Commit 761be18d authored by Darren Shepherd's avatar Darren Shepherd

Patch

parent a21fdbd7
...@@ -110,7 +110,6 @@ kubernetes.tar.gz ...@@ -110,7 +110,6 @@ kubernetes.tar.gz
# generated files in any directory # generated files in any directory
# TODO(thockin): uncomment this when we stop committing the generated files. # TODO(thockin): uncomment this when we stop committing the generated files.
#zz_generated.* #zz_generated.*
zz_generated.openapi.go
# make-related metadata # make-related metadata
/.make/ /.make/
......
# Kubernetes # Kubernetes
[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc] [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/569/badge)](https://bestpractices.coreinfrastructure.org/projects/569)
<img src="https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png" width="100"> <img src="https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png" width="100">
---- ----
Kubernetes is an open source system for managing [containerized applications] Kubernetes without the features I don't care about.
across multiple hosts; providing basic mechanisms for deployment, maintenance,
and scaling of applications.
Kubernetes builds upon a decade and a half of experience at Google running
production workloads at scale using a system called [Borg],
combined with best-of-breed ideas and practices from the community.
Kubernetes is hosted by the Cloud Native Computing Foundation ([CNCF]).
If you are a company that wants to help shape the evolution of
technologies that are container-packaged, dynamically-scheduled
and microservices-oriented, consider joining the CNCF.
For details about who's involved and how Kubernetes plays a role,
read the CNCF [announcement].
----
## To start using Kubernetes
See our documentation on [kubernetes.io].
Try our [interactive tutorial].
Take a free course on [Scalable Microservices with Kubernetes].
## To start developing Kubernetes
The [community repository] hosts all information about
building Kubernetes from source, how to contribute code
and documentation, who to contact about what, etc.
If you want to build Kubernetes right away there are two options:
##### You have a working [Go environment].
```
$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make
```
##### You have a working [Docker environment].
```
$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release
```
For the full story, head over to the [developer's documentation].
## Support
If you need support, start with the [troubleshooting guide],
and work your way through the process that we've outlined.
That said, if you have questions, reach out to us
[one way or another][communication].
[announcement]: https://cncf.io/news/announcement/2015/07/new-cloud-native-computing-foundation-drive-alignment-among-container
[Borg]: https://research.google.com/pubs/pub43438.html
[CNCF]: https://www.cncf.io/about
[communication]: https://git.k8s.io/community/communication
[community repository]: https://git.k8s.io/community
[containerized applications]: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
[developer's documentation]: https://git.k8s.io/community/contributors/devel#readme
[Docker environment]: https://docs.docker.com/engine
[Go environment]: https://golang.org/doc/install
[GoDoc]: https://godoc.org/k8s.io/kubernetes
[GoDoc Widget]: https://godoc.org/k8s.io/kubernetes?status.svg
[interactive tutorial]: http://kubernetes.io/docs/tutorials/kubernetes-basics
[kubernetes.io]: http://kubernetes.io
[Scalable Microservices with Kubernetes]: https://www.udacity.com/course/scalable-microservices-with-kubernetes--ud615
[Submit Queue]: http://submit-queue.k8s.io/#/ci
[Submit Queue Widget]: http://submit-queue.k8s.io/health.svg?v=1
[troubleshooting guide]: https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/README.md?pixel)]()
...@@ -48,8 +48,6 @@ type GenericControllerManagerOptions struct { ...@@ -48,8 +48,6 @@ type GenericControllerManagerOptions struct {
SecureServing *apiserveroptions.SecureServingOptions SecureServing *apiserveroptions.SecureServingOptions
// TODO: remove insecure serving mode // TODO: remove insecure serving mode
InsecureServing *InsecureServingOptions InsecureServing *InsecureServingOptions
Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions
Master string Master string
Kubeconfig string Kubeconfig string
...@@ -77,8 +75,6 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont ...@@ -77,8 +75,6 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
BindPort: int(componentConfig.Port), BindPort: int(componentConfig.Port),
BindNetwork: "tcp", BindNetwork: "tcp",
}, },
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
} }
// disable secure serving for now // disable secure serving for now
...@@ -179,8 +175,6 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -179,8 +175,6 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
o.SecureServing.AddFlags(fs) o.SecureServing.AddFlags(fs)
o.InsecureServing.AddFlags(fs) o.InsecureServing.AddFlags(fs)
o.InsecureServing.AddDeprecatedFlags(fs) o.InsecureServing.AddDeprecatedFlags(fs)
o.Authentication.AddFlags(fs)
o.Authorization.AddFlags(fs)
} }
// ApplyTo fills up controller manager config with options and userAgent // ApplyTo fills up controller manager config with options and userAgent
...@@ -193,12 +187,6 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co ...@@ -193,12 +187,6 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil { if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
return err
}
if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
return err
}
var err error var err error
c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig) c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
...@@ -226,8 +214,6 @@ func (o *GenericControllerManagerOptions) Validate() []error { ...@@ -226,8 +214,6 @@ func (o *GenericControllerManagerOptions) Validate() []error {
errors := []error{} errors := []error{}
errors = append(errors, o.SecureServing.Validate()...) errors = append(errors, o.SecureServing.Validate()...)
errors = append(errors, o.InsecureServing.Validate()...) errors = append(errors, o.InsecureServing.Validate()...)
errors = append(errors, o.Authentication.Validate()...)
errors = append(errors, o.Authorization.Validate()...)
// TODO: validate component config, master and kubeconfig // TODO: validate component config, master and kubeconfig
......
...@@ -44,7 +44,6 @@ type ServerRunOptions struct { ...@@ -44,7 +44,6 @@ type ServerRunOptions struct {
Etcd *genericoptions.EtcdOptions Etcd *genericoptions.EtcdOptions
SecureServing *genericoptions.SecureServingOptionsWithLoopback SecureServing *genericoptions.SecureServingOptionsWithLoopback
InsecureServing *kubeoptions.InsecureServingOptions InsecureServing *kubeoptions.InsecureServingOptions
Audit *genericoptions.AuditOptions
Features *genericoptions.FeatureOptions Features *genericoptions.FeatureOptions
Admission *kubeoptions.AdmissionOptions Admission *kubeoptions.AdmissionOptions
Authentication *kubeoptions.BuiltInAuthenticationOptions Authentication *kubeoptions.BuiltInAuthenticationOptions
...@@ -82,7 +81,6 @@ func NewServerRunOptions() *ServerRunOptions { ...@@ -82,7 +81,6 @@ func NewServerRunOptions() *ServerRunOptions {
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)), Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)),
SecureServing: kubeoptions.NewSecureServingOptions(), SecureServing: kubeoptions.NewSecureServingOptions(),
InsecureServing: kubeoptions.NewInsecureServingOptions(), InsecureServing: kubeoptions.NewInsecureServingOptions(),
Audit: genericoptions.NewAuditOptions(),
Features: genericoptions.NewFeatureOptions(), Features: genericoptions.NewFeatureOptions(),
Admission: kubeoptions.NewAdmissionOptions(), Admission: kubeoptions.NewAdmissionOptions(),
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(), Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
...@@ -118,7 +116,7 @@ func NewServerRunOptions() *ServerRunOptions { ...@@ -118,7 +116,7 @@ func NewServerRunOptions() *ServerRunOptions {
s.ServiceClusterIPRange = kubeoptions.DefaultServiceIPCIDR s.ServiceClusterIPRange = kubeoptions.DefaultServiceIPCIDR
// Overwrite the default for storage data format. // Overwrite the default for storage data format.
s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf" //s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf"
return &s return &s
} }
...@@ -131,7 +129,6 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -131,7 +129,6 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
s.SecureServing.AddFlags(fs) s.SecureServing.AddFlags(fs)
s.InsecureServing.AddFlags(fs) s.InsecureServing.AddFlags(fs)
s.InsecureServing.AddDeprecatedFlags(fs) s.InsecureServing.AddDeprecatedFlags(fs)
s.Audit.AddFlags(fs)
s.Features.AddFlags(fs) s.Features.AddFlags(fs)
s.Authentication.AddFlags(fs) s.Authentication.AddFlags(fs)
s.Authorization.AddFlags(fs) s.Authorization.AddFlags(fs)
......
...@@ -67,9 +67,6 @@ func (options *ServerRunOptions) Validate() []error { ...@@ -67,9 +67,6 @@ func (options *ServerRunOptions) Validate() []error {
if errs := options.Authentication.Validate(); len(errs) > 0 { if errs := options.Authentication.Validate(); len(errs) > 0 {
errors = append(errors, errs...) errors = append(errors, errs...)
} }
if errs := options.Audit.Validate(); len(errs) > 0 {
errors = append(errors, errs...)
}
if errs := options.Admission.Validate(); len(errs) > 0 { if errs := options.Admission.Validate(); len(errs) > 0 {
errors = append(errors, errs...) errors = append(errors, errs...)
} }
......
