K8S: Allows to specify admission control plugins to enable

If the label is not specified, a set of recommended default plugins is used,
which includes the ServiceAccount plugin.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
(cherry picked from commit 1f3b0500b7)
Bertrand NOEL 2016-12-01 14:23:42 +01:00 committed by Mohammed Naser
parent dad5b6340a
commit 98f4ae9942
12 changed files with 84 additions and 6 deletions


@ -296,6 +296,8 @@ the table are linked to more details elsewhere in the user guide.
+---------------------------------------+--------------------+---------------+
| `mesos_slave_executor_env_variables`_ | (file name) | "" |
+---------------------------------------+--------------------+---------------+
| `admission_control_list`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
=======
@ -889,6 +891,17 @@ Log into the servers
You can log into the master servers using the login 'fedora' and the
keypair specified in the ClusterTemplate.
In addition to the common attributes in the ClusterTemplate, you can specify
the following attributes that are specific to Kubernetes by using the
labels attribute.
_`admission_control_list`
This label corresponds to Kubernetes parameter for the API server '--admission-control'.
For more details, refer to the `Admission Controllers
<https://kubernetes.io/docs/admin/admission-controllers//>`_.
The default value corresponds to the one recommended in this doc
for our current Kubernetes version.
External load balancer for services
-----------------------------------


@ -102,7 +102,8 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
extra_params['kubernetes_port'] = 8080
label_list = ['flannel_network_cidr', 'flannel_backend',
'flannel_network_subnetlen']
'flannel_network_subnetlen', 'admission_control_list']
for label in label_list:
extra_params[label] = cluster_template.labels.get(label)
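Review bot: The label value is forwarded to Heat verbatim on L49 with no validation, so whatever a cluster-template author puts in `admission_control_list` lands on the kube-apiserver command line; an unknown plugin name will most likely keep the API server from starting, while an empty string silently yields a cluster with no `--admission-control` flag, i.e. no admission plugins at all. Consider checking the label here against the plugin names known for the shipped Kubernetes version, or at minimum rejecting anything outside `[A-Za-z0-9,]` so values carrying shell or sed metacharacters never reach the node scripts. Note also that `labels.get(label)` returns `None` when the label is absent; whether that is dropped before the Heat call so the template default applies is not visible from this hunk. The enclosing method starts before the hunk.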


@ -29,12 +29,17 @@ else
KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
fi
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
fi
sed -i '
/^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver
cat << _EOC_ >> /etc/kubernetes/apiserver
#Uncomment the following line to disable Load Balancer feature
@ -43,10 +48,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
_EOC_
# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
fi
sed -i '
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager
cat << _EOC_ >> /etc/kubernetes/controller-manager
#Uncomment the following line to enable Kubernetes Load Balancer feature
#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
_EOC_
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
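Review bot: The `TLS_DISABLED` test on L57 drops the whole admission list when TLS is off, although only the ServiceAccount plugin depends on TLS material (the signing key wired in on L76); NamespaceLifecycle, LimitRanger, ResourceQuota and DefaultStorageClass do not need it, so a non-TLS cluster ends up with no admission control at all. I would gate only the controller-manager flag on TLS: `if [ -n "${ADMISSION_CONTROL_LIST}" ]; then` on L57, and on L75 something like `if [[ ",${ADMISSION_CONTROL_LIST}," == *",ServiceAccount,"* ]] && [ "${TLS_DISABLED}" == "False" ]; then` so the key is only passed when that plugin is actually enabled. Separately, L66 splices the user-supplied list into a `s/…/…/` expression, so a `/`, `&` or `\` in the label breaks or alters the substitution; use `|` as the delimiter as L62 already does, or better, validate the value before it reaches this script.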


@ -20,6 +20,7 @@ write_files:
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
FLANNEL_BACKEND="$FLANNEL_BACKEND"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"


@ -80,6 +80,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
Not used by this driver
default: ""
kube_allow_priv:
type: string
description: >
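Review bot: The description `Not used by this driver` on L108 does not tell an operator what that means in practice: a template author who sets `admission_control_list` expecting ServiceAccount or ResourceQuota admission to be enforced gets a cluster where the label is silently ignored, and the user-guide entry added in this commit does not say that only some drivers honour it. Make the description name the driver and the consequence, e.g. `Ignored by this driver; admission control plugins are not configurable here.`, and consider rejecting a non-empty value in this driver's template definition rather than accepting and discarding it.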


@ -79,6 +79,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
@ -474,6 +480,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
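Review bot: Unlike `flannel_backend` just above (L117-L118), the new `admission_control_list` parameter on L119-L123 carries no constraint, yet its value is interpolated into a sed program and a shell-sourced sysconfig file on the master, so any character outside plugin names (`/`, `"`, `$`, `;`) either breaks the configuration or changes what those scripts do. Heat can enforce the shape at the trust boundary: add `constraints:` / `- allowed_pattern: "^[A-Za-z0-9,]*$"` under the parameter so malformed values are rejected at stack creation instead of being discovered when kube-apiserver fails to start. The default on L123 is also tied to one Kubernetes release; a comment naming the version it was taken from would help the next bump.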


@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
@ -237,6 +242,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}


@ -87,6 +87,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
@ -438,6 +444,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
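Review bot: The default plugin list on L166 duplicates the one in the other cluster template of this commit and, like it, has no constraint, so the two copies can drift apart and a malformed value passes straight through to the master's sed and shell scripts. Add the same `allowed_pattern` constraint (`"^[A-Za-z0-9,]*$"`) here, and put a short comment above the default recording the Kubernetes version it matches so both templates get updated together.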


@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
@ -235,6 +240,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}


@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
"tls_disabled": False,
"network_driver": 'flannel',
"volume_driver": 'cinder',
"fixed_network": '192.168.0.0/24'
"fixed_network": '192.168.0.0/24',
"labels": {
"admission_control_list": "",
}
}
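Review bot: Setting `admission_control_list` to `""` on L209 means the functional cluster is created with no `--admission-control` flag at all (the master script only passes it for a non-empty value), so the default plugin list, and in particular the ServiceAccount admission this bug is about, is never exercised by the functional test. Either leave the label out so the template default applies, or set it to the default string explicitly and assert that pods get a service-account token mounted; if the empty value was chosen to keep the test cluster permissive, a comment such as `# empty list: run without admission plugins so fixtures need no quotas` would stop the next reader from assuming the feature is covered. The enclosing class continues outside the hunk.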


@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'no_proxy': 'no_proxy',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan'},
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list'},
'tls_disabled': False,
'server_type': 'vm',
'registry_enabled': False,
@ -133,7 +134,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'discovery_url': 'discovery_url',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan'},
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list'},
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@ -159,6 +161,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@ -230,6 +233,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'magnum_url': 'http://127.0.0.1:9511/v1',
@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'admission_control_list': 'fake_list',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'magnum_url': 'http://127.0.0.1:9511/v1',
@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@ -578,6 +585,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tenant_name': 'fake_tenant',
'username': 'fake_user',
'cluster_uuid': self.cluster_dict['uuid'],
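Review bot: Every fixture in this file now sets `admission_control_list` to `'fake_list'`, so the label-absent path is untested: `labels.get('admission_control_list')` in the template definition returns `None` in that case, and whether `None` is dropped before the Heat call (letting the template default apply) or sent as the parameter value is not visible from these hunks. Add one case with the label omitted that asserts the expected Heat parameter dict either lacks the key or carries the default, since that is the configuration most users will actually run. The test methods these dicts belong to start outside the hunks.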


@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,
@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,