us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-12T04:13:15Z" - name: master-us-test-1a - labels: - kops.k8s.io/cluster: privatecanal.example.com -spec: - associatePublicIp: true - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - machineType: m3.medium - maxSize: 1 - minSize: 1 - role: Master - subnets: - - us-test-1a - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-12T04:13:15Z" - name: nodes - labels: - kops.k8s.io/cluster: privatecanal.example.com -spec: - associatePublicIp: true - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - machineType: t2.medium - maxSize: 2 - minSize: 2 - role: Node - subnets: - - us-test-1a - - ---- - -apiVersion: kops.k8s.io/v1alpha2 -kind: InstanceGroup -metadata: - creationTimestamp: "2016-12-14T15:32:41Z" - name: bastion - labels: - kops.k8s.io/cluster: privatecanal.example.com -spec: - associatePublicIp: true - image: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220404 - 
machineType: t2.micro - maxSize: 1 - minSize: 1 - role: Bastion - subnets: - - utility-us-test-1a diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf deleted file mode 100644 index 606872094b..0000000000 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ /dev/null 
@@ -1,1467 +0,0 @@ -locals { - bastion_autoscaling_group_ids = [aws_autoscaling_group.bastion-privatecanal-example-com.id] - bastion_security_group_ids = [aws_security_group.bastion-privatecanal-example-com.id] - bastions_role_arn = aws_iam_role.bastions-privatecanal-example-com.arn - bastions_role_name = aws_iam_role.bastions-privatecanal-example-com.name - cluster_name = "privatecanal.example.com" - master_autoscaling_group_ids = [aws_autoscaling_group.master-us-test-1a-masters-privatecanal-example-com.id] - master_security_group_ids = [aws_security_group.masters-privatecanal-example-com.id] - masters_role_arn = aws_iam_role.masters-privatecanal-example-com.arn - masters_role_name = aws_iam_role.masters-privatecanal-example-com.name - node_autoscaling_group_ids = [aws_autoscaling_group.nodes-privatecanal-example-com.id] - node_security_group_ids = [aws_security_group.nodes-privatecanal-example-com.id] - node_subnet_ids = [aws_subnet.us-test-1a-privatecanal-example-com.id] - nodes_role_arn = aws_iam_role.nodes-privatecanal-example-com.arn - nodes_role_name = aws_iam_role.nodes-privatecanal-example-com.name - region = "us-test-1" - route_table_private-us-test-1a_id = aws_route_table.private-us-test-1a-privatecanal-example-com.id - route_table_public_id = aws_route_table.privatecanal-example-com.id - subnet_us-test-1a_id = aws_subnet.us-test-1a-privatecanal-example-com.id - subnet_utility-us-test-1a_id = aws_subnet.utility-us-test-1a-privatecanal-example-com.id - vpc_cidr_block = aws_vpc.privatecanal-example-com.cidr_block - vpc_id = aws_vpc.privatecanal-example-com.id - vpc_ipv6_cidr_block = aws_vpc.privatecanal-example-com.ipv6_cidr_block - vpc_ipv6_cidr_length = local.vpc_ipv6_cidr_block == "" ? 
