From 651a5b962be756d43ac11898b7982c23d943e053 Mon Sep 17 00:00:00 2001
From: Tom Kirchner <tjk@amazon.com>
Date: Tue, 30 Jun 2020 17:42:30 -0700
Subject: [PATCH] Add aws-k8s-1.17 variant with Kubernetes 1.17

There are only minor changes from the aws-k8s-1.16 variant:
* Rebase the aws-sdk-go update patch
* No longer need the license clarification for github.com/munnerz/goautoneg
  because the project added a license file
* Disable new CSIMigration in kubelet-config until further supported:
  https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/
---
 .github/workflows/build.yml                   |  2 +-
 packages/Cargo.lock                           |  7 ++
 packages/Cargo.toml                           |  1 +
 packages/kubernetes-1.17/.gitignore           |  1 +
 ...levant-variables-for-cross-compiling.patch | 77 +++++++++++++++
 .../0002-do-not-omit-debug-info.patch         | 26 +++++
 ...003-enable-PIE-for-platform-binaries.patch | 25 +++++
 ...de-SELinux-label-for-kubelet-plugins.patch | 24 +++++
 packages/kubernetes-1.17/Cargo.toml           | 29 ++++++
 packages/kubernetes-1.17/build.rs             |  9 ++
 packages/kubernetes-1.17/clarify.toml         | 55 +++++++++++
 packages/kubernetes-1.17/kubelet-config       | 34 +++++++
 packages/kubernetes-1.17/kubelet-env          |  4 +
 packages/kubernetes-1.17/kubelet-kubeconfig   | 24 +++++
 packages/kubernetes-1.17/kubelet.service      | 43 +++++++++
 packages/kubernetes-1.17/kubernetes-1.17.spec | 94 +++++++++++++++++++
 packages/kubernetes-1.17/kubernetes-ca-crt    |  1 +
 packages/kubernetes-1.17/pkg.rs               |  1 +
 sources/models/README.md                      |  7 +-
 sources/models/src/aws-k8s-1.17               |  1 +
 sources/models/src/lib.rs                     |  5 +
 variants/README.md                            |  7 ++
 variants/aws-k8s-1.17/Cargo.lock              |  5 +
 variants/aws-k8s-1.17/Cargo.toml              | 20 ++++
 variants/aws-k8s-1.17/build.rs                |  9 ++
 variants/aws-k8s-1.17/lib.rs                  |  1 +
 26 files changed, 510 insertions(+), 2 deletions(-)
 create mode 100644 packages/kubernetes-1.17/.gitignore
 create mode 100644 packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch
 create mode 100644 packages/kubernetes-1.17/0002-do-not-omit-debug-info.patch
 create mode 100644 packages/kubernetes-1.17/0003-enable-PIE-for-platform-binaries.patch
 create mode 100644 packages/kubernetes-1.17/0004-override-SELinux-label-for-kubelet-plugins.patch
 create mode 100644 packages/kubernetes-1.17/Cargo.toml
 create mode 100644 packages/kubernetes-1.17/build.rs
 create mode 100644 packages/kubernetes-1.17/clarify.toml
 create mode 100644 packages/kubernetes-1.17/kubelet-config
 create mode 100644 packages/kubernetes-1.17/kubelet-env
 create mode 100644 packages/kubernetes-1.17/kubelet-kubeconfig
 create mode 100644 packages/kubernetes-1.17/kubelet.service
 create mode 100644 packages/kubernetes-1.17/kubernetes-1.17.spec
 create mode 100644 packages/kubernetes-1.17/kubernetes-ca-crt
 create mode 100644 packages/kubernetes-1.17/pkg.rs
 create mode 120000 sources/models/src/aws-k8s-1.17
 create mode 100644 variants/aws-k8s-1.17/Cargo.lock
 create mode 100644 variants/aws-k8s-1.17/Cargo.toml
 create mode 100644 variants/aws-k8s-1.17/build.rs
 create mode 100644 variants/aws-k8s-1.17/lib.rs

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 60e7b0a2bb3..c8bc56809f8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ jobs:
     continue-on-error: ${{ matrix.supported }}
     strategy:
       matrix:
-        variant: [aws-k8s-1.15, aws-k8s-1.16]
+        variant: [aws-k8s-1.15, aws-k8s-1.16, aws-k8s-1.17]
         arch: [x86_64, aarch64]
         supported: [true]
         include:
diff --git a/packages/Cargo.lock b/packages/Cargo.lock
index 25edfba8b3d..9312e6b48ad 100644
--- a/packages/Cargo.lock
+++ b/packages/Cargo.lock
@@ -210,6 +210,13 @@ dependencies = [
  "glibc",
 ]
 
+[[package]]
+name = "kubernetes-1_17"
+version = "0.1.0"
+dependencies = [
+ "glibc",
+]
+
 [[package]]
 name = "libacl"
 version = "0.1.0"
diff --git a/packages/Cargo.toml b/packages/Cargo.toml
