in upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go [305:1124]
func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*AddonList, error) {
addons := &AddonList{}
serviceAccountRoles := []iam.Subject{}
{
key := "kops-controller.addons.k8s.io"
{
location := key + "/k8s-1.16.yaml"
id := "k8s-1.16"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
NeedsRollingUpdate: "control-plane",
Id: id,
})
}
}
{
key := "core.addons.k8s.io"
version := "1.4.0"
location := key + "/v" + version + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
})
}
// @check if podsecuritypolicies are enabled and if so, push the default kube-system policy
if b.Cluster.Spec.KubeAPIServer != nil && b.Cluster.Spec.KubeAPIServer.HasAdmissionController("PodSecurityPolicy") {
key := "podsecuritypolicy.addons.k8s.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
kubeDNS := b.Cluster.Spec.KubeDNS
// This checks if the Kubernetes version is greater than or equal to 1.20
// and makes the default DNS server as CoreDNS if the DNS provider is not specified
// and the Kubernetes version is >=1.19
if kubeDNS.Provider == "" {
kubeDNS.Provider = "KubeDNS"
if b.Cluster.IsKubernetesGTE("1.20") {
kubeDNS.Provider = "CoreDNS"
}
}
if kubeDNS.Provider == "KubeDNS" {
{
key := "kube-dns.addons.k8s.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
}
if kubeDNS.Provider == "CoreDNS" && !featureflag.UseAddonOperators.Enabled() {
{
key := "coredns.addons.k8s.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
}
// @check if bootstrap tokens are enabled an if so we can forgo applying
// this manifest. For clusters whom are upgrading from RBAC to Node,RBAC the clusterrolebinding
// will remain and have to be deleted manually once all the nodes have been upgraded.
enableRBACAddon := true
if b.UseKopsControllerForNodeBootstrap() {
enableRBACAddon = false
}
if b.Cluster.Spec.KubeAPIServer != nil {
if b.Cluster.Spec.KubeAPIServer.EnableBootstrapAuthToken != nil && *b.Cluster.Spec.KubeAPIServer.EnableBootstrapAuthToken {
enableRBACAddon = false
}
}
if enableRBACAddon {
{
key := "rbac.addons.k8s.io"
{
location := key + "/k8s-1.8.yaml"
id := "k8s-1.8"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
}
{
// Adding the kubelet-api-admin binding: this is required when switching to webhook authorization on the kubelet
// docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles
// issue: https://github.com/kubernetes/kops/issues/5176
key := "kubelet-api.rbac.addons.k8s.io"
{
location := key + "/k8s-1.9.yaml"
id := "k8s-1.9"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
if b.IsKubernetesGTE("1.23") && b.IsKubernetesLT("1.26") &&
(kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS ||
kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderGCE) {
// AWS and GCE KCM-to-CCM leader migration
key := "leader-migration.rbac.addons.k8s.io"
if b.IsKubernetesLT("1.25") {
location := key + "/k8s-1.23.yaml"
id := "k8s-1.23"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
if b.IsKubernetesGTE("1.25") {
location := key + "/k8s-1.25.yaml"
id := "k8s-1.25"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
{
key := "limit-range.addons.k8s.io"
version := "1.5.0"
location := key + "/v" + version + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
})
}
if b.Cluster.Spec.ExternalDNS == nil || b.Cluster.Spec.ExternalDNS.Provider == kops.ExternalDNSProviderDNSController {
{
key := "dns-controller.addons.k8s.io"
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
// Generate dns-controller ServiceAccount IAM permissions.
// Gossip clsuters do not require any cloud permissions.
