Support adding admission plugin post bootstrap

This commit adds a system service parameter for admission plugins of kube-apiserver. We need this for pod security plugin. Starting pod security plugin without any policies will result in all pods being denied. This means pod security plugin must be started by service parameter after bootstrap. Story: 2007351 Task: 38897 Depends-On: https://review.opendev.org/#/c/717374 Change-Id: I1a7e19f85a4be609112765c975bb81a248217168 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
2020-03-27 14:15:52 -04:00 · 2020-03-27 14:15:52 -04:00 · a68e151408
parent d119336b3a
commit a68e151408
2 changed files with 20 additions and 0 deletions
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@ -1051,6 +1051,9 @@ SERVICE_PARAM_NAME_OIDC_ISSUER_URL = 'oidc_issuer_url'
 SERVICE_PARAM_NAME_OIDC_CLIENT_ID = 'oidc_client_id'
 SERVICE_PARAM_NAME_OIDC_USERNAME_CLAIM = 'oidc_username_claim'
 SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM = 'oidc_groups_claim'
+SERVICE_PARAM_NAME_ADMISSION_PLUGINS = 'admission_plugins'
+
+VALID_ADMISSION_PLUGINS = ['PodSecurityPolicy']

 # ptp service parameters
 SERVICE_PARAM_SECTION_PTP_GLOBAL = 'global'
--- a/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/service_parameter.py
@ -324,6 +324,19 @@ def _validate_domain(name, value):
            (name, value)))


+def _validate_admission_plugins(name, value):
+    """Check if specified plugins are supported"""
+    if not value:
+        raise wsme.exc.ClientSideError(_(
+            "Please specify at least 1 plugin"))
+
+    plugins = value.split(',')
+    for plugin in plugins:
+        if plugin not in constants.VALID_ADMISSION_PLUGINS:
+            raise wsme.exc.ClientSideError(_(
+                "Invalid admission plugin: '%s'" % plugin))
+
+
 IDENTITY_CONFIG_PARAMETER_OPTIONAL = [
    constants.SERVICE_PARAM_IDENTITY_CONFIG_TOKEN_EXPIRATION,
 ]
@ -534,10 +547,12 @@ KUBERNETES_APISERVER_PARAMETER_OPTIONAL = [
    constants.SERVICE_PARAM_NAME_OIDC_CLIENT_ID,
    constants.SERVICE_PARAM_NAME_OIDC_USERNAME_CLAIM,
    constants.SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM,
+    constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS,
 ]

 KUBERNETES_APISERVER_PARAMETER_VALIDATOR = {
    constants.SERVICE_PARAM_NAME_OIDC_ISSUER_URL: _validate_oidc_issuer_url,
+    constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS: _validate_admission_plugins,
 }

 KUBERNETES_APISERVER_PARAMETER_RESOURCE = {
@ -549,6 +564,8 @@ KUBERNETES_APISERVER_PARAMETER_RESOURCE = {
        'platform::kubernetes::params::oidc_username_claim',
    constants.SERVICE_PARAM_NAME_OIDC_GROUPS_CLAIM:
        'platform::kubernetes::params::oidc_groups_claim',
+    constants.SERVICE_PARAM_NAME_ADMISSION_PLUGINS:
+        'platform::kubernetes::params::admission_plugins',
 }

 HTTPD_PORT_PARAMETER_OPTIONAL = [