diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 489b5f1137..f9ad4e1f0e 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -386,7 +386,7 @@ the table are linked to more details elsewhere in the user guide.
 | `cgroup_driver`_ | - systemd | "cgroupfs" |
 | | - cgroupfs | |
 +---------------------------------------+--------------------+---------------+
-| `cloud_provider_enabled`_ | - true | true |
+| `cloud_provider_enabled`_ | - true | see below |
 | | - false | |
 +---------------------------------------+--------------------+---------------+
 | `service_cluster_ip_range` | IPv4 CIDR for k8s | 10.254.0.0/16 |
@@ -1284,9 +1284,12 @@ _`cgroup_driver`
 _`cloud_provider_enabled`
 Add 'cloud_provider_enabled' label for the k8s_fedora_atomic driver. Defaults
- to true. For specific kubernetes versions if 'cinder' is selected as a
- 'volume_driver', it is implied that the cloud provider will be enabled since
- they are combined.
+ to the value of 'cluster_user_trust' (default: 'false' unless explicitly set
+ to 'true' in magnum.conf due to CVE-2016-7404). Consequently,
+ 'cloud_provider_enabled' label cannot be overridden to 'true' when
+ 'cluster_user_trust' resolves to 'false'. For specific kubernetes versions,
+ if 'cinder' is selected as a 'volume_driver', it is implied that the cloud
+ provider will be enabled since they are combined.
 _`keystone_auth_enabled`
 If this label is set to True, Kubernetes will support use Keystone for
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py
index 027eef9288..cdb0bba096 100644
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@@ -108,17 +108,18 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
 # the cloud provider needs to be enabled.
 cloud_provider_enabled = cluster.labels.get(
 'cloud_provider_enabled',
- 'true' if CONF.trust.cluster_user_trust else 'false').lower()
+ 'true' if CONF.trust.cluster_user_trust else 'false')
 if (not CONF.trust.cluster_user_trust
- and cloud_provider_enabled == 'true'):
+ and cloud_provider_enabled.lower() == 'true'):
 raise exception.InvalidParameterValue(_(
 '"cluster_user_trust" must be set to True in magnum.conf when '
 '"cloud_provider_enabled" label is set to true.'))
 if (cluster_template.volume_driver == 'cinder'
- and cloud_provider_enabled == 'false'):
+ and cloud_provider_enabled.lower() == 'false'):
 raise exception.InvalidParameterValue(_(
 '"cinder" volume driver needs "cloud_provider_enabled" label '
 'to be true or unset.'))
+ extra_params['cloud_provider_enabled'] = cloud_provider_enabled
 extra_params['master_image'] = cluster_template.image_id
 extra_params['minion_image'] = cluster_template.image_id
@@ -130,7 +131,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
 'calico_tag', 'calico_kube_controllers_tag', 'calico_ipv4pool', 'etcd_tag', 'flannel_tag', 'flannel_cni_tag',
- 'cloud_provider_enabled', 'cloud_provider_tag',
+ 'cloud_provider_tag',
 'prometheus_tag', 'grafana_tag', 'heat_container_agent_tag', 'keystone_auth_enabled', 'k8s_keystone_auth_tag',
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 2d76a67812..e3b9c9d45f 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -382,7 +382,6 @@ parameters:
 cloud_provider_enabled:
 type: boolean
 description: Enable or disable the openstack kubernetes cloud provider
- default: true
 etcd_tag:
 type: string
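Review bot: The two guards at `and cloud_provider_enabled.lower() == 'true'` and `and cloud_provider_enabled.lower() == 'false'` only recognise those two literal spellings, yet the raw label string is now forwarded unchanged through `extra_params['cloud_provider_enabled']` into a Heat parameter declared `type: boolean` (kubecluster.yaml hunk), and Heat's boolean coercion, if I recall it correctly, also accepts spellings such as 'yes', '1' or 'on'. A label of 'yes' with cluster_user_trust disabled therefore slips past the trust check that the doc hunk's CVE-2016-7404 note relies on and still enables the provider in the stack, a label of 'no' with the cinder volume driver passes the second guard and silently disables it, and a value like 'maybe' only surfaces as a Heat validation error at stack-create time. I would canonicalise the value once, directly after the `cluster.labels.get(...)` call, rejecting anything that is not a recognised boolean with an InvalidParameterValue so that both comparisons and the stored parameter see a plain 'true'/'false' (the two `.lower()` calls can then go); if this module already imports oslo_utils.strutils, `strutils.bool_from_string(value, strict=True)` would accept exactly the set Heat does. The enclosing method starts and ends outside the hunk.
```python
        cloud_provider_enabled = cluster.labels.get(
            'cloud_provider_enabled',
            'true' if CONF.trust.cluster_user_trust else 'false')
        # Canonicalise before the trust/cinder checks so that any spelling
        # Heat's boolean parameter would coerce is either mapped to
        # 'true'/'false' here or rejected with a clear message.
        normalized = cloud_provider_enabled.strip().lower()
        if normalized not in ('true', 'false'):
            raise exception.InvalidParameterValue(_(
                '"cloud_provider_enabled" label must be "true" or "false".'))
        cloud_provider_enabled = normalized
        # … unchanged: cluster_user_trust check, cinder check, extra_params …
```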
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 625e6b82f3..0b0aacb208 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -290,6 +290,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'insecure_registry': '10.0.0.1:5000',
 }
 expected = {
+ 'cloud_provider_enabled': 'false',
 'ssh_key_name': 'keypair_id',
 'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
 'fixed_network': 'fixed_network',
@@ -432,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 expected = {
 'auth_url': 'http://192.168.10.10:5000/v3',
+ 'cloud_provider_enabled': 'true',
 'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
 'discovery_url': 'https://discovery.etcd.io/test',
 'dns_nameserver': 'dns_nameserver',
@@ -567,6 +569,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 expected = {
 'auth_url': 'http://192.168.10.10:5000/v3',
+ 'cloud_provider_enabled': 'false',
 'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
 'discovery_url': 'https://discovery.etcd.io/test',
 'docker_volume_size': 20,
@@ -994,6 +997,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 cluster)
 expected = {
+ 'cloud_provider_enabled': 'false',
 'ssh_key_name': 'keypair_id',
 'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
 'fixed_network': 'fixed_network',
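Review bot: The four added expectations in this file only pin the value derived from the cluster_user_trust default (`'cloud_provider_enabled': 'false'` three times, `'true'` once), so no test sets the label explicitly and the new `.lower()` comparisons and both InvalidParameterValue paths in k8s_fedora_template_def.py remain unexercised. I would add one case with `labels['cloud_provider_enabled'] = 'True'` and cluster_user_trust left at its default, asserting that `exception.InvalidParameterValue` is raised, and one with the label set to 'False' together with `volume_driver='cinder'` for the second guard. The `'true'` expectation in the second hunk suggests that test enables cluster_user_trust somewhere outside the visible lines, which I cannot confirm from here; the test methods these hunks belong to start outside the hunks.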