@@ -29,6 +29,8 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"

 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

 	kmaster "github.com/GoogleCloudPlatform/kubernetes/pkg/master"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/registry/service/allocator"

+	etcdallocator "github.com/GoogleCloudPlatform/kubernetes/pkg/registry/service/allocator/etcd"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/serviceaccount"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

@@ -85,6 +87,10 @@ import (

 	routeregistry "github.com/openshift/origin/pkg/route/registry/route"

 	clusternetworketcd "github.com/openshift/origin/pkg/sdn/registry/clusternetwork/etcd"

 	hostsubnetetcd "github.com/openshift/origin/pkg/sdn/registry/hostsubnet/etcd"

+	securitycontroller "github.com/openshift/origin/pkg/security/controller"

+	"github.com/openshift/origin/pkg/security/mcs"

+	"github.com/openshift/origin/pkg/security/uid"

+	"github.com/openshift/origin/pkg/security/uidallocator"

 	"github.com/openshift/origin/pkg/service"

 	templateregistry "github.com/openshift/origin/pkg/template/registry"

 	templateetcd "github.com/openshift/origin/pkg/template/registry/etcd"

@@ -992,6 +998,40 @@ func (c *MasterConfig) RunImageImportController() {

 	controller.Run()

 }

+func (c *MasterConfig) RunSecurityAllocationController() {

+	uidRange, err := uid.ParseRange("1000000000-1999999999/10000") // provide 100k uid blocks

+	if err != nil {

+		glog.Fatalf("Unable to describe UID range: %v", err)

+	}

+	var etcdAlloc *etcdallocator.Etcd

+	uidAllocator := uidallocator.New(uidRange, func(max int, rangeSpec string) allocator.Interface {

+		mem := allocator.NewContiguousAllocationMap(max, rangeSpec)

+		etcdAlloc = etcdallocator.NewEtcd(mem, "/ranges/uids", "uidallocation", c.EtcdHelper)

+		return etcdAlloc

+	})

+	mcsRange, err := mcs.ParseRange("/2") // use two labels

+	if err != nil {

+		glog.Fatalf("Unable to describe MCS category range: %v", err)

+	}

+

+	kclient := c.PrivilegedLoopbackKubernetesClient

+

+	repair := securitycontroller.NewRepair(time.Minute, kclient.Namespaces(), uidRange, etcdAlloc)

+	if err := repair.RunOnce(); err != nil {

+		// TODO: v scary, may need to use direct etcd calls?

+		glog.Fatalf("Unable to initialize namespaces: %v", err)

+	}

+

+	factory := securitycontroller.AllocationFactory{

+		UIDAllocator: uidAllocator,

+		MCSAllocator: securitycontroller.DefaultMCSAllocation(uidRange, mcsRange, 5), // provide 5 labels per namespace

+		Client:       kclient.Namespaces(),

+		// TODO: reuse namespace cache

+	}

+	controller := factory.Create()

+	controller.Run()

+}

+

 // ensureCORSAllowedOrigins takes a string list of origins and attempts to covert them to CORS origin

 // regexes, or exits if it cannot.

 func (c *MasterConfig) ensureCORSAllowedOrigins() []*regexp.Regexp {

@@ -399,6 +399,7 @@ func StartMaster(openshiftMasterConfig *configapi.MasterConfig) error {

 	openshiftConfig.RunImageImportController()

 	openshiftConfig.RunOriginNamespaceController()

 	openshiftConfig.RunProjectAuthorizationCache()

+	openshiftConfig.RunSecurityAllocationController()

 	openshiftConfig.RunServiceAccountsController()

 	openshiftConfig.RunServiceAccountTokensController()

 	openshiftConfig.RunServiceAccountPullSecretsControllers()

new file mode 100644

@@ -0,0 +1,148 @@

+package controller

+

+import (

+	"fmt"

+

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

+	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+

+	"github.com/openshift/origin/pkg/security/mcs"

+	"github.com/openshift/origin/pkg/security/uid"

+	"github.com/openshift/origin/pkg/security/uidallocator"

+)

+

+const (

+	uidRangeAnnotation = "openshift.io/sa.scc.uid-range"

+	mcsAnnotation      = "openshift.io/sa.scc.mcs"

+)

+

+type MCSAllocationFunc func(uid.Block) *mcs.Label

+

+// DefaultMCSAllocation returns a label from the MCS range that matches the offset

+// within the overall range. blockSize must be a positive integer representing the

+// number of labels to jump past in the category space (if 1, range == label, if 2

+// each range will have two labels).