index 9e0547c6393..954b6afb038 100644
--- a/packages/Cargo.toml
+++ b/packages/Cargo.toml
@@ -27,6 +27,7 @@ members = [
     "kmod",
     "kubernetes-1.15",
     "kubernetes-1.16",
+    "kubernetes-1.17",
     "libacl",
     "libattr",
     "libaudit",
diff --git a/packages/kubernetes-1.17/.gitignore b/packages/kubernetes-1.17/.gitignore
new file mode 100644
index 00000000000..4eea2fc7eff
--- /dev/null
+++ b/packages/kubernetes-1.17/.gitignore
@@ -0,0 +1 @@
+/*.patch.bz2
diff --git a/packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch b/packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch
new file mode 100644
index 00000000000..1cefc4603c5
--- /dev/null
+++ b/packages/kubernetes-1.17/0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -0,0 +1,77 @@
+From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From: Ben Cressey <bcressey@amazon.com>
+Date: Sat, 18 May 2019 16:57:12 +0000
+Subject: [PATCH 1/4] always set relevant variables for cross compiling
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 22 deletions(-)
+
+diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
+index e9c3b066..14c15994 100755
+--- a/hack/lib/golang.sh
++++ b/hack/lib/golang.sh
+@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+   export GOOS=${platform%/*}
+   export GOARCH=${platform##*/}
+ 
+-  # Do not set CC when building natively on a platform, only if cross-compiling from linux/amd64
+-  if [[ $(kube::golang::host_platform) == "linux/amd64" ]]; then
+-    # Dynamic CGO linking for other server architectures than linux/amd64 goes here
+-    # If you want to include support for more server platforms than these, add arch-specific gcc names here
+-    case "${platform}" in
+-      "linux/arm")
+-        export CGO_ENABLED=1
+-        export CC=arm-linux-gnueabihf-gcc
+-        ;;
+-      "linux/arm64")
+-        export CGO_ENABLED=1
+-        export CC=aarch64-linux-gnu-gcc
+-        ;;
+-      "linux/ppc64le")
+-        export CGO_ENABLED=1
+-        export CC=powerpc64le-linux-gnu-gcc
+-        ;;
+-      "linux/s390x")
+-        export CGO_ENABLED=1
+-        export CC=s390x-linux-gnu-gcc
+-        ;;
+-    esac
++  # Apply standard values for CGO_ENABLED and CC unless KUBE_BUILD_PLATFORMS is set.
++  if [ -z "${KUBE_BUILD_PLATFORMS}" ] ; then
++      export CGO_ENABLED=0
++      export CC=gcc
++      return
+   fi
++
++  # Dynamic CGO linking for other server architectures goes here
++  # If you want to include support for more server platforms than these, add arch-specific gcc names here
++  case "${platform}" in
++    "linux/amd64")
++      export CGO_ENABLED=1
++      export CC=x86_64-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/arm")
++      export CGO_ENABLED=1
++      export CC=arm-bottlerocket-linux-gnueabihf-gcc
++      ;;
++    "linux/arm64")
++      export CGO_ENABLED=1
++      export CC=aarch64-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/ppc64le")
++      export CGO_ENABLED=1
++      export CC=powerpc64le-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/s390x")
++      export CGO_ENABLED=1
++      export CC=s390x-bottlerocket-linux-gnu-gcc
++      ;;
++  esac
+ }
+ 
+ kube::golang::unset_platform_envs() {
+-- 
+2.21.0
+
diff --git a/packages/kubernetes-1.17/0002-do-not-omit-debug-info.patch b/packages/kubernetes-1.17/0002-do-not-omit-debug-info.patch
new file mode 100644
index 00000000000..303f427535b
--- /dev/null
+++ b/packages/kubernetes-1.17/0002-do-not-omit-debug-info.patch
@@ -0,0 +1,26 @@
+From 8a067b93f1d6dabf4fe0c0c9c94dbad6f078e10b Mon Sep 17 00:00:00 2001
+From: Ben Cressey <bcressey@amazon.com>
+Date: Fri, 20 Sep 2019 00:33:47 +0000
+Subject: [PATCH 2/4] do not omit debug info
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ hack/lib/golang.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
+index 14c15994..1547bad5 100755
+--- a/hack/lib/golang.sh
++++ b/hack/lib/golang.sh
+@@ -790,7 +790,7 @@ kube::golang::build_binaries() {
+     # Disable SC2153 for this, as it will throw a warning that the local
+     # variable goldflags will exist, and it suggest changing it to this.
