Skip to content

Commit

Permalink
Merge pull request #10233 from hakman/automated-cherry-pick-of-#10217…
Browse files Browse the repository at this point in the history
…-upstream-release-1.19

Automated cherry pick of #10217: Fix various nits
  • Loading branch information
k8s-ci-robot authored Nov 13, 2020
2 parents c4acdc7 + 025d099 commit 2d10bd4
Show file tree
Hide file tree
Showing 7 changed files with 52 additions and 25 deletions.
2 changes: 1 addition & 1 deletion pkg/apis/kops/validation/instancegroup.go
Original file line number Diff line number Diff line change
Expand Up @@ -248,7 +248,7 @@ func validateInstanceProfile(v *kops.IAMProfileSpec, fldPath *field.Path) field.
if v != nil && v.Profile != nil {
instanceProfileARN := *v.Profile
parsedARN, err := arn.Parse(instanceProfileARN)
if err != nil || !strings.HasPrefix(parsedARN.Resource, "instance-profile") {
if err != nil || !strings.HasPrefix(parsedARN.Resource, "instance-profile/") {
allErrs = append(allErrs, field.Invalid(fldPath.Child("profile"), instanceProfileARN,
"Instance Group IAM Instance Profile must be a valid aws arn such as arn:aws:iam::123456789012:instance-profile/KopsExampleRole"))
}
Expand Down
48 changes: 37 additions & 11 deletions pkg/apis/kops/validation/validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,21 +23,21 @@ import (
"regexp"
"strings"

"github.com/aws/aws-sdk-go/aws/arn"
"github.com/blang/semver/v4"
"golang.org/x/net/ipv4"
"golang.org/x/net/ipv6"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/kops/pkg/featureflag"
"k8s.io/kops/upup/pkg/fi"

"k8s.io/apimachinery/pkg/api/validation"
"k8s.io/apimachinery/pkg/util/intstr"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/sets"
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/featureflag"
"k8s.io/kops/pkg/model/components"
"k8s.io/kops/pkg/model/iam"
"k8s.io/kops/upup/pkg/fi"
)

func newValidateCluster(cluster *kops.Cluster) field.ErrorList {
Expand Down Expand Up @@ -158,12 +158,18 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
allErrs = append(allErrs, validateNodeTerminationHandler(c, spec.NodeTerminationHandler, fieldPath.Child("nodeTerminationHandler"))...)
}

// IAM additionalPolicies
// IAM additional policies
if spec.AdditionalPolicies != nil {
for k, v := range *spec.AdditionalPolicies {
allErrs = append(allErrs, validateAdditionalPolicy(k, v, fieldPath.Child("additionalPolicies"))...)
}
}
// IAM external policies
if spec.ExternalPolicies != nil {
for k, v := range *spec.ExternalPolicies {
allErrs = append(allErrs, validateExternalPolicies(k, v, fieldPath.Child("externalPolicies"))...)
}
}

// EtcdClusters
{
Expand Down Expand Up @@ -798,31 +804,51 @@ func validateNetworkingGCE(c *kops.ClusterSpec, v *kops.GCENetworkingSpec, fldPa
}

func validateAdditionalPolicy(role string, policy string, fldPath *field.Path) field.ErrorList {
errs := field.ErrorList{}
allErrs := field.ErrorList{}

var valid []string
for _, r := range kops.AllInstanceGroupRoles {
valid = append(valid, strings.ToLower(string(r)))
}
errs = append(errs, IsValidValue(fldPath, &role, valid)...)
allErrs = append(allErrs, IsValidValue(fldPath, &role, valid)...)

statements, err := iam.ParseStatements(policy)
if err != nil {
errs = append(errs, field.Invalid(fldPath.Key(role), policy, "policy was not valid JSON: "+err.Error()))
allErrs = append(allErrs, field.Invalid(fldPath.Key(role), policy, "policy was not valid JSON: "+err.Error()))
}

// Trivial validation of policy, mostly to make sure it isn't some other random object
for i, statement := range statements {
fldEffect := fldPath.Key(role).Index(i).Child("Effect")
if statement.Effect == "" {
errs = append(errs, field.Required(fldEffect, "Effect must be specified for IAM policy"))
allErrs = append(allErrs, field.Required(fldEffect, "Effect must be specified for IAM policy"))
} else {
value := string(statement.Effect)
errs = append(errs, IsValidValue(fldEffect, &value, []string{"Allow", "Deny"})...)
allErrs = append(allErrs, IsValidValue(fldEffect, &value, []string{"Allow", "Deny"})...)
}
}

return allErrs
}

func validateExternalPolicies(role string, policies []string, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}

var valid []string
for _, r := range kops.AllInstanceGroupRoles {
valid = append(valid, strings.ToLower(string(r)))
}
allErrs = append(allErrs, IsValidValue(fldPath, &role, valid)...)