+func DefaultMCSAllocation(from *uid.Range, to *mcs.Range, blockSize int) MCSAllocationFunc {

+	return func(block uid.Block) *mcs.Label {

+		ok, offset := from.Offset(block)

+		if !ok {

+			return nil

+		}

+		if blockSize > 0 {

+			offset = offset * uint32(blockSize)

+		}

+		label, _ := to.LabelAt(uint64(offset))

+		return label

+	}

+}

+

+type Allocation struct {

+	uid    uidallocator.Interface

+	mcs    MCSAllocationFunc

+	client kclient.NamespaceInterface

+}

+

+// retryCount is the number of times to retry on a conflict when updating a namespace

+const retryCount = 2

+

+// Next processes a changed namespace and tries to allocate a uid range for it.  If it is

+// successful, an mcs label corresponding to the relative position of the range is also

+// set.

+func (c *Allocation) Next(ns *kapi.Namespace) error {

+	tx := &tx{}

+	defer tx.Rollback()

+

+	if _, ok := ns.Annotations[uidRangeAnnotation]; ok {

+		return nil

+	}

+

+	if ns.Annotations == nil {

+		ns.Annotations = make(map[string]string)

+	}

+

+	// do uid allocation

+	block, err := c.uid.AllocateNext()

+	if err != nil {

+		return err

+	}

+	tx.Add(func() error { return c.uid.Release(block) })

+	ns.Annotations[uidRangeAnnotation] = block.String()

+	if _, ok := ns.Annotations[mcsAnnotation]; !ok {

+		if label := c.mcs(block); label != nil {

+			ns.Annotations[mcsAnnotation] = label.String()

+		}

+	}

+

+	// TODO: could use a client.GuaranteedUpdate/Merge function

+	for i := 0; i < retryCount; i++ {

+		_, err := c.client.Update(ns)

+		if err == nil {

+			// commit and exit

+			tx.Commit()

+			return nil

+		}

+

+		if errors.IsNotFound(err) {

+			return nil

+		}

+		if !errors.IsConflict(err) {

+			return err

+		}

+		newNs, err := c.client.Get(ns.Name)

+		if errors.IsNotFound(err) {

+			return nil

+		}

+		if err != nil {

+			return err

+		}

+		if changedAndSetAnnotations(ns, newNs) {

+			return nil

+		}

+

+		// try again

+		if newNs.Annotations == nil {

+			newNs.Annotations = make(map[string]string)

+		}

+		newNs.Annotations[uidRangeAnnotation] = ns.Annotations[uidRangeAnnotation]

+		newNs.Annotations[mcsAnnotation] = ns.Annotations[mcsAnnotation]

+		ns = newNs

+	}

+

+	return fmt.Errorf("unable to allocate security info on %q after %d retries", ns.Name, retryCount)

+}

+

+func changedAndSetAnnotations(old, ns *kapi.Namespace) bool {

+	if value, ok := ns.Annotations[uidRangeAnnotation]; ok && value != old.Annotations[uidRangeAnnotation] {

+		return true

+	}

+	if value, ok := ns.Annotations[mcsAnnotation]; ok && value != old.Annotations[mcsAnnotation] {

+		return true

+	}

+	return false

+}

+

+type tx struct {

+	rollback []func() error

+}

+

+func (tx *tx) Add(fn func() error) {

+	tx.rollback = append(tx.rollback, fn)

+}

+

+func (tx *tx) HasChanges() bool {

+	return len(tx.rollback) > 0

+}

+

+func (tx *tx) Rollback() {

+	for _, fn := range tx.rollback {

+		if err := fn(); err != nil {

+			util.HandleError(fmt.Errorf("unable to undo tx: %v", err))

+		}

+	}

+}

+

+func (tx *tx) Commit() {

+	tx.rollback = nil

+}

new file mode 100644

@@ -0,0 +1,111 @@

+package controller

+

+import (

+	"fmt"

+	"strings"

+	"testing"

+

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+

+	"github.com/openshift/origin/pkg/security/mcs"

+	"github.com/openshift/origin/pkg/security/uid"

+	"github.com/openshift/origin/pkg/security/uidallocator"

+)

+

+func TestController(t *testing.T) {

+	var action testclient.FakeAction

+	client := &testclient.Fake{

+		ReactFn: func(a testclient.FakeAction) (runtime.Object, error) {

+			action = a

+			return (*kapi.Namespace)(nil), nil

+		},

+	}

+	uidr, _ := uid.NewRange(10, 20, 2)

+	mcsr, _ := mcs.NewRange("s0:", 10, 2)

+	uida := uidallocator.NewInMemory(uidr)