+     # shellcheck disable=SC2153
+-    goldflags="${GOLDFLAGS=-s -w} $(kube::version::ldflags)"
++    goldflags="${GOLDFLAGS:-} $(kube::version::ldflags)"
+     goasmflags="-trimpath=${KUBE_ROOT}"
+     gogcflags="${GOGCFLAGS:-} -trimpath=${KUBE_ROOT}"
+ 
+-- 
+2.21.0
+
diff --git a/packages/kubernetes-1.17/0003-enable-PIE-for-platform-binaries.patch b/packages/kubernetes-1.17/0003-enable-PIE-for-platform-binaries.patch
new file mode 100644
index 00000000000..e4bc4593044
--- /dev/null
+++ b/packages/kubernetes-1.17/0003-enable-PIE-for-platform-binaries.patch
@@ -0,0 +1,25 @@
+From 33cb415ae50c5fb48d37842247261b466093d1ae Mon Sep 17 00:00:00 2001
+From: Ben Cressey <bcressey@amazon.com>
+Date: Tue, 5 Nov 2019 14:23:38 +0000
+Subject: [PATCH 3/4] enable PIE for platform binaries
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ hack/lib/golang.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
+index 1547bad5..f07418a0 100755
+--- a/hack/lib/golang.sh
++++ b/hack/lib/golang.sh
+@@ -715,6 +715,7 @@ kube::golang::build_binaries_for_platform() {
+ 
+   if [[ "${#nonstatics[@]}" != 0 ]]; then
+     build_args=(
++      -buildmode pie
+       ${goflags:+"${goflags[@]}"}
+       -gcflags "${gogcflags:-}"
+       -asmflags "${goasmflags:-}"
+-- 
+2.21.0
+
diff --git a/packages/kubernetes-1.17/0004-override-SELinux-label-for-kubelet-plugins.patch b/packages/kubernetes-1.17/0004-override-SELinux-label-for-kubelet-plugins.patch
new file mode 100644
index 00000000000..a175fdbcd60
--- /dev/null
+++ b/packages/kubernetes-1.17/0004-override-SELinux-label-for-kubelet-plugins.patch
@@ -0,0 +1,24 @@
+From 03c21553cbd554761302f49f4e3e5c1d78a209cc Mon Sep 17 00:00:00 2001
+From: Ben Cressey <bcressey@amazon.com>
+Date: Tue, 17 Mar 2020 20:14:31 +0000
+Subject: [PATCH 4/4] override SELinux label for kubelet plugins
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ pkg/kubelet/config/defaults.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go
+index 6c1e4ebf..1bce6b86 100644
+--- a/pkg/kubelet/config/defaults.go
++++ b/pkg/kubelet/config/defaults.go
+@@ -26,5 +26,5 @@ const (
+ 	DefaultKubeletContainersDirName          = "containers"
+ 	DefaultKubeletPluginContainersDirName    = "plugin-containers"
+ 	DefaultKubeletPodResourcesDirName        = "pod-resources"
+-	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
++	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:local_t:s0"
+ )
+-- 
+2.21.0
+
diff --git a/packages/kubernetes-1.17/Cargo.toml b/packages/kubernetes-1.17/Cargo.toml
new file mode 100644
index 00000000000..f599d6b7436
--- /dev/null
+++ b/packages/kubernetes-1.17/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+# "." is not allowed in crate names, but we want a friendlier name for the
+# directory and spec file, so we override it below.