...@@ -25,34 +25,17 @@ import ( ...@@ -25,34 +25,17 @@ import (
// Cloud providers // Cloud providers
"k8s.io/kubernetes/pkg/apis/componentconfig" "k8s.io/kubernetes/pkg/apis/componentconfig"
_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
// Volume plugins // Volume plugins
"github.com/golang/glog" "github.com/golang/glog"
"k8s.io/kubernetes/pkg/cloudprovider" "k8s.io/kubernetes/pkg/cloudprovider"
"k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/aws_ebs"
"k8s.io/kubernetes/pkg/volume/azure_dd"
"k8s.io/kubernetes/pkg/volume/azure_file"
"k8s.io/kubernetes/pkg/volume/cinder"
"k8s.io/kubernetes/pkg/volume/csi" "k8s.io/kubernetes/pkg/volume/csi"
"k8s.io/kubernetes/pkg/volume/fc"
"k8s.io/kubernetes/pkg/volume/flexvolume" "k8s.io/kubernetes/pkg/volume/flexvolume"
"k8s.io/kubernetes/pkg/volume/flocker"
"k8s.io/kubernetes/pkg/volume/gce_pd"
"k8s.io/kubernetes/pkg/volume/glusterfs"
"k8s.io/kubernetes/pkg/volume/host_path" "k8s.io/kubernetes/pkg/volume/host_path"
"k8s.io/kubernetes/pkg/volume/iscsi"
"k8s.io/kubernetes/pkg/volume/local" "k8s.io/kubernetes/pkg/volume/local"
"k8s.io/kubernetes/pkg/volume/nfs" "k8s.io/kubernetes/pkg/volume/nfs"
"k8s.io/kubernetes/pkg/volume/photon_pd"
"k8s.io/kubernetes/pkg/volume/portworx"
"k8s.io/kubernetes/pkg/volume/quobyte"
"k8s.io/kubernetes/pkg/volume/rbd"
"k8s.io/kubernetes/pkg/volume/scaleio"
"k8s.io/kubernetes/pkg/volume/storageos"
volumeutil "k8s.io/kubernetes/pkg/volume/util" volumeutil "k8s.io/kubernetes/pkg/volume/util"
"k8s.io/kubernetes/pkg/volume/vsphere_volume"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
...@@ -65,18 +48,6 @@ import ( ...@@ -65,18 +48,6 @@ import (
func ProbeAttachableVolumePlugins() []volume.VolumePlugin { func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
allPlugins := []volume.VolumePlugin{} allPlugins := []volume.VolumePlugin{}
allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
} }
...@@ -94,19 +65,6 @@ func GetDynamicPluginProber(config componentconfig.VolumeConfiguration) volume.D ...@@ -94,19 +65,6 @@ func GetDynamicPluginProber(config componentconfig.VolumeConfiguration) volume.D
func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []volume.VolumePlugin { func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []volume.VolumePlugin {
allPlugins := []volume.VolumePlugin{} allPlugins := []volume.VolumePlugin{}
allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_file.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
return allPlugins return allPlugins
} }
...@@ -145,24 +103,7 @@ func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config componen ...@@ -145,24 +103,7 @@ func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config componen
glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, err) glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, err)
} }
allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...) allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
// add rbd provisioner
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, quobyte.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_file.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, flocker.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, local.ProbeVolumePlugins()...) allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
return allPlugins return allPlugins
} }
......
...@@ -550,7 +550,7 @@ func createClients(config componentconfig.ClientConnectionConfiguration, masterO ...@@ -550,7 +550,7 @@ func createClients(config componentconfig.ClientConnectionConfiguration, masterO
} }
// Run runs the SchedulerServer. This should never exit. // Run runs the SchedulerServer. This should never exit.
func (s *SchedulerServer) Run(stop chan struct{}) error { func (s *SchedulerServer) Run(stop <-chan struct{}) error {
// To help debugging, immediately log version // To help debugging, immediately log version
glog.Infof("Version: %+v", version.Get()) glog.Infof("Version: %+v", version.Get())
......
...@@ -86,17 +86,6 @@ func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz k ...@@ -86,17 +86,6 @@ func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz k
case kubeletconfig.KubeletAuthorizationModeAlwaysAllow: case kubeletconfig.KubeletAuthorizationModeAlwaysAllow:
return authorizerfactory.NewAlwaysAllowAuthorizer(), nil return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
case kubeletconfig.KubeletAuthorizationModeWebhook:
if client == nil {
return nil, errors.New("no client provided, cannot use webhook authorization")
}
authorizerConfig := authorizerfactory.DelegatingAuthorizerConfig{
SubjectAccessReviewClient: client,
AllowCacheTTL: authz.Webhook.CacheAuthorizedTTL.Duration,
DenyCacheTTL: authz.Webhook.CacheUnauthorizedTTL.Duration,
}
return authorizerConfig.New()
case "": case "":
return nil, fmt.Errorf("No authorization mode specified") return nil, fmt.Errorf("No authorization mode specified")
......
...@@ -48,7 +48,7 @@ func NewContainerRuntimeOptions() *config.ContainerRuntimeOptions { ...@@ -48,7 +48,7 @@ func NewContainerRuntimeOptions() *config.ContainerRuntimeOptions {
} }
return &config.ContainerRuntimeOptions{ return &config.ContainerRuntimeOptions{
ContainerRuntime: kubetypes.DockerContainerRuntime, ContainerRuntime: kubetypes.RemoteContainerRuntime,
DockerEndpoint: dockerEndpoint, DockerEndpoint: dockerEndpoint,
DockershimRootDirectory: "/var/lib/dockershim", DockershimRootDirectory: "/var/lib/dockershim",
DockerDisableSharedPID: true, DockerDisableSharedPID: true,
......
...@@ -30,8 +30,6 @@ import ( ...@@ -30,8 +30,6 @@ import (
// ensure libs have a chance to globally register their flags // ensure libs have a chance to globally register their flags
_ "github.com/golang/glog" _ "github.com/golang/glog"
_ "k8s.io/kubernetes/pkg/credentialprovider/azure"
_ "k8s.io/kubernetes/pkg/credentialprovider/gcp"
) )
// AddGlobalFlags explicitly registers flags that libraries (glog, verflag, etc.) register // AddGlobalFlags explicitly registers flags that libraries (glog, verflag, etc.) register
...@@ -40,7 +38,6 @@ import ( ...@@ -40,7 +38,6 @@ import (
func AddGlobalFlags(fs *pflag.FlagSet) { func AddGlobalFlags(fs *pflag.FlagSet) {
addGlogFlags(fs) addGlogFlags(fs)
addCadvisorFlags(fs) addCadvisorFlags(fs)
addCredentialProviderFlags(fs)
verflag.AddFlags(fs) verflag.AddFlags(fs)
logs.AddFlags(fs) logs.AddFlags(fs)
} }
...@@ -84,22 +81,6 @@ func pflagRegisterDeprecated(global, local *pflag.FlagSet, globalName, deprecate ...@@ -84,22 +81,6 @@ func pflagRegisterDeprecated(global, local *pflag.FlagSet, globalName, deprecate
local.Lookup(normalize(globalName)).Deprecated = deprecated local.Lookup(normalize(globalName)).Deprecated = deprecated
} }
// addCredentialProviderFlags adds flags from k8s.io/kubernetes/pkg/credentialprovider
func addCredentialProviderFlags(fs *pflag.FlagSet) {
// lookup flags in global flag set and re-register the values with our flagset
global := pflag.CommandLine
local := pflag.NewFlagSet(os.Args[0], pflag.ExitOnError)
// Note this is deprecated in the library that provides it, so we just allow that deprecation
// notice to pass through our registration here.
pflagRegister(global, local, "google-json-key")
// TODO(#58034): This is not a static file, so it's not quite as straightforward as --google-json-key.
// We need to figure out how ACR users can dynamically provide pull credentials before we can deprecate this.
pflagRegister(global, local, "azure-container-registry-config")
fs.AddFlagSet(local)
}
// addGlogFlags adds flags from github.com/golang/glog // addGlogFlags adds flags from github.com/golang/glog
func addGlogFlags(fs *pflag.FlagSet) { func addGlogFlags(fs *pflag.FlagSet) {
// lookup flags in global flag set and re-register the values with our flagset // lookup flags in global flag set and re-register the values with our flagset
......
...@@ -18,47 +18,22 @@ package app ...@@ -18,47 +18,22 @@ package app
// This file exists to force the desired plugin implementations to be linked. // This file exists to force the desired plugin implementations to be linked.
import ( import (
// Credential providers
_ "k8s.io/kubernetes/pkg/credentialprovider/aws"
_ "k8s.io/kubernetes/pkg/credentialprovider/azure"
_ "k8s.io/kubernetes/pkg/credentialprovider/gcp"
_ "k8s.io/kubernetes/pkg/credentialprovider/rancher"
// Network plugins // Network plugins
"k8s.io/kubernetes/pkg/kubelet/network" "k8s.io/kubernetes/pkg/kubelet/network"
"k8s.io/kubernetes/pkg/kubelet/network/cni" "k8s.io/kubernetes/pkg/kubelet/network/cni"
"k8s.io/kubernetes/pkg/kubelet/network/kubenet"
// Volume plugins // Volume plugins
"k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/aws_ebs"
"k8s.io/kubernetes/pkg/volume/azure_dd"
"k8s.io/kubernetes/pkg/volume/azure_file"
"k8s.io/kubernetes/pkg/volume/cephfs"
"k8s.io/kubernetes/pkg/volume/cinder"
"k8s.io/kubernetes/pkg/volume/configmap" "k8s.io/kubernetes/pkg/volume/configmap"
"k8s.io/kubernetes/pkg/volume/csi" "k8s.io/kubernetes/pkg/volume/csi"
"k8s.io/kubernetes/pkg/volume/downwardapi" "k8s.io/kubernetes/pkg/volume/downwardapi"
"k8s.io/kubernetes/pkg/volume/empty_dir" "k8s.io/kubernetes/pkg/volume/empty_dir"
"k8s.io/kubernetes/pkg/volume/fc"
"k8s.io/kubernetes/pkg/volume/flexvolume" "k8s.io/kubernetes/pkg/volume/flexvolume"
"k8s.io/kubernetes/pkg/volume/flocker"
"k8s.io/kubernetes/pkg/volume/gce_pd"
"k8s.io/kubernetes/pkg/volume/git_repo" "k8s.io/kubernetes/pkg/volume/git_repo"
"k8s.io/kubernetes/pkg/volume/glusterfs"
"k8s.io/kubernetes/pkg/volume/host_path" "k8s.io/kubernetes/pkg/volume/host_path"
"k8s.io/kubernetes/pkg/volume/iscsi"
"k8s.io/kubernetes/pkg/volume/local" "k8s.io/kubernetes/pkg/volume/local"
"k8s.io/kubernetes/pkg/volume/nfs" "k8s.io/kubernetes/pkg/volume/nfs"
"k8s.io/kubernetes/pkg/volume/photon_pd"
"k8s.io/kubernetes/pkg/volume/portworx"
"k8s.io/kubernetes/pkg/volume/projected" "k8s.io/kubernetes/pkg/volume/projected"
"k8s.io/kubernetes/pkg/volume/quobyte"
"k8s.io/kubernetes/pkg/volume/rbd"
"k8s.io/kubernetes/pkg/volume/scaleio"
"k8s.io/kubernetes/pkg/volume/secret" "k8s.io/kubernetes/pkg/volume/secret"
"k8s.io/kubernetes/pkg/volume/storageos"
"k8s.io/kubernetes/pkg/volume/vsphere_volume"
// Cloud providers
_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
// features check // features check
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
...@@ -74,32 +49,15 @@ func ProbeVolumePlugins() []volume.VolumePlugin { ...@@ -74,32 +49,15 @@ func ProbeVolumePlugins() []volume.VolumePlugin {
// //
// Kubelet does not currently need to configure volume plugins. // Kubelet does not currently need to configure volume plugins.