+	c := Allocation{

+		uid:    uida,

+		mcs:    DefaultMCSAllocation(uidr, mcsr, 5),

+		client: client.Namespaces(),

+	}

+

+	err := c.Next(&kapi.Namespace{ObjectMeta: kapi.ObjectMeta{Name: "test"}})

+	if err != nil {

+		t.Fatal(err)

+	}

+

+	got := action.Value.(*kapi.Namespace)

+	if got.Annotations[uidRangeAnnotation] != "10/2" {

+		t.Errorf("unexpected annotation: %#v", got)

+	}

+	if got.Annotations[mcsAnnotation] != "s0:c1,c0" {

+		t.Errorf("unexpected annotation: %#v", got)

+	}

+	if !uida.Has(uid.Block{Start: 10, End: 11}) {

+		t.Errorf("did not allocate uid: %#v", uida)

+	}

+}

+

+func TestControllerError(t *testing.T) {

+	testCases := map[string]struct {

+		err     func() error

+		errFn   func(err error) bool

+		reactFn testclient.ReactionFunc

+		actions int

+	}{

+		"not found": {

+			err:     func() error { return errors.NewNotFound("namespace", "test") },

+			errFn:   func(err error) bool { return err == nil },

+			actions: 1,

+		},

+		"unknown": {

+			err:     func() error { return fmt.Errorf("unknown") },

+			errFn:   func(err error) bool { return err.Error() == "unknown" },

+			actions: 1,

+		},

+		"conflict": {

+			actions: 4,

+			reactFn: func(a testclient.FakeAction) (runtime.Object, error) {

+				if a.Action == "get-namespace" {

+					return &kapi.Namespace{ObjectMeta: kapi.ObjectMeta{Name: "test"}}, nil

+				}

+				return (*kapi.Namespace)(nil), errors.NewConflict("namespace", "test", fmt.Errorf("test conflict"))

+			},

+			errFn: func(err error) bool {

+				return err != nil && strings.Contains(err.Error(), "unable to allocate security info")

+			},

+		},

+	}

+

+	for s, testCase := range testCases {

+		client := &testclient.Fake{ReactFn: testCase.reactFn}

+		if client.ReactFn == nil {

+			client.ReactFn = func(a testclient.FakeAction) (runtime.Object, error) {

+				return (*kapi.Namespace)(nil), testCase.err()

+			}

+		}

+		uidr, _ := uid.NewRange(10, 19, 2)

+		mcsr, _ := mcs.NewRange("s0:", 10, 2)

+		uida := uidallocator.NewInMemory(uidr)

+		c := Allocation{

+			uid:    uida,

+			mcs:    DefaultMCSAllocation(uidr, mcsr, 5),

+			client: client.Namespaces(),

+		}

+

+		err := c.Next(&kapi.Namespace{ObjectMeta: kapi.ObjectMeta{Name: "test"}})

+		if !testCase.errFn(err) {

+			t.Errorf("%s: unexpected error: %v", s, err)

+		}

+

+		if len(client.Actions) != testCase.actions {

+			t.Errorf("%s: expected %d actions: %v", s, testCase.actions, client.Actions)

+		}

+		if uida.Free() != 5 {

+			t.Errorf("%s: should not have allocated uid: %d/%d", s, uida.Free(), uidr.Size())

+		}

+	}

+}

new file mode 100644

@@ -0,0 +1,68 @@

+package controller

+

+import (

+	"time"

+

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/fields"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+	kutil "github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"

+

+	"github.com/openshift/origin/pkg/controller"

+	"github.com/openshift/origin/pkg/security/uidallocator"

+)

+

+// AllocationFactory can create an Allocation controller.

+type AllocationFactory struct {

+	UIDAllocator uidallocator.Interface

+	MCSAllocator MCSAllocationFunc

+	Client       kclient.NamespaceInterface

+	// Queue may be a FIFO queue of namespaces. If nil, will be initialized using

+	// the client.

+	Queue controller.ReQueue

+}

+

+// Create creates a Allocation.

