Add version logic to UseServiceAccountIAM

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-09-08 10:32:28 -04:00 · 2020-09-08 10:32:28 -04:00 · d8895c57ec
parent a61ecf4c58
commit d8895c57ec
3 changed files with 14 additions and 18 deletions
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@ -411,5 +411,5 @@ func (m *KopsModelContext) NodePortRange() (utilnet.PortRange, error) {

 // UseServiceAccountIAM returns true if we are using service-account bound IAM roles.
 func (m *KopsModelContext) UseServiceAccountIAM() bool {
-	return featureflag.UseServiceAccountIAM.Enabled()
+	return featureflag.UseServiceAccountIAM.Enabled() && m.IsKubernetesGTE("1.12")
 }
--- a/pkg/model/iam.go
+++ b/pkg/model/iam.go
@ -160,6 +160,7 @@ func (b *IAMModelBuilder) buildIAMRolePolicy(role iam.Subject, iamName string, i
 			Cluster:              b.Cluster,
 			Role:                 role,
 			Region:               b.Region,
+			UseServiceAccountIAM: b.UseServiceAccountIAM(),
 		},
 	}

--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -37,7 +37,6 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
-	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/util/stringorslice"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
@ -113,6 +112,7 @@ type PolicyBuilder struct {
 	Region               string
 	ResourceARN          *string
 	Role                 Subject
+	UseServiceAccountIAM bool
 }

 // BuildAWSPolicy builds a set of IAM policy statements based on the
@ -157,7 +157,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys), b.Cluster.Spec.IAM.Legacy)
 	}

-	if !b.UseServiceAccountIAM() {
+	if !b.UseServiceAccountIAM {
 		if b.Cluster.Spec.IAM.Legacy {
 			addLegacyDNSControllerPermissions(b, p)
 		}
@ -198,7 +198,7 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
 	}

-	if !b.UseServiceAccountIAM() && b.Cluster.Spec.IAM.Legacy {
+	if !b.UseServiceAccountIAM && b.Cluster.Spec.IAM.Legacy {
 		addLegacyDNSControllerPermissions(b, p)
 		AddDNSControllerPermissions(b, p)
 	}
@ -572,11 +572,6 @@ func addECRPermissions(p *Policy) {
 	})
 }

-// UseServiceAccountIAM returns true if we are using service-account bound IAM roles.
-func (b *PolicyBuilder) UseServiceAccountIAM() bool {
-	return featureflag.UseServiceAccountIAM.Enabled()
-}
-
 // addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
 func addLegacyDNSControllerPermissions(b *PolicyBuilder, p *Policy) {
 	// Legacy IAM permissions for node roles