Update validation to allow role=apiserver on GCE

rifelpet · rifelpet · commit 1b5ef8e99585 · 2026-04-01T20:31:43.000-05:00
diff --git a/pkg/apis/kops/validation/instancegroup.go b/pkg/apis/kops/validation/instancegroup.go
@@ -239,8 +239,8 @@ func CrossValidateInstanceGroup(g *kops.InstanceGroup, cluster *kops.Cluster, cl
 	}
 
 	if g.Spec.Role == kops.InstanceGroupRoleAPIServer {
-		if cluster.GetCloudProvider() != kops.CloudProviderAWS {
-			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS"))
+		if cluster.GetCloudProvider() != kops.CloudProviderAWS && cluster.GetCloudProvider() != kops.CloudProviderGCE {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS and GCE"))
 		}
 		if cluster.UsesNoneDNS() {
 			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer cannot be used with topology.dns.type=None"))
diff --git a/pkg/apis/kops/validation/instancegroup_test.go b/pkg/apis/kops/validation/instancegroup_test.go
@@ -510,3 +510,69 @@ func createMinimalInstanceGroup() *kops.InstanceGroup {
 	}
 	return ig
 }
+
+func TestCrossValidateAPIServerRole(t *testing.T) {
+	grid := []struct {
+		Description    string
+		Cluster        *kops.Cluster
+		ExpectedErrors int
+	}{
+		{
+			Description: "APIServer role allowed on AWS",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						AWS: &kops.AWSSpec{},
+					},
+				},
+			},
+			ExpectedErrors: 0,
+		},
+		{
+			Description: "APIServer role allowed on GCE",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						GCE: &kops.GCESpec{},
+					},
+				},
+			},
+			ExpectedErrors: 0,
+		},
+		{
+			Description: "APIServer role forbidden on DO",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						DO: &kops.DOSpec{},
+					},
+				},
+			},
+			ExpectedErrors: 1,
+		},
+	}
+
+	for _, g := range grid {
+		t.Run(g.Description, func(t *testing.T) {
+			ig := &kops.InstanceGroup{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "apiserver",
+				},
+				Spec: kops.InstanceGroupSpec{
+					Role:    kops.InstanceGroupRoleAPIServer,
+					Subnets: []string{"eu-central-1a"},
+					MaxSize: fi.PtrTo(int32(1)),
+					MinSize: fi.PtrTo(int32(1)),
+					Image:   "my-image",
+				},
+			}
+			g.Cluster.Spec.Networking.Subnets = []kops.ClusterSubnetSpec{
+				{Name: "eu-central-1a", Region: "eu-central-1"},
+			}
+			errs := CrossValidateInstanceGroup(ig, g.Cluster, nil, true)
+			if len(errs) != g.ExpectedErrors {
+				t.Errorf("expected %d errors, got %d: %v", g.ExpectedErrors, len(errs), errs)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -239,8 +239,8 @@ func CrossValidateInstanceGroup(g kops.InstanceGroup, cluster kops.Cluster, cl`
`239`	`239`	`}`
`240`	`240`
`241`	`241`	`if g.Spec.Role == kops.InstanceGroupRoleAPIServer {`
`242`		`- if cluster.GetCloudProvider() != kops.CloudProviderAWS {`
`243`		`- allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS"))`
	`242`	`+ if cluster.GetCloudProvider() != kops.CloudProviderAWS && cluster.GetCloudProvider() != kops.CloudProviderGCE {`
	`243`	`+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS and GCE"))`
`244`	`244`	`}`
`245`	`245`	`if cluster.UsesNoneDNS() {`
`246`	`246`	`allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer cannot be used with topology.dns.type=None"))`