+func (f *AllocationFactory) Create() controller.RunnableController {

+	if f.Queue == nil {

+		lw := &cache.ListWatch{

+			ListFunc: func() (runtime.Object, error) {

+				return f.Client.List(labels.Everything(), fields.Everything())

+			},

+			WatchFunc: func(resourceVersion string) (watch.Interface, error) {

+				return f.Client.Watch(labels.Everything(), fields.Everything(), resourceVersion)

+			},

+		}

+		q := cache.NewFIFO(cache.MetaNamespaceKeyFunc)

+		cache.NewReflector(lw, &kapi.Namespace{}, q, 10*time.Minute).Run()

+		f.Queue = q

+	}

+

+	c := &Allocation{

+		uid:    f.UIDAllocator,

+		mcs:    f.MCSAllocator,

+		client: f.Client,

+	}

+

+	return &controller.RetryController{

+		Queue: f.Queue,

+		RetryManager: controller.NewQueueRetryManager(

+			f.Queue,

+			cache.MetaNamespaceKeyFunc,

+			func(obj interface{}, err error, retries controller.Retry) bool {

+				util.HandleError(err)

+				return retries.Count < 5

+			},

+			kutil.NewTokenBucketRateLimiter(1, 10),

+		),

+		Handle: func(obj interface{}) error {

+			r := obj.(*kapi.Namespace)

+			return c.Next(r)

+		},

+	}

+}

new file mode 100644

@@ -0,0 +1,100 @@

+package controller

+

+import (

+	"fmt"

+	"time"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/fields"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/registry/service"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+

+	"github.com/openshift/origin/pkg/security/uid"

+	"github.com/openshift/origin/pkg/security/uidallocator"

+)

+

+// Repair is a controller loop that periodically examines all UID allocations

+// and logs any errors, and then sets the compacted and accurate list of both

+//

+// Can be run at infrequent intervals, and is best performed on startup of the master.

+// Is level driven and idempotent - all claimed UIDs will be updated into the allocator

+// map at the end of a single execution loop if no race is encountered.

+//

+type Repair struct {

+	interval time.Duration

+	client   client.NamespaceInterface

+	alloc    service.RangeRegistry

+	uidRange *uid.Range

+}

+

+// NewRepair creates a controller that periodically ensures that all UIDs labels that are allocated in the cluster

+// are claimed.

+func NewRepair(interval time.Duration, client client.NamespaceInterface, uidRange *uid.Range, alloc service.RangeRegistry) *Repair {

+	return &Repair{

+		interval: interval,

+		client:   client,

+		uidRange: uidRange,

+		alloc:    alloc,

+	}

+}

+

+// RunUntil starts the controller until the provided ch is closed.

+func (c *Repair) RunUntil(ch chan struct{}) {

+	util.Until(func() {

+		if err := c.RunOnce(); err != nil {

+			util.HandleError(err)

+		}

+	}, c.interval, ch)

+}

+

+// RunOnce verifies the state of allocations and returns an error if an unrecoverable problem occurs.

+func (c *Repair) RunOnce() error {

+	// TODO: (per smarterclayton) if Get() or List() is a weak consistency read,

+	// or if they are executed against different leaders,

+	// the ordering guarantee required to ensure no item is allocated twice is violated.

+	// List must return a ResourceVersion higher than the etcd index Get,

+	// and the release code must not release items that have allocated but not yet been created

+	// See #8295

+

+	latest, err := c.alloc.Get()

+	if err != nil {

+		return fmt.Errorf("unable to refresh the security allocation UID blocks: %v", err)

+	}

+

+	list, err := c.client.List(labels.Everything(), fields.Everything())

+	if err != nil {

+		return fmt.Errorf("unable to refresh the security allocation UID blocks: %v", err)

+	}

+

+	uids := uidallocator.NewInMemory(c.uidRange)

+

+	for _, ns := range list.Items {

+		value, ok := ns.Annotations[uidRangeAnnotation]

+		if !ok {

+			continue

+		}

+		block, err := uid.ParseBlock(value)

+		if err != nil {

+			continue

+		}

+		switch err := uids.Allocate(block); err {

+		case nil:

+		case uidallocator.ErrFull:

+			// TODO: send event

+			return fmt.Errorf("the UID range %s is full; you must widen the range in order to allocate more UIDs", c.uidRange)

+		default:

+			return fmt.Errorf("unable to allocate UID block %s for namespace %s due to an unknown error, exiting: %v", block, ns.Name, err)

+		}

+	}

+

+	err = uids.Snapshot(latest)

+	if err != nil {

+		return fmt.Errorf("unable to persist the updated namespace UID allocations: %v", err)

+	}

+

+	if err := c.alloc.CreateOrUpdate(latest); err != nil {

+		return fmt.Errorf("unable to persist the updated namespace UID allocations: %v", err)

+	}

+	return nil

+}

new file mode 100644

@@ -0,0 +1,63 @@

+package controller

+

+import (

+	"testing"

+	"time"

+

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+

+	"github.com/openshift/origin/pkg/security/uid"

+)

