eksctl-io · michaelbeaumont · Jun 10, 2020 · Jun 16, 2020 · Jun 17, 2020 · sayboras
diff --git a/go.mod b/go.mod
@@ -61,7 +61,6 @@ require (
 	k8s.io/code-generator v0.16.8
 	k8s.io/kops v1.15.2
 	k8s.io/kubelet v0.16.8
-	k8s.io/kubernetes v1.16.8
 	k8s.io/legacy-cloud-providers v0.16.8
 	sigs.k8s.io/aws-iam-authenticator v0.5.0
 	sigs.k8s.io/yaml v1.2.0

diff --git a/go.sum b/go.sum
@@ -1290,7 +1290,6 @@ k8s.io/kube-scheduler v0.16.8/go.mod h1:Yq1uX8tvuzb/dxjx0nKQE88XBRDRyhW75drSDHLT
 k8s.io/kubectl v0.16.8/go.mod h1:s6lhPwTkZjHBVHH6BRVRUA1SAqqZF8osaWSYTvR1H1U=
 k8s.io/kubelet v0.16.8 h1:737GeCz3Bu4NxGivTj910vPaL6UYkxaXoOGuMarzCI0=
 k8s.io/kubelet v0.16.8/go.mod h1:mzDpnryQg2dlB6V3/WAgb1baIamiICtWpXMFrPOFh6I=
-k8s.io/kubernetes v1.16.8 h1:AQb20svioSN1foO9LOdZiUOM8zRmNua2PnYB8bvO48w=
 k8s.io/kubernetes v1.16.8/go.mod h1:bpUsy1qP0W6EtkxrPluP02p2+wyVN+95lkjPKnLQZtc=
 k8s.io/legacy-cloud-providers v0.16.8 h1:CtBX+VIKHfijcJzvNaIZJ/oRYQJCsZ5y57aN8cb8Xqs=
 k8s.io/legacy-cloud-providers v0.16.8/go.mod h1:8g5j8qDmqXvj1mQjyYOvSBv15CWbzV3D/CsRFrTGCJY=

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -8,8 +8,9 @@ import (
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/pkg/errors"
 
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
-	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
 )
 
 var (
@@ -239,6 +240,51 @@ func ValidateNodeGroup(i int, ng *NodeGroup) error {
 	return nil
 }
 
+// isKubeletLabel returns true if the label key is one that kubelets are allowed to set on their own Node object.
+// This checks if the key is in the KubeletLabels() list, or has a namespace in the KubeletLabelNamespaces() list.
+func isKubeletLabel(key string) bool {
+	var LabelOS = "beta.kubernetes.io/os"
+	var LabelArch = "beta.kubernetes.io/arch"
+
+	var labelZoneFailureDomainGA = "failure-domain.kubernetes.io/zone"
+	var labelZoneRegionGA = "failure-domain.kubernetes.io/region"
+	var labelInstanceTypeGA = "kubernetes.io/instance-type"
+	var kubeletLabels = sets.NewString(
+		v1.LabelHostname,
+		v1.LabelZoneFailureDomain,
+		v1.LabelZoneRegion,
+		v1.LabelInstanceType,
+		v1.LabelOSStable,
+		v1.LabelArchStable,
+
+		LabelOS,
+		LabelArch,
+
+		labelZoneFailureDomainGA,
+		labelZoneRegionGA,
+		labelInstanceTypeGA,
+	)
+	if kubeletLabels.Has(key) {
+		return true
+	}
+
+	var namespace string
+	if parts := strings.SplitN(key, "/", 2); len(parts) == 2 {
+		namespace = parts[0]
+	}
+	var kubeletLabelNamespaces = sets.NewString(
+		v1.LabelNamespaceSuffixKubelet,
+		v1.LabelNamespaceSuffixNode,
+	)
+	for allowedNamespace := range kubeletLabelNamespaces {
+		if namespace == allowedNamespace || strings.HasSuffix(namespace, "."+allowedNamespace) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // ValidateNodeGroupLabels uses proper Kubernetes label validation,
 // it's designed to make sure users don't pass weird labels to the
 // nodes, which would prevent kubelets to startup properly
@@ -266,7 +312,7 @@ func ValidateNodeGroupLabels(labels map[string]string) error {
 
 		if len(labelParts) == 2 {
 			namespace := labelParts[0]
-			if isKubernetesLabel(namespace) && !kubeletapis.IsKubeletLabel(label) {
+			if isKubernetesLabel(namespace) && !isKubeletLabel(label) {
 				unknownKubernetesLabels = append(unknownKubernetesLabels, label)
 			}
 		}