From ae73bed1d0b9a299b06fc762d513b9b734ea4ce7 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Mon, 23 Apr 2018 09:09:28 -0700
Subject: [PATCH] gce: move etcd dir cleanup to manifests we deploy it as a manifest, not an addon so locate it with the other master manifests.
---
 .../etcd-empty-dir-cleanup-psp-binding.yaml | 16 ----------
 .../etcd-empty-dir-cleanup-psp-role.yaml | 17 ----------
 .../etcd-empty-dir-cleanup-psp.yaml | 31 -------------------
 cluster/gce/gci/BUILD | 2 +-
 cluster/gce/gci/configure-helper.sh | 3 +-
 cluster/gce/manifests/BUILD | 18 ++---------
 .../manifests}/etcd-empty-dir-cleanup.yaml | 11 -------
 7 files changed, 6 insertions(+), 92 deletions(-)
 delete mode 100644 cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
 delete mode 100644 cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
 delete mode 100644 cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
 rename cluster/{addons/etcd-empty-dir-cleanup => gce/manifests}/etcd-empty-dir-cleanup.yaml (57%)
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
deleted file mode 100644
index 77003f69c5..0000000000
--- a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
-subjects:
-- kind: ServiceAccount
- name: etcd-empty-dir-cleanup
- namespace: kube-system
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
deleted file mode 100644
index 0f57b204d3..0000000000
--- a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
- namespace: kube-system
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.etcd-empty-dir-cleanup
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
deleted file mode 100644
index c0b315d586..0000000000
--- a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.etcd-empty-dir-cleanup
- annotations:
- kubernetes.io/description: 'Policy used by the etcd-empty-dir-cleanup addon.'
- # TODO: etcd-empty-dir-cleanup should run with the default seccomp profile
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
- # 'runtime/default' is already the default, but must be filled in on the
- # pod to pass admission.
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- kubernetes.io/cluster-service: 'true'
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- volumes:
- - 'secret'
- hostNetwork: true
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/gce/gci/BUILD b/cluster/gce/gci/BUILD
index a9c43c2108..0a16226b9b 100644
--- a/cluster/gce/gci/BUILD
+++ b/cluster/gce/gci/BUILD
@@ -10,7 +10,7 @@ go_test(
 ],
 data = [
 ":scripts-test-data",
- "//cluster/gce/manifests:manifests-test-data",
+ "//cluster/gce/manifests",
 ],
 deps = [
 "//pkg/api/legacyscheme:go_default_library",
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 83189bab0e..1fca03aef3 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1323,7 +1323,8 @@ function prepare-etcd-manifest {
 }
 function start-etcd-empty-dir-cleanup-pod {
- cp "${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml" "/etc/kubernetes/manifests"
+ local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/etcd-empty-dir-cleanup.yaml"
+ cp "${src_file}" "/etc/kubernetes/manifests"
 }
 # Starts etcd server pod (and etcd-events pod if needed).
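Review bot: In start-etcd-empty-dir-cleanup-pod the new `cp "${src_file}" "/etc/kubernetes/manifests"` still copies without checking that the source exists, while this commit changes where the file is expected: directly under `gci-trusty/` instead of in an `etcd-empty-dir-cleanup/` subdirectory. That location only works if the manifest is packaged flat into the kube-manifests tarball; the diffstat shows the Bazel `pkg_tar` being updated, and any other packaging path for that tarball (none is visible here) would need the same file added. A guard before the copy, `[[ -f "${src_file}" ]] || { echo "missing ${src_file}" >&2; return 1; }`, would turn a packaging miss into a clear error during master setup. A one-line comment above the function stating that files copied into this directory are started as pods on the master would also help the next reader.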
diff --git a/cluster/gce/manifests/BUILD b/cluster/gce/manifests/BUILD
index 2f352fcaec..d3cfddf1d2 100644
--- a/cluster/gce/manifests/BUILD
+++ b/cluster/gce/manifests/BUILD
@@ -5,30 +5,18 @@ load("@io_kubernetes_build//defs:pkg.bzl", "pkg_tar")
 pkg_tar(
 name = "gce-master-manifests",
- srcs = [
- "abac-authz-policy.jsonl",
- "cluster-autoscaler.manifest",
- "e2e-image-puller.manifest",
- "etcd.manifest",
- "glbc.manifest",
- "kms-plugin-container.manifest",
- "kube-addon-manager.yaml",
- "kube-apiserver.manifest",
- "kube-controller-manager.manifest",
- "kube-proxy.manifest",
- "kube-scheduler.manifest",
- "rescheduler.manifest",
- ],
+ srcs = [":manifests"],
 mode = "0644",
 )
 filegroup(
- name = "manifests-test-data",
+ name = "manifests",
 srcs = [
 "abac-authz-policy.jsonl",
 "cluster-autoscaler.manifest",
 "e2e-image-puller.manifest",
 "etcd.manifest",
+ "etcd-empty-dir-cleanup.yaml",
 "glbc.manifest",
 "kms-plugin-container.manifest",
 "kube-addon-manager.yaml",
diff --git a/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml b/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
similarity index 57%
rename from cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml
rename to cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
index fd5b0ecfcd..7e1971634f 100644
--- a/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml
+++ b/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
@@ -1,14 +1,4 @@
 apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: etcd-empty-dir-cleanup
- namespace: kube-system
- labels:
- k8s-app: etcd-empty-dir-cleanup
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
----
-apiVersion: v1
 kind: Pod
 metadata:
 name: etcd-empty-dir-cleanup
@@ -19,7 +9,6 @@ metadata:
 k8s-app: etcd-empty-dir-cleanup
 spec:
 priorityClassName: system-node-critical
- serviceAccountName: etcd-empty-dir-cleanup
 hostNetwork: true
 dnsPolicy: Default
 containers:
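Review bot: With `srcs = [":manifests"]`, every file in the `manifests` filegroup is now shipped in the `gce-master-manifests` tarball, and the same filegroup is also the `data` dependency of the gci go_test. The filegroup's list runs past the end of this hunk, so it cannot be checked here against the twelve files the tarball listed explicitly before; anything extra in it would now be deployed to the master too. I would add a comment above the filegroup, `# Files listed here are packaged into gce-master-manifests and deployed to the master; do not add test-only data.`, so the coupling is visible to whoever edits the list next.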
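Review bot: Across both hunks of etcd-empty-dir-cleanup.yaml the Pod loses its ServiceAccount and `serviceAccountName`, and the same commit deletes the dedicated PodSecurityPolicy, Role and RoleBinding, yet the Pod keeps `hostNetwork: true` and nothing in the file explains why the identity and policy objects are gone. Where PodSecurityPolicy admission is enabled, the pod would presumably be admitted under whatever policy the node's own pods may use, which could be broader than the removed policy's `privileged: false` and `hostPID: false`; that is worth confirming before merge. I would add a header comment to the manifest, `# Deployed as a master manifest by configure-helper.sh, not by the addon manager; runs without a ServiceAccount.`. The container spec lies outside the hunk, so whether it sets its own securityContext is not visible here.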