added infra namespace to PV recycler

UPGRADE.md

@@ -90,3 +90,4 @@ references:
 
 1.  The existing docker registry images will not be able to support auto-provisioning of image streams based on docker pushes against new API servers.
   Upgrade your docker registry image to make auto-provisioning work again.
+1. New service accounts specific to the PersistentVolume operations of binding, recycling, and provisioning were added.  Run `oadm policy reconcile-sccs --confirm` to update your SecurityContextConstraints.

pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go

@@ -251,10 +251,10 @@ func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[strin
 	}
 
 	buildControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraBuildControllerServiceAccountName)
-	pvControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraPersistentVolumeBinderControllerServiceAccountName)
+	pvRecyclerControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraPersistentVolumeRecyclerControllerServiceAccountName)
 	users := map[string][]string{
 		SecurityContextConstraintPrivileged:         {buildControllerUsername},
-		SecurityContextConstraintHostMountAndAnyUID: {pvControllerUsername},
+		SecurityContextConstraintHostMountAndAnyUID: {pvRecyclerControllerUsername},
 	}
 	return groups, users
 }

pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go

@@ -69,10 +69,10 @@ func getExpectedAccess() (map[string][]string, map[string][]string) {
 	}
 
 	buildControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraBuildControllerServiceAccountName)
-	pvControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraPersistentVolumeBinderControllerServiceAccountName)
+	pvRecyclerControllerUsername := serviceaccount.MakeUsername(DefaultOpenShiftInfraNamespace, InfraPersistentVolumeRecyclerControllerServiceAccountName)
 	users := map[string][]string{
 		SecurityContextConstraintPrivileged:         {buildControllerUsername},
-		SecurityContextConstraintHostMountAndAnyUID: {pvControllerUsername},
+		SecurityContextConstraintHostMountAndAnyUID: {pvRecyclerControllerUsername},
 	}
 	return groups, users
 }

pkg/cmd/server/kubernetes/master.go

@@ -116,9 +116,10 @@ func (c *MasterConfig) RunPersistentVolumeProvisioner(client *client.Client) {
 	}
 }
 
-func (c *MasterConfig) RunPersistentVolumeClaimRecycler(recyclerImageName string, client *client.Client) {
+func (c *MasterConfig) RunPersistentVolumeClaimRecycler(recyclerImageName string, client *client.Client, namespace string) {
 	uid := int64(0)
 	defaultScrubPod := volume.NewPersistentVolumeRecyclerPodTemplate()
+	defaultScrubPod.Namespace = namespace
 	defaultScrubPod.Spec.Containers[0].Image = recyclerImageName
 	defaultScrubPod.Spec.Containers[0].Command = []string{"/usr/bin/recycle"}
 	defaultScrubPod.Spec.Containers[0].Args = []string{"/scrub"}

pkg/cmd/server/start/start_master.go

@@ -565,7 +565,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 		kc.RunNamespaceController()
 		kc.RunPersistentVolumeClaimBinder(binderClient)
 		kc.RunPersistentVolumeProvisioner(provisionerClient)
-		kc.RunPersistentVolumeClaimRecycler(oc.ImageFor("recycler"), recyclerClient)
+		kc.RunPersistentVolumeClaimRecycler(oc.ImageFor("recycler"), recyclerClient, oc.Options.PolicyConfig.OpenShiftInfrastructureNamespace)
 
 		glog.Infof("Started Kubernetes Controllers")
 	}