Merge pull request #30900 from jsafrane/pvc-admission

Automatic merge from submit-queue Add admission controller for default storage class. The admission controller adds a default class to PVCs that do not require any specific class. This way, users (=PVC authors) do not need to care about storage classes, administrator can configure a default one and all these PVCs that do not care about class will get the default one. The marker of default class is annotation "volume.beta.kubernetes.io/storage-class", which must be set to "true" to work. All other values (or missing annotation) makes the class non-default. Based on @thockin's code, added tests and made it not to reject a PVC when no class is marked as default. . @kubernetes/sig-storage
kubernetes · Aug 24, 2016 · ef27186 · ef27186
2 parents 3544f8a + 5f6efef
commit ef27186
Show file tree

Hide file tree

Showing 21 changed files with 423 additions and 19 deletions.
diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
@@ -138,7 +138,7 @@ fi
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!

diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh
@@ -121,7 +121,7 @@ fi
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!

diff --git a/cluster/azure-legacy/config-default.sh b/cluster/azure-legacy/config-default.sh
@@ -57,4 +57,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh
@@ -42,7 +42,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota
 
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.

diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh
@@ -56,7 +56,7 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 # Comma-delimited list of: 
 #   LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists, 
 #   NamespaceLifecycle, NamespaceAutoProvision,
-#   AlwaysAdmit, ServiceAccount, ResourceQuota
+#   AlwaysAdmit, ServiceAccount, ResourceQuota, DefaultStorageClass
 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"
 
 # --client-ca-file="": If set, any request presenting a client certificate signed

diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
@@ -136,7 +136,7 @@ ENABLE_RESCHEDULER="${KUBE_ENABLE_RESCHEDULER:-false}"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}

diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
@@ -155,7 +155,7 @@ fi
 ENABLE_RESCHEDULER="${KUBE_ENABLE_RESCHEDULER:-false}"
 
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota}"
 
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}

diff --git a/cluster/images/hyperkube/static-pods/master-multi.json b/cluster/images/hyperkube/static-pods/master-multi.json
@@ -36,7 +36,7 @@
               "--service-cluster-ip-range=10.0.0.1/24",
               "--insecure-bind-address=0.0.0.0",
               "--etcd-servers=http://127.0.0.1:2379",
-              "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota",
+              "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
               "--client-ca-file=/srv/kubernetes/ca.crt",
               "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
               "--min-request-timeout=300",

diff --git a/cluster/images/hyperkube/static-pods/master.json b/cluster/images/hyperkube/static-pods/master.json
@@ -36,7 +36,7 @@
               "--service-cluster-ip-range=10.0.0.1/24",
               "--insecure-bind-address=127.0.0.1",
               "--etcd-servers=http://127.0.0.1:2379",
-              "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota",
+              "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
               "--client-ca-file=/srv/kubernetes/ca.crt",
               "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
               "--min-request-timeout=300",

diff --git a/cluster/juju/layers/kubernetes/templates/master.json b/cluster/juju/layers/kubernetes/templates/master.json
@@ -38,7 +38,7 @@
               "--etcd-certfile={{ etcd_cert }}",
               {%- endif %}
               "--etcd-servers={{ connection_string }}",
-              "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota",
+              "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota",
               "--client-ca-file=/srv/kubernetes/ca.crt",
               "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
               "--min-request-timeout=300",

diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
@@ -25,7 +25,7 @@ source "$KUBE_ROOT/cluster/common.sh"
 
 export LIBVIRT_DEFAULT_URI=qemu:///system
 export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
 

diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml
@@ -77,7 +77,7 @@ apiserver:
     --external-hostname=apiserver
     --etcd-servers=http://etcd:4001
     --port=8888
-    --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+    --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
     --authorization-mode=AlwaysAllow
     --token-auth-file=/var/run/kubernetes/auth/token-users
     --basic-auth-file=/var/run/kubernetes/auth/basic-users

diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -49,7 +49,7 @@ write_files:
       dns_domain: cluster.local
       federations_domain_map: ''
       instance_prefix: kubernetes
-      admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+      admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
       enable_cpu_cfs_quota: "true"
       network_provider: none
       opencontrail_tag: R2.20

diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
@@ -124,5 +124,5 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh
@@ -68,7 +68,7 @@ FLANNEL_OTHER_NET_CONFIG=''
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota
 
 # Path to the config file or directory of files of kubelet
 export KUBELET_CONFIG=${KUBELET_CONFIG:-""}

diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
@@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
 
