* Modify VAC to block taint updates only on master nodes
Change-Id: I43d85d940761002ea79b6a145104c3ffe9253c0d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5652
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
@@ -1,7 +1,7 @@ |
| 1 |
-From 756dd774d15d16fd1aa09c016d5a222529e6bc96 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From 65059959f5f5ff965897e123fff1a581970d6437 Mon Sep 17 00:00:00 2001 |
|
| 2 | 2 |
From: DheerajSShetty <dheerajs@vmware.com> |
| 3 |
-Date: Wed, 22 Aug 2018 16:37:55 -0700 |
|
| 4 |
-Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c) |
|
| 3 |
+Date: Tue, 11 Sep 2018 11:43:21 -0700 |
|
| 4 |
+Subject: [PATCH] VKE patch for k8s 1.10 (8033c471) |
|
| 5 | 5 |
|
| 6 | 6 |
--- |
| 7 | 7 |
api/swagger-spec/apps_v1alpha1.json | 21 + |
@@ -29,7 +29,7 @@ Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c) |
| 29 | 29 |
.../providers/cascade/cascade_disks.go | 228 +++++ |
| 30 | 30 |
.../providers/cascade/cascade_instances.go | 92 ++ |
| 31 | 31 |
.../providers/cascade/cascade_instances_test.go | 44 + |
| 32 |
- .../providers/cascade/cascade_loadbalancer.go | 285 +++++++ |
|
| 32 |
+ .../providers/cascade/cascade_loadbalancer.go | 285 ++++++ |
|
| 33 | 33 |
pkg/cloudprovider/providers/cascade/client.go | 399 +++++++++ |
| 34 | 34 |
pkg/cloudprovider/providers/cascade/oidcclient.go | 297 +++++++ |
| 35 | 35 |
pkg/cloudprovider/providers/cascade/restclient.go | 262 ++++++ |
@@ -49,14 +49,14 @@ Subject: [PATCH] VKE patch for k8s 1.10 (fbdcc5c) |
| 49 | 49 |
.../admission/persistentvolume/label/admission.go | 54 ++ |
| 50 | 50 |
plugin/pkg/admission/vke/BUILD | 61 ++ |
| 51 | 51 |
plugin/pkg/admission/vke/admission.go | 587 +++++++++++++ |
| 52 |
- plugin/pkg/admission/vke/admission_test.go | 941 +++++++++++++++++++++ |
|
| 52 |
+ plugin/pkg/admission/vke/admission_test.go | 952 +++++++++++++++++++++ |
|
| 53 | 53 |
plugin/pkg/auth/authorizer/vke/BUILD | 40 + |
| 54 | 54 |
plugin/pkg/auth/authorizer/vke/OWNERS | 2 + |
| 55 | 55 |
plugin/pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++ |
| 56 | 56 |
.../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++ |
| 57 | 57 |
staging/src/k8s.io/api/core/v1/generated.pb.go | 310 ++++++- |
| 58 | 58 |
staging/src/k8s.io/api/core/v1/types.go | 24 +- |
| 59 |
- 52 files changed, 5768 insertions(+), 31 deletions(-) |
|
| 59 |
+ 52 files changed, 5779 insertions(+), 31 deletions(-) |
|
| 60 | 60 |
|
| 61 | 61 |
diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json |
| 62 | 62 |
index 6f54662..0ce6f3f 100644 |
@@ -4198,7 +4198,7 @@ index 0000000..97c0856 |
| 4198 | 4198 |
\ No newline at end of file |
| 4199 | 4199 |
diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go |
| 4200 | 4200 |
new file mode 100644 |
| 4201 |
-index 0000000..ab327ea |
|
| 4201 |
+index 0000000..37f82d9 |
|
| 4202 | 4202 |
--- /dev/null |
| 4203 | 4203 |
+++ b/plugin/pkg/admission/vke/admission.go |
| 4204 | 4204 |
@@ -0,0 +1,587 @@ |
@@ -4534,10 +4534,10 @@ index 0000000..ab327ea |
| 4534 | 4534 |
+ } |
| 4535 | 4535 |
+ } |
| 4536 | 4536 |
+ |
| 4537 |
-+ // If the privileged service account tries to update taints on a node, we block. We need to do this so that a user |
|
| 4538 |
-+ // cannot use a privileged service account to untaint the node and run pods on a master. |
|
| 4537 |
++ // If the privileged service account tries to update taints on the master node, we block. We need to do this so that |
|
| 4538 |
++ // a user cannot use a privileged service account to untaint the node and run pods on a master. |
|
| 4539 | 4539 |
+ if a.GetResource().GroupResource() == api.Resource("nodes") {
|
| 4540 |
-+ if a.GetOperation() == admission.Update {
|
|
| 4540 |
++ if a.GetOperation() == admission.Update && strings.HasPrefix(a.GetName(), masterNodePrefix) {
|
|
| 4541 | 4541 |
+ node, ok := a.GetObject().(*api.Node) |
| 4542 | 4542 |
+ if !ok {
|
| 4543 | 4543 |
+ return admission.NewForbidden(a, |
@@ -4791,10 +4791,10 @@ index 0000000..ab327ea |
| 4791 | 4791 |
+} |
| 4792 | 4792 |
diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go |
| 4793 | 4793 |
new file mode 100644 |
| 4794 |
-index 0000000..3fb4674 |
|
| 4794 |
+index 0000000..c597663 |
|
| 4795 | 4795 |
--- /dev/null |
| 4796 | 4796 |
+++ b/plugin/pkg/admission/vke/admission_test.go |
| 4797 |
-@@ -0,0 +1,941 @@ |
|
| 4797 |
+@@ -0,0 +1,952 @@ |
|
| 4798 | 4798 |
+package vke |
| 4799 | 4799 |
+ |
| 4800 | 4800 |
+import ( |
@@ -5459,10 +5459,21 @@ index 0000000..3fb4674 |
| 5459 | 5459 |
+ userInfo: newTestUserBuilder().withGroup(systemNodesGroup).build(), |
| 5460 | 5460 |
+ shouldPassValidate: true, |
| 5461 | 5461 |
+ }, |
| 5462 |
-+ "denied: privileged service account update node taint": {
|
|
| 5462 |
++ "allowed: privileged service account update worker node taint": {
|
|
| 5463 | 5463 |
+ operation: kadmission.Update, |
| 5464 | 5464 |
+ resource: "nodes", |
| 5465 | 5465 |
+ namespace: "", |
| 5466 |
++ name: "worker-guid", |
|
| 5467 |
++ oldObject: newTestNodeBuilder().build(), |
|
| 5468 |
++ object: newTestNodeBuilder().withTaint(nil).build(), |
|
| 5469 |
++ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(), |
|
| 5470 |
++ shouldPassValidate: true, |
|
| 5471 |
++ }, |
|
| 5472 |
++ "denied: privileged service account update master node taint": {
|
|
| 5473 |
++ operation: kadmission.Update, |
|
| 5474 |
++ resource: "nodes", |
|
| 5475 |
++ namespace: "", |
|
| 5476 |
++ name: "master-guid", |
|
| 5466 | 5477 |
+ oldObject: newTestNodeBuilder().build(), |
| 5467 | 5478 |
+ object: newTestNodeBuilder().withTaint(nil).build(), |
| 5468 | 5479 |
+ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(), |
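Review bot: The new master-node guard on the `if a.GetOperation() == admission.Update && strings.HasPrefix(a.GetName(), masterNodePrefix)` line decides by the node's name prefix, which is client-supplied: a node registers under whatever name its kubelet presents, so a master whose name lacks the prefix is no longer protected and the protection now rests on a naming convention rather than on state the API server already holds. A sturdier discriminator would be the existing object, e.g. the master taint or role marker already present on `a.GetOldObject()`, with the name prefix at most as a secondary condition; the identical line appears in the 1.9 patch in this same commit, so the point applies there too. The definition of `masterNodePrefix` and the enclosing function are outside the hunk; the new test names "worker-guid" and "master-guid" suggest the prefix is a bare "master", which is worth confirming against the constant. At minimum the convention should be stated next to the check, e.g. `// NOTE: master membership is inferred from the node name prefix; nodes that do not follow the naming convention are not protected.`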
@@ -1,7 +1,7 @@ |
| 1 |
-From 6de826b35ced3b7cadc809d7ea778ce6a50aff43 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From 73dd46ef2f0ddd1ccf93b0d2d339a38e08b84c20 Mon Sep 17 00:00:00 2001 |
|
| 2 | 2 |
From: DheerajSShetty <dheerajs@vmware.com> |
| 3 |
-Date: Wed, 22 Aug 2018 16:30:37 -0700 |
|
| 4 |
-Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c) |
|
| 3 |
+Date: Tue, 11 Sep 2018 12:05:49 -0700 |
|
| 4 |
+Subject: [PATCH] VKE patch for k8s 1.9.6 (8033c471) |
|
| 5 | 5 |
|
| 6 | 6 |
--- |
| 7 | 7 |
api/swagger-spec/apps_v1alpha1.json | Bin 135734 -> 136495 bytes |
@@ -30,7 +30,7 @@ Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c) |
| 30 | 30 |
.../providers/cascade/cascade_disks.go | 226 +++++ |
| 31 | 31 |
.../providers/cascade/cascade_instances.go | 91 ++ |
| 32 | 32 |
.../providers/cascade/cascade_instances_test.go | 43 + |
| 33 |
- .../providers/cascade/cascade_loadbalancer.go | 284 +++++++ |
|
| 33 |
+ .../providers/cascade/cascade_loadbalancer.go | 284 ++++++ |
|
| 34 | 34 |
pkg/cloudprovider/providers/cascade/client.go | 399 +++++++++ |
| 35 | 35 |
pkg/cloudprovider/providers/cascade/oidcclient.go | 297 +++++++ |
| 36 | 36 |
pkg/cloudprovider/providers/cascade/restclient.go | 262 ++++++ |
@@ -50,14 +50,14 @@ Subject: [PATCH] VKE patch for k8s version 1.9 (fbdcc5c) |
| 50 | 50 |
.../admission/persistentvolume/label/admission.go | 54 ++ |
| 51 | 51 |
plugin/pkg/admission/vke/BUILD | 61 ++ |
| 52 | 52 |
plugin/pkg/admission/vke/admission.go | 587 +++++++++++++ |
| 53 |
- plugin/pkg/admission/vke/admission_test.go | 941 +++++++++++++++++++++ |
|
| 53 |
+ plugin/pkg/admission/vke/admission_test.go | 952 +++++++++++++++++++++ |
|
| 54 | 54 |
plugin/pkg/auth/authorizer/vke/BUILD | 40 + |
| 55 | 55 |
plugin/pkg/auth/authorizer/vke/OWNERS | 3 + |
| 56 | 56 |
plugin/pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++ |
| 57 | 57 |
.../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++ |
| 58 | 58 |
staging/src/k8s.io/api/core/v1/generated.pb.go | Bin 1241955 -> 1248240 bytes |
| 59 | 59 |
staging/src/k8s.io/api/core/v1/types.go | 26 +- |
| 60 |
- 53 files changed, 5462 insertions(+), 8 deletions(-) |
|
| 60 |
+ 53 files changed, 5473 insertions(+), 8 deletions(-) |
|
| 61 | 61 |
|
| 62 | 62 |
diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json |
| 63 | 63 |
index aa3fbdc..0189f38 100644 |
@@ -4354,7 +4354,7 @@ index 0000000..7d66036 |
| 4354 | 4354 |
\ No newline at end of file |
| 4355 | 4355 |
diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go |
| 4356 | 4356 |
new file mode 100644 |
| 4357 |
-index 0000000..192f384 |
|
| 4357 |
+index 0000000..a5403d0 |
|
| 4358 | 4358 |
--- /dev/null |
| 4359 | 4359 |
+++ b/plugin/pkg/admission/vke/admission.go |
| 4360 | 4360 |
@@ -0,0 +1,587 @@ |
@@ -4693,7 +4693,7 @@ index 0000000..192f384 |
| 4693 | 4693 |
+ // If the privileged service account tries to update taints on a node, we block. We need to do this so that a user |
| 4694 | 4694 |
+ // cannot use a privileged service account to untaint the node and run pods on a master. |
| 4695 | 4695 |
+ if a.GetResource().GroupResource() == api.Resource("nodes") {
|
| 4696 |
-+ if a.GetOperation() == admission.Update {
|
|
| 4696 |
++ if a.GetOperation() == admission.Update && strings.HasPrefix(a.GetName(), masterNodePrefix) {
|
|
| 4697 | 4697 |
+ node, ok := a.GetObject().(*api.Node) |
| 4698 | 4698 |
+ if !ok {
|
| 4699 | 4699 |
+ return admission.NewForbidden(a, |
@@ -4947,10 +4947,10 @@ index 0000000..192f384 |
| 4947 | 4947 |
+} |
| 4948 | 4948 |
diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go |
| 4949 | 4949 |
new file mode 100644 |
| 4950 |
-index 0000000..3fb4674 |
|
| 4950 |
+index 0000000..c597663 |
|
| 4951 | 4951 |
--- /dev/null |
| 4952 | 4952 |
+++ b/plugin/pkg/admission/vke/admission_test.go |
| 4953 |
-@@ -0,0 +1,941 @@ |
|
| 4953 |
+@@ -0,0 +1,952 @@ |
|
| 4954 | 4954 |
+package vke |
| 4955 | 4955 |
+ |
| 4956 | 4956 |
+import ( |
@@ -5615,10 +5615,21 @@ index 0000000..3fb4674 |
| 5615 | 5615 |
+ userInfo: newTestUserBuilder().withGroup(systemNodesGroup).build(), |
| 5616 | 5616 |
+ shouldPassValidate: true, |
| 5617 | 5617 |
+ }, |
| 5618 |
-+ "denied: privileged service account update node taint": {
|
|
| 5618 |
++ "allowed: privileged service account update worker node taint": {
|
|
| 5619 | 5619 |
+ operation: kadmission.Update, |
| 5620 | 5620 |
+ resource: "nodes", |
| 5621 | 5621 |
+ namespace: "", |
| 5622 |
++ name: "worker-guid", |
|
| 5623 |
++ oldObject: newTestNodeBuilder().build(), |
|
| 5624 |
++ object: newTestNodeBuilder().withTaint(nil).build(), |
|
| 5625 |
++ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(), |
|
| 5626 |
++ shouldPassValidate: true, |
|
| 5627 |
++ }, |
|
| 5628 |
++ "denied: privileged service account update master node taint": {
|
|
| 5629 |
++ operation: kadmission.Update, |
|
| 5630 |
++ resource: "nodes", |
|
| 5631 |
++ namespace: "", |
|
| 5632 |
++ name: "master-guid", |
|
| 5622 | 5633 |
+ oldObject: newTestNodeBuilder().build(), |
| 5623 | 5634 |
+ object: newTestNodeBuilder().withTaint(nil).build(), |
| 5624 | 5635 |
+ userInfo: newTestUserBuilder().withName(privilegedServiceAccount + "default").build(), |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Kubernetes cluster management |
| 2 | 2 |
Name: kubernetes |
| 3 | 3 |
Version: 1.10.2 |
| 4 |
-Release: 12%{?dist}
|
|
| 4 |
+Release: 13%{?dist}
|
|
| 5 | 5 |
License: ASL 2.0 |
| 6 | 6 |
URL: https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
|
| 7 | 7 |
Source0: kubernetes-%{version}.tar.gz
|
@@ -207,6 +207,8 @@ fi |
| 207 | 207 |
/opt/vmware/kubernetes/windows/amd64/kubectl.exe |
| 208 | 208 |
|
| 209 | 209 |
%changelog |
| 210 |
+* Tue Sep 11 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-13 |
|
| 211 |
+- Update vke patch (8033c471) |
|
| 210 | 212 |
* Mon Aug 22 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-12 |
| 211 | 213 |
- Update vke patch (fbdcc5c) |
| 212 | 214 |
* Mon Aug 06 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.10.2-11 |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Kubernetes cluster management |
| 2 | 2 |
Name: kubernetes |
| 3 | 3 |
Version: 1.9.6 |
| 4 |
-Release: 10%{?dist}
|
|
| 4 |
+Release: 11%{?dist}
|
|
| 5 | 5 |
License: ASL 2.0 |
| 6 | 6 |
URL: https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
|
| 7 | 7 |
Source0: kubernetes-v%{version}.tar.gz
|
@@ -185,6 +185,8 @@ fi |
| 185 | 185 |
%{_bindir}/pause-amd64
|
| 186 | 186 |
|
| 187 | 187 |
%changelog |
| 188 |
+* Tue Sep 11 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-11 |
|
| 189 |
+- Update vke patch (8033c471) |
|
| 188 | 190 |
* Mon Aug 22 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-10 |
| 189 | 191 |
- Update vke patch (fbdcc5c) |
| 190 | 192 |
* Mon Aug 06 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-9 |