Merge pull request #730 from vinayakankugoyal/byebye

Remove all GKE specific code from gcp-controller-manager.

Author: k8s-ci-robot

cloudbuild.yaml

@@ -9,18 +9,6 @@ steps:
       - IMAGE_REPO=${_IMAGE_REPO}
       - IMAGE_TAG=${_PULL_BASE_REF}
     entrypoint: tools/push-images
-  # build gke-exec-auth-plugin binary
-  - name: 'gcr.io/cloud-builders/bazel'
-    args:
-      - --output_user_root=/workspace/bazel-root
-      - --output_base=/workspace/bazel-base-linux-amd64
-      - build
-      - //cmd/gke-exec-auth-plugin
-  - name: 'gcr.io/cloud-builders/gsutil'
-    args:
-      - cp
-      - /workspace/bazel-base-linux-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin
-      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/linux-amd64/${_GIT_TAG}
   # build gke-gcloud-auth-plugin binary
   - name: 'gcr.io/cloud-builders/bazel'
     args:
@@ -45,19 +33,6 @@ steps:
       - cp
       - /workspace/bazel-base-linux-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/auth-provider-gcp/auth-provider-gcp_/auth-provider-gcp
       - gs://k8s-staging-cloud-provider-gcp/auth-provider-gcp/linux-amd64/${_GIT_TAG}
-  # build gke-exec-auth-plugin binary
-  - name: 'gcr.io/cloud-builders/bazel'
-    args:
-      - --output_user_root=/workspace/bazel-root
-      - --output_base=/workspace/bazel-base-linux-arm64
-      - build
-      - --platforms=@io_bazel_rules_go//go/toolchain:linux_arm64
-      - //cmd/gke-exec-auth-plugin
-  - name: 'gcr.io/cloud-builders/gsutil'
-    args:
-      - cp
-      - /workspace/bazel-base-linux-arm64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin
-      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/linux-arm64/${_GIT_TAG}
   # build gke-gcloud-auth-plugin binary
   - name: 'gcr.io/cloud-builders/bazel'
     args:
@@ -84,19 +59,6 @@ steps:
       - cp
       - /workspace/bazel-base-linux-arm64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/auth-provider-gcp/auth-provider-gcp_/auth-provider-gcp
       - gs://k8s-staging-cloud-provider-gcp/auth-provider-gcp/linux-arm64/${_GIT_TAG}
-  # build gke-exec-auth-plugin binary
-  - name: 'gcr.io/cloud-builders/bazel'
-    args:
-      - --output_user_root=/workspace/bazel-root
-      - --output_base=/workspace/bazel-base-windows-amd64
-      - build
-      - --platforms=@io_bazel_rules_go//go/toolchain:windows_amd64
-      - //cmd/gke-exec-auth-plugin
-  - name: 'gcr.io/cloud-builders/gsutil'
-    args:
-      - cp
-      - /workspace/bazel-base-windows-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin.exe
-      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/windows-amd64/${_GIT_TAG}
   # build gke-gcloud-auth-plugin binary
   - name: 'gcr.io/cloud-builders/bazel'
     args:

cmd/gcp-controller-manager/BUILD

@@ -46,11 +46,8 @@ go_library(
         "//cmd/gcp-controller-manager/healthz",
         "//pkg/clientauthplugin/gcp",
         "//pkg/csrmetrics",
-        "//pkg/nodeidentity",
-        "//pkg/tpmattest",
         "//providers/gce",
         "//vendor/cloud.google.com/go/compute/metadata",
-        "//vendor/github.com/google/go-tpm/tpm2",
         "//vendor/github.com/prometheus/client_golang/prometheus/promhttp",
         "//vendor/github.com/spf13/pflag",
         "//vendor/golang.org/x/oauth2",
@@ -123,10 +120,8 @@ go_test(
     embed = [":gcp-controller-manager_lib"],
     deps = [
         "//pkg/nodeidentity",
-        "//pkg/tpmattest",
         "//vendor/github.com/google/go-cmp/cmp",
         "//vendor/github.com/google/go-cmp/cmp/cmpopts",
-        "//vendor/github.com/google/go-tpm/tpm2",
         "//vendor/google.golang.org/api/compute/v0.beta:v0_beta",
         "//vendor/google.golang.org/api/compute/v1:compute",
         "//vendor/google.golang.org/api/container/v1:container",

cmd/gcp-controller-manager/csr_signer.go

@@ -69,7 +69,7 @@ func newGKESigner(ctx *controllerContext) (*gkeSigner, error) {
 		webhook:      webhook,
 		ctx:          ctx,
 		retryBackoff: ClusterSigningGKERetryBackoff,
-		validators:   csrValidators(ctx),
+		validators:   csrValidators(),
 	}, nil
 }
 

