K8S: Allows to specify admission control plugins to enable
If nothing is specified, a set of recommended default plugins is used, which includes the ServiceAccount plugin. Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94 Closes-Bug: #1646489
parent
ae41b4511c
commit
1f3b0500b7
|
@ -302,6 +302,8 @@ the table are linked to more details elsewhere in the user guide.
|
|||
| | - binpack | |
|
||||
| | - random | |
|
||||
+---------------------------------------+--------------------+---------------+
|
||||
| `admission_control_list`_ | see below | see below |
|
||||
+---------------------------------------+--------------------+---------------+
|
||||
|
||||
|
||||
=======
|
||||
|
@ -1013,6 +1015,17 @@ Log into the servers
|
|||
You can log into the master servers using the login 'fedora' and the
|
||||
keypair specified in the ClusterTemplate.
|
||||
|
||||
In addition to the common attributes in the ClusterTemplate, you can specify
|
||||
the following attributes that are specific to Kubernetes by using the
|
||||
labels attribute.
|
||||
|
||||
_`admission_control_list`
|
||||
This label corresponds to Kubernetes parameter for the API server '--admission-control'.
|
||||
For more details, refer to the `Admission Controllers
|
||||
<https://kubernetes.io/docs/admin/admission-controllers//>`_.
|
||||
The default value corresponds to the one recommended in this doc
|
||||
for our current Kubernetes version.
|
||||
|
||||
External load balancer for services
|
||||
-----------------------------------
|
||||
|
||||
|
|
|
@ -25,12 +25,17 @@ else
|
|||
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
|
||||
fi
|
||||
|
||||
KUBE_ADMISSION_CONTROL=""
|
||||
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
|
||||
fi
|
||||
|
||||
sed -i '
|
||||
/^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
|
||||
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
|
||||
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
|
||||
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
|
||||
/^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
|
||||
/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
|
||||
' /etc/kubernetes/apiserver
|
||||
cat << _EOC_ >> /etc/kubernetes/apiserver
|
||||
#Uncomment the following line to disable Load Balancer feature
|
||||
|
@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
|
|||
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
|
||||
_EOC_
|
||||
|
||||
# Add controller manager args
|
||||
KUBE_CONTROLLER_MANAGER_ARGS=""
|
||||
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
|
||||
fi
|
||||
sed -i '
|
||||
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
|
||||
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
|
||||
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
|
||||
' /etc/kubernetes/controller-manager
|
||||
cat << _EOC_ >> /etc/kubernetes/controller-manager
|
||||
#Uncomment the following line to enable Kubernetes Load Balancer feature
|
||||
#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
|
||||
_EOC_
|
||||
|
||||
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
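Review bot: The label value is spliced unescaped into the sed replacement on the `/^KUBE_ADMISSION_CONTROL=/` line of the first hunk, so an `admission_control_list` containing `/` makes sed reject the whole script and one containing `&` or a backslash changes what is written to `/etc/kubernetes/apiserver`. Plugin names are plain identifiers, so the value can be checked before the flag is built, for example `case "${ADMISSION_CONTROL_LIST}" in *[!A-Za-z0-9,]*) echo "invalid admission_control_list" >&2; exit 1;; esac`, or with an `allowed_pattern` constraint on the Heat parameter. The guard also drops the label without any message when `TLS_DISABLED` is not `"False"`, which leaves the API server with no `--admission-control` flag at all, even for plugins that presumably do not need the signing key; a log line in that branch would make the downgrade visible. In the second hunk the service-account signing key is `/srv/kubernetes/server.key`, which from its path looks like the API server's own TLS key; a dedicated key pair would let the two be rotated separately.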
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ write_files:
|
|||
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
|
||||
FLANNEL_BACKEND="$FLANNEL_BACKEND"
|
||||
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
|
||||
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
|
||||
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
|
||||
USERNAME="$USERNAME"
|
||||
PASSWORD="$PASSWORD"
|
||||
|
|
|
@ -108,7 +108,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
|
|||
label_list = ['flannel_network_cidr', 'flannel_backend',
|
||||
'flannel_network_subnetlen',
|
||||
'system_pods_initial_delay',
|
||||
'system_pods_timeout']
|
||||
'system_pods_timeout',
|
||||
'admission_control_list']
|
||||
|
||||
for label in label_list:
|
||||
extra_params[label] = cluster_template.labels.get(label)
|
||||
|
||||
|
|
|
@ -104,6 +104,13 @@ parameters:
|
|||
(in seconds)
|
||||
default: 5
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
Not used by this driver
|
||||
default: ""
|
||||
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
|
|
@ -103,6 +103,12 @@ parameters:
|
|||
(in seconds)
|
||||
default: 5
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -428,6 +434,7 @@ resources:
|
|||
system_pods_initial_delay: {get_param: system_pods_initial_delay}
|
||||
system_pods_timeout: {get_param: system_pods_timeout}
|
||||
portal_network_cidr: {get_param: portal_network_cidr}
|
||||
admission_control_list: {get_param: admission_control_list}
|
||||
discovery_url: {get_param: discovery_url}
|
||||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
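Review bot: The description of the new `admission_control_list` parameter, `List of admission control plugins to activate`, does not say what format the string must have or when it takes effect. Judging by the default value and by the master configuration script in this commit, it is a comma-separated list without spaces that is handed to `--admission-control` only when TLS is enabled; for API server versions that take this flag the order of the names is, as far as I know, significant. I would extend the description to something like `Comma-separated, ordered list of admission control plugins passed to the API server; ignored when TLS is disabled`. The same parameter block is repeated in the other cluster and master templates further down, and the default list is duplicated in two of them, so both copies have to change together when the recommended set changes.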
|
||||
|
|
|
@ -77,6 +77,11 @@ parameters:
|
|||
(in seconds)
|
||||
default: 5
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
|
||||
discovery_url:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -249,6 +254,7 @@ resources:
|
|||
"$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
|
||||
"$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
|
||||
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
|
||||
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
|
||||
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$USERNAME": {get_param: username}
|
||||
|
|
|
@ -101,6 +101,12 @@ parameters:
|
|||
(in seconds)
|
||||
default: 5
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -415,6 +421,7 @@ resources:
|
|||
system_pods_initial_delay: {get_param: system_pods_initial_delay}
|
||||
system_pods_timeout: {get_param: system_pods_timeout}
|
||||
portal_network_cidr: {get_param: portal_network_cidr}
|
||||
admission_control_list: {get_param: admission_control_list}
|
||||
discovery_url: {get_param: discovery_url}
|
||||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
|
|
|
@ -77,6 +77,11 @@ parameters:
|
|||
(in seconds)
|
||||
default: 5
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
|
||||
discovery_url:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -241,6 +246,7 @@ resources:
|
|||
"$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
|
||||
"$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
|
||||
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
|
||||
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
|
||||
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$USERNAME": {get_param: username}
|
||||
|
|
|
@ -21,6 +21,7 @@ class TestKubernetesAPIs(base.BaseK8sTest):
|
|||
"docker_storage_driver": 'overlay',
|
||||
"labels": {
|
||||
"system_pods_initial_delay": 3600,
|
||||
"system_pods_timeout": 600
|
||||
"system_pods_timeout": 600,
|
||||
"admission_control_list": "",
|
||||
}
|
||||
}
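Review bot: The functional test sets `"admission_control_list": ""`, which appears to override the template default with an empty list, so the default plugin set this commit introduces (ServiceAccount and the controller-manager signing key that goes with it) is not exercised by this test class. If that is deliberate, for example because the functional workload cannot yet run with ServiceAccount enabled, a comment next to the label such as `# admission control disabled: <reason>` would record why; otherwise dropping the label here lets the test cover the default path. The enclosing dict starts above the hunk.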
|
||||
|
|
|
@ -50,7 +50,8 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1'},
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list'},
|
||||
'tls_disabled': False,
|
||||
'server_type': 'vm',
|
||||
'registry_enabled': False,
|
||||
|
@ -147,7 +148,8 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1'},
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list'},
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
|
@ -177,6 +179,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
|
@ -253,6 +256,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_subnetlen': '26',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'magnum_url': 'http://127.0.0.1:9511/v1',
|
||||
|
@ -335,6 +339,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_subnetlen': '26',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'magnum_url': 'http://127.0.0.1:9511/v1',
|
||||
|
@ -409,6 +414,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tls_disabled': False,
|
||||
'registry_enabled': False,
|
||||
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
|
||||
|
@ -475,6 +481,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tls_disabled': False,
|
||||
'registry_enabled': False,
|
||||
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
|
||||
|
@ -667,6 +674,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'system_pods_initial_delay': '15',
|
||||
'system_pods_timeout': '1',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'username': 'fake_user',
|
||||
'cluster_uuid': self.cluster_dict['uuid'],
|
||||
|
|
|
@ -258,6 +258,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'system_pods_initial_delay')
|
||||
system_pods_timeout = mock_cluster_template.labels.get(
|
||||
'system_pods_timeout')
|
||||
admission_control_list = mock_cluster_template.labels.get(
|
||||
'admission_control_list')
|
||||
|
||||
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
|
||||
|
||||
|
@ -272,6 +274,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'flannel_backend': flannel_backend,
|
||||
'system_pods_initial_delay': system_pods_initial_delay,
|
||||
'system_pods_timeout': system_pods_timeout,
|
||||
'admission_control_list': admission_control_list,
|
||||
'username': 'fake_user',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
|
@ -320,6 +323,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'system_pods_initial_delay')
|
||||
system_pods_timeout = mock_cluster_template.labels.get(
|
||||
'system_pods_timeout')
|
||||
admission_control_list = mock_cluster_template.labels.get(
|
||||
'admission_control_list')
|
||||
|
||||
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
|
||||
|
||||
|
@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'flannel_backend': flannel_backend,
|
||||
'system_pods_initial_delay': system_pods_initial_delay,
|
||||
'system_pods_timeout': system_pods_timeout,
|
||||
'admission_control_list': admission_control_list,
|
||||
'username': 'fake_user',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
|
|