From 82d35fb461b2effb0f533bfd808ffccc35b2562a Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Thu, 18 Aug 2016 18:55:35 +0200 Subject: [PATCH 1/2] Add admission controller for default storage class. The admission controller adds a default class to PVCs that do not require any specific class. This way, users (=PVC authors) do not need to care about storage classes, administrator can configure a default one and all these PVCs that do not care about class will get the default one. --- cluster/aws/config-default.sh | 2 +- cluster/aws/config-test.sh | 2 +- cluster/azure-legacy/config-default.sh | 2 +- cluster/centos/config-default.sh | 2 +- cluster/centos/master/scripts/apiserver.sh | 2 +- cluster/gce/config-default.sh | 2 +- cluster/gce/config-test.sh | 2 +- .../hyperkube/static-pods/master-multi.json | 2 +- .../images/hyperkube/static-pods/master.json | 2 +- .../layers/kubernetes/templates/master.json | 2 +- cluster/libvirt-coreos/util.sh | 2 +- cluster/mesos/docker/docker-compose.yml | 2 +- .../fragments/configure-salt.yaml | 2 +- .../templates/create-dynamic-salt-files.sh | 2 +- cluster/ubuntu/config-default.sh | 2 +- cluster/vagrant/config-default.sh | 2 +- .../templates/create-dynamic-salt-files.sh | 2 +- cmd/kube-apiserver/app/plugins.go | 1 + hack/local-up-cluster.sh | 4 +- .../default/admission.go | 171 +++++++++++++ .../default/admission_test.go | 232 ++++++++++++++++++ 21 files changed, 423 insertions(+), 19 deletions(-) create mode 100644 plugin/pkg/admission/persistentvolumeclaim/default/admission.go create mode 100644 plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh index 5734cda55b..2b138173bb 100644 --- a/cluster/aws/config-default.sh +++ b/cluster/aws/config-default.sh 
@@ -135,7 +135,7 @@ fi # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota # Optional: Enable/disable public IP assignment for minions. # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes! diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh index 3e0531a9d8..4f5c4d151d 100755 --- a/cluster/aws/config-test.sh +++ b/cluster/aws/config-test.sh @@ -121,7 +121,7 @@ fi # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota # Optional: Enable/disable public IP assignment for minions. # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes! diff --git a/cluster/azure-legacy/config-default.sh b/cluster/azure-legacy/config-default.sh index 53b14ef401..4a23c81d2d 100644 --- a/cluster/azure-legacy/config-default.sh +++ b/cluster/azure-legacy/config-default.sh 
@@ -57,4 +57,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}" ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}" # Admission Controllers to invoke prior to persisting objects in cluster -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh index 05ab4d570f..6bfdbece84 100755 --- a/cluster/centos/config-default.sh +++ b/cluster/centos/config-default.sh @@ -42,7 +42,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"} # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota +export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota # Extra options to set on the Docker command line. # This is useful for setting --insecure-registry for local registries. diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh index 5ed89a760d..45e610bd39 100755 --- a/cluster/centos/master/scripts/apiserver.sh +++ b/cluster/centos/master/scripts/apiserver.sh 
@@ -56,7 +56,7 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" # Comma-delimited list of: # LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists, # NamespaceLifecycle, NamespaceAutoProvision, -# AlwaysAdmit, ServiceAccount, ResourceQuota +# AlwaysAdmit, ServiceAccount, ResourceQuota, SimpleDefaultStorageClassForPVC KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}" # --client-ca-file="": If set, any request presenting a client certificate signed diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index 093515cc16..12a5407532 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh @@ -130,7 +130,7 @@ fi # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota # Optional: if set to true kube-up will automatically check for existing resources and clean them up. KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false} diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh index 6ef55fc987..e8870acbac 100755 --- a/cluster/gce/config-test.sh +++ b/cluster/gce/config-test.sh 
@@ -149,7 +149,7 @@ if [[ "${ENABLE_CLUSTER_AUTOSCALER}" == "true" ]]; then fi # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota}" +ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota}" # Optional: if set to true kube-up will automatically check for existing resources and clean them up. KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false} diff --git a/cluster/images/hyperkube/static-pods/master-multi.json b/cluster/images/hyperkube/static-pods/master-multi.json index 7d45269db8..8c6090fbc5 100644 --- a/cluster/images/hyperkube/static-pods/master-multi.json +++ b/cluster/images/hyperkube/static-pods/master-multi.json @@ -36,7 +36,7 @@ "--service-cluster-ip-range=10.0.0.1/24", "--insecure-bind-address=0.0.0.0", "--etcd-servers=http://127.0.0.1:2379", - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota", + "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota", "--client-ca-file=/srv/kubernetes/ca.crt", "--basic-auth-file=/srv/kubernetes/basic_auth.csv", "--min-request-timeout=300", diff --git a/cluster/images/hyperkube/static-pods/master.json b/cluster/images/hyperkube/static-pods/master.json index c409e070c2..152cba50a4 100644 --- a/cluster/images/hyperkube/static-pods/master.json +++ b/cluster/images/hyperkube/static-pods/master.json 
@@ -36,7 +36,7 @@ "--service-cluster-ip-range=10.0.0.1/24", "--insecure-bind-address=127.0.0.1", "--etcd-servers=http://127.0.0.1:2379", - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota", + "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota", "--client-ca-file=/srv/kubernetes/ca.crt", "--basic-auth-file=/srv/kubernetes/basic_auth.csv", "--min-request-timeout=300", diff --git a/cluster/juju/layers/kubernetes/templates/master.json b/cluster/juju/layers/kubernetes/templates/master.json index 3966569562..2eebcdf5b1 100644 --- a/cluster/juju/layers/kubernetes/templates/master.json +++ b/cluster/juju/layers/kubernetes/templates/master.json @@ -38,7 +38,7 @@ "--etcd-certfile={{ etcd_cert }}", {%- endif %} "--etcd-servers={{ connection_string }}", - "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota", + "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota", "--client-ca-file=/srv/kubernetes/ca.crt", "--basic-auth-file=/srv/kubernetes/basic_auth.csv", "--min-request-timeout=300", diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh index 129c82ec99..07e403242e 100644 --- a/cluster/libvirt-coreos/util.sh +++ b/cluster/libvirt-coreos/util.sh @@ -25,7 +25,7 @@ source "$KUBE_ROOT/cluster/common.sh" export LIBVIRT_DEFAULT_URI=qemu:///system export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false} -export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota} +export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota} readonly POOL=kubernetes readonly POOL_PATH=/var/lib/libvirt/images/kubernetes 
diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml index df098f6968..dc2eb42109 100644 --- a/cluster/mesos/docker/docker-compose.yml +++ b/cluster/mesos/docker/docker-compose.yml @@ -77,7 +77,7 @@ apiserver: --external-hostname=apiserver --etcd-servers=http://etcd:4001 --port=8888 - --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota + --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota --authorization-mode=AlwaysAllow --token-auth-file=/var/run/kubernetes/auth/token-users --basic-auth-file=/var/run/kubernetes/auth/basic-users diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml index a2b6b582b8..388dcbfd93 100644 --- a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml +++ b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml @@ -49,7 +49,7 @@ write_files: dns_domain: cluster.local federations_domain_map: '' instance_prefix: kubernetes - admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota + admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota enable_cpu_cfs_quota: "true" network_provider: none opencontrail_tag: R2.20 diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh index 048dc13b32..7ddf2a56af 100755 --- a/cluster/photon-controller/templates/create-dynamic-salt-files.sh +++ b/cluster/photon-controller/templates/create-dynamic-salt-files.sh 
@@ -124,5 +124,5 @@ federations_domain_map: '' e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}" cluster_cidr: "$NODE_IP_RANGES" allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}" -admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota +admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota EOF diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh index ffec3292b3..ea3a00fe68 100755 --- a/cluster/ubuntu/config-default.sh +++ b/cluster/ubuntu/config-default.sh @@ -68,7 +68,7 @@ FLANNEL_OTHER_NET_CONFIG='' # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota +export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota # Path to the config file or directory of files of kubelet export KUBELET_CONFIG=${KUBELET_CONFIG:-""} diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh index 7731fc822e..29d7713abc 100755 --- a/cluster/vagrant/config-default.sh +++ b/cluster/vagrant/config-default.sh @@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}" # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota # Optional: Enable node logging. ENABLE_NODE_LOGGING=false 
diff --git a/cluster/vsphere/templates/create-dynamic-salt-files.sh b/cluster/vsphere/templates/create-dynamic-salt-files.sh index 70242ea240..f495bf4afd 100755 --- a/cluster/vsphere/templates/create-dynamic-salt-files.sh +++ b/cluster/vsphere/templates/create-dynamic-salt-files.sh @@ -124,7 +124,7 @@ federations_domain_map: '' e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}" cluster_cidr: "$NODE_IP_RANGES" allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}" -admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota +admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota EOF mkdir -p /srv/salt-overlay/salt/nginx diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go index ef4dda786a..8b1b82897c 100644 --- a/cmd/kube-apiserver/app/plugins.go +++ b/cmd/kube-apiserver/app/plugins.go @@ -35,6 +35,7 @@ import ( _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists" _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle" _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label" + _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolumeclaim/default" _ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota" _ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy" _ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny" diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index 2c695a2aba..388e35de60 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh 
@@ -264,9 +264,9 @@ function set_service_accounts { function start_apiserver { # Admission Controllers to invoke prior to persisting objects in cluster if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then - ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota + ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC else - ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota + ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC fi # This is the default dir and filename where the apiserver will generate a self-signed cert # which should be able to be used as the CA to verify itself diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission.go b/plugin/pkg/admission/persistentvolumeclaim/default/admission.go new file mode 100644 index 0000000000..b1ae84e253 --- /dev/null +++ b/plugin/pkg/admission/persistentvolumeclaim/default/admission.go 
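Review bot: In `start_apiserver` the new plugin is appended after `ResourceQuota` in both `ADMISSION_CONTROL` assignments, while every other file in this patch inserts `SimpleDefaultStorageClassForPVC` before `ResourceQuota`, and the cluster config files carry the comment that ResourceQuota should stay at the end of the list. Ordering a mutating plugin after quota presumably lets quota evaluation see the claim before it is defaulted, so the local cluster would not behave like the deployed configurations. I would use `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota` and the matching order in the `else` branch. The enclosing function continues outside the hunk.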
@@ -0,0 +1,171 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/golang/glog"
+
+ admission "k8s.io/kubernetes/pkg/admission"
+ api "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/api/errors"
+ "k8s.io/kubernetes/pkg/apis/extensions"
+ "k8s.io/kubernetes/pkg/client/cache"
+ clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+ "k8s.io/kubernetes/pkg/runtime"
+ "k8s.io/kubernetes/pkg/watch"
+)
+
+const (
+ PluginName = "SimpleDefaultStorageClassForPVC"
+)
+
+func init() {
+ admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
+ plugin := newPlugin(client)
+ plugin.Run()
+ return plugin, nil
+ })
+}
+
+// claimDefaulterPlugin holds state for and implements the admission plugin.
+type claimDefaulterPlugin struct {
+ *admission.Handler
+ client clientset.Interface
+
+ reflector *cache.Reflector
+ stopChan chan struct{}
+ store cache.Store
+}
+
+var _ admission.Interface = &claimDefaulterPlugin{}
+
+// newPlugin creates a new admission plugin.
+func newPlugin(kclient clientset.Interface) *claimDefaulterPlugin {
+ store := cache.NewStore(cache.MetaNamespaceKeyFunc)
+ reflector := cache.NewReflector(
+ &cache.ListWatch{
+ ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+ return kclient.Extensions().StorageClasses().List(options)
+ },
+ WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+ return kclient.Extensions().StorageClasses().Watch(options)
+ },
+ },
+ &extensions.StorageClass{},
+ store,
+ 0,
+ )
+
+ return &claimDefaulterPlugin{
+ Handler: admission.NewHandler(admission.Create),
+ client: kclient,
+ store: store,
+ reflector: reflector,
+ }
+}
+
+func (a *claimDefaulterPlugin) Run() {
+ if a.stopChan == nil {
+ a.stopChan = make(chan struct{})
+ }
+ a.reflector.RunUntil(a.stopChan)
+}
+func (a *claimDefaulterPlugin) Stop() {
+ if a.stopChan != nil {
+ close(a.stopChan)
+ a.stopChan = nil
+ }
+}
+
+// This is a stand-in until we have a real field. This string should be a const somewhere.
+const classAnnotation = "volume.beta.kubernetes.io/storage-class"
+
+// This indicates that a particular StorageClass nominates itself as the system default.
+const isDefaultAnnotation = "storageclass.beta.kubernetes.io/is-default-class"
+
+// Admit sets the default value of a PersistentVolumeClaim's storage class, in case the user did
+// not provide a value.
+//
+// 1. Find available StorageClasses.
+// 2. Figure which is the default
+// 3. Write to the PVClaim
+func (c *claimDefaulterPlugin) Admit(a admission.Attributes) error {
+ if a.GetResource().GroupResource() != api.Resource("persistentvolumeclaims") {
+ return nil
+ }
+
+ if len(a.GetSubresource()) != 0 {
+ return nil
+ }
+
+ pvc, ok := a.GetObject().(*api.PersistentVolumeClaim)
+ // if we can't convert then we don't handle this object so just return
+ if !ok {
+ return nil
+ }
+
+ _, found := pvc.Annotations[classAnnotation]
+ if found {
+ // The user asked for a class.
+ return nil
+ }
+
+ glog.V(4).Infof("no storage class for claim %s (generate: %s)", pvc.Name, pvc.GenerateName)
+
+ def, err := getDefaultClass(c.store)
+ if err != nil {
+ return admission.NewForbidden(a, err)
+ }
+ if def == nil {
+ // No default class selected, do nothing about the PVC.
+ return nil
+ }
+
+ glog.V(4).Infof("defaulting storage class for claim %s (generate: %s) to %s", pvc.Name, pvc.GenerateName, def.Name)
+ if pvc.ObjectMeta.Annotations == nil {
+ pvc.ObjectMeta.Annotations = map[string]string{}
+ }
+ pvc.Annotations[classAnnotation] = def.Name
+ return nil
+}
+
+// getDefaultClass returns the default StorageClass from the store, or nil.
+func getDefaultClass(store cache.Store) (*extensions.StorageClass, error) {
+ defaultClasses := []*extensions.StorageClass{}
+ for _, c := range store.List() {
+ class, ok := c.(*extensions.StorageClass)
+ if !ok {
+ return nil, errors.NewInternalError(fmt.Errorf("error converting stored object to StorageClass: %v", c))
+ }
+ if class.Annotations[isDefaultAnnotation] == "true" {
+ defaultClasses = append(defaultClasses, class)
+ glog.V(4).Infof("getDefaultClass added: %s", class.Name)
+ }
+ }
+
+ if len(defaultClasses) == 0 {
+ return nil, nil
+ }
+ if len(defaultClasses) > 1 {
+ glog.V(4).Infof("getDefaultClass %s defaults found", len(defaultClasses))
+ return nil, errors.NewInternalError(fmt.Errorf("%d default StorageClasses were found", len(defaultClasses)))
+ }
+ return defaultClasses[0], nil
+}
diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go b/plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go
new file mode 100644
index 0000000000..ecfe16cd0c
--- /dev/null
+++ b/plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go
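Review bot: `Admit` reads `c.store` without checking that the reflector started in `Run` has completed its initial list, so a claim admitted before the first `StorageClasses().List` call returns sees an empty store and is passed through silently without the default class; that window falls right after apiserver start, when the plugin is least likely to be watched. Rather than treating an unsynced store as "no default", gate on the reflector's sync state (for example, refuse or defer admission until its last synced resource version is non-empty). Separately, `glog.V(4).Infof("getDefaultClass %s defaults found", len(defaultClasses))` uses `%s` for an int and will print `%!s(int=…)` (go vet flags this); it should be `%d`. Also note that the multiple-defaults misconfiguration is returned as `admission.NewForbidden(a, err)` wrapping an `errors.NewInternalError`, which surfaces an administrator-side error to the PVC author as a rejection of their own request, so the message should at least make clear that the cluster's StorageClass configuration, not the claim, is at fault.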
@@ -0,0 +1,232 @@ +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package admission + +import ( + "testing" + + "github.com/golang/glog" + + "k8s.io/kubernetes/pkg/admission" + "k8s.io/kubernetes/pkg/api" + "k8s.io/kubernetes/pkg/api/unversioned" + "k8s.io/kubernetes/pkg/apis/extensions" + "k8s.io/kubernetes/pkg/conversion" +) + +func TestAdmission(t *testing.T) { + defaultClass1 := &extensions.StorageClass{ + TypeMeta: unversioned.TypeMeta{ + Kind: "StorageClass", + }, + ObjectMeta: api.ObjectMeta{ + Name: "default1", + Annotations: map[string]string{ + isDefaultAnnotation: "true", + }, + }, + Provisioner: "default1", + } + defaultClass2 := &extensions.StorageClass{ + TypeMeta: unversioned.TypeMeta{ + Kind: "StorageClass", + }, + ObjectMeta: api.ObjectMeta{ + Name: "default2", + Annotations: map[string]string{ + isDefaultAnnotation: "true", + }, + }, + Provisioner: "default2", + } + // Class that has explicit default = false + classWithFalseDefault := &extensions.StorageClass{ + TypeMeta: unversioned.TypeMeta{ + Kind: "StorageClass", + }, + ObjectMeta: api.ObjectMeta{ + Name: "nondefault1", + Annotations: map[string]string{ + isDefaultAnnotation: "false", + }, + }, + Provisioner: "nondefault1", + } + // Class with missing default annotation (=non-default) + classWithNoDefault := &extensions.StorageClass{ + TypeMeta: unversioned.TypeMeta{ + Kind: "StorageClass", + }, + ObjectMeta: api.ObjectMeta{ + Name: "nondefault2", + }, + Provisioner: 
"nondefault1", + } + // Class with empty default annotation (=non-default) + classWithEmptyDefault := &extensions.StorageClass{ + TypeMeta: unversioned.TypeMeta{ + Kind: "StorageClass", + }, + ObjectMeta: api.ObjectMeta{ + Name: "nondefault2", + Annotations: map[string]string{ + isDefaultAnnotation: "", + }, + }, + Provisioner: "nondefault1", + } + + claimWithClass := &api.PersistentVolumeClaim{ + TypeMeta: unversioned.TypeMeta{ + Kind: "PersistentVolumeClaim", + }, + ObjectMeta: api.ObjectMeta{ + Name: "claimWithClass", + Namespace: "ns", + Annotations: map[string]string{ + classAnnotation: "foo", + }, + }, + } + claimWithEmptyClass := &api.PersistentVolumeClaim{ + TypeMeta: unversioned.TypeMeta{ + Kind: "PersistentVolumeClaim", + }, + ObjectMeta: api.ObjectMeta{ + Name: "claimWithEmptyClass", + Namespace: "ns", + Annotations: map[string]string{ + classAnnotation: "", + }, + }, + } + claimWithNoClass := &api.PersistentVolumeClaim{ + TypeMeta: unversioned.TypeMeta{ + Kind: "PersistentVolumeClaim", + }, + ObjectMeta: api.ObjectMeta{ + Name: "claimWithNoClass", + Namespace: "ns", + }, + } + + tests := []struct { + name string + classes []*extensions.StorageClass + claim *api.PersistentVolumeClaim + expectError bool + expectedClassName string + }{ + { + "no default, no modification of PVCs", + []*extensions.StorageClass{classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithNoClass, + false, + "", + }, + { + "one default, modify PVC with class=nil", + []*extensions.StorageClass{defaultClass1, classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithNoClass, + false, + "default1", + }, + { + "one default, no modification of PVC with class=''", + []*extensions.StorageClass{defaultClass1, classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithEmptyClass, + false, + "", + }, + { + "one default, no modification of PVC with class='foo'", + []*extensions.StorageClass{defaultClass1, classWithFalseDefault, 
classWithNoDefault, classWithEmptyDefault}, + claimWithClass, + false, + "foo", + }, + { + "two defaults, error with PVC with class=nil", + []*extensions.StorageClass{defaultClass1, defaultClass2, classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithNoClass, + true, + "", + }, + { + "two defaults, no modification of PVC with class=''", + []*extensions.StorageClass{defaultClass1, defaultClass2, classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithEmptyClass, + false, + "", + }, + { + "two defaults, no modification of PVC with class='foo'", + []*extensions.StorageClass{defaultClass1, defaultClass2, classWithFalseDefault, classWithNoDefault, classWithEmptyDefault}, + claimWithClass, + false, + "foo", + }, + } + + for _, test := range tests { + glog.V(4).Infof("starting test %q", test.name) + + // clone the claim, it's going to be modified + clone, err := conversion.NewCloner().DeepCopy(test.claim) + if err != nil { + t.Fatalf("Cannot clone claim: %v", err) + } + claim := clone.(*api.PersistentVolumeClaim) + + ctrl := newPlugin(nil) + for _, c := range test.classes { + ctrl.store.Add(c) + } + attrs := admission.NewAttributesRecord( + claim, // new object + nil, // old object + api.Kind("PersistentVolumeClaim").WithVersion("version"), + claim.Namespace, + claim.Name, + api.Resource("persistentvolumeclaims").WithVersion("version"), + "", // subresource + admission.Create, + nil, // userInfo + ) + err = ctrl.Admit(attrs) + glog.Infof("Got %v", err) + if err != nil && !test.expectError { + t.Errorf("Test %q: unexpected error received: %v", test.name, err) + } + if err == nil && test.expectError { + t.Errorf("Test %q: expected error and no error recevied", test.name) + } + + class := "" + if claim.Annotations != nil { + if value, ok := claim.Annotations[classAnnotation]; ok { + class = value + } + } + if test.expectedClassName != "" && test.expectedClassName != class { + t.Errorf("Test %q: expected class name %q, got %q", 
test.name, test.expectedClassName, class) + } + if test.expectedClassName == "" && class != "" { + t.Errorf("Test %q: expected class name %q, got %q", test.name, test.expectedClassName, class) + } + } +} From 5f6efefc400c81df55cc6d9c956d3046da5e3b07 Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Mon, 22 Aug 2016 14:11:01 +0200 Subject: [PATCH 2/2] [squash] Rename and move to storageclass/ --- cluster/aws/config-default.sh | 2 +- cluster/aws/config-test.sh | 2 +- cluster/azure-legacy/config-default.sh | 2 +- cluster/centos/config-default.sh | 2 +- cluster/centos/master/scripts/apiserver.sh | 2 +- cluster/gce/config-default.sh | 2 +- cluster/gce/config-test.sh | 2 +- cluster/images/hyperkube/static-pods/master-multi.json | 2 +- cluster/images/hyperkube/static-pods/master.json | 2 +- cluster/juju/layers/kubernetes/templates/master.json | 2 +- cluster/libvirt-coreos/util.sh | 2 +- cluster/mesos/docker/docker-compose.yml | 2 +- .../kubernetes-heat/fragments/configure-salt.yaml | 2 +- .../photon-controller/templates/create-dynamic-salt-files.sh | 2 +- cluster/ubuntu/config-default.sh | 2 +- cluster/vagrant/config-default.sh | 2 +- cluster/vsphere/templates/create-dynamic-salt-files.sh | 2 +- cmd/kube-apiserver/app/plugins.go | 2 +- hack/local-up-cluster.sh | 4 ++-- .../default/admission.go | 2 +- .../default/admission_test.go | 0 21 files changed, 21 insertions(+), 21 deletions(-) rename plugin/pkg/admission/{persistentvolumeclaim => storageclass}/default/admission.go (99%) rename plugin/pkg/admission/{persistentvolumeclaim => storageclass}/default/admission_test.go (100%) diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh index 2b138173bb..ac30612169 100644 --- a/cluster/aws/config-default.sh +++ b/cluster/aws/config-default.sh 
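Review bot: `classWithNoDefault` and `classWithEmptyDefault` are both given `Name: "nondefault2"`, and the store is keyed by `cache.MetaNamespaceKeyFunc`, so the second `ctrl.store.Add(c)` replaces the first and the missing-annotation class is never actually present in any test case; giving one of them a distinct name, e.g. `Name: "nondefault3"`, makes both cases exercised. The message on the expected-error path has a typo, `"Test %q: expected error and no error recevied"` should read `received`. `glog.Infof("Got %v", err)` inside the loop logs at the default level on every run, unlike the `glog.V(4)` used for the other test output. There is also no case for what `Admit` does before the store has been populated by the reflector; since `newPlugin(nil)` never calls `Run`, every case here starts from an explicitly filled store.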
@@ -135,7 +135,7 @@ fi # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota # Optional: Enable/disable public IP assignment for minions. # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes! diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh index 4f5c4d151d..a2d8e94285 100755 --- a/cluster/aws/config-test.sh +++ b/cluster/aws/config-test.sh @@ -121,7 +121,7 @@ fi # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota # Optional: Enable/disable public IP assignment for minions. # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes! diff --git a/cluster/azure-legacy/config-default.sh b/cluster/azure-legacy/config-default.sh index 4a23c81d2d..20687b9311 100644 --- a/cluster/azure-legacy/config-default.sh +++ b/cluster/azure-legacy/config-default.sh 
@@ -57,4 +57,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}" ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}" # Admission Controllers to invoke prior to persisting objects in cluster -ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh index 6bfdbece84..2fd596e2e6 100755 --- a/cluster/centos/config-default.sh +++ b/cluster/centos/config-default.sh @@ -42,7 +42,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"} # Admission Controllers to invoke prior to persisting objects in cluster # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely. -export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota +export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota # Extra options to set on the Docker command line. # This is useful for setting --insecure-registry for local registries. diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh index 45e610bd39..29bcc985bb 100755 --- a/cluster/centos/master/scripts/apiserver.sh +++ b/cluster/centos/master/scripts/apiserver.sh 
@@ -56,7 +56,7 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 # Comma-delimited list of:
 # LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
 # NamespaceLifecycle, NamespaceAutoProvision,
-# AlwaysAdmit, ServiceAccount, ResourceQuota, SimpleDefaultStorageClassForPVC
+# AlwaysAdmit, ServiceAccount, ResourceQuota, DefaultStorageClass
 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"
 # --client-ca-file="": If set, any request presenting a client certificate signed
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 12a5407532..24466af0bf 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -130,7 +130,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index e8870acbac..2eb13a872d 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -149,7 +149,7 @@ if [[ "${ENABLE_CLUSTER_AUTOSCALER}" == "true" ]]; then
 fi
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota}"
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/images/hyperkube/static-pods/master-multi.json b/cluster/images/hyperkube/static-pods/master-multi.json
index 8c6090fbc5..b69da036a1 100644
--- a/cluster/images/hyperkube/static-pods/master-multi.json
+++ b/cluster/images/hyperkube/static-pods/master-multi.json
@@ -36,7 +36,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=0.0.0.0",
 "--etcd-servers=http://127.0.0.1:2379",
-"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/images/hyperkube/static-pods/master.json b/cluster/images/hyperkube/static-pods/master.json
index 152cba50a4..704f8f9076 100644
--- a/cluster/images/hyperkube/static-pods/master.json
+++ b/cluster/images/hyperkube/static-pods/master.json
@@ -36,7 +36,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=127.0.0.1",
 "--etcd-servers=http://127.0.0.1:2379",
-"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/juju/layers/kubernetes/templates/master.json b/cluster/juju/layers/kubernetes/templates/master.json
index 2eebcdf5b1..007405a7c5 100644
--- a/cluster/juju/layers/kubernetes/templates/master.json
+++ b/cluster/juju/layers/kubernetes/templates/master.json
@@ -38,7 +38,7 @@
 "--etcd-certfile={{ etcd_cert }}",
 {%- endif %}
 "--etcd-servers={{ connection_string }}",
-"--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+"--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index 07e403242e..c3a6fb6b88 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -25,7 +25,7 @@ source "$KUBE_ROOT/cluster/common.sh"
 export LIBVIRT_DEFAULT_URI=qemu:///system
 export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml
index dc2eb42109..1f7d5c0be0 100644
--- a/cluster/mesos/docker/docker-compose.yml
+++ b/cluster/mesos/docker/docker-compose.yml
@@ -77,7 +77,7 @@ apiserver:
 --external-hostname=apiserver
 --etcd-servers=http://etcd:4001
 --port=8888
- --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 --authorization-mode=AlwaysAllow
 --token-auth-file=/var/run/kubernetes/auth/token-users
 --basic-auth-file=/var/run/kubernetes/auth/basic-users
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
index 388dcbfd93..d70edce9db 100644
--- a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
+++ b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -49,7 +49,7 @@ write_files:
 dns_domain: cluster.local
 federations_domain_map: ''
 instance_prefix: kubernetes
- admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 enable_cpu_cfs_quota: "true"
 network_provider: none
 opencontrail_tag: R2.20
diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
index 7ddf2a56af..0bb568ff47 100755
--- a/cluster/photon-controller/templates/create-dynamic-salt-files.sh
+++ b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
@@ -124,5 +124,5 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh
index ea3a00fe68..34463e205a 100755
--- a/cluster/ubuntu/config-default.sh
+++ b/cluster/ubuntu/config-default.sh
@@ -68,7 +68,7 @@ FLANNEL_OTHER_NET_CONFIG=''
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota
 # Path to the config file or directory of files of kubelet
 export KUBELET_CONFIG=${KUBELET_CONFIG:-""}
diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
index 29d7713abc..1f97b9bb83 100755
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}"
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING=false
diff --git a/cluster/vsphere/templates/create-dynamic-salt-files.sh b/cluster/vsphere/templates/create-dynamic-salt-files.sh
index f495bf4afd..291b5555cd 100755
--- a/cluster/vsphere/templates/create-dynamic-salt-files.sh
+++ b/cluster/vsphere/templates/create-dynamic-salt-files.sh
@@ -124,7 +124,7 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
 mkdir -p /srv/salt-overlay/salt/nginx
diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go
index 8b1b82897c..e0f57e899b 100644
--- a/cmd/kube-apiserver/app/plugins.go
+++ b/cmd/kube-apiserver/app/plugins.go
@@ -35,9 +35,9 @@ import (
 _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
 _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
- _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolumeclaim/default"
 _ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
 _ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
 _ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
 _ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+ _ "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
 )
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 388e35de60..2ef17fc8ab 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -264,9 +264,9 @@ function set_service_accounts {
 function start_apiserver {
 # Admission Controllers to invoke prior to persisting objects in cluster
 if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC
+ ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,DefaultStorageClass
 else
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC
+ ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
 fi
 # This is the default dir and filename where the apiserver will generate a self-signed cert
 # which should be able to be used as the CA to verify itself
diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission.go b/plugin/pkg/admission/storageclass/default/admission.go
similarity index 99%
rename from plugin/pkg/admission/persistentvolumeclaim/default/admission.go
rename to plugin/pkg/admission/storageclass/default/admission.go
index b1ae84e253..c6728db7df 100644
--- a/plugin/pkg/admission/persistentvolumeclaim/default/admission.go
+++ b/plugin/pkg/admission/storageclass/default/admission.go
@@ -33,7 +33,7 @@ import (
 )
 const (
- PluginName = "SimpleDefaultStorageClassForPVC"
+ PluginName = "DefaultStorageClass"
 )
 func init() {
diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go b/plugin/pkg/admission/storageclass/default/admission_test.go
similarity index 100%
rename from plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go
rename to plugin/pkg/admission/storageclass/default/admission_test.go
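Review bot: Both new ADMISSION_CONTROL lines in start_apiserver place DefaultStorageClass after ResourceQuota, which is the reverse of every other configuration this commit touches and contradicts the comment those files carry ("If we included ResourceQuota, we should keep it at the end of the list"). A mutating plugin that runs after quota evaluation means quota is checked against the PVC before the default class is filled in; whether any quota evaluator keys on storage class today is not visible in this diff, so treat this as a consistency and ordering hazard rather than a confirmed miscount. I would reorder to match the cluster configs: `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota` and `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota`. The body of start_apiserver continues past the end of this hunk.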