cmd/gcp-controller-manager/loops.go

@@ -41,9 +41,6 @@ type controllerContext struct {
 	recorder                              record.EventRecorder
 	gcpCfg                                gcpConfig
 	clusterSigningGKEKubeconfig           string
-	csrApproverVerifyClusterMembership    bool
-	csrApproverAllowLegacyKubelet         bool
-	csrApproverListReferrersConfig        gceInstanceListReferrersConfig
 	authAuthorizeServiceAccountMappingURL string
 	authSyncNodeURL                       string
 	hmsAuthorizeSAMappingURL              string

cmd/gcp-controller-manager/main.go

@@ -60,28 +60,23 @@ const (
 )
 
 var (
-	port                                    = pflag.Int("port", 8089, "Port to serve status endpoints on (such as /healthz and /metrics).")
-	metricsPort                             = pflag.Int("metrics-port", 8089, "Deprecated. Port to expose Prometheus metrics on. If not set, uses the value of --port.")
-	kubeconfig                              = pflag.String("kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
-	clusterSigningGKEKubeconfig             = pflag.String("cluster-signing-gke-kubeconfig", "", "If set, use the kubeconfig file to call GKE to sign cluster-scoped certificates instead of using a local private key.")
-	gceConfigPath                           = pflag.String("gce-config", "/etc/gce.conf", "Path to gce.conf.")
-	controllers                             = pflag.StringSlice("controllers", []string{"*"}, "Controllers to enable. Possible controllers are: "+strings.Join(loopNames(), ",")+".")
-	csrApproverVerifyClusterMembership      = pflag.Bool("csr-validate-cluster-membership", true, "Validate that VMs requesting CSRs belong to current GKE cluster.")
-	csrApproverAllowLegacyKubelet           = pflag.Bool("csr-allow-legacy-kubelet", true, "Allow legacy kubelet bootstrap flow.")
-	csrApproverUseGCEInstanceListReferrers  = pflag.Bool("csr-use-gce-instance-list-referrers", false, "If true use https://cloud.google.com/compute/docs/reference/rest/v1/instances/listReferrers to validate instance cluster membership.")
-	csrApproverListReferrersInitialInterval = pflag.Duration("csr-gce-list-referrers-initial-interval", 5*time.Second, "Initial interval of the exponential back-off retries for calls to listReferrers, exponential factor is set to 1.5, defaults to 5s.")
-	csrApproverListReferrersRetryCount      = pflag.Int("csr-gce-list-referrers-retry-count", 10, "Maximal number of retries in exponential back-off for calls to listReferrers, defaults to 10")
-	gceAPIEndpointOverride                  = pflag.String("gce-api-endpoint-override", "", "If set, talks to a different GCE API Endpoint. By default it talks to https://www.googleapis.com/compute/v1/projects/")
-	directPath                              = pflag.Bool("direct-path", false, "Enable Direct Path.")
-	authAuthorizeServiceAccountMappingURL   = pflag.String("auth-authorize-service-account-mapping-url", "", "URL for reaching the Auth Service AuthorizeServiceAccountMapping API.")
-	authSyncNodeURL                         = pflag.String("auth-sync-node-url", "", "URL for reaching the Auth Service SyncNode API.")
-	hmsAuthorizeSAMappingURL                = pflag.String("hms-authorize-sa-mapping-url", "", "URL for reaching the Hosted Master Service AuthorizeSAMapping API.")
-	hmsSyncNodeURL                          = pflag.String("hms-sync-node-url", "", "URL for reaching the Hosted Master Service SyncNode API.")
-	kubeletReadOnlyCSRApprover              = pflag.Bool("kubelet-read-only-csr-approver", false, "Enable kubelet readonly csr approver or not")
-	autopilotEnabled                        = pflag.Bool("autopilot", false, "Is this a GKE Autopilot cluster.")
-	clearStalePodsOnNodeRegistration        = pflag.Bool("clearStalePodsOnNodeRegistration", false, "If true, after node registration, delete pods bound to old node.")
-	kubeconfigQPS                           = pflag.Float32("kubeconfig-qps", 100, "QPS to use while talking with kube-apiserver.")
-	kubeconfigBurst                         = pflag.Int("kubeconfig-burst", 200, "Burst to use while talking with kube-apiserver.")
+	port                                  = pflag.Int("port", 8089, "Port to serve status endpoints on (such as /healthz and /metrics).")
+	metricsPort                           = pflag.Int("metrics-port", 8089, "Deprecated. Port to expose Prometheus metrics on. If not set, uses the value of --port.")
+	kubeconfig                            = pflag.String("kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
+	clusterSigningGKEKubeconfig           = pflag.String("cluster-signing-gke-kubeconfig", "", "If set, use the kubeconfig file to call GKE to sign cluster-scoped certificates instead of using a local private key.")
+	gceConfigPath                         = pflag.String("gce-config", "/etc/gce.conf", "Path to gce.conf.")
+	controllers                           = pflag.StringSlice("controllers", []string{"*"}, "Controllers to enable. Possible controllers are: "+strings.Join(loopNames(), ",")+".")
+	gceAPIEndpointOverride                = pflag.String("gce-api-endpoint-override", "", "If set, talks to a different GCE API Endpoint. By default it talks to https://www.googleapis.com/compute/v1/projects/")
+	directPath                            = pflag.Bool("direct-path", false, "Enable Direct Path.")
+	authAuthorizeServiceAccountMappingURL = pflag.String("auth-authorize-service-account-mapping-url", "", "URL for reaching the Auth Service AuthorizeServiceAccountMapping API.")
+	authSyncNodeURL                       = pflag.String("auth-sync-node-url", "", "URL for reaching the Auth Service SyncNode API.")
+	hmsAuthorizeSAMappingURL              = pflag.String("hms-authorize-sa-mapping-url", "", "URL for reaching the Hosted Master Service AuthorizeSAMapping API.")
+	hmsSyncNodeURL                        = pflag.String("hms-sync-node-url", "", "URL for reaching the Hosted Master Service SyncNode API.")
+	kubeletReadOnlyCSRApprover            = pflag.Bool("kubelet-read-only-csr-approver", false, "Enable kubelet readonly csr approver or not")
+	autopilotEnabled                      = pflag.Bool("autopilot", false, "Is this a GKE Autopilot cluster.")
+	clearStalePodsOnNodeRegistration      = pflag.Bool("clearStalePodsOnNodeRegistration", false, "If true, after node registration, delete pods bound to old node.")
+	kubeconfigQPS                         = pflag.Float32("kubeconfig-qps", 100, "QPS to use while talking with kube-apiserver.")
+	kubeconfigBurst                       = pflag.Int("kubeconfig-burst", 200, "Burst to use while talking with kube-apiserver.")
 )
 
