diff --git a/assets/apps/0000_50_cluster_policy_controller_deploy.yaml b/assets/apps/0000_50_cluster_policy_controller_deploy.yaml
new file mode 100644
index 0000000000..fa089e6903
--- /dev/null
+++ b/assets/apps/0000_50_cluster_policy_controller_deploy.yaml
@@ -0,0 +1,91 @@ +# static pod container cluster-policy-controller +# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/pod.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller +spec: + replicas: 1 + selector: + matchLabels: + app: openshift-cluster-policy-controller + template: + metadata: + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller + spec: + serviceAccountName: openshift-cluster-policy-controller-sa + containers: + - name: cluster-policy-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ .ReleaseImage.cluster_policy_controller }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + command: ["/bin/bash", "-euxo", "pipefail", "-c"] + args: + - | + timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done' + exec cluster-policy-controller start --config=/var/run/config/config.yaml + resources: + requests: + memory: 200Mi + cpu: 10m + ports: + - containerPort: 10357 + volumeMounts: + - mountPath: /var/run/kubeadmin + name: kubeconfig-dir + - mountPath: /var/run/secrets + name: signing-key + - mountPath: /var/run/configmaps/signing-cabundle + name: signing-cabundle + - mountPath: /var/run/config + name: config + startupProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 0 + timeoutSeconds: 3 + livenessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 45 + timeoutSeconds: 10 + readinessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + hostNetwork: true + 
priorityClassName: system-node-critical + volumes: + - name: kubeconfig-dir + hostPath: + path: {{.KubeConfigDir}} + - name: signing-key + hostPath: + path: {{.KeyDir}} + - name: config + hostPath: + path: {{.ConfigDir}} + - hostPath: + path: {{.CADir}} + name: signing-cabundle diff --git a/assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml b/assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml new file mode 100644 index 0000000000..d281830955 --- /dev/null +++ b/assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml @@ -0,0 +1,13 @@ +# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/ns.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + labels: + # set value to avoid depending on kube admission that depends on openshift apis + openshift.io/run-level: "0" + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" + name: openshift-kube-controller-manager diff --git a/assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml b/assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml new file mode 100644 index 0000000000..e9735a2cc0 --- /dev/null +++ b/assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller-sa diff --git a/assets/core/0000_50_namespace-security-allocation-controller_sa.yaml b/assets/core/0000_50_namespace-security-allocation-controller_sa.yaml new file mode 100644 index 0000000000..15d7b3717d --- /dev/null +++ b/assets/core/0000_50_namespace-security-allocation-controller_sa.yaml 
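Review bot: The hostPath volumes carrying the signing key (`{{.KeyDir}}` mounted at `/var/run/secrets`), the admin kubeconfig (`{{.KubeConfigDir}}`) and the CA bundle are mounted without `readOnly: true`, so the controller process can write back into those host directories, and the container additionally runs with `hostNetwork: true` and declares no `securityContext`. Unless the controller actually writes there, mark each of those `volumeMounts` entries read-only and add a container `securityContext` that disables privilege escalation; `readOnlyRootFilesystem` should only be enabled if the controller is confirmed not to write to its own filesystem. Separately, `serviceAccountName: openshift-cluster-policy-controller-sa` is bound to no role anywhere in this change, which is presumably fine because the controller authenticates with the mounted kubeconfig, but a one-line comment on that field saying so would stop the apparently unused SA from being read as a bug.
```yaml
        # … unchanged: name, env, image, command, args, resources, ports …
        volumeMounts:
        - mountPath: /var/run/kubeadmin
          name: kubeconfig-dir
          readOnly: true
        - mountPath: /var/run/secrets
          name: signing-key
          readOnly: true
        - mountPath: /var/run/configmaps/signing-cabundle
          name: signing-cabundle
          readOnly: true
        - mountPath: /var/run/config
          name: config
          readOnly: true
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true   # confirm the controller writes nothing to its own filesystem
        # … unchanged: startupProbe, livenessProbe, readinessProbe …
```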
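Review bot: The `openshift.io/run-level: "0"` label deserves a more specific comment than the one copied from the upstream manifest, because on OpenShift that run level presumably exempts the whole namespace from SCC admission, which looks like what allows the Deployment in this change to use `hostNetwork: true` and hostPath volumes without a privileged SCC; the same exemption then applies to anything else created in `openshift-kube-controller-manager`. Suggest replacing the label comment with `# run-level 0 exempts this namespace from SCC admission (needed for the hostNetwork/hostPath controller pod); keep only bootstrap workloads here`.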
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: openshift-infra
+ name: namespace-security-allocation-controller
diff --git a/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml b/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml
new file mode 100644
index 0000000000..800fae5a60
--- /dev/null
+++ b/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml
@@ -0,0 +1,50 @@ +# https://github.com/openshift/api/blob/release-4.8/securityinternal/v1/0000_03_securityinternal-openshift_02_rangeallocation.crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/751 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + name: rangeallocations.security.internal.openshift.io +spec: + group: security.internal.openshift.io + names: + kind: RangeAllocation + listKind: RangeAllocationList + plural: rangeallocations + singular: rangeallocation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RangeAllocation is used so we can easily expose a RangeAllocation + typed for security group This is an internal API, not intended for external + consumption. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + data: + description: data is a byte array representing the serialized state of + a range allocation. It is a bitmap with each bit set to one to represent + a range is taken. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + range: + description: range is a string representing a unique label for a range + of uids, "1000000000-2000000000/10000". + type: string + type: object + served: true + storage: true diff --git a/assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml b/assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml new file mode 100644 index 0000000000..771c439404 --- /dev/null +++ b/assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml @@ -0,0 +1,34 @@ +# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + name: namespace-security-allocation-controller +rules: +- apiGroups: + - security.openshift.io + - security.internal.openshift.io + resources: + - rangeallocations + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - update + - watch + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update diff --git a/assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml b/assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml new file mode 100644 index 0000000000..c178c1f1e0 --- /dev/null +++ b/assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml 
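Review bot: The first rule grants `create`/`get`/`update` on `rangeallocations` in both `security.openshift.io` and `security.internal.openshift.io`, but the only CRD added in this change serves `security.internal.openshift.io`; unless `security.openshift.io/rangeallocations` is served by something else in this tree, the extra apiGroup is a grant with no resource behind it and can be dropped to keep the role minimal. `metadata.annotations:` is also left as an empty key, which serializes as null, so either remove the line or give it a value. The cluster-wide `update`/`patch`/`watch` on `namespaces` is presumably what the namespace security allocation controller needs to write its range annotations; a short comment on that rule such as `# needed to write the allocated uid/group range annotations onto every namespace` would make the scope of that grant reviewable later.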
@@ -0,0 +1,13 @@ +# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: namespace-security-allocation-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: namespace-security-allocation-controller +subjects: +- kind: ServiceAccount + name: namespace-security-allocation-controller + namespace: openshift-infra diff --git a/pkg/assets/apps/bindata.go b/pkg/assets/apps/bindata.go index 87a822ae54..5e274f9bfe 100644 --- a/pkg/assets/apps/bindata.go +++ b/pkg/assets/apps/bindata.go @@ -1,6 +1,7 @@ // Package assets Code generated by go-bindata. (@generated) DO NOT EDIT. // sources: // assets/apps/0000_00_flannel-daemonset.yaml +// assets/apps/0000_50_cluster_policy_controller_deploy.yaml // assets/apps/0000_60_service-ca_05_deploy.yaml // assets/apps/0000_70_dns_01-dns-daemonset.yaml // assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml 
@@ -179,6 +180,114 @@ func assetsApps0000_00_flannelDaemonsetYaml() (*asset, error) { return a, nil } +var _assetsApps0000_50_cluster_policy_controller_deployYaml = []byte(`# static pod container cluster-policy-controller +# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/pod.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller +spec: + replicas: 1 + selector: + matchLabels: + app: openshift-cluster-policy-controller + template: + metadata: + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller + spec: + serviceAccountName: openshift-cluster-policy-controller-sa + containers: + - name: cluster-policy-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ .ReleaseImage.cluster_policy_controller }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + command: ["/bin/bash", "-euxo", "pipefail", "-c"] + args: + - | + timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done' + exec cluster-policy-controller start --config=/var/run/config/config.yaml + resources: + requests: + memory: 200Mi + cpu: 10m + ports: + - containerPort: 10357 + volumeMounts: + - mountPath: /var/run/kubeadmin + name: kubeconfig-dir + - mountPath: /var/run/secrets + name: signing-key + - mountPath: /var/run/configmaps/signing-cabundle + name: signing-cabundle + - mountPath: /var/run/config + name: config + startupProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 0 + timeoutSeconds: 3 + livenessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 45 + 
timeoutSeconds: 10 + readinessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + hostNetwork: true + priorityClassName: system-node-critical + volumes: + - name: kubeconfig-dir + hostPath: + path: {{.KubeConfigDir}} + - name: signing-key + hostPath: + path: {{.KeyDir}} + - name: config + hostPath: + path: {{.ConfigDir}} + - hostPath: + path: {{.CADir}} + name: signing-cabundle +`) + +func assetsApps0000_50_cluster_policy_controller_deployYamlBytes() ([]byte, error) { + return _assetsApps0000_50_cluster_policy_controller_deployYaml, nil +} + +func assetsApps0000_50_cluster_policy_controller_deployYaml() (*asset, error) { + bytes, err := assetsApps0000_50_cluster_policy_controller_deployYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/apps/0000_50_cluster_policy_controller_deploy.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsApps0000_60_serviceCa_05_deployYaml = []byte(`apiVersion: apps/v1 kind: Deployment metadata: 
@@ -795,12 +904,13 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/apps/0000_00_flannel-daemonset.yaml": assetsApps0000_00_flannelDaemonsetYaml, - "assets/apps/0000_60_service-ca_05_deploy.yaml": assetsApps0000_60_serviceCa_05_deployYaml, - "assets/apps/0000_70_dns_01-dns-daemonset.yaml": assetsApps0000_70_dns_01DnsDaemonsetYaml, - "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, - "assets/apps/0000_80_openshift-router-deployment.yaml": assetsApps0000_80_openshiftRouterDeploymentYaml, - "assets/apps/000_80_hostpath-provisioner-daemonset.yaml": assetsApps000_80_hostpathProvisionerDaemonsetYaml, + "assets/apps/0000_00_flannel-daemonset.yaml": assetsApps0000_00_flannelDaemonsetYaml, + "assets/apps/0000_50_cluster_policy_controller_deploy.yaml": assetsApps0000_50_cluster_policy_controller_deployYaml, + "assets/apps/0000_60_service-ca_05_deploy.yaml": assetsApps0000_60_serviceCa_05_deployYaml, + "assets/apps/0000_70_dns_01-dns-daemonset.yaml": assetsApps0000_70_dns_01DnsDaemonsetYaml, + "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, + "assets/apps/0000_80_openshift-router-deployment.yaml": assetsApps0000_80_openshiftRouterDeploymentYaml, + "assets/apps/000_80_hostpath-provisioner-daemonset.yaml": assetsApps000_80_hostpathProvisionerDaemonsetYaml, } // AssetDir returns the file names below a certain 
@@ -846,12 +956,13 @@ type bintree struct { var _bintree = &bintree{nil, map[string]*bintree{ "assets": {nil, map[string]*bintree{ "apps": {nil, map[string]*bintree{ - "0000_00_flannel-daemonset.yaml": {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}}, - "0000_60_service-ca_05_deploy.yaml": {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}}, - "0000_70_dns_01-dns-daemonset.yaml": {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}}, - "0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}}, - "0000_80_openshift-router-deployment.yaml": {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}}, - "000_80_hostpath-provisioner-daemonset.yaml": {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}}, + "0000_00_flannel-daemonset.yaml": {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}}, + "0000_50_cluster_policy_controller_deploy.yaml": {assetsApps0000_50_cluster_policy_controller_deployYaml, map[string]*bintree{}}, + "0000_60_service-ca_05_deploy.yaml": {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}}, + "0000_70_dns_01-dns-daemonset.yaml": {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}}, + "0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}}, + "0000_80_openshift-router-deployment.yaml": {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}}, + "000_80_hostpath-provisioner-daemonset.yaml": {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}}, }}, }}, }} diff --git a/pkg/assets/core/bindata.go b/pkg/assets/core/bindata.go index dfacf35ac9..6c7b3eaacd 100644 --- a/pkg/assets/core/bindata.go +++ b/pkg/assets/core/bindata.go 
@@ -2,7 +2,10 @@ // sources: // assets/core/0000_00_flannel-configmap.yaml // assets/core/0000_00_flannel-service-account.yaml +// assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml +// assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml // assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml +// assets/core/0000_50_namespace-security-allocation-controller_sa.yaml // assets/core/0000_60_service-ca_01_namespace.yaml // assets/core/0000_60_service-ca_04_configmap.yaml // assets/core/0000_60_service-ca_04_sa.yaml 
@@ -146,6 +149,58 @@ func assetsCore0000_00_flannelServiceAccountYaml() (*asset, error) { return a, nil } +var _assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYaml = []byte(`# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/ns.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + labels: + # set value to avoid depending on kube admission that depends on openshift apis + openshift.io/run-level: "0" + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" + name: openshift-kube-controller-manager +`) + +func assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYamlBytes() ([]byte, error) { + return _assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYaml, nil +} + +func assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYaml() (*asset, error) { + bytes, err := assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller-sa +`) + +func assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYamlBytes() ([]byte, error) { + return _assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYaml, nil +} + +func assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYaml() (*asset, error) { + 
bytes, err := assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml = []byte(`apiVersion: v1 kind: Namespace metadata: @@ -172,6 +227,28 @@ func assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml() (*as return a, nil } +var _assetsCore0000_50_namespaceSecurityAllocationController_saYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-infra + name: namespace-security-allocation-controller +`) + +func assetsCore0000_50_namespaceSecurityAllocationController_saYamlBytes() ([]byte, error) { + return _assetsCore0000_50_namespaceSecurityAllocationController_saYaml, nil +} + +func assetsCore0000_50_namespaceSecurityAllocationController_saYaml() (*asset, error) { + bytes, err := assetsCore0000_50_namespaceSecurityAllocationController_saYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_50_namespace-security-allocation-controller_sa.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_60_serviceCa_01_namespaceYaml = []byte(`apiVersion: v1 kind: Namespace metadata: 
@@ -690,25 +767,28 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/core/0000_00_flannel-configmap.yaml": assetsCore0000_00_flannelConfigmapYaml, - "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, - "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, - "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, - "assets/core/0000_60_service-ca_04_configmap.yaml": assetsCore0000_60_serviceCa_04_configmapYaml, - "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, - "assets/core/0000_60_service-ca_04_secret.yaml": assetsCore0000_60_serviceCa_04_secretYaml, - "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, - "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, - "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, - "assets/core/0000_70_dns_01-node-resolver-service-account.yaml": assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, - "assets/core/0000_70_dns_01-service.yaml": assetsCore0000_70_dns_01ServiceYaml, - "assets/core/0000_80_hostpath-provisioner-namespace.yaml": assetsCore0000_80_hostpathProvisionerNamespaceYaml, - "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml": assetsCore0000_80_hostpathProvisionerServiceaccountYaml, - "assets/core/0000_80_openshift-router-cm.yaml": assetsCore0000_80_openshiftRouterCmYaml, - "assets/core/0000_80_openshift-router-external-service.yaml": assetsCore0000_80_openshiftRouterExternalServiceYaml, - "assets/core/0000_80_openshift-router-namespace.yaml": assetsCore0000_80_openshiftRouterNamespaceYaml, - "assets/core/0000_80_openshift-router-service-account.yaml": 
assetsCore0000_80_openshiftRouterServiceAccountYaml, - "assets/core/0000_80_openshift-router-service.yaml": assetsCore0000_80_openshiftRouterServiceYaml, + "assets/core/0000_00_flannel-configmap.yaml": assetsCore0000_00_flannelConfigmapYaml, + "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, + "assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYaml, + "assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml": assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYaml, + "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, + "assets/core/0000_50_namespace-security-allocation-controller_sa.yaml": assetsCore0000_50_namespaceSecurityAllocationController_saYaml, + "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, + "assets/core/0000_60_service-ca_04_configmap.yaml": assetsCore0000_60_serviceCa_04_configmapYaml, + "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, + "assets/core/0000_60_service-ca_04_secret.yaml": assetsCore0000_60_serviceCa_04_secretYaml, + "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, + "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, + "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, + "assets/core/0000_70_dns_01-node-resolver-service-account.yaml": assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, + "assets/core/0000_70_dns_01-service.yaml": assetsCore0000_70_dns_01ServiceYaml, + "assets/core/0000_80_hostpath-provisioner-namespace.yaml": assetsCore0000_80_hostpathProvisionerNamespaceYaml, + "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml": 
assetsCore0000_80_hostpathProvisionerServiceaccountYaml, + "assets/core/0000_80_openshift-router-cm.yaml": assetsCore0000_80_openshiftRouterCmYaml, + "assets/core/0000_80_openshift-router-external-service.yaml": assetsCore0000_80_openshiftRouterExternalServiceYaml, + "assets/core/0000_80_openshift-router-namespace.yaml": assetsCore0000_80_openshiftRouterNamespaceYaml, + "assets/core/0000_80_openshift-router-service-account.yaml": assetsCore0000_80_openshiftRouterServiceAccountYaml, + "assets/core/0000_80_openshift-router-service.yaml": assetsCore0000_80_openshiftRouterServiceYaml, } // AssetDir returns the file names below a certain 
@@ -754,25 +834,28 @@ type bintree struct { var _bintree = &bintree{nil, map[string]*bintree{ "assets": {nil, map[string]*bintree{ "core": {nil, map[string]*bintree{ - "0000_00_flannel-configmap.yaml": {assetsCore0000_00_flannelConfigmapYaml, map[string]*bintree{}}, - "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}}, - "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}}, - "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_configmap.yaml": {assetsCore0000_60_serviceCa_04_configmapYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_sa.yaml": {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}}, - "0000_60_service-ca_04_secret.yaml": {assetsCore0000_60_serviceCa_04_secretYaml, map[string]*bintree{}}, - "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}}, - "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}}, - "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}}, - "0000_70_dns_01-node-resolver-service-account.yaml": {assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, map[string]*bintree{}}, - "0000_70_dns_01-service.yaml": {assetsCore0000_70_dns_01ServiceYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-namespace.yaml": {assetsCore0000_80_hostpathProvisionerNamespaceYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-serviceaccount.yaml": {assetsCore0000_80_hostpathProvisionerServiceaccountYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cm.yaml": {assetsCore0000_80_openshiftRouterCmYaml, map[string]*bintree{}}, - "0000_80_openshift-router-external-service.yaml": {assetsCore0000_80_openshiftRouterExternalServiceYaml, 
map[string]*bintree{}}, - "0000_80_openshift-router-namespace.yaml": {assetsCore0000_80_openshiftRouterNamespaceYaml, map[string]*bintree{}}, - "0000_80_openshift-router-service-account.yaml": {assetsCore0000_80_openshiftRouterServiceAccountYaml, map[string]*bintree{}}, - "0000_80_openshift-router-service.yaml": {assetsCore0000_80_openshiftRouterServiceYaml, map[string]*bintree{}}, + "0000_00_flannel-configmap.yaml": {assetsCore0000_00_flannelConfigmapYaml, map[string]*bintree{}}, + "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}}, + "0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftClusterPolicyController_00_namespaceYaml, map[string]*bintree{}}, + "0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml": {assetsCore0000_50_clusterOpenshiftClusterPolicyController_serviceAccountYaml, map[string]*bintree{}}, + "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}}, + "0000_50_namespace-security-allocation-controller_sa.yaml": {assetsCore0000_50_namespaceSecurityAllocationController_saYaml, map[string]*bintree{}}, + "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}}, + "0000_60_service-ca_04_configmap.yaml": {assetsCore0000_60_serviceCa_04_configmapYaml, map[string]*bintree{}}, + "0000_60_service-ca_04_sa.yaml": {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}}, + "0000_60_service-ca_04_secret.yaml": {assetsCore0000_60_serviceCa_04_secretYaml, map[string]*bintree{}}, + "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}}, + "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}}, + "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, 
map[string]*bintree{}}, + "0000_70_dns_01-node-resolver-service-account.yaml": {assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, map[string]*bintree{}}, + "0000_70_dns_01-service.yaml": {assetsCore0000_70_dns_01ServiceYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-namespace.yaml": {assetsCore0000_80_hostpathProvisionerNamespaceYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-serviceaccount.yaml": {assetsCore0000_80_hostpathProvisionerServiceaccountYaml, map[string]*bintree{}}, + "0000_80_openshift-router-cm.yaml": {assetsCore0000_80_openshiftRouterCmYaml, map[string]*bintree{}}, + "0000_80_openshift-router-external-service.yaml": {assetsCore0000_80_openshiftRouterExternalServiceYaml, map[string]*bintree{}}, + "0000_80_openshift-router-namespace.yaml": {assetsCore0000_80_openshiftRouterNamespaceYaml, map[string]*bintree{}}, + "0000_80_openshift-router-service-account.yaml": {assetsCore0000_80_openshiftRouterServiceAccountYaml, map[string]*bintree{}}, + "0000_80_openshift-router-service.yaml": {assetsCore0000_80_openshiftRouterServiceYaml, map[string]*bintree{}}, }}, }}, }} diff --git a/pkg/assets/crd.go b/pkg/assets/crd.go index 88f3072e4a..7f719e3527 100755 --- a/pkg/assets/crd.go +++ b/pkg/assets/crd.go @@ -34,6 +34,7 @@ var ( apiExtensionsCodecs = serializer.NewCodecFactory(apiExtensionsScheme) crds = []string{ "assets/crd/0000_03_security-openshift_01_scc.crd.yaml", + "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml", "assets/crd/0000_11_imageregistry-configs.crd.yaml", "assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml", "assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml", diff --git a/pkg/assets/crd/bindata.go b/pkg/assets/crd/bindata.go index 7c6bd0dbe3..34db7b4043 100644 --- a/pkg/assets/crd/bindata.go +++ b/pkg/assets/crd/bindata.go 
@@ -4,6 +4,7 @@ // assets/crd/0000_03_config-operator_01_proxy.crd.yaml // assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml // assets/crd/0000_03_security-openshift_01_scc.crd.yaml +// assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml // assets/crd/0000_10_config-operator_01_build.crd.yaml // assets/crd/0000_10_config-operator_01_featuregate.crd.yaml // assets/crd/0000_10_config-operator_01_image.crd.yaml 
@@ -1067,6 +1068,73 @@ func assetsCrd0000_03_securityOpenshift_01_sccCrdYaml() (*asset, error) { return a, nil } +var _assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml = []byte(`# https://github.com/openshift/api/blob/release-4.8/securityinternal/v1/0000_03_securityinternal-openshift_02_rangeallocation.crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/751 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + name: rangeallocations.security.internal.openshift.io +spec: + group: security.internal.openshift.io + names: + kind: RangeAllocation + listKind: RangeAllocationList + plural: rangeallocations + singular: rangeallocation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RangeAllocation is used so we can easily expose a RangeAllocation + typed for security group This is an internal API, not intended for external + consumption. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + data: + description: data is a byte array representing the serialized state of + a range allocation. It is a bitmap with each bit set to one to represent + a range is taken. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + range: + description: range is a string representing a unique label for a range + of uids, "1000000000-2000000000/10000". + type: string + type: object + served: true + storage: true +`) + +func assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYamlBytes() ([]byte, error) { + return _assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, nil +} + +func assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml() (*asset, error) { + bytes, err := assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCrd0000_10_configOperator_01_buildCrdYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -3487,6 +3555,7 @@ var _bindata = map[string]func() (*asset, error){ "assets/crd/0000_03_config-operator_01_proxy.crd.yaml": assetsCrd0000_03_configOperator_01_proxyCrdYaml, "assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml": assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml, "assets/crd/0000_03_security-openshift_01_scc.crd.yaml": assetsCrd0000_03_securityOpenshift_01_sccCrdYaml, + "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml": assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, "assets/crd/0000_10_config-operator_01_build.crd.yaml": assetsCrd0000_10_configOperator_01_buildCrdYaml, "assets/crd/0000_10_config-operator_01_featuregate.crd.yaml": assetsCrd0000_10_configOperator_01_featuregateCrdYaml, "assets/crd/0000_10_config-operator_01_image.crd.yaml": assetsCrd0000_10_configOperator_01_imageCrdYaml, @@ -3541,6 +3610,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "0000_03_config-operator_01_proxy.crd.yaml": {assetsCrd0000_03_configOperator_01_proxyCrdYaml, map[string]*bintree{}}, "0000_03_quota-openshift_01_clusterresourcequota.crd.yaml": {assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml, map[string]*bintree{}}, "0000_03_security-openshift_01_scc.crd.yaml": {assetsCrd0000_03_securityOpenshift_01_sccCrdYaml, map[string]*bintree{}}, + "0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml": {assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_build.crd.yaml": {assetsCrd0000_10_configOperator_01_buildCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_featuregate.crd.yaml": {assetsCrd0000_10_configOperator_01_featuregateCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_image.crd.yaml": {assetsCrd0000_10_configOperator_01_imageCrdYaml, map[string]*bintree{}}, diff --git a/pkg/assets/rbac/bindata.go b/pkg/assets/rbac/bindata.go index 6f5979161a..555c2a9d24 100644 
--- a/pkg/assets/rbac/bindata.go +++ b/pkg/assets/rbac/bindata.go @@ -3,6 +3,8 @@ // assets/rbac/0000_00_flannel-clusterrole.yaml // assets/rbac/0000_00_flannel-clusterrolebinding.yaml // assets/rbac/0000_00_podsecuritypolicy-flannel.yaml +// assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml +// assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml // assets/rbac/0000_60_service-ca_00_clusterrole.yaml // assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml // assets/rbac/0000_60_service-ca_00_role.yaml 
@@ -200,6 +202,87 @@ func assetsRbac0000_00_podsecuritypolicyFlannelYaml() (*asset, error) { return a, nil } +var _assetsRbac0000_50_clusterPolicyController_clusterroleYaml = []byte(`# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + name: namespace-security-allocation-controller +rules: +- apiGroups: + - security.openshift.io + - security.internal.openshift.io + resources: + - rangeallocations + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - update + - watch + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +`) + +func assetsRbac0000_50_clusterPolicyController_clusterroleYamlBytes() ([]byte, error) { + return _assetsRbac0000_50_clusterPolicyController_clusterroleYaml, nil +} + +func assetsRbac0000_50_clusterPolicyController_clusterroleYaml() (*asset, error) { + bytes, err := assetsRbac0000_50_clusterPolicyController_clusterroleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsRbac0000_50_clusterPolicyController_clusterrolebindingYaml = []byte(`# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: namespace-security-allocation-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: namespace-security-allocation-controller +subjects: +- kind: 
ServiceAccount + name: namespace-security-allocation-controller + namespace: openshift-infra +`) + +func assetsRbac0000_50_clusterPolicyController_clusterrolebindingYamlBytes() ([]byte, error) { + return _assetsRbac0000_50_clusterPolicyController_clusterrolebindingYaml, nil +} + +func assetsRbac0000_50_clusterPolicyController_clusterrolebindingYaml() (*asset, error) { + bytes, err := assetsRbac0000_50_clusterPolicyController_clusterrolebindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsRbac0000_60_serviceCa_00_clusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -712,19 +795,21 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/rbac/0000_00_flannel-clusterrole.yaml": assetsRbac0000_00_flannelClusterroleYaml, - "assets/rbac/0000_00_flannel-clusterrolebinding.yaml": assetsRbac0000_00_flannelClusterrolebindingYaml, - "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml": assetsRbac0000_00_podsecuritypolicyFlannelYaml, - "assets/rbac/0000_60_service-ca_00_clusterrole.yaml": assetsRbac0000_60_serviceCa_00_clusterroleYaml, - "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml": assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, - "assets/rbac/0000_60_service-ca_00_role.yaml": assetsRbac0000_60_serviceCa_00_roleYaml, - "assets/rbac/0000_60_service-ca_00_rolebinding.yaml": assetsRbac0000_60_serviceCa_00_rolebindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml": assetsRbac0000_70_dns_01ClusterRoleBindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role.yaml": assetsRbac0000_70_dns_01ClusterRoleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml": assetsRbac0000_80_hostpathProvisionerClusterroleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml": assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml": assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role.yaml": assetsRbac0000_80_openshiftRouterClusterRoleYaml, + "assets/rbac/0000_00_flannel-clusterrole.yaml": assetsRbac0000_00_flannelClusterroleYaml, + "assets/rbac/0000_00_flannel-clusterrolebinding.yaml": assetsRbac0000_00_flannelClusterrolebindingYaml, + "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml": assetsRbac0000_00_podsecuritypolicyFlannelYaml, + "assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml": 
assetsRbac0000_50_clusterPolicyController_clusterroleYaml, + "assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml": assetsRbac0000_50_clusterPolicyController_clusterrolebindingYaml, + "assets/rbac/0000_60_service-ca_00_clusterrole.yaml": assetsRbac0000_60_serviceCa_00_clusterroleYaml, + "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml": assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, + "assets/rbac/0000_60_service-ca_00_role.yaml": assetsRbac0000_60_serviceCa_00_roleYaml, + "assets/rbac/0000_60_service-ca_00_rolebinding.yaml": assetsRbac0000_60_serviceCa_00_rolebindingYaml, + "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml": assetsRbac0000_70_dns_01ClusterRoleBindingYaml, + "assets/rbac/0000_70_dns_01-cluster-role.yaml": assetsRbac0000_70_dns_01ClusterRoleYaml, + "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml": assetsRbac0000_80_hostpathProvisionerClusterroleYaml, + "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml": assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, + "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml": assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, + "assets/rbac/0000_80_openshift-router-cluster-role.yaml": assetsRbac0000_80_openshiftRouterClusterRoleYaml, } // AssetDir returns the file names below a certain 
@@ -770,19 +855,21 @@ type bintree struct { var _bintree = &bintree{nil, map[string]*bintree{ "assets": {nil, map[string]*bintree{ "rbac": {nil, map[string]*bintree{ - "0000_00_flannel-clusterrole.yaml": {assetsRbac0000_00_flannelClusterroleYaml, map[string]*bintree{}}, - "0000_00_flannel-clusterrolebinding.yaml": {assetsRbac0000_00_flannelClusterrolebindingYaml, map[string]*bintree{}}, - "0000_00_podsecuritypolicy-flannel.yaml": {assetsRbac0000_00_podsecuritypolicyFlannelYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrole.yaml": {assetsRbac0000_60_serviceCa_00_clusterroleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrolebinding.yaml": {assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_role.yaml": {assetsRbac0000_60_serviceCa_00_roleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_rolebinding.yaml": {assetsRbac0000_60_serviceCa_00_rolebindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role-binding.yaml": {assetsRbac0000_70_dns_01ClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role.yaml": {assetsRbac0000_70_dns_01ClusterRoleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrole.yaml": {assetsRbac0000_80_hostpathProvisionerClusterroleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrolebinding.yaml": {assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role-binding.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleYaml, map[string]*bintree{}}, + "0000_00_flannel-clusterrole.yaml": {assetsRbac0000_00_flannelClusterroleYaml, map[string]*bintree{}}, + "0000_00_flannel-clusterrolebinding.yaml": {assetsRbac0000_00_flannelClusterrolebindingYaml, map[string]*bintree{}}, + 
"0000_00_podsecuritypolicy-flannel.yaml": {assetsRbac0000_00_podsecuritypolicyFlannelYaml, map[string]*bintree{}}, + "0000_50_cluster-policy-controller_clusterrole.yaml": {assetsRbac0000_50_clusterPolicyController_clusterroleYaml, map[string]*bintree{}}, + "0000_50_cluster-policy-controller_clusterrolebinding.yaml": {assetsRbac0000_50_clusterPolicyController_clusterrolebindingYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_clusterrole.yaml": {assetsRbac0000_60_serviceCa_00_clusterroleYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_clusterrolebinding.yaml": {assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_role.yaml": {assetsRbac0000_60_serviceCa_00_roleYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_rolebinding.yaml": {assetsRbac0000_60_serviceCa_00_rolebindingYaml, map[string]*bintree{}}, + "0000_70_dns_01-cluster-role-binding.yaml": {assetsRbac0000_70_dns_01ClusterRoleBindingYaml, map[string]*bintree{}}, + "0000_70_dns_01-cluster-role.yaml": {assetsRbac0000_70_dns_01ClusterRoleYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-clusterrole.yaml": {assetsRbac0000_80_hostpathProvisionerClusterroleYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-clusterrolebinding.yaml": {assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, + "0000_80_openshift-router-cluster-role-binding.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, + "0000_80_openshift-router-cluster-role.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleYaml, map[string]*bintree{}}, }}, }}, }} diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index 12c6961e96..eaa24d4ec8 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go 
@@ -139,6 +139,12 @@ func initCerts(cfg *config.MicroshiftConfig) error { "openshift-oauth-apiserver.svc", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}); err != nil { return err } + if err := util.GenCerts("openshift-cluster-policy-controller", cfg.DataDir+"/resources/openshift-cluster-policy-controller/secrets", + "tls.crt", "tls.key", + []string{"openshift-cluster-policy-controller", cfg.NodeName, cfg.NodeIP, "127.0.0.1", "kubernetes.default.svc", "kubernetes.default", + "kubernetes", "localhost"}); err != nil { + return err + } return nil } diff --git a/pkg/components/components.go b/pkg/components/components.go index 5bd937fd20..3a8c5101fc 100755 --- a/pkg/components/components.go +++ b/pkg/components/components.go @@ -20,10 +20,17 @@ func StartComponents(cfg *config.MicroshiftConfig) error { logrus.Warningf("failed to start ingress router controller: %v", err) return err } + if err := startDNSController(cfg, cfg.DataDir+"/resources/kubeadmin/kubeconfig"); err != nil { logrus.Warningf("failed to start DNS controller: %v", err) return err } + + if err := startClusterPolicyController(cfg, cfg.DataDir+"/resources/kubeadmin/kubeconfig"); err != nil { + logrus.Warningf("failed to start openshift-cluster-policy controller: %v", err) + return err + } + if err := startFlannel(cfg.DataDir + "/resources/kubeadmin/kubeconfig"); err != nil { logrus.Warningf("failed to start Flannel: %v", err) return err diff --git a/pkg/components/controllers.go b/pkg/components/controllers.go index 75c1244a7b..6f5f0a54f4 100644 --- a/pkg/components/controllers.go +++ b/pkg/components/controllers.go @@ -1,7 +1,9 @@ package components import ( + "io/ioutil" "os" + "path/filepath" "github.com/openshift/microshift/pkg/assets" "github.com/openshift/microshift/pkg/config" 
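Review bot: The added GenCerts call issues the cluster-policy-controller serving certificate with the SANs `kubernetes.default.svc`, `kubernetes.default` and `kubernetes`, which name the API server rather than this controller; a key that only needs to serve the controller's own endpoint (bound to 10357 in writeConfig later in this commit) is thereby also valid for the API server's identity to any client that trusts the same CA. Unless clients actually reach the controller under those names, trim the list to `[]string{"openshift-cluster-policy-controller", cfg.NodeName, cfg.NodeIP, "127.0.0.1", "localhost"}`; if the wide list is deliberate to mirror the preceding GenCerts call, a comment saying so would stop the next reader from "fixing" it. The secrets path is built by string concatenation; `filepath.Join(cfg.DataDir, "resources", "openshift-cluster-policy-controller", "secrets")` would match how writeConfig builds its path in this same commit. initCerts begins outside the hunk.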
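Review bot: The new startClusterPolicyController call in StartComponents repeats the literal `cfg.DataDir+"/resources/kubeadmin/kubeconfig"` that the surrounding calls already spell out, so a later change to that location has to touch every call; hoisting it once at the top of the function, `kubeconfigPath := filepath.Join(cfg.DataDir, "resources", "kubeadmin", "kubeconfig")`, would keep the callers in step. The warning text `"failed to start openshift-cluster-policy controller: %v"` also differs from the component's name as used everywhere else in the commit (`openshift-cluster-policy-controller`), which makes log grepping harder. StartComponents begins and ends outside the hunk.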
@@ -9,6 +11,53 @@ import ( "github.com/sirupsen/logrus" ) +func startClusterPolicyController(cfg *config.MicroshiftConfig, kubeconfigPath string) error { + if err := writeConfig(cfg); err != nil { + logrus.Fatalf("Failed to write openshift-cluster-policy-controller config: %v", err) + } + + var ( + clusterRole = []string{ + "assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml", + } + clusterRoleBinding = []string{ + "assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml", + } + apps = []string{ + "assets/apps/0000_50_cluster_policy_controller_deploy.yaml", + } + ns = []string{ + "assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml", + } + sa = []string{ + "assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml", + "assets/core/0000_50_namespace-security-allocation-controller_sa.yaml", + } + ) + if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply ns %v: %v", ns, err) + return err + } + if err := assets.ApplyClusterRoles(clusterRole, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply clusterRolebinding %v: %v", clusterRole, err) + return err + } + if err := assets.ApplyClusterRoleBindings(clusterRoleBinding, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply clusterRolebinding %v: %v", clusterRoleBinding, err) + return err + } + if err := assets.ApplyServiceAccounts(sa, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply sa %v: %v", sa, err) + return err + } + if err := assets.ApplyDeployments(apps, renderClusterPolicyController, assets.RenderParams{"DataDir": cfg.DataDir}, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply apps %v: %v", apps, err) + return err + } + + return nil +} + func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath string) error { var ( //TODO: fix the rolebinding and sa 
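Review bot: In startClusterPolicyController a writeConfig failure is handled with `logrus.Fatalf`, which terminates the whole process, while every other failure in the same function is logged at warning level and returned to the caller; the first branch should follow the same contract, `logrus.Warningf("failed to write openshift-cluster-policy-controller config: %v", err)` followed by `return err`, so that StartComponents decides what a component failure means. The warning emitted when ApplyClusterRoles fails reads `"failed to apply clusterRolebinding %v: %v"`, a copy of the next branch's message, and will point an operator at the wrong object; it should say `clusterRole`. The function is complete within the hunk; the trailing context lines belong to startServiceCAController.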
@@ -217,3 +266,19 @@ func startDNSController(cfg *config.MicroshiftConfig, kubeconfigPath string) err } return nil } + +func writeConfig(cfg *config.MicroshiftConfig) error { + data := []byte(`apiVersion: openshiftcontrolplane.config.openshift.io/v1 +kind: OpenShiftControllerManagerConfig +kubeClientConfig: + kubeConfig: /var/run/kubeadmin/kubeconfig +servingInfo: + bindAddress: "0.0.0.0:10357" + certFile: /var/run/secrets/tls.crt + keyFile: /var/run/secrets/tls.key + clientCA: /var/run/configmaps/signing-cabundle/ca-bundle.crt`) + + path := filepath.Join(cfg.DataDir, "resources", "openshift-cluster-policy-controller", "config", "config.yaml") + os.MkdirAll(filepath.Dir(path), os.FileMode(0755)) + return ioutil.WriteFile(path, data, 0644) +} diff --git a/pkg/components/render.go b/pkg/components/render.go index 86a104c59f..abee3b87cf 100755 --- a/pkg/components/render.go +++ b/pkg/components/render.go @@ -8,6 +8,26 @@ import ( "github.com/openshift/microshift/pkg/release" ) +func renderClusterPolicyController(b []byte, p assets.RenderParams) ([]byte, error) { + data := struct { + ReleaseImage assets.RenderParams + KeyDir, CADir, KubeConfigDir, ConfigDir string + }{ + ReleaseImage: release.Image, + KeyDir: p["DataDir"] + "/resources/openshift-cluster-policy-controller/secrets", + ConfigDir: p["DataDir"] + "/resources/openshift-cluster-policy-controller/config", + KubeConfigDir: p["DataDir"] + "/resources/kubeadmin", + CADir: p["DataDir"] + "/certs/ca-bundle", + } + tpl := template.Must(template.New("cpc").Parse(string(b))) + var byteBuff bytes.Buffer + + if err := tpl.Execute(&byteBuff, data); err != nil { + return nil, err + } + return byteBuff.Bytes(), nil +} + func renderServiceCAController(b []byte, p assets.RenderParams) ([]byte, error) { data := struct { ReleaseImage assets.RenderParams diff --git a/pkg/release/release.go b/pkg/release/release.go index b6951dc388..5ef9c8fdba 100644 --- a/pkg/release/release.go +++ b/pkg/release/release.go 
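Review bot: writeConfig discards the error from `os.MkdirAll`, so when the directory cannot be created the function goes on to `ioutil.WriteFile`, whose error then reports the write rather than the real cause; check it first, `if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { return err }`. If the module targets Go 1.16 or later, `ioutil.WriteFile` is deprecated and `os.WriteFile(path, data, 0644)` removes the new `io/ioutil` import added to this file; the 0644 mode is acceptable here since the rendered config holds only file paths, not key material. The generated servingInfo binds `0.0.0.0:10357`, i.e. every interface of the namespace the controller runs in; a short comment stating why a loopback bind is not sufficient would record that decision for the next reader.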
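Review bot: renderClusterPolicyController declares an error return but parses the manifest with `template.Must(...)`, so a malformed asset panics the process instead of surfacing through ApplyDeployments like every other failure on that path; replace it with `tpl, err := template.New("cpc").Parse(string(b))` and `if err != nil { return nil, err }`. The visible context suggests renderServiceCAController is written the same way, so if this is a house pattern the fix belongs in both rather than only in the new function. The four path fields are built by string concatenation on `p["DataDir"]`; `filepath.Join` would be consistent with writeConfig in the same commit.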
@@ -20,6 +20,7 @@ var Base = "4.8.0-0.okd-2021-10-10-030117" var Image = map[string]string{ "cli": "quay.io/microshift/cli:" + Base, + "cluster_policy_controller": "quay.io/microshift/cluster-policy-controller:" + Base, "coredns": "quay.io/microshift/coredns:" + Base, "haproxy_router": "quay.io/microshift/haproxy-router:" + Base, "kube_flannel": "quay.io/microshift/flannel:" + Base, diff --git a/pkg/release/release_amd64.go b/pkg/release/release_amd64.go index 2727358a2b..b55f2c680f 100644 --- a/pkg/release/release_amd64.go +++ b/pkg/release/release_amd64.go @@ -22,6 +22,7 @@ package release func init() { Image = map[string]string{ "cli": "quay.io/openshift/okd-content@sha256:27f7918b5f0444e278118b2ee054f5b6fadfc4005cf91cb78106c3f5e1833edd", + "cluster_policy_controller": "quay.io/openshift/okd-content@sha256:caf8254cbd4f3fc3e923682106a39f3bcfc62e9746ca909ed50b930e2d17a166", "coredns": "quay.io/openshift/okd-content@sha256:bcdefdbcee8af1e634e68a850c52fe1e9cb31364525e30f5b20ee4eacb93c3e8", "haproxy_router": "quay.io/openshift/okd-content@sha256:01cfbbfdc11e2cbb8856f31a65c83acc7cfbd1986c1309f58c255840efcc0b64", "kube_flannel": "quay.io/coreos/flannel:v0.14.0", diff --git a/scripts/rebase.sh b/scripts/rebase.sh index 5c9b62b3be..9520f96ce5 100755 --- a/scripts/rebase.sh +++ b/scripts/rebase.sh @@ -25,7 +25,7 @@ REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../")" STAGING_DIR="$REPOROOT/_output/staging" EMBEDDED_COMPONENTS="etcd hyperkube openshift-apiserver openshift-controller-manager" -LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator service-ca-operator" +LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator openshift-cluster-policy-controller service-ca-operator" title() {