Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/288600

Change subject: [WIP] Add 'hostautomounter' admission controller
......................................................................

[WIP] Add 'hostautomounter' admission controller

Ensures that a given set of paths is always mounted read-only
from the host the containers run on into the containers

Change-Id: I25ab0b3cdcaf5d48898fef1f6ffa64d958b0d299
---
M cmd/kube-apiserver/app/plugins.go
A plugin/pkg/admission/hostautomounter/admission.go
2 files changed, 115 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/software/kubernetes 
refs/changes/00/288600/1

diff --git a/cmd/kube-apiserver/app/plugins.go 
b/cmd/kube-apiserver/app/plugins.go
index 807c366..8174029 100644
--- a/cmd/kube-apiserver/app/plugins.go
+++ b/cmd/kube-apiserver/app/plugins.go
@@ -28,6 +28,7 @@
        _ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
        _ "k8s.io/kubernetes/plugin/pkg/admission/deny"
        _ "k8s.io/kubernetes/plugin/pkg/admission/exec"
+       _ "k8s.io/kubernetes/plugin/pkg/admission/hostautomounter"
        _ "k8s.io/kubernetes/plugin/pkg/admission/initialresources"
        _ "k8s.io/kubernetes/plugin/pkg/admission/limitranger"
        _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
diff --git a/plugin/pkg/admission/hostautomounter/admission.go 
b/plugin/pkg/admission/hostautomounter/admission.go
new file mode 100644
index 0000000..f5c3c0e
--- /dev/null
+++ b/plugin/pkg/admission/hostautomounter/admission.go
@@ -0,0 +1,114 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+Copyright 2016 Yuvi Panda <[email protected]>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package hostautomounter
+
+import (
+       "io"
+       "strings"
+
+       clientset 
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+
+       "k8s.io/kubernetes/pkg/admission"
+       "k8s.io/kubernetes/pkg/api"
+       "k8s.io/kubernetes/pkg/util/sets"
+)
+
+var (
+       hostautomounts = flag.String("host-automounts", "", "Comma separated 
list of paths that will be automatically mounted from container host to 
container")
+)
+
+func init() {
+       admission.RegisterPlugin("HostAutomounter", func(client 
clientset.Interface, config io.Reader) (admission.Interface, error) {
+               hostmountset := set.NewString(strings.split(*hostautomounts, 
",")...)
+               admission := NewHostAutomounter(client, hostmountset)
+               return admission, nil
+       })
+}
+
+type serviceAccount struct {
+       *admission.Handler
+
+       mounts sets.String
+}
+
+// NewServiceAccount returns an admission.Interface implementation which 
modifies new pods
+// to make sure they have mounted all the mounts specified in *mounts from the 
host that
+// containers are running on to the container itself.
+// As an example, this can be used to ensure that all containers mount an 
nslcd or nscd socket.
+func NewServiceAccount(cl clientset.Interface, mounts sets.String) 
*serviceAccount {
+       return &serviceAccount{
+               Handler: admission.NewHandler(admission.Create),
+               mounts:  mounts,
+       }
+}
+
+func (s *serviceAccount) Admit(a admission.Attributes) (err error) {
+       if a.GetResource() != api.Resource("pods") {
+               return nil
+       }
+       obj := a.GetObject()
+       if obj == nil {
+               return nil
+       }
+       pod, ok := obj.(*api.Pod)
+       if !ok {
+               return nil
+       }
+
+       allVolumePaths = sets.NewString()
+       for _, volume := range pod.Spec.Volumes {
+               if volume.HostPath != nil {
+                       allVolumePaths.Insert(volume.HostPath.Path)
+               }
+       }
+
+       neededVolumePaths := s.mounts.Difference(allVolumePaths)
+
+       for volumePath := range neededVolumePaths {
+               volume := api.Volume{
+                       // FIXME: Make sure this is unique somehow?
+                       Name: strings.Replace(volumePath, "/", "-", -1),
+                       VolumeSource: api.VolumeSource{
+                               HostPath: &api.HostPathVolumeSource{
+                                       Path: volumePath,
+                               },
+                       },
+               }
+               pod.Spec.Volumes = append(pod.Spec.Volumes, volume)
+       }
+
+       for i, container := range pod.Spec.Containers {
+               containerMounts := sets.NewString()
+               for _, volumeMount := range container.VolumeMounts {
+                       if volumeMount.MountPath {
+                               containerMounts.Insert(volumeMount.MountPath)
+                       }
+               }
+
+               requiredMounts := neededVolumePaths.Difference(containerMounts)
+               for mountPath := range requiredMounts {
+                       volumeMount := api.VolumeMount{
+                               Name:      strings.Replace(mountPath, "/", "-", 
-1),
+                               ReadOnly:  true,
+                               MountPath: mountPath,
+                       }
+               }
+       }
+
+       return nil
+}
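Review bot: In Admit, the container loop (L146–L163) builds each `api.VolumeMount` but never appends it, and `container` is a range copy, so no container actually receives the mount and `i` is unused (a compile error); the loop should index the slice and append, as in the fence below. The hunk also does not compile as written: `flag` is used at L75 without being imported, L83 uses `set.NewString`/`strings.split` (should be `sets.NewString`/`strings.Split`), L85 calls `NewHostAutomounter` while the constructor defined at L103 is `NewServiceAccount` (and the type name `serviceAccount` looks copied from the serviceaccount plugin), L124 assigns to an undeclared `allVolumePaths` with `=`, and L149 tests a string field as a bool (`if volumeMount.MountPath != ""`). The read-only guarantee named in the description is not actually enforced: a pod that already declares a HostPath volume for one of the configured paths is treated as satisfied at L124–L131 regardless of whether its mounts set `ReadOnly`, so a pod can still mount that path read-write; checking `ReadOnly` on existing mounts (or always forcing the plugin's own volume/mount) would close that gap. Two smaller robustness issues: `strings.Split("", ",")` yields `[""]` so an unset flag adds a HostPath volume with an empty path to every pod (filter empties when building the set), and `strings.Replace(volumePath, "/", "-", -1)` produces names starting with "-" (e.g. `-var-run-nslcd`), which pod validation will reject as a volume name, so the FIXME at L135 needs a valid-prefix, unique naming scheme.
```go
for i := range pod.Spec.Containers {
	container := &pod.Spec.Containers[i]
	containerMounts := sets.NewString()
	for _, volumeMount := range container.VolumeMounts {
		if volumeMount.MountPath != "" {
			containerMounts.Insert(volumeMount.MountPath)
		}
	}
	// … unchanged: requiredMounts := neededVolumePaths.Difference(containerMounts) …
	for mountPath := range requiredMounts {
		container.VolumeMounts = append(container.VolumeMounts, api.VolumeMount{
			Name:      strings.Replace(mountPath, "/", "-", -1),
			ReadOnly:  true,
			MountPath: mountPath,
		})
	}
}
```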

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: I25ab0b3cdcaf5d48898fef1f6ffa64d958b0d299
Gerrit-PatchSet: 1
Gerrit-Project: operations/software/kubernetes
Gerrit-Branch: master
Gerrit-Owner: Yuvipanda <[email protected]>