 func main() {
@@ -106,17 +101,10 @@ func main() {
 	logs.InitLogs()
 
 	s := &controllerManager{
-		clusterSigningGKEKubeconfig:        *clusterSigningGKEKubeconfig,
-		gceConfigPath:                      *gceConfigPath,
-		gceAPIEndpointOverride:             *gceAPIEndpointOverride,
-		controllers:                        *controllers,
-		csrApproverVerifyClusterMembership: *csrApproverVerifyClusterMembership,
-		csrApproverAllowLegacyKubelet:      *csrApproverAllowLegacyKubelet,
-		csrApproverListReferrersConfig: gceInstanceListReferrersConfig{
-			enabled:         *csrApproverUseGCEInstanceListReferrers,
-			initialInterval: *csrApproverListReferrersInitialInterval,
-			retryCount:      *csrApproverListReferrersRetryCount,
-		},
+		clusterSigningGKEKubeconfig:           *clusterSigningGKEKubeconfig,
+		gceConfigPath:                         *gceConfigPath,
+		gceAPIEndpointOverride:                *gceAPIEndpointOverride,
+		controllers:                           *controllers,
 		leaderElectionConfig:                  *leConfig,
 		authAuthorizeServiceAccountMappingURL: *authAuthorizeServiceAccountMappingURL,
 		authSyncNodeURL:                       *authSyncNodeURL,
@@ -176,9 +164,6 @@ type controllerManager struct {
 	gceConfigPath                         string
 	gceAPIEndpointOverride                string
 	controllers                           []string
-	csrApproverVerifyClusterMembership    bool
-	csrApproverAllowLegacyKubelet         bool
-	csrApproverListReferrersConfig        gceInstanceListReferrersConfig
 	leaderElectionConfig                  componentbaseconfig.LeaderElectionConfiguration
 	authAuthorizeServiceAccountMappingURL string
 	authSyncNodeURL                       string
@@ -197,13 +182,6 @@ type controllerManager struct {
 	healthz              *healthz.Handler
 }
 
-// gceInstanceListReferrersConfig configuration on the ListReferrers retry logic.
-type gceInstanceListReferrersConfig struct {
-	enabled         bool
-	initialInterval time.Duration
-	retryCount      int
-}
-
 func (s *controllerManager) isEnabled(name string) bool {
 	var star bool
 	for _, controller := range s.controllers {
@@ -255,9 +233,6 @@ func run(s *controllerManager) error {
 				}),
 				gcpCfg:                                s.gcpConfig,
 				clusterSigningGKEKubeconfig:           s.clusterSigningGKEKubeconfig,
-				csrApproverVerifyClusterMembership:    s.csrApproverVerifyClusterMembership,
-				csrApproverAllowLegacyKubelet:         s.csrApproverAllowLegacyKubelet,
-				csrApproverListReferrersConfig:        s.csrApproverListReferrersConfig,
 				authAuthorizeServiceAccountMappingURL: s.authAuthorizeServiceAccountMappingURL,
 				authSyncNodeURL:                       s.authSyncNodeURL,
 				hmsAuthorizeSAMappingURL:              s.hmsAuthorizeSAMappingURL,