Merge pull request #9255 from olemarkus/romana-remove

Remove romana support

cmd/kops/create_cluster.go

@@ -1008,8 +1008,6 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 		cluster.Spec.Networking.Canal = &api.CanalNetworkingSpec{}
 	case "kube-router":
 		cluster.Spec.Networking.Kuberouter = &api.KuberouterNetworkingSpec{}
-	case "romana":
-		cluster.Spec.Networking.Romana = &api.RomanaNetworkingSpec{}
 	case "amazonvpc", "amazon-vpc-routed-eni":
 		cluster.Spec.Networking.AmazonVPC = &api.AmazonVPCNetworkingSpec{}
 	case "cilium":

docs/releases/1.19-NOTES.md

@@ -6,6 +6,8 @@
 
 # Breaking changes
 
+* Support for the Romana networking provider has been removed.
+
 # Required Actions
 
 # Deprecations

nodeup/pkg/model/network.go

@@ -46,7 +46,7 @@ func (b *NetworkBuilder) Build(c *fi.ModelBuilderContext) error {
 		// external is based on kubenet
 		assetNames = append(assetNames, "bridge", "host-local", "loopback")
 
-	} else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.Romana != nil || networking.AmazonVPC != nil || networking.Cilium != nil {
+	} else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.AmazonVPC != nil || networking.Cilium != nil {
 		assetNames = append(assetNames, "bridge", "host-local", "loopback", "ptp", "portmap")
 		// Do we need tuning?
 

pkg/apis/kops/cluster.go

@@ -623,8 +623,6 @@ func (c *Cluster) fillClusterSpecNetworkingSpec() {
 		// OK
 	} else if c.Spec.Networking.Kuberouter != nil {
 		// OK
-	} else if c.Spec.Networking.Romana != nil {
-		// OK
 	} else if c.Spec.Networking.AmazonVPC != nil {
 		// OK
 	} else if c.Spec.Networking.Cilium != nil {

pkg/apis/kops/validation/validation.go

@@ -372,10 +372,7 @@ func validateNetworking(c *kops.ClusterSpec, v *kops.NetworkingSpec, fldPath *fi
 	}
 
 	if v.Romana != nil {
-		if optionTaken {
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "only one networking option permitted"))
-		}
-		optionTaken = true
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "support for Romana has been removed"))
 	}
 
 	if v.AmazonVPC != nil {

pkg/model/components/networking.go

@@ -59,18 +59,5 @@ func (b *NetworkingOptionsBuilder) BuildOptions(o interface{}) error {
 		return fmt.Errorf("classic networking not supported")
 	}
 
-	if networking.Romana != nil {
-		daemonIP, err := WellKnownServiceIP(clusterSpec, 99)
-		if err != nil {
-			return err
-		}
-		networking.Romana.DaemonServiceIP = daemonIP.String()
-		etcdIP, err := WellKnownServiceIP(clusterSpec, 88)
-		if err != nil {
-			return err
-		}
-		networking.Romana.EtcdServiceIP = etcdIP.String()
-	}
-
 	return nil
 }

pkg/model/firewall.go

@@ -257,13 +257,6 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 		protocols = append(protocols, ProtocolIPIP)
 	}
 
-	if b.Cluster.Spec.Networking.Romana != nil {
-		// Romana needs to access etcd
-		klog.Warningf("Opening etcd port on masters for access from the nodes, for romana.  This is unsafe in untrusted environments.")
-		tcpBlocked[4001] = false
-		protocols = append(protocols, ProtocolIPIP)
-	}
-
 	if b.Cluster.Spec.Networking.Kuberouter != nil {
 		protocols = append(protocols, ProtocolIPIP)
 	}

pkg/model/iam/iam_builder.go

@@ -180,10 +180,6 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
 		addECRPermissions(p)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil {
-		addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
-	}
-
 	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil {
 		addAmazonVPCCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName(), b.IAMPrefix())
 	}
@@ -826,40 +822,6 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
 	})
 }
 
-func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
-	if legacyIAM {
-		// Legacy IAM provides ec2:*, so no additional permissions required
-		return
-	}
-
-	// Romana requires additional Describe permissions
-	// Comments are which Romana component makes the call
-	p.Statement = append(p.Statement,
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:DescribeAvailabilityZones", // vpcrouter
-				"ec2:DescribeVpcs",              // vpcrouter
-			}),
-			Resource: resource,
-		},
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:CreateRoute",  // vpcrouter
-				"ec2:DeleteRoute",  // vpcrouter
-				"ec2:ReplaceRoute", // vpcrouter
-			}),
-			Resource: resource,
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"ec2:ResourceTag/KubernetesCluster": clusterName,
-				},
-			},
-		},
-	)
-}
-
 func addLyftVPCPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
 	if legacyIAM {
 		// Legacy IAM provides ec2:*, so no additional permissions required

pkg/model/openstackmodel/firewall.go

@@ -163,8 +163,7 @@ func (b *FirewallModelBuilder) addETCDRules(c *fi.ModelBuilderContext, sgMap map
 		addDirectionalGroupRule(c, masterSG, masterSG, etcdMgmrRule)
 	}
 
-	if b.Cluster.Spec.Networking.Romana != nil ||
-		b.Cluster.Spec.Networking.Calico != nil {
+	if b.Cluster.Spec.Networking.Calico != nil {
 
 		etcdCNIRule := &openstacktasks.SecurityGroupRule{
 			Lifecycle:    b.Lifecycle,
@@ -391,10 +390,6 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 			protocols = append(protocols, ProtocolIPEncap)
 		}
 
-		if b.Cluster.Spec.Networking.Romana != nil {
-			tcpPorts = append(tcpPorts, 9600)
-		}
-
 		if b.Cluster.Spec.Networking.Kuberouter != nil {
 			protocols = append(protocols, ProtocolIPEncap)
 		}