Support adding admission plugin post bootstrap

This commit adds the ability to change the admission plugins of kube-apiserver post bootstrap. We need this for pod security plugin. Starting pod security plugin without any policies will result in all pods being denied. Story: 2007351 Task: 38897 Change-Id: I3ad3ba91f3084bd2f0054d5d063d2242594997b2 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
2020-03-27 14:11:45 -04:00 · 2020-03-27 14:11:45 -04:00 · cc786eda4d
commit cc786eda4d
parent 6060fb15cd
3 changed files with 14 additions and 1 deletions
--- a/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py
+++ b/puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py
@ -19,6 +19,7 @@ parser.add_argument("--oidc_issuer_url")
 parser.add_argument("--oidc_client_id")
 parser.add_argument("--oidc_username_claim")
 parser.add_argument("--oidc_groups_claim")
+parser.add_argument("--admission_plugins")
 args = parser.parse_args()

 if args.configmap_file:
@ -59,6 +60,14 @@ else:
    if 'oidc-groups-claim' in cluster_config['apiServer']['extraArgs']:
        del cluster_config['apiServer']['extraArgs']['oidc-groups-claim']

+if args.admission_plugins:
+    cluster_config['apiServer']['extraArgs']['enable-admission-plugins'] = \
+        args.admission_plugins
+else:
+    plugins = 'enable-admission-plugins'
+    if plugins in cluster_config['apiServer']['extraArgs']:
+        del cluster_config['apiServer']['extraArgs'][plugins]
+
 cluster_config_string = yaml.dump(cluster_config, Dumper=yaml.RoundTripDumper,
                                  default_flow_style=False)
 # use yaml.scalarstring.PreservedScalarString to make sure the yaml is
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@ -21,7 +21,8 @@ class platform::kubernetes::params (
  $oidc_issuer_url = undef,
  $oidc_client_id = undef,
  $oidc_username_claim = undef,
-  $oidc_groups_claim = undef
+  $oidc_groups_claim = undef,
+  $admission_plugins = undef
 ) { }

 class platform::kubernetes::cgroup::params (
--- a/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
+++ b/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
@ -20,6 +20,9 @@ python /usr/share/puppet/modules/platform/files/change_kube_apiserver_params.py
 <%- if @oidc_groups_claim -%>
 --oidc_groups_claim <%= @oidc_groups_claim %> \
 <%- end -%>
+<%- if @admission_plugins -%>
+--admission_plugins <%= @admission_plugins %> \
+<%- end -%>

 kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch configmap kubeadm-config -p "$(cat <%= @configmap_temp_file %>)"
 kubeadm config view > <%= @configmap_temp_file %>