| ... | ... |
@@ -90,3 +90,4 @@ references: |
| 90 | 90 |
|
| 91 | 91 |
1. The existing docker registry images will not be able to support auto-provisioning of image streams based on docker pushes against new API servers. |
| 92 | 92 |
Upgrade your docker registry image to make auto-provisioning work again. |
| 93 |
+1. New service accounts specific to the PersistentVolume operations of binding, recycling, and provisioning were added. Run `oadm policy reconcile-sccs --confirm` to update your SecurityContextConstraints. |
| ... | ... |
@@ -251,10 +251,10 @@ func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[strin |
| 251 | 251 |
} |
| 252 | 252 |
|
| 253 | 253 |
buildControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraBuildControllerServiceAccountName) |
| 254 |
- pvControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraPersistentVolumeBinderControllerServiceAccountName) |
|
| 254 |
+ pvRecyclerControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraPersistentVolumeRecyclerControllerServiceAccountName) |
|
| 255 | 255 |
users := map[string][]string{
|
| 256 | 256 |
SecurityContextConstraintPrivileged: {buildControllerUsername},
|
| 257 |
- SecurityContextConstraintHostMountAndAnyUID: {pvControllerUsername},
|
|
| 257 |
+ SecurityContextConstraintHostMountAndAnyUID: {pvRecyclerControllerUsername},
|
|
| 258 | 258 |
} |
| 259 | 259 |
return groups, users |
| 260 | 260 |
} |
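Review bot: Replacing the binder account with the recycler account under `SecurityContextConstraintHostMountAndAnyUID` changes only the bootstrap mapping; on an upgraded cluster the stored SCC will probably still list the old binder service account. The `oadm policy reconcile-sccs --confirm` step in the release note appears to be additive by default, so it would add the recycler user without removing the binder. If that holds, the release note should also tell admins to remove the stale user, or to reconcile with `--additive-only=false` after checking what else that resets. A why-comment above the map would help too, e.g. `// only the recycler creates scrub pods, so only it is granted hostmount-anyuid` (inferred from the recycler hunk, so confirm before adding). The same mapping is repeated in getExpectedAccess, which only proves the two copies agree, and GetBoostrapSCCAccess starts outside this hunk.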
| ... | ... |
@@ -69,10 +69,10 @@ func getExpectedAccess() (map[string][]string, map[string][]string) {
|
| 69 | 69 |
} |
| 70 | 70 |
|
| 71 | 71 |
buildControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraBuildControllerServiceAccountName) |
| 72 |
- pvControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraPersistentVolumeBinderControllerServiceAccountName) |
|
| 72 |
+ pvRecyclerControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraPersistentVolumeRecyclerControllerServiceAccountName) |
|
| 73 | 73 |
users := map[string][]string{
|
| 74 | 74 |
SecurityContextConstraintPrivileged: {buildControllerUsername},
|
| 75 |
- SecurityContextConstraintHostMountAndAnyUID: {pvControllerUsername},
|
|
| 75 |
+ SecurityContextConstraintHostMountAndAnyUID: {pvRecyclerControllerUsername},
|
|
| 76 | 76 |
} |
| 77 | 77 |
return groups, users |
| 78 | 78 |
} |
| ... | ... |
@@ -116,9 +116,10 @@ func (c *MasterConfig) RunPersistentVolumeProvisioner(client *client.Client) {
|
| 116 | 116 |
} |
| 117 | 117 |
} |
| 118 | 118 |
|
| 119 |
-func (c *MasterConfig) RunPersistentVolumeClaimRecycler(recyclerImageName string, client *client.Client) {
|
|
| 119 |
+func (c *MasterConfig) RunPersistentVolumeClaimRecycler(recyclerImageName string, client *client.Client, namespace string) {
|
|
| 120 | 120 |
uid := int64(0) |
| 121 | 121 |
defaultScrubPod := volume.NewPersistentVolumeRecyclerPodTemplate() |
| 122 |
+ defaultScrubPod.Namespace = namespace |
|
| 122 | 123 |
defaultScrubPod.Spec.Containers[0].Image = recyclerImageName |
| 123 | 124 |
defaultScrubPod.Spec.Containers[0].Command = []string{"/usr/bin/recycle"}
|
| 124 | 125 |
defaultScrubPod.Spec.Containers[0].Args = []string{"/scrub"}
|
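Review bot: `defaultScrubPod.Namespace = namespace` uses the new parameter unchecked, so an empty string leaves the template without a namespace, and the scrub pod (the hunk sets `uid := int64(0)` for it) would presumably be created in whatever namespace the volume plugin defaults to, not the one whose service account holds the SCC grant. A guard at the top such as `if len(namespace) == 0 { glog.Fatalf("recycler pod namespace must be set") }` would fail fast, assuming glog is imported in this file. The exported method also has no doc comment; something like `// RunPersistentVolumeClaimRecycler starts the recycler controller; scrub pods are created in namespace, which must be the namespace of the service account behind client.` would record the coupling. The caller in startControllers passes `oc.Options.PolicyConfig.OpenShiftInfrastructureNamespace`, which should be the same value used to build `recyclerClient`; that construction is not visible here. The function body continues past the end of this hunk.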
| ... | ... |
@@ -565,7 +565,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro |
| 565 | 565 |
kc.RunNamespaceController() |
| 566 | 566 |
kc.RunPersistentVolumeClaimBinder(binderClient) |
| 567 | 567 |
kc.RunPersistentVolumeProvisioner(provisionerClient) |
| 568 |
- kc.RunPersistentVolumeClaimRecycler(oc.ImageFor("recycler"), recyclerClient)
|
|
| 568 |
+ kc.RunPersistentVolumeClaimRecycler(oc.ImageFor("recycler"), recyclerClient, oc.Options.PolicyConfig.OpenShiftInfrastructureNamespace)
|
|
| 569 | 569 |
|
| 570 | 570 |
glog.Infof("Started Kubernetes Controllers")
|
| 571 | 571 |
} |