Remove support for legacy IAM permissions

kubernetes · Jul 18, 2020 · 8cecb6b · 8cecb6b
1 parent be3e311
commit 8cecb6b
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 0 deletions.
diff --git a/docs/releases/1.18-NOTES.md b/docs/releases/1.18-NOTES.md
@@ -123,6 +123,8 @@
 
 * Support for the Romana networking provider is deprecated and will be removed in kops 1.19.
 
+* Support for legacy IAM permissions is deprecated and will be removed in kops 1.19.
+
 # Full change list since 1.17.0 release
 
 ## 1.17.0-alpha.1 to 1.18.0-alpha.1

diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md
@@ -33,6 +33,8 @@ has been updated by a newer version of kops unless it is given the `--allow-kops
 
 * Support for the Romana networking provider has been removed.
 
+* Support for legacy IAM permissions has been removed. This removal may be temporarily deferred to kops 1.20 by setting the `LegacyIAM` feature flag.
+
 # Required Actions
 
 # Deprecations

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -251,6 +251,7 @@ type Assets struct {
 
 // IAMSpec adds control over the IAM security policies applied to resources
 type IAMSpec struct {
+	// TODO: remove Legacy in next APIVersion
 	Legacy                 bool `json:"legacy"`
 	AllowContainerRegistry bool `json:"allowContainerRegistry,omitempty"`
 }

diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -179,6 +179,10 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 		}
 	}
 
+	if (spec.IAM == nil || spec.IAM.Legacy) && !featureflag.LegacyIAM.Enabled() {
+		allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "legacy"), "legacy IAM permissions are no longer supported"))
+	}
+
 	if spec.RollingUpdate != nil {
 		allErrs = append(allErrs, validateRollingUpdate(spec.RollingUpdate, fieldPath.Child("rollingUpdate"), false)...)
 	}

diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
@@ -353,6 +353,7 @@ func Test_Validate_AdditionalPolicies(t *testing.T) {
 					},
 				},
 			},
+			IAM: &kops.IAMSpec{},
 		}
 		errs := validateClusterSpec(clusterSpec, &kops.Cluster{Spec: *clusterSpec}, field.NewPath("spec"))
 		testErrors(t, g.Input, errs, g.ExpectedErrors)

diff --git a/pkg/featureflag/featureflag.go b/pkg/featureflag/featureflag.go
@@ -90,6 +90,8 @@ var (
 	TerraformJSON = New("TerraformJSON", Bool(false))
 	// Terraform012 will output terraform in the 0.12 (hcl2) syntax
 	Terraform012 = New("Terraform-0.12", Bool(true))
+	// LegacyIAM will permit use of legacy IAM permissions.
+	LegacyIAM = New("LegacyIAM", Bool(false))
 )
 
 // FeatureFlag defines a feature flag
-Original file line number
+Diff line change
@@ Expand Up / @@ -353,6 +353,7 @@ func Test_Validate_AdditionalPolicies(t *testing.T) { @@
     					},
     				},
     			},
+    			IAM: &kops.IAMSpec{},
     		}
     		errs := validateClusterSpec(clusterSpec, &kops.Cluster{Spec: *clusterSpec}, field.NewPath("spec"))
     		testErrors(t, g.Input, errs, g.ExpectedErrors)
@@ Expand Down @@