e2e-node-tests: fix path to system specs

e2e-node tests may use custom system specs for validating nodes to
conform the specs. The functionality is switched on when the tests
are run with this command:

    make SYSTEM_SPEC_NAME=gke test-e2e-node

Currently the command fails with the error:

    F1228 16:12:41.568836   34514 e2e_node_suite_test.go:106] Failed to load system spec: open /home/rojkov/go/src/k8s.io/kubernetes/k8s.io/kubernetes/cmd/kubeadm/app/util/system/specs/gke.yaml: no such file or directory

Move the spec file under `test/e2e_node/system/specs` and introduce a single
public constant referring the file to use instead of multiple private constants.

test/e2e_node/system/BUILD

@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["specs.go"],
+    importpath = "k8s.io/kubernetes/test/e2e_node/system",
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

test/e2e_node/system/specs.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package system
+
+const (
+	// SystemSpecPath is a path to spec files used for performing node conformance tests.
+	SystemSpecPath = "test/e2e_node/system/specs"
+)

test/e2e_node/system/specs/gke.yaml

@@ -0,0 +1,269 @@
+# This is the system spec that must be satisfied by the images running on GKE.
+
+os: Linux
+
+kernelSpec:
+  versions:
+  # GKE requires kernel version 4.4+.
+  - '4\.[4-9].*'
+  - '4\.[1-9][0-9].*'
+  - '[5-9].*'
+
+  # Required kernel configurations -- the configuration must be set to "y" or
+  # "m".
+  required:
+  # The configurations required by virtual machine or cloud provider.
+
+  - name: BOOTPARAM_HARDLOCKUP_PANIC
+    description: 'Enable the kernel to panic on "hard lockups".'
+  - name: BOOTPARAM_SOFTLOCKUP_PANIC
+    description: 'Enable the kernel to panic on "soft lockups".'
+  - name: PANIC_ON_OOPS
+    description: 'Enable the kernel to panic when it oops.'
+  - name: PVPANIC
+    description: 'Enable the VM (guest) to communicate panic events with the
+      host.'
+  - name: DMIID
+    description: 'Make sure /sys/class/dmi is exported - cAdvisor currently
+      uses this to determine which the cloud provider it is: aws, azure, or
+      gce, etc'
+  - name: ACPI_BUTTON
+    description: 'Enable the software-controlled power management, and required
+      by reset or stop button of GCE console.'
+
+  # The configurations required by network.
+
+  - name: INET
+    description: 'Enable TCP/IP networking.'
+  - name: VXLAN
+    description: 'Required by the overlay networking in Kubernetes.'
+  - name: IP_SET
+    description: 'Required by Kubernetes network policy.'
+  - name: IP_SET_HASH_IP
+    description: 'This introduces hash:ip set type support, which is required
+      by Kubernetes Calico networking.'
+  - name: IPVLAN
+    description: 'Required by IPVLAN feature.'
+  - name: IPV6
+    description: 'Required by IPVLAN feature.'
+  - name: IP6_NF_IPTABLES
+    description: 'Required by kube-proxy.'
+  - name: IP_NF_TARGET_REDIRECT
+    alias:
+    - NETFILTER_XT_TARGET_REDIRECT
+    description: 'Enabled REDIRECT: all incoming connections are mapped onto
+      the incoming interface''s address, causing the packets to come to the
+      local machine instead of passing through. This is required by
+      kube-proxy.'
+  - name: NETFILTER_XT_MATCH_COMMENT
+    description: 'This option adds a "comment" dummy-match, which allows you to
+      put comments in your iptables ruleset. Today''s kube-proxy implementation
+      depends on this feature.'
+  # This is not critical, but debian-based container-vm kernel module study
+  # shows that many customers' nodes have loaded those kernel modules. We
+  # suspect sysdig module depends on these set of kernel modules for
+  # monitoring.
+  - name: PACKET_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+  - name: UNIX_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+  - name: INET_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+  - name: INET_TCP_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+  - name: INET_UDP_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+  - name: NETLINK_DIAG
+    description: 'Required by ss (similar to netstat) tools to display Linux
+      TCP / UDP network and socket information.'
+
+  # The configurations are required by filesystem.
+
+  - name: EXT4_FS
+  - name: DEBUG_FS
+  - name: PROC_FS
+  - name: XFS_FS
+  - name: SCSI_PROC_FS
+  # Currently Kubelet supports three docker graph drivers: overlay, aufs, and
+  # devicemapper due to the legacy reason. But for GKE, we plan to only support
+  # overlayfs. 
+  - name: OVERLAY_FS
+    description: 'Enable OverlayFS, which will be the only docker graph driver
+      supported on GKE.'
+  - name: NFS_FS
+    description: 'Required by NFS support.'
+  - name: AUTOFS4_FS
+    description: 'Required by NFS support.'
+  - name: NFS_FSCACHE
+    description: 'Required by NFS support.'
+  - name: FSCACHE
+    description: 'Required by NFS support.'
+  - name: CACHEFILES
+    description: 'Required by NFS support.'
+  - name: FUSE_FS
+    description: 'Required by GlusterFS support.'
+  - name: BCACHE
+    # TODO(yguo0905): Add a description for BCACHE.
