Merge pull request kubernetes-retired#1066 from zonzamas/podpriority_…

…admissioncontrol Added Priority to the admissioncontrol list
iflix · Dec 26, 2017 · c0ab6f0 · c0ab6f0
2 parents ae23d78 + 09e51c4
commit c0ab6f0
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 3 deletions.
diff --git a/core/controlplane/config/config.go b/core/controlplane/config/config.go
@@ -50,6 +50,9 @@ func NewDefaultCluster() *Cluster {
 			Initializers{
 				Enabled: false,
 			},
+			Priority{
+				Enabled: false,
+			},
 		},
 		AuditLog: AuditLog{
 			Enabled: false,
@@ -529,6 +532,7 @@ type Admission struct {
 	AlwaysPullImages   AlwaysPullImages   `yaml:"alwaysPullImages"`
 	DenyEscalatingExec DenyEscalatingExec `yaml:"denyEscalatingExec"`
 	Initializers       Initializers       `yaml:"initializers"`
+	Priority           Priority           `yaml:"priority"`
 }
 
 type AlwaysPullImages struct {
@@ -547,6 +551,10 @@ type Initializers struct {
 	Enabled bool `yaml:"enabled"`
 }
 
+type Priority struct {
+	Enabled bool `yaml:"enabled"`
+}
+
 type AuditLog struct {
 	Enabled bool   `yaml:"enabled"`
 	MaxAge  int    `yaml:"maxage"`

diff --git a/core/controlplane/config/templates/cloud-config-controller b/core/controlplane/config/templates/cloud-config-controller
@@ -292,7 +292,9 @@ coreos:
         {{ if .KubeDns.NodeLocalResolver }}--cluster-dns=${COREOS_PRIVATE_IPV4} \
         {{ else }}--cluster-dns={{.DNSServiceIP}} \
         {{ end }}--cluster-domain=cluster.local \
-        --cloud-provider=aws \
+        --cloud-provider=aws \{{if .Experimental.Admission.Priority.Enabled}}
+        --feature-gates=PodPriority=true \
+        {{end}}\
         $KUBELET_OPTS
         Restart=always
         RestartSec=10
@@ -2020,7 +2022,7 @@ write_files:
           - --authentication-token-webhook-cache-ttl={{ .Experimental.Authentication.Webhook.CacheTTL }}
           {{ end }}
           - --advertise-address=$private_ipv4
-          - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass{{if .Experimental.Admission.PodSecurityPolicy.Enabled}},PodSecurityPolicy{{ end }}{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.NodeAuthorizer.Enabled}},NodeRestriction{{end}},ResourceQuota{{if .Experimental.Admission.DenyEscalatingExec.Enabled}},DenyEscalatingExec{{end}}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}}
+          - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass{{if .Experimental.Admission.PodSecurityPolicy.Enabled}},PodSecurityPolicy{{ end }}{{if .Experimental.Admission.AlwaysPullImages.Enabled}},AlwaysPullImages{{ end }}{{if .Experimental.NodeAuthorizer.Enabled}},NodeRestriction{{end}},ResourceQuota{{if .Experimental.Admission.DenyEscalatingExec.Enabled}},DenyEscalatingExec{{end}}{{if .Experimental.Admission.Initializers.Enabled}},Initializers{{end}}{{if .Experimental.Admission.Priority.Enabled}},Priority{{end}}
           - --anonymous-auth=false
           {{if .Experimental.Oidc.Enabled}}
           - --oidc-issuer-url={{.Experimental.Oidc.IssuerUrl}}
@@ -2037,7 +2039,10 @@ write_files:
           - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
           - --client-ca-file=/etc/kubernetes/ssl/ca.pem
           - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
-          - --runtime-config=extensions/v1beta1/networkpolicies=true,batch/v2alpha1=true{{if .Experimental.Admission.PodSecurityPolicy.Enabled}},extensions/v1beta1/podsecuritypolicy=true{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},admissionregistration.k8s.io/v1alpha1{{end}}
+          - --runtime-config=extensions/v1beta1/networkpolicies=true,batch/v2alpha1=true{{if .Experimental.Admission.PodSecurityPolicy.Enabled}},extensions/v1beta1/podsecuritypolicy=true{{ end }}{{if .Experimental.Admission.Initializers.Enabled}},admissionregistration.k8s.io/v1alpha1{{end}}{{if .Experimental.Admission.Priority.Enabled}},scheduling.k8s.io/v1alpha1=true{{end}}
+         {{if .Experimental.Admission.Priority.Enabled}}
+          - --feature-gates=PodPriority=true
+         {{end}}
           - --cloud-provider=aws
           {{range $f := .APIServerFlags}}
           - --{{$f.Name}}={{$f.Value}}
@@ -2204,6 +2209,9 @@ write_files:
           - scheduler
           - --master=http://127.0.0.1:8080
           - --leader-elect=true
+         {{if .Experimental.Admission.Priority.Enabled}}
+          - --feature-gates=PodPriority=true
+         {{end}}
           resources:
             requests:
               cpu: 100m

