diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst index 9dd0cab504a722c995f3de9e3470a550e619f9e8..a0de51f0ba454816a50a41da2fd16756cfb6f5c2 100644 --- a/doc/source/userguide.rst +++ b/doc/source/userguide.rst @@ -298,6 +298,8 @@ the table are linked to more details elsewhere in the user guide. +---------------------------------------+--------------------+---------------+ | `mesos_slave_executor_env_variables`_ | (file name) | "" | +---------------------------------------+--------------------+---------------+ +| `admission_control_list`_ | see below | see below | ++---------------------------------------+--------------------+---------------+ ======= @@ -900,6 +902,17 @@ Log into the servers You can log into the master servers using the login 'fedora' and the keypair specified in the ClusterTemplate. +In addition to the common attributes in the ClusterTemplate, you can specify +the following attributes that are specific to Kubernetes by using the +labels attribute. + +_`admission_control_list` + This label corresponds to Kubernetes parameter for the API server '--admission-control'. + For more details, refer to the `Admission Controllers + `_. + The default value corresponds to the one recommended in this doc + for our current Kubernetes version. + External load balancer for services ----------------------------------- diff --git a/magnum/drivers/common/k8s_template_def.py b/magnum/drivers/common/k8s_template_def.py index dba44175f301b03c2652267b406340e006ced4bc..6d88d953ab7f11a5eb3c5e10a0c6ec65f82c6ffe 100644 --- a/magnum/drivers/common/k8s_template_def.py +++ b/magnum/drivers/common/k8s_template_def.py @@ -102,7 +102,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition): extra_params['kubernetes_port'] = 8080 label_list = ['flannel_network_cidr', 'flannel_backend', - 'flannel_network_subnetlen'] + 'flannel_network_subnetlen', + 'admission_control_list'] + for label in label_list: extra_params[label] = cluster_template.labels.get(label) diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh index d481ff492888b55b60e678b0055a6f54b4bf65cf..df1d8a6c156a9b94a18ca76965daf2ae5169fdd1 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh @@ -25,12 +25,17 @@ else KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt" fi +KUBE_ADMISSION_CONTROL="" +if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then + KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}" +fi + sed -i ' - /^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/ - /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"| - /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.// - /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/ - /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/ + /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/ + /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"| + /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.// + /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/ + /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/ ' /etc/kubernetes/apiserver cat << _EOC_ >> /etc/kubernetes/apiserver #Uncomment the following line to disable Load Balancer feature @@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS" #KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack" _EOC_ +# Add controller manager args +KUBE_CONTROLLER_MANAGER_ARGS="" +if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then + KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key" +fi sed -i ' - /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/ - /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/ + /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/ + /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"# ' /etc/kubernetes/controller-manager +cat << _EOC_ >> /etc/kubernetes/controller-manager +#Uncomment the following line to enable Kubernetes Load Balancer feature +#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack" +_EOC_ KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml index 4651ab3db38efa1c085c47960badfec7a98ea185..d4a036f680c9a8e1f9f6c0aebcc7f0e1cfd1b6dd 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml @@ -20,6 +20,7 @@ write_files: FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN" FLANNEL_BACKEND="$FLANNEL_BACKEND" PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR" + ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST" ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL" USERNAME="$USERNAME" PASSWORD="$PASSWORD" diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml index 8d81f81abc4ae4ce22de16f8fa5fd8afd463ed26..0130ff0226ec384b4af86287abe9da602b6ef69a 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml @@ -80,6 +80,12 @@ parameters: constraints: - allowed_values: ["udp", "vxlan", "host-gw"] + admission_control_list: + type: string + description: > + Not used by this driver + default: "" + kube_allow_priv: type: string description: > diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index add4a8c8ae7b3db8e012359cbb657f93878af3d3..c37be1c1552a693640118844f404a7a15ae24e96 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -79,6 +79,12 @@ parameters: constraints: - allowed_values: ["udp", "vxlan", "host-gw"] + admission_control_list: + type: string + description: > + List of admission control plugins to activate + default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota" + kube_allow_priv: type: string description: > @@ -305,6 +311,7 @@ resources: flannel_network_subnetlen: {get_param: flannel_network_subnetlen} flannel_backend: {get_param: flannel_backend} portal_network_cidr: {get_param: portal_network_cidr} + admission_control_list: {get_param: admission_control_list} discovery_url: {get_param: discovery_url} cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index c6ea154dcda4e37b8947c2b05a4e78afd9dae5ae..c2847fd1267cccef40cb32c631bebf5b1c382aab 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml @@ -63,6 +63,11 @@ parameters: constraints: - allowed_values: ["udp", "vxlan", "host-gw"] + admission_control_list: + type: string + description: > + List of admission control plugins to activate + discovery_url: type: string description: > @@ -223,6 +228,7 @@ resources: "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} "$FLANNEL_BACKEND": {get_param: flannel_backend} "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr} + "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list} "$ETCD_DISCOVERY_URL": {get_param: