From 714f56a3aa75f047a05fd12fe3beb577417b6879 Mon Sep 17 00:00:00 2001 From: deads2k Date: Thu, 11 May 2017 16:25:34 -0400 Subject: [PATCH 1/9] move openshift controller roles to system:openshift:controller:* --- .../bootstrappolicy/controller_policy.go | 68 +++++++++++ pkg/cmd/server/bootstrappolicy/dead.go | 4 + .../server/bootstrappolicy/infra_sa_policy.go | 55 +-------- pkg/cmd/server/bootstrappolicy/policy.go | 24 +++- .../bootstrap_cluster_role_bindings.yaml | 14 +++ .../bootstrap_cluster_roles.yaml | 114 +++++++++--------- 6 files changed, 171 insertions(+), 108 deletions(-) create mode 100644 pkg/cmd/server/bootstrappolicy/controller_policy.go diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go new file mode 100644 index 000000000000..16e009c71bbc --- /dev/null +++ b/pkg/cmd/server/bootstrappolicy/controller_policy.go 
@@ -0,0 +1,68 @@ +package bootstrappolicy + +import ( + "strings" + + "github.com/golang/glog" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rbac "k8s.io/kubernetes/pkg/apis/rbac" +) + +const saRolePrefix = "system:openshift:controller:" + +var ( + // controllerRoles is a slice of roles used for controllers + controllerRoles = []rbac.ClusterRole{} + // controllerRoleBindings is a slice of roles used for controllers + controllerRoleBindings = []rbac.ClusterRoleBinding{} +) + +func addControllerRole(role rbac.ClusterRole) { + if !strings.HasPrefix(role.Name, saRolePrefix) { + glog.Fatalf(`role %q must start with %q`, role.Name, saRolePrefix) + } + + for _, existingRole := range controllerRoles { + if role.Name == existingRole.Name { + glog.Fatalf("role %q was already registered", role.Name) + } + } + + if role.Annotations == nil { + role.Annotations = map[string]string{} + } + role.Annotations[roleSystemOnly] = roleIsSystemOnly + + controllerRoles = append(controllerRoles, role) + + controllerRoleBindings = append(controllerRoleBindings, + rbac.NewClusterBinding(role.Name).SAs(DefaultOpenShiftInfraNamespace, role.Name[len(saRolePrefix):]).BindingOrDie()) +} + +func eventsRule() rbac.PolicyRule { + return rbac.NewRule("create", "update", "patch").Groups(kapiGroup).Resources("events").RuleOrDie() +} + +func init() { + addControllerRole(rbac.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "build-controller"}, + Rules: []rbac.PolicyRule{ + rbac.NewRule("get", "list", "watch", "update").Groups(buildGroup, legacyBuildGroup).Resources("builds").RuleOrDie(), + rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline").RuleOrDie(), + rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(), + rbac.NewRule("get", "list", "create", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), + eventsRule(), + }, + }) +} + +// 
ControllerRoles returns the cluster roles used by controllers +func ControllerRoles() []rbac.ClusterRole { + return controllerRoles +} + +// ControllerRoleBindings returns the role bindings used by controllers +func ControllerRoleBindings() []rbac.ClusterRoleBinding { + return controllerRoleBindings +} diff --git a/pkg/cmd/server/bootstrappolicy/dead.go b/pkg/cmd/server/bootstrappolicy/dead.go index 6618829385c7..47381aeb88a7 100644 --- a/pkg/cmd/server/bootstrappolicy/dead.go +++ b/pkg/cmd/server/bootstrappolicy/dead.go @@ -46,4 +46,8 @@ func init() { addDeadClusterRole("system:gc-controller") addDeadClusterRole("system:certificate-signing-controller") addDeadClusterRole("system:statefulset-controller") + + // these were moved under system:openshift:controller:* + addDeadClusterRole("system:build-controller") + } diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go index 17ff94abf7e8..d4e8e6d36457 100644 --- a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go +++ b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go @@ -17,11 +17,13 @@ import ( buildapi "github.com/openshift/origin/pkg/build/api" deployapi "github.com/openshift/origin/pkg/deploy/api" imageapi "github.com/openshift/origin/pkg/image/api" + + // we need the conversions registered for our init block + _ "github.com/openshift/origin/pkg/authorization/api/install" ) const ( InfraBuildControllerServiceAccountName = "build-controller" - BuildControllerRoleName = "system:build-controller" InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller" ImageTriggerControllerRoleName = "system:imagetrigger-controller" 
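Review bot: The comment on `controllerRoleBindings` is a copy of the one above it and says the slice holds roles; it should read `// controllerRoleBindings is a slice of role bindings used for controllers`. A second point: `ControllerRoles()` and `ControllerRoleBindings()` hand out the package-level slices themselves, so a caller that appends to or edits the returned slice alters the bootstrap policy every later caller sees; returning a copy such as `append([]rbac.ClusterRole(nil), controllerRoles...)` keeps the accessors safe to share. It is also worth stating on `addControllerRole` that it stamps the `roleSystemOnly` annotation and binds the role to the service account named by the role name minus `saRolePrefix` in `DefaultOpenShiftInfraNamespace`, since that naming contract is what `init` relies on.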
@@ -127,58 +129,11 @@ func (r *InfraServiceAccounts) AllRoles() []authorizationapi.ClusterRole { } func init() { + var err error + InfraSAs.serviceAccounts = sets.String{} InfraSAs.saToRole = map[string]authorizationapi.ClusterRole{} - var err error - err = InfraSAs.addServiceAccount( - InfraBuildControllerServiceAccountName, - authorizationapi.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: BuildControllerRoleName, - }, - Rules: []authorizationapi.PolicyRule{ - // BuildControllerFactory.buildLW - // BuildControllerFactory.buildDeleteLW - { - Verbs: sets.NewString("get", "list", "watch"), - Resources: sets.NewString("builds"), - }, - // BuildController.BuildUpdater (OSClientBuildClient) - { - Verbs: sets.NewString("update"), - Resources: sets.NewString("builds"), - }, - // Create permission on virtual build type resources allows builds of those types to be updated - { - Verbs: sets.NewString("create"), - Resources: sets.NewString("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline"), - APIGroups: []string{buildapi.GroupName, buildapi.LegacyGroupName}, - }, - // BuildController.ImageStreamClient (ControllerClient) - { - Verbs: sets.NewString("get"), - Resources: sets.NewString("imagestreams"), - }, - // BuildController.PodManager (ControllerClient) - // BuildDeleteController.PodManager (ControllerClient) - // BuildControllerFactory.buildDeleteLW - { - Verbs: sets.NewString("get", "list", "create", "delete"), - Resources: sets.NewString("pods"), - }, - // BuildController.Recorder (EventBroadcaster) - { - Verbs: sets.NewString("create", "update", "patch"), - Resources: sets.NewString("events"), - }, - }, - }, - ) - if err != nil { - panic(err) - } - err = InfraSAs.addServiceAccount( InfraImageTriggerControllerServiceAccountName, authorizationapi.ClusterRole{ diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go index 7dddc3b26db5..b97ccdc15332 100644 --- a/pkg/cmd/server/bootstrappolicy/policy.go 
+++ b/pkg/cmd/server/bootstrappolicy/policy.go @@ -959,6 +959,11 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { if err != nil { panic(err) } + openshiftControllerRoles, err := GetOpenshiftControllerBootstrapClusterRoles() + // coder error + if err != nil { + panic(err) + } // Eventually openshift controllers and kube controllers have different prefixes // so we will only need to check conflicts on the "normal" cluster roles @@ -990,6 +995,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { finalClusterRoles := []authorizationapi.ClusterRole{} finalClusterRoles = append(finalClusterRoles, openshiftClusterRoles...) finalClusterRoles = append(finalClusterRoles, openshiftSAClusterRoles...) + finalClusterRoles = append(finalClusterRoles, openshiftControllerRoles...) finalClusterRoles = append(finalClusterRoles, kubeSAClusterRoles...) for i := range kubeClusterRoles { if !clusterRoleConflicts.Has(kubeClusterRoles[i].Name) { @@ -1189,7 +1195,12 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding { if err != nil { panic(err) } - kubeSAClusterRoleBindings, err := GetKubeControllerBootstrapClusterRoleBindings() + kubeControllerClusterRoleBindings, err := GetKubeControllerBootstrapClusterRoleBindings() + // coder error + if err != nil { + panic(err) + } + openshiftControllerClusterRoleBindings, err := GetOpenshiftControllerBootstrapClusterRoleBindings() // coder error if err != nil { panic(err) 
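Review bot: `openshiftControllerRoles` is appended to `finalClusterRoles` without any name-collision check against `openshiftClusterRoles` or `openshiftSAClusterRoles`, and `addControllerRole` only rejects duplicates among the controller roles themselves, so a clash would put two ClusterRoles with the same name into the bootstrap list and which one wins would depend on apply order. The `system:openshift:controller:` prefix makes this unlikely today, but the existing comment (`// Eventually openshift controllers and kube controllers have different prefixes`) only covers the kube side, so either extend the `clusterRoleConflicts` handling to the new slice or add a comment stating that the prefix is what guarantees uniqueness. The body of `GetBootstrapClusterRoles` continues outside the hunk.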
@@ -1220,7 +1231,8 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding { finalClusterRoleBindings := []authorizationapi.ClusterRoleBinding{} finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftClusterRoleBindings...) - finalClusterRoleBindings = append(finalClusterRoleBindings, kubeSAClusterRoleBindings...) + finalClusterRoleBindings = append(finalClusterRoleBindings, kubeControllerClusterRoleBindings...) + finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftControllerClusterRoleBindings...) for i := range kubeClusterRoleBindings { if !clusterRoleBindingConflicts.Has(kubeClusterRoleBindings[i].Name) { finalClusterRoleBindings = append(finalClusterRoleBindings, kubeClusterRoleBindings[i]) @@ -1263,6 +1275,10 @@ func GetKubeControllerBootstrapClusterRoleBindings() ([]authorizationapi.Cluster return convertClusterRoleBindings(bootstrappolicy.ControllerRoleBindings()) } +func GetOpenshiftControllerBootstrapClusterRoleBindings() ([]authorizationapi.ClusterRoleBinding, error) { + return convertClusterRoleBindings(ControllerRoleBindings()) +} + func convertClusterRoleBindings(in []rbac.ClusterRoleBinding) ([]authorizationapi.ClusterRoleBinding, error) { out := []authorizationapi.ClusterRoleBinding{} errs := []error{} @@ -1287,6 +1303,10 @@ func GetKubeControllerBootstrapClusterRoles() ([]authorizationapi.ClusterRole, e return convertClusterRoles(bootstrappolicy.ControllerRoles()) } +func GetOpenshiftControllerBootstrapClusterRoles() ([]authorizationapi.ClusterRole, error) { + return convertClusterRoles(ControllerRoles()) +} + func convertClusterRoles(in []rbac.ClusterRole) ([]authorizationapi.ClusterRole, error) { out := []authorizationapi.ClusterRole{} errs := []error{} diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml index 72ed069f6dac..79de6a343ec8 100644 
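Review bot: `GetOpenshiftControllerBootstrapClusterRoleBindings` (in the `@@ -1263` hunk) and `GetOpenshiftControllerBootstrapClusterRoles` (in the `@@ -1287` hunk) are exported but carry no doc comment. A one-liner each would do, e.g. `// GetOpenshiftControllerBootstrapClusterRoles returns the system:openshift:controller:* cluster roles converted to the origin authorization API.` and the matching sentence for the bindings variant.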
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml @@ -638,6 +638,20 @@ items: namespace: kube-system userNames: - system:serviceaccount:kube-system:certificate-controller +- apiVersion: v1 + groupNames: null + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:openshift:controller:build-controller + roleRef: + name: system:openshift:controller:build-controller + subjects: + - kind: ServiceAccount + name: build-controller + namespace: openshift-infra + userNames: + - system:serviceaccount:openshift-infra:build-controller - apiVersion: v1 groupNames: - system:masters diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index b43e872aeaa3..e7ab8fabe8ef 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -2872,64 +2872,9 @@ items: - apiVersion: v1 kind: ClusterRole metadata: - annotations: - authorization.openshift.io/system-only: "true" creationTimestamp: null name: system:build-controller - rules: - - apiGroups: - - "" - attributeRestrictions: null - resources: - - builds - verbs: - - get - - list - - watch - - apiGroups: - - "" - attributeRestrictions: null - resources: - - builds - verbs: - - update - - apiGroups: - - build.openshift.io - - "" - attributeRestrictions: null - resources: - - builds/custom - - builds/docker - - builds/jenkinspipeline - - builds/source - verbs: - - create - - apiGroups: - - "" - attributeRestrictions: null - resources: - - imagestreams - verbs: - - get - - apiGroups: - - "" - attributeRestrictions: null - resources: - - pods - verbs: - - create - - delete - - get - - list - - apiGroups: - - "" - attributeRestrictions: null - resources: - - events - verbs: - - create - - patch - - update + rules: [] - apiVersion: v1 kind: ClusterRole metadata: 
@@ -3617,6 +3562,63 @@ items: - get - patch - update +- apiVersion: v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + creationTimestamp: null + name: system:openshift:controller:build-controller + rules: + - apiGroups: + - "" + - build.openshift.io + attributeRestrictions: null + resources: + - builds + verbs: + - get + - list + - update + - watch + - apiGroups: + - "" + - build.openshift.io + attributeRestrictions: null + resources: + - builds/custom + - builds/docker + - builds/jenkinspipeline + - builds/source + verbs: + - create + - apiGroups: + - "" + - image.openshift.io + attributeRestrictions: null + resources: + - imagestreams + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - get + - list + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update - apiVersion: v1 kind: ClusterRole metadata: From bb7c275c9a5f8058ae8a278232ce0cd1028e895f Mon Sep 17 00:00:00 2001 From: deads2k Date: Fri, 12 May 2017 13:51:07 -0400 Subject: [PATCH 2/9] rewire build controller initialization to use a controller init func --- pkg/authorization/authorizer/subjects_test.go | 2 +- .../bootstrappolicy/controller_policy.go | 6 +- pkg/cmd/server/origin/controller.go | 28 +++++++ pkg/cmd/server/origin/controller/build.go | 84 +++++++++++++++++++ .../server/origin/controller/interfaces.go | 78 +++++++++++++++++ pkg/cmd/server/origin/run_components.go | 9 +- pkg/cmd/server/start/start_master.go | 52 +++++++++++- test/integration/build_admission_test.go | 10 ++- test/integration/buildcontroller_test.go | 51 ++++++++++- .../bootstrap_cluster_roles.yaml | 7 ++ 10 files changed, 313 insertions(+), 14 deletions(-) create mode 100644 pkg/cmd/server/origin/controller.go create mode 100644 pkg/cmd/server/origin/controller/build.go create mode 100644 pkg/cmd/server/origin/controller/interfaces.go 
diff --git a/pkg/authorization/authorizer/subjects_test.go b/pkg/authorization/authorizer/subjects_test.go index 245a6ad7316c..c3bbbcccebe8 100644 --- a/pkg/authorization/authorizer/subjects_test.go +++ b/pkg/authorization/authorizer/subjects_test.go @@ -38,7 +38,7 @@ func TestSubjects(t *testing.T) { "system:serviceaccount:adze:second", "system:serviceaccount:foo:default", "system:serviceaccount:other:first", "system:serviceaccount:kube-system:deployment-controller", "system:serviceaccount:kube-system:endpoint-controller", "system:serviceaccount:kube-system:generic-garbage-collector", "system:serviceaccount:kube-system:namespace-controller", "system:serviceaccount:kube-system:persistent-volume-binder", "system:serviceaccount:kube-system:statefulset-controller", - "system:admin", "system:kube-scheduler"), + "system:admin", "system:kube-scheduler", "system:serviceaccount:openshift-infra:build-controller"), expectedGroups: sets.NewString("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:masters", "system:nodes"), } test.clusterPolicies = newDefaultClusterPolicies() diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go index 16e009c71bbc..390974fd0908 100644 --- a/pkg/cmd/server/bootstrappolicy/controller_policy.go +++ b/pkg/cmd/server/bootstrappolicy/controller_policy.go 
@@ -46,12 +46,14 @@ func eventsRule() rbac.PolicyRule { func init() { addControllerRole(rbac.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "build-controller"}, + ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraBuildControllerServiceAccountName}, Rules: []rbac.PolicyRule{ - rbac.NewRule("get", "list", "watch", "update").Groups(buildGroup, legacyBuildGroup).Resources("builds").RuleOrDie(), + rbac.NewRule("get", "list", "watch", "update", "delete").Groups(buildGroup, legacyBuildGroup).Resources("builds").RuleOrDie(), + rbac.NewRule("get").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs").RuleOrDie(), rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline").RuleOrDie(), rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(), rbac.NewRule("get", "list", "create", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), + rbac.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(), eventsRule(), }, }) diff --git a/pkg/cmd/server/origin/controller.go b/pkg/cmd/server/origin/controller.go new file mode 100644 index 000000000000..b5aefa9bb370 --- /dev/null +++ b/pkg/cmd/server/origin/controller.go 
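Review bot: The rules gained `delete` on builds, `get` on buildconfigs and `get` on namespaces, but unlike the block this replaced in infra_sa_policy.go, which named the consumer of every rule (e.g. `// BuildController.PodManager (ControllerClient)`), nothing records which code path needs each grant, so the next least-privilege review of this role has to be done by guesswork. A short provenance comment above each rule naming the caller would preserve that audit trail; I cannot tell from the hunk which caller needs `delete` on builds, so the comment should come from whoever added it. The `init` function continues outside the hunk.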
@@ -0,0 +1,28 @@
+package origin
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ kapi "k8s.io/kubernetes/pkg/api"
+
+ "github.com/openshift/origin/pkg/cmd/server/origin/controller"
+)
+
+func (c *MasterConfig) NewOpenshiftControllerInitializers() (map[string]controller.InitFunc, error) {
+ ret := map[string]controller.InitFunc{}
+
+ // initialize build controller
+ storageVersion := c.Options.EtcdStorageConfig.OpenShiftStorageVersion
+ groupVersion := schema.GroupVersion{Group: "", Version: storageVersion}
+ codec := kapi.Codecs.LegacyCodec(groupVersion)
+
+ buildControllerConfig := controller.BuildControllerConfig{
+ DockerImage: c.ImageFor("docker-builder"),
+ STIImage: c.ImageFor("sti-builder"),
+ AdmissionPluginConfig: c.Options.AdmissionConfig.PluginConfig,
+ Codec: codec,
+ }
+
+ ret["build"] = buildControllerConfig.RunController
+
+ return ret, nil
+}
diff --git a/pkg/cmd/server/origin/controller/build.go b/pkg/cmd/server/origin/controller/build.go
new file mode 100644
index 000000000000..d968958f1fd9
--- /dev/null
+++ b/pkg/cmd/server/origin/controller/build.go
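Review bot: `NewOpenshiftControllerInitializers` is exported but undocumented, and the key `"build"` it registers is a bare string that start_master.go must spell identically in `allowedOpenshiftControllers.Insert("build")`; a named constant in the controller package (for example `const BuildControllerName = "build"`) used in both places would stop the two from drifting. The method also always returns a nil error, which is worth stating in its doc comment so callers know the error path is reserved for future initializers.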
@@ -0,0 +1,84 @@
+package controller
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apiserver/pkg/admission"
+ kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
+
+ builddefaults "github.com/openshift/origin/pkg/build/admission/defaults"
+ buildoverrides "github.com/openshift/origin/pkg/build/admission/overrides"
+ buildclient "github.com/openshift/origin/pkg/build/client"
+ buildcontrollerfactory "github.com/openshift/origin/pkg/build/controller/factory"
+ buildstrategy "github.com/openshift/origin/pkg/build/controller/strategy"
+ configapi "github.com/openshift/origin/pkg/cmd/server/api"
+ "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+)
+
+type BuildControllerConfig struct {
+ DockerImage string
+ STIImage string
+ AdmissionPluginConfig map[string]configapi.AdmissionPluginConfig
+
+ Codec runtime.Codec
+}
+
+// RunBuildController starts the build sync loop for builds and buildConfig processing.
+func (c *BuildControllerConfig) RunController(ctx ControllerContext) (bool, error) {
+ pluginInitializer := kubeadmission.NewPluginInitializer(
+ ctx.ClientBuilder.KubeInternalClientOrDie(bootstrappolicy.InfraBuildControllerServiceAccountName),
+ ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers(),
+ nil, // api authorizer, only used by PSP
+ nil, // cloud config
+ )
+ admissionControl, err := admission.InitPlugin("SecurityContextConstraint", nil, pluginInitializer)
+ if err != nil {
+ return true, err
+ }
+
+ buildDefaults, err := builddefaults.NewBuildDefaults(c.AdmissionPluginConfig)
+ if err != nil {
+ return true, err
+ }
+ buildOverrides, err := buildoverrides.NewBuildOverrides(c.AdmissionPluginConfig)
+ if err != nil {
+ return true, err
+ }
+
+ deprecatedOpenshiftClient, err := ctx.ClientBuilder.DeprecatedOpenshiftClient(bootstrappolicy.InfraBuildControllerServiceAccountName)
+ if err != nil {
+ return true, err
+ }
+
+ factory := buildcontrollerfactory.BuildControllerFactory{
+ KubeClient: ctx.ClientBuilder.KubeInternalClientOrDie(bootstrappolicy.InfraBuildControllerServiceAccountName),
+ ExternalKubeClient: ctx.ClientBuilder.ClientOrDie(bootstrappolicy.InfraBuildControllerServiceAccountName),
+ OSClient: deprecatedOpenshiftClient,
+ BuildUpdater: buildclient.NewOSClientBuildClient(deprecatedOpenshiftClient),
+ BuildLister: buildclient.NewOSClientBuildClient(deprecatedOpenshiftClient),
+ BuildConfigGetter: buildclient.NewOSClientBuildConfigClient(osclient),
+ BuildDeleter: buildclient.NewBuildDeleter(osclient),
+ DockerBuildStrategy: &buildstrategy.DockerBuildStrategy{
+ Image: c.DockerImage,
+ // TODO: this will be set to --storage-version (the internal schema we use)
+ Codec: c.Codec,
+ },
+ SourceBuildStrategy: &buildstrategy.SourceBuildStrategy{
+ Image: c.STIImage,
+ // TODO: this will be set to --storage-version (the internal schema we use)
+ Codec: c.Codec,
+ AdmissionControl: admissionControl,
+ },
+ CustomBuildStrategy: &buildstrategy.CustomBuildStrategy{
+ // TODO: this will be set to --storage-version (the internal schema we use)
+ Codec: c.Codec,
+ },
+ BuildDefaults: buildDefaults,
+ BuildOverrides: buildOverrides,
+ }
+
+ controller := factory.Create()
+ controller.Run()
+ deleteController := factory.CreateDeleteController()
+ deleteController.Run()
+ return true, nil
+}
diff --git a/pkg/cmd/server/origin/controller/interfaces.go b/pkg/cmd/server/origin/controller/interfaces.go
new file mode 100644
index 000000000000..04da4ae7836a
--- /dev/null
+++ b/pkg/cmd/server/origin/controller/interfaces.go
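Review bot: `BuildConfigGetter` and `BuildDeleter` are built from `osclient`, which this file neither imports nor declares — the only OpenShift client in scope is `deprecatedOpenshiftClient`, so unless a package-level `osclient` value exists elsewhere in the package the file does not compile; presumably both should read `buildclient.NewOSClientBuildConfigClient(deprecatedOpenshiftClient)` and `buildclient.NewBuildDeleter(deprecatedOpenshiftClient)`. The doc comment also names the method `RunBuildController` while the receiver method is `RunController`. A smaller point: `KubeInternalClientOrDie` is called twice for the same service account (once for the plugin initializer, once for `KubeClient`); building it once and reusing it avoids a second client construction and gives one place to handle the failure instead of a fatal exit.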
@@ -0,0 +1,78 @@
+package controller
+
+import (
+ "github.com/golang/glog"
+
+ kubecontroller "k8s.io/kubernetes/cmd/kube-controller-manager/app"
+ kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+ "k8s.io/kubernetes/pkg/controller"
+
+ osclient "github.com/openshift/origin/pkg/client"
+ "github.com/openshift/origin/pkg/controller/shared"
+)
+
+type ControllerContext struct {
+ KubeControllerContext kubecontroller.ControllerContext
+
+ // ClientBuilder will provide a client for this controller to use
+ ClientBuilder ControllerClientBuilder
+
+ DeprecatedOpenshiftInformers shared.InformerFactory
+
+ // Stop is the stop channel
+ Stop <-chan struct{}
+}
+
+// TODO wire this up to something that handles the names. The logic is available upstream, we just have to wire to it
+func (c ControllerContext) IsControllerEnabled(name string) bool {
+ return true
+}
+
+type ControllerClientBuilder interface {
+ controller.ControllerClientBuilder
+ KubeInternalClient(name string) (kclientsetinternal.Interface, error)
+ KubeInternalClientOrDie(name string) kclientsetinternal.Interface
+ DeprecatedOpenshiftClient(name string) (osclient.Interface, error)
+ DeprecatedOpenshiftClientOrDie(name string) osclient.Interface
+}
+
+// InitFunc is used to launch a particular controller. It may run additional "should I activate checks".
+// Any error returned will cause the controller process to `Fatal`
+// The bool indicates whether the controller was enabled.
+type InitFunc func(ctx ControllerContext) (bool, error)
+
+type OpenshiftControllerClientBuilder struct {
+ controller.ControllerClientBuilder
+}
+
+func (b OpenshiftControllerClientBuilder) KubeInternalClient(name string) (kclientsetinternal.Interface, error) {
+ clientConfig, err := b.Config(name)
+ if err != nil {
+ return nil, err
+ }
+ return kclientsetinternal.NewForConfig(clientConfig)
+}
+
+func (b OpenshiftControllerClientBuilder) KubeInternalClientOrDie(name string) kclientsetinternal.Interface {
+ client, err := b.KubeInternalClient(name)
+ if err != nil {
+ glog.Fatal(err)
+ }
+ return client
+}
+
+func (b OpenshiftControllerClientBuilder) DeprecatedOpenshiftClient(name string) (osclient.Interface, error) {
+ clientConfig, err := b.Config(name)
+ if err != nil {
+ return nil, err
+ }
+ return osclient.New(clientConfig)
+}
+
+func (b OpenshiftControllerClientBuilder) DeprecatedOpenshiftClientOrDie(name string) osclient.Interface {
+ client, err := b.DeprecatedOpenshiftClient(name)
+ if err != nil {
+ glog.Fatal(err)
+ }
+ return client
+}
diff --git a/pkg/cmd/server/origin/run_components.go b/pkg/cmd/server/origin/run_components.go
index 589f7cf8bead..acdd578f8482 100644
--- a/pkg/cmd/server/origin/run_components.go
+++ b/pkg/cmd/server/origin/run_components.go
@@ -13,7 +13,6 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 utilwait "k8s.io/apimachinery/pkg/util/wait"
- "k8s.io/apiserver/pkg/admission"
 kv1core "k8s.io/client-go/kubernetes/typed/core/v1"
 "k8s.io/client-go/util/cert"
 "k8s.io/client-go/util/flowcontrol"
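Review bot: `IsControllerEnabled` ignores its `name` argument and returns true, so the enable/disable gate that the caller in start_master.go consults is a no-op; the TODO acknowledges this, but the exported `ControllerContext`, `ControllerClientBuilder` and `OpenshiftControllerClientBuilder` types have no doc comments, and `Stop` is described only as "the stop channel" while nothing in the new build.go passes it to a controller's `Run`. Suggest a doc comment on `ControllerContext` naming which fields the current `InitFunc` consumes (`ClientBuilder`, `DeprecatedOpenshiftInformers`) and noting that `Stop` is carried for future use, plus one on the method such as `// IsControllerEnabled currently enables every controller regardless of name; see the TODO above.`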
@@ -28,19 +27,15 @@ import ( "k8s.io/kubernetes/pkg/controller" kresourcequota "k8s.io/kubernetes/pkg/controller/resourcequota" sacontroller "k8s.io/kubernetes/pkg/controller/serviceaccount" - kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" "k8s.io/kubernetes/pkg/registry/core/service/allocator" etcdallocator "k8s.io/kubernetes/pkg/registry/core/service/allocator/storage" "k8s.io/kubernetes/pkg/serviceaccount" serviceaccountadmission "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" "github.com/openshift/origin/pkg/authorization/controller/authorizationsync" - builddefaults "github.com/openshift/origin/pkg/build/admission/defaults" - buildoverrides "github.com/openshift/origin/pkg/build/admission/overrides" buildclient "github.com/openshift/origin/pkg/build/client" buildpodcontroller "github.com/openshift/origin/pkg/build/controller/buildpod" buildcontrollerfactory "github.com/openshift/origin/pkg/build/controller/factory" - buildstrategy "github.com/openshift/origin/pkg/build/controller/strategy" osclient "github.com/openshift/origin/pkg/client" oscache "github.com/openshift/origin/pkg/client/cache" configapi "github.com/openshift/origin/pkg/cmd/server/api" @@ -48,7 +43,6 @@ import ( "github.com/openshift/origin/pkg/cmd/server/crypto" cmdutil "github.com/openshift/origin/pkg/cmd/util" "github.com/openshift/origin/pkg/cmd/util/clientcmd" - "github.com/openshift/origin/pkg/controller/shared" deploycontroller "github.com/openshift/origin/pkg/deploy/controller/deployment" deployconfigcontroller "github.com/openshift/origin/pkg/deploy/controller/deploymentconfig" triggercontroller "github.com/openshift/origin/pkg/deploy/controller/generictrigger" @@ -252,6 +246,7 @@ func (c *MasterConfig) RunProjectCache() { c.ProjectCache.Run() } +<<<<<<< HEAD // RunBuildController starts the build sync loop for builds and buildConfig processing. func (c *MasterConfig) RunBuildController(informers shared.InformerFactory) error { // initialize build controller 
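Review bot: The `@@ -252` hunk adds a literal `<<<<<<< HEAD` line, and the `@@ -318` hunk on the next physical line adds the matching `=======` and `>>>>>>> 6f6552550b... rewire build controller initialization to use a controller init func` lines, so unresolved merge-conflict markers are being committed into run_components.go and the package will not compile. Judging by the removed imports (`admission`, `kubeadmission`, `builddefaults`, `buildoverrides`, `buildstrategy`, `shared`) and the new controller/build.go, the intent is to delete the old `RunBuildController` method entirely; as left, its signature still references `shared.InformerFactory` whose import the `@@ -48` hunk removes, which is a second compile error. The method body between the markers should be removed rather than fenced; `RunBuildController` itself spans beyond both hunks.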
@@ -318,6 +313,8 @@ func (c *MasterConfig) RunBuildController(informers shared.InformerFactory) erro return nil } +======= +>>>>>>> 6f6552550b... rewire build controller initialization to use a controller init func // RunBuildPodController starts the build/pod status sync loop for build status func (c *MasterConfig) RunBuildPodController() { buildInfomer := c.Informers.Builds().Informer() diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go index 396f72e78e8e..9546072af480 100644 --- a/pkg/cmd/server/start/start_master.go +++ b/pkg/cmd/server/start/start_master.go @@ -36,6 +36,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/etcd/etcdserver" kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master" "github.com/openshift/origin/pkg/cmd/server/origin" + origincontrollers "github.com/openshift/origin/pkg/cmd/server/origin/controller" "github.com/openshift/origin/pkg/cmd/templates" cmdutil "github.com/openshift/origin/pkg/cmd/util" "github.com/openshift/origin/pkg/cmd/util/pluginconfig" 
@@ -699,12 +700,57 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro glog.Infof("Started Kubernetes Controllers") - // no special order + openshiftControllerContext := origincontrollers.ControllerContext{ + KubeControllerContext: controllerContext, + ClientBuilder: origincontrollers.OpenshiftControllerClientBuilder{ + ControllerClientBuilder: controller.SAControllerClientBuilder{ + ClientConfig: restclient.AnonymousClientConfig(&oc.PrivilegedLoopbackClientConfig), + CoreClient: oc.PrivilegedLoopbackKubernetesClientsetExternal.Core(), + AuthenticationClient: oc.PrivilegedLoopbackKubernetesClientsetExternal.Authentication(), + Namespace: bootstrappolicy.DefaultOpenShiftInfraNamespace, + }, + }, + DeprecatedOpenshiftInformers: oc.Informers, + Stop: controllerContext.Stop, + } + openshiftControllerInitializers, err := oc.NewOpenshiftControllerInitializers() + + allowedOpenshiftControllers := sets.NewString() if configapi.IsBuildEnabled(&oc.Options) { - if err := oc.RunBuildController(oc.Informers); err != nil { - glog.Fatalf("Could not start build controller: %v", err) + allowedOpenshiftControllers.Insert("build") + } + + if err != nil { + glog.Errorf("Could not start build controller: %v", err) + return err + } + + for controllerName, initFn := range openshiftControllerInitializers { + // TODO remove this. 
Only call one to start to prove the principle + if !allowedOpenshiftControllers.Has(controllerName) { + glog.Warningf("%q is skipped", controllerName) + continue + } + if !openshiftControllerContext.IsControllerEnabled(controllerName) { + glog.Warningf("%q is disabled", controllerName) + continue + } + + glog.V(1).Infof("Starting %q", controllerName) + started, err := initFn(openshiftControllerContext) + if err != nil { + glog.Errorf("Error starting %q", controllerName) return err } + if !started { + glog.Warningf("Skipping %q", controllerName) + continue + } + glog.Infof("Started %q", controllerName) + } + + // no special order + if configapi.IsBuildEnabled(&oc.Options) { oc.RunBuildPodController() oc.RunBuildConfigChangeController() } diff --git a/test/integration/build_admission_test.go b/test/integration/build_admission_test.go index b76ce26c6d29..6eff026594f0 100644 --- a/test/integration/build_admission_test.go +++ b/test/integration/build_admission_test.go @@ -13,6 +13,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" testutil "github.com/openshift/origin/test/util" testserver "github.com/openshift/origin/test/util/server" + kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" ) // all build strategy types @@ -206,7 +207,8 @@ func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdmin if err != nil { t.Fatalf("unexpected error: %v", err) } - projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe") + var kubeClient kclientset.Interface + projectEditorClient, kubeClient, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe") if err != nil { t.Fatalf("unexpected error: %v", err) } 
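Review bot: The error from `oc.NewOpenshiftControllerInitializers()` is checked only after `allowedOpenshiftControllers` has been built, and under the message `Could not start build controller`, which is misleading because the failing call builds the initializer map for every controller; move the check directly under the call and log it as `glog.Errorf("Could not build openshift controller initializers: %v", err)`. In the loop, `glog.Errorf("Error starting %q", controllerName)` drops the error value — it should be `glog.Errorf("Error starting %q: %v", controllerName, err)` so the cause reaches the log before `return err` propagates it. The enclosing `startControllers` begins and ends outside the hunk.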
@@ -224,6 +226,12 @@ func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdmin t.Fatalf(err.Error()) } + if includeControllers { + if err := testserver.WaitForServiceAccounts(kubeClient, namespace, []string{"builder"}); err != nil { + t.Fatalf(err.Error()) + } + } + // we need a template that doesn't create service accounts or rolebindings so editors can create // pipeline buildconfig's successfully, so we're not using the standard jenkins template. // but we do need a template that creates a service named jenkins. diff --git a/test/integration/buildcontroller_test.go b/test/integration/buildcontroller_test.go index b0973c628c8a..44227c79506d 100644 --- a/test/integration/buildcontroller_test.go +++ b/test/integration/buildcontroller_test.go @@ -4,12 +4,18 @@ import ( "testing" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/wait" + restclient "k8s.io/client-go/rest" + kctrlmgr "k8s.io/kubernetes/cmd/kube-controller-manager/app" + cmapp "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" kapi "k8s.io/kubernetes/pkg/api" kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" + "k8s.io/kubernetes/pkg/controller" "github.com/openshift/origin/pkg/client" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" "github.com/openshift/origin/pkg/cmd/server/origin" + origincontrollers "github.com/openshift/origin/pkg/cmd/server/origin/controller" "github.com/openshift/origin/test/common/build" testutil "github.com/openshift/origin/test/util" testserver "github.com/openshift/origin/test/util/server" 
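Review bot: The new `t.Fatalf(err.Error())` passes the error text as a format string, so any `%` in the message is interpreted as a verb and `go vet` flags the non-constant format; `t.Fatal(err)` is the idiomatic form. The context line just above uses the same pattern, so this only mirrors existing code, but new lines are the place to stop repeating it. `setupBuildStrategyTest` continues outside the hunk.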
@@ -106,8 +112,51 @@ func setupBuildControllerTest(counts controllerCount, t *testing.T) (*client.Cli
 // We don't want to proceed with the rest of the test until those are available
 openshiftConfig.BuildControllerClients()
 
+ // this test wants to duplicate the controllers, so it needs to duplicate the wiring.
+ // TODO have this simply start the particular controller it wants multiple times
+ controllerManagerOptions := cmapp.NewCMServer()
+ rootClientBuilder := controller.SimpleControllerClientBuilder{
+ ClientConfig: &openshiftConfig.PrivilegedLoopbackClientConfig,
+ }
+ saClientBuilder := controller.SAControllerClientBuilder{
+ ClientConfig: restclient.AnonymousClientConfig(&openshiftConfig.PrivilegedLoopbackClientConfig),
+ CoreClient: openshiftConfig.PrivilegedLoopbackKubernetesClientsetExternal.Core(),
+ AuthenticationClient: openshiftConfig.PrivilegedLoopbackKubernetesClientsetExternal.Authentication(),
+ Namespace: "kube-system",
+ }
+ availableResources, err := kctrlmgr.GetAvailableResources(rootClientBuilder)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ controllerContext := kctrlmgr.ControllerContext{
+ ClientBuilder: saClientBuilder,
+ InformerFactory: openshiftConfig.Informers.KubernetesInformers(),
+ Options: *controllerManagerOptions,
+ AvailableResources: availableResources,
+ Stop: wait.NeverStop,
+ }
+
+ openshiftControllerContext := origincontrollers.ControllerContext{
+ KubeControllerContext: controllerContext,
+ ClientBuilder: origincontrollers.OpenshiftControllerClientBuilder{
+ ControllerClientBuilder: controller.SAControllerClientBuilder{
+ ClientConfig: restclient.AnonymousClientConfig(&openshiftConfig.PrivilegedLoopbackClientConfig),
+ CoreClient: openshiftConfig.PrivilegedLoopbackKubernetesClientsetExternal.Core(),
+ AuthenticationClient: openshiftConfig.PrivilegedLoopbackKubernetesClientsetExternal.Authentication(),
+ Namespace: bootstrappolicy.DefaultOpenShiftInfraNamespace,
+ },
+ },
+ DeprecatedOpenshiftInformers: 
openshiftConfig.Informers, + Stop: controllerContext.Stop, + } + openshiftControllerInitializers, err := openshiftConfig.NewOpenshiftControllerInitializers() + for i := 0; i < counts.BuildControllers; i++ { - openshiftConfig.RunBuildController(openshiftConfig.Informers) + _, err := openshiftControllerInitializers["build"](openshiftControllerContext) + if err != nil { + t.Fatal(err) + } } for i := 0; i < counts.BuildPodControllers; i++ { openshiftConfig.RunBuildPodController() diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index e7ab8fabe8ef..20c56b2078bd 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -3610,6 +3610,13 @@ items: - delete - get - list + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get - apiGroups: - "" attributeRestrictions: null From aa35b697a82d44e5dbdd699ec0063d45cd4f7f7b Mon Sep 17 00:00:00 2001 From: Michal Fojtik Date: Tue, 2 May 2017 16:30:09 +0200 Subject: [PATCH 3/9] deploy: fix the owner reference kind to be rc --- pkg/deploy/controller/deployment/deployment_controller.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/deploy/controller/deployment/deployment_controller.go b/pkg/deploy/controller/deployment/deployment_controller.go index 1740e5355ebd..461cfff98200 100755 --- a/pkg/deploy/controller/deployment/deployment_controller.go +++ b/pkg/deploy/controller/deployment/deployment_controller.go 
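Review bot: The error returned by `openshiftConfig.NewOpenshiftControllerInitializers()` is never checked — the next use of `err` is a fresh `:=` inside the loop — and `openshiftControllerInitializers["build"]` is indexed without a presence check, so a missing or failed initializer surfaces as a nil-function panic rather than a test failure. Checking the error and the map lookup once before the loop gives a readable failure; the rewrite is below. Separately, `Stop: wait.NeverStop` means the controllers started here are never told to stop, which is presumably tolerated because the test server is short-lived, but a per-test stop channel closed at teardown would make that explicit. `setupBuildControllerTest` starts before and ends after this hunk.
```go
openshiftControllerInitializers, err := openshiftConfig.NewOpenshiftControllerInitializers()
if err != nil {
	t.Fatal(err)
}
initBuild, ok := openshiftControllerInitializers["build"]
if !ok {
	t.Fatal("no initializer registered for the build controller")
}
for i := 0; i < counts.BuildControllers; i++ {
	if _, err := initBuild(openshiftControllerContext); err != nil {
		t.Fatal(err)
	}
}
// … unchanged: BuildPodControllers loop …
```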
@@ -329,10 +329,8 @@ func (c *DeploymentController) makeDeployerPod(deployment *kapi.ReplicationContr
 // and the deployer pod is preserved when a revisionHistory limit is reached and the
 // deployment is removed, we also remove the deployer pod with it.
 OwnerReferences: []metav1.OwnerReference{{
- // FIXME: This will have to point to apps.openshift.io/v1 after we switch to
- // clientsets.
 APIVersion: "v1",
- Kind: deployapi.Kind("DeploymentConfig").Kind,
+ Kind: kapi.Kind("ReplicationController").Kind,
 Name: deployment.Name,
 UID: deployment.UID,
 }},
From 8ca79b0563d424e1a09d31d2862e3a92554853db Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Tue, 2 May 2017 16:44:14 +0200
Subject: [PATCH 4/9] deploy: set background propagation policy for old deployment cleanup
---
 .../deploymentconfig/deploymentconfig_controller.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/deploy/controller/deploymentconfig/deploymentconfig_controller.go b/pkg/deploy/controller/deploymentconfig/deploymentconfig_controller.go
index 50f7269e2b7e..f66b74abedd0 100644
--- a/pkg/deploy/controller/deploymentconfig/deploymentconfig_controller.go
+++ b/pkg/deploy/controller/deploymentconfig/deploymentconfig_controller.go
@@ -7,6 +7,7 @@ import (
 "github.com/golang/glog"
 
 kapierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 kutilerrors "k8s.io/apimachinery/pkg/util/errors"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -428,7 +429,10 @@ func (c *DeploymentConfigController) cleanupOldDeployments(existingDeployments [
 continue
 }
 
- err := c.rn.ReplicationControllers(deployment.Namespace).Delete(deployment.Name, nil)
+ policy := metav1.DeletePropagationBackground
+ err := c.rn.ReplicationControllers(deployment.Namespace).Delete(deployment.Name, &metav1.DeleteOptions{
+ PropagationPolicy: &policy,
+ })
 if err != nil && !kapierrors.IsNotFound(err) {
 deletionErrors = append(deletionErrors, err)
 }
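Review bot: The switch to `DeletePropagationBackground` in `cleanupOldDeployments` changes who removes the dependents: the RC is deleted right away and the garbage collector later removes objects whose ownerReference points at it, which after patches 3 and 5 of this series includes the deployer and hook pods. That reliance on a running garbage collector is not visible from the code, so a why-comment is warranted, e.g. `// Background propagation: the GC removes dependents (deployer/hook pods carrying an ownerRef to this RC) once the RC is gone.` The `policy` variable is also re-declared on every iteration of the enclosing loop and can be hoisted above it. `cleanupOldDeployments` starts and ends outside the hunk.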
From f10dae7d5f5e5e54a2fa0e375fa8ae6bbf162c03 Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Wed, 3 May 2017 14:44:39 +0200
Subject: [PATCH 5/9] deploy: automatically set ownerRef for hook pods when rollout fail
---
 .../deployment/deployment_controller.go | 76 ++++++++++++++++++-
 .../deployment/deployment_controller_test.go | 8 +-
 2 files changed, 80 insertions(+), 4 deletions(-)
diff --git a/pkg/deploy/controller/deployment/deployment_controller.go b/pkg/deploy/controller/deployment/deployment_controller.go
index 461cfff98200..2b06e8594ee0 100755
--- a/pkg/deploy/controller/deployment/deployment_controller.go
+++ b/pkg/deploy/controller/deployment/deployment_controller.go
@@ -8,12 +8,16 @@ import (
 kerrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
+ kutilerrors "k8s.io/apimachinery/pkg/util/errors"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/strategicpatch"
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/tools/record"
 "k8s.io/client-go/util/workqueue"
 kapi "k8s.io/kubernetes/pkg/api"
+ kapiv1 "k8s.io/kubernetes/pkg/api/v1"
 kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 kcorelisters "k8s.io/kubernetes/pkg/client/listers/core/internalversion"
@@ -206,6 +210,12 @@ func (c *DeploymentController) handle(deployment *kapi.ReplicationController, wi
 if err := c.cleanupDeployerPods(deployment); err != nil {
 return err
 }
+ } else {
+ // Set an ownerRef for the deployment lifecycle pods so they are cleaned up when the
+ // replication controller is deleted.
+ if err := c.setDeployerPodsOwnerRef(deployment); err != nil {
+ return err
+ }
 }
 }
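Review bot: The added `else` branch — the why-comment plus the `setDeployerPodsOwnerRef` call — is repeated verbatim in the next hunk (`@@ -216,6 +226,12 @@`) of the same `handle` method; if the two case arms gate on the same cleanup condition the branch could be written once after the switch, otherwise a small helper wrapping the comment and the call would keep the two copies in step. Note also that `setDeployerPodsOwnerRef` now runs on every resync of a deployment in these states and relies on the `len(pod.OwnerReferences) > 0` guard in its body to stay idempotent, which is worth saying in the comment. `handle` starts and ends outside the hunk, so the conditions on the two arms are not visible to me.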
@@ -216,6 +226,12 @@ func (c *DeploymentController) handle(deployment *kapi.ReplicationController, wi
 if err := c.cleanupDeployerPods(deployment); err != nil {
 return err
 }
+ } else {
+ // Set an ownerRef for the deployment lifecycle pods so they are cleaned up when the
+ // replication controller is deleted.
+ if err := c.setDeployerPodsOwnerRef(deployment); err != nil {
+ return err
+ }
 }
 case deployapi.DeploymentStatusComplete:
@@ -412,9 +428,65 @@ func (c *DeploymentController) makeDeployerContainer(strategy *deployapi.Deploym
 }
 }
 
+func (c *DeploymentController) getDeployerPods(deployment *kapi.ReplicationController) ([]*kapi.Pod, error) {
+ return c.podLister.Pods(deployment.Namespace).List(deployutil.DeployerPodSelector(deployment.Name))
+}
+
+func (c *DeploymentController) setDeployerPodsOwnerRef(deployment *kapi.ReplicationController) error {
+ deployerPodsList, err := c.getDeployerPods(deployment)
+ if err != nil {
+ return fmt.Errorf("couldn't fetch deployer pods for %q: %v", deployutil.LabelForDeployment(deployment), err)
+ }
+
+ encoder := kapi.Codecs.LegacyCodec(kapi.Registry.EnabledVersions()...)
+ glog.V(4).Infof("deployment %s/%s owning %d pods", deployment.Namespace, deployment.Name, len(deployerPodsList))
+
+ var errors []error
+ for _, pod := range deployerPodsList {
+ if len(pod.OwnerReferences) > 0 {
+ continue
+ }
+ glog.V(4).Infof("setting ownerRef for pod %s/%s to deployment %s/%s", pod.Namespace, pod.Name, deployment.Namespace, deployment.Name)
+ objCopy, err := kapi.Scheme.DeepCopy(pod)
+ if err != nil {
+ errors = append(errors, err)
+ continue
+ }
+ newPod, ok := objCopy.(*kapi.Pod)
+ if !ok {
+ errors = append(errors, fmt.Errorf("object %#+v is not a pod", objCopy))
+ continue
+ }
+ newPod.SetOwnerReferences([]metav1.OwnerReference{{
+ APIVersion: "v1",
+ Name: deployment.Name,
+ Kind: kapi.Kind("ReplicationController").Kind,
+ UID: deployment.UID,
+ }})
+ newPodBytes, err := runtime.Encode(encoder, newPod)
+ if err != nil {
+ errors = append(errors, err)
+ continue
+ }
+ oldPodBytes, err := runtime.Encode(encoder, pod)
+ if err != nil {
+ errors = append(errors, err)
+ continue
+ }
+ patchBytes, err := strategicpatch.CreateTwoWayMergePatch(oldPodBytes, newPodBytes, &kapiv1.Pod{})
+ if err != nil {
+ errors = append(errors, err)
+ continue
+ }
+ if _, err := c.pn.Pods(pod.Namespace).Patch(pod.Name, types.StrategicMergePatchType, patchBytes); err != nil {
+ errors 
= append(errors, err)
+ }
+ }
+ return kutilerrors.NewAggregate(errors)
+}
+
 func (c *DeploymentController) cleanupDeployerPods(deployment *kapi.ReplicationController) error {
- selector := deployutil.DeployerPodSelector(deployment.Name)
- deployerList, err := c.podLister.Pods(deployment.Namespace).List(selector)
+ deployerList, err := c.getDeployerPods(deployment)
 if err != nil {
 return fmt.Errorf("couldn't fetch deployer pods for %q: %v", deployutil.LabelForDeployment(deployment), err)
 }
diff --git a/pkg/deploy/controller/deployment/deployment_controller_test.go b/pkg/deploy/controller/deployment/deployment_controller_test.go
index 8b8f6f54f191..939f51b4f9ee 100644
--- a/pkg/deploy/controller/deployment/deployment_controller_test.go
+++ b/pkg/deploy/controller/deployment/deployment_controller_test.go
@@ -122,6 +122,9 @@ func TestHandle_createPodOk(t *testing.T) {
 createdPod = pod
 return true, pod, nil
 })
+ client.AddReactor("patch", "pods", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) {
+ return true, nil, nil
+ })
 client.AddReactor("update", "replicationcontrollers", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) {
 rc := action.(clientgotesting.UpdateAction).GetObject().(*kapi.ReplicationController)
 updatedDeployment = rc
@@ -436,8 +439,9 @@ func TestHandle_noop(t *testing.T) {
 continue
 }
 
- if len(client.Actions()) > 0 {
- t.Errorf("%s: unexpected actions: %v", test.name, client.Actions())
+ // Expect only patching for ownerRefs
+ if len(client.Actions()) != 1 {
+ t.Errorf("%s: unexpected %d actions: %#+v", test.name, len(client.Actions()), client.Actions())
 }
 }
 }
From a62205970eb63eeb68c2bf55ef75241a2ecaae32 Mon Sep 17 00:00:00 2001
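Review bot: `var errors []error` in `setDeployerPodsOwnerRef` reuses the name of the stdlib `errors` package; this file does not import it (it uses `kerrors`/`kutilerrors`), so it compiles, but `errs` avoids the confusion and reads naturally as `kutilerrors.NewAggregate(errs)`. The V(4) message `deployment %s/%s owning %d pods` also reports the full deployer-pod count before the `len(pod.OwnerReferences) > 0` filter, so it overstates what will be patched; `found %d deployer pods for %s/%s` or a count taken after the loop would be accurate. Skipping pods that already carry an owner of any kind is the right choice — the controller should not rewrite ownership it did not establish — and deserves a one-line comment on the guard so nobody "fixes" it into an unconditional overwrite.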
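Review bot: The rewritten assertion in `TestHandle_noop` only checks `len(client.Actions()) != 1`, so any single action — a stray update or delete included — would satisfy the comment `Expect only patching for ownerRefs`; pin the verb and resource instead: `if a := client.Actions(); len(a) != 1 || !a[0].Matches("patch", "pods") {` and report `a` in the `t.Errorf`. `TestHandle_noop` starts outside the hunk.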
From: Michal Fojtik
Date: Wed, 10 May 2017 14:37:23 +0200
Subject: [PATCH 6/9] deploy: rename deployment controller to deployer controller
---
 pkg/cmd/server/origin/run_components.go | 4 ++--
 .../deployer_controller.go} | 0
 .../deployer_controller_test.go} | 2 +-
 pkg/deploy/controller/{deployment => deployer}/factory.go | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
 rename pkg/deploy/controller/{deployment/deployment_controller.go => deployer/deployer_controller.go} (100%)
 rename pkg/deploy/controller/{deployment/deployment_controller_test.go => deployer/deployer_controller_test.go} (99%)
 rename pkg/deploy/controller/{deployment => deployer}/factory.go (98%)
diff --git a/pkg/cmd/server/origin/run_components.go b/pkg/cmd/server/origin/run_components.go
index acdd578f8482..61cd6a2c9ae0 100644
--- a/pkg/cmd/server/origin/run_components.go
+++ b/pkg/cmd/server/origin/run_components.go
@@ -43,7 +43,7 @@ import (
 "github.com/openshift/origin/pkg/cmd/server/crypto"
 cmdutil "github.com/openshift/origin/pkg/cmd/util"
 "github.com/openshift/origin/pkg/cmd/util/clientcmd"
- deploycontroller "github.com/openshift/origin/pkg/deploy/controller/deployment"
+ deployercontroller "github.com/openshift/origin/pkg/deploy/controller/deployer"
 deployconfigcontroller "github.com/openshift/origin/pkg/deploy/controller/deploymentconfig"
 triggercontroller "github.com/openshift/origin/pkg/deploy/controller/generictrigger"
 deployclient "github.com/openshift/origin/pkg/deploy/generated/internalclientset/typed/apps/internalversion"
@@ -360,7 +360,7 @@ func (c *MasterConfig) RunDeploymentController() {
 path.Join(serviceaccountadmission.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey),
 )
 
- controller := deploycontroller.NewDeploymentController(
+ controller := deployercontroller.NewDeployerController(
 rcInformer,
 podInformer,
 internalKubeClientset,
diff --git a/pkg/deploy/controller/deployment/deployment_controller.go b/pkg/deploy/controller/deployer/deployer_controller.go
similarity index 100%
rename from pkg/deploy/controller/deployment/deployment_controller.go
rename to pkg/deploy/controller/deployer/deployer_controller.go
diff --git a/pkg/deploy/controller/deployment/deployment_controller_test.go b/pkg/deploy/controller/deployer/deployer_controller_test.go
similarity index 99%
rename from pkg/deploy/controller/deployment/deployment_controller_test.go
rename to pkg/deploy/controller/deployer/deployer_controller_test.go
index 939f51b4f9ee..64f6df4059fd 100644
--- a/pkg/deploy/controller/deployment/deployment_controller_test.go
+++ b/pkg/deploy/controller/deployer/deployer_controller_test.go
@@ -42,7 +42,7 @@ func okDeploymentController(client kclientset.Interface, deployment *kapi.Replic
 rcInformer := informerFactory.Core().InternalVersion().ReplicationControllers()
 podInformer := informerFactory.Core().InternalVersion().Pods()
 
- c := NewDeploymentController(rcInformer, podInformer, client, kfakeexternal.NewSimpleClientset(), "sa:test", "openshift/origin-deployer", env, codec)
+ c := NewDeployerController(rcInformer, podInformer, client, kfakeexternal.NewSimpleClientset(), "sa:test", "openshift/origin-deployer", env, codec)
 c.podListerSynced = alwaysReady
 c.rcListerSynced = alwaysReady
diff --git a/pkg/deploy/controller/deployment/factory.go b/pkg/deploy/controller/deployer/factory.go
similarity index 98%
rename from pkg/deploy/controller/deployment/factory.go
rename to pkg/deploy/controller/deployer/factory.go
index 39bf78bb315a..3e1004c260b2 100644
--- a/pkg/deploy/controller/deployment/factory.go
+++ b/pkg/deploy/controller/deployer/factory.go
@@ -30,8 +30,8 @@ const (
 storeSyncedPollPeriod = 100 * time.Millisecond
 )
 
-// NewDeploymentController creates a new DeploymentController.
-func NewDeploymentController(
+// NewDeployerController creates a new DeploymentController.
+func NewDeployerController(
 rcInformer kcoreinformers.ReplicationControllerInformer,
 podInformer kcoreinformers.PodInformer,
 internalKubeClientset kclientset.Interface,
From 6ddf8dcc71e2692598508d6c106818bb583506be Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Fri, 12 May 2017 14:41:12 +0200
Subject: [PATCH 7/9] deploy: use correct client for deployer controller
---
 pkg/cmd/server/origin/master_config.go | 17 +++++++++++++----
 pkg/cmd/server/origin/run_components.go | 8 ++++----
 pkg/cmd/server/start/start_master.go | 2 +-
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
index 3119b5166eca..8b8111ec1d22 100644
--- a/pkg/cmd/server/origin/master_config.go
+++ b/pkg/cmd/server/origin/master_config.go
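Review bot: The doc comment `// NewDeployerController creates a new DeploymentController.` now pairs the renamed constructor with the old type name; the deployer_controller.go rename in this patch is recorded at 100% similarity, so the `DeploymentController` type itself was evidently not renamed and the comment is literally true but reads like a typo. Either rename the type in the same series or make the relationship explicit, e.g. `// NewDeployerController creates a new DeploymentController, the controller that runs deployer pods for a deployment.` The parameter list continues outside the hunk.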
@@ -994,9 +994,14 @@ func (c *MasterConfig) DeploymentConfigInstantiateClients() (*osclient.Client, k
 return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal
 }
 
-// DeploymentControllerClients returns the deployment controller client objects
-func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) {
- _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName)
+// DeploymentConfigClients returns deploymentConfig and deployment client objects
+func (c *MasterConfig) DeploymentConfigClients() (*osclient.Client, kclientsetinternal.Interface) {
+ return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal
+}
+
+// DeployerControllerClients returns the deployer controller client objects
+func (c *MasterConfig) DeployerControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) {
+ _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeployerControllerServiceAccountName)
 if err != nil {
 glog.Fatal(err)
 }
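Review bot: `DeploymentConfigClients` hands out `PrivilegedLoopbackOpenShiftClient` and `PrivilegedLoopbackKubernetesClientsetInternal` — the master's own unrestricted identity — while `DeployerControllerClients` directly below it obtains clients scoped to a service account through `GetServiceAccountClients`, which is the point of this patch. Whatever calls the new method therefore runs outside the `system:openshift:controller:*` roles and its requests are audited as the loopback user rather than a controller SA. Its caller is not in this hunk, so this may be intended for a non-controller path (the neighbouring `DeploymentConfigInstantiateClients` returns the same pair), but the doc comment should say so: `// DeploymentConfigClients returns the privileged loopback clients; controllers must use the SA-scoped *ControllerClients methods instead.` The context lines `if err != nil { glog.Fatal(err) }` now belong to `DeployerControllerClients`, whose body ends outside the hunk.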
@@ -1019,7 +1024,11 @@ func (c *MasterConfig) DeploymentConfigClients() (*osclient.Client, kclientsetin
 // DeploymentConfigControllerClients returns the deploymentConfig controller client objects
 func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) {
- return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal, c.PrivilegedLoopbackKubernetesClientsetExternal
+ _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName)
+ if err != nil {
+ glog.Fatal(err)
+ }
+ return osClient, internalKubeClientset, externalKubeClientset
 }
 
 // DeploymentTriggerControllerClient returns the deploymentConfig trigger controller client object
diff --git a/pkg/cmd/server/origin/run_components.go b/pkg/cmd/server/origin/run_components.go
index 61cd6a2c9ae0..a3a5f61ec7f1 100644
--- a/pkg/cmd/server/origin/run_components.go
+++ b/pkg/cmd/server/origin/run_components.go
@@ -341,16 +341,16 @@ func (c *MasterConfig) RunBuildConfigChangeController() {
 factory.Create().Run()
 }
 
-// RunDeploymentController starts the deployment controller process.
-func (c *MasterConfig) RunDeploymentController() {
+// RunDeployerController starts the deployment controller process.
+func (c *MasterConfig) RunDeployerController() {
 // TODO these should be external
 rcInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers()
 podInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().Pods()
- _, internalKubeClientset, externalKubeClientset := c.DeploymentControllerClients()
+ _, internalKubeClientset, externalKubeClientset := c.DeployerControllerClients()
 _, kclientConfig, err := configapi.GetInternalKubeClient(c.Options.MasterClients.OpenShiftLoopbackKubeConfig, c.Options.MasterClients.OpenShiftLoopbackClientConnectionOverrides)
 if err != nil {
- glog.Fatalf("Unable to initialize deployment controller: %v", err)
+ glog.Fatalf("Unable to initialize deployer controller: %v", err)
 }
 // TODO eliminate these environment variables once service accounts provide a kubeconfig that includes all of this info
 env := clientcmd.EnvVars(
diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
index 9546072af480..0501caaddbf8 100644
--- a/pkg/cmd/server/start/start_master.go
+++ b/pkg/cmd/server/start/start_master.go
@@ -755,7 +755,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 oc.RunBuildConfigChangeController()
 }
 
- oc.RunDeploymentController()
+ oc.RunDeployerController()
 oc.RunDeploymentConfigController()
 oc.RunDeploymentTriggerController()
 oc.RunImageTriggerController()
From 4bd76cf1f5fba8f27d2830c882f452ae58b92fab Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Fri, 12 May 2017 14:40:53 +0200
Subject: [PATCH 8/9] auth: add rbac roles for deployments
---
 .../bootstrappolicy/controller_policy.go | 20 ++
 pkg/cmd/server/bootstrappolicy/dead.go | 2 +
 .../server/bootstrappolicy/infra_sa_policy.go | 88 +-------
 .../bootstrap_cluster_role_bindings.yaml | 28 +++
 .../bootstrap_cluster_roles.yaml | 196 +++++++++---------
 5 files changed, 156 insertions(+), 178 deletions(-)
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
index 390974fd0908..1e0a3baf062e 100644
--- a/pkg/cmd/server/bootstrappolicy/controller_policy.go
+++ b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -57,6 +57,26 @@ func init() {
 eventsRule(),
 },
 })
+
+ addControllerRole(rbac.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeployerControllerServiceAccountName},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("create", "get", "list", "watch", "update", "patch", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+ rbac.NewRule("create", "get", "list", "watch", "update", "delete").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
+ eventsRule(),
+ },
+ })
+
+ addControllerRole(rbac.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentConfigControllerServiceAccountName},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+ rbac.NewRule("create", "get", "list", "watch", "update", "delete").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
+ rbac.NewRule("update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/status").RuleOrDie(),
+ rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
+ eventsRule(),
+ },
+ })
 }
 
 // ControllerRoles returns the cluster roles used by controllers
diff --git a/pkg/cmd/server/bootstrappolicy/dead.go b/pkg/cmd/server/bootstrappolicy/dead.go
index 47381aeb88a7..980c9309e465 100644
--- a/pkg/cmd/server/bootstrappolicy/dead.go
+++ b/pkg/cmd/server/bootstrappolicy/dead.go
@@ -49,5 +49,7 @@ func init() {
 // these were moved under system:openshift:controller:*
 addDeadClusterRole("system:build-controller")
+ addDeadClusterRole("system:deploymentconfig-controller")
+ addDeadClusterRole("system:deployment-controller")
 }
diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
index d4e8e6d36457..34585bec8067 100644
--- a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
+++ b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
@@ -23,16 +23,11 @@ import (
 )
 
 const (
- InfraBuildControllerServiceAccountName = "build-controller"
-
- InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller"
- ImageTriggerControllerRoleName = "system:imagetrigger-controller"
-
+ InfraBuildControllerServiceAccountName = "build-controller"
+ InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller"
+ ImageTriggerControllerRoleName = "system:imagetrigger-controller"
 InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller"
- DeploymentConfigControllerRoleName = "system:deploymentconfig-controller"
-
- InfraDeploymentControllerServiceAccountName = "deployment-controller"
- DeploymentControllerRoleName = "system:deployment-controller"
+ InfraDeployerControllerServiceAccountName = "deployer-controller"
 
 InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller"
 PersistentVolumeBinderControllerRoleName = "system:pv-binder-controller"
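Review bot: Changing the constant's value from `deployment-controller` to `deployer-controller` renames the service account that `InfraSAs` creates in openshift-infra; this patch's dead.go hunk retires the old `system:deployment-controller` role, but nothing visible removes the already-created `deployment-controller` service account or the token secrets issued for it, so an upgraded cluster keeps a credential that nothing uses any more. A comment at the constant — `// renamed from "deployment-controller"; the old SA and its tokens must be removed on upgrade` — or a removal step next to `addDeadClusterRole` would keep that from being forgotten. The `InfraSAs.addServiceAccount` wiring for this constant is outside the hunk, so I cannot confirm whether a migration exists elsewhere.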
@@ -185,81 +180,6 @@ func init() {
 panic(err)
 }
 
- err = InfraSAs.addServiceAccount(
- InfraDeploymentConfigControllerServiceAccountName,
- authorizationapi.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: DeploymentConfigControllerRoleName,
- },
- Rules: []authorizationapi.PolicyRule{
- // DeploymentControllerFactory.deploymentLW
- {
- Verbs: sets.NewString("list", "watch"),
- Resources: sets.NewString("replicationcontrollers"),
- },
- // DeploymentControllerFactory.deploymentClient
- {
- Verbs: sets.NewString("get", "update"),
- Resources: sets.NewString("replicationcontrollers"),
- },
- // DeploymentController.podClient
- {
- Verbs: sets.NewString("get", "list", "create", "watch", "delete", "update"),
- Resources: sets.NewString("pods"),
- },
- // DeploymentController.recorder (EventBroadcaster)
- {
- Verbs: sets.NewString("create", "update", "patch"),
- Resources: sets.NewString("events"),
- },
- },
- },
- )
- if err != nil {
- panic(err)
- }
-
- err = InfraSAs.addServiceAccount(
- InfraDeploymentControllerServiceAccountName,
- authorizationapi.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: DeploymentControllerRoleName,
- },
- Rules: []authorizationapi.PolicyRule{
- {
- APIGroups: []string{extensions.GroupName},
- Verbs: sets.NewString("get", "list", "watch", "update"),
- Resources: sets.NewString("deployments"),
- },
- {
- APIGroups: []string{extensions.GroupName},
- Verbs: sets.NewString("update"),
- Resources: sets.NewString("deployments/status"),
- },
- {
- APIGroups: []string{extensions.GroupName},
- Verbs: sets.NewString("list", "watch", "get", "create", "patch", "update", "delete"),
- Resources: sets.NewString("replicasets"),
- },
- {
- APIGroups: []string{""},
- // TODO: remove "update" once
- // https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
- Verbs: sets.NewString("get", "list", "watch", "update"), - Resources: sets.NewString("pods"), - }, - { - APIGroups: []string{""}, - Verbs: sets.NewString("create", "update", "patch"), - Resources: sets.NewString("events"), - }, - }, - }, - ) - if err != nil { - panic(err) - } - err = InfraSAs.addServiceAccount( InfraPersistentVolumeRecyclerControllerServiceAccountName, authorizationapi.ClusterRole{ diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml index 79de6a343ec8..c60e2f7625fe 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml @@ -652,6 +652,34 @@ items: namespace: openshift-infra userNames: - system:serviceaccount:openshift-infra:build-controller +- apiVersion: v1 + groupNames: null + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:openshift:controller:deployer-controller + roleRef: + name: system:openshift:controller:deployer-controller + subjects: + - kind: ServiceAccount + name: deployer-controller + namespace: openshift-infra + userNames: + - system:serviceaccount:openshift-infra:deployer-controller +- apiVersion: v1 + groupNames: null + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:openshift:controller:deploymentconfig-controller + roleRef: + name: system:openshift:controller:deploymentconfig-controller + subjects: + - kind: ServiceAccount + name: deploymentconfig-controller + namespace: openshift-infra + userNames: + - system:serviceaccount:openshift-infra:deploymentconfig-controller - apiVersion: v1 groupNames: - system:masters diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 20c56b2078bd..78525907d7fd 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml 
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -2878,105 +2878,15 @@ items: - apiVersion: v1 kind: ClusterRole metadata: - annotations: - authorization.openshift.io/system-only: "true" creationTimestamp: null - name: system:deployment-controller - rules: - - apiGroups: - - extensions - attributeRestrictions: null - resources: - - deployments - verbs: - - get - - list - - update - - watch - - apiGroups: - - extensions - attributeRestrictions: null - resources: - - deployments/status - verbs: - - update - - apiGroups: - - extensions - attributeRestrictions: null - resources: - - replicasets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - attributeRestrictions: null - resources: - - pods - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - attributeRestrictions: null - resources: - - events - verbs: - - create - - patch - - update + name: system:deploymentconfig-controller + rules: [] - apiVersion: v1 kind: ClusterRole metadata: - annotations: - authorization.openshift.io/system-only: "true" creationTimestamp: null - name: system:deploymentconfig-controller - rules: - - apiGroups: - - "" - attributeRestrictions: null - resources: - - replicationcontrollers - verbs: - - list - - watch - - apiGroups: - - "" - attributeRestrictions: null - resources: - - replicationcontrollers - verbs: - - get - - update - - apiGroups: - - "" - attributeRestrictions: null - resources: - - pods - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - "" - attributeRestrictions: null - resources: - - events - verbs: - - create - - patch - - update + name: system:deployment-controller + rules: [] - apiVersion: v1 kind: ClusterRole metadata: 
@@ -3626,6 +3536,104 @@ items: - create - patch - update +- apiVersion: v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + creationTimestamp: null + name: system:openshift:controller:deployer-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + creationTimestamp: null + name: system:openshift:controller:deploymentconfig-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - "" + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs/status + verbs: + - update + - apiGroups: + - "" + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update - apiVersion: v1 kind: ClusterRole metadata: From c3d4af7de8abd8cc89816e2ecb8bc0c5377f2be8 Mon Sep 17 00:00:00 2001 
From: Michal Fojtik
Date: Thu, 18 May 2017 13:12:00 +0200
Subject: [PATCH 9/9] deploy: rewire deployment controllers initialization to use a controller init func
---
 pkg/authorization/authorizer/subjects_test.go | 19 ++-
 .../bootstrappolicy/controller_policy.go | 20 ++-
 .../server/bootstrappolicy/infra_sa_policy.go | 11 +-
 pkg/cmd/server/origin/controller.go | 16 ++-
 pkg/cmd/server/origin/controller/apps.go | 90 ++++++++++++
 pkg/cmd/server/origin/controller/build.go | 4 +-
 pkg/cmd/server/origin/master_config.go | 47 +++----
 pkg/cmd/server/origin/run_components.go | 129 ------------------
 pkg/cmd/server/start/start_master.go | 12 +-
 .../deployer/deployer_controller_test.go | 11 +-
 test/integration/authorization_test.go | 2 +
 .../bootstrap_cluster_role_bindings.yaml | 14 ++
 .../bootstrap_cluster_roles.yaml | 66 ++++++++-
 13 files changed, 259 insertions(+), 182 deletions(-)
 create mode 100644 pkg/cmd/server/origin/controller/apps.go
diff --git a/pkg/authorization/authorizer/subjects_test.go b/pkg/authorization/authorizer/subjects_test.go
index c3bbbcccebe8..11b3738ad239 100644
--- a/pkg/authorization/authorizer/subjects_test.go
+++ b/pkg/authorization/authorizer/subjects_test.go
@@ -35,10 +35,21 @@ func TestSubjects(t *testing.T) { Resource: "pods", }, expectedUsers: sets.NewString("Anna", "ClusterAdmin", "Ellen", "Valerie", - "system:serviceaccount:adze:second", "system:serviceaccount:foo:default", "system:serviceaccount:other:first", - "system:serviceaccount:kube-system:deployment-controller", "system:serviceaccount:kube-system:endpoint-controller", "system:serviceaccount:kube-system:generic-garbage-collector", - "system:serviceaccount:kube-system:namespace-controller", "system:serviceaccount:kube-system:persistent-volume-binder", "system:serviceaccount:kube-system:statefulset-controller", - "system:admin", "system:kube-scheduler", "system:serviceaccount:openshift-infra:build-controller"), + "system:serviceaccount:adze:second", + "system:serviceaccount:foo:default", + "system:serviceaccount:other:first", + "system:serviceaccount:kube-system:deployment-controller", + "system:serviceaccount:kube-system:endpoint-controller", + "system:serviceaccount:kube-system:generic-garbage-collector", + "system:serviceaccount:kube-system:namespace-controller", + "system:serviceaccount:kube-system:persistent-volume-binder", + "system:serviceaccount:kube-system:statefulset-controller", + "system:admin", + "system:kube-scheduler", + "system:serviceaccount:openshift-infra:build-controller", + "system:serviceaccount:openshift-infra:deployer-controller", + "system:serviceaccount:openshift-infra:deploymentconfig-controller", + ), expectedGroups: sets.NewString("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:masters", "system:nodes"), } test.clusterPolicies = newDefaultClusterPolicies() diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go index 1e0a3baf062e..7ca99389cdba 100644 --- a/pkg/cmd/server/bootstrappolicy/controller_policy.go +++ b/pkg/cmd/server/bootstrappolicy/controller_policy.go 
@@ -45,6 +45,7 @@ func eventsRule() rbac.PolicyRule { } func init() { + // build-controller addControllerRole(rbac.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraBuildControllerServiceAccountName}, Rules: []rbac.PolicyRule{ @@ -58,15 +59,17 @@ func init() { }, }) + // deployer-controller addControllerRole(rbac.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeployerControllerServiceAccountName}, Rules: []rbac.PolicyRule{ - rbac.NewRule("create", "get", "list", "watch", "update", "patch", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), - rbac.NewRule("create", "get", "list", "watch", "update", "delete").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), + rbac.NewRule("create", "get", "list", "watch", "patch", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(), + rbac.NewRule("get", "list", "watch", "update").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), eventsRule(), }, }) + // deploymentconfig-controller addControllerRole(rbac.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentConfigControllerServiceAccountName}, Rules: []rbac.PolicyRule{ 
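Review bot: The deployer-controller rule on the `pods` line drops `update` but keeps `patch`, and the `replicationcontrollers` line drops `create` and `delete`, with nothing on either rule saying why, so the next person to hit a Forbidden error will simply add them back. The deployer_controller_test change in this same commit, which now tolerates patch actions, suggests the narrowing is intentional, but that is an inference rather than something stated here; a comment such as `// TODO(review): confirm — pods are patched (ownerRefs) but never updated; RC create/delete belongs to the deploymentconfig controller` on the rule would record the reason. The enclosing init() continues past this hunk.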
@@ -77,6 +80,19 @@ func init() { eventsRule(), }, }) + + // deployment-trigger-controller + addControllerRole(rbac.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentTriggerControllerServiceAccountName}, + Rules: []rbac.PolicyRule{ + rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(), + rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(), + rbac.NewRule("get", "list", "watch").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(), + + rbac.NewRule("create").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/instantiate").RuleOrDie(), + eventsRule(), + }, + }) } // ControllerRoles returns the cluster roles used by controllers diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go index 34585bec8067..9d565750c4e4 100644 --- a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go +++ b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go 
@@ -23,11 +23,12 @@ import ( ) const ( - InfraBuildControllerServiceAccountName = "build-controller" - InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller" - ImageTriggerControllerRoleName = "system:imagetrigger-controller" - InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller" - InfraDeployerControllerServiceAccountName = "deployer-controller" + InfraBuildControllerServiceAccountName = "build-controller" + InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller" + ImageTriggerControllerRoleName = "system:imagetrigger-controller" + InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller" + InfraDeploymentTriggerControllerServiceAccountName = "deployment-trigger-controller" + InfraDeployerControllerServiceAccountName = "deployer-controller" InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller" PersistentVolumeBinderControllerRoleName = "system:pv-binder-controller" diff --git a/pkg/cmd/server/origin/controller.go b/pkg/cmd/server/origin/controller.go index b5aefa9bb370..b5a486430dfc 100644 --- a/pkg/cmd/server/origin/controller.go +++ b/pkg/cmd/server/origin/controller.go @@ -13,6 +13,7 @@ func (c *MasterConfig) NewOpenshiftControllerInitializers() (map[string]controll // initialize build controller storageVersion := c.Options.EtcdStorageConfig.OpenShiftStorageVersion groupVersion := schema.GroupVersion{Group: "", Version: storageVersion} + // TODO: add codec to the controller context codec := kapi.Codecs.LegacyCodec(groupVersion) buildControllerConfig := controller.BuildControllerConfig{ 
@@ -21,8 +22,21 @@ func (c *MasterConfig) NewOpenshiftControllerInitializers() (map[string]controll AdmissionPluginConfig: c.Options.AdmissionConfig.PluginConfig, Codec: codec, } - ret["build"] = buildControllerConfig.RunController + // initialize apps.openshift.io controllers + vars, err := c.GetOpenShiftClientEnvVars() + if err != nil { + return nil, err + } + deployer := controller.DeployerControllerConfig{ImageName: c.ImageFor("deployer"), Codec: codec, ClientEnvVars: vars} + ret["deployer"] = deployer.RunController + + deploymentConfig := controller.DeploymentConfigControllerConfig{Codec: codec} + ret["deploymentconfig"] = deploymentConfig.RunController + + deploymentTrigger := controller.DeploymentTriggerControllerConfig{Codec: codec} + ret["deploymenttrigger"] = deploymentTrigger.RunController + return ret, nil } diff --git a/pkg/cmd/server/origin/controller/apps.go b/pkg/cmd/server/origin/controller/apps.go new file mode 100644 index 000000000000..4c1c331ba8c1 --- /dev/null +++ b/pkg/cmd/server/origin/controller/apps.go 
@@ -0,0 +1,90 @@ +package controller + +import ( + "k8s.io/apimachinery/pkg/runtime" + kapi "k8s.io/kubernetes/pkg/api" + + "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" + deployercontroller "github.com/openshift/origin/pkg/deploy/controller/deployer" + deployconfigcontroller "github.com/openshift/origin/pkg/deploy/controller/deploymentconfig" + triggercontroller "github.com/openshift/origin/pkg/deploy/controller/generictrigger" +) + +type DeployerControllerConfig struct { + ImageName string + ClientEnvVars []kapi.EnvVar + + Codec runtime.Codec +} + +type DeploymentConfigControllerConfig struct { + Codec runtime.Codec +} + +type DeploymentTriggerControllerConfig struct { + Codec runtime.Codec +} + +func (c *DeployerControllerConfig) RunController(ctx ControllerContext) (bool, error) { + internalDeployerKubeClient, err := ctx.ClientBuilder.KubeInternalClient(bootstrappolicy.InfraDeployerControllerServiceAccountName) + if err != nil { + return true, err + } + + go deployercontroller.NewDeployerController( + ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers(), + ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers().Core().InternalVersion().Pods(), + internalDeployerKubeClient, + ctx.ClientBuilder.ClientOrDie(bootstrappolicy.InfraDeployerControllerServiceAccountName), + bootstrappolicy.DeployerServiceAccountName, + c.ImageName, + c.ClientEnvVars, + c.Codec, + ).Run(5, ctx.Stop) + + return true, nil +} + +func (c *DeploymentConfigControllerConfig) RunController(ctx ControllerContext) (bool, error) { + saName := bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName + + internalDcKubeClient, err := ctx.ClientBuilder.KubeInternalClient(saName) + if err != nil { + return true, err + } + deprecatedOcDcClient, err := ctx.ClientBuilder.DeprecatedOpenshiftClient(saName) + if err != nil { + return true, err + } + + go deployconfigcontroller.NewDeploymentConfigController( + 
ctx.DeprecatedOpenshiftInformers.DeploymentConfigs().Informer(), + ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers(), + ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers().Core().InternalVersion().Pods(), + deprecatedOcDcClient, + internalDcKubeClient, + ctx.ClientBuilder.ClientOrDie(saName), + c.Codec, + ).Run(5, ctx.Stop) + + return true, nil +} + +func (c *DeploymentTriggerControllerConfig) RunController(ctx ControllerContext) (bool, error) { + saName := bootstrappolicy.InfraDeploymentTriggerControllerServiceAccountName + + deprecatedOcTriggerClient, err := ctx.ClientBuilder.DeprecatedOpenshiftClient(saName) + if err != nil { + return true, err + } + + go triggercontroller.NewDeploymentTriggerController( + ctx.DeprecatedOpenshiftInformers.DeploymentConfigs().Informer(), + ctx.DeprecatedOpenshiftInformers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers().Informer(), + ctx.DeprecatedOpenshiftInformers.ImageStreams().Informer(), + deprecatedOcTriggerClient, + c.Codec, + ).Run(5, ctx.Stop) + + return true, nil +} diff --git a/pkg/cmd/server/origin/controller/build.go b/pkg/cmd/server/origin/controller/build.go index d968958f1fd9..7ef86d5a6d81 100644 --- a/pkg/cmd/server/origin/controller/build.go +++ b/pkg/cmd/server/origin/controller/build.go 
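Review bot: In DeployerControllerConfig.RunController and DeploymentConfigControllerConfig.RunController the external client is taken with `ctx.ClientBuilder.ClientOrDie(...)` immediately after the internal client's error was returned to the caller, so one failure path reports an error while the other aborts the process; if the builder offers a non-panicking variant, use it and return the error the same way, otherwise a comment should say why dying is acceptable there. The three exported config types and their RunController methods have no doc comments; `ClientEnvVars` in particular deserves one, because the removed RunDeployerController built the same values under a TODO about eliminating them once service accounts provide a kubeconfig, and that TODO does not survive the move. Each controller now runs with a client for its own service account instead of the privileged loopback client the removed code used, which is worth stating in a type comment so the separation is kept deliberately.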
@@ -55,8 +55,8 @@ func (c *BuildControllerConfig) RunController(ctx ControllerContext) (bool, erro OSClient: deprecatedOpenshiftClient, BuildUpdater: buildclient.NewOSClientBuildClient(deprecatedOpenshiftClient), BuildLister: buildclient.NewOSClientBuildClient(deprecatedOpenshiftClient), - BuildConfigGetter: buildclient.NewOSClientBuildConfigClient(osclient), - BuildDeleter: buildclient.NewBuildDeleter(osclient), + BuildConfigGetter: buildclient.NewOSClientBuildConfigClient(deprecatedOpenshiftClient), + BuildDeleter: buildclient.NewBuildDeleter(deprecatedOpenshiftClient), DockerBuildStrategy: &buildstrategy.DockerBuildStrategy{ Image: c.DockerImage, // TODO: this will be set to --storage-version (the internal schema we use) diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go index 8b8111ec1d22..c89ab4951b3e 100644 --- a/pkg/cmd/server/origin/master_config.go +++ b/pkg/cmd/server/origin/master_config.go @@ -49,6 +49,7 @@ import ( "k8s.io/kubernetes/pkg/serviceaccount" "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle" saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" + serviceaccountadmission "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" storageclassdefaultadmission "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default" "github.com/openshift/origin/pkg/auth/authenticator/request/paramtoken" @@ -75,6 +76,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/etcd" kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master" originrest "github.com/openshift/origin/pkg/cmd/server/origin/rest" + "github.com/openshift/origin/pkg/cmd/util/clientcmd" "github.com/openshift/origin/pkg/cmd/util/plug" "github.com/openshift/origin/pkg/cmd/util/pluginconfig" "github.com/openshift/origin/pkg/cmd/util/variable" 
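Review bot: The `@@ -49` hunk of master_config.go imports `k8s.io/kubernetes/plugin/pkg/admission/serviceaccount` a second time under the alias `serviceaccountadmission`, while the context line directly above already imports the same package as `saadmit`; Go accepts a duplicate import under two names, but it is redundant and confusing. Drop the new import line and write `path.Join(saadmit.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey)` in GetOpenShiftClientEnvVars instead.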
@@ -960,6 +962,22 @@ func (c *MasterConfig) BuildConfigWebHookClient() *osclient.Client { return c.PrivilegedLoopbackOpenShiftClient } +func (c *MasterConfig) GetOpenShiftClientEnvVars() ([]kapi.EnvVar, error) { + _, kclientConfig, err := configapi.GetInternalKubeClient( + c.Options.MasterClients.OpenShiftLoopbackKubeConfig, + c.Options.MasterClients.OpenShiftLoopbackClientConnectionOverrides, + ) + if err != nil { + return nil, err + } + return clientcmd.EnvVars( + kclientConfig.Host, + kclientConfig.CAData, + kclientConfig.Insecure, + path.Join(serviceaccountadmission.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey), + ), nil +} + // BuildControllerClients returns the build controller client objects func (c *MasterConfig) BuildControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) { _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraBuildControllerServiceAccountName) @@ -989,7 +1007,6 @@ func (c *MasterConfig) ImageImportControllerClient() *osclient.Client { return c.PrivilegedLoopbackOpenShiftClient } -// DeploymentConfigInstantiateClients returns the clients used by the instantiate endpoint. func (c *MasterConfig) DeploymentConfigInstantiateClients() (*osclient.Client, kclientsetinternal.Interface) { return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal } 
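Review bot: `GetOpenShiftClientEnvVars` is exported with no doc comment, and the `Get` prefix is unidiomatic for a Go accessor; add at least `// GetOpenShiftClientEnvVars derives API host, CA data, insecure flag and token mount path from the loopback kubeconfig as env vars. TODO eliminate once service accounts provide a kubeconfig that carries this info.` so the TODO from the removed RunDeployerController is not lost. Because `kclientConfig.Insecure` is forwarded verbatim, the comment should also say that a loopback config which skips TLS verification is propagated to every consumer of these vars. The `@@ -989` hunk below removes the doc comment from the exported `DeploymentConfigInstantiateClients` without replacing it.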
@@ -999,15 +1016,6 @@ func (c *MasterConfig) DeploymentConfigClients() (*osclient.Client, kclientsetin return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal } -// DeployerControllerClients returns the deployer controller client objects -func (c *MasterConfig) DeployerControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) { - _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeployerControllerServiceAccountName) - if err != nil { - glog.Fatal(err) - } - return osClient, internalKubeClientset, externalKubeClientset -} - // ImageTriggerControllerClients returns the trigger controller client objects func (c *MasterConfig) ImageTriggerControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) { _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraImageTriggerControllerServiceAccountName) 
@@ -1017,25 +1025,6 @@ func (c *MasterConfig) ImageTriggerControllerClients() (*osclient.Client, kclien return osClient, internalKubeClientset, externalKubeClientset } -// DeploymentConfigClients returns deploymentConfig and deployment client objects -func (c *MasterConfig) DeploymentConfigClients() (*osclient.Client, kclientsetinternal.Interface) { - return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal -} - -// DeploymentConfigControllerClients returns the deploymentConfig controller client objects -func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) { - _, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName) - if err != nil { - glog.Fatal(err) - } - return osClient, internalKubeClientset, externalKubeClientset -} - -// DeploymentTriggerControllerClient returns the deploymentConfig trigger controller client object -func (c *MasterConfig) DeploymentTriggerControllerClient() *osclient.Client { - return c.PrivilegedLoopbackOpenShiftClient -} - // DeploymentLogClient returns the deployment log client object func (c *MasterConfig) DeploymentLogClient() kclientsetinternal.Interface { return c.PrivilegedLoopbackKubernetesClientsetInternal diff --git a/pkg/cmd/server/origin/run_components.go b/pkg/cmd/server/origin/run_components.go index a3a5f61ec7f1..2149175357dc 100644 --- a/pkg/cmd/server/origin/run_components.go +++ b/pkg/cmd/server/origin/run_components.go @@ -4,7 +4,6 @@ import ( "fmt" "io/ioutil" "net" - "path" "sync" "time" 
@@ -30,7 +29,6 @@ import ( "k8s.io/kubernetes/pkg/registry/core/service/allocator" etcdallocator "k8s.io/kubernetes/pkg/registry/core/service/allocator/storage" "k8s.io/kubernetes/pkg/serviceaccount" - serviceaccountadmission "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" "github.com/openshift/origin/pkg/authorization/controller/authorizationsync" buildclient "github.com/openshift/origin/pkg/build/client" @@ -39,13 +37,8 @@ import ( osclient "github.com/openshift/origin/pkg/client" oscache "github.com/openshift/origin/pkg/client/cache" configapi "github.com/openshift/origin/pkg/cmd/server/api" - "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" "github.com/openshift/origin/pkg/cmd/server/crypto" cmdutil "github.com/openshift/origin/pkg/cmd/util" - "github.com/openshift/origin/pkg/cmd/util/clientcmd" - deployercontroller "github.com/openshift/origin/pkg/deploy/controller/deployer" - deployconfigcontroller "github.com/openshift/origin/pkg/deploy/controller/deploymentconfig" - triggercontroller "github.com/openshift/origin/pkg/deploy/controller/generictrigger" deployclient "github.com/openshift/origin/pkg/deploy/generated/internalclientset/typed/apps/internalversion" "github.com/openshift/origin/pkg/dns" imagecontroller "github.com/openshift/origin/pkg/image/controller" 
@@ -246,75 +239,6 @@ func (c *MasterConfig) RunProjectCache() { c.ProjectCache.Run() } -<<<<<<< HEAD -// RunBuildController starts the build sync loop for builds and buildConfig processing. -func (c *MasterConfig) RunBuildController(informers shared.InformerFactory) error { - // initialize build controller - dockerImage := c.ImageFor("docker-builder") - stiImage := c.ImageFor("sti-builder") - - storageVersion := c.Options.EtcdStorageConfig.OpenShiftStorageVersion - groupVersion := schema.GroupVersion{Group: "", Version: storageVersion} - codec := kapi.Codecs.LegacyCodec(groupVersion) - - pluginInitializer := kubeadmission.NewPluginInitializer( - c.KubeClientsetInternal(), - c.Informers.InternalKubernetesInformers(), - nil, // api authorizer, only used by PSP - nil, // cloud config - ) - admissionControl, err := admission.InitPlugin("SecurityContextConstraint", nil, pluginInitializer) - if err != nil { - return err - } - - buildDefaults, err := builddefaults.NewBuildDefaults(c.Options.AdmissionConfig.PluginConfig) - if err != nil { - return err - } - buildOverrides, err := buildoverrides.NewBuildOverrides(c.Options.AdmissionConfig.PluginConfig) - if err != nil { - return err - } - - osclient, internalKubeClientset, externalKubeClientset := c.BuildControllerClients() - factory := buildcontrollerfactory.BuildControllerFactory{ - KubeClient: internalKubeClientset, - ExternalKubeClient: externalKubeClientset, - OSClient: osclient, - BuildUpdater: buildclient.NewOSClientBuildClient(osclient), - BuildLister: buildclient.NewOSClientBuildClient(osclient), - BuildConfigGetter: buildclient.NewOSClientBuildConfigClient(osclient), - BuildDeleter: buildclient.NewBuildDeleter(osclient), - - DockerBuildStrategy: &buildstrategy.DockerBuildStrategy{ - Image: dockerImage, - // TODO: this will be set to --storage-version (the internal schema we use) - Codec: codec, - }, - SourceBuildStrategy: &buildstrategy.SourceBuildStrategy{ - Image: stiImage, - // TODO: this will be set to 
--storage-version (the internal schema we use) - Codec: codec, - AdmissionControl: admissionControl, - }, - CustomBuildStrategy: &buildstrategy.CustomBuildStrategy{ - // TODO: this will be set to --storage-version (the internal schema we use) - Codec: codec, - }, - BuildDefaults: buildDefaults, - BuildOverrides: buildOverrides, - } - - controller := factory.Create() - controller.Run() - deleteController := factory.CreateDeleteController() - deleteController.Run() - return nil -} - -======= ->>>>>>> 6f6552550b... rewire build controller initialization to use a controller init func // RunBuildPodController starts the build/pod status sync loop for build status func (c *MasterConfig) RunBuildPodController() { buildInfomer := c.Informers.Builds().Informer() 
@@ -341,59 +265,6 @@ func (c *MasterConfig) RunBuildConfigChangeController() { factory.Create().Run() } -// RunDeployerController starts the deployment controller process. -func (c *MasterConfig) RunDeployerController() { - // TODO these should be external - rcInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers() - podInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().Pods() - _, internalKubeClientset, externalKubeClientset := c.DeployerControllerClients() - - _, kclientConfig, err := configapi.GetInternalKubeClient(c.Options.MasterClients.OpenShiftLoopbackKubeConfig, c.Options.MasterClients.OpenShiftLoopbackClientConnectionOverrides) - if err != nil { - glog.Fatalf("Unable to initialize deployer controller: %v", err) - } - // TODO eliminate these environment variables once service accounts provide a kubeconfig that includes all of this info - env := clientcmd.EnvVars( - kclientConfig.Host, - kclientConfig.CAData, - kclientConfig.Insecure, - path.Join(serviceaccountadmission.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey), - ) - - controller := deployercontroller.NewDeployerController( - rcInformer, - podInformer, - internalKubeClientset, - externalKubeClientset, - bootstrappolicy.DeployerServiceAccountName, - c.ImageFor("deployer"), - env, - c.ExternalVersionCodec, - ) - go controller.Run(5, utilwait.NeverStop) -} - -// RunDeploymentConfigController starts the deployment config controller process. 
-func (c *MasterConfig) RunDeploymentConfigController() { - dcInfomer := c.Informers.DeploymentConfigs().Informer() - rcInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers() - podInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().Pods() - osclient, kclientInternal, kclientExternal := c.DeploymentConfigControllerClients() - - controller := deployconfigcontroller.NewDeploymentConfigController(dcInfomer, rcInformer, podInformer, osclient, kclientInternal, kclientExternal, c.ExternalVersionCodec) - go controller.Run(5, utilwait.NeverStop) -} - -// RunDeploymentTriggerController starts the deployment trigger controller process. -func (c *MasterConfig) RunDeploymentTriggerController() { - dcInfomer := c.Informers.DeploymentConfigs().Informer() - rcInformer := c.Informers.InternalKubernetesInformers().Core().InternalVersion().ReplicationControllers().Informer() - osclient := c.DeploymentTriggerControllerClient() - - controller := triggercontroller.NewDeploymentTriggerController(dcInfomer, rcInformer, nil, osclient, c.ExternalVersionCodec) - go controller.Run(5, utilwait.NeverStop) -} - // TODO: remove when generated informers exist type temporaryLister struct { *oscache.StoreToImageStreamLister diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go index 0501caaddbf8..ec5b4093656c 100644 --- a/pkg/cmd/server/start/start_master.go +++ b/pkg/cmd/server/start/start_master.go @@ -653,7 +653,6 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro "statefuleset", "cronjob", "certificatesigningrequests", - // not used in openshift. Yet? // "ttl", // "bootstrapsigner", 
@@ -715,7 +714,11 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro } openshiftControllerInitializers, err := oc.NewOpenshiftControllerInitializers() - allowedOpenshiftControllers := sets.NewString() + allowedOpenshiftControllers := sets.NewString( + "deployer", + "deploymentconfig", + "deploymenttrigger", + ) if configapi.IsBuildEnabled(&oc.Options) { allowedOpenshiftControllers.Insert("build") } @@ -739,7 +742,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro glog.V(1).Infof("Starting %q", controllerName) started, err := initFn(openshiftControllerContext) if err != nil { - glog.Errorf("Error starting %q", controllerName) + glog.Fatalf("Error starting %q", controllerName) return err } if !started { @@ -755,9 +758,6 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro oc.RunBuildConfigChangeController() } - oc.RunDeployerController() - oc.RunDeploymentConfigController() - oc.RunDeploymentTriggerController() oc.RunImageTriggerController() oc.RunImageImportController() oc.RunOriginNamespaceController() diff --git a/pkg/deploy/controller/deployer/deployer_controller_test.go b/pkg/deploy/controller/deployer/deployer_controller_test.go index 64f6df4059fd..4181a06d8fd0 100644 --- a/pkg/deploy/controller/deployer/deployer_controller_test.go +++ b/pkg/deploy/controller/deployer/deployer_controller_test.go @@ -439,8 +439,17 @@ func TestHandle_noop(t *testing.T) { continue } + hasPatch := func(actions []clientgotesting.Action) bool { + for _, a := range actions { + if a.GetVerb() == "patch" { + return true + } + } + return false + } + // Expect only patching for ownerRefs - if len(client.Actions()) != 1 { + if len(client.Actions()) != 1 && hasPatch(client.Actions()) { t.Errorf("%s: unexpected %d actions: %#+v", test.name, len(client.Actions()), client.Actions()) } } 
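Review bot: In the `@@ -739` hunk, `glog.Fatalf("Error starting %q", controllerName)` exits the process, so the `return err` that follows it is now unreachable, and the error value itself is never logged on either path. Either keep the return path and log the cause, `glog.Errorf("Error starting %q: %v", controllerName, err)` followed by `return err`, or, if aborting the master on a controller start failure is intended, include `err` in the Fatalf and delete the dead return. startControllers continues outside the hunk.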
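Review bot: In the deployer_controller_test.go hunk the new condition `len(client.Actions()) != 1 && hasPatch(client.Actions())` only fails when there are several actions and at least one of them is a patch, so a single non-patch action, or any number of non-patch actions, now passes silently, which is not what the comment "Expect only patching for ownerRefs" describes. If the intent is exactly one action and that action is a patch, the guard should read `if len(client.Actions()) != 1 || !hasPatch(client.Actions()) {`. TestHandle_noop continues outside the hunk.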
diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go index 9723b8e8a40a..01d0f3d02a4c 100644 --- a/test/integration/authorization_test.go +++ b/test/integration/authorization_test.go @@ -384,6 +384,8 @@ var globalDeploymentConfigGetterUsers = sets.NewString( "system:serviceaccount:kube-system:namespace-controller", "system:serviceaccount:openshift-infra:imagetrigger-controller", "system:serviceaccount:openshift-infra:unidling-controller", + "system:serviceaccount:openshift-infra:deployment-trigger-controller", + "system:serviceaccount:openshift-infra:deploymentconfig-controller", ) type resourceAccessReviewTest struct { diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml index c60e2f7625fe..bbc6590459c7 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml @@ -680,6 +680,20 @@ items: namespace: openshift-infra userNames: - system:serviceaccount:openshift-infra:deploymentconfig-controller +- apiVersion: v1 + groupNames: null + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:openshift:controller:deployment-trigger-controller + roleRef: + name: system:openshift:controller:deployment-trigger-controller + subjects: + - kind: ServiceAccount + name: deployment-trigger-controller + namespace: openshift-infra + userNames: + - system:serviceaccount:openshift-infra:deployment-trigger-controller - apiVersion: v1 groupNames: - system:masters diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 78525907d7fd..b83820ea8a9f 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml 
@@ -3487,10 +3487,19 @@ items: resources: - builds verbs: + - delete - get - list - update - watch + - apiGroups: + - "" + - build.openshift.io + attributeRestrictions: null + resources: + - buildconfigs + verbs: + - get - apiGroups: - "" - build.openshift.io @@ -3555,7 +3564,6 @@ items: - get - list - patch - - update - watch - apiGroups: - "" @@ -3563,8 +3571,6 @@ items: resources: - replicationcontrollers verbs: - - create - - delete - get - list - update @@ -3634,6 +3640,60 @@ items: - create - patch - update +- apiVersion: v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + creationTimestamp: null + name: system:openshift:controller:deployment-trigger-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + verbs: + - get + - list + - watch + - apiGroups: + - "" + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: + - "" + - image.openshift.io + attributeRestrictions: null + resources: + - imagestreams + verbs: + - get + - list + - watch + - apiGroups: + - "" + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs/instantiate + verbs: + - create + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update - apiVersion: v1 kind: ClusterRole metadata:
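Review bot: The `@@ -3487` hunk widens the build-controller fixture with `delete` on builds and `get` on buildconfigs, yet the controller_policy.go hunks in this patch touch only the deployer, deploymentconfig and deployment-trigger roles; presumably the matching Go rule landed in an earlier patch of the series, but that cannot be confirmed from here, and the fixture should come from regeneration rather than a hand edit. The build.go hunk rewires BuildDeleter and BuildConfigGetter onto the service-account client, which is consistent with these two grants being the minimum that controller now needs.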