From 98f4ae9942ee55c1e7454bb257f21d935c403cb2 Mon Sep 17 00:00:00 2001
From: Bertrand NOEL
Date: Thu, 1 Dec 2016 14:23:42 +0100
Subject: [PATCH] K8S: Allows to specify admission control plugins to enable

If nothing is specified a set of recommended default plugins is used, which includes the ServiceAccount one.
Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489
(cherry picked from commit 1f3b0500b7de384a6d1cacc39affdf716f0b0679)
---
 doc/source/userguide.rst | 13 +++++++++++++
 magnum/drivers/common/k8s_template_def.py | 3 ++-
 .../fragments/configure-kubernetes-master.sh | 18 ++++++++++++++++--
 .../fragments/write-heat-params-master.yaml | 1 +
 .../k8s_coreos_v1/templates/kubecluster.yaml | 6 ++++++
 .../templates/kubecluster.yaml | 7 +++++++
 .../templates/kubemaster.yaml | 6 ++++++
 .../templates/kubecluster.yaml | 7 +++++++
 .../templates/kubemaster.yaml | 6 ++++++
 .../functional/k8s/test_k8s_python_client.py | 5 ++++-
 .../handlers/test_k8s_cluster_conductor.py | 12 ++++++++++--
 .../unit/drivers/test_template_definition.py | 6 ++++++
 12 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst
index 6fb9e19831..fe5f848e4b 100644
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -296,6 +296,8 @@ the table are linked to more details elsewhere in the user guide.
 +---------------------------------------+--------------------+---------------+
 | `mesos_slave_executor_env_variables`_ | (file name) | "" |
 +---------------------------------------+--------------------+---------------+
+| `admission_control_list`_ | see below | see below |
++---------------------------------------+--------------------+---------------+
 ======= 
@@ -889,6 +891,17 @@ Log into the servers
 You can log into the master servers using the login 'fedora' and the keypair specified in the ClusterTemplate.
 
+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+ This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+ For more details, refer to the `Admission Controllers
+ `_.
+ The default value corresponds to the one recommended in this doc
+ for our current Kubernetes version.
+
 External load balancer for services
 -----------------------------------
diff --git a/magnum/drivers/common/k8s_template_def.py b/magnum/drivers/common/k8s_template_def.py
index dba44175f3..dda7a58cc8 100644
--- a/magnum/drivers/common/k8s_template_def.py
+++ b/magnum/drivers/common/k8s_template_def.py
@@ -102,7 +102,8 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
 extra_params['kubernetes_port'] = 8080
 label_list = ['flannel_network_cidr', 'flannel_backend',
- 'flannel_network_subnetlen']
+ 'flannel_network_subnetlen', 'admission_control_list']
+
 for label in label_list:
 extra_params[label] = cluster_template.labels.get(label)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index 0d6308b585..9a183fffe4 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
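Review bot: `cluster_template.labels.get(label)` returns `None` when `admission_control_list` is absent, and the new list entry forwards that `None` in `extra_params` just as the flannel labels do; whether Heat then applies the template's recommended default (the behaviour the commit message promises) or receives a null parameter depends on how `get_params` and Heat treat `None`, which is outside this hunk, and the new assertions in test_template_definition.py only cover the label-present case, so an absent-label test would pin it. The value is also forwarded unvalidated even though the master fragment in this same patch interpolates it into a `sed` expression and into the API server's `--admission-control` flag; a check at this layer such as `if value is not None and not re.fullmatch(r'[A-Za-z0-9,]*', value):` followed by the validation exception this module already raises for bad labels (with `re` imported at file top) would keep both the Heat parameter and the generated config well-formed. The method this loop belongs to starts before the hunk.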
@@ -29,12 +29,17 @@ else
 KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
 fi
 
+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
 sed -i '
 /^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
 /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
 /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
 /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
- /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+ /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
 ' /etc/kubernetes/apiserver
 cat << _EOC_ >> /etc/kubernetes/apiserver
 #Uncomment the following line to disable Load Balancer feature 
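Review bot: `${KUBE_ADMISSION_CONTROL}` is spliced verbatim into the `s/=.*/="'"…"'"/` command on the replaced `KUBE_ADMISSION_CONTROL` line, so a label value containing `/`, `&`, `\` or a double quote either aborts the sed script or lands as unintended text in `/etc/kubernetes/apiserver`; the value originates from the ClusterTemplate label rather than from the host, so it should be checked before use, e.g. `case "${ADMISSION_CONTROL_LIST}" in *[!A-Za-z0-9,]*) echo 'invalid ADMISSION_CONTROL_LIST' >&2; exit 1;; esac` placed before the new `if`. The condition also silently drops admission control whenever `TLS_DISABLED` is not exactly `False`, which the user guide hunk does not mention; a one-line comment stating the reason (presumably that the ServiceAccount plugin needs the TLS key for token signing) would help the next reader. `[ … == … ]` is a bash-ism; if this fragment runs under `/bin/sh` (the shebang is outside the hunk) use `=` instead.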
@@ -43,10 +48,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
 #KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
 _EOC_
 
+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
 sed -i '
 /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
- /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+ /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
 ' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_
 
 KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index dc2d2fac23..0d8a5f0612 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -20,6 +20,7 @@ write_files:
 FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
 FLANNEL_BACKEND="$FLANNEL_BACKEND"
 PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+ ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
 ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
 USERNAME="$USERNAME"
 PASSWORD="$PASSWORD" 
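Review bot: The `if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]` test is a copy of the one in the API server block above; if the two ever diverge the API server will enforce the ServiceAccount plugin while the controller manager has no `--service-account-private-key-file`, and pod creation would likely fail once no token secrets get provisioned. Evaluate it once, e.g. `ENABLE_ADMISSION=0` set to `1` in a single `if`, and have both blocks test `[ "${ENABLE_ADMISSION}" = "1" ]`. Worth a comment on the new assignment: `/srv/kubernetes/server.key` is the API server's TLS serving key being reused as the service-account token signing key, which matches kube-apiserver's default for `--service-account-key-file` when that flag is unset, but it also means a compromise of the serving key exposes every service-account token, so an operator who later wants separate keys needs to change both sides. The enclosing script continues outside the hunk.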
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
index 9a31b22a31..97ed23f8e4 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -80,6 +80,12 @@ parameters:
 constraints:
 - allowed_values: ["udp", "vxlan", "host-gw"]
 
+ admission_control_list:
+ type: string
+ description: >
+ Not used by this driver
+ default: ""
+
 kube_allow_priv:
 type: string
 description: >
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index a7a6dd8967..6aa3b84569 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -79,6 +79,12 @@ parameters:
 constraints:
 - allowed_values: ["udp", "vxlan", "host-gw"]
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
 kube_allow_priv:
 type: string
 description: >
@@ -474,6 +480,7 @@ resources:
 flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
 flannel_backend: {get_param: flannel_backend}
 portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
 discovery_url: {get_param: discovery_url}
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index 66d779a0f6..ebf44acb5c 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
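Review bot: `admission_control_list` is declared as an unconstrained `string` in the fedora_atomic kubecluster.yaml hunk, although the parameter just above shows the idiom and the value ends up in a kube-apiserver flag and is edited into a config file with `sed` on the master; adding `constraints:` / `- allowed_pattern: "[A-Za-z0-9,]*"` under the new parameter rejects malformed values at stack validation, before any node boots. The same applies to the ironic kubecluster.yaml hunk and to both kubemaster.yaml hunks that re-declare the parameter. For the CoreOS template the description "Not used by this driver" is accurate, but the user guide hunk documents the label without that caveat; extending the description to something like `Accepted for template compatibility only; the CoreOS driver ignores it` would stop operators assuming ServiceAccount admission is active there. Note also that Heat's `default` applies only when the parameter is omitted entirely, so an explicit empty string coming from the label appears to disable admission control rather than select the recommended set.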
@@ -63,6 +63,11 @@ parameters:
 constraints:
 - allowed_values: ["udp", "vxlan", "host-gw"]
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
 discovery_url:
 type: string
 description: >
@@ -237,6 +242,7 @@ resources:
 "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
 "$FLANNEL_BACKEND": {get_param: flannel_backend}
 "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
 "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
 "$AUTH_URL": {get_param: auth_url}
 "$USERNAME": {get_param: username}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
index d3eb814453..72e10b3482 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -87,6 +87,12 @@ parameters:
 constraints:
 - allowed_values: ["udp", "vxlan", "host-gw"]
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
 kube_allow_priv:
 type: string
 description: >
@@ -438,6 +444,7 @@ resources:
 flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
 flannel_backend: {get_param: flannel_backend}
 portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
 discovery_url: {get_param: discovery_url}
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
index 27f4fe2e55..468084d78a 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
 constraints:
 - allowed_values: ["udp", "vxlan", "host-gw"]
 
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
 discovery_url:
 type: string
 description: >
@@ -235,6 +240,7 @@ resources:
 "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
 "$FLANNEL_BACKEND": {get_param: flannel_backend}
 "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
 "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
 "$AUTH_URL": {get_param: auth_url}
 "$USERNAME": {get_param: username}
diff --git a/magnum/tests/functional/k8s/test_k8s_python_client.py b/magnum/tests/functional/k8s/test_k8s_python_client.py
index f6586527db..2172c8de75 100644
--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
 "tls_disabled": False,
 "network_driver": 'flannel',
 "volume_driver": 'cinder',
- "fixed_network": '192.168.0.0/24'
+ "fixed_network": '192.168.0.0/24',
+ "labels": {
+ "admission_control_list": "",
+ }
 }
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index cd9c9d239a..985ebf963f 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'no_proxy': 'no_proxy',
 'labels': {'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
- 'flannel_backend': 'vxlan'},
+ 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list'},
 'tls_disabled': False,
 'server_type': 'vm',
 'registry_enabled': False, 
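Review bot: The functional cluster template now sets `"admission_control_list": ""`, which, going by the master fragment in this same patch, leaves the `--admission-control` flag and the controller-manager signing key unset, so the functional suite never exercises the recommended default with ServiceAccount that the commit message advertises. If that is deliberate (for instance because the functional environment cannot complete the ServiceAccount token flow), a comment on the new line would keep the next reader from "fixing" it, e.g. `# "" turns admission control off for this cluster; see configure-kubernetes-master.sh`. Otherwise drop the label so the Heat default is exercised. `TestKubernetesAPIs` continues outside the hunk.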
@@ -133,7 +134,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'discovery_url': 'discovery_url',
 'labels': {'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
- 'flannel_backend': 'vxlan'},
+ 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list'},
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'no_proxy': 'no_proxy',
@@ -159,6 +161,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'no_proxy': 'no_proxy',
@@ -230,6 +233,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
+ 'admission_control_list': 'fake_list',
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_backend': 'vxlan',
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
+ 'admission_control_list': 'fake_list',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
 'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
 'tls_disabled': False,
 'registry_enabled': False,
 'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
 'tls_disabled': False,
 'registry_enabled': False,
 'trustee_domain_id': self.mock_keystone.trustee_domain_id, 
@@ -578,6 +585,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'flannel_network_cidr': '10.101.0.0/16',
 'flannel_network_subnetlen': '26',
 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
 'tenant_name': 'fake_tenant',
 'username': 'fake_user',
 'cluster_uuid': self.cluster_dict['uuid'],
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index f3320ef6ab..7f0c21b362 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 flannel_subnet = mock_cluster_template.labels.get(
 'flannel_network_subnetlen')
 flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
 
 k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'flannel_network_cidr': flannel_cidr,
 'flannel_network_subnetlen': flannel_subnet,
 'flannel_backend': flannel_backend,
+ 'admission_control_list': admission_control_list,
 'username': 'fake_user',
 'tenant_name': 'fake_tenant',
 'magnum_url': mock_osc.magnum_url.return_value,
@@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 flannel_subnet = mock_cluster_template.labels.get(
 'flannel_network_subnetlen')
 flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
 
 k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition() 
@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
 'flannel_network_cidr': flannel_cidr,
 'flannel_network_subnetlen': flannel_subnet,
 'flannel_backend': flannel_backend,
+ 'admission_control_list': admission_control_list,
 'username': 'fake_user',
 'tenant_name': 'fake_tenant',
 'magnum_url': mock_osc.magnum_url.return_value,