if b.UseServiceAccountExternalPermissions() && !b.IsGossip() {
serviceAccountRoles = append(serviceAccountRoles, &dnscontroller.ServiceAccount{})
}
} else if b.Cluster.Spec.ExternalDNS.Provider == kops.ExternalDNSProviderExternalDNS {
{
key := "external-dns.addons.k8s.io"
{
location := key + "/k8s-1.19.yaml"
id := "k8s-1.19"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &externaldns.ServiceAccount{})
}
}
}
// @check if the node-local-dns is enabled
NodeLocalDNS := b.Cluster.Spec.KubeDNS.NodeLocalDNS
if kubeDNS.Provider == "CoreDNS" && NodeLocalDNS != nil && fi.BoolValue(NodeLocalDNS.Enabled) {
{
key := "nodelocaldns.addons.k8s.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
}
if b.Cluster.Spec.ClusterAutoscaler != nil && fi.BoolValue(b.Cluster.Spec.ClusterAutoscaler.Enabled) {
{
key := "cluster-autoscaler.addons.k8s.io"
{
location := key + "/k8s-1.15.yaml"
id := "k8s-1.15"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &clusterautoscaler.ServiceAccount{})
}
}
if b.Cluster.Spec.MetricsServer != nil && fi.BoolValue(b.Cluster.Spec.MetricsServer.Enabled) {
{
key := "metrics-server.addons.k8s.io"
{
location := key + "/k8s-1.11.yaml"
id := "k8s-1.11"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-app": "metrics-server"},
Manifest: fi.String(location),
Id: id,
NeedsPKI: !fi.BoolValue(b.Cluster.Spec.MetricsServer.Insecure),
})
}
}
}
if b.Cluster.Spec.CertManager != nil && fi.BoolValue(b.Cluster.Spec.CertManager.Enabled) && (b.Cluster.Spec.CertManager.Managed == nil || fi.BoolValue(b.Cluster.Spec.CertManager.Managed)) {
{
key := "certmanager.io"
{
location := key + "/k8s-1.16.yaml"
id := "k8s-1.16"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Id: id,
})
}
}
}
nth := b.Cluster.Spec.NodeTerminationHandler
if nth != nil && fi.BoolValue(nth.Enabled) {
key := "node-termination-handler.aws"
{
location := key + "/k8s-1.11.yaml"
id := "k8s-1.11"
addon := addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
addon.BuildPrune = true
}
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &nodeterminationhandler.ServiceAccount{})
}
}
npd := b.Cluster.Spec.NodeProblemDetector
if npd != nil && fi.BoolValue(npd.Enabled) {
key := "node-problem-detector.addons.k8s.io"
{
location := key + "/k8s-1.17.yaml"
id := "k8s-1.17"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
nvidia := b.Cluster.Spec.Containerd.NvidiaGPU
if nvidia != nil && fi.BoolValue(nvidia.Enabled) {
key := "nvidia.addons.k8s.io"
{
location := key + "/k8s-1.16.yaml"
id := "k8s-1.16"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) {
key := "aws-load-balancer-controller.addons.k8s.io"
{
location := key + "/k8s-1.9.yaml"
id := "k8s-1.9"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
NeedsPKI: true,
})
}
// Generate aws-load-balancer-controller ServiceAccount IAM permissions
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &awsloadbalancercontroller.ServiceAccount{})
}
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS {
key := "storage-aws.addons.k8s.io"
{
id := "v1.15.0"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderDO {
key := "digitalocean-cloud-controller.addons.k8s.io"
{
id := "k8s-1.8"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
key := "storage-gce.addons.k8s.io"
{
id := "v1.7.0"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
if b.Cluster.Spec.CloudConfig != nil && b.Cluster.Spec.CloudConfig.GCPPDCSIDriver != nil && fi.BoolValue(b.Cluster.Spec.CloudConfig.GCPPDCSIDriver.Enabled) {
key := "gcp-pd-csi-driver.addons.k8s.io"
{
id := "k8s-1.23"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
}
}
if featureflag.Spotinst.Enabled() && featureflag.SpotinstController.Enabled() {
key := "spotinst-kubernetes-cluster-controller.addons.k8s.io"
{
id := "v1.14.0"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
// The metadata-proxy daemonset conceals node metadata endpoints in GCE.