+
+  # The configuration required by the resource isolation, accounting, and
+  # management.
+
+  - name: NAMESPACES
+    description: 'Required by kubelet and docker. Enabling it allows the
+      processes within a pod or a container to have their own view of the
+      system.'
+  - name: IPC_NS
+    description: 'Required by kubelet and docker. Enabling it allows the
+      processes within a pod or a container to have their own view of the
+      system.'
+  - name: NET_NS
+    description: 'Required by kubelet and docker. Enabling it allows the
+      processes within a pod or a container to have their own view of the
+      system.'
+  - name: PID_NS
+    description: 'Required by kubelet and docker. Enabling it allows the
+      processes within a pod or a container to have their own view of the
+      system.'
+  - name: UTS_NS
+    description: 'Required by kubelet and docker. Enabling it allows the
+      processes within a pod or a container to have their own view of the
+      system.'
+  - name: CGROUPS
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: CGROUP_CPUACCT
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: CGROUP_DEVICE
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: CGROUP_SCHED
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: CPUSETS
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: MEMCG
+    description: 'Required by kubelet and docker. The resource usage of the
+      processes within a pod or a container can be monitored, accounted, and
+      controlled.'
+  - name: QUOTA
+    description: 'Required by kubelet to have an accurate and efficient disk
+      space and inode accounting, and eventually to limit the usage.'
+
+  # The security-related configurations
+
+  - name: SECCOMP
+    description: 'Enabled the SECCOMP application API.'
+  - name: SECURITY_APPARMOR
+    description: 'Enable for AppArmor support.'
+  - name: CC_STACKPROTECTOR_STRONG
+    alias:
+    - CONFIG_CC_STACKPROTECTOR_REGULAR
+      CONFIG_CC_STACKPROTECTOR_ALL
+    description: 'Add the stack buffer overflow protections.'
+  - name: STRICT_DEVMEM
+    description: 'Required for blocking the direct physical memory access.'
+  - name: IMA
+    description: 'Required for security-related logging and auditing.'
+  - name: AUDIT
+    description: 'Required for security-related logging and auditing.'
+  - name: AUDITSYSCALL
+    description: 'Required for security-related logging and auditing.'
+
+  # Misc. configurations
+
+  - name: MODULES
+    description: 'Required for loadable module support.'
+  - name: PRINTK
+    description: 'Required for kernel logging message.'
+  - name: MMU
+    description: 'Required for memory management hardware and mmap() system
+      call.'
+
+packageSpecs:
+- name: apparmor
+  versionRange: '>=2.10.1'
+- name: apparmor-profiles
+  versionRange: '>=2.10.1'
+- name: audit
+  versionRange: '>=2.5.0'
+- name: autofs
+  versionRange: '>=5.0.7'
+- name: bash
+  versionRange: '>=4.3'
+- name: bridge-utils
+  versionRange: '>=1.5'
+- name: cloud-init
+  versionRange: '>=0.7.6'
+- name: coreutils
+  versionRange: '>=8.24'
+- name: dbus
+  versionRange: '>=1.6.8'
+- name: e2fsprogs
+  versionRange: '>=1.4.3'
+- name: ebtables
+  versionRange: '>=2.0.10'
+- name: ethtool
+  versionRange: '>=3.18'
+- name: iproute2
+  versionRange: '>=4.2.0'
+- name: less
+  versionRange: '>=481'
+- name: netcat-openbsd
+  versionRange: '>=1.10'
+- name: python
+  versionRange: '>=2.7.10'
+- name: pv
+  versionRange: '>=1.3.4'
+- name: sudo
+  versionRange: '>=1.8.12'
+- name: systemd
+  versionRange: '>=225'
+- name: tar
+  versionRange: '>=1.28'
+- name: util-linux
+  versionRange: '>=2.27.1'
+- name: wget
+  versionRange: '>=1.18'
+- name: gce-compute-image-packages
+  versionRange: '>=20170227'
+# TODO(yguo0905): Figure out whether watchdog is required.
+
+# packageSpecOverrides contains the OS distro specific package requirements.
+packageSpecOverrides:
+# The following overrides apply to all Ubuntu images.
+- osDistro: ubuntu
+  subtractions:
+  - name: apparmor-profiles
+    description: 'On Ubuntu the apparmor profiles are shipped with individual
+      application package, so the "apparmor-profiles" package is not required.'
+  - name: audit
+    description: 'On Ubuntu the equivalent package is called "auditd", so the
+      "audit" package is not required and "auditd" exists in the additions.'
+  - name: wget
+    description: 'The Ubuntu 1604-xenial image includes wget 1.17.1, which does
+      not satisfy the spec (>=1.18), but meets the functionality requirements.
+      Therefore, it is removed from the base spec. See wget in the additions.'
+  additions:
+  - name: auditd
+    versionRange: '>=2.4.5'
+    description: 'auditd 2.4.5 currently satisfies the requirements because the
+      GKE features that require auditd 2.5 are not yet available.'
+  - name: grub-common
+    versionRange: '>=2.2'
+    description: 'grub is the bootloader on Ubuntu.'
+  - name: wget
+    versionRange: '>=1.17.1'
+    description: 'wget 1.17.1 satisfies the functionality requirements but does
+      not meet the spec, which is fine'