null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -output "bastion_autoscaling_group_ids" { - value = [aws_autoscaling_group.bastion-privatecanal-example-com.id] -} - -output "bastion_security_group_ids" { - value = [aws_security_group.bastion-privatecanal-example-com.id] -} - -output "bastions_role_arn" { - value = aws_iam_role.bastions-privatecanal-example-com.arn -} - -output "bastions_role_name" { - value = aws_iam_role.bastions-privatecanal-example-com.name -} - -output "cluster_name" { - value = "privatecanal.example.com" -} - -output "master_autoscaling_group_ids" { - value = [aws_autoscaling_group.master-us-test-1a-masters-privatecanal-example-com.id] -} - -output "master_security_group_ids" { - value = [aws_security_group.masters-privatecanal-example-com.id] -} - -output "masters_role_arn" { - value = aws_iam_role.masters-privatecanal-example-com.arn -} - -output "masters_role_name" { - value = aws_iam_role.masters-privatecanal-example-com.name -} - -output "node_autoscaling_group_ids" { - value = [aws_autoscaling_group.nodes-privatecanal-example-com.id] -} - -output "node_security_group_ids" { - value = [aws_security_group.nodes-privatecanal-example-com.id] -} - -output "node_subnet_ids" { - value = [aws_subnet.us-test-1a-privatecanal-example-com.id] -} - -output "nodes_role_arn" { - value = aws_iam_role.nodes-privatecanal-example-com.arn -} - -output "nodes_role_name" { - value = aws_iam_role.nodes-privatecanal-example-com.name -} - -output "region" { - value = "us-test-1" -} - -output "route_table_private-us-test-1a_id" { - value = aws_route_table.private-us-test-1a-privatecanal-example-com.id -} - -output "route_table_public_id" { - value = aws_route_table.privatecanal-example-com.id -} - -output "subnet_us-test-1a_id" { - value = aws_subnet.us-test-1a-privatecanal-example-com.id -} - -output "subnet_utility-us-test-1a_id" { - value = aws_subnet.utility-us-test-1a-privatecanal-example-com.id -} - -output "vpc_cidr_block" { - value 
= aws_vpc.privatecanal-example-com.cidr_block -} - -output "vpc_id" { - value = aws_vpc.privatecanal-example-com.id -} - -output "vpc_ipv6_cidr_block" { - value = aws_vpc.privatecanal-example-com.ipv6_cidr_block -} - -output "vpc_ipv6_cidr_length" { - value = local.vpc_ipv6_cidr_block == "" ? null : tonumber(regex(".*/(\\d+)", local.vpc_ipv6_cidr_block)[0]) -} - -provider "aws" { - region = "us-test-1" -} - -provider "aws" { - alias = "files" - region = "us-test-1" -} - -resource "aws_autoscaling_group" "bastion-privatecanal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.bastion-privatecanal-example-com.id - version = aws_launch_template.bastion-privatecanal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "bastion.privatecanal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "privatecanal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "bastion.privatecanal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/bastion" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "bastion" - } - tag { - key = "kubernetes.io/cluster/privatecanal.example.com" - propagate_at_launch = true - value = "owned" - } - target_group_arns = [aws_lb_target_group.bastion-privatecanal-exam-hmhsp5.id] - vpc_zone_identifier = [aws_subnet.utility-us-test-1a-privatecanal-example-com.id] -} - -resource "aws_autoscaling_group" "master-us-test-1a-masters-privatecanal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", 
"GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.master-us-test-1a-masters-privatecanal-example-com.id - version = aws_launch_template.master-us-test-1a-masters-privatecanal-example-com.latest_version - } - load_balancers = [aws_elb.api-privatecanal-example-com.id] - max_instance_lifetime = 0 - max_size = 1 - metrics_granularity = "1Minute" - min_size = 1 - name = "master-us-test-1a.masters.privatecanal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "privatecanal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "master-us-test-1a.masters.privatecanal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/control-plane" - propagate_at_launch = true - value = "1" - } - tag { - key = "k8s.io/role/master" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "master-us-test-1a" - } - tag { - key = "kubernetes.io/cluster/privatecanal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-privatecanal-example-com.id] -} - -resource "aws_autoscaling_group" "nodes-privatecanal-example-com" { - enabled_metrics = ["GroupDesiredCapacity", 
"GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances"] - launch_template { - id = aws_launch_template.nodes-privatecanal-example-com.id - version = aws_launch_template.nodes-privatecanal-example-com.latest_version - } - max_instance_lifetime = 0 - max_size = 2 - metrics_granularity = "1Minute" - min_size = 2 - name = "nodes.privatecanal.example.com" - protect_from_scale_in = false - tag { - key = "KubernetesCluster" - propagate_at_launch = true - value = "privatecanal.example.com" - } - tag { - key = "Name" - propagate_at_launch = true - value = "nodes.privatecanal.example.com" - } - tag { - key = "aws-node-termination-handler/managed" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" - propagate_at_launch = true - value = "" - } - tag { - key = "k8s.io/role/node" - propagate_at_launch = true - value = "1" - } - tag { - key = "kops.k8s.io/instancegroup" - propagate_at_launch = true - value = "nodes" - } - tag { - key = "kubernetes.io/cluster/privatecanal.example.com" - propagate_at_launch = true - value = "owned" - } - vpc_zone_identifier = [aws_subnet.us-test-1a-privatecanal-example-com.id] -} - -resource "aws_autoscaling_lifecycle_hook" "bastion-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.bastion-privatecanal-example-com.id - default_result = "CONTINUE" - heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "bastion-NTHLifecycleHook" -} - -resource "aws_autoscaling_lifecycle_hook" "master-us-test-1a-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.master-us-test-1a-masters-privatecanal-example-com.id - default_result = "CONTINUE" - heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "master-us-test-1a-NTHLifecycleHook" -} - -resource 
"aws_autoscaling_lifecycle_hook" "nodes-NTHLifecycleHook" { - autoscaling_group_name = aws_autoscaling_group.nodes-privatecanal-example-com.id - default_result = "CONTINUE" - heartbeat_timeout = 300 - lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" - name = "nodes-NTHLifecycleHook" -} - -resource "aws_cloudwatch_event_rule" "privatecanal-example-com-ASGLifecycle" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_privatecanal.example.com-ASGLifecycle_event_pattern") - name = "privatecanal.example.com-ASGLifecycle" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com-ASGLifecycle" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "privatecanal-example-com-InstanceScheduledChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceScheduledChange_event_pattern") - name = "privatecanal.example.com-InstanceScheduledChange" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com-InstanceScheduledChange" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "privatecanal-example-com-InstanceStateChange" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_privatecanal.example.com-InstanceStateChange_event_pattern") - name = "privatecanal.example.com-InstanceStateChange" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com-InstanceStateChange" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_rule" "privatecanal-example-com-SpotInterruption" { - event_pattern = file("${path.module}/data/aws_cloudwatch_event_rule_privatecanal.example.com-SpotInterruption_event_pattern") - name = "privatecanal.example.com-SpotInterruption" - tags = { - "KubernetesCluster" = 
"privatecanal.example.com" - "Name" = "privatecanal.example.com-SpotInterruption" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_cloudwatch_event_target" "privatecanal-example-com-ASGLifecycle-Target" { - arn = aws_sqs_queue.privatecanal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.privatecanal-example-com-ASGLifecycle.id -} - -resource "aws_cloudwatch_event_target" "privatecanal-example-com-InstanceScheduledChange-Target" { - arn = aws_sqs_queue.privatecanal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.privatecanal-example-com-InstanceScheduledChange.id -} - -resource "aws_cloudwatch_event_target" "privatecanal-example-com-InstanceStateChange-Target" { - arn = aws_sqs_queue.privatecanal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.privatecanal-example-com-InstanceStateChange.id -} - -resource "aws_cloudwatch_event_target" "privatecanal-example-com-SpotInterruption-Target" { - arn = aws_sqs_queue.privatecanal-example-com-nth.arn - rule = aws_cloudwatch_event_rule.privatecanal-example-com-SpotInterruption.id -} - -resource "aws_ebs_volume" "us-test-1a-etcd-events-privatecanal-example-com" { - availability_zone = "us-test-1a" - encrypted = false - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "us-test-1a.etcd-events.privatecanal.example.com" - "k8s.io/etcd/events" = "us-test-1a/us-test-1a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_ebs_volume" "us-test-1a-etcd-main-privatecanal-example-com" { - availability_zone = "us-test-1a" - encrypted = false - iops = 3000 - size = 20 - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "us-test-1a.etcd-main.privatecanal.example.com" - "k8s.io/etcd/main" = "us-test-1a/us-test-1a" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - 
"kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - throughput = 125 - type = "gp3" -} - -resource "aws_eip" "us-test-1a-privatecanal-example-com" { - domain = "vpc" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "us-test-1a.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_elb" "api-privatecanal-example-com" { - connection_draining = true - connection_draining_timeout = 300 - cross_zone_load_balancing = false - health_check { - healthy_threshold = 2 - interval = 10 - target = "SSL:443" - timeout = 5 - unhealthy_threshold = 2 - } - idle_timeout = 300 - listener { - instance_port = 443 - instance_protocol = "TCP" - lb_port = 443 - lb_protocol = "TCP" - } - name = "api-privatecanal-example--6tql53" - security_groups = [aws_security_group.api-elb-privatecanal-example-com.id] - subnets = [aws_subnet.utility-us-test-1a-privatecanal-example-com.id] - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "api.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_instance_profile" "bastions-privatecanal-example-com" { - name = "bastions.privatecanal.example.com" - role = aws_iam_role.bastions-privatecanal-example-com.name - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastions.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_instance_profile" "masters-privatecanal-example-com" { - name = "masters.privatecanal.example.com" - role = aws_iam_role.masters-privatecanal-example-com.name - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "masters.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_instance_profile" "nodes-privatecanal-example-com" { - name = "nodes.privatecanal.example.com" - role = 
aws_iam_role.nodes-privatecanal-example-com.name - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_role" "bastions-privatecanal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatecanal.example.com_policy") - name = "bastions.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastions.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_role" "masters-privatecanal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatecanal.example.com_policy") - name = "masters.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "masters.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_role" "nodes-privatecanal-example-com" { - assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatecanal.example.com_policy") - name = "nodes.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_iam_role_policy" "bastions-privatecanal-example-com" { - name = "bastions.privatecanal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_bastions.privatecanal.example.com_policy") - role = aws_iam_role.bastions-privatecanal-example-com.name -} - -resource "aws_iam_role_policy" "masters-privatecanal-example-com" { - name = "masters.privatecanal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_masters.privatecanal.example.com_policy") - role = aws_iam_role.masters-privatecanal-example-com.name -} - -resource "aws_iam_role_policy" 
"nodes-privatecanal-example-com" { - name = "nodes.privatecanal.example.com" - policy = file("${path.module}/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy") - role = aws_iam_role.nodes-privatecanal-example-com.name -} - -resource "aws_internet_gateway" "privatecanal-example-com" { - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_key_pair" "kubernetes-privatecanal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { - key_name = "kubernetes.privatecanal.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57" - public_key = file("${path.module}/data/aws_key_pair_kubernetes.privatecanal.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key") - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_launch_template" "bastion-privatecanal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 32 - volume_type = "gp3" - } - } - iam_instance_profile { - name = aws_iam_instance_profile.bastions-privatecanal-example-com.id - } - image_id = "ami-12345678" - instance_type = "t2.micro" - key_name = aws_key_pair.kubernetes-privatecanal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 1 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "bastion.privatecanal.example.com" - network_interfaces { - associate_public_ip_address = true - delete_on_termination = true - ipv6_address_count = 0 - security_groups = 
[aws_security_group.bastion-privatecanal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/role/bastion" = "1" - "kops.k8s.io/instancegroup" = "bastion" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/role/bastion" = "1" - "kops.k8s.io/instancegroup" = "bastion" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/role/bastion" = "1" - "kops.k8s.io/instancegroup" = "bastion" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_launch_template" "master-us-test-1a-masters-privatecanal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 64 - volume_type = "gp3" - } - } - block_device_mappings { - device_name = "/dev/sdc" - virtual_name = "ephemeral0" - } - iam_instance_profile { - name = aws_iam_instance_profile.masters-privatecanal-example-com.id - } - image_id = "ami-12345678" - instance_type = "m3.medium" - key_name = aws_key_pair.kubernetes-privatecanal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 1 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "master-us-test-1a.masters.privatecanal.example.com" - network_interfaces { - 
associate_public_ip_address = false - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.masters-privatecanal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "master-us-test-1a.masters.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "master-us-test-1a.masters.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "master-us-test-1a.masters.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane" = "" - 
