K8S: Allows to specify admission control plugins to enable

If nothing is specified a set of recommended default plugins is used,
which includes the ServiceAccount one.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
This commit is contained in:
Bertrand NOEL 2016-12-01 14:23:42 +01:00 committed by Mathieu Velten
parent ae41b4511c
commit 1f3b0500b7
12 changed files with 84 additions and 6 deletions

View File

@ -302,6 +302,8 @@ the table are linked to more details elsewhere in the user guide.
| | - binpack | |
| | - random | |
+---------------------------------------+--------------------+---------------+
| `admission_control_list`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
=======
@ -1013,6 +1015,17 @@ Log into the servers
You can log into the master servers using the login 'fedora' and the
keypair specified in the ClusterTemplate.
In addition to the common attributes in the ClusterTemplate, you can specify
the following attributes that are specific to Kubernetes by using the
labels attribute.
_`admission_control_list`
This label corresponds to Kubernetes parameter for the API server '--admission-control'.
For more details, refer to the `Admission Controllers
<https://kubernetes.io/docs/admin/admission-controllers//>`_.
The default value corresponds to the one recommended in this doc
for our current Kubernetes version.
External load balancer for services
-----------------------------------

View File

@ -25,12 +25,17 @@ else
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
fi
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
fi
sed -i '
/^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver
cat << _EOC_ >> /etc/kubernetes/apiserver
#Uncomment the following line to disable Load Balancer feature
@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
_EOC_
# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
fi
sed -i '
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager
cat << _EOC_ >> /etc/kubernetes/controller-manager
#Uncomment the following line to enable Kubernetes Load Balancer feature
#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
_EOC_
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"

View File

@ -20,6 +20,7 @@ write_files:
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
FLANNEL_BACKEND="$FLANNEL_BACKEND"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"

View File

@ -108,7 +108,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
label_list = ['flannel_network_cidr', 'flannel_backend',
'flannel_network_subnetlen',
'system_pods_initial_delay',
'system_pods_timeout']
'system_pods_timeout',
'admission_control_list']
for label in label_list:
extra_params[label] = cluster_template.labels.get(label)

View File

@ -104,6 +104,13 @@ parameters:
(in seconds)
default: 5
admission_control_list:
type: string
description: >
Not used by this driver
default: ""
kube_allow_priv:
type: string
description: >

View File

@ -103,6 +103,12 @@ parameters:
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
@ -428,6 +434,7 @@ resources:
system_pods_initial_delay: {get_param: system_pods_initial_delay}
system_pods_timeout: {get_param: system_pods_timeout}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}

View File

@ -77,6 +77,11 @@ parameters:
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
@ -249,6 +254,7 @@ resources:
"$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
"$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}

View File

@ -101,6 +101,12 @@ parameters:
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
@ -415,6 +421,7 @@ resources:
system_pods_initial_delay: {get_param: system_pods_initial_delay}
system_pods_timeout: {get_param: system_pods_timeout}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}

View File

@ -77,6 +77,11 @@ parameters:
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
@ -241,6 +246,7 @@ resources:
"$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
"$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}

View File

@ -21,6 +21,7 @@ class TestKubernetesAPIs(base.BaseK8sTest):
"docker_storage_driver": 'overlay',
"labels": {
"system_pods_initial_delay": 3600,
"system_pods_timeout": 600
"system_pods_timeout": 600,
"admission_control_list": "",
}
}

View File

@ -50,7 +50,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1'},
'system_pods_timeout': '1',
'admission_control_list': 'fake_list'},
'tls_disabled': False,
'server_type': 'vm',
'registry_enabled': False,
@ -147,7 +148,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1'},
'system_pods_timeout': '1',
'admission_control_list': 'fake_list'},
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@ -177,6 +179,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@ -253,6 +256,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_subnetlen': '26',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'magnum_url': 'http://127.0.0.1:9511/v1',
@ -335,6 +339,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_subnetlen': '26',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'magnum_url': 'http://127.0.0.1:9511/v1',
@ -409,6 +414,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -475,6 +481,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -667,6 +674,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'system_pods_initial_delay': '15',
'system_pods_timeout': '1',
'admission_control_list': 'fake_list',
'tenant_name': 'fake_tenant',
'username': 'fake_user',
'cluster_uuid': self.cluster_dict['uuid'],

View File

@ -258,6 +258,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'system_pods_initial_delay')
system_pods_timeout = mock_cluster_template.labels.get(
'system_pods_timeout')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@ -272,6 +274,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_backend': flannel_backend,
'system_pods_initial_delay': system_pods_initial_delay,
'system_pods_timeout': system_pods_timeout,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,
@ -320,6 +323,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'system_pods_initial_delay')
system_pods_timeout = mock_cluster_template.labels.get(
'system_pods_timeout')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_backend': flannel_backend,
'system_pods_initial_delay': system_pods_initial_delay,
'system_pods_timeout': system_pods_timeout,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,