// If/when it does, see kube-controller-manager/app/plugins.go for example of using volume.VolumeConfig // If/when it does, see kube-controller-manager/app/plugins.go for example of using volume.VolumeConfig
allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, empty_dir.ProbeVolumePlugins()...) allPlugins = append(allPlugins, empty_dir.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, git_repo.ProbeVolumePlugins()...) allPlugins = append(allPlugins, git_repo.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(volume.VolumeConfig{})...) allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(volume.VolumeConfig{})...)
allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(volume.VolumeConfig{})...) allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(volume.VolumeConfig{})...)
allPlugins = append(allPlugins, secret.ProbeVolumePlugins()...) allPlugins = append(allPlugins, secret.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, quobyte.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cephfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, downwardapi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, downwardapi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, flocker.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_file.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, configmap.ProbeVolumePlugins()...) allPlugins = append(allPlugins, configmap.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, projected.ProbeVolumePlugins()...) allPlugins = append(allPlugins, projected.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, local.ProbeVolumePlugins()...) allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
} }
...@@ -119,7 +77,6 @@ func ProbeNetworkPlugins(cniConfDir, cniBinDir string) []network.NetworkPlugin { ...@@ -119,7 +77,6 @@ func ProbeNetworkPlugins(cniConfDir, cniBinDir string) []network.NetworkPlugin {
// for each existing plugin, add to the list // for each existing plugin, add to the list
allPlugins = append(allPlugins, cni.ProbeNetworkPlugins(cniConfDir, cniBinDir)...) allPlugins = append(allPlugins, cni.ProbeNetworkPlugins(cniConfDir, cniBinDir)...)
allPlugins = append(allPlugins, kubenet.NewPlugin(cniBinDir))
return allPlugins return allPlugins
} }
...@@ -26,7 +26,6 @@ import ( ...@@ -26,7 +26,6 @@ import (
"net" "net"
"net/http" "net/http"
_ "net/http/pprof" _ "net/http/pprof"
"net/url"
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
...@@ -74,14 +73,11 @@ import ( ...@@ -74,14 +73,11 @@ import (
"k8s.io/kubernetes/pkg/kubelet/cm" "k8s.io/kubernetes/pkg/kubelet/cm"
"k8s.io/kubernetes/pkg/kubelet/config" "k8s.io/kubernetes/pkg/kubelet/config"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/dockershim"
dockerremote "k8s.io/kubernetes/pkg/kubelet/dockershim/remote"
"k8s.io/kubernetes/pkg/kubelet/eviction" "k8s.io/kubernetes/pkg/kubelet/eviction"
evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api" evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
dynamickubeletconfig "k8s.io/kubernetes/pkg/kubelet/kubeletconfig" dynamickubeletconfig "k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
"k8s.io/kubernetes/pkg/kubelet/kubeletconfig/configfiles" "k8s.io/kubernetes/pkg/kubelet/kubeletconfig/configfiles"
"k8s.io/kubernetes/pkg/kubelet/server" "k8s.io/kubernetes/pkg/kubelet/server"
"k8s.io/kubernetes/pkg/kubelet/server/streaming"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/util/configz" "k8s.io/kubernetes/pkg/util/configz"
utilfs "k8s.io/kubernetes/pkg/util/filesystem" utilfs "k8s.io/kubernetes/pkg/util/filesystem"
...@@ -221,13 +217,6 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API ...@@ -221,13 +217,6 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
// add the kubelet config controller to kubeletDeps // add the kubelet config controller to kubeletDeps
kubeletDeps.KubeletConfigController = kubeletConfigController kubeletDeps.KubeletConfigController = kubeletConfigController
// start the experimental docker shim, if enabled
if kubeletServer.KubeletFlags.ExperimentalDockershim {
if err := RunDockershim(&kubeletServer.KubeletFlags, kubeletConfig); err != nil {
glog.Fatal(err)
}
}
// run the kubelet // run the kubelet
if err := Run(kubeletServer, kubeletDeps); err != nil { if err := Run(kubeletServer, kubeletDeps); err != nil {
glog.Fatal(err) glog.Fatal(err)
...@@ -338,21 +327,11 @@ func UnsecuredDependencies(s *options.KubeletServer) (*kubelet.Dependencies, err ...@@ -338,21 +327,11 @@ func UnsecuredDependencies(s *options.KubeletServer) (*kubelet.Dependencies, err
writer = &kubeio.NsenterWriter{} writer = &kubeio.NsenterWriter{}
} }
var dockerClientConfig *dockershim.ClientConfig
if s.ContainerRuntime == kubetypes.DockerContainerRuntime {
dockerClientConfig = &dockershim.ClientConfig{
DockerEndpoint: s.DockerEndpoint,
RuntimeRequestTimeout: s.RuntimeRequestTimeout.Duration,
ImagePullProgressDeadline: s.ImagePullProgressDeadline.Duration,
}
}
return &kubelet.Dependencies{ return &kubelet.Dependencies{
Auth: nil, // default does not enforce auth[nz] Auth: nil, // default does not enforce auth[nz]
CAdvisorInterface: nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here CAdvisorInterface: nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here
Cloud: nil, // cloud provider might start background processes Cloud: nil, // cloud provider might start background processes
ContainerManager: nil, ContainerManager: nil,
DockerClientConfig: dockerClientConfig,
KubeClient: nil, KubeClient: nil,
HeartbeatClient: nil, HeartbeatClient: nil,
ExternalKubeClient: nil, ExternalKubeClient: nil,
...@@ -1099,52 +1078,3 @@ func BootstrapKubeletConfigController(defaultConfig *kubeletconfiginternal.Kubel ...@@ -1099,52 +1078,3 @@ func BootstrapKubeletConfigController(defaultConfig *kubeletconfiginternal.Kubel
return kc, c, nil return kc, c, nil
} }
// RunDockershim only starts the dockershim in current process. This is only used for cri validate testing purpose
// TODO(random-liu): Move this to a separate binary.
func RunDockershim(f *options.KubeletFlags, c *kubeletconfiginternal.KubeletConfiguration) error {
r := &f.ContainerRuntimeOptions
// Initialize docker client configuration.
dockerClientConfig := &dockershim.ClientConfig{
DockerEndpoint: r.DockerEndpoint,
RuntimeRequestTimeout: c.RuntimeRequestTimeout.Duration,
ImagePullProgressDeadline: r.ImagePullProgressDeadline.Duration,
}
// Initialize network plugin settings.
nh := &kubelet.NoOpLegacyHost{}
pluginSettings := dockershim.NetworkPluginSettings{
HairpinMode: kubeletconfiginternal.HairpinMode(c.HairpinMode),
NonMasqueradeCIDR: f.NonMasqueradeCIDR,
PluginName: r.NetworkPluginName,
PluginConfDir: r.CNIConfDir,
PluginBinDir: r.CNIBinDir,
MTU: int(r.NetworkPluginMTU),
LegacyRuntimeHost: nh,
}
// Initialize streaming configuration. (Not using TLS now)
streamingConfig := &streaming.Config{
// Use a relative redirect (no scheme or host).
BaseURL: &url.URL{Path: "/cri/"},
StreamIdleTimeout: c.StreamingConnectionIdleTimeout.Duration,
StreamCreationTimeout: streaming.DefaultConfig.StreamCreationTimeout,
SupportedRemoteCommandProtocols: streaming.DefaultConfig.SupportedRemoteCommandProtocols,
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
}
ds, err := dockershim.NewDockerService(dockerClientConfig, r.PodSandboxImage, streamingConfig, &pluginSettings,
f.RuntimeCgroups, c.CgroupDriver, r.DockershimRootDirectory, r.DockerDisableSharedPID)
if err != nil {
return err
}
glog.V(2).Infof("Starting the GRPC server for the docker CRI shim.")
server := dockerremote.NewDockerServer(f.RemoteRuntimeEndpoint, ds)
if err := server.Start(); err != nil {
return err
}
// Start the streaming server
addr := net.JoinHostPort(c.Address, strconv.Itoa(int(c.Port)))
return http.ListenAndServe(addr, ds)
}
...@@ -4867,12 +4867,12 @@ func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList ...@@ -4867,12 +4867,12 @@ func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList
if ip.IsUnspecified() { if ip.IsUnspecified() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be unspecified (0.0.0.0)")) allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be unspecified (0.0.0.0)"))
} }
if ip.IsLoopback() { //if ip.IsLoopback() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the loopback range (127.0.0.0/8)")) // allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the loopback range (127.0.0.0/8)"))
} //}
if ip.IsLinkLocalUnicast() { //if ip.IsLinkLocalUnicast() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local range (169.254.0.0/16)")) // allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local range (169.254.0.0/16)"))
} //}
if ip.IsLinkLocalMulticast() { if ip.IsLinkLocalMulticast() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local multicast range (224.0.0.0/24)")) allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local multicast range (224.0.0.0/24)"))
} }
......
...@@ -45,15 +45,6 @@ const ( ...@@ -45,15 +45,6 @@ const (
// RangeAllocatorType is the allocator that uses an internal CIDR // RangeAllocatorType is the allocator that uses an internal CIDR
// range allocator to do node CIDR range allocations. // range allocator to do node CIDR range allocations.
RangeAllocatorType CIDRAllocatorType = "RangeAllocator" RangeAllocatorType CIDRAllocatorType = "RangeAllocator"
// CloudAllocatorType is the allocator that uses cloud platform
// support to do node CIDR range allocations.
CloudAllocatorType CIDRAllocatorType = "CloudAllocator"
// IPAMFromClusterAllocatorType uses the ipam controller sync'ing the node
// CIDR range allocations from the cluster to the cloud.
IPAMFromClusterAllocatorType = "IPAMFromCluster"
// IPAMFromCloudAllocatorType uses the ipam controller sync'ing the node
// CIDR range allocations from the cloud to the cluster.
IPAMFromCloudAllocatorType = "IPAMFromCloud"
) )
// TODO: figure out the good setting for those constants. // TODO: figure out the good setting for those constants.