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING=false

diff --git a/cluster/vsphere/templates/create-dynamic-salt-files.sh b/cluster/vsphere/templates/create-dynamic-salt-files.sh
@@ -124,7 +124,7 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
 
 mkdir -p /srv/salt-overlay/salt/nginx

diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go
@@ -40,4 +40,5 @@ import (
 	_ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
 )
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
@@ -264,9 +264,9 @@ function set_service_accounts {
 function start_apiserver {
     # Admission Controllers to invoke prior to persisting objects in cluster
     if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then
-      ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+      ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,DefaultStorageClass
     else
-      ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
+      ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
     fi
     # This is the default dir and filename where the apiserver will generate a self-signed cert
     # which should be able to be used as the CA to verify itself

diff --git a/plugin/pkg/admission/storageclass/default/admission.go b/plugin/pkg/admission/storageclass/default/admission.go
@@ -0,0 +1,171 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/golang/glog"
+
+	admission "k8s.io/kubernetes/pkg/admission"
+	api "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/client/cache"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+const (
+	PluginName = "DefaultStorageClass"
+)
+
+func init() {
+	admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
+		plugin := newPlugin(client)
+		plugin.Run()
+		return plugin, nil
+	})
+}
+
+// claimDefaulterPlugin holds state for and implements the admission plugin.
+type claimDefaulterPlugin struct {
+	*admission.Handler
+	client clientset.Interface
+
+	reflector *cache.Reflector
+	stopChan  chan struct{}
+	store     cache.Store
+}
+
+var _ admission.Interface = &claimDefaulterPlugin{}
+
+// newPlugin creates a new admission plugin.
+func newPlugin(kclient clientset.Interface) *claimDefaulterPlugin {
+	store := cache.NewStore(cache.MetaNamespaceKeyFunc)
+	reflector := cache.NewReflector(
+		&cache.ListWatch{
+			ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+				return kclient.Extensions().StorageClasses().List(options)
+			},
+			WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+				return kclient.Extensions().StorageClasses().Watch(options)
+			},
+		},
+		&extensions.StorageClass{},
+		store,
+		0,
+	)
+
+	return &claimDefaulterPlugin{
+		Handler:   admission.NewHandler(admission.Create),
+		client:    kclient,
+		store:     store,
+		reflector: reflector,
+	}
+}
+
+func (a *claimDefaulterPlugin) Run() {
+	if a.stopChan == nil {
+		a.stopChan = make(chan struct{})
+	}
+	a.reflector.RunUntil(a.stopChan)
+}
+func (a *claimDefaulterPlugin) Stop() {
+	if a.stopChan != nil {
+		close(a.stopChan)
+		a.stopChan = nil
+	}
+}
+
+// This is a stand-in until we have a real field.  This string should be a const somewhere.
+const classAnnotation = "volume.beta.kubernetes.io/storage-class"
+
+// This indicates that a particular StorageClass nominates itself as the system default.
+const isDefaultAnnotation = "storageclass.beta.kubernetes.io/is-default-class"
+
+// Admit sets the default value of a PersistentVolumeClaim's storage class, in case the user did
+// not provide a value.
+//
+// 1.  Find available StorageClasses.
+// 2.  Figure which is the default
+// 3.  Write to the PVClaim
+func (c *claimDefaulterPlugin) Admit(a admission.Attributes) error {
+	if a.GetResource().GroupResource() != api.Resource("persistentvolumeclaims") {
+		return nil
+	}
+
+	if len(a.GetSubresource()) != 0 {
+		return nil
+	}
+
+	pvc, ok := a.GetObject().(*api.PersistentVolumeClaim)
+	// if we can't convert then we don't handle this object so just return
+	if !ok {
+		return nil
+	}
+
+	_, found := pvc.Annotations[classAnnotation]
+	if found {
+		// The user asked for a class.
+		return nil
+	}
+
+	glog.V(4).Infof("no storage class for claim %s (generate: %s)", pvc.Name, pvc.GenerateName)
+
+	def, err := getDefaultClass(c.store)
+	if err != nil {
+		return admission.NewForbidden(a, err)
+	}
+	if def == nil {
+		// No default class selected, do nothing about the PVC.
+		return nil
+	}
+
+	glog.V(4).Infof("defaulting storage class for claim %s (generate: %s) to %s", pvc.Name, pvc.GenerateName, def.Name)
+	if pvc.ObjectMeta.Annotations == nil {
+		pvc.ObjectMeta.Annotations = map[string]string{}
+	}
+	pvc.Annotations[classAnnotation] = def.Name
+	return nil
+}
+
+// getDefaultClass returns the default StorageClass from the store, or nil.
+func getDefaultClass(store cache.Store) (*extensions.StorageClass, error) {
+	defaultClasses := []*extensions.StorageClass{}
+	for _, c := range store.List() {
+		class, ok := c.(*extensions.StorageClass)
+		if !ok {
+			return nil, errors.NewInternalError(fmt.Errorf("error converting stored object to StorageClass: %v", c))
+		}
+		if class.Annotations[isDefaultAnnotation] == "true" {
+			defaultClasses = append(defaultClasses, class)
+			glog.V(4).Infof("getDefaultClass added: %s", class.Name)
+		}
+	}
+
+	if len(defaultClasses) == 0 {
+		return nil, nil
+	}
+	if len(defaultClasses) > 1 {
+		glog.V(4).Infof("getDefaultClass %s defaults found", len(defaultClasses))
+		return nil, errors.NewInternalError(fmt.Errorf("%d default StorageClasses were found", len(defaultClasses)))
+	}
+	return defaultClasses[0], nil
+}