// It will land on nodes labeled cloud.google.com/metadata-proxy-ready=true
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
key := "metadata-proxy.addons.k8s.io"
{
id := "v0.1.12"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
if b.Cluster.Spec.ExternalCloudControllerManager != nil {
key := "gcp-cloud-controller.addons.k8s.io"
{
id := "k8s-1.23"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
}
}
}
if b.Cluster.Spec.Networking.Kopeio != nil && !featureflag.UseAddonOperators.Enabled() {
key := "networking.kope.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addon := addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
addon.BuildPrune = true
}
}
if b.Cluster.Spec.Networking.Weave != nil {
key := "networking.weave"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Networking.Flannel != nil {
key := "networking.flannel"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Networking.Calico != nil {
key := "networking.projectcalico.org"
{
id := "k8s-1.16"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Networking.Canal != nil {
key := "networking.projectcalico.org.canal"
if b.IsKubernetesGTE("v1.22.0") {
id := "k8s-1.22"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
} else {
id := "k8s-1.16"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Networking.Kuberouter != nil {
key := "networking.kuberouter"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Networking.AmazonVPC != nil {
key := "networking.amazon-vpc-routed-eni"
{
id := "k8s-1.16"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: networkingSelector(),
Manifest: fi.String(location),
Id: id,
NeedsRollingUpdate: "all",
})
}
}
err := addCiliumAddon(b, addons)
if err != nil {
return nil, fmt.Errorf("failed to add cilium addon: %w", err)
}
authenticationSelector := map[string]string{"role.kubernetes.io/authentication": "1"}
if b.Cluster.Spec.Authentication != nil {
if b.Cluster.Spec.Authentication.Kopeio != nil {
key := "authentication.kope.io"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: authenticationSelector,
Manifest: fi.String(location),
Id: id,
})
}
}
if b.Cluster.Spec.Authentication.AWS != nil {
key := "authentication.aws"
{
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: authenticationSelector,
Manifest: fi.String(location),
Id: id,
})
}
}
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderOpenstack {
{
key := "storage-openstack.addons.k8s.io"
id := "k8s-1.16"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
if b.Cluster.Spec.ExternalCloudControllerManager != nil {
// cloudprovider specific out-of-tree controller
{
key := "openstack.addons.k8s.io"
location := key + "/k8s-1.13.yaml"
id := "k8s-1.13-ccm"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
} else {
{
key := "core.addons.k8s.io"
location := key + "/k8s-1.12.yaml"
id := "k8s-1.12-ccm"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
Id: id,
})
}
}
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS {
if b.Cluster.Spec.ExternalCloudControllerManager != nil {
key := "aws-cloud-controller.addons.k8s.io"
{
id := "k8s-1.18"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &awscloudcontrollermanager.ServiceAccount{})
}
}
if b.Cluster.Spec.CloudConfig != nil && b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver.Enabled) {
key := "aws-ebs-csi-driver.addons.k8s.io"
{
id := "k8s-1.17"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
}
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &awsebscsidriver.ServiceAccount{})
}
}
}
if b.IsKubernetesGTE("1.20") && b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
key := "snapshot-controller.addons.k8s.io"
{
id := "k8s-1.20"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
NeedsPKI: true,
Id: id,
})
}
}
if b.Cluster.Spec.Karpenter != nil && fi.BoolValue(&b.Cluster.Spec.Karpenter.Enabled) {
key := "karpenter.sh"
{
id := "k8s-1.19"
location := key + "/" + id + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Manifest: fi.String(location),
Selector: map[string]string{"k8s-addon": key},
Id: id,
})
if b.UseServiceAccountExternalPermissions() {
serviceAccountRoles = append(serviceAccountRoles, &karpenter.ServiceAccount{})
}
}
}
if b.Cluster.Spec.KubeScheduler.UsePolicyConfigMap != nil {
key := "scheduler.addons.k8s.io"
version := "1.7.0"
location := key + "/v" + version + ".yaml"
addons.Add(&channelsapi.AddonSpec{
Name: fi.String(key),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
})
}
if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) == kops.CloudProviderAWS && b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer != nil {
awsModelContext := &awsmodel.AWSModelContext{
KopsModelContext: b.KopsModelContext,
}
for _, serviceAccountRole := range serviceAccountRoles {
iamModelBuilder := &awsmodel.IAMModelBuilder{AWSModelContext: awsModelContext, Lifecycle: b.Lifecycle, Cluster: b.Cluster}
_, err := iamModelBuilder.BuildServiceAccountRoleTasks(serviceAccountRole, c)
if err != nil {
return nil, err
}
}
}
return addons, nil
}