...@@ -100,8 +91,6 @@ func New(kubeClient clientset.Interface, cloud cloudprovider.Interface, nodeInfo ...@@ -100,8 +91,6 @@ func New(kubeClient clientset.Interface, cloud cloudprovider.Interface, nodeInfo
switch allocatorType { switch allocatorType {
case RangeAllocatorType: case RangeAllocatorType:
return NewCIDRRangeAllocator(kubeClient, nodeInformer, clusterCIDR, serviceCIDR, nodeCIDRMaskSize, nodeList) return NewCIDRRangeAllocator(kubeClient, nodeInformer, clusterCIDR, serviceCIDR, nodeCIDRMaskSize, nodeList)
case CloudAllocatorType:
return NewCloudCIDRAllocator(kubeClient, cloud, nodeInformer)
default: default:
return nil, fmt.Errorf("Invalid CIDR allocator type: %v", allocatorType) return nil, fmt.Errorf("Invalid CIDR allocator type: %v", allocatorType)
} }
......
...@@ -18,8 +18,6 @@ package nodeipam ...@@ -18,8 +18,6 @@ package nodeipam
import ( import (
"net" "net"
"time"
"github.com/golang/glog" "github.com/golang/glog"
utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime"
...@@ -35,7 +33,6 @@ import ( ...@@ -35,7 +33,6 @@ import (
"k8s.io/kubernetes/pkg/cloudprovider" "k8s.io/kubernetes/pkg/cloudprovider"
"k8s.io/kubernetes/pkg/controller" "k8s.io/kubernetes/pkg/controller"
"k8s.io/kubernetes/pkg/controller/nodeipam/ipam" "k8s.io/kubernetes/pkg/controller/nodeipam/ipam"
nodesync "k8s.io/kubernetes/pkg/controller/nodeipam/ipam/sync"
"k8s.io/kubernetes/pkg/util/metrics" "k8s.io/kubernetes/pkg/util/metrics"
) )
...@@ -44,18 +41,6 @@ func init() { ...@@ -44,18 +41,6 @@ func init() {
Register() Register()
} }
const (
// ipamResyncInterval is the amount of time between when the cloud and node
// CIDR range assignments are synchronized.
ipamResyncInterval = 30 * time.Second
// ipamMaxBackoff is the maximum backoff for retrying synchronization of a
// given in the error state.
ipamMaxBackoff = 10 * time.Second
// ipamInitialRetry is the initial retry interval for retrying synchronization of a
// given in the error state.
ipamInitialBackoff = 250 * time.Millisecond
)
// Controller is the controller that manages node ipam state. // Controller is the controller that manages node ipam state.
type Controller struct { type Controller struct {
allocatorType ipam.CIDRAllocatorType allocatorType ipam.CIDRAllocatorType
...@@ -123,34 +108,12 @@ func NewNodeIpamController( ...@@ -123,34 +108,12 @@ func NewNodeIpamController(
allocatorType: allocatorType, allocatorType: allocatorType,
} }
// TODO: Abstract this check into a generic controller manager should run method.
if ic.allocatorType == ipam.IPAMFromClusterAllocatorType || ic.allocatorType == ipam.IPAMFromCloudAllocatorType {
cfg := &ipam.Config{
Resync: ipamResyncInterval,
MaxBackoff: ipamMaxBackoff,
InitialRetry: ipamInitialBackoff,
}
switch ic.allocatorType {
case ipam.IPAMFromClusterAllocatorType:
cfg.Mode = nodesync.SyncFromCluster
case ipam.IPAMFromCloudAllocatorType:
cfg.Mode = nodesync.SyncFromCloud
}
ipamc, err := ipam.NewController(cfg, kubeClient, cloud, clusterCIDR, serviceCIDR, nodeCIDRMaskSize)
if err != nil {
glog.Fatalf("Error creating ipam controller: %v", err)
}
if err := ipamc.Start(nodeInformer); err != nil {
glog.Fatalf("Error trying to Init(): %v", err)
}
} else {
var err error var err error
ic.cidrAllocator, err = ipam.New( ic.cidrAllocator, err = ipam.New(
kubeClient, cloud, nodeInformer, ic.allocatorType, ic.clusterCIDR, ic.serviceCIDR, nodeCIDRMaskSize) kubeClient, cloud, nodeInformer, ic.allocatorType, ic.clusterCIDR, ic.serviceCIDR, nodeCIDRMaskSize)
if err != nil { if err != nil {
return nil, err return nil, err
} }
}
ic.nodeLister = nodeInformer.Lister() ic.nodeLister = nodeInformer.Lister()
ic.nodeInformerSynced = nodeInformer.Informer().HasSynced ic.nodeInformerSynced = nodeInformer.Informer().HasSynced
...@@ -169,9 +132,7 @@ func (nc *Controller) Run(stopCh <-chan struct{}) { ...@@ -169,9 +132,7 @@ func (nc *Controller) Run(stopCh <-chan struct{}) {
return return
} }
if nc.allocatorType != ipam.IPAMFromClusterAllocatorType && nc.allocatorType != ipam.IPAMFromCloudAllocatorType {
go nc.cidrAllocator.Run(stopCh) go nc.cidrAllocator.Run(stopCh)
}
<-stopCh <-stopCh
} }
...@@ -19,14 +19,11 @@ package authorizer ...@@ -19,14 +19,11 @@ package authorizer
import ( import (
"errors" "errors"
"fmt" "fmt"
"time"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory" "k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union" "k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
versionedinformers "k8s.io/client-go/informers" versionedinformers "k8s.io/client-go/informers"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/auth/nodeidentifier"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
...@@ -38,20 +35,6 @@ import ( ...@@ -38,20 +35,6 @@ import (
type AuthorizationConfig struct { type AuthorizationConfig struct {
AuthorizationModes []string AuthorizationModes []string
// Options for ModeABAC
// Path to an ABAC policy file.
PolicyFile string
// Options for ModeWebhook
// Kubeconfig file for Webhook authorization plugin.
WebhookConfigFile string
// TTL for caching of authorized responses from the webhook server.
WebhookCacheAuthorizedTTL time.Duration
// TTL for caching of unauthorized responses from the webhook server.
WebhookCacheUnauthorizedTTL time.Duration
InformerFactory informers.SharedInformerFactory InformerFactory informers.SharedInformerFactory
VersionedInformerFactory versionedinformers.SharedInformerFactory VersionedInformerFactory versionedinformers.SharedInformerFactory
} }
...@@ -95,28 +78,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR ...@@ -95,28 +78,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer() alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer()
authorizers = append(authorizers, alwaysDenyAuthorizer) authorizers = append(authorizers, alwaysDenyAuthorizer)
ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer) ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
case modes.ModeABAC:
if config.PolicyFile == "" {
return nil, nil, errors.New("ABAC's authorization policy file not passed")
}
abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
if err != nil {
return nil, nil, err
}
authorizers = append(authorizers, abacAuthorizer)
ruleResolvers = append(ruleResolvers, abacAuthorizer)
case modes.ModeWebhook:
if config.WebhookConfigFile == "" {
return nil, nil, errors.New("Webhook's configuration file not passed")
}
webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
config.WebhookCacheAuthorizedTTL,
config.WebhookCacheUnauthorizedTTL)
if err != nil {
return nil, nil, err
}
authorizers = append(authorizers, webhookAuthorizer)
ruleResolvers = append(ruleResolvers, webhookAuthorizer)
case modes.ModeRBAC: case modes.ModeRBAC:
rbacAuthorizer := rbac.New( rbacAuthorizer := rbac.New(
&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()}, &rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
...@@ -132,12 +93,5 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR ...@@ -132,12 +93,5 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
authorizerMap[authorizationMode] = true authorizerMap[authorizationMode] = true
} }
if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" {
return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
}
if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" {
return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
}
return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
} }
...@@ -21,13 +21,11 @@ import "k8s.io/apimachinery/pkg/util/sets" ...@@ -21,13 +21,11 @@ import "k8s.io/apimachinery/pkg/util/sets"
const ( const (
ModeAlwaysAllow string = "AlwaysAllow" ModeAlwaysAllow string = "AlwaysAllow"
ModeAlwaysDeny string = "AlwaysDeny" ModeAlwaysDeny string = "AlwaysDeny"
ModeABAC string = "ABAC"
ModeWebhook string = "Webhook"
ModeRBAC string = "RBAC" ModeRBAC string = "RBAC"
ModeNode string = "Node" ModeNode string = "Node"
) )
var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC, ModeNode} var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeRBAC, ModeNode}
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver // IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
func IsValidAuthorizationMode(authzMode string) bool { func IsValidAuthorizationMode(authzMode string) bool {
......
...@@ -18,7 +18,6 @@ package options ...@@ -18,7 +18,6 @@ package options
import ( import (
"strings" "strings"
"time"
"github.com/spf13/pflag" "github.com/spf13/pflag"
...@@ -30,17 +29,11 @@ import ( ...@@ -30,17 +29,11 @@ import (
type BuiltInAuthorizationOptions struct { type BuiltInAuthorizationOptions struct {
Mode string Mode string
PolicyFile string
WebhookConfigFile string
WebhookCacheAuthorizedTTL time.Duration
WebhookCacheUnauthorizedTTL time.Duration
} }
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions { func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
return &BuiltInAuthorizationOptions{ return &BuiltInAuthorizationOptions{
Mode: authzmodes.ModeAlwaysAllow, Mode: authzmodes.ModeNode + "," + authzmodes.ModeAlwaysAllow,
WebhookCacheAuthorizedTTL: 5 * time.Minute,
WebhookCacheUnauthorizedTTL: 30 * time.Second,
} }
} }
...@@ -54,21 +47,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -54,21 +47,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+ "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
strings.Join(authzmodes.AuthorizationModeChoices, ",")+".") strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")
fs.StringVar(&s.PolicyFile, "authorization-policy-file", s.PolicyFile, ""+
"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
fs.StringVar(&s.WebhookConfigFile, "authorization-webhook-config-file", s.WebhookConfigFile, ""+
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
"The API server will query the remote service to determine access on the API server's secure port.")
fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
s.WebhookCacheAuthorizedTTL,
"The duration to cache 'authorized' responses from the webhook authorizer.")
fs.DurationVar(&s.WebhookCacheUnauthorizedTTL,
"authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL,
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
fs.String("authorization-rbac-super-user", "", ""+ fs.String("authorization-rbac-super-user", "", ""+
"If specified, a username which avoids RBAC authorization checks and role binding "+ "If specified, a username which avoids RBAC authorization checks and role binding "+
"privilege escalation checks, to be used with --authorization-mode=RBAC.") "privilege escalation checks, to be used with --authorization-mode=RBAC.")
