Require extra flag when updating cluster with downgraded kops version

cmd/kops/update_cluster.go

@@ -60,13 +60,14 @@ var (
 )
 
 type UpdateClusterOptions struct {
-	Yes             bool
-	Target          string
-	Models          string
-	OutDir          string
-	SSHPublicKey    string
-	RunTasksOptions fi.RunTasksOptions
-	CreateKubecfg   bool
+	Yes                bool
+	Target             string
+	Models             string
+	OutDir             string
+	SSHPublicKey       string
+	RunTasksOptions    fi.RunTasksOptions
+	CreateKubecfg      bool
+	AllowKopsDowngrade bool
 
 	Phase string
 
@@ -116,6 +117,7 @@ func NewCmdUpdateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 	cmd.Flags().StringVar(&options.SSHPublicKey, "ssh-public-key", options.SSHPublicKey, "SSH public key to use (deprecated: use kops create secret instead)")
 	cmd.Flags().StringVar(&options.OutDir, "out", options.OutDir, "Path to write any local output")
 	cmd.Flags().BoolVar(&options.CreateKubecfg, "create-kube-config", options.CreateKubecfg, "Will control automatically creating the kube config file on your local filesystem")
+	cmd.Flags().BoolVar(&options.AllowKopsDowngrade, "allow-kops-downgrade", options.AllowKopsDowngrade, "Allow an older version of kops to update the cluster than last used")
 	cmd.Flags().StringVar(&options.Phase, "phase", options.Phase, "Subset of tasks to run: "+strings.Join(cloudup.Phases.List(), ", "))
 	cmd.Flags().StringSliceVar(&options.LifecycleOverrides, "lifecycle-overrides", options.LifecycleOverrides, "comma separated list of phase overrides, example: SecurityGroups=Ignore,InternetGateway=ExistsAndWarnIfChanges")
 	viper.BindPFlag("lifecycle-overrides", cmd.Flags().Lookup("lifecycle-overrides"))
@@ -262,6 +264,7 @@ func RunUpdateCluster(ctx context.Context, f *util.Factory, clusterName string,
 		Clientset:          clientset,
 		Cluster:            cluster,
 		DryRun:             isDryrun,
+		AllowKopsDowngrade: c.AllowKopsDowngrade,
 		InstanceGroups:     instanceGroups,
 		RunTasksOptions:    &c.RunTasksOptions,
 		Models:             strings.Split(c.Models, ","),