for _, policy := range policies {
parsedARN, err := arn.Parse(policy)
if err != nil || !strings.HasPrefix(parsedARN.Resource, "policy/") {
allErrs = append(allErrs, field.Invalid(fldPath.Child(role), policy,
"Policy must be a valid AWS ARN such as arn:aws:iam::123456789012:policy/KopsExamplePolicy"))
}
}

return errs
return allErrs
}

func validateEtcdClusterSpec(spec kops.EtcdClusterSpec, c *kops.Cluster, fieldPath *field.Path) field.ErrorList {
Expand Down
10 changes: 5 additions & 5 deletions pkg/resources/aws/aws.go
Original file line number Diff line number Diff line change
Expand Up @@ -575,13 +575,13 @@ func DeleteVolume(cloud fi.Cloud, r *resources.Resource) error {
}
_, err := c.EC2().DeleteVolume(request)
if err != nil {
if IsDependencyViolation(err) {
return err
}
if awsup.AWSErrorCode(err) == "InvalidVolume.NotFound" {
// Concurrently deleted
klog.V(2).Infof("Got InvalidVolume.NotFound error deleting Volume %q; will treat as already-deleted", id)
return nil
}
if IsDependencyViolation(err) {
return err
}
return fmt.Errorf("error deleting Volume %q: %v", id, err)
}
return nil
Expand Down Expand Up @@ -1744,7 +1744,7 @@ func DeleteElasticIP(cloud fi.Cloud, t *resources.Resource) error {
_, err := c.EC2().ReleaseAddress(request)
if err != nil {
if awsup.AWSErrorCode(err) == "InvalidAllocationID.NotFound" {
klog.V(2).Infof("Got InvalidAllocationID.NotFound error describing ElasticIP %q; will treat as already-deleted", id)
klog.V(2).Infof("Got InvalidAllocationID.NotFound error deleting ElasticIP %q; will treat as already-deleted", id)
return nil
}

Expand Down
2 changes: 1 addition & 1 deletion pkg/resources/aws/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ func IsDependencyViolation(err error) bool {
switch code {
case "":
return false
case "DependencyViolation", "VolumeInUse", "InvalidIPAddress.InUse":
case "AuthFailure", "DependencyViolation", "InvalidIPAddress.InUse", "VolumeInUse", "ResourceInUse":
return true
default:
klog.Infof("unexpected aws error code: %q", code)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,11 +50,11 @@ spec:
nodes: public
externalPolicies:
node:
- aws:arn:iam:123456789000:policy:test-policy
- arn:aws:iam::123456789000:policy/test-policy
master:
- aws:arn:iam:123456789000:policy:test-policy
- arn:aws:iam::123456789000:policy/test-policy
bastion:
- aws:arn:iam:123456789000:policy:test-policy
- arn:aws:iam::123456789000:policy/test-policy
subnets:
- cidr: 172.20.32.0/19
name: us-test-1a
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -268,13 +268,13 @@ resource "aws_iam_instance_profile" "nodes-externalpolicies-example-com" {
role = aws_iam_role.nodes-externalpolicies-example-com.name
}

resource "aws_iam_role_policy_attachment" "master-policyoverride-1178482798" {
policy_arn = "aws:arn:iam:123456789000:policy:test-policy"
resource "aws_iam_role_policy_attachment" "master-policyoverride-1242070525" {
policy_arn = "arn:aws:iam::123456789000:policy/test-policy"
role = aws_iam_role.masters-externalpolicies-example-com.name
}

resource "aws_iam_role_policy_attachment" "node-policyoverride-1178482798" {
policy_arn = "aws:arn:iam:123456789000:policy:test-policy"
resource "aws_iam_role_policy_attachment" "node-policyoverride-1242070525" {
policy_arn = "arn:aws:iam::123456789000:policy/test-policy"
role = aws_iam_role.nodes-externalpolicies-example-com.name
}

Expand Down
1 change: 1 addition & 0 deletions upup/pkg/fi/dryrun_target.go
Original file line number Diff line number Diff line change
Expand Up @@ -222,6 +222,7 @@ func (t *DryRunTarget) PrintReport(taskMap map[string]Task, out io.Writer) error
fmt.Fprintf(b, " internal consistency error!\n")
fmt.Fprintf(b, " actual: %+v\n", r.a)
fmt.Fprintf(b, " expect: %+v\n", r.e)
fmt.Fprintf(b, " change: %+v\n", r.changes)
continue
}

Expand Down

0 comments on commit 2d10bd4

Please sign in to comment.