Ensure that Autopilot can be disabled for real

The disable component flag only guarded the CRD and RBAC application,
but the actual Autopilot components were still started.

Add the new field autopilotDisabled to the worker profiles config map
to transport this information over to the workers.

See: 9ec69a2 ("Apply Autopilot RBAC only when Autopilot is enabled")
Signed-off-by: Tom Wieczorek <[email protected]>

Author: twz123

cmd/controller/controller.go

@@ -447,10 +447,6 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions, de
 		))
 	}
 
-	if !slices.Contains(flags.DisableComponents, constant.AutopilotComponentName) {
-		clusterComponents.Add(ctx, controller.NewCRD(c.K0sVars.ManifestsDir, "autopilot"))
-	}
-
 	if enableK0sEndpointReconciler {
 		clusterComponents.Add(ctx, controller.NewEndpointReconciler(
 			nodeConfig,
@@ -512,13 +508,15 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions, de
 		clusterComponents.Add(ctx, metrics)
 	}
 
+	disableAutopilot := slices.Contains(flags.DisableComponents, constant.AutopilotComponentName)
+
 	if !slices.Contains(flags.DisableComponents, constant.WorkerConfigComponentName) {
 		// Create new dedicated leasepool for worker config reconciler
 		leaseName := fmt.Sprintf("k0s-%s-%s", constant.WorkerConfigComponentName, constant.KubernetesMajorMinorVersion)
 		workerConfigLeasePool := leaderelector.NewLeasePool(c.K0sVars.InvocationID, adminClientFactory, leaseName)
 		clusterComponents.Add(ctx, workerConfigLeasePool)
 
-		reconciler, err := workerconfig.NewReconciler(c.K0sVars, nodeConfig.Spec, adminClientFactory, workerConfigLeasePool, enableKonnectivity)
+		reconciler, err := workerconfig.NewReconciler(c.K0sVars, nodeConfig.Spec, adminClientFactory, workerConfigLeasePool, enableKonnectivity, disableAutopilot)
 		if err != nil {
 			return err
 		}
@@ -528,7 +526,7 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions, de
 	if !slices.Contains(flags.DisableComponents, constant.SystemRBACComponentName) {
 		clusterComponents.Add(ctx, &controller.SystemRBAC{
 			Clients:          adminClientFactory,
-			ExcludeAutopilot: slices.Contains(flags.DisableComponents, constant.AutopilotComponentName),
+			ExcludeAutopilot: disableAutopilot,
 		})
 	}
 
@@ -577,13 +575,16 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions, de
 		logrus.Info("Telemetry is disabled")
 	}
 
-	clusterComponents.Add(ctx, &controller.Autopilot{
-		K0sVars:            c.K0sVars,
-		KubeletExtraArgs:   c.KubeletExtraArgs,
-		KubeAPIPort:        nodeConfig.Spec.API.Port,
-		AdminClientFactory: adminClientFactory,
-		Workloads:          controllerMode.WorkloadsEnabled(),
-	})
+	if !disableAutopilot {
+		clusterComponents.Add(ctx, controller.NewCRD(c.K0sVars.ManifestsDir, "autopilot"))
+		clusterComponents.Add(ctx, &controller.Autopilot{
+			K0sVars:            c.K0sVars,
+			KubeletExtraArgs:   c.KubeletExtraArgs,
+			KubeAPIPort:        nodeConfig.Spec.API.Port,
+			AdminClientFactory: adminClientFactory,
+			Workloads:          controllerMode.WorkloadsEnabled(),
+		})
+	}
 
 	if !slices.Contains(flags.DisableComponents, constant.UpdateProberComponentName) {
 		clusterComponents.Add(ctx, controller.NewUpdateProber(

cmd/worker/worker.go

@@ -296,7 +296,7 @@ func (c *Command) Start(ctx context.Context, nodeName apitypes.NodeName, kubelet
 
 	certManager := worker.NewCertificateManager(kubeletKubeconfigPath)
 
-	addPlatformSpecificComponents(ctx, componentManager, c.K0sVars, controller, certManager)
+	addPlatformSpecificComponents(ctx, componentManager, c.K0sVars, workerConfig, controller, certManager)
 
 	// extract needed components
 	if err := componentManager.Init(ctx); err != nil {

cmd/worker/worker_unix.go

@@ -14,12 +14,13 @@ import (
 	"github.com/k0sproject/k0s/pkg/component/prober"
 	"github.com/k0sproject/k0s/pkg/component/status"
 	"github.com/k0sproject/k0s/pkg/component/worker"
+	workerconfig "github.com/k0sproject/k0s/pkg/component/worker/config"
 	"github.com/k0sproject/k0s/pkg/config"
 )
 
 func initLogging(context.Context, string) error { return nil }
 
-func addPlatformSpecificComponents(ctx context.Context, m *manager.Manager, k0sVars *config.CfgVars, controller EmbeddingController, certManager *worker.CertificateManager) {
+func addPlatformSpecificComponents(ctx context.Context, m *manager.Manager, k0sVars *config.CfgVars, workerConfig *workerconfig.Profile, controller EmbeddingController, certManager *worker.CertificateManager) {
 	// if running inside a controller, status component is already running
 	if controller == nil {
 		m.Add(ctx, &status.Status{
@@ -41,8 +42,10 @@ func addPlatformSpecificComponents(ctx context.Context, m *manager.Manager, k0sV
 		})
 	}
 
