Add snapshot-controller

k8s/crds/kops.k8s.io_clusters.yaml

@@ -3906,6 +3906,14 @@ spec:
                 description: ServiceClusterIPRange is the CIDR, from the internal
                   network, where we allocate IPs for services
                 type: string
+              snapshotController:
+                description: SnapshotController defines the CSI Snapshot Controller
+                  configuration.
+                properties:
+                  enabled:
+                    description: Enabled enables the CSI Snapshot Controller
+                    type: boolean
+                type: object
               sshAccess:
                 description: SSHAccess determines the permitted access to SSH Currently
                   only a single CIDR is supported (though a richer grammar could be

pkg/apis/kops/cluster.go

@@ -201,6 +201,9 @@ type ClusterSpec struct {
 
 	// ClusterAutoscaler defines the cluster autoscaler configuration.
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
+
+	// SnapshotController defines the CSI Snapshot Controller configuration.
+	SnapshotController *SnapshotControllerConfig `json:"snapshotController,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/componentconfig.go

@@ -832,6 +832,12 @@ type AWSEBSCSIDriver struct {
 	Enabled *bool `json:"enabled,omitempty"`
 }
 
+// SnapshotControllerConfig is the config for the CSI Snapshot Controller
+type SnapshotControllerConfig struct {
+	//Enabled enables the CSI Snapshot Controller
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // NodeTerminationHandlerConfig determines the node termination handler configuration.
 type NodeTerminationHandlerConfig struct {
 	// Enabled enables the node termination handler.

pkg/apis/kops/v1alpha2/cluster.go

@@ -200,6 +200,9 @@ type ClusterSpec struct {
 
 	// ClusterAutoscaler defines the cluaster autoscaler configuration.
 	ClusterAutoscaler *ClusterAutoscalerConfig `json:"clusterAutoscaler,omitempty"`
+
+	// SnapshotController defines the CSI Snapshot Controller configuration.
+	SnapshotController *SnapshotControllerConfig `json:"snapshotController,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -831,6 +831,12 @@ type AWSEBSCSIDriver struct {
 	Enabled *bool `json:"enabled,omitempty"`
 }
 
+// SnapshotControllerConfig is the config for the CSI Snapshot Controller
+type SnapshotControllerConfig struct {
+	//Enabled enables the CSI Snapshot Controller
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // NodeTerminationHandlerConfig determines the node termination handler configuration.
 type NodeTerminationHandlerConfig struct {
 	// Enabled enables the node termination handler.

pkg/apis/kops/validation/validation.go

@@ -160,7 +160,12 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 	}
 
 	if spec.MetricsServer != nil {
-		allErrs = append(allErrs, validateMetricsServer(c, spec.MetricsServer, fieldPath.Child("nodeTerminationHandler"))...)
+		allErrs = append(allErrs, validateMetricsServer(c, spec.MetricsServer, fieldPath.Child("metricsServer"))...)
+
+	}
+
+	if spec.SnapshotController != nil {
+		allErrs = append(allErrs, validateSnapshotController(c, spec.SnapshotController, fieldPath.Child("snapshotController"))...)
 
 	}
 
@@ -1289,3 +1294,18 @@ func validateMetricsServer(cluster *kops.Cluster, spec *kops.MetricsServerConfig
 	}
 	return allErrs
 }
+
+func validateSnapshotController(cluster *kops.Cluster, spec *kops.SnapshotControllerConfig, fldPath *field.Path) (allErrs field.ErrorList) {
+	if spec != nil && fi.BoolValue(spec.Enabled) {
+		if !cluster.IsKubernetesGTE("1.20") {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("enabled"), "Snapshot controller requires kubernetes 1.20+"))
+		}
+		if !components.IsCertManagerEnabled(cluster) {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("enabled"), "Snapshot controller requires that cert manager is enabled"))
+		}
+		if cluster.Spec.CloudConfig == nil || cluster.Spec.CloudConfig.AWSEBSCSIDriver == nil || !fi.BoolValue(cluster.Spec.CloudConfig.AWSEBSCSIDriver.Enabled) {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("enabled"), "Snapshot controller requires external CSI Driver"))
+		}
+	}
+	return allErrs
+}

pkg/model/iam/iam_builder.go

@@ -282,6 +282,9 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
+	if b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
+		addSnapshotPersmissions(p)
+	}
 	return p, nil
 }
 
@@ -671,6 +674,19 @@ func addCalicoSrcDstCheckPermissions(p *Policy) {
 	})
 }
 
+func addSnapshotPersmissions(p *Policy) {
+	p.Statement = append(p.Statement, &Statement{
+		Effect: StatementEffectAllow,
+		Action: stringorslice.Of(
+			"ec2:CreateSnapshot",
+			"ec2:DeleteSnapshot",
+			"ec2:DescribeAvailabilityZones",
+			"ec2:DescribeSnapshots",
+		),
+		Resource: stringorslice.Slice([]string{"*"}),
+	})
+}
+
 // addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
 func addLegacyDNSControllerPermissions(b *PolicyBuilder, p *Policy) {
 	// Legacy IAM permissions for node roles