diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go index c249f98bb7a93..66fac2315ab53 100644 --- a/cmd/kops/create_cluster.go +++ b/cmd/kops/create_cluster.go @@ -1008,8 +1008,6 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr cluster.Spec.Networking.Canal = &api.CanalNetworkingSpec{} case "kube-router": cluster.Spec.Networking.Kuberouter = &api.KuberouterNetworkingSpec{} - case "romana": - cluster.Spec.Networking.Romana = &api.RomanaNetworkingSpec{} case "amazonvpc", "amazon-vpc-routed-eni": cluster.Spec.Networking.AmazonVPC = &api.AmazonVPCNetworkingSpec{} case "cilium": diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md index 8b88eb9fd0dc8..2f8c432483c7e 100644 --- a/docs/releases/1.19-NOTES.md +++ b/docs/releases/1.19-NOTES.md @@ -6,6 +6,8 @@ # Breaking changes +* Support for the Romana networking provider has been removed. + # Required Actions # Deprecations diff --git a/nodeup/pkg/model/network.go b/nodeup/pkg/model/network.go index f633a30979898..3bc5ade2a97f7 100644 --- a/nodeup/pkg/model/network.go +++ b/nodeup/pkg/model/network.go @@ -46,7 +46,7 @@ func (b *NetworkBuilder) Build(c *fi.ModelBuilderContext) error { // external is based on kubenet assetNames = append(assetNames, "bridge", "host-local", "loopback") - } else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.Romana != nil || networking.AmazonVPC != nil || networking.Cilium != nil { + } else if networking.CNI != nil || networking.Weave != nil || networking.Flannel != nil || networking.Calico != nil || networking.Canal != nil || networking.Kuberouter != nil || networking.AmazonVPC != nil || networking.Cilium != nil { assetNames = append(assetNames, "bridge", "host-local", "loopback", "ptp", "portmap") // Do we need tuning? 
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go index 6c9c4e1f33874..ddf8b50ae0b8d 100644 --- a/pkg/apis/kops/cluster.go +++ b/pkg/apis/kops/cluster.go @@ -623,8 +623,6 @@ func (c *Cluster) fillClusterSpecNetworkingSpec() { // OK } else if c.Spec.Networking.Kuberouter != nil { // OK - } else if c.Spec.Networking.Romana != nil { - // OK } else if c.Spec.Networking.AmazonVPC != nil { // OK } else if c.Spec.Networking.Cilium != nil { diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index 53f4ce76db677..9f423cf671010 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go @@ -372,10 +372,7 @@ func validateNetworking(c *kops.ClusterSpec, v *kops.NetworkingSpec, fldPath *fi } if v.Romana != nil { - if optionTaken { - allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "only one networking option permitted")) - } - optionTaken = true + allErrs = append(allErrs, field.Forbidden(fldPath.Child("romana"), "support for Romana has been removed")) } if v.AmazonVPC != nil { diff --git a/pkg/model/components/networking.go b/pkg/model/components/networking.go index d854d00ee4af5..0e86d587ed877 100644 --- a/pkg/model/components/networking.go +++ b/pkg/model/components/networking.go @@ -59,18 +59,5 @@ func (b *NetworkingOptionsBuilder) BuildOptions(o interface{}) error { return fmt.Errorf("classic networking not supported") } - if networking.Romana != nil { - daemonIP, err := WellKnownServiceIP(clusterSpec, 99) - if err != nil { - return err - } - networking.Romana.DaemonServiceIP = daemonIP.String() - etcdIP, err := WellKnownServiceIP(clusterSpec, 88) - if err != nil { - return err - } - networking.Romana.EtcdServiceIP = etcdIP.String() - } - return nil } diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go index 7cb4ebfb42b3c..af60fd48ad1a7 100644 --- a/pkg/model/firewall.go +++ b/pkg/model/firewall.go 
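Review bot: In validateNetworking the new Romana branch rejects the spec with only `"support for Romana has been removed"`, which gives the operator of an existing Romana cluster no next step, and the 1.19 release-notes hunk in this commit lists the removal under Breaking changes without adding anything under Required Actions. Consider `field.Forbidden(fldPath.Child("romana"), "support for Romana has been removed; choose another networking provider")` and a comment above the check, `// Romana was removed in kops 1.19; the field is still checked so old specs fail with a clear error.` The branch also no longer sets `optionTaken`, so a spec with only Romana set leaves it false; whether a later check depends on that cannot be seen here, because the function's body starts and ends outside the hunk. The same commit drops the firewall.go code that opened etcd port 4001 on masters to the nodes for Romana (logged there as unsafe in untrusted environments), so it is worth confirming how that already-applied rule is cleaned up on clusters whose spec no longer passes validation.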
@@ -257,13 +257,6 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu protocols = append(protocols, ProtocolIPIP) } - if b.Cluster.Spec.Networking.Romana != nil { - // Romana needs to access etcd - klog.Warningf("Opening etcd port on masters for access from the nodes, for romana. This is unsafe in untrusted environments.") - tcpBlocked[4001] = false - protocols = append(protocols, ProtocolIPIP) - } - if b.Cluster.Spec.Networking.Kuberouter != nil { protocols = append(protocols, ProtocolIPIP) } diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index ca11fd09031f8..fc5ebab2e07cb 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -180,10 +180,6 @@ func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error) { addECRPermissions(p) } - if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Romana != nil { - addRomanaCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName()) - } - if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.AmazonVPC != nil { addAmazonVPCCNIPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName(), b.IAMPrefix()) } 
@@ -826,40 +822,6 @@ func addRoute53ListHostedZonesPermission(p *Policy) { }) } -func addRomanaCNIPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) { - if legacyIAM { - // Legacy IAM provides ec2:*, so no additional permissions required - return - } - - // Romana requires additional Describe permissions - // Comments are which Romana component makes the call - p.Statement = append(p.Statement, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Slice([]string{ - "ec2:DescribeAvailabilityZones", // vpcrouter - "ec2:DescribeVpcs", // vpcrouter - }), - Resource: resource, - }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Slice([]string{ - "ec2:CreateRoute", // vpcrouter - "ec2:DeleteRoute", // vpcrouter - "ec2:ReplaceRoute", // vpcrouter - }), - Resource: resource, - Condition: Condition{ - "StringEquals": map[string]string{ - "ec2:ResourceTag/KubernetesCluster": clusterName, - }, - }, - }, - ) -} - func addLyftVPCPermissions(p *Policy, resource stringorslice.StringOrSlice, legacyIAM bool, clusterName string) { if legacyIAM { // Legacy IAM provides ec2:*, so no additional permissions required diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go index aeca5624c1c05..7830222b6456e 100644 --- a/pkg/model/openstackmodel/firewall.go +++ b/pkg/model/openstackmodel/firewall.go @@ -163,8 +163,7 @@ func (b *FirewallModelBuilder) addETCDRules(c *fi.ModelBuilderContext, sgMap map addDirectionalGroupRule(c, masterSG, masterSG, etcdMgmrRule) } - if b.Cluster.Spec.Networking.Romana != nil || - b.Cluster.Spec.Networking.Calico != nil { + if b.Cluster.Spec.Networking.Calico != nil { etcdCNIRule := &openstacktasks.SecurityGroupRule{ Lifecycle: b.Lifecycle, 
@@ -391,10 +390,6 @@ func (b *FirewallModelBuilder) addCNIRules(c *fi.ModelBuilderContext, sgMap map[ protocols = append(protocols, ProtocolIPEncap) } - if b.Cluster.Spec.Networking.Romana != nil { - tcpPorts = append(tcpPorts, 9600) - } - if b.Cluster.Spec.Networking.Kuberouter != nil { protocols = append(protocols, ProtocolIPEncap) } diff --git a/upup/models/bindata.go b/upup/models/bindata.go index ceb1e1da95cc5..01733caf90ea9 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -46,8 +46,6 @@ // upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template // upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template // upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.9.yaml.template -// upup/models/cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template -// upup/models/cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template // upup/models/cloudup/resources/addons/networking.weave/k8s-1.12.yaml.template // upup/models/cloudup/resources/addons/networking.weave/k8s-1.8.yaml.template // upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template 
@@ -13397,768 +13395,6 @@ func cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s19YamlTemplate() (* return a, nil } -var _cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplate = []byte(`--- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-listener -rules: -- apiGroups: - - "*" - resources: - - pods - - namespaces - - nodes - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - "*" - resources: - - services - verbs: - - update - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-listener - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-listener -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-listener -subjects: -- kind: ServiceAccount - name: romana-listener - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-agent -rules: -- apiGroups: - - "*" - resources: - - pods - - nodes - verbs: - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-agent - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-agent -subjects: -- kind: ServiceAccount - name: romana-agent - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - name: romana-etcd - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.EtcdServiceIP }} - ports: - - name: etcd - port: 12379 - protocol: TCP - targetPort: 4001 - selector: - k8s-app: etcd-server - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: romana - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.DaemonServiceIP }} - 
ports: - - name: daemon - port: 9600 - protocol: TCP - targetPort: 9600 - selector: - romana-app: daemon - sessionAffinity: None - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-daemon - namespace: kube-system - labels: - romana-app: daemon -spec: - replicas: 1 - selector: - matchLabels: - romana-app: daemon - template: - metadata: - labels: - romana-app: daemon - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-daemon - image: quay.io/romana/daemon:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi - args: - - --cloud=aws - - --network-cidr-overrides=romana-network={{ .KubeControllerManager.ClusterCIDR }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-listener - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - romana-app: listener - template: - metadata: - labels: - romana-app: listener - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - serviceAccountName: romana-listener - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-listener - image: quay.io/romana/listener:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: romana-agent - namespace: kube-system - labels: - romana-app: agent -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - romana-app: agent - template: - metadata: - labels: - romana-app: agent - spec: - hostNetwork: true - priorityClassName: system-node-critical - securityContext: - seLinuxOptions: - type: spc_t - serviceAccountName: romana-agent - tolerations: - - 
effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: romana-agent - image: quay.io/romana/agent:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 25m - memory: 128Mi - limits: - memory: 128Mi - env: - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODEIP - valueFrom: - fieldRef: - fieldPath: status.hostIP - args: - - --service-cluster-ip-range={{ .ServiceClusterIPRange }} - securityContext: - privileged: true - volumeMounts: - - name: host-usr-local-bin - mountPath: /host/usr/local/bin - - name: host-etc-romana - mountPath: /host/etc/romana - - name: host-cni-bin - mountPath: /host/opt/cni/bin - - name: host-cni-net-d - mountPath: /host/etc/cni/net.d - - name: run-path - mountPath: /var/run/romana - volumes: - - name: host-usr-local-bin - hostPath: - path: /usr/local/bin - - name: host-etc-romana - hostPath: - path: /etc/romana - - name: host-cni-bin - hostPath: - path: /opt/cni/bin - - name: host-cni-net-d - hostPath: - path: /etc/cni/net.d - - name: run-path - hostPath: - path: /var/run/romana ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-aws -rules: -- apiGroups: - - "*" - resources: - - nodes - verbs: - - get - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-aws - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-aws -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-aws -subjects: -- kind: ServiceAccount - name: romana-aws - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-aws - namespace: kube-system - labels: - romana-app: aws -spec: - replicas: 1 - selector: - matchLabels: - romana-app: aws - template: - metadata: - labels: - romana-app: aws - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - 
priorityClassName: system-cluster-critical - serviceAccountName: romana-aws - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-aws - image: quay.io/romana/aws:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-vpcrouter - namespace: kube-system - labels: - romana-app: vpcrouter -spec: - replicas: 1 - selector: - matchLabels: - romana-app: vpcrouter - template: - metadata: - labels: - romana-app: vpcrouter - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-vpcrouter - image: quay.io/romana/vpcrouter-romana-plugin:1.1.17 - imagePullPolicy: Always - resources: - requests: - cpu: 45m - memory: 128Mi - limits: - memory: 128Mi - args: - - --etcd_use_v2 - - --etcd_addr={{ .Networking.Romana.EtcdServiceIP }} - - --etcd_port=12379 -`) - -func cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplateBytes() ([]byte, error) { - return _cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplate, nil -} - -func cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplate() (*asset, error) { - bytes, err := cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplateBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplate = []byte(`--- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-listener -rules: -- apiGroups: - - "*" - resources: - - pods - - namespaces - - nodes - - endpoints - verbs: - - get - - list - - watch -- 
apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - "*" - resources: - - services - verbs: - - update - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-listener - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-listener -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-listener -subjects: -- kind: ServiceAccount - name: romana-listener - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-agent -rules: -- apiGroups: - - "*" - resources: - - pods - - nodes - verbs: - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-agent - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-agent -subjects: -- kind: ServiceAccount - name: romana-agent - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - name: romana-etcd - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.EtcdServiceIP }} - ports: - - name: etcd - port: 12379 - protocol: TCP - targetPort: 4001 - selector: - k8s-app: etcd-server - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: romana - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.DaemonServiceIP }} - ports: - - name: daemon - port: 9600 - protocol: TCP - targetPort: 9600 - selector: - romana-app: daemon - sessionAffinity: None - type: ClusterIP ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-daemon - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: daemon - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: 
true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-daemon - image: quay.io/romana/daemon:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi - args: - - --cloud=aws - - --network-cidr-overrides=romana-network={{ .KubeControllerManager.ClusterCIDR }} ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-listener - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: listener - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - serviceAccountName: romana-listener - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-listener - image: quay.io/romana/listener:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: romana-agent - namespace: kube-system -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - romana-app: agent - spec: - hostNetwork: true - securityContext: - seLinuxOptions: - type: spc_t - serviceAccountName: romana-agent - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: romana-agent - image: quay.io/romana/agent:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 25m - memory: 128Mi - limits: - memory: 128Mi - env: - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODEIP - valueFrom: - fieldRef: - fieldPath: status.hostIP - args: - - --service-cluster-ip-range={{ .ServiceClusterIPRange }} - securityContext: - privileged: true - volumeMounts: - - name: host-usr-local-bin - mountPath: /host/usr/local/bin - - name: host-etc-romana - mountPath: /host/etc/romana - - name: host-cni-bin - mountPath: /host/opt/cni/bin - - name: 
host-cni-net-d - mountPath: /host/etc/cni/net.d - - name: run-path - mountPath: /var/run/romana - volumes: - - name: host-usr-local-bin - hostPath: - path: /usr/local/bin - - name: host-etc-romana - hostPath: - path: /etc/romana - - name: host-cni-bin - hostPath: - path: /opt/cni/bin - - name: host-cni-net-d - hostPath: - path: /etc/cni/net.d - - name: run-path - hostPath: - path: /var/run/romana ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-aws -rules: -- apiGroups: - - "*" - resources: - - nodes - verbs: - - get - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-aws - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-aws -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-aws -subjects: -- kind: ServiceAccount - name: romana-aws - namespace: kube-system ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-aws - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: aws - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - serviceAccountName: romana-aws - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-aws - image: quay.io/romana/aws:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-vpcrouter - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: vpcrouter - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-vpcrouter - image: quay.io/romana/vpcrouter-romana-plugin:1.1.17 - imagePullPolicy: Always - resources: - 
requests: - cpu: 45m - memory: 128Mi - limits: - memory: 128Mi - args: - - --etcd_use_v2 - - --etcd_addr={{ .Networking.Romana.EtcdServiceIP }} - - --etcd_port=12379 -`) - -func cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplateBytes() ([]byte, error) { - return _cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplate, nil -} - -func cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplate() (*asset, error) { - bytes, err := cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplateBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _cloudupResourcesAddonsNetworkingWeaveK8s112YamlTemplate = []byte(`{{- if WeaveSecret }} apiVersion: v1 kind: Secret 
@@ -16981,8 +16217,6 @@ var _bindata = map[string]func() (*asset, error){ "cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template": cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s115YamlTemplate, "cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template": cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s116YamlTemplate, "cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.9.yaml.template": cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s19YamlTemplate, - "cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template": cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplate, - "cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template": cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplate, "cloudup/resources/addons/networking.weave/k8s-1.12.yaml.template": cloudupResourcesAddonsNetworkingWeaveK8s112YamlTemplate, "cloudup/resources/addons/networking.weave/k8s-1.8.yaml.template": cloudupResourcesAddonsNetworkingWeaveK8s18YamlTemplate, "cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template": cloudupResourcesAddonsNodeAuthorizerAddonsK8sIoK8s110YamlTemplate, 
@@ -17132,10 +16366,6 @@ var _bintree = &bintree{nil, map[string]*bintree{ "k8s-1.16.yaml.template": {cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s116YamlTemplate, map[string]*bintree{}}, "k8s-1.9.yaml.template": {cloudupResourcesAddonsNetworkingProjectcalicoOrgCanalK8s19YamlTemplate, map[string]*bintree{}}, }}, - "networking.romana": {nil, map[string]*bintree{ - "k8s-1.12.yaml.template": {cloudupResourcesAddonsNetworkingRomanaK8s112YamlTemplate, map[string]*bintree{}}, - "k8s-1.7.yaml.template": {cloudupResourcesAddonsNetworkingRomanaK8s17YamlTemplate, map[string]*bintree{}}, - }}, "networking.weave": {nil, map[string]*bintree{ "k8s-1.12.yaml.template": {cloudupResourcesAddonsNetworkingWeaveK8s112YamlTemplate, map[string]*bintree{}}, "k8s-1.8.yaml.template": {cloudupResourcesAddonsNetworkingWeaveK8s18YamlTemplate, map[string]*bintree{}}, diff --git a/upup/models/cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template deleted file mode 100644 index babab2bcc4f3e..0000000000000 --- a/upup/models/cloudup/resources/addons/networking.romana/k8s-1.12.yaml.template +++ /dev/null 
@@ -1,378 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-listener -rules: -- apiGroups: - - "*" - resources: - - pods - - namespaces - - nodes - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - "*" - resources: - - services - verbs: - - update - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-listener - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-listener -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-listener -subjects: -- kind: ServiceAccount - name: romana-listener - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-agent -rules: -- apiGroups: - - "*" - resources: - - pods - - nodes - verbs: - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-agent - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-agent -subjects: -- kind: ServiceAccount - name: romana-agent - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - name: romana-etcd - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.EtcdServiceIP }} - ports: - - name: etcd - port: 12379 - protocol: TCP - targetPort: 4001 - selector: - k8s-app: etcd-server - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: romana - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.DaemonServiceIP }} - ports: - - name: daemon - port: 9600 - protocol: TCP - targetPort: 9600 - selector: - romana-app: daemon - sessionAffinity: None - type: ClusterIP ---- -apiVersion: apps/v1 
-kind: Deployment -metadata: - name: romana-daemon - namespace: kube-system - labels: - romana-app: daemon -spec: - replicas: 1 - selector: - matchLabels: - romana-app: daemon - template: - metadata: - labels: - romana-app: daemon - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-daemon - image: quay.io/romana/daemon:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi - args: - - --cloud=aws - - --network-cidr-overrides=romana-network={{ .KubeControllerManager.ClusterCIDR }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-listener - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - romana-app: listener - template: - metadata: - labels: - romana-app: listener - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - serviceAccountName: romana-listener - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-listener - image: quay.io/romana/listener:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: romana-agent - namespace: kube-system - labels: - romana-app: agent -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - romana-app: agent - template: - metadata: - labels: - romana-app: agent - spec: - hostNetwork: true - priorityClassName: system-node-critical - securityContext: - seLinuxOptions: - type: spc_t - serviceAccountName: romana-agent - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: romana-agent - image: quay.io/romana/agent:v2.0.2 - imagePullPolicy: 
Always - resources: - requests: - cpu: 25m - memory: 128Mi - limits: - memory: 128Mi - env: - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODEIP - valueFrom: - fieldRef: - fieldPath: status.hostIP - args: - - --service-cluster-ip-range={{ .ServiceClusterIPRange }} - securityContext: - privileged: true - volumeMounts: - - name: host-usr-local-bin - mountPath: /host/usr/local/bin - - name: host-etc-romana - mountPath: /host/etc/romana - - name: host-cni-bin - mountPath: /host/opt/cni/bin - - name: host-cni-net-d - mountPath: /host/etc/cni/net.d - - name: run-path - mountPath: /var/run/romana - volumes: - - name: host-usr-local-bin - hostPath: - path: /usr/local/bin - - name: host-etc-romana - hostPath: - path: /etc/romana - - name: host-cni-bin - hostPath: - path: /opt/cni/bin - - name: host-cni-net-d - hostPath: - path: /etc/cni/net.d - - name: run-path - hostPath: - path: /var/run/romana ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-aws -rules: -- apiGroups: - - "*" - resources: - - nodes - verbs: - - get - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-aws - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: romana-aws -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-aws -subjects: -- kind: ServiceAccount - name: romana-aws - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-aws - namespace: kube-system - labels: - romana-app: aws -spec: - replicas: 1 - selector: - matchLabels: - romana-app: aws - template: - metadata: - labels: - romana-app: aws - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - serviceAccountName: romana-aws - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: 
romana-aws - image: quay.io/romana/aws:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: romana-vpcrouter - namespace: kube-system - labels: - romana-app: vpcrouter -spec: - replicas: 1 - selector: - matchLabels: - romana-app: vpcrouter - template: - metadata: - labels: - romana-app: vpcrouter - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - priorityClassName: system-cluster-critical - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-vpcrouter - image: quay.io/romana/vpcrouter-romana-plugin:1.1.17 - imagePullPolicy: Always - resources: - requests: - cpu: 45m - memory: 128Mi - limits: - memory: 128Mi - args: - - --etcd_use_v2 - - --etcd_addr={{ .Networking.Romana.EtcdServiceIP }} - - --etcd_port=12379 diff --git a/upup/models/cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template b/upup/models/cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template deleted file mode 100644 index a7ba12ceed697..0000000000000 --- a/upup/models/cloudup/resources/addons/networking.romana/k8s-1.7.yaml.template +++ /dev/null 
@@ -1,350 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-listener -rules: -- apiGroups: - - "*" - resources: - - pods - - namespaces - - nodes - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - "*" - resources: - - services - verbs: - - update - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-listener - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-listener -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-listener -subjects: -- kind: ServiceAccount - name: romana-listener - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-agent -rules: -- apiGroups: - - "*" - resources: - - pods - - nodes - verbs: - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-agent - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-agent -subjects: -- kind: ServiceAccount - name: romana-agent - namespace: kube-system ---- -apiVersion: v1 -kind: Service -metadata: - name: romana-etcd - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.EtcdServiceIP }} - ports: - - name: etcd - port: 12379 - protocol: TCP - targetPort: 4001 - selector: - k8s-app: etcd-server - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: romana - namespace: kube-system -spec: - clusterIP: {{ .Networking.Romana.DaemonServiceIP }} - ports: - - name: daemon - port: 9600 - protocol: TCP - targetPort: 9600 - selector: - romana-app: daemon - sessionAffinity: None - type: ClusterIP ---- 
-apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-daemon - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: daemon - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-daemon - image: quay.io/romana/daemon:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi - args: - - --cloud=aws - - --network-cidr-overrides=romana-network={{ .KubeControllerManager.ClusterCIDR }} ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-listener - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: listener - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - serviceAccountName: romana-listener - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-listener - image: quay.io/romana/listener:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: romana-agent - namespace: kube-system -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - romana-app: agent - spec: - hostNetwork: true - securityContext: - seLinuxOptions: - type: spc_t - serviceAccountName: romana-agent - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: romana-agent - image: quay.io/romana/agent:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 25m - memory: 128Mi - limits: - memory: 128Mi - env: - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: NODEIP - valueFrom: - fieldRef: - fieldPath: status.hostIP - args: - - --service-cluster-ip-range={{ 
.ServiceClusterIPRange }} - securityContext: - privileged: true - volumeMounts: - - name: host-usr-local-bin - mountPath: /host/usr/local/bin - - name: host-etc-romana - mountPath: /host/etc/romana - - name: host-cni-bin - mountPath: /host/opt/cni/bin - - name: host-cni-net-d - mountPath: /host/etc/cni/net.d - - name: run-path - mountPath: /var/run/romana - volumes: - - name: host-usr-local-bin - hostPath: - path: /usr/local/bin - - name: host-etc-romana - hostPath: - path: /etc/romana - - name: host-cni-bin - hostPath: - path: /opt/cni/bin - - name: host-cni-net-d - hostPath: - path: /etc/cni/net.d - - name: run-path - hostPath: - path: /var/run/romana ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-aws -rules: -- apiGroups: - - "*" - resources: - - nodes - verbs: - - get - - list - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: romana-aws - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: romana-aws -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: romana-aws -subjects: -- kind: ServiceAccount - name: romana-aws - namespace: kube-system ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-aws - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: aws - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - hostNetwork: true - serviceAccountName: romana-aws - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-aws - image: quay.io/romana/aws:v2.0.2 - imagePullPolicy: Always - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - memory: 64Mi ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: romana-vpcrouter - namespace: kube-system -spec: - replicas: 1 - template: - metadata: - labels: - romana-app: vpcrouter - spec: - nodeSelector: - 
node-role.kubernetes.io/master: "" - hostNetwork: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: romana-vpcrouter - image: quay.io/romana/vpcrouter-romana-plugin:1.1.17 - imagePullPolicy: Always - resources: - requests: - cpu: 45m - memory: 128Mi - limits: - memory: 128Mi - args: - - --etcd_use_v2 - - --etcd_addr={{ .Networking.Romana.EtcdServiceIP }} - - --etcd_port=12379
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index 446c8b7542b4b..e7b2b93acf341 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -886,39 +886,6 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 }
 }
- if b.cluster.Spec.Networking.Romana != nil {
- key := "networking.romana"
- version := "v2.0.2-kops.3"
-
- {
- location := key + "/k8s-1.7.yaml"
- id := "k8s-1.7"
-
- addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
- Name: fi.String(key),
- Version: fi.String(version),
- Selector: networkingSelector,
- Manifest: fi.String(location),
- KubernetesVersion: "<1.12.0",
- Id: id,
- })
- }
-
- {
- location := key + "/k8s-1.12.yaml"
- id := "k8s-1.12"
-
- addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
- Name: fi.String(key),
- Version: fi.String(version),
- Selector: networkingSelector,
- Manifest: fi.String(location),
- KubernetesVersion: ">=1.12.0",
- Id: id,
- })
- }
- }
-
 if b.cluster.Spec.Networking.AmazonVPC != nil {
 key := "networking.amazon-vpc-routed-eni"
diff --git a/upup/pkg/fi/cloudup/tagbuilder_test.go b/upup/pkg/fi/cloudup/tagbuilder_test.go
index f7c2d73c39e8d..7326d50661afb 100644
--- a/upup/pkg/fi/cloudup/tagbuilder_test.go
+++ b/upup/pkg/fi/cloudup/tagbuilder_test.go
@@ -167,32 +167,6 @@ func TestBuildTags_CloudProvider_AWS_Canal(t *testing.T) {
 }
 }
-func TestBuildTags_CloudProvider_AWS_Romana(t *testing.T) {
-
- c := buildCluster(nil)
- networking := &api.NetworkingSpec{Romana: &api.RomanaNetworkingSpec{}}
-
- c.Spec.Networking = networking
-
- tags, err := buildCloudupTags(c)
- if err != nil {
- t.Fatalf("buildCloudupTags error: %v", err)
- }
-
- if !tags.Has("_aws") {
- t.Fatal("tag _aws not found")
- }
-
- nodeUpTags, err := buildNodeupTags(api.InstanceGroupRoleNode, c, tags)
- if err != nil {
- t.Fatalf("buildNodeupTags error: %v", err)
- }
-
- if !nodeUpTags.Has("_aws") {
- t.Fatal("nodeUpTag _aws not found")
- }
-}
-
 func TestBuildTags_CloudProvider_AWS(t *testing.T) {
 c := buildCluster(nil)