...@@ -87,10 +65,6 @@ func (s *BuiltInAuthorizationOptions) Modes() []string { ...@@ -87,10 +65,6 @@ func (s *BuiltInAuthorizationOptions) Modes() []string {
func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig { func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
return authorizer.AuthorizationConfig{ return authorizer.AuthorizationConfig{
AuthorizationModes: s.Modes(), AuthorizationModes: s.Modes(),
PolicyFile: s.PolicyFile,
WebhookConfigFile: s.WebhookConfigFile,
WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL,
WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
InformerFactory: informerFactory, InformerFactory: informerFactory,
VersionedInformerFactory: versionedInformerFactory, VersionedInformerFactory: versionedInformerFactory,
} }
......
...@@ -20,126 +20,36 @@ package options ...@@ -20,126 +20,36 @@ package options
// This should probably be part of some configuration fed into the build for a // This should probably be part of some configuration fed into the build for a
// given binary target. // given binary target.
import ( import (
// Cloud providers
_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
// Admission policies
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
"k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
"k8s.io/kubernetes/plugin/pkg/admission/deny"
"k8s.io/kubernetes/plugin/pkg/admission/eventratelimit"
"k8s.io/kubernetes/plugin/pkg/admission/exec"
"k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration"
"k8s.io/kubernetes/plugin/pkg/admission/gc"
"k8s.io/kubernetes/plugin/pkg/admission/imagepolicy"
"k8s.io/kubernetes/plugin/pkg/admission/initialresources"
"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
"k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
"k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/resize"
"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
"k8s.io/kubernetes/plugin/pkg/admission/podpreset"
"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
"k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault" "k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault"
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/plugin/initialization" "k8s.io/apiserver/pkg/admission/plugin/initialization"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
) )
// AllOrderedPlugins is the list of all the plugins in order. // AllOrderedPlugins is the list of all the plugins in order.
var AllOrderedPlugins = []string{ var AllOrderedPlugins = []string{
admit.PluginName, // AlwaysAdmit
autoprovision.PluginName, // NamespaceAutoProvision
lifecycle.PluginName, // NamespaceLifecycle lifecycle.PluginName, // NamespaceLifecycle
exists.PluginName, // NamespaceExists
scdeny.PluginName, // SecurityContextDeny
antiaffinity.PluginName, // LimitPodHardAntiAffinityTopology
initialresources.PluginName, // InitialResources
podpreset.PluginName, // PodPreset
limitranger.PluginName, // LimitRanger
serviceaccount.PluginName, // ServiceAccount serviceaccount.PluginName, // ServiceAccount
noderestriction.PluginName, // NodeRestriction
alwayspullimages.PluginName, // AlwaysPullImages
imagepolicy.PluginName, // ImagePolicyWebhook
podsecuritypolicy.PluginName, // PodSecurityPolicy
podnodeselector.PluginName, // PodNodeSelector
podpriority.PluginName, // Priority
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
podtolerationrestriction.PluginName, // PodTolerationRestriction
exec.DenyEscalatingExec, // DenyEscalatingExec
exec.DenyExecOnPrivileged, // DenyExecOnPrivileged
eventratelimit.PluginName, // EventRateLimit
extendedresourcetoleration.PluginName, // ExtendedResourceToleration
label.PluginName, // PersistentVolumeLabel
setdefault.PluginName, // DefaultStorageClass setdefault.PluginName, // DefaultStorageClass
storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
gc.PluginName, // OwnerReferencesPermissionEnforcement
resize.PluginName, // PersistentVolumeClaimResize
mutatingwebhook.PluginName, // MutatingAdmissionWebhook
initialization.PluginName, // Initializers initialization.PluginName, // Initializers
validatingwebhook.PluginName, // ValidatingAdmissionWebhook
resourcequota.PluginName, // ResourceQuota
deny.PluginName, // AlwaysDeny
} }
// RegisterAllAdmissionPlugins registers all admission plugins and // RegisterAllAdmissionPlugins registers all admission plugins and
// sets the recommended plugins order. // sets the recommended plugins order.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
admit.Register(plugins) // DEPRECATED as no real meaning
alwayspullimages.Register(plugins)
antiaffinity.Register(plugins)
defaulttolerationseconds.Register(plugins)
deny.Register(plugins) // DEPRECATED as no real meaning
eventratelimit.Register(plugins)
exec.Register(plugins)
extendedresourcetoleration.Register(plugins)
gc.Register(plugins)
imagepolicy.Register(plugins)
initialresources.Register(plugins)
limitranger.Register(plugins)
autoprovision.Register(plugins)
exists.Register(plugins)
noderestriction.Register(plugins)
label.Register(plugins) // DEPRECATED in favor of NewPersistentVolumeLabelController in CCM
podnodeselector.Register(plugins)
podpreset.Register(plugins)
podtolerationrestriction.Register(plugins)
resourcequota.Register(plugins)
podsecuritypolicy.Register(plugins)
podpriority.Register(plugins)
scdeny.Register(plugins)
serviceaccount.Register(plugins) serviceaccount.Register(plugins)
setdefault.Register(plugins) setdefault.Register(plugins)
resize.Register(plugins)
storageobjectinuseprotection.Register(plugins)
} }
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver. // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
func DefaultOffAdmissionPlugins() sets.String { func DefaultOffAdmissionPlugins() sets.String {
defaultOnPlugins := sets.NewString( defaultOnPlugins := sets.NewString(
lifecycle.PluginName, //NamespaceLifecycle lifecycle.PluginName, //NamespaceLifecycle
limitranger.PluginName, //LimitRanger
serviceaccount.PluginName, //ServiceAccount serviceaccount.PluginName, //ServiceAccount
label.PluginName, //PersistentVolumeLabel
setdefault.PluginName, //DefaultStorageClass setdefault.PluginName, //DefaultStorageClass
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
resourcequota.PluginName, //ResourceQuota
) )
return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins) return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
......
...@@ -36,10 +36,6 @@ type imageFsInfoProvider struct { ...@@ -36,10 +36,6 @@ type imageFsInfoProvider struct {
// For remote runtimes, it handles additional runtimes natively understood by cAdvisor. // For remote runtimes, it handles additional runtimes natively understood by cAdvisor.
func (i *imageFsInfoProvider) ImageFsInfoLabel() (string, error) { func (i *imageFsInfoProvider) ImageFsInfoLabel() (string, error) {
switch i.runtime { switch i.runtime {
case types.DockerContainerRuntime:
return cadvisorfs.LabelDockerImages, nil
case types.RktContainerRuntime:
return cadvisorfs.LabelRktImages, nil
case types.RemoteContainerRuntime: case types.RemoteContainerRuntime:
// This is a temporary workaround to get stats for cri-o from cadvisor // This is a temporary workaround to get stats for cri-o from cadvisor
// and should be removed. // and should be removed.
......
...@@ -17,8 +17,6 @@ limitations under the License. ...@@ -17,8 +17,6 @@ limitations under the License.
package cadvisor package cadvisor
import ( import (
goruntime "runtime"
cadvisorapi "github.com/google/cadvisor/info/v1" cadvisorapi "github.com/google/cadvisor/info/v1"
cadvisorapi2 "github.com/google/cadvisor/info/v2" cadvisorapi2 "github.com/google/cadvisor/info/v2"
"k8s.io/api/core/v1" "k8s.io/api/core/v1"
...@@ -26,7 +24,6 @@ import ( ...@@ -26,7 +24,6 @@ import (
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper" v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
) )
const ( const (
...@@ -75,7 +72,5 @@ func EphemeralStorageCapacityFromFsInfo(info cadvisorapi2.FsInfo) v1.ResourceLis ...@@ -75,7 +72,5 @@ func EphemeralStorageCapacityFromFsInfo(info cadvisorapi2.FsInfo) v1.ResourceLis
// https://github.com/kubernetes/kubernetes/issues/51798 // https://github.com/kubernetes/kubernetes/issues/51798
// UsingLegacyCadvisorStats returns true if container stats are provided by cadvisor instead of through the CRI // UsingLegacyCadvisorStats returns true if container stats are provided by cadvisor instead of through the CRI
func UsingLegacyCadvisorStats(runtime, runtimeEndpoint string) bool { func UsingLegacyCadvisorStats(runtime, runtimeEndpoint string) bool {
return runtime == kubetypes.RktContainerRuntime || return runtimeEndpoint == CrioSocket
(runtime == kubetypes.DockerContainerRuntime && goruntime.GOOS == "linux") ||
runtimeEndpoint == CrioSocket
} }
...@@ -23,7 +23,6 @@ import ( ...@@ -23,7 +23,6 @@ import (
"math" "math"
"net" "net"
"net/http" "net/http"
"net/url"
"os" "os"
"path" "path"
"sort" "sort"
...@@ -65,12 +64,9 @@ import ( ...@@ -65,12 +64,9 @@ import (
"k8s.io/kubernetes/pkg/kubelet/config" "k8s.io/kubernetes/pkg/kubelet/config"
"k8s.io/kubernetes/pkg/kubelet/configmap" "k8s.io/kubernetes/pkg/kubelet/configmap"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/dockershim"
dockerremote "k8s.io/kubernetes/pkg/kubelet/dockershim/remote"
"k8s.io/kubernetes/pkg/kubelet/events" "k8s.io/kubernetes/pkg/kubelet/events"
"k8s.io/kubernetes/pkg/kubelet/eviction" "k8s.io/kubernetes/pkg/kubelet/eviction"
"k8s.io/kubernetes/pkg/kubelet/gpu" "k8s.io/kubernetes/pkg/kubelet/gpu"
"k8s.io/kubernetes/pkg/kubelet/gpu/nvidia"
"k8s.io/kubernetes/pkg/kubelet/images" "k8s.io/kubernetes/pkg/kubelet/images"
"k8s.io/kubernetes/pkg/kubelet/kubeletconfig" "k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
"k8s.io/kubernetes/pkg/kubelet/kuberuntime" "k8s.io/kubernetes/pkg/kubelet/kuberuntime"
...@@ -86,11 +82,9 @@ import ( ...@@ -86,11 +82,9 @@ import (
"k8s.io/kubernetes/pkg/kubelet/prober" "k8s.io/kubernetes/pkg/kubelet/prober"
proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results" proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results"
"k8s.io/kubernetes/pkg/kubelet/remote" "k8s.io/kubernetes/pkg/kubelet/remote"
"k8s.io/kubernetes/pkg/kubelet/rkt"
"k8s.io/kubernetes/pkg/kubelet/secret" "k8s.io/kubernetes/pkg/kubelet/secret"
"k8s.io/kubernetes/pkg/kubelet/server" "k8s.io/kubernetes/pkg/kubelet/server"
serverstats "k8s.io/kubernetes/pkg/kubelet/server/stats" serverstats "k8s.io/kubernetes/pkg/kubelet/server/stats"
"k8s.io/kubernetes/pkg/kubelet/server/streaming"
"k8s.io/kubernetes/pkg/kubelet/stats" "k8s.io/kubernetes/pkg/kubelet/stats"
"k8s.io/kubernetes/pkg/kubelet/status" "k8s.io/kubernetes/pkg/kubelet/status"
"k8s.io/kubernetes/pkg/kubelet/sysctl" "k8s.io/kubernetes/pkg/kubelet/sysctl"
...@@ -234,7 +228,6 @@ type Dependencies struct { ...@@ -234,7 +228,6 @@ type Dependencies struct {
CAdvisorInterface cadvisor.Interface CAdvisorInterface cadvisor.Interface
Cloud cloudprovider.Interface Cloud cloudprovider.Interface
ContainerManager cm.ContainerManager ContainerManager cm.ContainerManager
DockerClientConfig *dockershim.ClientConfig
EventClient v1core.EventsGetter EventClient v1core.EventsGetter
HeartbeatClient v1core.CoreV1Interface HeartbeatClient v1core.CoreV1Interface
OnHeartbeatFailure func() OnHeartbeatFailure func()
...@@ -583,30 +576,8 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -583,30 +576,8 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
} }
} }
// TODO: These need to become arguments to a standalone docker shim.
