K8S: Allows to specify admission control plugins to enable

If nothing is specified a set of recommended default plugins is used, which includes the ServiceAccount one. Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94 Closes-Bug: #1646489
7 years ago · 1f3b0500b7
parent ae41b4511c
commit 1f3b0500b7
12 changed files with 84 additions and 6 deletions
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@ -302,6 +302,8 @@ the table are linked to more details elsewhere in the user guide.
 |                                       | - binpack          |               |
 |                                       | - random           |               |
 +---------------------------------------+--------------------+---------------+
+| `admission_control_list`_             | see below          | see below     |
+---------------------------------------+--------------------+---------------+


 =======
@ -1013,6 +1015,17 @@ Log into the servers
  You can log into the master servers using the login 'fedora' and the
  keypair specified in the ClusterTemplate.

+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+  This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+  For more details, refer to the `Admission Controllers
+  <https://kubernetes.io/docs/admin/admission-controllers//>`_.
+  The default value corresponds to the one recommended in this doc
+  for our current Kubernetes version.
+
 External load balancer for services
 -----------------------------------

--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@ -25,12 +25,17 @@ else
    KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
 fi

+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
 sed -i '
    /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
    /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
    /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
    /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
-    /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+    /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
 ' /etc/kubernetes/apiserver
 cat << _EOC_ >> /etc/kubernetes/apiserver
 #Uncomment the following line to disable Load Balancer feature
@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
 #KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
 _EOC_

+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
 sed -i '
    /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
-    /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+    /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
 ' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_

 KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"

--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@ -20,6 +20,7 @@ write_files:
      FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
      FLANNEL_BACKEND="$FLANNEL_BACKEND"
      PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+      ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
      ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
      USERNAME="$USERNAME"
      PASSWORD="$PASSWORD"
--- a/magnum/drivers/heat/k8s_template_def.py
+++ b/magnum/drivers/heat/k8s_template_def.py
@ -108,7 +108,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
        label_list = ['flannel_network_cidr', 'flannel_backend',
                      'flannel_network_subnetlen',
                      'system_pods_initial_delay',
-                      'system_pods_timeout']
+                      'system_pods_timeout',
+                      'admission_control_list']
+
        for label in label_list:
            extra_params[label] = cluster_template.labels.get(label)

--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@ -104,6 +104,13 @@ parameters:
      (in seconds)
    default: 5

+  admission_control_list:
+    type: string
+    description: >
+      Not used by this driver
+    default: ""
+
+
  kube_allow_priv:
    type: string
    description: >
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@ -103,6 +103,12 @@ parameters:
      (in seconds)
    default: 5

+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
  kube_allow_priv:
    type: string
    description: >
@ -428,6 +434,7 @@ resources:
          system_pods_initial_delay: {get_param: system_pods_initial_delay}
          system_pods_timeout: {get_param: system_pods_timeout}
          portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
          discovery_url: {get_param: discovery_url}
          cluster_uuid: {get_param: cluster_uuid}
          magnum_url: {get_param: magnum_url}
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@ -77,6 +77,11 @@ parameters:
      (in seconds)
    default: 5

+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
  discovery_url:
    type: string
    description: >
@ -249,6 +254,7 @@ resources:
            "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
            "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
            "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
            "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
            "$AUTH_URL": {get_param: auth_url}
            "$USERNAME": {get_param: username}
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@ -101,6 +101,12 @@ parameters:
      (in seconds)
    default: 5

+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
  kube_allow_priv:
    type: string
    description: >
@ -415,6 +421,7 @@ resources:
          system_pods_initial_delay: {get_param: system_pods_initial_delay}
          system_pods_timeout: {get_param: system_pods_timeout}
          portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
          discovery_url: {get_param: discovery_url}
          cluster_uuid: {get_param: cluster_uuid}
          magnum_url: {get_param: magnum_url}
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@ -77,6 +77,11 @@ parameters:
      (in seconds)
    default: 5

+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
  discovery_url:
    type: string
    description: >
@ -241,6 +246,7 @@ resources:
            "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
            "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
            "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
            "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
            "$AUTH_URL": {get_param: auth_url}
            "$USERNAME": {get_param: username}
--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@ -21,6 +21,7 @@ class TestKubernetesAPIs(base.BaseK8sTest):
        "docker_storage_driver": 'overlay',
        "labels": {
            "system_pods_initial_delay": 3600,
-            "system_pods_timeout": 600
+            "system_pods_timeout": 600,
+            "admission_control_list": "",
        }
    }
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@ -50,7 +50,8 @@ class TestClusterConductorWithK8s(base.TestCase):
                       'flannel_network_subnetlen': '26',
                       'flannel_backend': 'vxlan',
                       'system_pods_initial_delay': '15',
-                       'system_pods_timeout': '1'},
+                       'system_pods_timeout': '1',
+                       'admission_control_list': 'fake_list'},
            'tls_disabled': False,
            'server_type': 'vm',
            'registry_enabled': False,
@ -147,7 +148,8 @@ class TestClusterConductorWithK8s(base.TestCase):
                       'flannel_network_subnetlen': '26',
                       'flannel_backend': 'vxlan',
                       'system_pods_initial_delay': '15',
-                       'system_pods_timeout': '1'},
+                       'system_pods_timeout': '1',
+                       'admission_control_list': 'fake_list'},
            'http_proxy': 'http_proxy',
            'https_proxy': 'https_proxy',
            'no_proxy': 'no_proxy',
@ -177,6 +179,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_backend': 'vxlan',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'http_proxy': 'http_proxy',
            'https_proxy': 'https_proxy',
            'no_proxy': 'no_proxy',
@ -253,6 +256,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_network_subnetlen': '26',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'http_proxy': 'http_proxy',
            'https_proxy': 'https_proxy',
            'magnum_url': 'http://127.0.0.1:9511/v1',
@ -335,6 +339,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_network_subnetlen': '26',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
            'magnum_url': 'http://127.0.0.1:9511/v1',
@ -409,6 +414,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_backend': 'vxlan',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'tls_disabled': False,
            'registry_enabled': False,
            'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -475,6 +481,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_backend': 'vxlan',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'tls_disabled': False,
            'registry_enabled': False,
            'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -667,6 +674,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'flannel_backend': 'vxlan',
            'system_pods_initial_delay': '15',
            'system_pods_timeout': '1',
+            'admission_control_list': 'fake_list',
            'tenant_name': 'fake_tenant',
            'username': 'fake_user',
            'cluster_uuid': self.cluster_dict['uuid'],
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@ -258,6 +258,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
            'system_pods_initial_delay')
        system_pods_timeout = mock_cluster_template.labels.get(
            'system_pods_timeout')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')

        k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()

@ -272,6 +274,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
            'flannel_backend': flannel_backend,
            'system_pods_initial_delay': system_pods_initial_delay,
            'system_pods_timeout': system_pods_timeout,
+            'admission_control_list': admission_control_list,
            'username': 'fake_user',
            'tenant_name': 'fake_tenant',
            'magnum_url': mock_osc.magnum_url.return_value,
@ -320,6 +323,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
            'system_pods_initial_delay')
        system_pods_timeout = mock_cluster_template.labels.get(
            'system_pods_timeout')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')

        k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()

@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
            'flannel_backend': flannel_backend,
            'system_pods_initial_delay': system_pods_initial_delay,
            'system_pods_timeout': system_pods_timeout,
+            'admission_control_list': admission_control_list,
            'username': 'fake_user',
            'tenant_name': 'fake_tenant',
            'magnum_url': mock_osc.magnum_url.return_value,