From 064f74b2e8334ad0bf8550afebc407850b5044e6 Mon Sep 17 00:00:00 2001 From: Marek Date: Thu, 8 Nov 2018 11:01:36 -0500 Subject: [PATCH] fixes kubeadm 1221 to remove AuditPolicyConfiguration Added conversion test and failure. --- cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go | 13 ----- cmd/kubeadm/app/apis/kubeadm/types.go | 14 ----- .../app/apis/kubeadm/v1alpha3/conversion.go | 4 ++ .../apis/kubeadm/v1alpha3/conversion_test.go | 29 ++++++++++ .../v1alpha3/zz_generated.conversion.go | 41 +------------- .../app/apis/kubeadm/v1beta1/defaults.go | 11 ---- cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go | 14 ----- .../v1beta1/zz_generated.conversion.go | 40 -------------- .../kubeadm/v1beta1/zz_generated.deepcopy.go | 22 -------- .../app/apis/kubeadm/zz_generated.deepcopy.go | 22 -------- cmd/kubeadm/app/cmd/phases/BUILD | 1 - cmd/kubeadm/app/cmd/phases/controlplane.go | 21 ------- cmd/kubeadm/app/cmd/upgrade/common_test.go | 6 -- cmd/kubeadm/app/features/features.go | 4 -- cmd/kubeadm/app/phases/controlplane/BUILD | 2 - .../app/phases/controlplane/manifests.go | 10 ---- .../app/phases/controlplane/manifests_test.go | 55 +------------------ .../app/phases/controlplane/volumes.go | 9 +-- .../app/phases/controlplane/volumes_test.go | 35 ------------ .../testdata/conversion/master/internal.yaml | 4 -- .../testdata/conversion/master/v1beta1.yaml | 4 -- .../testdata/defaulting/master/defaulted.yaml | 4 -- 22 files changed, 36 insertions(+), 329 deletions(-) diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go index 4a19d8b18c0..414ece80b93 100644 --- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go +++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go @@ -30,7 +30,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { return []interface{}{ fuzzInitConfiguration, fuzzClusterConfiguration, - fuzzAuditPolicyConfiguration, fuzzComponentConfigs, fuzzNodeRegistration, fuzzDNS, 
@@ -55,10 +54,6 @@ func fuzzInitConfiguration(obj *kubeadm.InitConfiguration, c fuzz.Continue) { Duration: constants.DefaultControlPlaneTimeout, }, }, - AuditPolicyConfiguration: kubeadm.AuditPolicyConfiguration{ - LogDir: constants.StaticPodAuditPolicyLogDir, - LogMaxAge: &v1beta1.DefaultAuditPolicyLogMaxAge, - }, DNS: kubeadm.DNS{ Type: kubeadm.CoreDNS, }, @@ -118,14 +113,6 @@ func fuzzDNS(obj *kubeadm.DNS, c fuzz.Continue) { obj.Type = kubeadm.CoreDNS } -func fuzzAuditPolicyConfiguration(obj *kubeadm.AuditPolicyConfiguration, c fuzz.Continue) { - c.FuzzNoCustom(obj) - - // Pinning values for fields that get defaults if fuzz value is empty string or nil (thus making the round trip test fail) - obj.LogDir = "foo" - obj.LogMaxAge = new(int32) -} - func fuzzComponentConfigs(obj *kubeadm.ComponentConfigs, c fuzz.Continue) { // This is intentionally empty because component config does not exists in the public api // (empty mean all ComponentConfigs fields nil, and this is necessary for getting roundtrip passing) diff --git a/cmd/kubeadm/app/apis/kubeadm/types.go b/cmd/kubeadm/app/apis/kubeadm/types.go index b00c3d4bcb3..ebbd20d025e 100644 --- a/cmd/kubeadm/app/apis/kubeadm/types.go +++ b/cmd/kubeadm/app/apis/kubeadm/types.go @@ -115,9 +115,6 @@ type ClusterConfiguration struct { // UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images UseHyperKubeImage bool - // AuditPolicyConfiguration defines the options for the api server audit system. - AuditPolicyConfiguration AuditPolicyConfiguration - // FeatureGates enabled by the user. FeatureGates map[string]bool 
@@ -418,17 +415,6 @@ type HostPathMount struct { PathType v1.HostPathType } -// AuditPolicyConfiguration holds the options for configuring the api server audit policy. -type AuditPolicyConfiguration struct { - // Path is the local path to an audit policy. - Path string - // LogDir is the local path to the directory where logs should be stored. - LogDir string - // LogMaxAge is the number of days logs will be stored for. 0 indicates forever. - LogMaxAge *int32 - //TODO(chuckha) add other options for audit policy. -} - // CommonConfiguration defines the list of common configuration elements and the getter // methods that must exist for both the InitConfiguration and JoinConfiguration objects. // This is used internally to deduplicate the kubeadm preflight checks. diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go index 18d8d0dae63..d2ed1c15d5c 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion.go @@ -129,6 +129,10 @@ func Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in *C return err } + if len(in.AuditPolicyConfiguration.Path) > 0 { + return errors.New("AuditPolicyConfiguration has been removed from ClusterConfiguration. Please cleanup ClusterConfiguration.AuditPolicyConfiguration fields") + } + out.APIServer.ExtraArgs = in.APIServerExtraArgs out.APIServer.CertSANs = in.APIServerCertSANs out.APIServer.TimeoutForControlPlane = &metav1.Duration{ diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion_test.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion_test.go index 73bc9809aa5..1891e506b76 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion_test.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/conversion_test.go 
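Review bot: In Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration (conversion.go) the new guard rejects a v1alpha3 config only when `AuditPolicyConfiguration.Path` is non-empty, so a config that set just `LogDir` or `LogMaxAge`, or that enabled the `Auditing` gate and relied on the generated default policy, converts without error. Because the rest of this patch deletes the audit flags and host-path mounts, such a cluster would presumably come up with API server audit logging off and nothing telling the operator. Consider also failing or warning when `LogDir` or `LogMaxAge` differ from their v1alpha3 defaults (the defaulting code is not visible here, so compare against those defaults rather than the zero value). The message would help more if it named the replacement that the remaining manifests_test.go case uses, e.g. `return errors.New("AuditPolicyConfiguration has been removed from ClusterConfiguration; remove its fields and set the audit flags through APIServerExtraArgs")`. The function starts and ends outside the hunk.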
@@ -56,6 +56,35 @@ func TestJoinConfigurationConversion(t *testing.T) { } } +func TestInitConfigurationConversion(t *testing.T) { + testcases := map[string]struct { + old *InitConfiguration + expectedErr bool + }{ + "conversion succeeds": { + old: &InitConfiguration{}, + expectedErr: false, + }, + "feature gates fails to be converted": { + old: &InitConfiguration{ + ClusterConfiguration: ClusterConfiguration{ + AuditPolicyConfiguration: AuditPolicyConfiguration{ + Path: "test", + }, + }, + }, + expectedErr: true, + }, + } + for _, tc := range testcases { + internal := &kubeadm.InitConfiguration{} + err := Convert_v1alpha3_InitConfiguration_To_kubeadm_InitConfiguration(tc.old, internal, nil) + if (err != nil) != tc.expectedErr { + t.Errorf("no error was expected but '%s' was found", err) + } + } +} + func TestConvertToUseHyperKubeImage(t *testing.T) { tests := []struct { desc string diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go index 496e208448e..5ecc75eaf67 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha3/zz_generated.conversion.go 
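Review bot: The failure message in TestInitConfigurationConversion (conversion_test.go) always reads `no error was expected`, which is wrong when `expectedErr` is true and the conversion returned nil, and the loop discards the case name so a failure cannot be tied to a case. Range with the key and report both sides: `for name, tc := range testcases {` and `t.Errorf("%s: expected error %v, got %v", name, tc.expectedErr, err)`. The second case is labelled `"feature gates fails to be converted"` but exercises `AuditPolicyConfiguration.Path`; a name such as `"audit policy path set fails conversion"` matches what it tests. A further case with only `LogDir` or `LogMaxAge` set would pin down what the conversion does with the remaining audit fields.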
@@ -47,16 +47,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope) }); err != nil { 
@@ -252,30 +242,6 @@ func Convert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in *kubeadm.APIEndpoint return autoConvert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in, out, s) } -func autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error { - out.Path = in.Path - out.LogDir = in.LogDir - out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge)) - return nil -} - -// Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function. -func Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error { - return autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s) -} - -func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error { - out.Path = in.Path - out.LogDir = in.LogDir - out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge)) - return nil -} - -// Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration is an autogenerated conversion function. -func Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error { - return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in, out, s) -} - func autoConvert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error { out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token)) out.Description = in.Description 
@@ -347,9 +313,7 @@ func autoConvert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(i out.CertificatesDir = in.CertificatesDir out.ImageRepository = in.ImageRepository // WARNING: in.UnifiedControlPlaneImage requires manual conversion: does not exist in peer-type - if err := Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil { - return err - } + // WARNING: in.AuditPolicyConfiguration requires manual conversion: does not exist in peer-type out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.ClusterName = in.ClusterName return nil @@ -373,9 +337,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1alpha3_ClusterConfiguration(i out.ImageRepository = in.ImageRepository // INFO: in.CIImageRepository opted out of conversion generation // WARNING: in.UseHyperKubeImage requires manual conversion: does not exist in peer-type - if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil { - return err - } out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.ClusterName = in.ClusterName return nil diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta1/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1beta1/defaults.go index 96e8440016e..60c72a73d36 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/defaults.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/defaults.go @@ -101,7 +101,6 @@ func SetDefaults_ClusterConfiguration(obj *ClusterConfiguration) { SetDefaults_DNS(obj) SetDefaults_Etcd(obj) - SetDefaults_AuditPolicyConfiguration(obj) SetDefaults_APIServer(&obj.APIServer) } 
@@ -184,16 +183,6 @@ func SetDefaults_FileDiscovery(obj *FileDiscovery) { } } -// SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration -func SetDefaults_AuditPolicyConfiguration(obj *ClusterConfiguration) { - if obj.AuditPolicyConfiguration.LogDir == "" { - obj.AuditPolicyConfiguration.LogDir = constants.StaticPodAuditPolicyLogDir - } - if obj.AuditPolicyConfiguration.LogMaxAge == nil { - obj.AuditPolicyConfiguration.LogMaxAge = &DefaultAuditPolicyLogMaxAge - } -} - // SetDefaults_BootstrapTokens sets the defaults for the .BootstrapTokens field // If the slice is empty, it's defaulted with one token. Otherwise it just loops // through the slice and sets the defaults for the omitempty fields that are TTL, diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go b/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go index 6935500bbd5..53eebca036f 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/types.go @@ -106,9 +106,6 @@ type ClusterConfiguration struct { // UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images UseHyperKubeImage bool `json:"useHyperKubeImage,omitempty"` - // AuditPolicyConfiguration defines the options for the api server audit system - AuditPolicyConfiguration AuditPolicyConfiguration `json:"auditPolicy"` - // FeatureGates enabled by the user. FeatureGates map[string]bool `json:"featureGates,omitempty"` 
@@ -384,14 +381,3 @@ type HostPathMount struct { // PathType is the type of the HostPath. PathType v1.HostPathType `json:"pathType,omitempty"` } - -// AuditPolicyConfiguration holds the options for configuring the api server audit policy. -type AuditPolicyConfiguration struct { - // Path is the local path to an audit policy. - Path string `json:"path"` - // LogDir is the local path to the directory where logs should be stored. - LogDir string `json:"logDir"` - // LogMaxAge is the number of days logs will be stored for. 0 indicates forever. - LogMaxAge *int32 `json:"logMaxAge,omitempty"` - //TODO(chuckha) add other options for audit policy. -} diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go index 8967c60a8b4..4863c317fb3 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.conversion.go 
@@ -57,16 +57,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope) }); err != nil { 
@@ -310,30 +300,6 @@ func Convert_kubeadm_APIServer_To_v1beta1_APIServer(in *kubeadm.APIServer, out * return autoConvert_kubeadm_APIServer_To_v1beta1_APIServer(in, out, s) } -func autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error { - out.Path = in.Path - out.LogDir = in.LogDir - out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge)) - return nil -} - -// Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function. -func Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error { - return autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s) -} - -func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error { - out.Path = in.Path - out.LogDir = in.LogDir - out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge)) - return nil -} - -// Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration is an autogenerated conversion function. -func Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error { - return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in, out, s) -} - func autoConvert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error { out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token)) out.Description = in.Description 
@@ -436,9 +402,6 @@ func autoConvert_v1beta1_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in out.CertificatesDir = in.CertificatesDir out.ImageRepository = in.ImageRepository out.UseHyperKubeImage = in.UseHyperKubeImage - if err := Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil { - return err - } out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.ClusterName = in.ClusterName return nil @@ -475,9 +438,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in out.ImageRepository = in.ImageRepository // INFO: in.CIImageRepository opted out of conversion generation out.UseHyperKubeImage = in.UseHyperKubeImage - if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil { - return err - } out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.ClusterName = in.ClusterName return nil diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.deepcopy.go index 5d5cb5d5372..d6cdfda335a 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.deepcopy.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1beta1/zz_generated.deepcopy.go 
@@ -69,27 +69,6 @@ func (in *APIServer) DeepCopy() *APIServer { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) { - *out = *in - if in.LogMaxAge != nil { - in, out := &in.LogMaxAge, &out.LogMaxAge - *out = new(int32) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration. -func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration { - if in == nil { - return nil - } - out := new(AuditPolicyConfiguration) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) { *out = *in @@ -177,7 +156,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) { in.ControllerManager.DeepCopyInto(&out.ControllerManager) in.Scheduler.DeepCopyInto(&out.Scheduler) out.DNS = in.DNS - in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration) if in.FeatureGates != nil { in, out := &in.FeatureGates, &out.FeatureGates *out = make(map[string]bool, len(*in)) diff --git a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go index 7fba007e779..ebdf10bb2e2 100644 --- a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go +++ b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go 
@@ -71,27 +71,6 @@ func (in *APIServer) DeepCopy() *APIServer { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) { - *out = *in - if in.LogMaxAge != nil { - in, out := &in.LogMaxAge, &out.LogMaxAge - *out = new(int32) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration. -func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration { - if in == nil { - return nil - } - out := new(AuditPolicyConfiguration) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) { *out = *in @@ -180,7 +159,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) { in.ControllerManager.DeepCopyInto(&out.ControllerManager) in.Scheduler.DeepCopyInto(&out.Scheduler) out.DNS = in.DNS - in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration) if in.FeatureGates != nil { in, out := &in.FeatureGates, &out.FeatureGates *out = make(map[string]bool, len(*in)) diff --git a/cmd/kubeadm/app/cmd/phases/BUILD b/cmd/kubeadm/app/cmd/phases/BUILD index f286af6f42b..96a6c947ddb 100644 --- a/cmd/kubeadm/app/cmd/phases/BUILD +++ b/cmd/kubeadm/app/cmd/phases/BUILD @@ -43,7 +43,6 @@ go_library( "//cmd/kubeadm/app/preflight:go_default_library", "//cmd/kubeadm/app/util:go_default_library", "//cmd/kubeadm/app/util/apiclient:go_default_library", - "//cmd/kubeadm/app/util/audit:go_default_library", "//cmd/kubeadm/app/util/config:go_default_library", "//cmd/kubeadm/app/util/dryrun:go_default_library", "//cmd/kubeadm/app/util/kubeconfig:go_default_library", 
diff --git a/cmd/kubeadm/app/cmd/phases/controlplane.go b/cmd/kubeadm/app/cmd/phases/controlplane.go index 81ea3c1c561..a76bedbcce7 100644 --- a/cmd/kubeadm/app/cmd/phases/controlplane.go +++ b/cmd/kubeadm/app/cmd/phases/controlplane.go @@ -19,16 +19,11 @@ package phases import ( "errors" "fmt" - "os" - "path/filepath" - kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" "k8s.io/kubernetes/cmd/kubeadm/app/cmd/options" "k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" - "k8s.io/kubernetes/cmd/kubeadm/app/features" "k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane" - auditutil "k8s.io/kubernetes/cmd/kubeadm/app/util/audit" "k8s.io/kubernetes/pkg/util/normalizer" ) 
@@ -145,22 +140,6 @@ func runControlPlaneSubPhase(component string) func(c workflow.RunData) error { } cfg := data.Cfg() - // special case to handle audit policy for the API server - if component == kubeadmconstants.KubeAPIServer && features.Enabled(cfg.FeatureGates, features.Auditing) { - // Setup the AuditPolicy (either it was passed in and exists or it wasn't passed in and generate a default policy) - if cfg.AuditPolicyConfiguration.Path != "" { - // TODO(chuckha) ensure passed in audit policy is valid so users don't have to find the error in the api server log. - if _, err := os.Stat(cfg.AuditPolicyConfiguration.Path); err != nil { - return fmt.Errorf("error getting file info for audit policy file %q [%v]", cfg.AuditPolicyConfiguration.Path, err) - } - } else { - cfg.AuditPolicyConfiguration.Path = filepath.Join(data.KubeConfigDir(), kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditPolicyFile) - if err := auditutil.CreateDefaultAuditLogPolicy(cfg.AuditPolicyConfiguration.Path); err != nil { - return fmt.Errorf("error creating default audit policy %q [%v]", cfg.AuditPolicyConfiguration.Path, err) - } - } - } - fmt.Printf("[control-plane] Creating static Pod manifest for %q\n", component) if err := controlplane.CreateStaticPodFiles(data.ManifestDir(), cfg, component); err != nil { return err diff --git a/cmd/kubeadm/app/cmd/upgrade/common_test.go b/cmd/kubeadm/app/cmd/upgrade/common_test.go index 1af894a44ec..513ff84edeb 100644 --- a/cmd/kubeadm/app/cmd/upgrade/common_test.go +++ b/cmd/kubeadm/app/cmd/upgrade/common_test.go @@ -48,9 +48,6 @@ func TestPrintConfiguration(t *testing.T) { expectedBytes: []byte(`[upgrade/config] Configuration used: apiServer: {} apiVersion: kubeadm.k8s.io/v1beta1 - auditPolicy: - logDir: "" - path: "" certificatesDir: "" controlPlaneEndpoint: "" controllerManager: {} 
@@ -87,9 +84,6 @@ func TestPrintConfiguration(t *testing.T) { expectedBytes: []byte(`[upgrade/config] Configuration used: apiServer: {} apiVersion: kubeadm.k8s.io/v1beta1 - auditPolicy: - logDir: "" - path: "" certificatesDir: "" controlPlaneEndpoint: "" controllerManager: {} diff --git a/cmd/kubeadm/app/features/features.go b/cmd/kubeadm/app/features/features.go index 4e46d6dd51f..179ce987dea 100644 --- a/cmd/kubeadm/app/features/features.go +++ b/cmd/kubeadm/app/features/features.go @@ -34,9 +34,6 @@ const ( // DynamicKubeletConfig is beta in v1.11 DynamicKubeletConfig = "DynamicKubeletConfig" - - // Auditing is beta in 1.8 - Auditing = "Auditing" ) var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" + @@ -46,7 +43,6 @@ var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" + var InitFeatureGates = FeatureList{ CoreDNS: {FeatureSpec: utilfeature.FeatureSpec{Default: true, PreRelease: utilfeature.Deprecated}, HiddenInHelpText: true, DeprecationMessage: coreDNSMessage}, DynamicKubeletConfig: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Beta}}, - Auditing: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}}, } // Feature represents a feature being gated diff --git a/cmd/kubeadm/app/phases/controlplane/BUILD b/cmd/kubeadm/app/phases/controlplane/BUILD index 12afc6d5ce9..e265eb30eaa 100644 --- a/cmd/kubeadm/app/phases/controlplane/BUILD +++ b/cmd/kubeadm/app/phases/controlplane/BUILD @@ -23,7 +23,6 @@ go_test( "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/version:go_default_library", - "//vendor/k8s.io/utils/pointer:go_default_library", ], ) 
@@ -36,7 +35,6 @@ go_library( importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane", deps = [ "//cmd/kubeadm/app/apis/kubeadm:go_default_library", - "//cmd/kubeadm/app/apis/kubeadm/v1beta1:go_default_library", "//cmd/kubeadm/app/constants:go_default_library", "//cmd/kubeadm/app/features:go_default_library", "//cmd/kubeadm/app/images:go_default_library", diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go index 960bb7e6e51..b6b04502659 100644 --- a/cmd/kubeadm/app/phases/controlplane/manifests.go +++ b/cmd/kubeadm/app/phases/controlplane/manifests.go @@ -29,7 +29,6 @@ import ( "k8s.io/apimachinery/pkg/util/version" "k8s.io/klog" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" - kubeadmapiv1beta1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" "k8s.io/kubernetes/cmd/kubeadm/app/features" "k8s.io/kubernetes/cmd/kubeadm/app/images" @@ -179,15 +178,6 @@ func getAPIServerCommand(cfg *kubeadmapi.InitConfiguration) []string { defaultArguments["feature-gates"] = "DynamicKubeletConfig=true" } - if features.Enabled(cfg.FeatureGates, features.Auditing) { - defaultArguments["audit-policy-file"] = kubeadmconstants.GetStaticPodAuditPolicyFile() - defaultArguments["audit-log-path"] = filepath.Join(kubeadmconstants.StaticPodAuditPolicyLogDir, kubeadmconstants.AuditPolicyLogFile) - if cfg.AuditPolicyConfiguration.LogMaxAge == nil { - defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", kubeadmapiv1beta1.DefaultAuditPolicyLogMaxAge) - } else { - defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", *cfg.AuditPolicyConfiguration.LogMaxAge) - } - } if cfg.APIServer.ExtraArgs == nil { cfg.APIServer.ExtraArgs = map[string]string{} } diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go index 0aa23ec48db..c6040759569 100644 
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go +++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go @@ -34,7 +34,6 @@ import ( authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" testutil "k8s.io/kubernetes/cmd/kubeadm/test" - utilpointer "k8s.io/utils/pointer" ) const ( @@ -189,11 +188,6 @@ func TestGetAPIServerCommand(t *testing.T) { ClusterConfiguration: kubeadmapi.ClusterConfiguration{ Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, CertificatesDir: testCertsDir, - AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{ - Path: "/foo/bar", - LogDir: "/foo/baz", - LogMaxAge: utilpointer.Int32Ptr(10), - }, }, }, expected: []string{ 
@@ -353,52 +347,6 @@ func TestGetAPIServerCommand(t *testing.T) { "--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:2380", }, }, - { - name: "auditing is enabled with a custom log max age of 0", - cfg: &kubeadmapi.InitConfiguration{ - LocalAPIEndpoint: kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"}, - ClusterConfiguration: kubeadmapi.ClusterConfiguration{ - Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, - FeatureGates: map[string]bool{features.Auditing: true}, - CertificatesDir: testCertsDir, - AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{ - LogMaxAge: utilpointer.Int32Ptr(0), - }, - }, - }, - expected: []string{ - "kube-apiserver", - "--insecure-port=0", - "--enable-admission-plugins=NodeRestriction", - "--service-cluster-ip-range=bar", - "--service-account-key-file=" + testCertsDir + "/sa.pub", - "--client-ca-file=" + testCertsDir + "/ca.crt", - "--tls-cert-file=" + testCertsDir + "/apiserver.crt", - "--tls-private-key-file=" + testCertsDir + "/apiserver.key", - "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", - "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", - fmt.Sprintf("--secure-port=%d", 123), - "--allow-privileged=true", - "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--enable-bootstrap-token-auth=true", - "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", - "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", - "--requestheader-username-headers=X-Remote-User", - "--requestheader-group-headers=X-Remote-Group", - "--requestheader-extra-headers-prefix=X-Remote-Extra-", - "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt", - "--requestheader-allowed-names=front-proxy-client", - "--authorization-mode=Node,RBAC", - "--advertise-address=2001:db8::1", - fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort), - "--etcd-cafile=" + testCertsDir + 
"/etcd/ca.crt", - "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", - "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", - "--audit-policy-file=/etc/kubernetes/audit/audit.yaml", - "--audit-log-path=/var/log/kubernetes/audit/audit.log", - "--audit-log-maxage=0", - }, - }, { name: "ensure the DynamicKubelet flag gets passed through", cfg: &kubeadmapi.InitConfiguration{ @@ -447,7 +395,7 @@ func TestGetAPIServerCommand(t *testing.T) { ClusterConfiguration: kubeadmapi.ClusterConfiguration{ Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, CertificatesDir: testCertsDir, - FeatureGates: map[string]bool{features.DynamicKubeletConfig: true, features.Auditing: true}, + FeatureGates: map[string]bool{features.DynamicKubeletConfig: true}, APIServer: kubeadmapi.APIServer{ ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{ ExtraArgs: map[string]string{ @@ -491,7 +439,6 @@ func TestGetAPIServerCommand(t *testing.T) { "--feature-gates=DynamicKubeletConfig=true", "--audit-policy-file=/etc/config/audit.yaml", "--audit-log-path=/var/log/kubernetes", - "--audit-log-maxage=2", }, }, { diff --git a/cmd/kubeadm/app/phases/controlplane/volumes.go b/cmd/kubeadm/app/phases/controlplane/volumes.go index 8ca3b9b8b04..7892be889b6 100644 --- a/cmd/kubeadm/app/phases/controlplane/volumes.go +++ b/cmd/kubeadm/app/phases/controlplane/volumes.go @@ -26,7 +26,6 @@ import ( "k8s.io/apimachinery/pkg/util/sets" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" - "k8s.io/kubernetes/cmd/kubeadm/app/features" staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod" ) 
@@ -46,7 +45,6 @@ var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates", func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) controlPlaneHostPathMounts { hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate hostPathFileOrCreate := v1.HostPathFileOrCreate - hostPathFile := v1.HostPathFile mounts := newControlPlaneHostPathMounts() // HostPath volumes for the API Server @@ -55,12 +53,7 @@ func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) con mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate) // Read-only mount for the ca certs (/etc/ssl/certs) directory mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate) - if features.Enabled(cfg.FeatureGates, features.Auditing) { - // Read-only mount for the audit policy file. - mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyVolumeName, cfg.AuditPolicyConfiguration.Path, kubeadmconstants.GetStaticPodAuditPolicyFile(), true, &hostPathFile) - // Write mount for the audit logs. - mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyLogVolumeName, cfg.AuditPolicyConfiguration.LogDir, kubeadmconstants.StaticPodAuditPolicyLogDir, false, &hostPathDirectoryOrCreate) - } + // If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key if cfg.Etcd.External != nil { etcdVols, etcdVolMounts := getEtcdCertVolumes(cfg.Etcd.External, cfg.CertificatesDir) diff --git a/cmd/kubeadm/app/phases/controlplane/volumes_test.go b/cmd/kubeadm/app/phases/controlplane/volumes_test.go index 8d3dba07c11..341e479c971 100644 --- a/cmd/kubeadm/app/phases/controlplane/volumes_test.go +++ b/cmd/kubeadm/app/phases/controlplane/volumes_test.go 
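Review bot: Nothing on the new side of the `@@ -55,12 +53,7 @@` hunk tells a reader that `getHostPathVolumesForTheControlPlane` no longer mounts the audit policy file or the audit log directory into the kube-apiserver static pod; the removed block is simply replaced by a blank line. The manifests test in this same patch still expects `--audit-policy-file=/etc/config/audit.yaml` and `--audit-log-path=/var/log/kubernetes` on the command line (presumably supplied through extra args), so those paths only exist inside the pod if the operator also declares matching host path volumes; a missing one likely leaves the API server unable to start or running without an audit trail. The patch also drops `--audit-log-maxage=2` from that test's expected flags, so retention would need to be set explicitly as well. I would put a comment where the block was, for example `// Audit policy and audit log paths are not mounted here; when audit flags are set through API server extra args, matching extra volumes must be configured too.` The function body continues outside the hunk, so whether extra volumes are added further down is not visible here.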
@@ -26,7 +26,6 @@ import ( "k8s.io/api/core/v1" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" - "k8s.io/kubernetes/cmd/kubeadm/app/features" ) func TestGetEtcdCertVolumes(t *testing.T) { @@ -259,7 +258,6 @@ func TestGetEtcdCertVolumes(t *testing.T) { func TestGetHostPathVolumesForTheControlPlane(t *testing.T) { hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate hostPathFileOrCreate := v1.HostPathFileOrCreate - hostPathFile := v1.HostPathFile volMap := make(map[string]map[string]v1.Volume) volMap[kubeadmconstants.KubeAPIServer] = map[string]v1.Volume{} volMap[kubeadmconstants.KubeAPIServer]["k8s-certs"] = v1.Volume{ @@ -280,24 +278,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) { }, }, } - volMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.Volume{ - Name: "audit", - VolumeSource: v1.VolumeSource{ - HostPath: &v1.HostPathVolumeSource{ - Path: "/foo/bar/baz.yaml", - Type: &hostPathFile, - }, - }, - } - volMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.Volume{ - Name: "audit-log", - VolumeSource: v1.VolumeSource{ - HostPath: &v1.HostPathVolumeSource{ - Path: "/bar/foo", - Type: &hostPathDirectoryOrCreate, - }, - }, - } volMap[kubeadmconstants.KubeControllerManager] = map[string]v1.Volume{} volMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.Volume{ Name: "k8s-certs", 
@@ -348,16 +328,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) { MountPath: "/etc/ssl/certs", ReadOnly: true, } - volMountMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.VolumeMount{ - Name: "audit", - MountPath: "/etc/kubernetes/audit/audit.yaml", - ReadOnly: true, - } - volMountMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.VolumeMount{ - Name: "audit-log", - MountPath: "/var/log/kubernetes/audit", - ReadOnly: false, - } volMountMap[kubeadmconstants.KubeControllerManager] = map[string]v1.VolumeMount{} volMountMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.VolumeMount{ Name: "k8s-certs", @@ -511,11 +481,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) { cfg: &kubeadmapi.ClusterConfiguration{ CertificatesDir: testCertsDir, Etcd: kubeadmapi.Etcd{}, - FeatureGates: map[string]bool{features.Auditing: true}, - AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{ - Path: "/foo/bar/baz.yaml", - LogDir: "/bar/foo", - }, }, vol: volMap, volMount: volMountMap, diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml index 048f6eb3b62..b6c3c66a889 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml @@ -14,10 +14,6 @@ APIServer: PathType: "" ReadOnly: false TimeoutForControlPlane: 4m0s -AuditPolicyConfiguration: - LogDir: /var/log/kubernetes/audit - LogMaxAge: 2 - Path: "" BootstrapTokens: - Description: "" Expires: null diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml index 7b232648a7c..bc8abfa27ba 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1beta1.yaml 
@@ -31,10 +31,6 @@ apiServer: name: WritableVolume timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta1 -auditPolicy: - logDir: /var/log/kubernetes/audit - logMaxAge: 2 - path: "" certificatesDir: /etc/kubernetes/pki clusterName: kubernetes controlPlaneEndpoint: "" diff --git a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml index 4732817dbd3..4456eb175ce 100644 --- a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml +++ b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml @@ -21,10 +21,6 @@ nodeRegistration: apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta1 -auditPolicy: - logDir: /var/log/kubernetes/audit - logMaxAge: 2 - path: "" certificatesDir: /var/lib/kubernetes/pki clusterName: kubernetes controlPlaneEndpoint: ""