Commit 0eb96907 authored by Bertrand NOEL's avatar Bertrand NOEL Committed by Ricardo Rocha

[cern] K8S: Allows to specify admission control plugins to enable

Cherry-pick: https://review.openstack.org/#/c/405374/

If nothing is specified, a set of recommended default plugins is used,
which includes the ServiceAccount one.

Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
Closes-Bug: #1646489

Conflicts:
	doc/source/userguide.rst
	magnum/drivers/common/k8s_template_def.py
	magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
	magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
	magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
	magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
	magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
	magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
	magnum/tests/functional/k8s/test_k8s_python_client.py
	magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
	magnum/tests/unit/drivers/test_template_definition.py
parent 5c68dc14
......@@ -298,6 +298,8 @@ the table are linked to more details elsewhere in the user guide.
+---------------------------------------+--------------------+---------------+
| `mesos_slave_executor_env_variables`_ | (file name) | "" |
+---------------------------------------+--------------------+---------------+
| `admission_control_list`_ | see below | see below |
+---------------------------------------+--------------------+---------------+
=======
......@@ -900,6 +902,17 @@ Log into the servers
You can log into the master servers using the login 'fedora' and the
keypair specified in the ClusterTemplate.
In addition to the common attributes in the ClusterTemplate, you can specify
the following attributes that are specific to Kubernetes by using the
labels attribute.
_`admission_control_list`
This label corresponds to Kubernetes parameter for the API server '--admission-control'.
For more details, refer to the `Admission Controllers
<https://kubernetes.io/docs/admin/admission-controllers//>`_.
The default value corresponds to the one recommended in this doc
for our current Kubernetes version.
External load balancer for services
-----------------------------------
......
......@@ -102,7 +102,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
extra_params['kubernetes_port'] = 8080
label_list = ['flannel_network_cidr', 'flannel_backend',
'flannel_network_subnetlen']
'flannel_network_subnetlen',
'admission_control_list']
for label in label_list:
extra_params[label] = cluster_template.labels.get(label)
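Review bot: When the `admission_control_list` label is not set, `cluster_template.labels.get(label)` yields `None` and that `None` is stored in `extra_params` like any other value, so the Heat-side default for the parameter (the recommended plugin set the commit message promises) only takes effect if `None` entries are dropped before the stack is created; I cannot see that filtering from this hunk, and if it does not exist the master receives an empty list and the apiserver falls back to its built-in admission default. A guard in the loop avoids the question: `value = cluster_template.labels.get(label)` / `if value is not None:` / `    extra_params[label] = value`, noting that this also changes what is sent for the flannel labels when they are unset. The enclosing get_params method starts and ends outside the hunk.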
......
......@@ -25,12 +25,17 @@ else
KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
fi
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
fi
sed -i '
/^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
/^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
/^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
/^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
/^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver
cat << _EOC_ >> /etc/kubernetes/apiserver
#Uncomment the following line to disable Load Balancer feature
......@@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
_EOC_
# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
fi
sed -i '
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
/^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
/^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager
cat << _EOC_ >> /etc/kubernetes/controller-manager
#Uncomment the following line to enable Kubernetes Load Balancer feature
#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
_EOC_
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
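Review bot: `ADMISSION_CONTROL_LIST` is spliced into the sed program on the line `/^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/` without any validation, so a label value containing `/`, `"`, `\` or a newline ends the `s` command or the quoted value early and leaves `/etc/kubernetes/apiserver` malformed. Plugin names are plain identifiers separated by commas, so rejecting anything else before the sed runs is cheap: `case "${ADMISSION_CONTROL_LIST}" in *[!A-Za-z0-9,]*) echo "invalid ADMISSION_CONTROL_LIST" >&2; exit 1;; esac`. Separately, the `[ "${TLS_DISABLED}" == "False" ]` guard silently discards a user-supplied list on a TLS-disabled cluster and the apiserver falls back to its built-in admission default; a comment such as `# Admission control and the service-account key below are only configured when TLS is enabled` (or a logged warning) would make that visible. The same guard appears in the controller-manager hunk of this file, which sets `--service-account-private-key-file` under the same condition.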
......
......@@ -20,6 +20,7 @@ write_files:
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
FLANNEL_BACKEND="$FLANNEL_BACKEND"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
......
......@@ -80,6 +80,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
Not used by this driver
default: ""
kube_allow_priv:
type: string
description: >
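Review bot: The parameter is accepted with the description `Not used by this driver` and an empty default, so a user who sets the `admission_control_list` label on a CoreOS cluster gets neither an error nor any admission control beyond the apiserver's built-in default, while the userguide hunk presents the label as a generic Kubernetes setting. Either reject the label for this driver or say so explicitly in both places, e.g. a description of `Accepted for label compatibility only; the CoreOS driver does not configure admission control` and a matching sentence under `admission_control_list` in the userguide.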
......
......@@ -79,6 +79,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
......@@ -305,6 +311,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
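Review bot: `admission_control_list` is declared as a free-form string with no `constraints`, although its value ends up in the master's apiserver sysconfig via a sed substitution; Heat's `allowed_pattern` constraint can reject anything other than comma-separated plugin names at stack validation time, before it reaches the shell: `constraints:` / `- allowed_pattern: "^[A-Za-z0-9,]*$"` (the `*` keeps the empty string accepted). The same applies to the identical parameter in the k8s_fedora_ironic_v1 kubecluster.yaml hunk and to the two kubemaster.yaml templates that receive it.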
......
......@@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
......@@ -223,6 +228,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}
......
......@@ -87,6 +87,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
......@@ -438,6 +444,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
......
......@@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
......@@ -235,6 +240,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}
......
......@@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
"tls_disabled": False,
"network_driver": 'flannel',
"volume_driver": 'cinder',
"fixed_network": '192.168.0.0/24'
"fixed_network": '192.168.0.0/24',
"labels": {
"admission_control_list": "",
}
}
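Review bot: The functional cluster is created with `"admission_control_list": ""`, and an empty string fails the `-n` test in configure-kubernetes-master.sh, so this test exercises an apiserver running with its built-in admission default rather than the recommended plugin set the commit introduces. If the intent is to cover the default behaviour, pass the default list explicitly, or leave the label unset if an unset label is confirmed to let the template default apply; if the intent is to keep admission control out of the functional run, a one-line comment saying so would prevent the value from being "fixed" later. The enclosing dict starts outside the hunk.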
......@@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'no_proxy': 'no_proxy',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan'},
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list'},
'tls_disabled': False,
'server_type': 'vm',
'registry_enabled': False,
......@@ -134,7 +135,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'discovery_url': 'discovery_url',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan'},
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list'},
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
......@@ -160,6 +162,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
......@@ -227,6 +230,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'magnum_url': 'http://127.0.0.1:9511/v1',
......@@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'admission_control_list': 'fake_list',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'magnum_url': 'http://127.0.0.1:9511/v1',
......@@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
......@@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
......@@ -579,6 +586,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
'admission_control_list': 'fake_list',
'tenant_name': 'fake_tenant',
'username': 'fake_user',
'cluster_uuid': self.cluster_dict['uuid'],
......
......@@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
......@@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,
......@@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
admission_control_list = mock_cluster_template.labels.get(
'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
......@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,
......