Don't try to migrate to new roles and rolebinding within 1.7 upgrades

[kad]

What this PR does / why we need it:

If user uses kubeadm 1.8.0 to upgrade within 1.7.x versions, don't try to migrate to new RBAC rules and names. It will lead to errors like described in kubernetes/kubeadm#475

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): kubernetes/kubeadm#475

Special notes for your reviewer:

Release note:

kubeadm 1.8 now properly handles upgrades from to 1.7.x to newer release in 1.7 branch

[kad]

cc @luxas

[liggitt]

this is incorrect... we still need this permission set up for 1.7 installs. this version constant just controls whether we use the --enable-bootstrap-token-auth or --experimental-bootstrap-token-auth flag. In either case, we require the RBAC permissions.

[kad]

It exists if 1.7.x was initialized with kubeadm. Only with different roleRef than expected in 1.8.
Not running it, means cluster will be in the same state as it was expected within 1.7.x (no role/bindings migrations to 1.8 naming schema).

That's what @luxas suggested. First version of that PR had migration to 1.8 naming schema even in cases of 1.7.x->1.7.x upgrade.

[liggitt]

ah, this is just the upgrade path. this still seems like a fragile way to determine what changes are needed, but I'll defer to @luxas.

were all currently supported upgrade paths tested with this change?
1.7.x -> 1.7.y upgrade
1.7.x -> 1.8.x upgrade
1.8.0 -> 1.8.0 "upgrade"

[kad]

Yes, I've tested following on my development cluster:

• install fresh cluster version 1.7.3 using kubeadm 1.7.5
  • old roles/bindings naming schema
• upgrade 1.7.3 to 1.7.7 using modified kubeadm 1.8.0
  • no roles/binding changes, old names/values
• upgrade 1.7.7 to 1.8.0-rc.1 using modified kubeadm 1.8.0
  • roles/bindings migrated to 1.8 schema
• upgrade 1.8.0-rc.1 to 1.8.0 using modified kubeadm 1.8.0
  • roles/bindings in 1.8 naming schema

[jpbetz]

Heads up- We're planning to cut 1.8.1 early this week. If this is a critical fix that will need to be in 1.8.1 please let me know, otherwise we can aim for 1.8.2.

[luxas]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kad, luxas

Associated issue: 475

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [luxas]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[luxas]

@jpbetz Yes, I'd really like this to make v1.8.1, it's a bug in one upgrade case.
Is that possible?

[luxas]

@jpbetz FWIW; the kubeadm e2e job is broken due to some test-infra bazel stuff; but CI jobs are passing, so please ignore the PR job e2e failure above. Currently the job fails fast and doesn't even start testing anything. We're looking into it and working on it.

[jpbetz]

@luxas Is this 1.8.1 only or has it also been committed to master? If it's 1.8.1 only, I'd like to make sure the e2e tests are healthy since I don't have the master branch tests to give me more confidence. Can you provide any more detail on what exactly about the test-infra is failing?

And it looks like only pull-kubernetes-e2e-kubeadm-gce is failing... maybe just retest it?

/test pull-kubernetes-e2e-kubeadm-gce

[k8s-cherrypick-bot]

Removing label cherrypick-candidate because no release milestone was set. This is an invalid state and thus this PR is not being considered for cherry-pick to any release branch. Please add an appropriate release milestone and then re-add the label.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[jpbetz]

/test pull-kubernetes-unit

[kad]

@jpbetz it is 1.8.1 only. This fix is for case 1.7.x->1.7.x upgrade issue, and master (1.9) already dropped support for 1.7.x.

[luxas]

Unit tests seem to be flaky.
/retest

@jpbetz it's only the presubmit that for some day now hasn't been able to start. But things are green on the v1.8 e2e postsubmit, which is the real indicator: https://k8s-testgrid.appspot.com/sig-cluster-lifecycle#periodic-kubeadm-gce-1.8
So we'll get this merged, verify that things are green in that job, and then proceed

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue.

[k8s-cherrypick-bot]

Commit found in the "release-1.8" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

[k8s-ci-robot]

@kad: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-kubeadm-gce	c24087a	link	/test pull-kubernetes-e2e-kubeadm-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.