starlingx/stx-puppet
Code Issues Proposed changes

Support adding admission plugin post bootstrap

Browse Source 
This commit adds the ability to change the admission plugins of
kube-apiserver post bootstrap. We need this for pod security plugin.
Starting pod security plugin without any policies will result in all
pods being denied.

Story: 2007351
Task: 38897

Change-Id: I3ad3ba91f3084bd2f0054d5d063d2242594997b2
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
This commit is contained in:
Jerry Sun 2020-03-27 14:11:45 -04:00
parent 6060fb15cd
commit cc786eda4d
3 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py
View File

@ -19,6 +19,7 @@ parser.add_argument("--oidc_issuer_url")
parser.add_argument("--oidc_client_id") parser.add_argument("--oidc_client_id")
parser.add_argument("--oidc_username_claim") parser.add_argument("--oidc_username_claim")
parser.add_argument("--oidc_groups_claim") parser.add_argument("--oidc_groups_claim")
parser.add_argument("--admission_plugins")
args = parser.parse_args() args = parser.parse_args()
if args.configmap_file: if args.configmap_file:
@ -59,6 +60,14 @@ else:
if 'oidc-groups-claim' in cluster_config['apiServer']['extraArgs']: if 'oidc-groups-claim' in cluster_config['apiServer']['extraArgs']:
del cluster_config['apiServer']['extraArgs']['oidc-groups-claim'] del cluster_config['apiServer']['extraArgs']['oidc-groups-claim']
if args.admission_plugins:
cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = \
args.admission_plugins
else:
plugins = 'enable-admission-plugins'
if plugins in cluster_config['apiServer']['extraArgs']:
del cluster_config['apiServer']['extraArgs'][plugins]
cluster_config_string = yaml.dump(cluster_config, Dumper=yaml.RoundTripDumper, cluster_config_string = yaml.dump(cluster_config, Dumper=yaml.RoundTripDumper,
default_flow_style=False) default_flow_style=False)
# use yaml.scalarstring.PreservedScalarString to make sure the yaml is # use yaml.scalarstring.PreservedScalarString to make sure the yaml is

3
puppet-manifests/src/modules/platform/manifests/kubernetes.pp
View File

@ -21,7 +21,8 @@ class platform::kubernetes::params (
$oidc_issuer_url = undef, $oidc_issuer_url = undef,
$oidc_client_id = undef, $oidc_client_id = undef,
$oidc_username_claim = undef, $oidc_username_claim = undef,
$oidc_groups_claim = undef $oidc_groups_claim = undef,
$admission_plugins = undef
) { } ) { }
class platform::kubernetes::cgroup::params ( class platform::kubernetes::cgroup::params (

3
puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
View File

@ -20,6 +20,9 @@ python /usr/share/puppet/modules/platform/files/change_kube_apiserver_params.py
<%- if @oidc_groups_claim -%> <%- if @oidc_groups_claim -%>
--oidc_groups_claim <%= @oidc_groups_claim %> \ --oidc_groups_claim <%= @oidc_groups_claim %> \
<%- end -%> <%- end -%>
<%- if @admission_plugins -%>
--admission_plugins <%= @admission_plugins %> \
<%- end -%>
kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch configmap kubeadm-config -p "$(cat <%= @configmap_temp_file %>)" kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch configmap kubeadm-config -p "$(cat <%= @configmap_temp_file %>)"
kubeadm config view > <%= @configmap_temp_file %> kubeadm config view > <%= @configmap_temp_file %>