| ... | ... |
@@ -44,6 +44,9 @@ const ( |
| 44 | 44 |
InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller" |
| 45 | 45 |
PersistentVolumeBinderControllerRoleName = "system:pv-binder-controller" |
| 46 | 46 |
|
| 47 |
+ InfraPersistentVolumeAttachDetachControllerServiceAccountName = "pv-attach-detach-controller" |
|
| 48 |
+ PersistentVolumeAttachDetachControllerRoleName = "system:pv-attach-detach-controller" |
|
| 49 |
+ |
|
| 47 | 50 |
InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller" |
| 48 | 51 |
PersistentVolumeRecyclerControllerRoleName = "system:pv-recycler-controller" |
| 49 | 52 |
|
| ... | ... |
@@ -465,6 +468,55 @@ func init() {
|
| 465 | 465 |
} |
| 466 | 466 |
|
| 467 | 467 |
err = InfraSAs.addServiceAccount( |
| 468 |
+ InfraPersistentVolumeAttachDetachControllerServiceAccountName, |
|
| 469 |
+ authorizationapi.ClusterRole{
|
|
| 470 |
+ ObjectMeta: kapi.ObjectMeta{
|
|
| 471 |
+ Name: PersistentVolumeAttachDetachControllerRoleName, |
|
| 472 |
+ }, |
|
| 473 |
+ Rules: []authorizationapi.PolicyRule{
|
|
| 474 |
+ // shared informer on PVs |
|
| 475 |
+ {
|
|
| 476 |
+ Verbs: sets.NewString("list", "watch"),
|
|
| 477 |
+ Resources: sets.NewString("persistentvolumes"),
|
|
| 478 |
+ }, |
|
| 479 |
+ // shared informer on PVCs |
|
| 480 |
+ {
|
|
| 481 |
+ Verbs: sets.NewString("list", "watch"),
|
|
| 482 |
+ Resources: sets.NewString("persistentvolumeclaims"),
|
|
| 483 |
+ }, |
|
| 484 |
+ // shared informer on nodes |
|
| 485 |
+ {
|
|
| 486 |
+ Verbs: sets.NewString("list", "watch"),
|
|
| 487 |
+ Resources: sets.NewString("nodes"),
|
|
| 488 |
+ }, |
|
| 489 |
+ // operationexecutor uses get with nodes |
|
| 490 |
+ {
|
|
| 491 |
+ Verbs: sets.NewString("get"),
|
|
| 492 |
+ Resources: sets.NewString("nodes"),
|
|
| 493 |
+ }, |
|
| 494 |
+ // strategic patch on nodes/status |
|
| 495 |
+ {
|
|
| 496 |
+ Verbs: sets.NewString("patch", "update"),
|
|
| 497 |
+ Resources: sets.NewString("nodes/status"),
|
|
| 498 |
+ }, |
|
| 499 |
+ // shared informer on pods |
|
| 500 |
+ {
|
|
| 501 |
+ Verbs: sets.NewString("list", "watch"),
|
|
| 502 |
+ Resources: sets.NewString("pods"),
|
|
| 503 |
+ }, |
|
| 504 |
+ // normal event usage |
|
| 505 |
+ {
|
|
| 506 |
+ Verbs: sets.NewString("create", "update", "patch"),
|
|
| 507 |
+ Resources: sets.NewString("events"),
|
|
| 508 |
+ }, |
|
| 509 |
+ }, |
|
| 510 |
+ }, |
|
| 511 |
+ ) |
|
| 512 |
+ if err != nil {
|
|
| 513 |
+ panic(err) |
|
| 514 |
+ } |
|
| 515 |
+ |
|
| 516 |
+ err = InfraSAs.addServiceAccount( |
|
| 468 | 517 |
InfraPersistentVolumeBinderControllerServiceAccountName, |
| 469 | 518 |
authorizationapi.ClusterRole{
|
| 470 | 519 |
ObjectMeta: kapi.ObjectMeta{
|
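Review bot: The `nodes/status` rule in the new `system:pv-attach-detach-controller` role grants `update` as well as `patch`, but its comment only justifies a strategic patch. Either extend the comment to name the code path that needs a full status update, or narrow the rule to `Verbs: sets.NewString("patch"),`. The role is cluster-scoped, so write access to every node's status is the most sensitive grant in this block and should be as narrow as the controller allows. The two separate `nodes` rules (list/watch and get) could also be folded into one rule with a combined comment. `init()` starts and ends outside the hunk, so only the added call is reviewed here.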
| ... | ... |
@@ -171,7 +171,10 @@ func (c *MasterConfig) RunPersistentVolumeController(client *client.Client, name |
| 171 | 171 |
s.VolumeConfiguration.EnableDynamicProvisioning, |
| 172 | 172 |
) |
| 173 | 173 |
volumeController.Run() |
| 174 |
+} |
|
| 174 | 175 |
|
| 176 |
+func (c *MasterConfig) RunPersistentVolumeAttachDetachController(client *client.Client) {
|
|
| 177 |
+ s := c.ControllerManager |
|
| 175 | 178 |
attachDetachController, err := |
| 176 | 179 |
attachdetachcontroller.NewAttachDetachController( |
| 177 | 180 |
clientadapter.FromUnversionedClient(client), |
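Review bot: The new exported method `RunPersistentVolumeAttachDetachController` has no doc comment, and nothing records that its `client` is meant to carry the dedicated attach/detach service account's identity rather than the binder's. I would add `// RunPersistentVolumeAttachDetachController starts the attach/detach controller; client should be authenticated as the pv-attach-detach-controller infra service account.` above the signature. The method body continues outside the hunk, so how `err` from `NewAttachDetachController` is handled cannot be checked from here.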
| ... | ... |
@@ -583,6 +583,11 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro |
| 583 | 583 |
glog.Fatalf("Could not get client for persistent volume binder controller: %v", err)
|
| 584 | 584 |
} |
| 585 | 585 |
|
| 586 |
+ _, _, attachDetachControllerClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraPersistentVolumeAttachDetachControllerServiceAccountName) |
|
| 587 |
+ if err != nil {
|
|
| 588 |
+ glog.Fatalf("Could not get client for attach detach controller: %v", err)
|
|
| 589 |
+ } |
|
| 590 |
+ |
|
| 586 | 591 |
_, _, daemonSetClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraDaemonSetControllerServiceAccountName) |
| 587 | 592 |
if err != nil {
|
| 588 | 593 |
glog.Fatalf("Could not get client for daemonset controller: %v", err)
|
| ... | ... |
@@ -641,6 +646,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro |
| 641 | 641 |
kc.RunEndpointController(endpointControllerClient) |
| 642 | 642 |
kc.RunNamespaceController(namespaceControllerClientSet, namespaceControllerClientPool) |
| 643 | 643 |
kc.RunPersistentVolumeController(binderClient, oc.Options.PolicyConfig.OpenShiftInfrastructureNamespace, oc.ImageFor("recycler"), bootstrappolicy.InfraPersistentVolumeRecyclerControllerServiceAccountName)
|
| 644 |
+ kc.RunPersistentVolumeAttachDetachController(attachDetachControllerClient) |
|
| 644 | 645 |
kc.RunGCController(gcClient) |
| 645 | 646 |
|
| 646 | 647 |
kc.RunServiceLoadBalancerController(serviceLoadBalancerClient) |
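Review bot: In the `@@ -583` hunk the new failure message says "attach detach controller", while the neighbouring message and the service account name both identify the persistent volume component. An operator searching the logs for the `pv-attach-detach-controller` account will not find this line easily. I would word it like the binder message above it: `glog.Fatalf("Could not get client for persistent volume attach detach controller: %v", err)`. `startControllers` begins and ends outside both hunks.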
| ... | ... |
@@ -2746,6 +2746,68 @@ items: |
| 2746 | 2746 |
kind: ClusterRole |
| 2747 | 2747 |
metadata: |
| 2748 | 2748 |
creationTimestamp: null |
| 2749 |
+ name: system:pv-attach-detach-controller |
|
| 2750 |
+ rules: |
|
| 2751 |
+ - apiGroups: |
|
| 2752 |
+ - "" |
|
| 2753 |
+ attributeRestrictions: null |
|
| 2754 |
+ resources: |
|
| 2755 |
+ - persistentvolumes |
|
| 2756 |
+ verbs: |
|
| 2757 |
+ - list |
|
| 2758 |
+ - watch |
|
| 2759 |
+ - apiGroups: |
|
| 2760 |
+ - "" |
|
| 2761 |
+ attributeRestrictions: null |
|
| 2762 |
+ resources: |
|
| 2763 |
+ - persistentvolumeclaims |
|
| 2764 |
+ verbs: |
|
| 2765 |
+ - list |
|
| 2766 |
+ - watch |
|
| 2767 |
+ - apiGroups: |
|
| 2768 |
+ - "" |
|
| 2769 |
+ attributeRestrictions: null |
|
| 2770 |
+ resources: |
|
| 2771 |
+ - nodes |
|
| 2772 |
+ verbs: |
|
| 2773 |
+ - list |
|
| 2774 |
+ - watch |
|
| 2775 |
+ - apiGroups: |
|
| 2776 |
+ - "" |
|
| 2777 |
+ attributeRestrictions: null |
|
| 2778 |
+ resources: |
|
| 2779 |
+ - nodes |
|
| 2780 |
+ verbs: |
|
| 2781 |
+ - get |
|
| 2782 |
+ - apiGroups: |
|
| 2783 |
+ - "" |
|
| 2784 |
+ attributeRestrictions: null |
|
| 2785 |
+ resources: |
|
| 2786 |
+ - nodes/status |
|
| 2787 |
+ verbs: |
|
| 2788 |
+ - patch |
|
| 2789 |
+ - update |
|
| 2790 |
+ - apiGroups: |
|
| 2791 |
+ - "" |
|
| 2792 |
+ attributeRestrictions: null |
|
| 2793 |
+ resources: |
|
| 2794 |
+ - pods |
|
| 2795 |
+ verbs: |
|
| 2796 |
+ - list |
|
| 2797 |
+ - watch |
|
| 2798 |
+ - apiGroups: |
|
| 2799 |
+ - "" |
|
| 2800 |
+ attributeRestrictions: null |
|
| 2801 |
+ resources: |
|
| 2802 |
+ - events |
|
| 2803 |
+ verbs: |
|
| 2804 |
+ - create |
|
| 2805 |
+ - patch |
|
| 2806 |
+ - update |
|
| 2807 |
+- apiVersion: v1 |
|
| 2808 |
+ kind: ClusterRole |
|
| 2809 |
+ metadata: |
|
| 2810 |
+ creationTimestamp: null |
|
| 2749 | 2811 |
name: system:pv-binder-controller |
| 2750 | 2812 |
rules: |
| 2751 | 2813 |
- apiGroups: |