pluginSettings := dockershim.NetworkPluginSettings{
HairpinMode: hairpinMode,
NonMasqueradeCIDR: nonMasqueradeCIDR,
PluginName: crOptions.NetworkPluginName,
PluginConfDir: crOptions.CNIConfDir,
PluginBinDir: crOptions.CNIBinDir,
MTU: int(crOptions.NetworkPluginMTU),
}
klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(klet, kubeCfg.VolumeStatsAggPeriod.Duration) klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(klet, kubeCfg.VolumeStatsAggPeriod.Duration)
// Remote runtime shim just cannot talk back to kubelet, so it doesn't
// support bandwidth shaping or hostports till #35457. To enable legacy
// features, replace with networkHost.
var nl *NoOpLegacyHost
pluginSettings.LegacyRuntimeHost = nl
if containerRuntime == kubetypes.RktContainerRuntime {
glog.Warningln("rktnetes has been deprecated in favor of rktlet. Please see https://github.com/kubernetes-incubator/rktlet for more information.")
}
// rktnetes cannot be run with CRI.
if containerRuntime != kubetypes.RktContainerRuntime {
// kubelet defers to the runtime shim to setup networking. Setting // kubelet defers to the runtime shim to setup networking. Setting
// this to nil will prevent it from trying to invoke the plugin. // this to nil will prevent it from trying to invoke the plugin.
// It's easier to always probe and initialize plugins till cri // It's easier to always probe and initialize plugins till cri
...@@ -616,38 +587,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -616,38 +587,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
var legacyLogProvider kuberuntime.LegacyLogProvider var legacyLogProvider kuberuntime.LegacyLogProvider
switch containerRuntime { switch containerRuntime {
case kubetypes.DockerContainerRuntime:
// Create and start the CRI shim running as a grpc server.
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
ds, err := dockershim.NewDockerService(kubeDeps.DockerClientConfig, crOptions.PodSandboxImage, streamingConfig,
&pluginSettings, runtimeCgroups, kubeCfg.CgroupDriver, crOptions.DockershimRootDirectory,
crOptions.DockerDisableSharedPID)
if err != nil {
return nil, err
}
// For now, the CRI shim redirects the streaming requests to the
// kubelet, which handles the requests using DockerService..
klet.criHandler = ds
// The unix socket for kubelet <-> dockershim communication.
glog.V(5).Infof("RemoteRuntimeEndpoint: %q, RemoteImageEndpoint: %q",
remoteRuntimeEndpoint,
remoteImageEndpoint)
glog.V(2).Infof("Starting the GRPC server for the docker CRI shim.")
server := dockerremote.NewDockerServer(remoteRuntimeEndpoint, ds)
if err := server.Start(); err != nil {
return nil, err
}
// Create dockerLegacyService when the logging driver is not supported.
supported, err := ds.IsCRISupportedLogDriver()
if err != nil {
return nil, err
}
if !supported {
klet.dockerLegacyService = ds
legacyLogProvider = ds
}
case kubetypes.RemoteContainerRuntime: case kubetypes.RemoteContainerRuntime:
// No-op. // No-op.
break break
...@@ -702,45 +641,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -702,45 +641,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
imageService, imageService,
stats.NewLogMetricsService()) stats.NewLogMetricsService())
} }
} else {
// rkt uses the legacy, non-CRI, integration. Configure it the old way.
// TODO: Include hairpin mode settings in rkt?
conf := &rkt.Config{
Path: crOptions.RktPath,
Stage1Image: crOptions.RktStage1Image,
InsecureOptions: "image,ondisk",
}
runtime, err := rkt.New(
crOptions.RktAPIEndpoint,
conf,
klet,
kubeDeps.Recorder,
containerRefManager,
klet,
klet.livenessManager,
httpClient,
klet.networkPlugin,
hairpinMode == kubeletconfiginternal.HairpinVeth,
utilexec.New(),
kubecontainer.RealOS{},
imageBackOff,
kubeCfg.SerializeImagePulls,
float32(kubeCfg.RegistryPullQPS),
int(kubeCfg.RegistryBurst),
kubeCfg.RuntimeRequestTimeout.Duration,
)
if err != nil {
return nil, err
}
klet.containerRuntime = runtime
klet.runner = kubecontainer.DirectStreamingRunner(runtime)
klet.StatsProvider = stats.NewCadvisorStatsProvider(
klet.cadvisor,
klet.resourceAnalyzer,
klet.podManager,
klet.runtimeCache,
klet.containerRuntime)
}
klet.pleg = pleg.NewGenericPLEG(klet.containerRuntime, plegChannelCapacity, plegRelistPeriod, klet.podCache, clock.RealClock{}) klet.pleg = pleg.NewGenericPLEG(klet.containerRuntime, plegChannelCapacity, plegRelistPeriod, klet.podCache, clock.RealClock{})
klet.runtimeState = newRuntimeState(maxWaitForContainerRuntime) klet.runtimeState = newRuntimeState(maxWaitForContainerRuntime)
...@@ -902,15 +802,8 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -902,15 +802,8 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator)) klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime)) klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) { if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) {
if containerRuntime == kubetypes.DockerContainerRuntime {
glog.Warningln("Accelerators feature is deprecated and will be removed in v1.11. Please use device plugins instead. They can be enabled using the DevicePlugins feature gate.")
if klet.gpuManager, err = nvidia.NewNvidiaGPUManager(klet, kubeDeps.DockerClientConfig); err != nil {
return nil, err
}
} else {
glog.Errorf("Accelerators feature is supported with docker runtime only. Disabling this feature internally.") glog.Errorf("Accelerators feature is supported with docker runtime only. Disabling this feature internally.")
} }
}
// Set GPU manager to a stub implementation if it is not enabled or cannot be supported. // Set GPU manager to a stub implementation if it is not enabled or cannot be supported.
if klet.gpuManager == nil { if klet.gpuManager == nil {
klet.gpuManager = gpu.NewGPUManagerStub() klet.gpuManager = gpu.NewGPUManagerStub()
...@@ -1193,10 +1086,6 @@ type Kubelet struct { ...@@ -1193,10 +1086,6 @@ type Kubelet struct {
// GPU Manager // GPU Manager
gpuManager gpu.GPUManager gpuManager gpu.GPUManager
// dockerLegacyService contains some legacy methods for backward compatibility.
// It should be set only when docker is using non json-file logging driver.
dockerLegacyService dockershim.DockerLegacyService
// StatsProvider provides the node and the container stats. // StatsProvider provides the node and the container stats.
*stats.StatsProvider *stats.StatsProvider
...@@ -2114,9 +2003,6 @@ func (kl *Kubelet) updateRuntimeUp() { ...@@ -2114,9 +2003,6 @@ func (kl *Kubelet) updateRuntimeUp() {
glog.Errorf("Container runtime sanity check failed: %v", err) glog.Errorf("Container runtime sanity check failed: %v", err)
return return
} }
// rkt uses the legacy, non-CRI integration. Don't check the runtime
// conditions for it.
if kl.containerRuntimeName != kubetypes.RktContainerRuntime {
if s == nil { if s == nil {
glog.Errorf("Container runtime status is nil") glog.Errorf("Container runtime status is nil")
return return
...@@ -2142,7 +2028,6 @@ func (kl *Kubelet) updateRuntimeUp() { ...@@ -2142,7 +2028,6 @@ func (kl *Kubelet) updateRuntimeUp() {
glog.Errorf("Container runtime not ready: %v", runtimeReady) glog.Errorf("Container runtime not ready: %v", runtimeReady)
return return
} }
}
kl.oneTimeInitializer.Do(kl.initializeRuntimeDependentModules) kl.oneTimeInitializer.Do(kl.initializeRuntimeDependentModules)
kl.runtimeState.setRuntimeSync(kl.clock.Now()) kl.runtimeState.setRuntimeSync(kl.clock.Now())
} }
...@@ -2212,20 +2097,3 @@ func isSyncPodWorthy(event *pleg.PodLifecycleEvent) bool { ...@@ -2212,20 +2097,3 @@ func isSyncPodWorthy(event *pleg.PodLifecycleEvent) bool {
return event.Type != pleg.ContainerRemoved return event.Type != pleg.ContainerRemoved
} }
// Gets the streaming server configuration to use with in-process CRI shims.
func getStreamingConfig(kubeCfg *kubeletconfiginternal.KubeletConfiguration, kubeDeps *Dependencies) *streaming.Config {
config := &streaming.Config{
// Use a relative redirect (no scheme or host).