+

+type fakeRange struct {

+	Err       error

+	Range     *kapi.RangeAllocation

+	Updated   *kapi.RangeAllocation

+	UpdateErr error

+}

+

+func (r *fakeRange) Get() (*kapi.RangeAllocation, error) {

+	return r.Range, r.Err

+}

+

+func (r *fakeRange) CreateOrUpdate(update *kapi.RangeAllocation) error {

+	r.Updated = update

+	return r.UpdateErr

+}

+

+func TestRepair(t *testing.T) {

+	var action testclient.FakeAction

+	client := &testclient.Fake{

+		ReactFn: func(a testclient.FakeAction) (runtime.Object, error) {

+			action = a

+			list := &kapi.NamespaceList{

+				Items: []kapi.Namespace{

+					{ObjectMeta: kapi.ObjectMeta{Name: "default"}},

+				},

+			}

+			return list, nil

+		},

+	}

+	alloc := &fakeRange{

+		Range: &kapi.RangeAllocation{},

+	}

+

+	uidr, _ := uid.NewRange(10, 20, 2)

+	repair := NewRepair(0*time.Second, client.Namespaces(), uidr, alloc)

+

+	err := repair.RunOnce()

+	if err != nil {

+		t.Fatal(err)

+	}

+	if alloc.Updated == nil {

+		t.Fatalf("did not store range: %#v", alloc)

+	}

+	if alloc.Updated.Range != "10-20/2" {

+		t.Errorf("didn't store range properly: %#v", alloc.Updated)

+	}

+	if len(alloc.Updated.Data) != 0 {

+		t.Errorf("data wasn't empty: %#v", alloc.Updated)

+	}

+}

@@ -41,6 +41,11 @@ func New(r *mcs.Range, factory allocator.AllocatorFactory) *Allocator {

 	}

 }

+// NewInMemory creates an in-memory Allocator

+func NewInMemory(r *mcs.Range) *Allocator {

+	return New(r, allocator.NewContiguousAllocationInterface)

+}

+

 // Free returns the count of port left in the range.

 func (r *Allocator) Free() int {

 	return r.alloc.Free()

@@ -2,6 +2,7 @@ package uid

 import (

 	"fmt"

+	"strings"

 )

 type Block struct {

@@ -9,7 +10,35 @@ type Block struct {

 	End   uint32

 }

+func ParseBlock(in string) (Block, error) {

+	if strings.Contains(in, "/") {

+		var start, size uint32

+		n, err := fmt.Sscanf(in, "%d/%d", &start, &size)

+		if err != nil {

+			return Block{}, err

+		}

+		if n != 2 {

+			return Block{}, fmt.Errorf("block not in the format \"<start>/<size>\"")

+		}

+		return Block{Start: start, End: start + size - 1}, nil

+	}

+

+	var start, end uint32

+	n, err := fmt.Sscanf(in, "%d-%d", &start, &end)

+	if err != nil {

+		return Block{}, err

+	}

+	if n != 2 {

+		return Block{}, fmt.Errorf("block not in the format \"<start>-<end>\"")

+	}

+	return Block{Start: start, End: end}, nil

+}

+

 func (b Block) String() string {

+	return fmt.Sprintf("%d/%d", b.Start, b.Size())

+}

+

+func (b Block) RangeString() string {

 	return fmt.Sprintf("%d-%d", b.Start, b.End)

 }

@@ -55,7 +84,7 @@ func (r *Range) Size() uint32 {

 }

 func (r *Range) String() string {

-	return fmt.Sprintf("%s/%d", r.block, r.size)

+	return fmt.Sprintf("%s/%d", r.block.RangeString(), r.size)

 }

 func (r *Range) BlockAt(offset uint32) (Block, bool) {

@@ -72,6 +72,20 @@ func TestParseRange(t *testing.T) {

 	}

 }

+func TestBlock(t *testing.T) {

+	b := Block{Start: 100, End: 109}

+	if b.String() != "100/10" {

+		t.Errorf("unexpected block string: %s", b.String())

+	}

+	b, err := ParseBlock("100-109")

+	if err != nil {

+		t.Fatal(err)

+	}

+	if b.String() != "100/10" {

+		t.Errorf("unexpected block string: %s", b.String())

+	}

+}

+

 func TestOffset(t *testing.T) {

 	testCases := map[string]struct {

 		r         Range

@@ -41,6 +41,11 @@ func New(r *uid.Range, factory allocator.AllocatorFactory) *Allocator {

 	}

 }

+// NewInMemory creates an in-memory Allocator

+func NewInMemory(r *uid.Range) *Allocator {

+	return New(r, allocator.NewContiguousAllocationInterface)

+}

+

 // Free returns the count of port left in the range.

 func (r *Allocator) Free() int {

 	return r.alloc.Free()