Add support for the PodNodeSelector admission controller #920

Merged
merged 9 commits into from
Jun 15, 2020
2 changes: 2 additions & 0 deletions hack/boilerplate/boilerplate.py
Expand Up @@ -156,6 +156,8 @@ def file_extension(filename):
'.git',
'vendor',
'hack/boilerplate/test',
'pkg/apis/apiserver/v1',
'pkg/apis/apiserver/v1alpha1',
'pkg/apis/kubeadm/v1beta1',
'pkg/apis/kubeadm/v1beta2',
]
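Review bot: the new 'pkg/apis/apiserver/v1' and 'pkg/apis/apiserver/v1alpha1' entries in this skip list exempt whole directories from the license-header check, so any file added to those packages later is skipped as well. The types.go files added in this PR carry a "The Kubernetes Authors" header, which looks like the reason for the exemption; a one-line comment next to the entries saying that would make the intent reviewable, and listing the specific files instead of the directories would keep the check active for anything else that lands there.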
50 changes: 50 additions & 0 deletions pkg/apis/apiserver/v1/types.go
@@ -0,0 +1,50 @@
/*
Copyright 2019 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AdmissionConfiguration provides versioned configuration for admission controllers.
type AdmissionConfiguration struct {
metav1.TypeMeta `json:",inline"`

// Plugins allows specifying a configuration per admission control plugin.
// +optional
Plugins []AdmissionPluginConfiguration `json:"plugins"`
}

// AdmissionPluginConfiguration provides the configuration for a single plug-in.
type AdmissionPluginConfiguration struct {
// Name is the name of the admission controller.
// It must match the registered admission plugin name.
Name string `json:"name"`

// Path is the path to a configuration file that contains the plugin's
// configuration
// +optional
Path string `json:"path"`

// Configuration is an embedded configuration object to be used as the plugin's
// configuration. If present, it will be used instead of the path to the configuration file.
// +optional
Configuration *runtime.Unknown `json:"configuration"`
}
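Review bot: Plugins, Path and Configuration are all marked +optional, but their tags (`json:"plugins"`, `json:"path"`, `json:"configuration"`) have no omitempty, so marshalling an AdmissionPluginConfiguration that sets only one of Path or Configuration still writes the other as an empty string or null. If this struct is rendered into the file handed to the API server, consider adding omitempty, or add a comment that the tags are deliberately left as they are. The Configuration comment says it is used instead of Path when present, so the code that fills this struct should set exactly one of the two to keep the effective plugin configuration unambiguous.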
78 changes: 78 additions & 0 deletions pkg/apis/apiserver/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

50 changes: 50 additions & 0 deletions pkg/apis/apiserver/v1alpha1/types.go
@@ -0,0 +1,50 @@
/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AdmissionConfiguration provides versioned configuration for admission controllers.
type AdmissionConfiguration struct {
metav1.TypeMeta `json:",inline"`

// Plugins allows specifying a configuration per admission control plugin.
// +optional
Plugins []AdmissionPluginConfiguration `json:"plugins"`
}

// AdmissionPluginConfiguration provides the configuration for a single plug-in.
type AdmissionPluginConfiguration struct {
// Name is the name of the admission controller.
// It must match the registered admission plugin name.
Name string `json:"name"`

// Path is the path to a configuration file that contains the plugin's
// configuration
// +optional
Path string `json:"path"`

// Configuration is an embedded configuration object to be used as the plugin's
// configuration. If present, it will be used instead of the path to the configuration file.
// +optional
Configuration *runtime.Unknown `json:"configuration"`
}
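Review bot: apart from the package clause and the copyright year (2017 here, 2019 in v1), this file declares the same two types with the same fields and tags as pkg/apis/apiserver/v1/types.go. If only one apiVersion of AdmissionConfiguration is ever written out, keep just that package; if both are needed, a package comment saying when each one is used would explain the duplication and make it clear which copy to update.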
78 changes: 78 additions & 0 deletions pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

16 changes: 16 additions & 0 deletions pkg/apis/kubeone/types.go
Expand Up @@ -242,6 +242,7 @@ type MachineControllerConfig struct {

// Features controls what features will be enabled on the cluster
type Features struct {
PodNodeSelector *PodNodeSelector `json:"podNodeSelector"`
PodPresets *PodPresets `json:"podPresets"`
PodSecurityPolicy *PodSecurityPolicy `json:"podSecurityPolicy"`
StaticAuditLog *StaticAuditLog `json:"staticAuditLog"`
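Review bot: the new Features field is a pointer (`PodNodeSelector *PodNodeSelector`), so it is nil whenever the user omits the podNodeSelector block. Every reader of Enable or Config.ConfigFilePath needs a nil check first. The field also has no doc comment; one line saying that it turns on the PodNodeSelector admission controller would help readers of the API docs.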
Expand All @@ -257,6 +258,21 @@ type SystemPackages struct {
ConfigureRepositories bool `json:"configureRepositories"`
}

// PodNodeSelector feature flag
type PodNodeSelector struct {
Enable bool `json:"enable"`
Config PodNodeSelectorConfig `json:"config"`
}

// PodNodeSelectorConfig config
type PodNodeSelectorConfig struct {
// ConfigFilePath is a path on the local file system to the PodNodeSelector
// configuration file.
// ConfigFilePath is a required field.
// More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector
ConfigFilePath string `json:"configFilePath"`
Member

Suggested change
ConfigFilePath string `json:"configFilePath"`
Config string `json:"config"`

Let's have it inline instead of file

Member Author

I've thought about this as well and I'm not sure this is a good approach. I think we should have the standardized API, even if it's a little bit redundant sometimes. A couple of things I have in mind:

  • Config is a struct for all other features. Having it as a string here could introduce confusion
  • The problem mentioned above could be solved by calling it ConfigFilePath like it is now, but then we come to another problem...
  • If we ever have to add another field for any reason, we would drift from the standard API way too much and we would end up in a mess.

In the long run, I think it's better as it is right now.

}

// PodPresets feature flag
type PodPresets struct {
Enable bool `json:"enable"`
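Review bot: the comment on ConfigFilePath says it "is a required field", but Config is a plain struct and the string can be left empty. Make sure validation fails when Enable is true and ConfigFilePath is empty, and reword the comment to say the path is required only when the feature is enabled, so a manifest with enable: false is not expected to carry a path.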
16 changes: 16 additions & 0 deletions pkg/apis/kubeone/v1alpha1/types.go
Expand Up @@ -215,6 +215,7 @@ type MachineControllerConfig struct {

// Features controls what features will be enabled on the cluster
type Features struct {
PodNodeSelector *PodNodeSelector `json:"podNodeSelector"`
Member

While there is no technical obstacle to adding this new feature to v1alpha1, I think we should avoid doing this, as v1alpha1 should be "conserved" and not changed anymore.

Member Author

I've thought about this as well, but I think we should keep both APIs in sync until we officially announce the deprecation with the 1.0 release. After that, only v1beta1 should be extended.

PodPresets *PodPresets `json:"podPresets"`
PodSecurityPolicy *PodSecurityPolicy `json:"podSecurityPolicy"`
StaticAuditLog *StaticAuditLog `json:"staticAuditLog"`
Expand All @@ -230,6 +231,21 @@ type SystemPackages struct {
ConfigureRepositories bool `json:"configureRepositories"`
}

// PodNodeSelector feature flag
type PodNodeSelector struct {
Enable bool `json:"enable"`
Config PodNodeSelectorConfig `json:"config"`
}

// PodNodeSelectorConfig config
type PodNodeSelectorConfig struct {
// ConfigFilePath is a path on the local file system to the PodNodeSelector
// configuration file.
// ConfigFilePath is a required field.
// More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector
ConfigFilePath string `json:"configFilePath"`
}

// PodPresets feature flag
type PodPresets struct {
Enable bool `json:"enable"`
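Review bot: "a path on the local file system" in the ConfigFilePath comment does not say which machine is meant. This versioned type is what users read when writing a manifest, so the comment should state whether the file is read on the host running KubeOne or must already exist on the control-plane nodes, and how a relative path is resolved.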