discovery_url} "$AUTH_URL": {get_param: auth_url} "$USERNAME": {get_param: username} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml index e95cf100deb591b21ca2415270454f2b0efe60f3..616022404ab07da352375c0028318b934f90a992 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml @@ -87,6 +87,12 @@ parameters: constraints: - allowed_values: ["udp", "vxlan", "host-gw"] + admission_control_list: + type: string + description: > + List of admission control plugins to activate + default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota" + kube_allow_priv: type: string description: > @@ -438,6 +444,7 @@ resources: flannel_network_subnetlen: {get_param: flannel_network_subnetlen} flannel_backend: {get_param: flannel_backend} portal_network_cidr: {get_param: portal_network_cidr} + admission_control_list: {get_param: admission_control_list} discovery_url: {get_param: discovery_url} cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml index 1b1f1d1f8193d319eb5c17495675a9f7106bf2cd..4ccdd1c7298b0281b9f15fc6233a73bbedc5464e 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml @@ -63,6 +63,11 @@ parameters: constraints: - allowed_values: ["udp", "vxlan", "host-gw"] + admission_control_list: + type: string + description: > + List of admission control plugins to activate + discovery_url: type: string description: > @@ -235,6 +240,7 @@ resources: "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} "$FLANNEL_BACKEND": {get_param: flannel_backend} "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr} + "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list} "$ETCD_DISCOVERY_URL": {get_param: discovery_url} "$AUTH_URL": {get_param: auth_url} "$USERNAME": {get_param: username} diff --git a/magnum/tests/functional/k8s/test_k8s_python_client.py b/magnum/tests/functional/k8s/test_k8s_python_client.py index f6586527dbb0626753c24f8a4d4a98c810d37914..2172c8de75d95b92c1932f9c585a9f439d3a8e96 100644 --- a/magnum/tests/functional/k8s/test_k8s_python_client.py +++ b/magnum/tests/functional/k8s/test_k8s_python_client.py @@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest): "tls_disabled": False, "network_driver": 'flannel', "volume_driver": 'cinder', - "fixed_network": '192.168.0.0/24' + "fixed_network": '192.168.0.0/24', + "labels": { + "admission_control_list": "", + } } diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py index 570a55952e7cc8808a1e3ac622ca03b13805f09c..d80287562beef36a2b31a2f666b8154fa2b6ed85 100644 --- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py +++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py @@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase): 'no_proxy': 'no_proxy', 'labels': {'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', - 'flannel_backend': 'vxlan'}, + 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list'}, 'tls_disabled': False, 'server_type': 'vm', 'registry_enabled': False, @@ -134,7 +135,8 @@ class TestClusterConductorWithK8s(base.TestCase): 'discovery_url': 'discovery_url', 'labels': {'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', - 'flannel_backend': 'vxlan'}, + 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list'}, 'http_proxy': 'http_proxy', 'https_proxy': 'https_proxy', 'no_proxy': 'no_proxy', @@ -160,6 +162,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list', 'http_proxy': 'http_proxy', 'https_proxy': 'https_proxy', 'no_proxy': 'no_proxy', @@ -227,6 +230,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_backend': 'vxlan', 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', + 'admission_control_list': 'fake_list', 'http_proxy': 'http_proxy', 'https_proxy': 'https_proxy', 'magnum_url': 'http://127.0.0.1:9511/v1', @@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_backend': 'vxlan', 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', + 'admission_control_list': 'fake_list', 'insecure_registry_url': '10.0.0.1:5000', 'kube_version': 'fake-version', 'magnum_url': 'http://127.0.0.1:9511/v1', @@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list', 'tls_disabled': False, 'registry_enabled': False, 'trustee_domain_id': self.mock_keystone.trustee_domain_id, @@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list', 'tls_disabled': False, 'registry_enabled': False, 'trustee_domain_id': self.mock_keystone.trustee_domain_id, @@ -579,6 +586,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'flannel_network_cidr': '10.101.0.0/16', 'flannel_network_subnetlen': '26', 'flannel_backend': 'vxlan', + 'admission_control_list': 'fake_list', 'tenant_name': 'fake_tenant', 'username': 'fake_user', 'cluster_uuid': self.cluster_dict['uuid'], diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py index f3320ef6ab2fe1b6f73832875167c98ac09c3622..7f0c21b3626f2f40b79ff6b1357dd77b149ab30d 100644 --- a/magnum/tests/unit/drivers/test_template_definition.py +++ b/magnum/tests/unit/drivers/test_template_definition.py @@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase): flannel_subnet = mock_cluster_template.labels.get( 'flannel_network_subnetlen') flannel_backend = mock_cluster_template.labels.get('flannel_backend') + admission_control_list = mock_cluster_template.labels.get( + 'admission_control_list') k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition() @@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase): 'flannel_network_cidr': flannel_cidr, 'flannel_network_subnetlen': flannel_subnet, 'flannel_backend': flannel_backend, + 'admission_control_list': admission_control_list, 'username': 'fake_user', 'tenant_name': 'fake_tenant', 'magnum_url': mock_osc.magnum_url.return_value, @@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase): flannel_subnet = mock_cluster_template.labels.get( 'flannel_network_subnetlen') flannel_backend = mock_cluster_template.labels.get('flannel_backend') + admission_control_list = mock_cluster_template.labels.get( + 'admission_control_list') k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition() @@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase): 'flannel_network_cidr': flannel_cidr, 'flannel_network_subnetlen': flannel_subnet, 'flannel_backend': flannel_backend, + 'admission_control_list': admission_control_list, 'username': 'fake_user', 'tenant_name': 'fake_tenant', 'magnum_url': mock_osc.magnum_url.return_value,