diff --git a/core/controlplane/config/templates/cluster.yaml b/core/controlplane/config/templates/cluster.yaml
@@ -546,6 +546,9 @@ worker:
 #            Description=Example Custom Service
 #            [Service]
 #            ExecStart=/bin/rkt run --set-env TAGS=Controller ...
+#      # Enable PodPriority (it only makes sense if you enabled priority admission control in experimental section)
+#      featureGates:
+#        PodPriority: true
 
 # Maximum time to wait for worker creation
 #workerCreateTimeout: PT15M
@@ -1214,6 +1217,10 @@ experimental:
       enabled: false
     initializers:
       enabled: false
+    # Priority enables PodPriority in the API server, scheduler and kubelet. you need to manually add the
+    # featureGate PodPriority:true in the worker
+    priority:
+      enabled: false
 
   # Used to provide `/etc/environment` env vars with values from arbitrary CloudFormation refs
   awsEnvironment:

diff --git a/test/integration/maincluster_test.go b/test/integration/maincluster_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -89,6 +90,9 @@ func TestMainClusterConfig(t *testing.T) {
 				DenyEscalatingExec: controlplane_config.DenyEscalatingExec{
 					Enabled: false,
 				},
+				Priority: controlplane_config.Priority{
+					Enabled: false,
+				},
 			},
 			AuditLog: controlplane_config.AuditLog{
 				Enabled: false,
@@ -1161,6 +1165,8 @@ experimental:
       enabled: true
     alwaysPullImages:
       enabled: true
+    priority:
+      enabled: true
   auditLog:
     enabled: true
     maxage: 100
@@ -1227,6 +1233,9 @@ worker:
 							DenyEscalatingExec: controlplane_config.DenyEscalatingExec{
 								Enabled: true,
 							},
+							Priority: controlplane_config.Priority{
+								Enabled: true,
+							},
 						},
 						AuditLog: controlplane_config.AuditLog{
 							Enabled: true,
@@ -1297,10 +1306,28 @@ worker:
 					if reflect.DeepEqual(expected, p.Experimental) {
 						t.Errorf("experimental settings shouldn't be inherited to a node pool but it did : toplevel=%v nodepool=%v", expected, p.Experimental)
 					}
+
 				},
 			},
 			assertCluster: []ClusterTester{
 				hasDefaultCluster,
+				func(c root.Cluster, t *testing.T) {
+					cp := c.ControlPlane()
+					controllerUserdataS3Part := cp.UserDataController.Parts[model.USERDATA_S3].Asset.Content
+					if !strings.Contains(controllerUserdataS3Part, `--feature-gates=PodPriority=true`) {
+						t.Error("missing controller feature gate: PodPriority=true")
+					}
+
+					if !strings.Contains(controllerUserdataS3Part, `scheduling.k8s.io/v1alpha1=true`) {
+						t.Error("missing controller runtime config: scheduling.k8s.io/v1alpha1=true")
+					}
+
+					re, _ := regexp.Compile("--admission-control=[a-zA-z,]*,Priority")
+					if len(re.FindString(controllerUserdataS3Part)) == 0 {
+						t.Error("missing controller --admission-control config: Priority")
+					}
+
+				},
 			},
 		},
 		{