BaseURL: &url.URL{
Path: "/cri/",
},
StreamIdleTimeout: kubeCfg.StreamingConnectionIdleTimeout.Duration,
StreamCreationTimeout: streaming.DefaultConfig.StreamCreationTimeout,
SupportedRemoteCommandProtocols: streaming.DefaultConfig.SupportedRemoteCommandProtocols,
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
}
if kubeDeps.TLSOptions != nil {
config.TLSConfig = kubeDeps.TLSOptions.Config
}
return config
}
...@@ -26,7 +26,6 @@ import ( ...@@ -26,7 +26,6 @@ import (
"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig" "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/network" "k8s.io/kubernetes/pkg/kubelet/network"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
) )
...@@ -128,17 +127,8 @@ func effectiveHairpinMode(hairpinMode kubeletconfig.HairpinMode, containerRuntim ...@@ -128,17 +127,8 @@ func effectiveHairpinMode(hairpinMode kubeletconfig.HairpinMode, containerRuntim
// - It's set to "none". // - It's set to "none".
if hairpinMode == kubeletconfig.PromiscuousBridge || hairpinMode == kubeletconfig.HairpinVeth { if hairpinMode == kubeletconfig.PromiscuousBridge || hairpinMode == kubeletconfig.HairpinVeth {
// Only on docker. // Only on docker.
if containerRuntime != kubetypes.DockerContainerRuntime {
glog.Warningf("Hairpin mode set to %q but container runtime is %q, ignoring", hairpinMode, containerRuntime) glog.Warningf("Hairpin mode set to %q but container runtime is %q, ignoring", hairpinMode, containerRuntime)
return kubeletconfig.HairpinNone, nil return kubeletconfig.HairpinNone, nil
}
if hairpinMode == kubeletconfig.PromiscuousBridge && networkPlugin != "kubenet" {
// This is not a valid combination, since promiscuous-bridge only works on kubenet. Users might be using the
// default values (from before the hairpin-mode flag existed) and we
// should keep the old behavior.
glog.Warningf("Hairpin mode set to %q but kubenet is not enabled, falling back to %q", hairpinMode, kubeletconfig.HairpinVeth)
return kubeletconfig.HairpinVeth, nil
}
} else if hairpinMode != kubeletconfig.HairpinNone { } else if hairpinMode != kubeletconfig.HairpinNone {
return "", fmt.Errorf("unknown value: %q", hairpinMode) return "", fmt.Errorf("unknown value: %q", hairpinMode)
} }
......
...@@ -1233,12 +1233,6 @@ func (kl *Kubelet) GetKubeletContainerLogs(podFullName, containerName string, lo ...@@ -1233,12 +1233,6 @@ func (kl *Kubelet) GetKubeletContainerLogs(podFullName, containerName string, lo
return err return err
} }
if kl.dockerLegacyService != nil {
// dockerLegacyService should only be non-nil when we actually need it, so
// inject it into the runtimeService.
// TODO(random-liu): Remove this hack after deprecating unsupported log driver.
return kl.dockerLegacyService.GetContainerLogs(pod, containerID, logOptions, stdout, stderr)
}
return kl.containerRuntime.GetContainerLogs(pod, containerID, logOptions, stdout, stderr) return kl.containerRuntime.GetContainerLogs(pod, containerID, logOptions, stdout, stderr)
} }
......
...@@ -188,36 +188,6 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult ...@@ -188,36 +188,6 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
} }
// Always admit runtimes except docker. // Always admit runtimes except docker.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
return PodAdmitResult{Admit: true}
}
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
v, err := rversion.Compare("1.23.0")
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
// If the version is less than 1.23 it will return -1 above.
if v == -1 {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
}
return PodAdmitResult{Admit: true} return PodAdmitResult{Admit: true}
} }
......
...@@ -21,8 +21,6 @@ const ( ...@@ -21,8 +21,6 @@ const (
ResolvConfDefault = "/etc/resolv.conf" ResolvConfDefault = "/etc/resolv.conf"
// different container runtimes // different container runtimes
DockerContainerRuntime = "docker"
RktContainerRuntime = "rkt"
RemoteContainerRuntime = "remote" RemoteContainerRuntime = "remote"
// User visible keys for managing node allocatable enforcement on the node. // User visible keys for managing node allocatable enforcement on the node.
......
...@@ -112,7 +112,7 @@ func validateHost(runtime string) error { ...@@ -112,7 +112,7 @@ func validateHost(runtime string) error {
} }
// Check runtime support. Currently only Docker is supported. // Check runtime support. Currently only Docker is supported.
if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime { if runtime != kubetypes.RemoteContainerRuntime {
return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime) return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
} }
......
...@@ -26,12 +26,9 @@ import ( ...@@ -26,12 +26,9 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group" "k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous" "k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
unionauth "k8s.io/apiserver/pkg/authentication/request/union" unionauth "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509" "k8s.io/apiserver/pkg/authentication/request/x509"
webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1" authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
"k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
) )
...@@ -83,23 +80,6 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur ...@@ -83,23 +80,6 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
authenticators = append(authenticators, x509.New(verifyOpts, x509.CommonNameUserConversion)) authenticators = append(authenticators, x509.New(verifyOpts, x509.CommonNameUserConversion))
} }
if c.TokenAccessReviewClient != nil {
tokenAuth, err := webhooktoken.NewFromInterface(c.TokenAccessReviewClient, c.CacheTTL)
if err != nil {
return nil, nil, err
}
authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
securityDefinitions["BearerToken"] = &spec.SecurityScheme{
SecuritySchemeProps: spec.SecuritySchemeProps{
Type: "apiKey",
Name: "authorization",
In: "header",
Description: "Bearer Token authentication",
},
}
}
if len(authenticators) == 0 { if len(authenticators) == 0 {
if c.Anonymous { if c.Anonymous {
return anonymous.NewAuthenticator(), &securityDefinitions, nil return anonymous.NewAuthenticator(), &securityDefinitions, nil
......
...@@ -29,8 +29,6 @@ import ( ...@@ -29,8 +29,6 @@ import (
admissionmetrics "k8s.io/apiserver/pkg/admission/metrics" admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
"k8s.io/apiserver/pkg/admission/plugin/initialization" "k8s.io/apiserver/pkg/admission/plugin/initialization"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
apiserverapi "k8s.io/apiserver/pkg/apis/apiserver" apiserverapi "k8s.io/apiserver/pkg/apis/apiserver"
apiserverapiv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1" apiserverapiv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
...@@ -78,7 +76,7 @@ func NewAdmissionOptions() *AdmissionOptions { ...@@ -78,7 +76,7 @@ func NewAdmissionOptions() *AdmissionOptions {
// admission plugins. The apiserver always runs the validating ones // admission plugins. The apiserver always runs the validating ones
// after all the mutating ones, so their relative order in this list // after all the mutating ones, so their relative order in this list
// doesn't matter. // doesn't matter.
RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName}, RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName},
DefaultOffPlugins: sets.NewString(initialization.PluginName), DefaultOffPlugins: sets.NewString(initialization.PluginName),
} }
server.RegisterAllAdmissionPlugins(options.Plugins) server.RegisterAllAdmissionPlugins(options.Plugins)
......
...@@ -18,7 +18,6 @@ package options ...@@ -18,7 +18,6 @@ package options
import ( import (
"fmt" "fmt"
"net/http"
"strconv" "strconv"
"strings" "strings"
"time" "time"
...@@ -30,9 +29,7 @@ import ( ...@@ -30,9 +29,7 @@ import (
"k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry" genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/healthz"
serverstorage "k8s.io/apiserver/pkg/server/storage" serverstorage "k8s.io/apiserver/pkg/server/storage"
"k8s.io/apiserver/pkg/storage/etcd3/preflight"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
) )
...@@ -60,7 +57,6 @@ type EtcdOptions struct { ...@@ -60,7 +57,6 @@ type EtcdOptions struct {
var storageTypes = sets.NewString( var storageTypes = sets.NewString(
storagebackend.StorageTypeUnset, storagebackend.StorageTypeUnset,
storagebackend.StorageTypeETCD2,
storagebackend.StorageTypeETCD3, storagebackend.StorageTypeETCD3,
) )
...@@ -78,20 +74,7 @@ func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions { ...@@ -78,20 +74,7 @@ func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions {
} }
func (s *EtcdOptions) Validate() []error { func (s *EtcdOptions) Validate() []error {
if s == nil {
return nil return nil
}
allErrors := []error{}
if len(s.StorageConfig.ServerList) == 0 {
allErrors = append(allErrors, fmt.Errorf("--etcd-servers must be specified"))
}
if !storageTypes.Has(s.StorageConfig.Type) {
allErrors = append(allErrors, fmt.Errorf("--storage-backend invalid, must be 'etcd3' or 'etcd2'. If not specified, it will default to 'etcd3'"))
}
return allErrors
} }
// AddEtcdFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet // AddEtcdFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet
...@@ -167,30 +150,15 @@ func (s *EtcdOptions) ApplyTo(c *server.Config) error { ...@@ -167,30 +150,15 @@ func (s *EtcdOptions) ApplyTo(c *server.Config) error {
return nil return nil
} }
s.addEtcdHealthEndpoint(c)
c.RESTOptionsGetter = &SimpleRestOptionsFactory{Options: *s} c.RESTOptionsGetter = &SimpleRestOptionsFactory{Options: *s}
return nil return nil
} }
func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error { func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error {
s.addEtcdHealthEndpoint(c)
c.RESTOptionsGetter = &storageFactoryRestOptionsFactory{Options: *s, StorageFactory: factory} c.RESTOptionsGetter = &storageFactoryRestOptionsFactory{Options: *s, StorageFactory: factory}
return nil return nil
} }
func (s *EtcdOptions) addEtcdHealthEndpoint(c *server.Config) {
c.HealthzChecks = append(c.HealthzChecks, healthz.NamedCheck("etcd", func(r *http.Request) error {
done, err := preflight.EtcdConnection{ServerList: s.StorageConfig.ServerList}.CheckEtcdServers()
if !done {
return fmt.Errorf("etcd failed")
}
if err != nil {
return err
}
return nil
}))
}
type SimpleRestOptionsFactory struct { type SimpleRestOptionsFactory struct {
Options EtcdOptions Options EtcdOptions
} }
......