docs/cli/kops_update_cluster.md

@@ -25,6 +25,7 @@ kops update cluster [flags]
 ### Options
 
 ```
+      --allow-kops-downgrade          Allow an older version of kops to update the cluster than last used
       --create-kube-config            Will control automatically creating the kube config file on your local filesystem (default true)
   -h, --help                          help for cluster
       --lifecycle-overrides strings   comma separated list of phase overrides, example: SecurityGroups=Ignore,InternetGateway=ExistsAndWarnIfChanges

docs/releases/1.19-NOTES.md

@@ -8,6 +8,9 @@
 
 * Clusters using the Amazon VPC CNI provider now perform an `ec2.DescribeInstanceTypes` call at instance launch time. In large clusters or AWS accounts this may lead to API throttling which could delay node readiness. If this becomes a problem please open a GitHub issue.
 
+* The `kops update cluster` command will now refuse to run on a cluster that
+has been updated by a newer version of kops unless it is given the `--allow-kops-downgrade` flag.
+
 # Breaking changes
 
 * Support for Kubernetes 1.9 and 1.10 has been removed.

pkg/apis/kops/registry/registry.go

@@ -29,6 +29,8 @@ const (
 	PathCluster = "config"
 	// Path for completed cluster spec in the state store
 	PathClusterCompleted = "cluster.spec"
+	// PathKopsVersion is the path for the version of kops last used to apply the cluster.
+	PathKopsVersionApplied = "kops-version-applied.txt"
 )
 
 func ConfigBase(c *api.Cluster) (vfs.Path, error) {

pkg/client/simple/vfsclientset/clientset.go

@@ -117,7 +117,7 @@ func DeleteAllClusterState(basePath vfs.Path) error {
 			continue
 		}
 
-		if relativePath == "config" || relativePath == "cluster.spec" {
+		if relativePath == "config" || relativePath == "cluster.spec" || relativePath == "kops-version-applied.txt" {
 			continue
 		}
 		if strings.HasPrefix(relativePath, "addons/") {

upup/pkg/fi/cloudup/BUILD.bazel

@@ -30,6 +30,7 @@ go_library(
         "//dnsprovider/pkg/dnsprovider:go_default_library",
         "//dnsprovider/pkg/dnsprovider/providers/aws/route53:go_default_library",
         "//dnsprovider/pkg/dnsprovider/rrstype:go_default_library",
+        "//pkg/acls:go_default_library",
         "//pkg/apis/kops:go_default_library",
         "//pkg/apis/kops/registry:go_default_library",
         "//pkg/apis/kops/util:go_default_library",

upup/pkg/fi/cloudup/apply_cluster.go

@@ -17,6 +17,7 @@ limitations under the License.
 package cloudup
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net/url"
@@ -28,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog"
 	kopsbase "k8s.io/kops"
+	"k8s.io/kops/pkg/acls"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/registry"
 	"k8s.io/kops/pkg/apis/kops/util"
@@ -126,6 +128,9 @@ type ApplyClusterCmd struct {
 	// DryRun is true if this is only a dry run
 	DryRun bool
 
+	// AllowKopsDowngrade permits applying with a kops version older than what was last used to apply to the cluster.
+	AllowKopsDowngrade bool
+
 	// RunTasksOptions defines parameters for task execution, e.g. retry interval
 	RunTasksOptions *fi.RunTasksOptions
 
@@ -234,6 +239,34 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 
 	cluster := c.Cluster
 
+	configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase)
+	if err != nil {
+		return fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err)
+	}
+
+	if !c.AllowKopsDowngrade {
+		kopsVersionApplied, err := configBase.Join(registry.PathKopsVersionApplied).ReadFile()
+		if err == nil {
+			version, err := semver.Parse(strings.TrimSpace(string(kopsVersionApplied)))
+			if err != nil {
+				return fmt.Errorf("error parsing last kops version applied: %v", err)
+			}
+			if version.GT(semver.MustParse(kopsbase.Version)) {
+				fmt.Printf("\n")
+				fmt.Printf("%s\n", starline)
+				fmt.Printf("\n")
+				fmt.Printf("The cluster was last updated by kops version %s\n", kopsVersionApplied)
+				fmt.Printf("To permit updating by the older version %s, run with the --allow-kops-downgrade flag\n", kopsbase.Version)
+				fmt.Printf("\n")
+				fmt.Printf("%s\n", starline)
+				fmt.Printf("\n")
+				return fmt.Errorf("kops version older than that last used to apply cluster")
+			}
+		} else if err != os.ErrNotExist {
+			return fmt.Errorf("error reading last kops version applied: %v", err)
+		}
+	}
+
 	cloud, err := BuildCloud(cluster)
 	if err != nil {
 		return err
@@ -255,11 +288,6 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 	l.Init()
 	l.Cluster = c.Cluster
 
-	configBase, err := vfs.Context.BuildVfsPath(cluster.Spec.ConfigBase)
-	if err != nil {
-		return fmt.Errorf("error parsing config base %q: %v", cluster.Spec.ConfigBase, err)
-	}
-
 	keyStore, err := c.Clientset.KeyStore(cluster)
 	if err != nil {
 		return err
@@ -876,6 +904,15 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 	c.Target = target
 
 	if !dryRun {
+		acl, err := acls.GetACL(configBase, cluster)
+		if err != nil {
+			return err
+		}
+		err = configBase.Join(registry.PathKopsVersionApplied).WriteFile(bytes.NewReader([]byte(kopsbase.Version)), acl)
+		if err != nil {
+			return fmt.Errorf("error writing kops version: %v", err)
+		}
+
 		err = registry.WriteConfigDeprecated(cluster, configBase.Join(registry.PathClusterCompleted), c.Cluster)
 		if err != nil {
 			return fmt.Errorf("error writing completed cluster spec: %v", err)