From ba56884d919cdbaf384db367f77c18a95ab25916 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Sun, 21 Mar 2021 21:36:38 -0400
Subject: [PATCH 1/2] Ensure providerless kubelet does not pull cloud providers

Signed-off-by: Davanum Srinivas
---
 cmd/kubelet/app/plugins.go | 5 ----
 cmd/kubelet/app/plugins_providers.go | 5 ++++
 .../cadvisor/cadvisor_cloudproviders.go | 28 +++++++++++++++++++
 pkg/kubelet/cadvisor/cadvisor_linux.go | 6 ----
 4 files changed, 33 insertions(+), 11 deletions(-)
 create mode 100644 pkg/kubelet/cadvisor/cadvisor_cloudproviders.go

diff --git a/cmd/kubelet/app/plugins.go b/cmd/kubelet/app/plugins.go
index af9f708dc52..dc5125295c8 100644
--- a/cmd/kubelet/app/plugins.go
+++ b/cmd/kubelet/app/plugins.go
@@ -18,11 +18,6 @@ package app
 
 // This file exists to force the desired plugin implementations to be linked.
 import (
-	// Credential providers
-	_ "k8s.io/kubernetes/pkg/credentialprovider/aws"
-	_ "k8s.io/kubernetes/pkg/credentialprovider/azure"
-	_ "k8s.io/kubernetes/pkg/credentialprovider/gcp"
-
 	"k8s.io/component-base/featuregate"
 	"k8s.io/utils/exec"
 
diff --git a/cmd/kubelet/app/plugins_providers.go b/cmd/kubelet/app/plugins_providers.go
index 6eead0b5f6a..7261cd13b6a 100644
--- a/cmd/kubelet/app/plugins_providers.go
+++ b/cmd/kubelet/app/plugins_providers.go
@@ -19,6 +19,11 @@ limitations under the License.
 package app
 
 import (
+	// Credential providers
+	_ "k8s.io/kubernetes/pkg/credentialprovider/aws"
+	_ "k8s.io/kubernetes/pkg/credentialprovider/azure"
+	_ "k8s.io/kubernetes/pkg/credentialprovider/gcp"
+
 	"k8s.io/component-base/featuregate"
 	"k8s.io/csi-translation-lib/plugins"
 	"k8s.io/klog/v2"
diff --git a/pkg/kubelet/cadvisor/cadvisor_cloudproviders.go b/pkg/kubelet/cadvisor/cadvisor_cloudproviders.go
new file mode 100644
index 00000000000..c6444f24172
--- /dev/null
+++ b/pkg/kubelet/cadvisor/cadvisor_cloudproviders.go
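Review bot: The `// Credential providers` comment carried into the plugins_providers.go import block says nothing about why these blank imports now live here rather than in plugins.go, and the reason — the build constraint that keeps this file out of providerless builds — is at the top of the file, outside this hunk, so a reader of the block has no pointer to it and cannot tell from the hunk alone that the constraint is in fact `!providerless`. I would expand the comment to `// Credential providers (in-tree AWS/Azure/GCP registry auth). Kept in this file so that a providerless kubelet does not link them; see the build constraint at the top of this file.` It would also help operators to add one sentence on the consequence, since nothing in the diff states it: a providerless kubelet presumably then relies on an out-of-tree image credential provider for pulls from cloud registries — worth confirming and recording next to the imports.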
@@ -0,0 +1,28 @@
+// +build linux
+// +build !providerless
+
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cadvisor
+
+import (
+	// Register cloud info providers.
+	// TODO(#68522): Remove this in 1.20+ once the cAdvisor endpoints are removed.
+	_ "github.com/google/cadvisor/utils/cloudinfo/aws"
+	_ "github.com/google/cadvisor/utils/cloudinfo/azure"
+	_ "github.com/google/cadvisor/utils/cloudinfo/gce"
+)
diff --git a/pkg/kubelet/cadvisor/cadvisor_linux.go b/pkg/kubelet/cadvisor/cadvisor_linux.go
index 309b4efe7c9..991afe5fcfe 100644
--- a/pkg/kubelet/cadvisor/cadvisor_linux.go
+++ b/pkg/kubelet/cadvisor/cadvisor_linux.go
@@ -31,12 +31,6 @@ import (
 	_ "github.com/google/cadvisor/container/crio/install"
 	_ "github.com/google/cadvisor/container/systemd/install"
 
-	// Register cloud info providers.
-	// TODO(#68522): Remove this in 1.20+ once the cAdvisor endpoints are removed.
-	_ "github.com/google/cadvisor/utils/cloudinfo/aws"
-	_ "github.com/google/cadvisor/utils/cloudinfo/azure"
-	_ "github.com/google/cadvisor/utils/cloudinfo/gce"
-
 	"github.com/google/cadvisor/cache/memory"
 	cadvisormetrics "github.com/google/cadvisor/container"
 	"github.com/google/cadvisor/events"

From 4edf95ed84651fe84d4226c1eebf0577e0c8fa9a Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Mon, 22 Mar 2021 15:48:38 -0400
Subject: [PATCH 2/2] verify using go list
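Review bot: The `// TODO(#68522): Remove this in 1.20+ once the cAdvisor endpoints are removed.` line is copied verbatim from cadvisor_linux.go into a file authored in March 2021, after 1.20 has already shipped, so the target release is stale the moment this lands; if the endpoints are still present the TODO should name the release actually targeted, and if they are gone the three imports should be dropped rather than re-homed. A new file that consists only of blank imports also deserves a short comment above `package cadvisor` explaining its existence, for example `// This file only registers cAdvisor's cloud-info providers; the build constraint above excludes it from providerless kubelet builds.` If, as the package names suggest, these providers probe the cloud instance metadata service at startup, that is the egress a providerless build avoids by omitting this file, and it is worth saying so in the same comment once confirmed.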
Signed-off-by: Davanum Srinivas
---
 hack/verify-typecheck-dockerless.sh | 9 +++++++++
 hack/verify-typecheck-providerless.sh | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/hack/verify-typecheck-dockerless.sh b/hack/verify-typecheck-dockerless.sh
index c8364d3446a..d8f95e6b2ec 100755
--- a/hack/verify-typecheck-dockerless.sh
+++ b/hack/verify-typecheck-dockerless.sh
@@ -22,4 +22,13 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 cd "${KUBE_ROOT}"
 
 # verify the dockerless build
+# https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/1547-building-kubelet-without-docker/README.md
 hack/verify-typecheck.sh --skip-test --tags=dockerless --ignore-dirs=test
+
+# verify using go list
+if _out="$(go list -mod=readonly -tags "dockerless" -e -json k8s.io/kubernetes/cmd/kubelet/... \
+  | grep -e dockershim)"; then
+  echo "${_out}" >&2
+  echo "Verify typecheck for dockerless tag failed. Found restricted packages." >&2
+  exit 1
+fi
diff --git a/hack/verify-typecheck-providerless.sh b/hack/verify-typecheck-providerless.sh
index 6b1b78f3835..de3c76c2861 100755
--- a/hack/verify-typecheck-providerless.sh
+++ b/hack/verify-typecheck-providerless.sh
@@ -27,3 +27,11 @@ cd "${KUBE_ROOT}"
 # verify the providerless build
 # https://github.com/kubernetes/enhancements/blob/master/keps/sig-cloud-provider/1179-building-without-in-tree-providers/README.md
 hack/verify-typecheck.sh --skip-test --tags=providerless --ignore-dirs=test
+
+# verify using go list
+if _out="$(go list -mod=readonly -tags "providerless" -e -json k8s.io/kubernetes/cmd/kubelet/... \
+  | grep -e Azure/azure-sdk-for-go -e github.com/aws/aws-sdk-go -e google.golang.org/api)"; then
+  echo "${_out}" >&2
+  echo "Verify typecheck for providerless tag failed. Found restricted packages." >&2
+  exit 1
+fi
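Review bot: The new `if _out="$(go list ... | grep -e dockershim)"` check in verify-typecheck-dockerless.sh fails open: the `if` only sees the exit status of `grep`, so when `go list` itself fails — `-mod=readonly` refusing a module change, a mistyped package pattern, or an unresolvable package that the `-e` flag makes it tolerate — grep reads nothing, returns 1, and the script reports success without having inspected a single dependency. Whether the script sets `pipefail` above this hunk is not visible here, and even with it the `-e` flag would still let a broken package through with an incomplete dependency list. Capture the `go list` result first and abort on a non-zero status, then grep it; `-deps -f '{{.ImportPath}}'` yields one import path per line, which is a tighter thing to match than the whole JSON document. The providerless script added in the same commit has the same shape and wants the same treatment.
```shell
# verify using go list
if ! _deps="$(go list -mod=readonly -tags "dockerless" -deps -f '{{.ImportPath}}' k8s.io/kubernetes/cmd/kubelet/...)"; then
  echo "go list for the dockerless build failed; restricted packages were not verified." >&2
  exit 1
fi
if _out="$(echo "${_deps}" | grep -e dockershim)"; then
  echo "${_out}" >&2
  echo "Verify typecheck for dockerless tag failed. Found restricted packages." >&2
  exit 1
fi
```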
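Review bot: The grep in verify-typecheck-providerless.sh only matches the vendor SDKs (`Azure/azure-sdk-for-go`, `github.com/aws/aws-sdk-go`, `google.golang.org/api`), not the in-tree packages that patch 1 of this series moves behind the build tag, so a regression that re-links `k8s.io/kubernetes/pkg/credentialprovider/gcp` or `github.com/google/cadvisor/utils/cloudinfo/gce` into the providerless kubelet is caught only if that package happens to pull one of the SDKs — which, for the GCP credential provider, cannot be confirmed from here. I would add the first-party paths this series is guarding to the pattern list: `| grep -e Azure/azure-sdk-for-go -e github.com/aws/aws-sdk-go -e google.golang.org/api -e pkg/credentialprovider/aws -e pkg/credentialprovider/azure -e pkg/credentialprovider/gcp -e cadvisor/utils/cloudinfo)"; then`. As in the dockerless script, the `if` also only observes grep's exit status, so a failing `go list` makes the check pass vacuously; check the `go list` status before grepping.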