* Modify VAC to block taint updates only on master nodes
Change-Id: I43d85d940761002ea79b6a145104c3ffe9253c0d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5652
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
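--- a/[PATH NOT SHOWN ON PAGE: VKE patch file for k8s 1.10]
+++ b/[PATH NOT SHOWN ON PAGE: VKE patch file for k8s 1.10]
@@ -1,7 +1,7 @@
-From 756dd774d15d16fd1aa09c016d5a222529e6bc96 Mon Sep 17 00:00:00 2001
+From 65059959f5f5ff965897e123fff1a581970d6437 Mon Sep 17 00:00:00 2001
 From: DheerajSShetty <dheerajs@vmware.com>
-Date: Wed, 22 Aug 2018 16:37:55 -0700
-Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c)
+Date: Tue, 11 Sep 2018 11:43:21 -0700
+Subject: [PATCH] VKE patch for k8s 1.10 (8033c471)
 
 ---
  api/swagger-spec/apps_v1alpha1.json | 21 +
@@ -29,7 +29,7 @@ Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c)
  .../providers/cascade/cascade_disks.go | 228 +++++
  .../providers/cascade/cascade_instances.go | 92 ++
  .../providers/cascade/cascade_instances_test.go | 44 +
- .../providers/cascade/cascade_loadbalancer.go | 285 +++++++
+ .../providers/cascade/cascade_loadbalancer.go | 285 ++++++
  pkg/cloudprovider/providers/cascade/client.go | 399 +++++++++
  pkg/cloudprovider/providers/cascade/oidcclient.go | 297 +++++++
  pkg/cloudprovider/providers/cascade/restclient.go | 262 ++++++
@@ -49,14 +49,14 @@ Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c)
  .../admission/persistentvolume/label/admission.go | 54 ++
  plugin/pkg/admission/vke/BUILD | 61 ++
  plugin/pkg/admission/vke/admission.go | 587 +++++++++++++
- plugin/pkg/admission/vke/admission_test.go | 941 +++++++++++++++++++++
+ plugin/pkg/admission/vke/admission_test.go | 952 +++++++++++++++++++++
  plugin/pkg/auth/authorizer/vke/BUILD | 40 +
  plugin/pkg/auth/authorizer/vke/OWNERS | 2 +
  plugin/pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++
  .../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++
  staging/src/k8s.io/api/core/v1/generated.pb.go | 310 ++++++-
  staging/src/k8s.io/api/core/v1/types.go | 24 +-
- 52 files changed, 5768 insertions(+), 31 deletions(-)
+ 52 files changed, 5779 insertions(+), 31 deletions(-)
 
 diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
 index 6f54662..0ce6f3f 100644
@@ -4198,7 +4198,7 @@ index 0000000..97c0856
 \ No newline at end of file
 diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go
 new file mode 100644
-index 0000000..ab327ea
+index 0000000..37f82d9
 --- /dev/null
 +++ b/plugin/pkg/admission/vke/admission.go
 @@ -0,0 +1,587 @@
@@ -4534,10 +4534,10 @@ index 0000000..ab327ea
 + }
 + }
 +
-+ // If the privileged service account tries to update taints on a node, we block. We need to do this so that a user
-+ // cannot use a privileged service account to untaint the node and run pods on a master.
++ // If the privileged service account tries to update taints on the master node, we block. We need to do this so that
++ // a user cannot use a privileged service account to untaint the node and run pods on a master.
 + if a.GetResource().GroupResource() == api.Resource("nodes") {
-+ if a.GetOperation() == admission.Update {
++ if a.GetOperation() == admission.Update && strings.HasPrefix(a.GetName(), masterNodePrefix) {
 + node, ok := a.GetObject().(*api.Node)
 + if !ok {
 + return admission.NewForbidden(a,
@@ -4791,10 +4791,10 @@ index 0000000..ab327ea
 +}
 diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go
 new file mode 100644
-index 0000000..3fb4674
+index 0000000..c597663
 --- /dev/null
 +++ b/plugin/pkg/admission/vke/admission_test.go
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,952 @@
 +package vke
 +
 +import (
@@ -5459,10 +5459,21 @@ index 0000000..3fb4674
 + userInfo: newTestUserBuilder().withGroup(systemNodesGroup).build(),
 + shouldPassValidate: true,
 + },
-+ "denied: privileged service account update node taint": {
++ "allowed: privileged service account update worker node taint": {
 + operation: kadmission.Update,
 + resource: "nodes",
 + namespace: "",
++ name: "worker-guid",
++ oldObject: newTestNodeBuilder().build(),
++ object: newTestNodeBuilder().withTaint(nil).build(),
++ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(),
++ shouldPassValidate: true,
++ },
++ "denied: privileged service account update master node taint": {
++ operation: kadmission.Update,
++ resource: "nodes",
++ namespace: "",
++ name: "master-guid",
 + oldObject: newTestNodeBuilder().build(),
 + object: newTestNodeBuilder().withTaint(nil).build(),
 + userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(),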
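Review bot: The narrowed guard in the admission.go hunk at line 4540 decides whether a node is a master purely from its name (`strings.HasPrefix(a.GetName(), masterNodePrefix)`), so a master whose object name does not carry masterNodePrefix is no longer covered by the taint-update block at all. masterNodePrefix is defined outside this hunk, and whether every VKE master is guaranteed that prefix cannot be confirmed from the page; if it is only a naming convention, deriving the decision from the node object itself (for example a master role label or the existing master taint on the old object returned by a.GetOldObject()) would keep the protection independent of naming. The added tests cover only `worker-guid` and `master-guid`; a case with a node that carries master markers but a non-prefixed name would pin down the intended boundary. The enclosing validation function starts and ends outside the hunk.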
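--- a/[PATH NOT SHOWN ON PAGE: VKE patch file for k8s 1.9.6]
+++ b/[PATH NOT SHOWN ON PAGE: VKE patch file for k8s 1.9.6]
@@ -1,7 +1,7 @@
-From 6de826b35ced3b7cadc809d7ea778ce6a50aff43 Mon Sep 17 00:00:00 2001
+From 73dd46ef2f0ddd1ccf93b0d2d339a38e08b84c20 Mon Sep 17 00:00:00 2001
 From: DheerajSShetty <dheerajs@vmware.com>
-Date: Wed, 22 Aug 2018 16:30:37 -0700
-Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c)
+Date: Tue, 11 Sep 2018 12:05:49 -0700
+Subject: [PATCH] VKE patch for k8s 1.9.6 (8033c471)
 
 ---
  api/swagger-spec/apps_v1alpha1.json | Bin 135734 -> 136495 bytes
@@ -30,7 +30,7 @@ Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c)
  .../providers/cascade/cascade_disks.go | 226 +++++
  .../providers/cascade/cascade_instances.go | 91 ++
  .../providers/cascade/cascade_instances_test.go | 43 +
- .../providers/cascade/cascade_loadbalancer.go | 284 +++++++
+ .../providers/cascade/cascade_loadbalancer.go | 284 ++++++
  pkg/cloudprovider/providers/cascade/client.go | 399 +++++++++
  pkg/cloudprovider/providers/cascade/oidcclient.go | 297 +++++++
  pkg/cloudprovider/providers/cascade/restclient.go | 262 ++++++
@@ -50,14 +50,14 @@ Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c)
  .../admission/persistentvolume/label/admission.go | 54 ++
  plugin/pkg/admission/vke/BUILD | 61 ++
  plugin/pkg/admission/vke/admission.go | 587 +++++++++++++
- plugin/pkg/admission/vke/admission_test.go | 941 +++++++++++++++++++++
+ plugin/pkg/admission/vke/admission_test.go | 952 +++++++++++++++++++++
  plugin/pkg/auth/authorizer/vke/BUILD | 40 +
  plugin/pkg/auth/authorizer/vke/OWNERS | 3 +
  plugin/pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++
  .../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++
  staging/src/k8s.io/api/core/v1/generated.pb.go | Bin 1241955 -> 1248240 bytes
  staging/src/k8s.io/api/core/v1/types.go | 26 +-
- 53 files changed, 5462 insertions(+), 8 deletions(-)
+ 53 files changed, 5473 insertions(+), 8 deletions(-)
 
 diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
 index aa3fbdc..0189f38 100644
@@ -4354,7 +4354,7 @@ index 0000000..7d66036
 \ No newline at end of file
 diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go
 new file mode 100644
-index 0000000..192f384
+index 0000000..a5403d0
 --- /dev/null
 +++ b/plugin/pkg/admission/vke/admission.go
 @@ -0,0 +1,587 @@
@@ -4693,7 +4693,7 @@ index 0000000..192f384
 + // If the privileged service account tries to update taints on a node, we block. We need to do this so that a user
 + // cannot use a privileged service account to untaint the node and run pods on a master.
 + if a.GetResource().GroupResource() == api.Resource("nodes") {
-+ if a.GetOperation() == admission.Update {
++ if a.GetOperation() == admission.Update && strings.HasPrefix(a.GetName(), masterNodePrefix) {
 + node, ok := a.GetObject().(*api.Node)
 + if !ok {
 + return admission.NewForbidden(a,
@@ -4947,10 +4947,10 @@ index 0000000..192f384
 +}
 diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go
 new file mode 100644
-index 0000000..3fb4674
+index 0000000..c597663
 --- /dev/null
 +++ b/plugin/pkg/admission/vke/admission_test.go
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,952 @@
 +package vke
 +
 +import (
@@ -5615,10 +5615,21 @@ index 0000000..3fb4674
 + userInfo: newTestUserBuilder().withGroup(systemNodesGroup).build(),
 + shouldPassValidate: true,
 + },
-+ "denied: privileged service account update node taint": {
++ "allowed: privileged service account update worker node taint": {
 + operation: kadmission.Update,
 + resource: "nodes",
 + namespace: "",
++ name: "worker-guid",
++ oldObject: newTestNodeBuilder().build(),
++ object: newTestNodeBuilder().withTaint(nil).build(),
++ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(),
++ shouldPassValidate: true,
++ },
++ "denied: privileged service account update master node taint": {
++ operation: kadmission.Update,
++ resource: "nodes",
++ namespace: "",
++ name: "master-guid",
 + oldObject: newTestNodeBuilder().build(),
 + object: newTestNodeBuilder().withTaint(nil).build(),
 + userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(),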
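Review bot: The comment above the narrowed condition in the admission.go hunk at lines 4693-4694 still says the block applies to taint updates "on a node", while the condition at line 4696 now fires only for names carrying masterNodePrefix; the 1.10 patch in this same change updated that comment, so the two copies of the plugin have drifted. Suggest mirroring the 1.10 wording: `// If the privileged service account tries to update taints on the master node, we block. We need to do this so that` followed by `// a user cannot use a privileged service account to untaint the node and run pods on a master.`. The name-prefix caveat raised on the 1.10 patch (a master not named with masterNodePrefix is no longer covered) applies to this copy as well. The enclosing validation function starts and ends outside the hunk.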
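--- a/[PATH NOT SHOWN ON PAGE: kubernetes 1.10.2 spec]
+++ b/[PATH NOT SHOWN ON PAGE: kubernetes 1.10.2 spec]
@@ -1,7 +1,7 @@
 Summary: Kubernetes cluster management
 Name: kubernetes
 Version: 1.10.2
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: ASL 2.0
 URL: https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
 Source0: kubernetes-%{version}.tar.gz
@@ -207,6 +207,8 @@ fi
 /opt/vmware/kubernetes/windows/amd64/kubectl.exe
 
 %changelog
+* Tue Sep 11 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-13
+- Update vke patch (8033c471)
 * Mon Aug 22 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-12
 - Update vke patch (fbdcc5c)
 * Mon Aug 06 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-11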
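--- a/[PATH NOT SHOWN ON PAGE: kubernetes 1.9.6 spec]
+++ b/[PATH NOT SHOWN ON PAGE: kubernetes 1.9.6 spec]
@@ -1,7 +1,7 @@
 Summary: Kubernetes cluster management
 Name: kubernetes
 Version: 1.9.6
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 URL: https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
 Source0: kubernetes-v%{version}.tar.gz
@@ -185,6 +185,8 @@ fi
 %{_bindir}/pause-amd64
 
 %changelog
+* Tue Sep 11 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-11
+- Update vke patch (8033c471)
 * Mon Aug 22 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-10
 - Update vke patch (fbdcc5c)
 * Mon Aug 06 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-9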