"k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = "" - "k8s.io/role/control-plane" = "1" - "k8s.io/role/master" = "1" - "kops.k8s.io/instancegroup" = "master-us-test-1a" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - user_data = filebase64("${path.module}/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data") -} - -resource "aws_launch_template" "nodes-privatecanal-example-com" { - block_device_mappings { - device_name = "/dev/xvda" - ebs { - delete_on_termination = true - encrypted = true - iops = 3000 - throughput = 125 - volume_size = 128 - volume_type = "gp3" - } - } - iam_instance_profile { - name = aws_iam_instance_profile.nodes-privatecanal-example-com.id - } - image_id = "ami-12345678" - instance_type = "t2.medium" - key_name = aws_key_pair.kubernetes-privatecanal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id - lifecycle { - create_before_destroy = true - } - metadata_options { - http_endpoint = "enabled" - http_protocol_ipv6 = "disabled" - http_put_response_hop_limit = 1 - http_tokens = "required" - } - monitoring { - enabled = false - } - name = "nodes.privatecanal.example.com" - network_interfaces { - associate_public_ip_address = false - delete_on_termination = true - ipv6_address_count = 0 - security_groups = [aws_security_group.nodes-privatecanal-example-com.id] - } - tag_specifications { - resource_type = "instance" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tag_specifications { - resource_type = "volume" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - 
"aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - } - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - "aws-node-termination-handler/managed" = "" - "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = "" - "k8s.io/role/node" = "1" - "kops.k8s.io/instancegroup" = "nodes" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - user_data = filebase64("${path.module}/data/aws_launch_template_nodes.privatecanal.example.com_user_data") -} - -resource "aws_lb" "bastion-privatecanal-example-com" { - enable_cross_zone_load_balancing = false - internal = false - load_balancer_type = "network" - name = "bastion-privatecanal-exam-hmhsp5" - security_groups = [aws_security_group.bastion-elb-privatecanal-example-com.id] - subnet_mapping { - subnet_id = aws_subnet.utility-us-test-1a-privatecanal-example-com.id - } - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_lb_listener" "bastion-privatecanal-example-com-22" { - default_action { - target_group_arn = aws_lb_target_group.bastion-privatecanal-exam-hmhsp5.id - type = "forward" - } - load_balancer_arn = aws_lb.bastion-privatecanal-example-com.id - port = 22 - protocol = "TCP" -} - -resource "aws_lb_target_group" "bastion-privatecanal-exam-hmhsp5" { - connection_termination = "true" - deregistration_delay = "30" - health_check { - healthy_threshold = 2 - interval = 10 - protocol = "TCP" - unhealthy_threshold = 2 - } - name = "bastion-privatecanal-exam-hmhsp5" - port = 22 - protocol = "TCP" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = 
"bastion-privatecanal-exam-hmhsp5" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_nat_gateway" "us-test-1a-privatecanal-example-com" { - allocation_id = aws_eip.us-test-1a-privatecanal-example-com.id - subnet_id = aws_subnet.utility-us-test-1a-privatecanal-example-com.id - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "us-test-1a.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_route" "route-0-0-0-0--0" { - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.privatecanal-example-com.id - route_table_id = aws_route_table.privatecanal-example-com.id -} - -resource "aws_route" "route-__--0" { - destination_ipv6_cidr_block = "::/0" - gateway_id = aws_internet_gateway.privatecanal-example-com.id - route_table_id = aws_route_table.privatecanal-example-com.id -} - -resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { - destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = aws_nat_gateway.us-test-1a-privatecanal-example-com.id - route_table_id = aws_route_table.private-us-test-1a-privatecanal-example-com.id -} - -resource "aws_route53_record" "api-privatecanal-example-com" { - alias { - evaluate_target_health = false - name = aws_elb.api-privatecanal-example-com.dns_name - zone_id = aws_elb.api-privatecanal-example-com.zone_id - } - name = "api.privatecanal.example.com" - type = "A" - zone_id = "/hostedzone/Z1AFAKE1ZON3YO" -} - -resource "aws_route53_record" "api-privatecanal-example-com-AAAA" { - alias { - evaluate_target_health = false - name = aws_elb.api-privatecanal-example-com.dns_name - zone_id = aws_elb.api-privatecanal-example-com.zone_id - } - name = "api.privatecanal.example.com" - type = "AAAA" - zone_id = "/hostedzone/Z1AFAKE1ZON3YO" -} - -resource "aws_route_table" "private-us-test-1a-privatecanal-example-com" { - tags = { - "KubernetesCluster" = 
