diff --git a/nodeup/pkg/model/networking/calico.go b/nodeup/pkg/model/networking/calico.go
index 1f682fd540..230aa6f280 100644
--- a/nodeup/pkg/model/networking/calico.go
+++ b/nodeup/pkg/model/networking/calico.go
@@ -39,7 +39,7 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 // @check if tls is enabled and if so, we need to download the client certificates
- if !b.UseEtcdManager() && b.UseEtcdTLS() {
+ if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
 name := "calico-client"
 dirname := "calico"
 ca := filepath.Join(dirname, "ca.pem")
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index 9fbd531bba..eb9380fb88 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -674,6 +674,12 @@ func (c *Cluster) IsKubernetesGTE(version string) bool {
 return clusterVersion.GTE(*parsedVersion)
 }
+// IsKubernetesLT checks if the version is < the specified version.
+// It panics if the kubernetes version in the cluster is invalid, or if the version is invalid.
+func (c *Cluster) IsKubernetesLT(version string) bool {
+ return !c.IsKubernetesGTE(version)
+}
+
 // EnvVar represents an environment variable present in a Container.
 type EnvVar struct {
 // Name of the environment variable. Must be a C_IDENTIFIER.
diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
index 604089f8ee..d7d9b3872b 100644
--- a/pkg/model/firewall.go
+++ b/pkg/model/firewall.go
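Review bot: The new `IsKubernetesLT("1.12")` term on the `if` is not explained, and the `// @check if tls is enabled ...` comment above it still describes only the TLS condition, so a reader cannot tell why 1.12 is the cutoff or what breaks if it is wrong. I would extend the comment to `// @check if tls is enabled and if so, we need to download the client certificates. Only clusters on Kubernetes < 1.12 run Calico against etcd directly, so newer clusters do not need the etcd client keypair on nodes.` (the datastore rationale is inferred, not visible in this diff — adjust if the cutoff is driven by something else). The same literal "1.12" is repeated in firewall.go, iam_builder.go and pki.go in this commit; a single predicate on the cluster (e.g. `calicoUsesEtcd()`) would keep the four sites from drifting when the cutoff moves. The enclosing `Build` method starts and ends outside the hunk.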
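Review bot: The doc comment on `IsKubernetesLT` promises a panic on an invalid cluster or argument version, but the body is just `!c.IsKubernetesGTE(version)`, so that claim is only true if `IsKubernetesGTE` (whose body lies outside the hunk) panics rather than returning false on bad input — worth confirming, since callers in this commit now gate firewall rules and IAM grants on it. Note also that this hunk adds the method only on `kops.Cluster`, while the firewall.go and pki.go hunks call `b.IsKubernetesLT` on the model builder; that compiles only if the model context already exposes or promotes such a method, which this diff does not show. If it does not, a one-line forwarding method `func (c *KopsModelContext) IsKubernetesLT(version string) bool { return c.Cluster.IsKubernetesLT(version) }` belongs in this commit.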
@@ -250,10 +250,12 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 }
 if b.Cluster.Spec.Networking.Calico != nil {
- // Calico needs to access etcd
- // TODO: Remove, replace with etcd in calico manifest
- klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.")
- tcpBlocked[4001] = false
+ if b.IsKubernetesLT("1.12") {
+ // Calico needs to access etcd
+ // TODO: Remove, replace with etcd in calico manifest
+ klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.")
+ tcpBlocked[4001] = false
+ }
 protocols = append(protocols, ProtocolIPIP)
 }
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index a7ce4a5577..991944ed7b 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -570,7 +570,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error) {
 }
 // @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
- if networkingSpec.Calico != nil {
+ if cluster.IsKubernetesLT("1.12") && networkingSpec.Calico != nil {
 calicoClientCert := false
 for _, x := range cluster.Spec.EtcdClusters {
 if x.Provider == kops.EtcdProviderTypeManager {
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 60aee7e3f2..bfa5c5cdaf 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -129,7 +129,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 })
 // @check if calico is enabled as the CNI provider
- if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
+ if b.IsKubernetesLT("1.12") && b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
 c.AddTask(&fitasks.Keypair{
 Name: fi.String("calico-client"),
 Lifecycle: b.Lifecycle,
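Review bot: The new `if b.IsKubernetesLT("1.12")` gate encodes "Calico still talks to etcd" as a bare version number, and neither the wrapped `// Calico needs to access etcd` comment nor the `// TODO: Remove, replace with etcd in calico manifest` line is updated to say so — the TODO is now half done and should say what remains. Keeping 4001 closed from nodes on newer clusters is the right least-exposure default, but on an existing >= 1.12 cluster that still runs Calico against etcd (for example one upgraded in place without a datastore migration — inferred, not visible here) an update will silently drop the node-to-master rule and break pod networking, which deserves a release note and ideally a `klog` line on the closed branch as well. I would replace the inner comment with `// Kubernetes < 1.12 ships Calico with the etcd datastore, so nodes must reach the etcd client port; newer versions use the kube-apiserver datastore and 4001 stays blocked.` The enclosing function starts outside the hunk.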
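Review bot: Put the cheap nil check first on the changed line: `if networkingSpec.Calico != nil && cluster.IsKubernetesLT("1.12") {`. As written every cluster, Calico or not, evaluates the version parse here, and per the `IsKubernetesLT` doc comment added in this commit an unparsable version panics — inside a function whose signature returns `error` and could report it instead. The tightening itself is sound from a least-privilege view: node roles on >= 1.12 no longer get read access to the calico-client certificate path in the state store. The `EtcdClusters` loop and the rest of `ReadableStatePaths` continue outside the hunk.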
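Review bot: Dropping the `calico-client` Keypair task for >= 1.12 stops kops from managing that keypair, but as far as this diff shows nothing removes or revokes the keypair already issued into existing clusters' state stores, so a CA-signed client cert that node roles could read until now stays valid and, presumably, reachable by anyone who copied it — confirm whether the task's `Lifecycle` covers deletion or document the cleanup/rotation step for upgraders. Same ordering remark as in iam_builder.go: `if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil && b.IsKubernetesLT("1.12") {` keeps the panicking version parse off the non-Calico path. The `// @check if calico is enabled as the CNI provider` comment should also state the version cutoff, e.g. `// @check if calico is enabled as the CNI provider; only Kubernetes < 1.12 needs an etcd client keypair for it`. `Build` continues outside the hunk.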
diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
index 2cd9afd8f4..63adfc0561 100644
--- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
+++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
@@ -753,12 +753,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
 type = "ingress"
 }
-resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" {
+resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
 from_port = 2382
 protocol = "tcp"
 security_group_id = aws_security_group.masters-bastionuserdata-example-com.id
 source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id
- to_port = 4001
+ to_port = 4000
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index c9cdba0c12..54c8fc3340 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -847,7 +847,7 @@
 "IpProtocol": "tcp"
 }
 },
- "AWSEC2SecurityGroupIngressnodetomastertcp23824001": {
+ "AWSEC2SecurityGroupIngressnodetomastertcp23824000": {
 "Type": "AWS::EC2::SecurityGroupIngress",
 "Properties": {
 "GroupId": {
@@ -857,7 +857,7 @@
 "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom"
 },
 "FromPort": 2382,
- "ToPort": 4001,
+ "ToPort": 4000,
 "IpProtocol": "tcp"
 }
 },
diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf
index 98181269a6..a7f5a59290 100644
--- a/tests/integration/update_cluster/privatecalico/kubernetes.tf
+++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf
@@ -752,12 +752,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
 type = "ingress"
 }
-resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" {
+resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
 from_port = 2382
 protocol = "tcp"
 security_group_id = aws_security_group.masters-privatecalico-example-com.id
 source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id
- to_port = 4001
+ to_port = 4000
 type = "ingress"
 }