From ac1184fa4724915a66e2dbb14fa9573c8d14eac2 Mon Sep 17 00:00:00 2001
From: ArchiFleKs
Date: Wed, 1 Mar 2017 11:48:42 +0100
Subject: [PATCH] Add admission control to CoreOS Driver
This adds the default set of admission control to CoreOS driver and enable service account that are a requirement for most K8s addons
Change-Id: Id4948973627f4517eba13901e822f22e3fb1212f
Partially-Implements: bp coreos-best-pratice
---
.../templates/fragments/enable-kube-apiserver.yaml | 6 ++++++
.../templates/fragments/write-heat-params-master.yaml | 1 +
magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml | 5 +++--
magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml | 6 ++++++
4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
index 5faf605b4d..640b6e2710 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
@@ -21,6 +21,11 @@ write_files: content: | #!/bin/sh + KUBE_ADMISSION_CONTROL="" + if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then + KUBE_ADMISSION_CONTROL="- --admission-control=${ADMISSION_CONTROL_LIST}" + fi + TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@@ -62,6 +67,7 @@ write_files: - --tls-private-key-file=${TLS_PRIVATE_KEY_FILE} - --client-ca-file=${CLIENT_CA_FILE} - --service-account-key-file=${TLS_PRIVATE_KEY_FILE} + ${KUBE_ADMISSION_CONTROL} ports: - containerPort: 6443 hostPort: 6443
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
index 9d70465b9d..3d1876c654 100644
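Review bot: The gate `[ "${TLS_DISABLED}" == "False" ]` in the first hunk drops the whole admission chain, not just ServiceAccount, when a cluster is created with TLS disabled, so NamespaceLifecycle, LimitRanger and ResourceQuota are silently not enforced there and the operator-supplied admission_control_list is ignored without any trace in the script. If the intent is only that ServiceAccount cannot work without the key behind --service-account-key-file, filter that one plugin out instead of clearing the list, e.g. `[ "${TLS_DISABLED}" != "False" ] && ADMISSION_CONTROL_LIST=$(printf '%s' "${ADMISSION_CONTROL_LIST}" | sed -e 's/,ServiceAccount//' -e 's/^ServiceAccount,\{0,1\}//')`, or at least state the reason in a comment above the `if`. Note also that `==` inside `[ ]` is a bashism under the `#!/bin/sh` shebang; `=` is the portable form. Enabling ServiceAccount here presumably also requires kube-controller-manager to be started with a matching --service-account-private-key-file so the tokens the plugin expects actually get minted; that fragment is not part of this change, so worth confirming. The script body under `content: |` continues past the hunk.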
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@@ -19,6 +19,7 @@ write_files: FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN" FLANNEL_BACKEND="$FLANNEL_BACKEND" PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR" + ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST" ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL" USERNAME="$USERNAME" PASSWORD="$PASSWORD"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
index 034531939e..34b2eed6c7 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -107,8 +107,8 @@ parameters: admission_control_list: type: string description: > - Not used by this driver - default: "" + List of admission control plugins to activate + default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota" kube_allow_priv: type: string
@@ -376,6 +376,7 @@ resources: system_pods_initial_delay: {get_param: system_pods_initial_delay} system_pods_timeout: {get_param: system_pods_timeout} portal_network_cidr: {get_param: portal_network_cidr} + admission_control_list: {get_param: admission_control_list} fixed_network: {get_attr: [network, fixed_network]} fixed_subnet: {get_attr: [network, fixed_subnet]} discovery_url: {get_param: discovery_url}
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
index 503d9717d5..c49fc30a09 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@@ -77,6 +77,11 @@ parameters: (in seconds) default: 5 + admission_control_list: + type: string + description: > + List of admission control plugins to activate + fixed_network: type: string description: Network from which to allocate fixed addresses. 
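Review bot: The new description `List of admission control plugins to activate` on admission_control_list in kubecluster.yaml leaves out what a deployer needs to set it safely: the value is handed verbatim to kube-apiserver's --admission-control, so it is a comma-separated and order-sensitive list, and on this driver it is only honoured on TLS-enabled clusters (the apiserver fragment in this same change clears it when TLS_DISABLED is not "False"). Suggest `Comma-separated, ordered list of admission control plugins passed to kube-apiserver via --admission-control; only applied on clusters with TLS enabled.` as the description text. The matching parameter added to kubemaster.yaml later in this diff carries the same one-line description and would benefit from the same wording.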
@@ -225,6 +230,7 @@ resources: "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay} "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout} "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr} + "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list} "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$ETCD_DISCOVERY_URL": {get_param: discovery_url} "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}