+name = "kubernetes-1_17"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[package.metadata.build-package]
+package-name = "kubernetes-1.17"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/kubernetes/kubernetes/archive/v1.17.8/kubernetes-1.17.8.tar.gz"
+sha512 = "0bf42da5162d91afe7be4cc9e2ca989e22d768b82b0e7b9d2ddc6bac9583fa73f22f4b755fd9cdd215d4c5023b5a349efc3f3b1a944048a329ba657b05b95f0b"
+
+# This is a large patch, so we don't want to check it into the repo.  It's like
+# https://github.com/kubernetes/kubernetes/commit/a94346bef9806a135ebcfda03672966c336c1c17
+# but applies to 1.17.8 without further context changes.
+[[package.metadata.build-package.external-files]]
+path = "aws-sdk-go-1.28.2_k8s-1.17.8.patch.bz2"
+url = "file:///aws-sdk-go-1.28.2_k8s-1.17.8.patch.bz2"
+sha512 = "bb98ec01b9e0aa843b8a33bf753277ff323f88061a00bc18404a488231fc6cc39208ad43b9c39338bb0a4f1e1b2751d6a2e71f86240d8694bf711a6a531f74d1"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
diff --git a/packages/kubernetes-1.17/build.rs b/packages/kubernetes-1.17/build.rs
new file mode 100644
index 00000000000..cad8999af53
--- /dev/null
+++ b/packages/kubernetes-1.17/build.rs
@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}
diff --git a/packages/kubernetes-1.17/clarify.toml b/packages/kubernetes-1.17/clarify.toml
new file mode 100644
index 00000000000..9c19f36ac18
--- /dev/null
+++ b/packages/kubernetes-1.17/clarify.toml
@@ -0,0 +1,55 @@
+[clarify."github.com/JeffAshton/win_pdh"]
+expression = "BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xb221dcc9 },
+]
+
+[clarify."github.com/daviddengcn/go-colortext"]
+expression = "BSD-3-Clause AND MIT"
+license-files = [
+    { path = "LICENSE", hash = 0x9769fae1 },
+]
+
+[clarify."github.com/ghodss/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]
+
+[clarify."github.com/heketi/heketi"]
+# kubernetes only uses code that is under LGPLv3+/Apache 2.0, not the code that is GPLv2+/LGPLv3+
+expression = "LGPL-3.0-or-later OR Apache-2.0"
+license-files = [
+    { path = "LICENSE", hash = 0x3c4b96d1 },
+    { path = "LICENSE-APACHE2", hash = 0x438c8616 },
+    { path = "COPYING-LGPLV3", hash = 0xf0bccb3a },
+]
+skip-files = [ "COPYING-GPLV2" ]
+
+[clarify."github.com/go-bindata/go-bindata"]
+expression = "CC0-1.0"
+license-files = [
+    { path = "LICENSE", hash = 0x393fafd6 },
+]
+
+[clarify."github.com/miekg/dns"]
+expression = "BSD-3-Clause"
+license-files = [
+    { path = "COPYRIGHT", hash = 0xe41dd36c },
+    { path = "LICENSE", hash = 0xbd510d7b },
+]
+
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]
+
+[clarify."honnef.co/go/tools"]
+expression = "MIT AND BSD-3-Clause AND Apache-2.0"
+license-files = [
+    { path = "LICENSE", hash = 0xad378ed2 },
+    { path = "LICENSE-THIRD-PARTY", hash = 0x546425eb },
+    { path = "lint/LICENSE", hash = 0xc6b58232 },
+    { path = "ssa/LICENSE", hash = 0xe656fb62 },
+]
diff --git a/packages/kubernetes-1.17/kubelet-config b/packages/kubernetes-1.17/kubelet-config
new file mode 100644
index 00000000000..6bcc262a777
--- /dev/null
+++ b/packages/kubernetes-1.17/kubelet-config
@@ -0,0 +1,34 @@
+---
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+address: 0.0.0.0
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 2m0s
+    enabled: true
+  x509:
+    clientCAFile: "/etc/kubernetes/pki/ca.crt"
+authorization:
+  mode: Webhook
+  webhook:
+    cacheAuthorizedTTL: 5m0s
+    cacheUnauthorizedTTL: 30s
+clusterDomain: cluster.local
+clusterDNS:
+- {{settings.kubernetes.cluster-dns-ip}}
+resolvConf: "/etc/resolv.conf"
+hairpinMode: hairpin-veth
+cgroupDriver: systemd
+cgroupRoot: "/"
+runtimeRequestTimeout: 15m
+featureGates:
+  RotateKubeletServerCertificate: true
+  CSIMigration: false