"privatecanal.example.com" - "Name" = "private-us-test-1a.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - "kubernetes.io/kops/role" = "private-us-test-1a" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_route_table" "privatecanal-example-com" { - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - "kubernetes.io/kops/role" = "public" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_route_table_association" "private-us-test-1a-privatecanal-example-com" { - route_table_id = aws_route_table.private-us-test-1a-privatecanal-example-com.id - subnet_id = aws_subnet.us-test-1a-privatecanal-example-com.id -} - -resource "aws_route_table_association" "utility-us-test-1a-privatecanal-example-com" { - route_table_id = aws_route_table.privatecanal-example-com.id - subnet_id = aws_subnet.utility-us-test-1a-privatecanal-example-com.id -} - -resource "aws_s3_object" "cluster-completed-spec" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_cluster-completed.spec_content") - key = "clusters.example.com/privatecanal.example.com/cluster-completed.spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-events" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_etcd-cluster-spec-events_content") - key = "clusters.example.com/privatecanal.example.com/backups/etcd/events/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "etcd-cluster-spec-main" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_etcd-cluster-spec-main_content") - key = "clusters.example.com/privatecanal.example.com/backups/etcd/main/control/etcd-cluster-spec" - provider = aws.files - server_side_encryption = "AES256" 
-} - -resource "aws_s3_object" "kops-version-txt" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_kops-version.txt_content") - key = "clusters.example.com/privatecanal.example.com/kops-version.txt" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-events-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-events-master-us-test-1a_content") - key = "clusters.example.com/privatecanal.example.com/manifests/etcd/events-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-etcdmanager-main-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-etcdmanager-main-master-us-test-1a_content") - key = "clusters.example.com/privatecanal.example.com/manifests/etcd/main-master-us-test-1a.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "manifests-static-kube-apiserver-healthcheck" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_manifests-static-kube-apiserver-healthcheck_content") - key = "clusters.example.com/privatecanal.example.com/manifests/static/kube-apiserver-healthcheck.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "nodeupconfig-master-us-test-1a" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_nodeupconfig-master-us-test-1a_content") - key = "clusters.example.com/privatecanal.example.com/igconfig/control-plane/master-us-test-1a/nodeupconfig.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "nodeupconfig-nodes" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_nodeupconfig-nodes_content") - key = 
"clusters.example.com/privatecanal.example.com/igconfig/node/nodes/nodeupconfig.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-aws-cloud-controller-addons-k8s-io-k8s-1-18" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content") - key = "clusters.example.com/privatecanal.example.com/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-aws-ebs-csi-driver-addons-k8s-io-k8s-1-17" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content") - key = "clusters.example.com/privatecanal.example.com/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-bootstrap" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content") - key = "clusters.example.com/privatecanal.example.com/addons/bootstrap-channel.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-coredns-addons-k8s-io-k8s-1-12" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-coredns.addons.k8s.io-k8s-1.12_content") - key = "clusters.example.com/privatecanal.example.com/addons/coredns.addons.k8s.io/k8s-1.12.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-dns-controller-addons-k8s-io-k8s-1-12" { - bucket = "testingBucket" - content = 
file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-dns-controller.addons.k8s.io-k8s-1.12_content") - key = "clusters.example.com/privatecanal.example.com/addons/dns-controller.addons.k8s.io/k8s-1.12.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-kops-controller-addons-k8s-io-k8s-1-16" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content") - key = "clusters.example.com/privatecanal.example.com/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-kubelet-api-rbac-addons-k8s-io-k8s-1-9" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-kubelet-api.rbac.addons.k8s.io-k8s-1.9_content") - key = "clusters.example.com/privatecanal.example.com/addons/kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-limit-range-addons-k8s-io" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-limit-range.addons.k8s.io_content") - key = "clusters.example.com/privatecanal.example.com/addons/limit-range.addons.k8s.io/v1.5.0.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-networking-projectcalico-org-canal-k8s-1-25" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.25_content") - key = "clusters.example.com/privatecanal.example.com/addons/networking.projectcalico.org.canal/k8s-1.25.yaml" - provider = aws.files - server_side_encryption = "AES256" -} 