-	m.Add(ctx, &worker.Autopilot{
-		K0sVars:     k0sVars,
-		CertManager: certManager,
-	})
+	if !workerConfig.AutopilotDisabled {
+		m.Add(ctx, &worker.Autopilot{
+			K0sVars:     k0sVars,
+			CertManager: certManager,
+		})
+	}
 }

cmd/worker/worker_windows.go

@@ -14,6 +14,7 @@ import (
 	"github.com/k0sproject/k0s/internal/pkg/log"
 	"github.com/k0sproject/k0s/pkg/component/manager"
 	"github.com/k0sproject/k0s/pkg/component/worker"
+	workerconfig "github.com/k0sproject/k0s/pkg/component/worker/config"
 	"github.com/k0sproject/k0s/pkg/config"
 	"github.com/k0sproject/k0s/pkg/constant"
 	"github.com/k0sproject/k0s/pkg/k0scontext"
@@ -45,6 +46,6 @@ func initLogging(ctx context.Context, logDir string) error {
 	return nil
 }
 
-func addPlatformSpecificComponents(context.Context, *manager.Manager, *config.CfgVars, EmbeddingController, *worker.CertificateManager) {
+func addPlatformSpecificComponents(context.Context, *manager.Manager, *config.CfgVars, *workerconfig.Profile, EmbeddingController, *worker.CertificateManager) {
 	// no-op
 }

pkg/component/controller/workerconfig/reconciler.go

@@ -54,6 +54,7 @@ type Reconciler struct {
 	clientFactory       kubeutil.ClientFactoryInterface
 	leaderElector       leaderelector.Interface
 	konnectivityEnabled bool
+	autopilotDisabled   bool
 
 	mu    sync.Mutex
 	state reconcilerState
@@ -82,7 +83,7 @@ var (
 )
 
 // NewReconciler creates a new reconciler for worker configurations.
-func NewReconciler(k0sVars *config.CfgVars, nodeSpec *v1beta1.ClusterSpec, clientFactory kubeutil.ClientFactoryInterface, leaderElector leaderelector.Interface, konnectivityEnabled bool) (*Reconciler, error) {
+func NewReconciler(k0sVars *config.CfgVars, nodeSpec *v1beta1.ClusterSpec, clientFactory kubeutil.ClientFactoryInterface, leaderElector leaderelector.Interface, konnectivityEnabled, autopilotDisabled bool) (*Reconciler, error) {
 	log := logrus.WithFields(logrus.Fields{"component": "workerconfig.Reconciler"})
 
 	clusterDNSIPString, err := nodeSpec.Network.DNSAddress()
@@ -102,6 +103,7 @@ func NewReconciler(k0sVars *config.CfgVars, nodeSpec *v1beta1.ClusterSpec, clien
 		clientFactory:       clientFactory,
 		leaderElector:       leaderElector,
 		konnectivityEnabled: konnectivityEnabled,
+		autopilotDisabled:   autopilotDisabled,
 
 		state: reconcilerCreated,
 	}
@@ -602,7 +604,8 @@ func (r *Reconciler) buildProfile(snapshot *snapshot) *workerconfig.Profile {
 			Enabled:   r.konnectivityEnabled,
 			AgentPort: snapshot.konnectivityAgentPort,
 		},
-		DualStackEnabled: snapshot.dualStackEnabled,
+		DualStackEnabled:  snapshot.dualStackEnabled,
+		AutopilotDisabled: r.autopilotDisabled,
 	}
 
 	if workerProfile.NodeLocalLoadBalancing != nil &&

pkg/component/controller/workerconfig/reconciler_test.go

@@ -59,6 +59,7 @@ func TestReconciler_Lifecycle(t *testing.T) {
 			clients,
 			&leaderelector.Dummy{Leader: true},
 			true,
+			false,
 		)
 		require.NoError(t, err)
 		underTest.log = newTestLogger(t)
@@ -314,6 +315,7 @@ func TestReconciler_ResourceGeneration(t *testing.T) {
 		clients,
 		&leaderelector.Dummy{Leader: true},
 		true,
+		false,
 	)
 	require.NoError(t, err)
 	underTest.log = newTestLogger(t)
@@ -497,6 +499,7 @@ func TestReconciler_ReconcilesOnChangesOnly(t *testing.T) {
 		clients,
 		&leaderelector.Dummy{Leader: true},
 		true,
+		false,
 	)
 	require.NoError(t, err)
 	underTest.log = newTestLogger(t)
@@ -647,6 +650,7 @@ func TestReconciler_LeaderElection(t *testing.T) {
 		clients,
 		&le,
 		true,
+		false,
 	)
 	require.NoError(t, err)
 

pkg/component/worker/config/config.go

@@ -27,6 +27,7 @@ type Profile struct {
 	Konnectivity           Konnectivity
 	PauseImage             *v1beta1.ImageSpec
 	DualStackEnabled       bool
+	AutopilotDisabled      bool
 }
 
 func (p *Profile) DeepCopy() *Profile {
@@ -143,6 +144,7 @@ func forEachConfigMapEntry(profile *Profile, f func(fieldName string, ptr any))
 		"konnectivity":           &profile.Konnectivity,
 		"pauseImage":             &profile.PauseImage,
 		"dualStackEnabled":       &profile.DualStackEnabled,
+		"autopilotDisabled":      &profile.AutopilotDisabled,
 	} {
 		f(fieldName, ptr)
 	}