+serializeImagePulls: false
+serverTLSBootstrap: true
+configMapAndSecretChangeDetectionStrategy: Cache
+tlsCipherSuites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+MaxPods: {{default 110 settings.kubernetes.max-pods}}
diff --git a/packages/kubernetes-1.17/kubelet-env b/packages/kubernetes-1.17/kubelet-env
new file mode 100644
index 00000000000..e4eb941b1c2
--- /dev/null
+++ b/packages/kubernetes-1.17/kubelet-env
@@ -0,0 +1,4 @@
+NODE_IP={{settings.kubernetes.node-ip}}
+NODE_LABELS={{join_map "=" "," "no-fail-if-missing" settings.kubernetes.node-labels}}
+NODE_TAINTS={{join_map "=" "," "no-fail-if-missing" settings.kubernetes.node-taints}}
+POD_INFRA_CONTAINER_IMAGE={{settings.kubernetes.pod-infra-container-image}}
diff --git a/packages/kubernetes-1.17/kubelet-kubeconfig b/packages/kubernetes-1.17/kubelet-kubeconfig
new file mode 100644
index 00000000000..775e7a576c7
--- /dev/null
+++ b/packages/kubernetes-1.17/kubelet-kubeconfig
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    certificate-authority: "/etc/kubernetes/pki/ca.crt"
+    server: "{{settings.kubernetes.api-server}}"
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubelet
+  name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: "/usr/bin/aws-iam-authenticator"
+      args:
+      - token
+      - "-i"
+      - "{{settings.kubernetes.cluster-name}}"
diff --git a/packages/kubernetes-1.17/kubelet.service b/packages/kubernetes-1.17/kubelet.service
new file mode 100644
index 00000000000..5d86be4b290
--- /dev/null
+++ b/packages/kubernetes-1.17/kubelet.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=Kubelet
+Documentation=https://github.com/kubernetes/kubernetes
+After=containerd.service configured.target
+Wants=configured.target
+BindsTo=containerd.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/kubernetes/kubelet/env
+ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
+# Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to
+ExecStartPre=/usr/bin/host-ctr -source ${POD_INFRA_CONTAINER_IMAGE} \
+    -pull-image-only \
+    -containerd-socket /run/dockershim.sock \
+    -namespace k8s.io
+ExecStart=/usr/bin/kubelet \
+    --cloud-provider aws \
+    --config /etc/kubernetes/kubelet/config \
+    --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+    --container-runtime=remote \
+    --container-runtime-endpoint=unix:///run/dockershim.sock \
+    --containerd=/run/dockershim.sock \
+    --network-plugin cni \
+    --root-dir /var/lib/kubelet \
+    --cert-dir /var/lib/kubelet/pki \
+    --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \
+    --node-ip ${NODE_IP} \
+    --node-labels "${NODE_LABELS}" \
+    --register-with-taints "${NODE_TAINTS}" \
+    --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
+
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
+RestartSec=5
+Delegate=yes
+KillMode=process
+CPUAccounting=true
+MemoryAccounting=true
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=mark-successful-boot.service
diff --git a/packages/kubernetes-1.17/kubernetes-1.17.spec b/packages/kubernetes-1.17/kubernetes-1.17.spec
new file mode 100644
index 00000000000..57a0188c999
--- /dev/null
+++ b/packages/kubernetes-1.17/kubernetes-1.17.spec
@@ -0,0 +1,94 @@
+%global goproject github.com/kubernetes
+%global gorepo kubernetes
+%global goimport %{goproject}/%{gorepo}
+
+%global gover 1.17.8
+%global rpmver %{gover}
+
+%global _dwz_low_mem_die_limit 0
+
+Name: %{_cross_os}%{gorepo}
+Version: %{rpmver}
+Release: 1%{?dist}
+Summary: Container cluster management
+# base Apache-2.0, third_party Apache-2.0 AND BSD-3-Clause
+License: Apache-2.0 AND BSD-3-Clause
+URL: https://%{goimport}
+Source0: https://%{goimport}/archive/v%{gover}/%{gorepo}-%{gover}.tar.gz
