Support adding admission plugin post bootstrap
This commit adds a system service parameter for admission plugins of kube-apiserver. We need this for pod security plugin. Starting pod security plugin without any policies will result in all pods being denied. This means pod security plugin must be started by service parameter after bootstrap. Story: 2007351 Task: 38897 Depends-On: https://review.opendev.org/#/c/717374 Change-Id: I1a7e19f85a4be609112765c975bb81a248217168 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
parent
d119336b3a
commit
a68e151408
|
@ -1051,6 +1051,9 @@ SERVICE_PARAM_NAME_OIDC_ISSUER_URL = 'oidc_issuer_url'
|
|||
SERVICE_PARAM_NAME_OIDC_CLIENT_ID = 'oidc_client_id'
|
||||
SERVICE_PARAM_NAME_OIDC_USERNAME_CLAIM = 'oidc_username_claim'
|
||||
SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM = 'oidc_groups_claim'
|
||||
SERVICE_PARAM_NAME_ADMISSION_PLUGINS = 'admission_plugins'
|
||||
|
||||
VALID_ADMISSION_PLUGINS = ['PodSecurityPolicy']
|
||||
|
||||
# ptp service parameters
|
||||
SERVICE_PARAM_SECTION_PTP_GLOBAL = 'global'
|
||||
|
|
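Review bot: `VALID_ADMISSION_PLUGINS` is, as far as this commit shows, the only allowlist between the service-parameter API and the kube-apiserver admission settings, yet it is a bare mutable list with no comment. I would make it immutable, `VALID_ADMISSION_PLUGINS = ('PodSecurityPolicy',)`, and add a comment such as `# Allowlist of kube-apiserver admission plugins that may be enabled via service parameter`. Extending the set then stays a deliberate, reviewed change rather than something code can append to at runtime.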
|
@ -324,6 +324,19 @@ def _validate_domain(name, value):
|
|||
(name, value)))
|
||||
|
||||
|
||||
def _validate_admission_plugins(name, value):
|
||||
"""Check if specified plugins are supported"""
|
||||
if not value:
|
||||
raise wsme.exc.ClientSideError(_(
|
||||
"Please specify at least 1 plugin"))
|
||||
|
||||
plugins = value.split(',')
|
||||
for plugin in plugins:
|
||||
if plugin not in constants.VALID_ADMISSION_PLUGINS:
|
||||
raise wsme.exc.ClientSideError(_(
|
||||
"Invalid admission plugin: '%s'" % plugin))
|
||||
|
||||
|
||||
IDENTITY_CONFIG_PARAMETER_OPTIONAL = [
|
||||
constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION,
|
||||
]
|
||||
|
@ -534,10 +547,12 @@ KUBERNETES_APISERVER_PARAMETER_OPTIONAL = [
|
|||
constants.SERVICE_PARAM_NAME_OIDC_CLIENT_ID,
|
||||
constants.SERVICE_PARAM_NAME_OIDC_USERNAME_CLAIM,
|
||||
constants.SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM,
|
||||
constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS,
|
||||
]
|
||||
|
||||
KUBERNETES_APISERVER_PARAMETER_VALIDATOR = {
|
||||
constants.SERVICE_PARAM_NAME_OIDC_ISSUER_URL: _validate_oidc_issuer_url,
|
||||
constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS: _validate_admission_plugins,
|
||||
}
|
||||
|
||||
KUBERNETES_APISERVER_PARAMETER_RESOURCE = {
|
||||
|
@ -549,6 +564,8 @@ KUBERNETES_APISERVER_PARAMETER_RESOURCE = {
|
|||
'platform::kubernetes::params::oidc_username_claim',
|
||||
constants.SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM:
|
||||
'platform::kubernetes::params::oidc_groups_claim',
|
||||
constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS:
|
||||
'platform::kubernetes::params::admission_plugins',
|
||||
}
|
||||
|
||||
HTTPD_PORT_PARAMETER_OPTIONAL = [
|
||||
|
|
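Review bot: `_validate_admission_plugins` checks only that each name is in `constants.VALID_ADMISSION_PLUGINS`. The commit message says enabling PodSecurityPolicy with no policies loaded denies every pod, but neither the validator nor its one-line docstring tells an operator about that precondition; I would expand the docstring to say the value is a comma-separated list checked against the allowlist and that usable policies must exist before the parameter is applied. In the loop, `value.split(',')` keeps surrounding whitespace and accepts repeated names, so `'PodSecurityPolicy, PodSecurityPolicy'` is rejected with a confusing message while `'PodSecurityPolicy,PodSecurityPolicy'` passes; `plugins = [p.strip() for p in value.split(',')]` plus a duplicate check would tighten what is presumably handed on to the apiserver configuration. The error string is also interpolated inside `_()`, which defeats the translation lookup; `_("Invalid admission plugin: '%s'") % plugin` is the usual form.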