- -resource "aws_s3_object" "privatecanal-example-com-addons-node-termination-handler-aws-k8s-1-11" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-node-termination-handler.aws-k8s-1.11_content") - key = "clusters.example.com/privatecanal.example.com/addons/node-termination-handler.aws/k8s-1.11.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_s3_object" "privatecanal-example-com-addons-storage-aws-addons-k8s-io-v1-15-0" { - bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_object_privatecanal.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content") - key = "clusters.example.com/privatecanal.example.com/addons/storage-aws.addons.k8s.io/v1.15.0.yaml" - provider = aws.files - server_side_encryption = "AES256" -} - -resource "aws_security_group" "api-elb-privatecanal-example-com" { - description = "Security group for api ELB" - name = "api-elb.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "api-elb.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_security_group" "bastion-elb-privatecanal-example-com" { - description = "Security group for bastion ELB" - name = "bastion-elb.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion-elb.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_security_group" "bastion-privatecanal-example-com" { - description = "Security group for bastion" - name = "bastion.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "bastion.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = 
aws_vpc.privatecanal-example-com.id -} - -resource "aws_security_group" "masters-privatecanal-example-com" { - description = "Security group for masters" - name = "masters.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "masters.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_security_group" "nodes-privatecanal-example-com" { - description = "Security group for nodes" - name = "nodes.privatecanal.example.com" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "nodes.privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecanal-example-com" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatecanal-example-com" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 443 - type = "ingress" -} - -resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecanal-example-com" { - cidr_blocks = ["172.20.4.0/22"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-api-elb-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource 
"aws_security_group_rule" "from-api-elb-privatecanal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-ingress-icmp-3to4-bastion-privatecanal-example-com" { - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-ingress-tcp-22to22-bastion-privatecanal-example-com" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-egress-all-0to0-__--0" { - from_port = 0 - 
ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-icmp-3to4-bastion-elb-privatecanal-example-com" { - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-tcp-22to22-masters-privatecanal-example-com" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-tcp-22to22-nodes-privatecanal-example-com" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "from-masters-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-masters-privatecanal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-masters-privatecanal-example-com-ingress-all-0to0-masters-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - 
security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-masters-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - source_security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-egress-all-0to0-__--0" { - from_port = 0 - ipv6_cidr_blocks = ["::/0"] - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-tcp-1to2379-masters-privatecanal-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-tcp-2382to4000-masters-privatecanal-example-com" { - from_port = 2382 - protocol = "tcp" - 
security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-tcp-4003to65535-masters-privatecanal-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-udp-1to65535-masters-privatecanal-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "https-elb-to-master" { - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 443 - type = "ingress" -} - -resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - source_security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = 
