From 048aca04653790dee73632d11a7321203175ec1c Mon Sep 17 00:00:00 2001
From: Peter Rifel
Date: Sun, 5 Apr 2026 14:08:07 -0500
Subject: [PATCH 1/2] Allow role=apiserver with dns=none on GCE

There shouldn't be a reason this wont work, so lets allow it for e2e to validate it
---
 pkg/apis/kops/validation/instancegroup.go | 2 +-
 .../kops/validation/instancegroup_test.go | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/pkg/apis/kops/validation/instancegroup.go b/pkg/apis/kops/validation/instancegroup.go
index 349e8fbbf888d..c32f251e9cabe 100644
--- a/pkg/apis/kops/validation/instancegroup.go
+++ b/pkg/apis/kops/validation/instancegroup.go
@@ -242,7 +242,7 @@ func CrossValidateInstanceGroup(g *kops.InstanceGroup, cluster *kops.Cluster, cl
 if cluster.GetCloudProvider() != kops.CloudProviderAWS && cluster.GetCloudProvider() != kops.CloudProviderGCE {
 allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS and GCE"))
 }
- if cluster.UsesNoneDNS() {
+ if cluster.UsesNoneDNS() && cluster.GetCloudProvider() != kops.CloudProviderGCE {
 allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer cannot be used with topology.dns.type=None"))
 }
 }
diff --git a/pkg/apis/kops/validation/instancegroup_test.go b/pkg/apis/kops/validation/instancegroup_test.go
index 23485c2e92ce5..01eeaf41db61f 100644
--- a/pkg/apis/kops/validation/instancegroup_test.go
+++ b/pkg/apis/kops/validation/instancegroup_test.go
@@ -512,6 +512,7 @@ func createMinimalInstanceGroup() *kops.InstanceGroup {
 }

 func TestCrossValidateAPIServerRole(t *testing.T) {
+ noneDNSTopology := &kops.TopologySpec{DNS: kops.DNSTypeNone}
 grid := []struct {
 Description string
 Cluster *kops.Cluster
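Review bot: The new condition `if cluster.UsesNoneDNS() && cluster.GetCloudProvider() != kops.CloudProviderGCE {` in pkg/apis/kops/validation/instancegroup.go relaxes a validation guard with no comment saying why GCE is exempt, and the commit message indicates the combination is still to be confirmed by e2e rather than known to work. A short comment above the check would record that, for example `// dns=None with role=APIServer is allowed on GCE only; other providers stay blocked until validated.` The unchanged message `"APIServer cannot be used with topology.dns.type=None"` no longer states the actual rule and could name the exception, e.g. `"APIServer cannot be used with topology.dns.type=None except on GCE"`. CrossValidateInstanceGroup starts and ends outside the hunk, so how API server instances are reached without DNS records on GCE cannot be checked from here.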
@@ -539,6 +540,30 @@ func TestCrossValidateAPIServerRole(t *testing.T) {
 },
 ExpectedErrors: 0,
 },
+ {
+ Description: "APIServer role allowed on GCE with dns=None",
+ Cluster: &kops.Cluster{
+ Spec: kops.ClusterSpec{
+ CloudProvider: kops.CloudProviderSpec{
+ GCE: &kops.GCESpec{},
+ },
+ Networking: kops.NetworkingSpec{Topology: noneDNSTopology},
+ },
+ },
+ ExpectedErrors: 0,
+ },
+ {
+ Description: "APIServer role forbidden on AWS with dns=None",
+ Cluster: &kops.Cluster{
+ Spec: kops.ClusterSpec{
+ CloudProvider: kops.CloudProviderSpec{
+ AWS: &kops.AWSSpec{},
+ },
+ Networking: kops.NetworkingSpec{Topology: noneDNSTopology},
+ },
+ },
+ ExpectedErrors: 1,
+ },
 {
 Description: "APIServer role forbidden on DO",
 Cluster: &kops.Cluster{
From a01ed0993af6102ec41b657b654172ce368b09a8 Mon Sep 17 00:00:00 2001
From: Peter Rifel
Date: Sun, 5 Apr 2026 14:08:56 -0500
Subject: [PATCH 2/2] Use dns=none for GCE role=apiserver E2E test

---
 tests/e2e/templates/apiserver-gce.yaml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/e2e/templates/apiserver-gce.yaml.tmpl b/tests/e2e/templates/apiserver-gce.yaml.tmpl
index aa8fd6ad423c7..48e4da313c31c 100644
--- a/tests/e2e/templates/apiserver-gce.yaml.tmpl
+++ b/tests/e2e/templates/apiserver-gce.yaml.tmpl
@@ -49,7 +49,7 @@ spec:
 type: Public
 topology:
 dns:
- type: Public
+ type: None
 ---
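Review bot: The two added table entries in instancegroup_test.go pin only `ExpectedErrors`, so the "APIServer role forbidden on AWS with dns=None" case would still pass if a different single error were returned. If the assertion loop (outside this hunk) compares only the count, consider also checking the error's field path or detail for that case, for instance that it is a Forbidden on `spec.role` whose detail mentions `topology.dns.type=None`. Both entries also share the single `noneDNSTopology` pointer; that is fine while validation is read-only, but a per-case value would keep the cases independent.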