Refactor controller initialization (final round?) #14633

merged 3 commits into from
Jun 21, 2017
refactor rest of the origin controllers and kube controllers initialization
mfojtik committed Jun 21, 2017
commit 8c7065fd602edeaf9ef20a350572e908aa0ab7e0
2 changes: 2 additions & 0 deletions pkg/authorization/authorizer/subjects_test.go
Expand Up @@ -51,6 +51,8 @@ func TestSubjects(t *testing.T) {
"system:serviceaccount:openshift-infra:template-instance-controller",
"system:serviceaccount:openshift-infra:template-instance-controller",
"system:serviceaccount:openshift-infra:build-controller",
"system:serviceaccount:openshift-infra:pv-recycler-controller",
"system:serviceaccount:openshift-infra:sdn-controller",
),
expectedGroups: sets.NewString("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:masters", "system:nodes"),
}
81 changes: 81 additions & 0 deletions pkg/cmd/server/bootstrappolicy/controller_policy.go
Expand Up @@ -189,6 +189,87 @@ func init() {
eventsRule(),
},
})

// sdn-controller
addControllerRole(rbac.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraSDNControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "create", "update").Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks").RuleOrDie(),
rbac.NewRule("get", "list").Groups(networkGroup, legacyNetworkGroup).Resources("egressnetworkpolicies").RuleOrDie(),
rbac.NewRule("get", "list", "create", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("hostsubnets").RuleOrDie(),
This was not correct - the controller needed watch on hostsubnets. How did our tests not catch this @openshift/networking?

The master only needs to watch on hostsubnets to handle the case where an admin manually creates a hostsubnet for F5 router integration, and there are no end-to-end tests of that.

(Looks like an error was getting logged about the watch failing, but that doesn't get returned to anywhere we'd see it.)

and there are no end-to-end tests of that.

though it would have been caught by QE before the release went out

Fixed in #14968, added watch access to the other needed resources.

rbac.NewRule("get", "list", "create", "update", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("netnamespaces").RuleOrDie(),
rbac.NewRule("get", "list").Groups(kapiGroup).Resources("pods").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("services").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
rbac.NewRule("get").Groups(kapiGroup).Resources("nodes").RuleOrDie(),
rbac.NewRule("update").Groups(kapiGroup).Resources("nodes/status").RuleOrDie(),
rbac.NewRule("list").Groups(extensionsGroup).Resources("networkPolicies").RuleOrDie(),

eventsRule(),
},
})

// cluster-quota-reconciliation
addControllerRole(rbac.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraClusterQuotaReconciliationControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "list").Groups(kapiGroup).Resources("configMaps").RuleOrDie(),
rbac.NewRule("get", "list").Groups(kapiGroup).Resources("secrets").RuleOrDie(),
rbac.NewRule("update").Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas/status").RuleOrDie(),
eventsRule(),
},
})

// unidling-controller
addControllerRole(rbac.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraUnidlingControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "update").Groups(kapiGroup).Resources("replicationcontrollers/scale", "endpoints").RuleOrDie(),
rbac.NewRule("get", "update", "patch").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
rbac.NewRule("get", "update").Groups(extensionsGroup, appsGroup).Resources("replicasets/scale", "deployments/scale").RuleOrDie(),
rbac.NewRule("get", "update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/scale").RuleOrDie(),
rbac.NewRule("watch", "list").Groups(kapiGroup).Resources("events").RuleOrDie(),
eventsRule(),
},
})

// ingress-ip-controller
addControllerRole(rbac.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraServiceIngressIPControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("list", "watch", "update").Groups(kapiGroup).Resources("services").RuleOrDie(),
rbac.NewRule("update").Groups(kapiGroup).Resources("services/status").RuleOrDie(),
eventsRule(),
},
})

// pv-recycler-controller
addControllerRole(rbac.ClusterRole{
removable?

ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraPersistentVolumeRecyclerControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "update", "create", "delete", "list", "watch").Groups(kapiGroup).Resources("persistentvolumes").RuleOrDie(),
rbac.NewRule("update").Groups(kapiGroup).Resources("persistentvolumes/status").RuleOrDie(),
rbac.NewRule("get", "update", "list", "watch").Groups(kapiGroup).Resources("persistentvolumeclaims").RuleOrDie(),
rbac.NewRule("update").Groups(kapiGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
rbac.NewRule("get", "create", "delete", "list", "watch").Groups(kapiGroup).Resources("pods").RuleOrDie(),
eventsRule(),
},
})

// resourcequota-controller
addControllerRole(rbac.ClusterRole{
removable?

ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraResourceQuotaControllerServiceAccountName},
Rules: []rbac.PolicyRule{
rbac.NewRule("update").Groups(kapiGroup).Resources("resourcequotas/status").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("resourcequotas").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("services").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("configmaps").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("secrets").RuleOrDie(),
rbac.NewRule("list").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
eventsRule(),
},
})

}

// ControllerRoles returns the cluster roles used by controllers
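Review bot: The resource names `networkPolicies` (the extensionsGroup rule of the sdn-controller role) and `configMaps` (first rule of the cluster-quota-reconciliation role) are mixed-case, while the resourcequota-controller role in the same hunk spells it `configmaps`. Kubernetes RBAC matches rule resources against the request resource by exact string comparison and the canonical resource names are lowercase, so unless the bootstrap policy lowercases rules before they reach the authorizer these two rules grant nothing, and the affected controller would fail in the same silent, log-only way the missing hostsubnets watch did. Change them to `Resources("networkpolicies")` and `Resources("configmaps")`, and consider a small test in this package asserting that every controller role's resource names are lowercase so the next refactor cannot reintroduce it. The enclosing init() starts before the hunk.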