+Source1: kubelet.service
+Source2: kubelet-env
+Source3: kubelet-config
+Source4: kubelet-kubeconfig
+Source5: kubernetes-ca-crt
+Source1000: clarify.toml
+Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
+Patch2: 0002-do-not-omit-debug-info.patch
+Patch3: 0003-enable-PIE-for-platform-binaries.patch
+Patch4: 0004-override-SELinux-label-for-kubelet-plugins.patch
+
+# Update aws-sdk-go for IMDSv2 support
+Patch100: aws-sdk-go-1.28.2_k8s-1.17.8.patch.bz2
+
+BuildRequires: git
+BuildRequires: rsync
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%package -n %{_cross_os}kubelet-1.17
+Summary: Container cluster node agent
+Requires: %{_cross_os}conntrack-tools
+Requires: %{_cross_os}containerd
+Requires: %{_cross_os}findutils
+
+%description -n %{_cross_os}kubelet-1.17
+%{summary}.
+
+%prep
+%autosetup -Sgit -n %{gorepo}-%{gover} -p1
+%cross_go_setup %{gorepo}-%{gover} %{goproject} %{goimport}
+
+# third_party licenses
+# multiarch/qemu-user-static ignored, we're not using it
+cp third_party/forked/gonum/graph/LICENSE LICENSE.gonum.graph
+cp third_party/forked/shell2junit/LICENSE LICENSE.shell2junit
+cp third_party/forked/golang/LICENSE LICENSE.golang
+cp third_party/forked/golang/PATENTS PATENTS.golang
+cp third_party/go-srcimporter/LICENSE LICENSE.go-srcimporter
+cp third_party/intemp/LICENSE LICENSE.intemp
+
+%build
+%cross_go_configure %{goimport}
+export KUBE_BUILD_PLATFORMS="linux/%{_cross_go_arch}"
+make WHAT="cmd/kubelet"
+
+%install
+output="./_output/local/bin/linux/%{_cross_go_arch}"
+install -d %{buildroot}%{_cross_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
+
+install -d %{buildroot}%{_cross_unitdir}
+install -p -m 0644 %{S:1} %{buildroot}%{_cross_unitdir}/kubelet.service
+
+mkdir -p %{buildroot}%{_cross_templatedir}
+install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env
+install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config
+install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig
+install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt
+
+%cross_scan_attribution --clarify %{S:1000} go-vendor vendor
+
+%files -n %{_cross_os}kubelet-1.17
+%license LICENSE LICENSE.gonum.graph LICENSE.shell2junit LICENSE.golang PATENTS.golang LICENSE.go-srcimporter LICENSE.intemp
+%{_cross_attribution_file}
+%{_cross_attribution_vendor_dir}
+%{_cross_bindir}/kubelet
+%{_cross_unitdir}/kubelet.service
+%dir %{_cross_templatedir}
+%{_cross_templatedir}/kubelet-env
+%{_cross_templatedir}/kubelet-config
+%{_cross_templatedir}/kubelet-kubeconfig
+%{_cross_templatedir}/kubernetes-ca-crt
+
+%changelog
diff --git a/packages/kubernetes-1.17/kubernetes-ca-crt b/packages/kubernetes-1.17/kubernetes-ca-crt
new file mode 100644
index 00000000000..0a726ad63df
--- /dev/null
+++ b/packages/kubernetes-1.17/kubernetes-ca-crt
@@ -0,0 +1 @@
+{{base64_decode settings.kubernetes.cluster-certificate}}
diff --git a/packages/kubernetes-1.17/pkg.rs b/packages/kubernetes-1.17/pkg.rs
new file mode 100644
index 00000000000..d799fb2d44c
--- /dev/null
+++ b/packages/kubernetes-1.17/pkg.rs
@@ -0,0 +1 @@
+// not used
diff --git a/sources/models/README.md b/sources/models/README.md
index a2c9271e08f..8a838f93071 100644
--- a/sources/models/README.md
+++ b/sources/models/README.md
@@ -30,6 +30,11 @@ The `#[model]` attribute on Settings and its sub-structs reduces duplication and
 * [Model](src/aws-k8s-1.16/mod.rs)
 * [Overridden defaults](src/aws-k8s-1.16/override-defaults.toml)
 
+### aws-k8s-1.17: Kubernetes 1.17
+
+* [Model](src/aws-k8s-1.17/mod.rs)
+* [Overridden defaults](src/aws-k8s-1.17/override-defaults.toml)
+
 ### aws-dev: Development build
 
 * [Model](src/aws-dev/mod.rs)
@@ -57,4 +62,4 @@ Note: all models share the same `Cargo.toml`.
