kubernetes · k8s-ci-robot · Jul 18, 2021 · Jul 17, 2021
diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
@@ -241,7 +241,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 		return []string{"containerd", "docker"}, cobra.ShellCompDirectiveNoFileComp
 	})
 
-	cmd.Flags().StringVar(&sshPublicKey, "ssh-public-key", sshPublicKey, "SSH public key to use (defaults to ~/.ssh/id_rsa.pub on AWS)")
+	cmd.Flags().StringVar(&sshPublicKey, "ssh-public-key", sshPublicKey, "SSH public key to use")
 	cmd.RegisterFlagCompletionFunc("ssh-public-key", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"pub"}, cobra.ShellCompDirectiveFilterFileExt
 	})
@@ -700,8 +700,7 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 	if len(c.SSHPublicKeys) == 0 {
 		autoloadSSHPublicKeys := true
 		switch c.CloudProvider {
-		case "gce":
-			// We don't normally use SSH keys on GCE
+		case "gce", "aws":
 			autoloadSSHPublicKeys = false
 		}
 

diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md
diff --git a/docs/releases/1.22-NOTES.md b/docs/releases/1.22-NOTES.md
@@ -23,6 +23,9 @@ spec:
 
 ## Other significant changes
 
+* New clusters on AWS will no longer provision an SSH public key by default. To provision
+  an SSH public key on a new cluster, use the `--ssh-public-key` flag to `kops create cluster`.
+
 * The kOps Terraform support now renders managed files through the Terraform configuration instead 
   of writing them to S3 directly. This defers changes to these files until the time of `terraform apply`.
   This feature may be temporarily disabled by turning off the `TerraformManagedFiles` feature flag

diff --git a/pkg/model/context.go b/pkg/model/context.go
@@ -333,11 +333,14 @@ func (b *KopsModelContext) UseEtcdTLS() bool {
 	return false
 }
 
-// UseSSHKey returns true if SSHKeyName from the cluster spec is not set to an empty string (""). Setting SSHKeyName
-// to an empty string indicates that an SSH key should not be set on instances.
+// UseSSHKey returns true if SSHKeyName from the cluster spec is set to a nonempty string
+// or there is an SSH public key provisioned in the key store.
 func (b *KopsModelContext) UseSSHKey() bool {
 	sshKeyName := b.Cluster.Spec.SSHKeyName
-	return sshKeyName == nil || *sshKeyName != ""
+	if sshKeyName == nil {
+		return len(b.SSHPublicKeys) > 0
+	}
+	return *sshKeyName != ""
 }
 
 // KubernetesVersion parses the semver version of kubernetes, from the cluster spec

diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -417,10 +417,6 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 			modelContext.AWSAccountID = accountID
 			modelContext.AWSPartition = partition
 
-			if len(sshPublicKeys) == 0 && c.Cluster.Spec.SSHKeyName == nil {
-				return fmt.Errorf("SSH public key must be specified when running with AWS (create with `kops create secret --name %s sshpublickey admin -i ~/.ssh/id_rsa.pub`)", cluster.ObjectMeta.Name)
-			}
-
 			if len(sshPublicKeys) > 1 {
 				return fmt.Errorf("exactly one 'admin' SSH public key can be specified when running with AWS; please delete a key using `kops delete secret`")
 			}