-
Notifications
You must be signed in to change notification settings - Fork 413
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
On-cluster build opt-in function, building machine-os-builder stub, R…
…BAC and service acct inclusion, e2e tests
- Loading branch information
1 parent
9ad6ee9
commit 777d777
Showing
17 changed files
with
511 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package main | ||
|
||
import ( | ||
"flag" | ||
"fmt" | ||
"time" | ||
|
||
"github.com/spf13/cobra" | ||
) | ||
|
||
const componentName = "machine-os-builder" | ||
|
||
var ( | ||
rootCmd = &cobra.Command{ | ||
Use: componentName, | ||
Short: "Run Machine OS Builder", | ||
Long: "", | ||
} | ||
) | ||
|
||
func init() { | ||
rootCmd.PersistentFlags().AddGoFlagSet(flag.CommandLine) | ||
} | ||
|
||
func main() { | ||
fmt.Println("Hello, World!") | ||
<-time.After(876000 * time.Hour) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package main | ||
|
||
import ( | ||
"flag" | ||
|
||
"github.com/openshift/machine-config-operator/pkg/version" | ||
"github.com/spf13/cobra" | ||
"k8s.io/klog/v2" | ||
) | ||
|
||
var ( | ||
startCmd = &cobra.Command{ | ||
Use: "start", | ||
Short: "Starts Machine OS Builder", | ||
Long: "", | ||
Run: runStartCmd, | ||
} | ||
|
||
startOpts struct { | ||
kubeconfig string | ||
} | ||
) | ||
|
||
func init() { | ||
rootCmd.AddCommand(startCmd) | ||
startCmd.PersistentFlags().StringVar(&startOpts.kubeconfig, "kubeconfig", "", "Kubeconfig file to access a remote cluster (testing only)") | ||
} | ||
|
||
func runStartCmd(_ *cobra.Command, _ []string) { | ||
flag.Set("logtostderr", "true") | ||
flag.Parse() | ||
|
||
klog.V(2).Infof("Options parsed: %+v", startOpts) | ||
|
||
// To help debugging, immediately log version | ||
klog.Infof("Version: %+v (%s)", version.Raw, version.Hash) | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
package main | ||
|
||
import ( | ||
"flag" | ||
"fmt" | ||
|
||
"github.com/openshift/machine-config-operator/pkg/version" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
var ( | ||
versionCmd = &cobra.Command{ | ||
Use: "version", | ||
Short: "Print the version number of Machine OS Builder", | ||
Long: `All software has versions. This is Machine OS Builder's.`, | ||
Run: runVersionCmd, | ||
} | ||
) | ||
|
||
func init() { | ||
rootCmd.AddCommand(versionCmd) | ||
} | ||
|
||
func runVersionCmd(_ *cobra.Command, _ []string) { | ||
flag.Set("logtostderr", "true") | ||
flag.Parse() | ||
|
||
program := "MachineConfigController" | ||
version := version.Raw + "-" + version.Hash | ||
|
||
fmt.Println(program, version) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: machine-os-builder | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["nodes"] | ||
verbs: ["get", "list", "watch", "patch"] | ||
- apiGroups: ["machineconfiguration.openshift.io"] | ||
resources: ["*"] | ||
verbs: ["*"] | ||
- apiGroups: [""] | ||
resources: ["configmaps", "secrets"] | ||
verbs: ["*"] | ||
- apiGroups: ["config.openshift.io"] | ||
resources: ["images", "clusterversions", "featuregates", "nodes", "nodes/status"] | ||
verbs: ["*"] | ||
- apiGroups: ["config.openshift.io"] | ||
resources: ["schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["operator.openshift.io"] | ||
resources: ["imagecontentsourcepolicies"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["operator.openshift.io"] | ||
resources: ["etcds"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["image.openshift.io"] | ||
resources: ["images"] | ||
verbs: ["get","list","watch","create","update","patch","delete"] | ||
- apiGroups: ["image.openshift.io"] | ||
resources: ["imagestreams"] | ||
verbs: ["get","list","watch","create","update","patch","delete"] | ||
- apiGroups: ["build.openshift.io"] | ||
resources: ["builds","buildconfigs","buildconfigs/instantiate"] | ||
verbs: ["get","list","watch","create","update","patch","delete"] | ||
- apiGroups: [""] | ||
resources: ["pods/eviction"] | ||
verbs: ["create"] | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: ["get", "list", "create", "delete"] | ||
- apiGroups: ["extensions"] | ||
resources: ["daemonsets"] | ||
verbs: ["get"] | ||
- apiGroups: ["apps"] | ||
resources: ["daemonsets"] | ||
verbs: ["get"] | ||
- apiGroups: | ||
- authentication.k8s.io | ||
resources: | ||
- tokenreviews | ||
- subjectaccessreviews | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- authorization.k8s.io | ||
resources: | ||
- subjectaccessreviews | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- coordination.k8s.io | ||
resources: | ||
- leases | ||
verbs: | ||
- "*" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# (zzlotnik): Grant the machine-os-builder service account the ability to start | ||
# pods with UID 1000 for builds. This allows us to run Buildah in an | ||
# unprivileged pod for better security than allowing it to run in a privileged | ||
# pod. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: machine-os-builder-anyuid | ||
roleRef: | ||
name: "system:openshift:scc:anyuid" | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
subjects: | ||
- name: machine-os-builder | ||
kind: ServiceAccount | ||
namespace: "{{.TargetNamespace}}" |
11 changes: 11 additions & 0 deletions
11
manifests/machineosbuilder/clusterrolebinding-service-account.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: machine-os-builder | ||
roleRef: | ||
kind: ClusterRole | ||
name: machine-os-builder | ||
subjects: | ||
- kind: ServiceAccount | ||
namespace: "{{.TargetNamespace}}" | ||
name: machine-os-builder |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: machine-os-builder | ||
namespace: "{{.TargetNamespace}}" | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
k8s-app: machine-os-builder | ||
template: | ||
metadata: | ||
labels: | ||
k8s-app: machine-os-builder | ||
annotations: | ||
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' | ||
spec: | ||
containers: | ||
- name: machine-os-builder | ||
image: "{{.Images.MachineConfigOperator}}" | ||
command: ["/usr/bin/machine-os-builder"] | ||
args: | ||
- start | ||
- -v4 | ||
serviceAccountName: machine-os-builder |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: machine-os-builder-events | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["events"] | ||
verbs: ["create", "patch"] |
12 changes: 12 additions & 0 deletions
12
manifests/machineosbuilder/events-rolebinding-default.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: machine-os-builder-events | ||
namespace: default | ||
roleRef: | ||
kind: ClusterRole | ||
name: machine-os-builder-events | ||
subjects: | ||
- kind: ServiceAccount | ||
namespace: {{.TargetNamespace}} | ||
name: machine-os-builder |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: machine-os-builder-events | ||
namespace: {{.TargetNamespace}} | ||
roleRef: | ||
kind: ClusterRole | ||
name: machine-os-builder-events | ||
subjects: | ||
- kind: ServiceAccount | ||
namespace: {{.TargetNamespace}} | ||
name: machine-os-builder |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
namespace: {{.TargetNamespace}} | ||
name: machine-os-builder |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.