From 8cecb6be47dc1aa1f38134243078f7760e14c692 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Fri, 3 Jul 2020 21:08:09 -0700
Subject: [PATCH] Remove support for legacy IAM permissions

---
 docs/releases/1.18-NOTES.md | 2 ++
 docs/releases/1.19-NOTES.md | 2 ++
 pkg/apis/kops/cluster.go | 1 +
 pkg/apis/kops/validation/validation.go | 4 ++++
 pkg/apis/kops/validation/validation_test.go | 1 +
 pkg/featureflag/featureflag.go | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/docs/releases/1.18-NOTES.md b/docs/releases/1.18-NOTES.md
index ee550eb47a74d..c1b753319747c 100644
--- a/docs/releases/1.18-NOTES.md
+++ b/docs/releases/1.18-NOTES.md
@@ -123,6 +123,8 @@
 * Support for the Romana networking provider is deprecated and will be removed in kops 1.19.
+* Support for legacy IAM permissions is deprecated and will be removed in kops 1.19.
+
 # Full change list since 1.17.0 release
 ## 1.17.0-alpha.1 to 1.18.0-alpha.1
diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md
index b787330d591e8..7779ed0250842 100644
--- a/docs/releases/1.19-NOTES.md
+++ b/docs/releases/1.19-NOTES.md
@@ -33,6 +33,8 @@ has been updated by a newer version of kops unless it is given the `--allow-kops
 * Support for the Romana networking provider has been removed.
+* Support for legacy IAM permissions has been removed. This removal may be temporarily deferred to kops 1.20 by setting the `LegacyIAM` feature flag.
+
 # Required Actions
 # Deprecations
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index 09f2ac09b5f94..325fb64834bf5 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -251,6 +251,7 @@ type Assets struct {
 // IAMSpec adds control over the IAM security policies applied to resources
 type IAMSpec struct {
+	// TODO: remove Legacy in next APIVersion
 	Legacy bool `json:"legacy"`
 	AllowContainerRegistry bool `json:"allowContainerRegistry,omitempty"`
 }
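Review bot: The `Legacy` field in IAMSpec still has no doc comment, and the TODO added above it is invisible to API consumers; Go tooling (staticcheck, gopls) only surfaces deprecation from a `// Deprecated:` paragraph on the declaration. Suggest a doc comment such as `// Legacy selects the legacy IAM permission set.` followed by `// Deprecated: legacy IAM permissions are no longer supported; set this to false. The field is slated for removal in the next APIVersion.` The TODO can stay for maintainers, but the Deprecated marker is what downstream code and editors actually see. The IAMSpec struct is shown in full in the hunk; its surrounding file is not.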
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 15017a43402ef..b6637b5aee893 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -179,6 +179,10 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 		}
 	}
+	if (spec.IAM == nil || spec.IAM.Legacy) && !featureflag.LegacyIAM.Enabled() {
+		allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "legacy"), "legacy IAM permissions are no longer supported"))
+	}
+
 	if spec.RollingUpdate != nil {
 		allErrs = append(allErrs, validateRollingUpdate(spec.RollingUpdate, fieldPath.Child("rollingUpdate"), false)...)
 	}
diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
index d5e947d1b57e7..bb86d39f31b4e 100644
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@@ -353,6 +353,7 @@ func Test_Validate_AdditionalPolicies(t *testing.T) {
 				},
 			},
 		},
+		IAM: &kops.IAMSpec{},
 	}
 	errs := validateClusterSpec(clusterSpec, &kops.Cluster{Spec: *clusterSpec}, field.NewPath("spec"))
 	testErrors(t, g.Input, errs, g.ExpectedErrors)
diff --git a/pkg/featureflag/featureflag.go b/pkg/featureflag/featureflag.go
index 8dacf3c6676af..a516976b9bbbe 100644
--- a/pkg/featureflag/featureflag.go
+++ b/pkg/featureflag/featureflag.go
@@ -90,6 +90,8 @@ var (
 	TerraformJSON = New("TerraformJSON", Bool(false))
 	// Terraform012 will output terraform in the 0.12 (hcl2) syntax
 	Terraform012 = New("Terraform-0.12", Bool(true))
+	// LegacyIAM will permit use of legacy IAM permissions.
+	LegacyIAM = New("LegacyIAM", Bool(false))
 )
 // FeatureFlag defines a feature flag
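Review bot: The new Forbidden error says what is rejected but not how to remediate, and it also fires when `spec.IAM` is nil, where the reported path `spec.iam.legacy` does not exist in the operator's manifest, so the path alone will not lead them to a fix. Suggest making the message actionable, e.g. `"legacy IAM permissions are no longer supported; set spec.iam.legacy to false (the LegacyIAM feature flag temporarily defers this check)"`. Treating a missing `iam` block as legacy appears deliberate (older manifests without the block presumably ran with legacy permissions), and a one-line comment above the condition stating that intent would keep a future maintainer from "fixing" it into a nil check. validateClusterSpec begins and ends outside this hunk.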
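Review bot: The only test change opts an unrelated test out of the new check by adding `IAM: &kops.IAMSpec{}`; nothing in the commit asserts the new validation itself. The validation tests should gain cases for the three branches the new condition has — `IAM` nil, `Legacy: true`, and `Legacy: true` with the `LegacyIAM` feature flag enabled — expecting a Forbidden error at `spec.iam.legacy` for the first two and no error for the third. Without that, a later refactor could silently drop a check whose whole purpose is to stop clusters from being created with the legacy IAM permission set. Test_Validate_AdditionalPolicies begins before this hunk.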
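Review bot: The doc comment on `LegacyIAM` does not say that the flag is a temporary escape hatch, even though the 1.19 release notes in this same commit describe it as deferring the removal only until kops 1.20. Suggest `// LegacyIAM permits use of legacy IAM permissions. It is a temporary escape hatch for the removal in kops 1.19 and is expected to be dropped in kops 1.20; prefer setting spec.iam.legacy to false instead.` Recording the removal horizon at the flag definition keeps it visible to whoever next touches this file, not only to readers of the release notes. The enclosing `var (` block starts before this hunk.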