From 1f3b0500b7de384a6d1cacc39affdf716f0b0679 Mon Sep 17 00:00:00 2001
From: Bertrand NOEL
Date: Thu, 1 Dec 2016 14:23:42 +0100
Subject: [PATCH] K8S: Allows to specify admission control plugins to enable

If nothing is specified a set of recommended default plugins is used, which includes the ServiceAccount one.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
---
 doc/source/userguide.rst | 13 +++++++++++++
 .../fragments/configure-kubernetes-master.sh | 18 ++++++++++++++++--
 .../fragments/write-heat-params-master.yaml | 1 +
 magnum/drivers/heat/k8s_template_def.py | 4 +++-
 .../k8s_coreos_v1/templates/kubecluster.yaml | 7 +++++++
 .../templates/kubecluster.yaml | 7 +++++++
 .../templates/kubemaster.yaml | 6 ++++++
 .../templates/kubecluster.yaml | 7 +++++++
 .../templates/kubemaster.yaml | 6 ++++++
 .../functional/k8s/test_k8s_python_client.py | 3 ++-
 .../handlers/test_k8s_cluster_conductor.py | 12 ++++++++++--
 .../unit/drivers/test_template_definition.py | 6 ++++++
 12 files changed, 84 insertions(+), 6 deletions(-)

diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst
index 4afae1f0e1..773a373e0a 100644
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -302,6 +302,8 @@ the table are linked to more details elsewhere in the user guide.
 | | - binpack | |
 | | - random | |
 +---------------------------------------+--------------------+---------------+
+| `admission_control_list`_ | see below | see below |
++---------------------------------------+--------------------+---------------+
 =======
@@ -1013,6 +1015,17 @@ Log into the servers
 You can log into the master servers using the login 'fedora' and the keypair
 specified in the ClusterTemplate.
 
+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+ This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+ For more details, refer to the `Admission Controllers
+ `_.
+ The default value corresponds to the one recommended in this doc
+ for our current Kubernetes version.
+
 External load balancer for services
 -----------------------------------
 
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index 111fd311bc..0b6fd77739 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -25,12 +25,17 @@ else
 KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
 fi
 
+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
 sed -i '
 /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
 /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
 /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
 /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
- /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+ /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
 ' /etc/kubernetes/apiserver
 cat << _EOC_ >> /etc/kubernetes/apiserver
 #Uncomment the following line to disable Load Balancer feature
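Review bot: `KUBE_ADMISSION_CONTROL` is spliced into the sed program with `/` as delimiter and carries `ADMISSION_CONTROL_LIST` straight from the cluster-template label, with no format check here or where the label is collected in the k8s_template_def.py hunk, so a value containing `/`, `&`, a double quote or a newline either aborts `sed -i` or lands as extra content in /etc/kubernetes/apiserver. Since a valid value is a comma-separated list of plugin names, a guard before the substitution such as `case "${ADMISSION_CONTROL_LIST}" in *[!A-Za-z0-9,]*) echo "invalid ADMISSION_CONTROL_LIST" >&2; exit 1;; esac` keeps the file intact, and validating the label server-side would be the stronger place. Separately, the `TLS_DISABLED` condition drops the whole list rather than only the ServiceAccount plugin, so a TLS-disabled cluster ends up with the API server's built-in admission default instead of the documented one; the other plugins in the default list do not appear to need the TLS material. The `if`/`else` block whose `else` branch and `fi` open this hunk starts outside it.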
@@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
 #KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
 _EOC_
 
+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
 sed -i '
 /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
- /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+ /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
 ' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_
 
 KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
 
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index 19fa0ed9f7..249d3d4fef 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -20,6 +20,7 @@ write_files:
 FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
 FLANNEL_BACKEND="$FLANNEL_BACKEND"
 PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+ ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
 ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
 USERNAME="$USERNAME"
 PASSWORD="$PASSWORD"
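Review bot: `--service-account-private-key-file=/srv/kubernetes/server.key` in the new `KUBE_CONTROLLER_MANAGER_ARGS` makes the API server's TLS private key double as the service-account token signing key, so exposure of the key in either role compromises both; a dedicated key pair generated with the rest of the TLS material, paired with `--service-account-key-file` on the API server, keeps the two roles separate. The condition also keys on the list being non-empty rather than on ServiceAccount being in it, which is harmless when the plugin is absent but worth stating in the comment above it, e.g. `# Token signing key for the ServiceAccount plugin; set under the same condition as KUBE_ADMISSION_CONTROL so apiserver and controller-manager stay aligned`.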
diff --git a/magnum/drivers/heat/k8s_template_def.py b/magnum/drivers/heat/k8s_template_def.py
index 812a3fd778..a0a807fa51 100644
--- a/magnum/drivers/heat/k8s_template_def.py
+++ b/magnum/drivers/heat/k8s_template_def.py
@@ -108,7 +108,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
 label_list = ['flannel_network_cidr', 'flannel_backend', 'flannel_network_subnetlen', 'system_pods_initial_delay',
- 'system_pods_timeout']
+ 'system_pods_timeout',
+ 'admission_control_list']
+
 for label in label_list:
 extra_params[label] = cluster_template.labels.get(label)
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
index baa54bc0bb..f43eb05f83 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -104,6 +104,13 @@ parameters:
 (in seconds)
 default: 5
 
+ admission_control_list:
+ type: string
+ description: >
+ Not used by this driver
+ default: ""
+
+
 kube_allow_priv:
 type: string
 description: >
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 2f6d9fccb6..d2fad7475a 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -103,6 +103,12 @@ parameters:
 (in seconds)
 default: 5
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
 kube_allow_priv:
 type: string
 description: >
@@ -428,6 +434,7 @@ resources:
 system_pods_initial_delay: {get_param: system_pods_initial_delay}
 system_pods_timeout: {get_param: system_pods_timeout}
 portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
 discovery_url: {get_param: discovery_url}
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index d26d25da0b..4ea56fe0de 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -77,6 +77,11 @@ parameters:
 (in seconds)
 default: 5
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
 discovery_url:
 type: string
 description: >
@@ -249,6 +254,7 @@ resources:
 "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
 "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
 "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
 "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
 "$AUTH_URL": {get_param: auth_url}
 "$USERNAME": {get_param: username}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
index a673158c28..03d7a8754f 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -101,6 +101,12 @@ parameters:
 (in seconds)
 default: 5
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
 kube_allow_priv:
 type: string
 description: >
@@ -415,6 +421,7 @@ resources:
 system_pods_initial_delay: {get_param: system_pods_initial_delay}
 system_pods_timeout: {get_param: system_pods_timeout}
 portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
 discovery_url: {get_param: discovery_url}
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
index dab54150cf..d6e6435c94 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -77,6 +77,11 @@ parameters:
 (in seconds)
 default: 5
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
 discovery_url:
 type: string
 description: >
@@ -241,6 +246,7 @@ resources:
 "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
 "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
 "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
 "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
 "$AUTH_URL": {get_param: auth_url}
 "$USERNAME": {get_param: username}
diff --git a/magnum/tests/functional/k8s/test_k8s_python_client.py b/magnum/tests/functional/k8s/test_k8s_python_client.py
index cc61e2fddb..bd7f6f7154 100644
--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@@ -21,6 +21,7 @@ class TestKubernetesAPIs(base.BaseK8sTest):
 "docker_storage_driver": 'overlay',
 "labels": {
 "system_pods_initial_delay": 3600,
- "system_pods_timeout": 600
+ "system_pods_timeout": 600,
+ "admission_control_list": "",
 }
 }
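Review bot: `"admission_control_list": ""` creates the functional cluster with no `--admission-control` flag at all, because configure-kubernetes-master.sh only emits it for a non-empty list, so this test exercises neither the recommended default list nor the ServiceAccount path the change introduces. If the intent is to cover the default, drop the label so the template default applies (assuming an unset label falls through to the Heat default, which is worth confirming for this driver) or set it to the default list explicitly. The enclosing dict literal starts before this hunk.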
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 54d7b2678e..2e9438f213 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -50,7 +50,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
- 'system_pods_timeout': '1'},
+ 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list'},
 'tls_disabled': False,
 'server_type': 'vm',
 'registry_enabled': False,
@@ -147,7 +148,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
- 'system_pods_timeout': '1'},
+ 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list'},
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'no_proxy': 'no_proxy',
@@ -177,6 +179,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'no_proxy': 'no_proxy',
@@ -253,6 +256,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_subnetlen': '26',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -335,6 +339,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_subnetlen': '26',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
 'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -409,6 +414,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'tls_disabled': False,
 'registry_enabled': False,
 'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -475,6 +481,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'tls_disabled': False,
 'registry_enabled': False,
 'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -667,6 +674,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'system_pods_initial_delay': '15',
 'system_pods_timeout': '1',
+ 'admission_control_list': 'fake_list',
 'tenant_name': 'fake_tenant',
 'username': 'fake_user',
 'cluster_uuid': self.cluster_dict['uuid'],
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index d0e50dd9b3..cd50d653f4 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -258,6 +258,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'system_pods_initial_delay')
 system_pods_timeout = mock_cluster_template.labels.get(
 'system_pods_timeout')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
 
 k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -272,6 +274,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'flannel_backend': flannel_backend,
 'system_pods_initial_delay': system_pods_initial_delay,
 'system_pods_timeout': system_pods_timeout,
+ 'admission_control_list': admission_control_list,
 'username': 'fake_user',
 'tenant_name': 'fake_tenant',
 'magnum_url': mock_osc.magnum_url.return_value,
@@ -320,6 +323,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'system_pods_initial_delay')
 system_pods_timeout = mock_cluster_template.labels.get(
 'system_pods_timeout')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
 
 k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'flannel_backend': flannel_backend,
 'system_pods_initial_delay': system_pods_initial_delay,
 'system_pods_timeout': system_pods_timeout,
+ 'admission_control_list': admission_control_list,
 'username': 'fake_user',
 'tenant_name': 'fake_tenant',
 'magnum_url': mock_osc.magnum_url.return_value,