...@@ -31,9 +31,6 @@ import ( ...@@ -31,9 +31,6 @@ import (
type RecommendedOptions struct { type RecommendedOptions struct {
Etcd *EtcdOptions Etcd *EtcdOptions
SecureServing *SecureServingOptionsWithLoopback SecureServing *SecureServingOptionsWithLoopback
Authentication *DelegatingAuthenticationOptions
Authorization *DelegatingAuthorizationOptions
Audit *AuditOptions
Features *FeatureOptions Features *FeatureOptions
CoreAPI *CoreAPIOptions CoreAPI *CoreAPIOptions
...@@ -55,9 +52,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio ...@@ -55,9 +52,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
return &RecommendedOptions{ return &RecommendedOptions{
Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
SecureServing: WithLoopback(sso), SecureServing: WithLoopback(sso),
Authentication: NewDelegatingAuthenticationOptions(),
Authorization: NewDelegatingAuthorizationOptions(),
Audit: NewAuditOptions(),
Features: NewFeatureOptions(), Features: NewFeatureOptions(),
CoreAPI: NewCoreAPIOptions(), CoreAPI: NewCoreAPIOptions(),
ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil }, ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil },
...@@ -68,9 +62,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio ...@@ -68,9 +62,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) { func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) {
o.Etcd.AddFlags(fs) o.Etcd.AddFlags(fs)
o.SecureServing.AddFlags(fs) o.SecureServing.AddFlags(fs)
o.Authentication.AddFlags(fs)
o.Authorization.AddFlags(fs)
o.Audit.AddFlags(fs)
o.Features.AddFlags(fs) o.Features.AddFlags(fs)
o.CoreAPI.AddFlags(fs) o.CoreAPI.AddFlags(fs)
o.Admission.AddFlags(fs) o.Admission.AddFlags(fs)
...@@ -86,15 +77,6 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r ...@@ -86,15 +77,6 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
if err := o.SecureServing.ApplyTo(&config.Config); err != nil { if err := o.SecureServing.ApplyTo(&config.Config); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil {
return err
}
if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil {
return err
}
if err := o.Audit.ApplyTo(&config.Config); err != nil {
return err
}
if err := o.Features.ApplyTo(&config.Config); err != nil { if err := o.Features.ApplyTo(&config.Config); err != nil {
return err return err
} }
...@@ -114,9 +96,6 @@ func (o *RecommendedOptions) Validate() []error { ...@@ -114,9 +96,6 @@ func (o *RecommendedOptions) Validate() []error {
errors := []error{} errors := []error{}
errors = append(errors, o.Etcd.Validate()...) errors = append(errors, o.Etcd.Validate()...)
errors = append(errors, o.SecureServing.Validate()...) errors = append(errors, o.SecureServing.Validate()...)
errors = append(errors, o.Authentication.Validate()...)
errors = append(errors, o.Authorization.Validate()...)
errors = append(errors, o.Audit.Validate()...)
errors = append(errors, o.Features.Validate()...) errors = append(errors, o.Features.Validate()...)
errors = append(errors, o.CoreAPI.Validate()...) errors = append(errors, o.CoreAPI.Validate()...)
errors = append(errors, o.Admission.Validate()...) errors = append(errors, o.Admission.Validate()...)
......
...@@ -40,6 +40,9 @@ type SecureServingOptions struct { ...@@ -40,6 +40,9 @@ type SecureServingOptions struct {
// "tcp4", and "tcp6". // "tcp4", and "tcp6".
BindNetwork string BindNetwork string
PublicIP *net.IP
PublicPort int
// Listener is the secure server network listener. // Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set, // either Listener or BindAddress/BindPort/BindNetwork is set,
// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
......
...@@ -75,5 +75,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error { ...@@ -75,5 +75,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
} }
if s.PublicIP != nil {
c.PublicAddress = *s.PublicIP
}
if s.PublicPort > 0 {
c.ReadWritePort = s.PublicPort
}
return nil return nil
} }
...@@ -21,14 +21,10 @@ import ( ...@@ -21,14 +21,10 @@ import (
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/plugin/initialization" "k8s.io/apiserver/pkg/admission/plugin/initialization"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
) )
// RegisterAllAdmissionPlugins registers all admission plugins // RegisterAllAdmissionPlugins registers all admission plugins
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
lifecycle.Register(plugins) lifecycle.Register(plugins)
initialization.Register(plugins) initialization.Register(plugins)
validatingwebhook.Register(plugins)
mutatingwebhook.Register(plugins)
} }
...@@ -35,11 +35,7 @@ func (oa OpenAPI) Install(c *restful.Container, mux *mux.PathRecorderMux) { ...@@ -35,11 +35,7 @@ func (oa OpenAPI) Install(c *restful.Container, mux *mux.PathRecorderMux) {
// NOTE: [DEPRECATION] We will announce deprecation for format-separated endpoints for OpenAPI spec, // NOTE: [DEPRECATION] We will announce deprecation for format-separated endpoints for OpenAPI spec,
// and switch to a single /openapi/v2 endpoint in Kubernetes 1.10. The design doc and deprecation process // and switch to a single /openapi/v2 endpoint in Kubernetes 1.10. The design doc and deprecation process
// are tracked at: https://docs.google.com/document/d/19lEqE9lc4yHJ3WJAJxS_G7TcORIJXGHyq3wpwcH28nU. // are tracked at: https://docs.google.com/document/d/19lEqE9lc4yHJ3WJAJxS_G7TcORIJXGHyq3wpwcH28nU.
_, err := handler.BuildAndRegisterOpenAPIService("/swagger.json", c.RegisteredWebServices(), oa.Config, mux) _, err := handler.BuildAndRegisterOpenAPIVersionedService("/openapi/v2", c.RegisteredWebServices(), oa.Config, mux)
if err != nil {
glog.Fatalf("Failed to register open api spec for root: %v", err)
}
_, err = handler.BuildAndRegisterOpenAPIVersionedService("/openapi/v2", c.RegisteredWebServices(), oa.Config, mux)
if err != nil { if err != nil {
glog.Fatalf("Failed to register versioned open api spec for root: %v", err) glog.Fatalf("Failed to register versioned open api spec for root: %v", err)
} }
......
...@@ -25,8 +25,7 @@ import ( ...@@ -25,8 +25,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/serializer/recognizer" "k8s.io/apimachinery/pkg/runtime/serializer/recognizer"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
"github.com/golang/glog" )
)
// StorageCodecConfig are the arguments passed to newStorageCodecFn // StorageCodecConfig are the arguments passed to newStorageCodecFn
type StorageCodecConfig struct { type StorageCodecConfig struct {
...@@ -48,11 +47,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) { ...@@ -48,11 +47,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) {
return nil, fmt.Errorf("%q is not a valid mime-type", opts.StorageMediaType) return nil, fmt.Errorf("%q is not a valid mime-type", opts.StorageMediaType)
} }
if opts.Config.Type == storagebackend.StorageTypeETCD2 && mediaType != "application/json" {
glog.Warningf(`storage type %q does not support media type %q, using "application/json"`, storagebackend.StorageTypeETCD2, mediaType)
mediaType = "application/json"
}
serializer, ok := runtime.SerializerInfoForMediaType(opts.StorageSerializer.SupportedMediaTypes(), mediaType) serializer, ok := runtime.SerializerInfoForMediaType(opts.StorageSerializer.SupportedMediaTypes(), mediaType)
if !ok { if !ok {
return nil, fmt.Errorf("unable to find serializer for %q", mediaType) return nil, fmt.Errorf("unable to find serializer for %q", mediaType)
...@@ -60,11 +54,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) { ...@@ -60,11 +54,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) {
s := serializer.Serializer s := serializer.Serializer
// make sure the selected encoder supports string data
if !serializer.EncodesAsText && opts.Config.Type == storagebackend.StorageTypeETCD2 {
return nil, fmt.Errorf("storage type %q does not support binary media type %q", storagebackend.StorageTypeETCD2, mediaType)
}
// Give callers the opportunity to wrap encoders and decoders. For decoders, each returned decoder will // Give callers the opportunity to wrap encoders and decoders. For decoders, each returned decoder will
// be passed to the recognizer so that multiple decoders are available. // be passed to the recognizer so that multiple decoders are available.
var encoder runtime.Encoder = s var encoder runtime.Encoder = s
......
...@@ -25,7 +25,6 @@ import ( ...@@ -25,7 +25,6 @@ import (
const ( const (
StorageTypeUnset = "" StorageTypeUnset = ""
StorageTypeETCD2 = "etcd2"
StorageTypeETCD3 = "etcd3" StorageTypeETCD3 = "etcd3"
DefaultCompactInterval = 5 * time.Minute DefaultCompactInterval = 5 * time.Minute
......
...@@ -29,8 +29,6 @@ type DestroyFunc func() ...@@ -29,8 +29,6 @@ type DestroyFunc func()
// Create creates a storage backend based on given config. // Create creates a storage backend based on given config.
func Create(c storagebackend.Config) (storage.Interface, DestroyFunc, error) { func Create(c storagebackend.Config) (storage.Interface, DestroyFunc, error) {
switch c.Type { switch c.Type {
case storagebackend.StorageTypeETCD2:
return newETCD2Storage(c)
case storagebackend.StorageTypeUnset, storagebackend.StorageTypeETCD3: case storagebackend.StorageTypeUnset, storagebackend.StorageTypeETCD3:
// TODO: We have the following features to implement: // TODO: We have the following features to implement:
// - Support secure connection by using key, cert, and CA files. // - Support secure connection by using key, cert, and CA files.
......
...@@ -79,8 +79,8 @@ func (t *Trace) logWithStepThreshold(stepThreshold time.Duration) { ...@@ -79,8 +79,8 @@ func (t *Trace) logWithStepThreshold(stepThreshold time.Duration) {
func (t *Trace) LogIfLong(threshold time.Duration) { func (t *Trace) LogIfLong(threshold time.Duration) {
if time.Since(t.startTime) >= threshold { if time.Since(t.startTime) >= threshold {
// if any step took more than it's share of the total allowed time, it deserves a higher log level // if any step took more than it's share of the total allowed time, it deserves a higher log level
stepThreshold := threshold / time.Duration(len(t.steps)+1) //stepThreshold := threshold / time.Duration(len(t.steps)+1)
t.logWithStepThreshold(stepThreshold) t.logWithStepThreshold(0)
} }
} }
......
...@@ -21,5 +21,4 @@ import ( ...@@ -21,5 +21,4 @@ import (
_ "k8s.io/client-go/plugin/pkg/client/auth/azure" _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc" _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
) )
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment