From 05559c0404f7fc5b93277fe807490642bc190f58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?=
Date: Tue, 15 May 2018 15:35:04 +0100
Subject: [PATCH] kubeadm: Remove the .PrivilegedPods configuration option
---
 cmd/kubeadm/app/apis/kubeadm/types.go | 5 ---
 .../app/apis/kubeadm/v1alpha1/conversion.go | 11 +----
 .../app/apis/kubeadm/v1alpha2/types.go | 5 ---
 cmd/kubeadm/app/cmd/upgrade/common_test.go | 3 --
 .../app/phases/controlplane/manifests.go | 14 ------
 .../app/phases/controlplane/manifests_test.go | 44 -------------------
 6 files changed, 1 insertion(+), 81 deletions(-)
diff --git a/cmd/kubeadm/app/apis/kubeadm/types.go b/cmd/kubeadm/app/apis/kubeadm/types.go
index 1c6c8ec9f94..d6b75b9f33b 100644
--- a/cmd/kubeadm/app/apis/kubeadm/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types.go
@@ -54,11 +54,6 @@ type MasterConfiguration struct {
 // single node configurations).
 NoTaintMaster bool
- // Mark the controller and api server pods as privileged as some cloud
- // controllers like openstack need escalated privileges under some conditions
- // example - loading a config drive to fetch node information.
- PrivilegedPods bool
-
 // Token is used for establishing bidirectional trust between nodes and masters.
 // Used for joining nodes in the cluster.
 Token string
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
index cc0f0e626a2..5cd1c9cfe98 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
@@ -25,7 +25,6 @@ import (
 func addConversionFuncs(scheme *runtime.Scheme) error {
 // Add non-generated conversion functions
 err := scheme.AddConversionFuncs(
- Convert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration,
 Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration,
 )
 if err != nil {
@@ -35,21 +34,13 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
 return nil
 }
-func Convert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration(in *kubeadm.MasterConfiguration, out *MasterConfiguration, s conversion.Scope) error {
- if err := autoConvert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration(in, out, s); err != nil {
- return err
- }
-
- // Setting .CloudProvider is not supported from internal API not supported
- return nil
-}
-
 func Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in *MasterConfiguration, out *kubeadm.MasterConfiguration, s conversion.Scope) error {
 if err := autoConvert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in, out, s); err != nil {
 return err
 }
 UpgradeCloudProvider(in, out)
+ // We don't support migrating information from the .PrivilegedPods field which was removed in v1alpha2
 return nil
 }
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
index 1657173fb4d..2852166ac4e 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
@@ -54,11 +54,6 @@ type MasterConfiguration struct {
 // single node configurations).
 NoTaintMaster bool `json:"noTaintMaster,omitempty"`
- // Mark the controller and api server pods as privileged as some cloud
- // controllers like openstack need escalated privileges under some conditions
- // example - loading a config drive to fetch node information
- PrivilegedPods bool `json:"privilegedPods"`
-
 // Token is used for establishing bidirectional trust between nodes and masters.
 // Used for joining nodes in the cluster.
 Token string `json:"token"`
diff --git a/cmd/kubeadm/app/cmd/upgrade/common_test.go b/cmd/kubeadm/app/cmd/upgrade/common_test.go
index c36d4a0d74d..5b8d2bae78d 100644
--- a/cmd/kubeadm/app/cmd/upgrade/common_test.go
+++ b/cmd/kubeadm/app/cmd/upgrade/common_test.go
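Review bot: A v1alpha1 config that still sets `privilegedPods: true` is now dropped silently in `Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration` (v1alpha1/conversion.go); the added comment documents this for maintainers, but the operator gets no signal. Running the API server and controller manager unprivileged is the safer default, yet a cluster that relied on the flag for the config-drive case named in the removed field comment would change behaviour on upgrade without notice. Assuming the v1alpha1 type keeps the field (its types.go is not in this patch), consider logging a warning when `in.PrivilegedPods` is true, using whatever logger this package already has. The comment could also state the effect, for example `// .PrivilegedPods is intentionally not migrated: control plane static pods are never run privileged, so a v1alpha1 value of true is ignored.` Separately, the hand-written `Convert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration` is removed here and deregistered in this file's first hunk, and no generated conversion file appears in the diffstat, so it is worth confirming the generated conversions were refreshed.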
@@ -64,7 +64,6 @@ func TestPrintConfiguration(t *testing.T) {
 podSubnet: ""
 serviceSubnet: ""
 nodeName: ""
- privilegedPods: false
 token: ""
 unifiedControlPlaneImage: ""
 `),
@@ -103,7 +102,6 @@ func TestPrintConfiguration(t *testing.T) {
 podSubnet: ""
 serviceSubnet: 10.96.0.1/12
 nodeName: ""
- privilegedPods: false
 token: ""
 unifiedControlPlaneImage: ""
 `),
@@ -152,7 +150,6 @@ func TestPrintConfiguration(t *testing.T) {
 podSubnet: ""
 serviceSubnet: ""
 nodeName: ""
- privilegedPods: false
 token: ""
 unifiedControlPlaneImage: ""
 `),
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index 5a4e54e3fa3..e409cc21ada 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -38,7 +38,6 @@ import (
 staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
 authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 "k8s.io/kubernetes/pkg/master/reconcilers"
- utilpointer "k8s.io/kubernetes/pkg/util/pointer"
 "k8s.io/kubernetes/pkg/util/version"
 )
@@ -107,19 +106,6 @@ func GetStaticPodSpecs(cfg *kubeadmapi.MasterConfiguration, k8sVersion *version.
 Env: getProxyEnvVars(),
 }, mounts.GetVolumes(kubeadmconstants.KubeScheduler)),
 }
-
- // Some cloud providers need extra privileges for example to load node information from a config drive
- // TODO: when we fully to external cloud providers and the api server and controller manager do not need
- // to call out to cloud provider code, we can remove the support for the PrivilegedPods
- if cfg.PrivilegedPods {
- staticPodSpecs[kubeadmconstants.KubeAPIServer].Spec.Containers[0].SecurityContext = &v1.SecurityContext{
- Privileged: utilpointer.BoolPtr(true),
- }
- staticPodSpecs[kubeadmconstants.KubeControllerManager].Spec.Containers[0].SecurityContext = &v1.SecurityContext{
- Privileged: utilpointer.BoolPtr(true),
- }
- }
-
 return staticPodSpecs
 }
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
index 237ee341380..aefdb319d41 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -136,50 +136,6 @@ func TestCreateStaticPodFilesAndWrappers(t *testing.T) {
 }
 }
-func TestPrivilegedPods(t *testing.T) {
- var staticPodNames = []string{
- kubeadmconstants.KubeAPIServer,
- kubeadmconstants.KubeControllerManager,
- }
- var assertions = []struct {
- privilegedPods bool
- expectedPrivilege bool
- }{
- {
- privilegedPods: false,
- expectedPrivilege: false,
- },
- {
- privilegedPods: true,
- expectedPrivilege: true,
- },
- }
-
- for _, assertion := range assertions {
- cfg := &kubeadmapi.MasterConfiguration{
- KubernetesVersion: "v1.9.0",
- PrivilegedPods: assertion.privilegedPods,
- }
-
- k8sVersion, _ := version.ParseSemantic(cfg.KubernetesVersion)
- specs := GetStaticPodSpecs(cfg, k8sVersion)
-
- for _, podname := range staticPodNames {
- spec, _ := specs[podname]
- sc := spec.Spec.Containers[0].SecurityContext
- if assertion.expectedPrivilege == true {
- if sc == nil || sc.Privileged == nil || *sc.Privileged == false {
- t.Errorf("GetStaticPodSpecs did not enable privileged containers in %s pod", podname)
- }
- } else {
- if sc != nil && sc.Privileged != nil && *sc.Privileged == true {
- t.Errorf("GetStaticPodSpecs enabled privileged containers in %s pod", podname)
- }
- }
- }
- }
-}
-
 func TestGetAPIServerCommand(t *testing.T) {
 var tests = []struct {
 name string