aws_security_group.api-elb-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" { - cidr_blocks = ["172.20.4.0/22"] - from_port = 3 - protocol = "icmp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 4 - type = "ingress" -} - -resource "aws_sqs_queue" "privatecanal-example-com-nth" { - message_retention_seconds = 300 - name = "privatecanal-example-com-nth" - policy = file("${path.module}/data/aws_sqs_queue_privatecanal-example-com-nth_policy") - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal-example-com-nth" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_subnet" "us-test-1a-privatecanal-example-com" { - availability_zone = "us-test-1a" - cidr_block = "172.20.32.0/19" - enable_resource_name_dns_a_record_on_launch = true - private_dns_hostname_type_on_launch = "resource-name" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "us-test-1a.privatecanal.example.com" - "SubnetType" = "Private" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - "kubernetes.io/role/internal-elb" = "1" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_subnet" "utility-us-test-1a-privatecanal-example-com" { - availability_zone = "us-test-1a" - cidr_block = "172.20.4.0/22" - enable_resource_name_dns_a_record_on_launch = true - private_dns_hostname_type_on_launch = "resource-name" - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "utility-us-test-1a.privatecanal.example.com" - "SubnetType" = "Utility" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - 
"kubernetes.io/role/elb" = "1" - } - vpc_id = aws_vpc.privatecanal-example-com.id -} - -resource "aws_vpc" "privatecanal-example-com" { - assign_generated_ipv6_cidr_block = true - cidr_block = "172.20.0.0/16" - enable_dns_hostnames = true - enable_dns_support = true - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_vpc_dhcp_options" "privatecanal-example-com" { - domain_name = "us-test-1.compute.internal" - domain_name_servers = ["AmazonProvidedDNS"] - tags = { - "KubernetesCluster" = "privatecanal.example.com" - "Name" = "privatecanal.example.com" - "kubernetes.io/cluster/privatecanal.example.com" = "owned" - } -} - -resource "aws_vpc_dhcp_options_association" "privatecanal-example-com" { - dhcp_options_id = aws_vpc_dhcp_options.privatecanal-example-com.id - vpc_id = aws_vpc.privatecanal-example-com.id -} - -terraform { - required_version = ">= 0.15.0" - required_providers { - aws = { - "configuration_aliases" = [aws.files] - "source" = "hashicorp/aws" - "version" = ">= 5.0.0" - } - } -} diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go index c81b2d9574..f53e04cd5b 100644 --- a/upup/pkg/fi/cloudup/apply_cluster.go +++ b/upup/pkg/fi/cloudup/apply_cluster.go @@ -72,9 +72,9 @@ const ( starline = "*********************************************************************************" // OldestSupportedKubernetesVersion is the oldest kubernetes version that is supported in kOps. - OldestSupportedKubernetesVersion = "1.27.0" + OldestSupportedKubernetesVersion = "1.29.0" // OldestRecommendedKubernetesVersion is the oldest kubernetes version that is not deprecated in kOps. - OldestRecommendedKubernetesVersion = "1.29.0" + OldestRecommendedKubernetesVersion = "1.31.0" ) // TerraformCloudProviders is the list of cloud providers with terraform target support 
diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go
index 133e612db9..b52f642047 100644
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@@ -937,12 +937,6 @@ func setupControlPlane(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubne
 g.Spec.Zones = []string{zone}
 }
 
- if cluster.IsKubernetesLT("1.27") && cloudProvider == api.CloudProviderAWS {
- g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
- HTTPTokens: fi.PtrTo("required"),
- }
- }
-
 for i, size := range opt.ControlPlaneSizes {
 if i == 0 {
 g.Spec.MachineType = size
@@ -1117,15 +1111,6 @@ func setupNodes(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnetsMap m
 g.Spec.Zones = []string{zone}
 }
 
- if cluster.IsKubernetesLT("1.27") {
- if cloudProvider == api.CloudProviderAWS {
- g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
- HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
- HTTPTokens: fi.PtrTo("required"),
- }
- }
- }
-
 if cloudProvider == api.CloudProviderGCE {
 if g.Spec.NodeLabels == nil {
 g.Spec.NodeLabels = make(map[string]string)
@@ -1161,13 +1146,6 @@ func setupKarpenterNodes(cluster *api.Cluster) ([]*api.InstanceGroup, error) {
 g.Spec.Manager = api.InstanceManagerKarpenter
 g.ObjectMeta.Name = "nodes"
 
- if cluster.IsKubernetesLT("1.27") {
- g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
- HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
- HTTPTokens: fi.PtrTo("required"),
- }
- }
-
 return []*api.InstanceGroup{g}, nil
 }
 
@@ -1210,15 +1188,6 @@ func setupAPIServers(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubnets
 g.Spec.Zones = []string{zone}
 }
 
- if cluster.IsKubernetesLT("1.27") {
- if cloudProvider == api.CloudProviderAWS {
- g.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
- HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
- HTTPTokens: fi.PtrTo("required"),
- }
- }
- }
-
 nodes = append(nodes, g)
 }
 
@@ -1406,15 +1375,6 @@ func setupTopology(opt *NewClusterOptions, cluster *api.Cluster, allZones sets.S
 bastionGroup.Spec.Zones = allZones.List()
 }
 
- if cluster.IsKubernetesLT("1.27") {
- if cluster.GetCloudProvider() == api.CloudProviderAWS {
- bastionGroup.Spec.InstanceMetadata = &api.InstanceMetadataOptions{
- HTTPPutResponseHopLimit: fi.PtrTo(int64(1)),
- HTTPTokens: fi.PtrTo("required"),
- }
- }
- }
-
 bastionGroup.Spec.Image = opt.BastionImage
 }