kubernetes · k8s-ci-robot · Jun 3, 2020 · Jun 3, 2020 · Jun 3, 2020 · Jun 3, 2020
diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
@@ -1008,8 +1008,6 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 		cluster.Spec.Networking.Canal = &api.CanalNetworkingSpec{}
 	case "kube-router":
 		cluster.Spec.Networking.Kuberouter = &api.KuberouterNetworkingSpec{}
-	case "romana":
-		cluster.Spec.Networking.Romana = &api.RomanaNetworkingSpec{}
 	case "amazonvpc", "amazon-vpc-routed-eni":
 		cluster.Spec.Networking.AmazonVPC = &api.AmazonVPCNetworkingSpec{}
 	case "cilium":

diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md
@@ -6,6 +6,8 @@
 
 # Breaking changes
 
+* Removed support for Romana networking provider.
+
 # Required Actions
 
 # Deprecations

diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -3202,7 +3202,8 @@ spec:
                     type: object
                   romana:
                     description: RomanaNetworkingSpec declares that we want Romana
-                      networking
+                      networking Romana is deprecated as of kops 1.18 and removed
+                      as of kops 1.19
                     properties:
                       daemonServiceIP:
                         description: DaemonServiceIP is the Kubernetes Service IP

diff --git a/nodeup/pkg/model/network.go b/nodeup/pkg/model/network.go
@@ -46,7 +46,7 @@ func (b *NetworkBuilder) Build(c *fi.ModelBuilderContext) error {
 		// external is based on kubenet
 		assetNames = append(assetNames, "bridge", "host-local", "loopback")
 
-	} else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.Romana != nil || networking.AmazonVPC != nil || networking.Cilium != nil {
+	} else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.AmazonVPC != nil || networking.Cilium != nil {
 		assetNames = append(assetNames, "bridge", "host-local", "loopback", "ptp", "portmap")
 		// Do we need tuning?
 

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -623,8 +623,6 @@ func (c *Cluster) fillClusterSpecNetworkingSpec() {
 		// OK
 	} else if c.Spec.Networking.Kuberouter != nil {
 		// OK
-	} else if c.Spec.Networking.Romana != nil {
-		// OK
 	} else if c.Spec.Networking.AmazonVPC != nil {
 		// OK
 	} else if c.Spec.Networking.Cilium != nil {

diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -181,6 +181,7 @@ type KuberouterNetworkingSpec struct {
 }
 
 // RomanaNetworkingSpec declares that we want Romana networking
+// Romana is deprecated as of kops 1.18 and removed as of kops 1.19
 type RomanaNetworkingSpec struct {
 	// DaemonServiceIP is the Kubernetes Service IP for the romana-daemon pod
 	DaemonServiceIP string `json:"daemonServiceIP,omitempty"`

diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
@@ -181,6 +181,7 @@ type KuberouterNetworkingSpec struct {
 }
 
 // RomanaNetworkingSpec declares that we want Romana networking
+// Romana is deprecated as of kops 1.18 and removed as of kops 1.19
 type RomanaNetworkingSpec struct {
 	// DaemonServiceIP is the Kubernetes Service IP for the romana-daemon pod
 	DaemonServiceIP string `json:"daemonServiceIP,omitempty"`

diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -367,6 +367,7 @@ func validateNetworking(c *kops.ClusterSpec, v *kops.NetworkingSpec, fldPath *fi
 	}
 
 	if v.Romana != nil {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "support for Romana has been removed"))
 		if optionTaken {
 			allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "only one networking option permitted"))
 		}

diff --git a/pkg/model/components/networking.go b/pkg/model/components/networking.go
@@ -59,18 +59,5 @@ func (b *NetworkingOptionsBuilder) BuildOptions(o interface{}) error {
 		return fmt.Errorf("classic networking not supported")
 	}
 
-	if networking.Romana != nil {
-		daemonIP, err := WellKnownServiceIP(clusterSpec, 99)
-		if err != nil {
-			return err
-		}
-		networking.Romana.DaemonServiceIP = daemonIP.String()
-		etcdIP, err := WellKnownServiceIP(clusterSpec, 88)
-		if err != nil {
-			return err
-		}
-		networking.Romana.EtcdServiceIP = etcdIP.String()
-	}
-
 	return nil
 }
diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
@@ -257,13 +257,6 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 		protocols = append(protocols, ProtocolIPIP)
 	}
 
-	if b.Cluster.Spec.Networking.Romana != nil {
-		// Romana needs to access etcd
-		klog.Warningf("Opening etcd port on masters for access from the nodes, for romana.  This is unsafe in untrusted environments.")
-		tcpBlocked[4001] = false
-		protocols = append(protocols, ProtocolIPIP)
-	}
-
 	if b.Cluster.Spec.Networking.Kuberouter != nil {
 		protocols = append(protocols, ProtocolIPIP)
 	}

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -180,10 +180,6 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) {
 		addECRPermissions(p)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil {
-		addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
-	}
-
 	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil {
 		addAmazonVPCCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName(), b.IAMPrefix())
 	}
@@ -826,40 +822,6 @@ func addRoute53ListHostedZonesPermission(p *Policy) {
 	})
 }
 
-func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
-	if legacyIAM {
-		// Legacy IAM provides ec2:*, so no additional permissions required
-		return
-	}
-
-	// Romana requires additional Describe permissions
-	// Comments are which Romana component makes the call
-	p.Statement = append(p.Statement,
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:DescribeAvailabilityZones", // vpcrouter
-				"ec2:DescribeVpcs",              // vpcrouter
-			}),
-			Resource: resource,
-		},
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:CreateRoute",  // vpcrouter
-				"ec2:DeleteRoute",  // vpcrouter
-				"ec2:ReplaceRoute", // vpcrouter
-			}),
-			Resource: resource,
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"ec2:ResourceTag/KubernetesCluster": clusterName,
-				},
-			},
-		},
-	)
-}
-
 func addLyftVPCPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) {
 	if legacyIAM {
 		// Legacy IAM provides ec2:*, so no additional permissions required

diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go
@@ -163,8 +163,7 @@ func (b *FirewallModelBuilder) addETCDRules(c *fi.ModelBuilderContext, sgMap map
 		addDirectionalGroupRule(c, masterSG, masterSG, etcdMgmrRule)
 	}
 
-	if b.Cluster.Spec.Networking.Romana != nil ||
-		b.Cluster.Spec.Networking.Calico != nil {
+	if b.Cluster.Spec.Networking.Calico != nil {
 
 		etcdCNIRule := &openstacktasks.SecurityGroupRule{
 			Lifecycle:    b.Lifecycle,
@@ -391,10 +390,6 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[
 			protocols = append(protocols, ProtocolIPEncap)
 		}
 
-		if b.Cluster.Spec.Networking.Romana != nil {
-			tcpPorts = append(tcpPorts, 9600)
-		}
-
 		if b.Cluster.Spec.Networking.Kuberouter != nil {
 			protocols = append(protocols, ProtocolIPEncap)
 		}