From ca3519c7adab28a00c57da99b92b8d03d13b674d Mon Sep 17 00:00:00 2001
From: Gustavo Paiva
Date: Thu, 20 Jun 2019 00:06:02 -0300
Subject: [PATCH 1/2] Clean up selft-set node labels

---
 cluster/addons/ip-masq-agent/ip-masq-agent.yaml | 3 +--
 cluster/addons/kube-proxy/kube-proxy-ds.yaml | 3 +--
 cluster/addons/metadata-proxy/gce/metadata-proxy.yaml | 3 +--
 cluster/gce/config-default.sh | 2 --
 cluster/gce/config-test.sh | 2 --
 cluster/gce/util.sh | 3 +--
 6 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
index efa6fe30034..18dc76ad284 100644
--- a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
+++ b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
@@ -46,8 +46,7 @@ spec:
 - name: config
 mountPath: /etc/config
 nodeSelector:
- # TODO(liggitt): switch to node.kubernetes.io/masq-agent-ds-ready in 1.16
- beta.kubernetes.io/masq-agent-ds-ready: "true"
+ node.kubernetes.io/masq-agent-ds-ready: "true"
 volumes:
 - name: config
 configMap:
diff --git a/cluster/addons/kube-proxy/kube-proxy-ds.yaml b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
index fb28b02a4c8..910591e4216 100644
--- a/cluster/addons/kube-proxy/kube-proxy-ds.yaml
+++ b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
@@ -27,8 +27,7 @@ spec:
 priorityClassName: system-node-critical
 hostNetwork: true
 nodeSelector:
- # TODO(liggitt): switch to node.kubernetes.io/kube-proxy-ds-ready in 1.16
- beta.kubernetes.io/kube-proxy-ds-ready: "true"
+ node.kubernetes.io/kube-proxy-ds-ready: "true"
 tolerations:
 - operator: "Exists"
 effect: "NoExecute"
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
index cbe373657e9..f5b9ba720c7 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
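Review bot: The `nodeSelector` in ip-masq-agent.yaml now matches only `node.kubernetes.io/masq-agent-ds-ready`, and no hunk in this series shows that label being applied to nodes, so it is worth confirming the node-label setup already sets it; otherwise the DaemonSet schedules nowhere. The same selector-only switch is made in kube-proxy-ds.yaml and metadata-proxy.yaml, and any node that still carries just the old `beta.kubernetes.io/...` label during a rolling upgrade will silently lose those pods. For metadata-proxy that presumably means pods on such a node reach the metadata server without the concealment proxy in front of it, so a release note or a pre-upgrade check that every node has `cloud.google.com/metadata-proxy-ready=true` would be prudent. A one-line comment above each selector naming where the label is set (for kube-proxy, `build-linux-node-labels` in cluster/gce/util.sh) would make the coupling visible.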
@@ -88,7 +88,6 @@ spec:
 fieldPath: metadata.namespace
 # END_PROMETHEUS_TO_SD
 nodeSelector:
- # TODO(liggitt): switch to cloud.google.com/metadata-proxy-ready=true in v1.16
- beta.kubernetes.io/metadata-proxy-ready: "true"
+ cloud.google.com/metadata-proxy-ready: "true"
 beta.kubernetes.io/os: linux
 terminationGracePeriodSeconds: 30
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index d38723996e2..32e2c35d5af 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -220,8 +220,6 @@ METADATA_CONCEALMENT_NO_FIREWALL="${METADATA_CONCEALMENT_NO_FIREWALL:-false}" #
 if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
 # Put the necessary label on the node so the daemonset gets scheduled.
 NODE_LABELS="${NODE_LABELS},cloud.google.com/metadata-proxy-ready=true"
- # TODO(liggitt): remove this in v1.16
- NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
 # Add to the provider custom variables.
 PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
 fi
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index b2ce6d5703a..9c47bdd7caf 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -260,8 +260,6 @@ METADATA_CONCEALMENT_NO_FIREWALL="${METADATA_CONCEALMENT_NO_FIREWALL:-false}" #
 if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
 # Put the necessary label on the node so the daemonset gets scheduled.
 NODE_LABELS="${NODE_LABELS},cloud.google.com/metadata-proxy-ready=true"
- # TODO(liggitt): remove this in v1.16
- NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
 # Add to the provider custom variables.
 PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
 fi
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 815efd390ba..e4939c77255 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -611,8 +611,7 @@ function build-linux-node-labels {
 if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" && "${master}" != "true" ]]; then
 # Add kube-proxy daemonset label to node to avoid situation during cluster
 # upgrade/downgrade when there are two instances of kube-proxy running on a node.
- # TODO(liggitt): drop beta.kubernetes.io/kube-proxy-ds-ready in 1.16
- node_labels="node.kubernetes.io/kube-proxy-ds-ready=true,beta.kubernetes.io/kube-proxy-ds-ready=true"
+ node_labels="node.kubernetes.io/kube-proxy-ds-ready=true"
 fi
 if [[ -n "${NODE_LABELS:-}" ]]; then
 node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"

From 096bd5f5d86cb0f2003432350d840505c8194255 Mon Sep 17 00:00:00 2001
From: Gustavo Paiva
Date: Wed, 26 Jun 2019 19:24:30 -0300
Subject: [PATCH 2/2] block not allowed node labels on kubelet

---
 cmd/kubelet/app/options/options.go | 5 +--
 cmd/kubelet/app/options/options_test.go | 45 +++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 69139621fd6..8d61426cedf 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -30,7 +30,6 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 cliflag "k8s.io/component-base/cli/flag"
- "k8s.io/klog"
 "k8s.io/kubelet/config/v1beta1"
 "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/pkg/features"
@@ -247,9 +246,7 @@ func ValidateKubeletFlags(f *KubeletFlags) error {
 }
 }
 if len(unknownLabels) > 0 {
- // TODO(liggitt): in 1.16, return an error
- klog.Warningf("unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: %v", unknownLabels.List())
- klog.Warningf("in 1.16, --node-labels in the 'kubernetes.io' namespace must begin with an allowed prefix (%s) or be in the specifically allowed set (%s)", strings.Join(kubeletapis.KubeletLabelNamespaces(), ", "), strings.Join(kubeletapis.KubeletLabels(), ", "))
+ return fmt.Errorf("unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: %v\n--node-labels in the 'kubernetes.io' namespace must begin with an allowed prefix (%s) or be in the specifically allowed set (%s)", unknownLabels.List(), strings.Join(kubeletapis.KubeletLabelNamespaces(), ", "), strings.Join(kubeletapis.KubeletLabels(), ", "))
 }

 return nil
diff --git a/cmd/kubelet/app/options/options_test.go b/cmd/kubelet/app/options/options_test.go
index 1c976658129..dd78175e595 100644
--- a/cmd/kubelet/app/options/options_test.go
+++ b/cmd/kubelet/app/options/options_test.go
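Review bot: The new `fmt.Errorf` string in the `len(unknownLabels) > 0` branch of options.go embeds `\n` and a second sentence, so the kubelet's startup failure is split across two log lines and is harder to match in log pipelines. A single-line message carries the same information: `return fmt.Errorf("unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: %v; labels in these namespaces must begin with an allowed prefix (%s) or be in the specifically allowed set (%s)", ...)` with the arguments unchanged. Because a warning becomes a refusal to start, a comment above the return such as `// Hard error: the kubelet may only self-set labels from the allowed prefixes and the allowed set.` would record the intent. This check runs inside the kubelet, so it presumably guards against misconfiguration only; restricting what a node may label itself with still has to be enforced on the API server side, which is not visible in this patch. ValidateKubeletFlags begins and ends outside the hunk.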
@@ -145,3 +145,48 @@ func asArgs(fn, defaultFn func(*pflag.FlagSet)) []string {
 })
 return args
 }
+
+func TestValidateKubeletFlags(t *testing.T) {
+ tests := []struct {
+ name string
+ error bool
+ labels map[string]string
+ }{
+ {
+ name: "Invalid kubernetes.io label",
+ error: true,
+ labels: map[string]string{
+ "beta.kubernetes.io/metadata-proxy-ready": "true",
+ },
+ },
+ {
+ name: "Valid label outside of kubernetes.io and k8s.io",
+ error: false,
+ labels: map[string]string{
+ "cloud.google.com/metadata-proxy-ready": "true",
+ },
+ },
+ {
+ name: "Empty label list",
+ error: false,
+ labels: map[string]string{},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ err := ValidateKubeletFlags(&KubeletFlags{
+ NodeLabels: tt.labels,
+ })
+
+ if tt.error && err == nil {
+ t.Errorf("ValidateKubeletFlags should have failed with labels: %+v", tt.labels)
+ }
+
+ if !tt.error && err != nil {
+ t.Errorf("ValidateKubeletFlags should not have failed with labels: %+v", tt.labels)
+ }
+ })
+ }
+
+}
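Review bot: The table in TestValidateKubeletFlags has no case for a label that sits inside the restricted namespaces but is allowed, and none for the `k8s.io` namespace, so the test would still pass if the check rejected every `kubernetes.io` label or ignored `k8s.io` entirely. Patch 1/2 depends on `node.kubernetes.io/kube-proxy-ds-ready` being accepted, which presumably means `node.kubernetes.io` is one of the allowed prefixes; a positive case for it and a negative `k8s.io` case would pin both sides of the rule. The unexpected-error branch should also report the error itself, `t.Errorf("ValidateKubeletFlags should not have failed with labels: %+v: %v", tt.labels, err)`.

```go
		// … unchanged: "Invalid kubernetes.io label" case …
		{
			name:  "Invalid k8s.io label",
			error: true,
			labels: map[string]string{
				"example.k8s.io/role": "true", // constructed sample label
			},
		},
		{
			name:  "Valid label under an allowed kubernetes.io prefix",
			error: false,
			labels: map[string]string{
				"node.kubernetes.io/kube-proxy-ds-ready": "true",
			},
		},
		// … unchanged: remaining cases and the t.Run loop …
```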