
K8S: Allows to specify admission control plugins to enable

If nothing is specified, a set of recommended default plugins is used,
which includes the ServiceAccount one.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
(cherry picked from commit 1f3b0500b7)
Bertrand NOEL 2 years ago
parent
commit
98f4ae9942

+ 13
- 0
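--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -296,6 +296,8 @@ the table are linked to more details elsewhere in the user guide.
 +---------------------------------------+--------------------+---------------+
 | `mesos_slave_executor_env_variables`_ | (file name)        | ""            |
 +---------------------------------------+--------------------+---------------+
+| `admission_control_list`_             | see below          | see below     |
++---------------------------------------+--------------------+---------------+
 
 
 =======
@@ -889,6 +891,17 @@ Log into the servers
   You can log into the master servers using the login 'fedora' and the
   keypair specified in the ClusterTemplate.
 
+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+  This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+  For more details, refer to the `Admission Controllers
+  <https://kubernetes.io/docs/admin/admission-controllers//>`_.
+  The default value corresponds to the one recommended in this doc
+  for our current Kubernetes version.
+
 External load balancer for services
 -----------------------------------
 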

+ 2
- 1
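--- a/magnum/drivers/common/k8s_template_def.py
+++ b/magnum/drivers/common/k8s_template_def.py
@@ -102,7 +102,8 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
             extra_params['kubernetes_port'] = 8080
 
         label_list = ['flannel_network_cidr', 'flannel_backend',
-                      'flannel_network_subnetlen']
+                      'flannel_network_subnetlen', 'admission_control_list']
+
         for label in label_list:
             extra_params[label] = cluster_template.labels.get(label)
 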
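Review bot: `cluster_template.labels.get(label)` on the last context line yields None when the label is absent but the empty string when a user sets it to "", and for `admission_control_list` the two diverge downstream: the Heat templates carry a non-empty default, whereas an explicit "" is passed through and the master script then emits no `--admission-control` flag at all, i.e. every admission plugin is switched off. If "disable all admission plugins" is not meant to be a supported setting, normalise here for this label only, e.g. `extra_params['admission_control_list'] = cluster_template.labels.get('admission_control_list') or None`, or else document the empty-string meaning in the user guide. Whether None-valued params are dropped before reaching Heat is not visible in this hunk; confirm against the base template definition. The enclosing method starts and ends outside the hunk.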

+ 16
- 2
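--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -29,12 +29,17 @@ else
     KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
 fi
 
+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
 sed -i '
   /^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
   /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
   /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
   /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
-  /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+  /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
 ' /etc/kubernetes/apiserver
 cat << _EOC_ >> /etc/kubernetes/apiserver
 #Uncomment the following line to disable Load Balancer feature
@@ -43,10 +48,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
 #KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
 _EOC_
 
+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
 sed -i '
   /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
-  /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+  /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
 ' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_
 
 KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
 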
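Review bot: The `[ "${TLS_DISABLED}" == "False" ]` guard on the new `KUBE_ADMISSION_CONTROL` block drops the whole admission list, not just the ServiceAccount plugin, so a cluster created with tls_disabled=True (or with the label set to an empty string) runs the API server with `--admission-control` unset and silently loses NamespaceLifecycle, LimitRanger, ResourceQuota and DefaultStorageClass as well; presumably the guard exists because /srv/kubernetes/server.key is only generated with TLS on, but that reason belongs in a comment and only the ServiceAccount entry actually depends on it. `ADMISSION_CONTROL_LIST` is user-supplied label text spliced unescaped into the sed `s/=.*/=".../` expression and into /etc/kubernetes/apiserver, so a value containing `/`, `&`, a quote or a newline corrupts the unit file rather than failing cleanly; reject it up front with `case "${ADMISSION_CONTROL_LIST}" in *[!A-Za-z0-9,]*) echo "invalid ADMISSION_CONTROL_LIST" >&2; exit 1;; esac`. The controller-manager line also reuses the API server's TLS private key (`/srv/kubernetes/server.key`) as the service-account token signing key, which ties every issued token's validity to the TLS key's lifetime and makes a TLS key rotation invalidate all of them; a dedicated signing key pair (with the matching `--service-account-key-file` on the API server) is the usual arrangement and is worth a TODO here if it cannot be done in this change. The script continues outside the hunk.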

+ 1
- 0
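--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -20,6 +20,7 @@ write_files:
       FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
       FLANNEL_BACKEND="$FLANNEL_BACKEND"
       PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+      ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
       ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
       USERNAME="$USERNAME"
       PASSWORD="$PASSWORD"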

+ 6
- 0
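--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -80,6 +80,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      Not used by this driver
+    default: ""
+
   kube_allow_priv:
     type: string
     description: >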
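Review bot: The `Not used by this driver` description means a user who sets `admission_control_list` on a CoreOS cluster template to harden the cluster has the label accepted and silently ignored, and neither this hunk nor the user-guide text says which drivers honour it. At minimum make the description actionable, e.g. `Ignored by the CoreOS driver; the API server keeps whatever admission settings its own configuration provides`, and say the same in the user guide; better, wire the parameter through to the CoreOS master fragment as the Fedora drivers do. What the CoreOS master actually runs with is not visible in this change, so confirm before wording the description.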

+ 7
- 0
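--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -79,6 +79,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
   kube_allow_priv:
     type: string
     description: >
@@ -474,6 +480,7 @@ resources:
           flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
           flannel_backend: {get_param: flannel_backend}
           portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
           discovery_url: {get_param: discovery_url}
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}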
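Review bot: The new `admission_control_list` parameter has no `constraints` block, unlike `flannel_backend` directly above it, even though its value is later written verbatim into a sed expression and into /etc/kubernetes/apiserver on the master, where a `/`, `&`, quote or whitespace character corrupts the file instead of failing validation. Admission plugin names are plain identifiers separated by commas, so a constraint such as `- allowed_pattern: "^[A-Za-z0-9]+(,[A-Za-z0-9]+)*$"` rejects malformed input at stack-create time. Note that this pattern also rejects the empty string, which the master script currently treats as "no admission control at all"; decide whether that is an intended setting before choosing the pattern.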

+ 6
- 0
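--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
   discovery_url:
     type: string
     description: >
@@ -237,6 +242,7 @@ resources:
             "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
             "$FLANNEL_BACKEND": {get_param: flannel_backend}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
             "$AUTH_URL": {get_param: auth_url}
             "$USERNAME": {get_param: username}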

+ 7
- 0
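--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -87,6 +87,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
   kube_allow_priv:
     type: string
     description: >
@@ -438,6 +444,7 @@ resources:
           flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
           flannel_backend: {get_param: flannel_backend}
           portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
           discovery_url: {get_param: discovery_url}
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}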
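Review bot: `admission_control_list` is declared here without any `constraints`, while the neighbouring `flannel_backend` parameter has an `allowed_values` list; the value flows unchanged into the master's sed rewrite of /etc/kubernetes/apiserver, so characters such as `/`, `&` or quotes break that file rather than being refused. Adding `- allowed_pattern: "^[A-Za-z0-9]+(,[A-Za-z0-9]+)*$"` under a `constraints:` key keeps the input to comma-separated plugin identifiers and fails the stack create early. Be aware that the pattern excludes the empty string, which the master script currently interprets as running without admission control, so settle that semantics first.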

+ 6
- 0
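--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
   discovery_url:
     type: string
     description: >
@@ -235,6 +240,7 @@ resources:
             "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
             "$FLANNEL_BACKEND": {get_param: flannel_backend}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
             "$AUTH_URL": {get_param: auth_url}
             "$USERNAME": {get_param: username}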

+ 4
- 1
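--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
         "tls_disabled": False,
         "network_driver": 'flannel',
         "volume_driver": 'cinder',
-        "fixed_network": '192.168.0.0/24'
+        "fixed_network": '192.168.0.0/24',
+        "labels": {
+            "admission_control_list": "",
+        }
     }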
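Review bot: Setting `"admission_control_list": ""` in the functional cluster template builds the test cluster with no `--admission-control` flag at all, since the master script only emits the flag for a non-empty value, so the ServiceAccount admission path that this change exists to enable is precisely what the functional suite never exercises. Either drop the label so the Heat default applies, or pin the recommended set explicitly, `"admission_control_list": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",`. If the empty value was chosen to work around a failure with admission enabled, that failure is the thing worth a test. The enclosing class attribute starts outside the hunk.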

+ 10
- 2
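--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
             'no_proxy': 'no_proxy',
             'labels': {'flannel_network_cidr': '10.101.0.0/16',
                        'flannel_network_subnetlen': '26',
-                       'flannel_backend': 'vxlan'},
+                       'flannel_backend': 'vxlan',
+                       'admission_control_list': 'fake_list'},
             'tls_disabled': False,
             'server_type': 'vm',
             'registry_enabled': False,
@@ -133,7 +134,8 @@ class TestClusterConductorWithK8s(base.TestCase):
             'discovery_url': 'discovery_url',
             'labels': {'flannel_network_cidr': '10.101.0.0/16',
                        'flannel_network_subnetlen': '26',
-                       'flannel_backend': 'vxlan'},
+                       'flannel_backend': 'vxlan',
+                       'admission_control_list': 'fake_list'},
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
@@ -159,6 +161,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
@@ -230,6 +233,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_backend': 'vxlan',
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
+            'admission_control_list': 'fake_list',
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_backend': 'vxlan',
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
+            'admission_control_list': 'fake_list',
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tls_disabled': False,
             'registry_enabled': False,
             'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tls_disabled': False,
             'registry_enabled': False,
             'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -578,6 +585,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tenant_name': 'fake_tenant',
             'username': 'fake_user',
             'cluster_uuid': self.cluster_dict['uuid'],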

+ 6
- 0
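--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
         flannel_subnet = mock_cluster_template.labels.get(
             'flannel_network_subnetlen')
         flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
             'flannel_network_cidr': flannel_cidr,
             'flannel_network_subnetlen': flannel_subnet,
             'flannel_backend': flannel_backend,
+            'admission_control_list': admission_control_list,
             'username': 'fake_user',
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,
@@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
         flannel_subnet = mock_cluster_template.labels.get(
             'flannel_network_subnetlen')
         flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
             'flannel_network_cidr': flannel_cidr,
             'flannel_network_subnetlen': flannel_subnet,
             'flannel_backend': flannel_backend,
+            'admission_control_list': admission_control_list,
             'username': 'fake_user',
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,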
