multus: add admission controller

bindata/network/multus/admission-controller.yaml

@@ -0,0 +1,207 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: net-attach-def-admission-controller-sa
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: net-attach-def-admission-controller-sa-secret
+  namespace: kube-system
+  annotations:
+    kubernetes.io/service-account.name: net-attach-def-admission-controller-sa
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: net-attach-def-admission-controller
+rules:
+- apiGroups:
+  - ""
+  - k8s.cni.cncf.io
+  resources:
+  - pods
+  - network-attachment-definitions
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: net-attach-def-admission-controller-certificates
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  - certificatesigningrequests/approval
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: net-attach-def-admission-controller-secrets
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: net-attach-def-admission-controller-webhook-configs
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: net-attach-def-admission-controller-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: net-attach-def-admission-controller-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: net-attach-def-admission-controller
+subjects:
+- kind: ServiceAccount
+  name: net-attach-def-admission-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: net-attach-def-admission-controller-certificates-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: net-attach-def-admission-controller-certificates
+subjects:
+- kind: ServiceAccount
+  name: net-attach-def-admission-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: net-attach-def-admission-controller-secrets-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: net-attach-def-admission-controller-secrets
+subjects:
+- kind: ServiceAccount
+  name: net-attach-def-admission-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: net-attach-def-admission-controller-webhook-configs-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: net-attach-def-admission-controller-webhook-configs
+subjects:
+- kind: ServiceAccount
+  name: net-attach-def-admission-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: net-attach-def-admission-controller-service-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: net-attach-def-admission-controller-service
+subjects:
+- kind: ServiceAccount
+  name: net-attach-def-admission-controller-sa
+  namespace: kube-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app: net-attach-def-admission-controller
+  name: install-net-attach-def-admission-controller
+  namespace: kube-system
+spec:
+  template:
+    spec:
+      serviceAccount: net-attach-def-admission-controller-sa
+      containers:
+      - name: install-net-attach-def-admission-controller-deps
+        image: nfvpe/net-attach-def-admission-controller:snapshot
+        command:
+        - installer
+        args:
+        - -namespace=kube-system
+        - -alsologtostderr
+        imagePullPolicy: IfNotPresent
+      restartPolicy: Never
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: net-attach-def-admission-controller
+  name: net-attach-def-admission-controller-server
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: net-attach-def-admission-controller
+  template:
+    metadata:
+      labels:
+        app: net-attach-def-admission-controller
+    spec:
+      containers:
+      - name: net-attach-def-admission-controller
+        image: {{.NADAdmissionControllerImage}}
+        command:
+        - webhook
+        args:
+        - -bind-address=0.0.0.0
+        - -port=443
+        - -tls-private-key-file=/webhook/tls/key.pem
+        - -tls-cert-file=/webhook/tls/cert.pem
+        - -alsologtostderr=true
+        volumeMounts:
+        - mountPath: /webhook/tls
+          name: net-attach-def-admission-controller-secret
+          readOnly: True
+        imagePullPolicy: IfNotPresent
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      restartPolicy: Always
+      volumes:
+      - name: net-attach-def-admission-controller-secret
+        secret:
+          secretName: net-attach-def-admission-controller-secret
+

manifests/0000_07_cluster-network-operator_03_daemonset.yaml

@@ -34,6 +34,8 @@ spec:
           value: "docker.io/openshift/origin-hypershift:v4.0.0"
         - name: MULTUS_IMAGE
           value: "docker.io/nfvpe/multus:snapshot"
+        - name: NAD_ADMISSION_CONTROLLER_IMAGE
+          value: "nfvpe/net-attach-def-admission-controller:snapshot"
         - name: POD_NAME
           valueFrom:
             fieldRef:

pkg/network/multus.go

@@ -15,6 +15,7 @@ func renderMultusConfig(manifestDir string) ([]*uns.Unstructured, error) {
 	// render the manifests on disk
 	data := render.MakeRenderData()
 	data.Data["MultusImage"] = os.Getenv("MULTUS_IMAGE")
+	data.Data["NADAdmissionControllerImage"] = os.Getenv("NAD_ADMISSION_CONTROLLER_IMAGE")
 
 	manifests, err := render.RenderDir(filepath.Join(manifestDir, "network/multus"), &data)
 	if err != nil {

pkg/network/multus_test.go

@@ -52,13 +52,27 @@ func TestRenderMultus(t *testing.T) {
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "multus", "multus")))
 
 	// It's important that the namespace is first
-	g.Expect(len(objs)).To(Equal(6))
+	g.Expect(len(objs)).To(Equal(20))
 	g.Expect(objs[0]).To(HaveKubernetesID("CustomResourceDefinition", "", "network-attachment-definitions.k8s.cni.cncf.io"))
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("Namespace", "", "multus")))
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "multus")))
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("ServiceAccount", "multus", "multus")))
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "multus")))
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "multus", "multus")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("Job", "kube-system", "install-net-attach-def-admission-controller")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ServiceAccount", "kube-system", "net-attach-def-admission-controller-sa")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("Secret", "kube-system", "net-attach-def-admission-controller-sa-secret")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "net-attach-def-admission-controller")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "net-attach-def-admission-controller-certificates")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "net-attach-def-admission-controller-secrets")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "net-attach-def-admission-controller-webhook-configs")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "net-attach-def-admission-controller-service")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "net-attach-def-admission-controller-role-binding")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "net-attach-def-admission-controller-certificates-role-binding")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "net-attach-def-admission-controller-secrets-role-binding")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "net-attach-def-admission-controller-webhook-configs-role-binding")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRoleBinding", "", "net-attach-def-admission-controller-service-role-binding")))
+	g.Expect(objs).To(ContainElement(HaveKubernetesID("Deployment", "kube-system", "net-attach-def-admission-controller-server")))
 
 	// make sure all deployments are in the master
 	for _, obj := range objs {