From c24087a676efaa8c821f839da49ebebff17e57c3 Mon Sep 17 00:00:00 2001
From: Alexander Kanevskiy <alexander.kanevskiy@intel.com>
Date: Mon, 2 Oct 2017 20:03:04 +0300
Subject: [PATCH] Don't try to migrate to new roles and rolebinding within 1.7
 upgrades

Fixes: kubernetes/kubeadm#475
---
 cmd/kubeadm/app/phases/upgrade/postupgrade.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
index 5b33251bb010e..1b125b3896ca6 100644
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/errors"
 	clientset "k8s.io/client-go/kubernetes"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/proxy"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig"
@@ -62,9 +63,12 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.MasterC
 		errs = append(errs, err)
 	}
 
-	// Create/update RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
-	if err := nodebootstraptoken.AutoApproveNodeBootstrapTokens(client, k8sVersion); err != nil {
-		errs = append(errs, err)
+	// Not needed for 1.7 upgrades
+	if k8sVersion.AtLeast(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
+		// Create/update RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
+		if err := nodebootstraptoken.AutoApproveNodeBootstrapTokens(client, k8sVersion); err != nil {
+			errs = append(errs, err)
+		}
 	}
 
 	// TODO: Is this needed to do here? I think that updating cluster info should probably be separate from a normal upgrade
@@ -72,9 +76,12 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.MasterC
 	// if err := clusterinfo.CreateBootstrapConfigMapIfNotExists(client, kubeadmconstants.GetAdminKubeConfigPath()); err != nil {
 	// 	return err
 	//}
-	// Create/update RBAC rules that makes the cluster-info ConfigMap reachable
-	if err := clusterinfo.CreateClusterInfoRBACRules(client); err != nil {
-		errs = append(errs, err)
+	// Not needed for 1.7 upgrades
+	if k8sVersion.AtLeast(constants.UseEnableBootstrapTokenAuthFlagVersion) {
+		// Create/update RBAC rules that makes the cluster-info ConfigMap reachable
+		if err := clusterinfo.CreateClusterInfoRBACRules(client); err != nil {
+			errs = append(errs, err)
+		}
 	}
 
 	// TODO: This call is deprecated