 
 ## Colophon
 
-This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.
\ No newline at end of file
+This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.
diff --git a/sources/models/src/aws-k8s-1.17 b/sources/models/src/aws-k8s-1.17
new file mode 120000
index 00000000000..e2762fc566a
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.17
@@ -0,0 +1 @@
+aws-k8s-1.16
\ No newline at end of file
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
index 1e397948647..7a71c6718f9 100644
--- a/sources/models/src/lib.rs
+++ b/sources/models/src/lib.rs
@@ -27,6 +27,11 @@ The `#[model]` attribute on Settings and its sub-structs reduces duplication and
 * [Model](src/aws-k8s-1.16/mod.rs)
 * [Overridden defaults](src/aws-k8s-1.16/override-defaults.toml)
 
+## aws-k8s-1.17: Kubernetes 1.17
+
+* [Model](src/aws-k8s-1.17/mod.rs)
+* [Overridden defaults](src/aws-k8s-1.17/override-defaults.toml)
+
 ## aws-dev: Development build
 
 * [Model](src/aws-dev/mod.rs)
diff --git a/variants/README.md b/variants/README.md
index b34ead6ad1c..168927d96fb 100644
--- a/variants/README.md
+++ b/variants/README.md
@@ -38,6 +38,13 @@ It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazo
 
 This variant is compatible with Kubernetes 1.15, 1.16, and 1.17 clusters.
 
+### aws-k8s-1.17: Kubernetes 1.17 node
+
+The [aws-k8s-1.17](aws-k8s-1.17/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS.
+It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/).
+
+This variant is compatible with Kubernetes 1.16, 1.17, and 1.18 clusters.
+
 ### aws-dev: Development build
 
 The [aws-dev](aws-dev/Cargo.toml) variant has useful packages for local development of the OS.
diff --git a/variants/aws-k8s-1.17/Cargo.lock b/variants/aws-k8s-1.17/Cargo.lock
new file mode 100644
index 00000000000..718dd589476
--- /dev/null
+++ b/variants/aws-k8s-1.17/Cargo.lock
@@ -0,0 +1,5 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+[[package]]
+name = "aws-k8s-1_17"
+version = "0.1.0"
diff --git a/variants/aws-k8s-1.17/Cargo.toml b/variants/aws-k8s-1.17/Cargo.toml
new file mode 100644
index 00000000000..9c6af1f30b4
--- /dev/null
+++ b/variants/aws-k8s-1.17/Cargo.toml
@@ -0,0 +1,20 @@
+[package]
+# This is the aws-k8s-1.17 variant.  "." is not allowed in crate names, but we
+# don't use this crate name anywhere.
+name = "aws-k8s-1_17"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[package.metadata.build-variant]
+included-packages = [
+    "aws-iam-authenticator",
+    "cni",
+    "cni-plugins",
+    "kubelet-1.17",
+    "release",
+]
+
+[lib]
+path = "lib.rs"
diff --git a/variants/aws-k8s-1.17/build.rs b/variants/aws-k8s-1.17/build.rs
new file mode 100644
index 00000000000..d6a90e4df44
--- /dev/null
+++ b/variants/aws-k8s-1.17/build.rs
@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-variant").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}
diff --git a/variants/aws-k8s-1.17/lib.rs b/variants/aws-k8s-1.17/lib.rs
new file mode 100644
index 00000000000..d799fb2d44c
--- /dev/null
+++ b/variants/aws-k8s-1.17/lib.rs
@@ -0,0 +1 @@
+// not used