diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst
index 9dd0cab504a722c995f3de9e3470a550e619f9e8..a0de51f0ba454816a50a41da2fd16756cfb6f5c2 100644
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -298,6 +298,8 @@ the table are linked to more details elsewhere in the user guide.
+---------------------------------------+--------------------+---------------+
| `mesos_slave_executor_env_variables`_ | (file name) | "" |
+---------------------------------------+--------------------+---------------+
+| `admission_control_list`_ | see below | see below |
++---------------------------------------+--------------------+---------------+
=======
@@ -900,6 +902,17 @@ Log into the servers
You can log into the master servers using the login 'fedora' and the
keypair specified in the ClusterTemplate.
+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+ This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+ For more details, refer to the `Admission Controllers
+ <https://kubernetes.io/docs/admin/admission-controllers//>`_.
+ The default value corresponds to the one recommended in this doc
+ for our current Kubernetes version.
+
External load balancer for services
-----------------------------------
diff --git a/magnum/drivers/common/k8s_template_def.py b/magnum/drivers/common/k8s_template_def.py
index dba44175f301b03c2652267b406340e006ced4bc..6d88d953ab7f11a5eb3c5e10a0c6ec65f82c6ffe 100644
--- a/magnum/drivers/common/k8s_template_def.py
+++ b/magnum/drivers/common/k8s_template_def.py
@@ -102,7 +102,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
extra_params['kubernetes_port'] = 8080
label_list = ['flannel_network_cidr', 'flannel_backend',
- 'flannel_network_subnetlen']
+ 'flannel_network_subnetlen',
+ 'admission_control_list']
+
for label in label_list:
extra_params[label] = cluster_template.labels.get(label)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index d481ff492888b55b60e678b0055a6f54b4bf65cf..df1d8a6c156a9b94a18ca76965daf2ae5169fdd1 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -25,12 +25,17 @@ else
KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
fi
+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
sed -i '
- /^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
- /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
- /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
- /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
- /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+ /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
+ /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
+ /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
+ /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
+ /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver
cat << _EOC_ >> /etc/kubernetes/apiserver
#Uncomment the following line to disable Load Balancer feature
@@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
#KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
_EOC_
+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+ KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
sed -i '
- /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
- /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+ /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
+ /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_
KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index 4651ab3db38efa1c085c47960badfec7a98ea185..d4a036f680c9a8e1f9f6c0aebcc7f0e1cfd1b6dd 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -20,6 +20,7 @@ write_files:
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
FLANNEL_BACKEND="$FLANNEL_BACKEND"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+ ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
index 8d81f81abc4ae4ce22de16f8fa5fd8afd463ed26..0130ff0226ec384b4af86287abe9da602b6ef69a 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -80,6 +80,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
+ admission_control_list:
+ type: string
+ description: >
+ Not used by this driver
+ default: ""
+
kube_allow_priv:
type: string
description: >
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index add4a8c8ae7b3db8e012359cbb657f93878af3d3..c37be1c1552a693640118844f404a7a15ae24e96 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -79,6 +79,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
kube_allow_priv:
type: string
description: >
@@ -305,6 +311,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index c6ea154dcda4e37b8947c2b05a4e78afd9dae5ae..c2847fd1267cccef40cb32c631bebf5b1c382aab 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
discovery_url:
type: string
description: >
@@ -223,6 +228,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
index e95cf100deb591b21ca2415270454f2b0efe60f3..616022404ab07da352375c0028318b934f90a992 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -87,6 +87,12 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+ default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
kube_allow_priv:
type: string
description: >
@@ -438,6 +444,7 @@ resources:
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
portal_network_cidr: {get_param: portal_network_cidr}
+ admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
index 1b1f1d1f8193d319eb5c17495675a9f7106bf2cd..4ccdd1c7298b0281b9f15fc6233a73bbedc5464e 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
+ admission_control_list:
+ type: string
+ description: >
+ List of admission control plugins to activate
+
discovery_url:
type: string
description: >
@@ -235,6 +240,7 @@ resources:
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+ "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$AUTH_URL": {get_param: auth_url}
"$USERNAME": {get_param: username}
diff --git a/magnum/tests/functional/k8s/test_k8s_python_client.py b/magnum/tests/functional/k8s/test_k8s_python_client.py
index f6586527dbb0626753c24f8a4d4a98c810d37914..2172c8de75d95b92c1932f9c585a9f439d3a8e96 100644
--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
"tls_disabled": False,
"network_driver": 'flannel',
"volume_driver": 'cinder',
- "fixed_network": '192.168.0.0/24'
+ "fixed_network": '192.168.0.0/24',
+ "labels": {
+ "admission_control_list": "",
+ }
}
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 570a55952e7cc8808a1e3ac622ca03b13805f09c..d80287562beef36a2b31a2f666b8154fa2b6ed85 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'no_proxy': 'no_proxy',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
- 'flannel_backend': 'vxlan'},
+ 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list'},
'tls_disabled': False,
'server_type': 'vm',
'registry_enabled': False,
@@ -134,7 +135,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'discovery_url': 'discovery_url',
'labels': {'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
- 'flannel_backend': 'vxlan'},
+ 'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list'},
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@@ -160,6 +162,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'no_proxy': 'no_proxy',
@@ -227,6 +230,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
+ 'admission_control_list': 'fake_list',
'http_proxy': 'http_proxy',
'https_proxy': 'https_proxy',
'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_backend': 'vxlan',
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
+ 'admission_control_list': 'fake_list',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
'tls_disabled': False,
'registry_enabled': False,
'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -579,6 +586,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'flannel_network_cidr': '10.101.0.0/16',
'flannel_network_subnetlen': '26',
'flannel_backend': 'vxlan',
+ 'admission_control_list': 'fake_list',
'tenant_name': 'fake_tenant',
'username': 'fake_user',
'cluster_uuid': self.cluster_dict['uuid'],
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index f3320ef6ab2fe1b6f73832875167c98ac09c3622..7f0c21b3626f2f40b79ff6b1357dd77b149ab30d 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
+ 'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,
@@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
flannel_subnet = mock_cluster_template.labels.get(
'flannel_network_subnetlen')
flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+ admission_control_list = mock_cluster_template.labels.get(
+ 'admission_control_list')
k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
'flannel_network_cidr': flannel_cidr,
'flannel_network_subnetlen': flannel_subnet,
'flannel_backend': flannel_backend,
+ 'admission_control_list': admission_control_list,
'username': 'fake_user',
'tenant_name': 'fake_tenant',
'magnum_url': mock_osc.magnum_url.return_value,