K8S: Allows to specify admission control plugins to enable
If nothing is specified a set of recommended default plugins is used,
which includes the ServiceAccount one.
Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
(cherry picked from commit 1f3b0500b7
)
parent
dad5b6340a
commit
98f4ae9942
|
@ -296,6 +296,8 @@ the table are linked to more details elsewhere in the user guide.
|
|||
+---------------------------------------+--------------------+---------------+
|
||||
| `mesos_slave_executor_env_variables`_ | (file name) | "" |
|
||||
+---------------------------------------+--------------------+---------------+
|
||||
| `admission_control_list`_ | see below | see below |
|
||||
+---------------------------------------+--------------------+---------------+
|
||||
|
||||
|
||||
=======
|
||||
|
@ -889,6 +891,17 @@ Log into the servers
|
|||
You can log into the master servers using the login 'fedora' and the
|
||||
keypair specified in the ClusterTemplate.
|
||||
|
||||
In addition to the common attributes in the ClusterTemplate, you can specify
|
||||
the following attributes that are specific to Kubernetes by using the
|
||||
labels attribute.
|
||||
|
||||
_`admission_control_list`
|
||||
This label corresponds to Kubernetes parameter for the API server '--admission-control'.
|
||||
For more details, refer to the `Admission Controllers
|
||||
<https://kubernetes.io/docs/admin/admission-controllers//>`_.
|
||||
The default value corresponds to the one recommended in this doc
|
||||
for our current Kubernetes version.
|
||||
|
||||
External load balancer for services
|
||||
-----------------------------------
|
||||
|
||||
|
|
|
@ -102,7 +102,8 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
|
|||
extra_params['kubernetes_port'] = 8080
|
||||
|
||||
label_list = ['flannel_network_cidr', 'flannel_backend',
|
||||
'flannel_network_subnetlen']
|
||||
'flannel_network_subnetlen', 'admission_control_list']
|
||||
|
||||
for label in label_list:
|
||||
extra_params[label] = cluster_template.labels.get(label)
|
||||
|
||||
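Review bot: `admission_control_list` is copied from `cluster_template.labels` into `extra_params` with no validation, and the same user-supplied string is later written into the `ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"` line of the write_files fragment and spliced into the `/^KUBE_ADMISSION_CONTROL=/ s/=.*/.../` sed expression in the master script. A value containing `/`, `&`, a double quote or whitespace would change that sed expression or the resulting apiserver line instead of being rejected. I would reject anything that is not a comma-separated list of plugin names before it leaves this method, for example `if value and not re.match(r'^[A-Za-z]+(,[A-Za-z]+)*$', value): raise ...` with the project's invalid-parameter error, or add an `allowed_pattern` constraint to the `admission_control_list` parameter in the Heat templates, which currently carry no `constraints:` for it. The enclosing method starts and ends outside the hunk, so whether `re` is already imported is not visible here.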
|
|
|
@ -29,12 +29,17 @@ else
|
|||
KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
|
||||
fi
|
||||
|
||||
KUBE_ADMISSION_CONTROL=""
|
||||
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
|
||||
fi
|
||||
|
||||
sed -i '
|
||||
/^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
|
||||
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
|
||||
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
|
||||
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
|
||||
/^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
|
||||
/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
|
||||
' /etc/kubernetes/apiserver
|
||||
cat << _EOC_ >> /etc/kubernetes/apiserver
|
||||
#Uncomment the following line to disable Load Balancer feature
|
||||
|
@ -43,10 +48,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
|
|||
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
|
||||
_EOC_
|
||||
|
||||
# Add controller manager args
|
||||
KUBE_CONTROLLER_MANAGER_ARGS=""
|
||||
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
|
||||
fi
|
||||
sed -i '
|
||||
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
|
||||
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
|
||||
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
|
||||
' /etc/kubernetes/controller-manager
|
||||
cat << _EOC_ >> /etc/kubernetes/controller-manager
|
||||
#Uncomment the following line to enable Kubernetes Load Balancer feature
|
||||
#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
|
||||
_EOC_
|
||||
|
||||
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
|
||||
|
||||
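Review bot: When `TLS_DISABLED` is anything other than `False`, the new `if` leaves `KUBE_ADMISSION_CONTROL` empty and the sed line writes `KUBE_ADMISSION_CONTROL=""`, so a requested plugin list (including the documented default with ServiceAccount, LimitRanger and ResourceQuota) is dropped without any message. The user guide text added in this commit does not say that the label has no effect on TLS-disabled clusters; either document it there or report it here, e.g. `elif [ -n "${ADMISSION_CONTROL_LIST}" ]; then echo "admission_control_list ignored: TLS is disabled" >&2`. Separately, `--service-account-private-key-file` is added whenever the list is non-empty rather than when it contains `ServiceAccount`; a comment stating that coupling would help, such as `# ServiceAccount admission needs the controller manager to sign tokens with the server key`. Both hunks belong to a script whose start and end are outside the visible lines.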
|
|
|
@ -20,6 +20,7 @@ write_files:
|
|||
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
|
||||
FLANNEL_BACKEND="$FLANNEL_BACKEND"
|
||||
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
|
||||
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
|
||||
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
|
||||
USERNAME="$USERNAME"
|
||||
PASSWORD="$PASSWORD"
|
||||
|
|
|
@ -80,6 +80,12 @@ parameters:
|
|||
constraints:
|
||||
- allowed_values: ["udp", "vxlan", "host-gw"]
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
Not used by this driver
|
||||
default: ""
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
|
|
@ -79,6 +79,12 @@ parameters:
|
|||
constraints:
|
||||
- allowed_values: ["udp", "vxlan", "host-gw"]
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -474,6 +480,7 @@ resources:
|
|||
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
|
||||
flannel_backend: {get_param: flannel_backend}
|
||||
portal_network_cidr: {get_param: portal_network_cidr}
|
||||
admission_control_list: {get_param: admission_control_list}
|
||||
discovery_url: {get_param: discovery_url}
|
||||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
|
|
|
@ -63,6 +63,11 @@ parameters:
|
|||
constraints:
|
||||
- allowed_values: ["udp", "vxlan", "host-gw"]
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
|
||||
discovery_url:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -237,6 +242,7 @@ resources:
|
|||
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
|
||||
"$FLANNEL_BACKEND": {get_param: flannel_backend}
|
||||
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
|
||||
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
|
||||
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$USERNAME": {get_param: username}
|
||||
|
|
|
@ -87,6 +87,12 @@ parameters:
|
|||
constraints:
|
||||
- allowed_values: ["udp", "vxlan", "host-gw"]
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -438,6 +444,7 @@ resources:
|
|||
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
|
||||
flannel_backend: {get_param: flannel_backend}
|
||||
portal_network_cidr: {get_param: portal_network_cidr}
|
||||
admission_control_list: {get_param: admission_control_list}
|
||||
discovery_url: {get_param: discovery_url}
|
||||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
|
|
|
@ -63,6 +63,11 @@ parameters:
|
|||
constraints:
|
||||
- allowed_values: ["udp", "vxlan", "host-gw"]
|
||||
|
||||
admission_control_list:
|
||||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
|
||||
discovery_url:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -235,6 +240,7 @@ resources:
|
|||
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
|
||||
"$FLANNEL_BACKEND": {get_param: flannel_backend}
|
||||
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
|
||||
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
|
||||
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$USERNAME": {get_param: username}
|
||||
|
|
|
@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
|
|||
"tls_disabled": False,
|
||||
"network_driver": 'flannel',
|
||||
"volume_driver": 'cinder',
|
||||
"fixed_network": '192.168.0.0/24'
|
||||
"fixed_network": '192.168.0.0/24',
|
||||
"labels": {
|
||||
"admission_control_list": "",
|
||||
}
|
||||
}
|
||||
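Review bot: Setting `"admission_control_list": ""` in this functional test's cluster template means the cluster under test is configured with `KUBE_ADMISSION_CONTROL=""`, so the new default plugin list and the `--service-account-private-key-file` branch added in the master script are never exercised end to end, even though `tls_disabled` is `False` here. If the empty value works around a failure with the default list, a comment saying so would help, e.g. `# admission control disabled: <reason>`; otherwise consider dropping the label so the test covers the default. The enclosing dict and class continue outside the hunk.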
|
|
|
@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'no_proxy': 'no_proxy',
|
||||
'labels': {'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan'},
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list'},
|
||||
'tls_disabled': False,
|
||||
'server_type': 'vm',
|
||||
'registry_enabled': False,
|
||||
|
@ -133,7 +134,8 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'discovery_url': 'discovery_url',
|
||||
'labels': {'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan'},
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list'},
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
|
@ -159,6 +161,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list',
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
|
@ -230,6 +233,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'admission_control_list': 'fake_list',
|
||||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'magnum_url': 'http://127.0.0.1:9511/v1',
|
||||
|
@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'admission_control_list': 'fake_list',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'magnum_url': 'http://127.0.0.1:9511/v1',
|
||||
|
@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tls_disabled': False,
|
||||
'registry_enabled': False,
|
||||
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
|
||||
|
@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tls_disabled': False,
|
||||
'registry_enabled': False,
|
||||
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
|
||||
|
@ -578,6 +585,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'flannel_network_cidr': '10.101.0.0/16',
|
||||
'flannel_network_subnetlen': '26',
|
||||
'flannel_backend': 'vxlan',
|
||||
'admission_control_list': 'fake_list',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'username': 'fake_user',
|
||||
'cluster_uuid': self.cluster_dict['uuid'],
|
||||
|
|
|
@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
flannel_subnet = mock_cluster_template.labels.get(
|
||||
'flannel_network_subnetlen')
|
||||
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
|
||||
admission_control_list = mock_cluster_template.labels.get(
|
||||
'admission_control_list')
|
||||
|
||||
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
|
||||
|
||||
|
@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'flannel_network_cidr': flannel_cidr,
|
||||
'flannel_network_subnetlen': flannel_subnet,
|
||||
'flannel_backend': flannel_backend,
|
||||
'admission_control_list': admission_control_list,
|
||||
'username': 'fake_user',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
|
@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
flannel_subnet = mock_cluster_template.labels.get(
|
||||
'flannel_network_subnetlen')
|
||||
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
|
||||
admission_control_list = mock_cluster_template.labels.get(
|
||||
'admission_control_list')
|
||||
|
||||
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
|
||||
|
||||
|
@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
|
|||
'flannel_network_cidr': flannel_cidr,
|
||||
'flannel_network_subnetlen': flannel_subnet,
|
||||
'flannel_backend': flannel_backend,
|
||||
'admission_control_list': admission_control_list,
|
||||
'username': 'fake_user',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
|
|