// ensureDefaultNamespaceServiceAccountRoles initializes roles for service accounts in the default namespace
func (c *MasterConfig) ensureDefaultNamespaceServiceAccountRoles() {
const ServiceAccountRolesInitializedAnnotation = "openshift.io/sa.initialized-roles"
// Wait for the default namespace
var defaultNamespace *kapi.Namespace
for i := 0; i < 30; i++ {
ns, err := c.KubeClient().Namespaces().Get(kapi.NamespaceDefault)
if err == nil {
defaultNamespace = ns
break
}
if kapierror.IsNotFound(err) {
time.Sleep(time.Second)
continue
}
glog.Errorf("Error adding service account roles to default namespace: %v", err)
return
}
if defaultNamespace == nil {
glog.Errorf("Default namespace not found, could not initialize default service account roles")
return
}
// Short-circuit if we're already initialized
if defaultNamespace.Annotations[ServiceAccountRolesInitializedAnnotation] == "true" {
return
}
hasErrors := false
for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(kapi.NamespaceDefault) {
addRole := &policy.RoleModificationOptions{
RoleName: binding.RoleRef.Name,
RoleNamespace: binding.RoleRef.Namespace,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(kapi.NamespaceDefault, c.ServiceAccountRoleBindingClient()),
Users: binding.Users.List(),
Groups: binding.Groups.List(),
}
if err := addRole.AddRole(); err != nil {
glog.Errorf("Could not add service accounts to the %v role in the %v namespace: %v\n", binding.RoleRef.Name, kapi.NamespaceDefault, err)
hasErrors = true
}
}
// If we had errors, don't register initialization so we can try again
if !hasErrors {
if defaultNamespace.Annotations == nil {
defaultNamespace.Annotations = map[string]string{}
}
defaultNamespace.Annotations[ServiceAccountRolesInitializedAnnotation] = "true"
if _, err := c.KubeClient().Namespaces().Update(defaultNamespace); err != nil {
glog.Errorf("Error recording adding service account roles to default namespace: %v", err)
}
}
}
// syncNamespace makes namespace life-cycle decisions
func syncNamespace(kubeClient client.Interface, namespace api.Namespace) (err error) {
if namespace.DeletionTimestamp == nil {
return nil
}
// if there is a deletion timestamp, and the status is not terminating, then update status
if !namespace.DeletionTimestamp.IsZero() && namespace.Status.Phase != api.NamespaceTerminating {
newNamespace := api.Namespace{}
newNamespace.ObjectMeta = namespace.ObjectMeta
newNamespace.Status = namespace.Status
newNamespace.Status.Phase = api.NamespaceTerminating
result, err := kubeClient.Namespaces().Status(&newNamespace)
if err != nil {
return err
}
// work with the latest copy so we can proceed to clean up right away without another interval
namespace = *result
}
// if the namespace is already finalized, delete it
if finalized(namespace) {
err = kubeClient.Namespaces().Delete(namespace.Name)
if err != nil && !errors.IsNotFound(err) {
return err
}
return nil
}
// there may still be content for us to remove
err = deleteAllContent(kubeClient, namespace.Name)
if err != nil {
return err
}
// we have removed content, so mark it finalized by us
result, err := finalize(kubeClient, namespace)
if err != nil {
return err
}
// now check if all finalizers have reported that we delete now
if finalized(*result) {
err = kubeClient.Namespaces().Delete(namespace.Name)
if err != nil && !errors.IsNotFound(err) {
return err
}
}
return nil
}
// finalize will finalize the namespace for kubernetes
func finalize(kubeClient client.Interface, namespace api.Namespace) (*api.Namespace, error) {
namespaceFinalize := api.Namespace{}
namespaceFinalize.ObjectMeta = namespace.ObjectMeta
namespaceFinalize.Spec = namespace.Spec
finalizerSet := util.NewStringSet()
for i := range namespace.Spec.Finalizers {
if namespace.Spec.Finalizers[i] != api.FinalizerKubernetes {
finalizerSet.Insert(string(namespace.Spec.Finalizers[i]))
}
}
namespaceFinalize.Spec.Finalizers = make([]api.FinalizerName, 0, len(finalizerSet))
for _, value := range finalizerSet.List() {
namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, api.FinalizerName(value))
}
return kubeClient.Namespaces().Finalize(&namespaceFinalize)
}
// ValidateNamespaceStatusUpdate tests to see if the update is legal for an end user to make. newNamespace is updated with fields
// that cannot be changed.
func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *api.Namespace) errs.ValidationErrorList {
allErrs := errs.ValidationErrorList{}
allErrs = append(allErrs, ValidateObjectMetaUpdate(&oldNamespace.ObjectMeta, &newNamespace.ObjectMeta).Prefix("metadata")...)
if newNamespace.Status.Phase != oldNamespace.Status.Phase {
allErrs = append(allErrs, errs.NewFieldInvalid("status.phase", newNamespace.Status.Phase, "namespace phase cannot be changed directly"))
}
newNamespace.Spec = oldNamespace.Spec
return allErrs
}
// finalizeInternal will update the namespace finalizer list to either have or not have origin finalizer
func finalizeInternal(kubeClient kclient.Interface, namespace *kapi.Namespace, withOrigin bool) (*kapi.Namespace, error) {
namespaceFinalize := kapi.Namespace{}
namespaceFinalize.ObjectMeta = namespace.ObjectMeta
namespaceFinalize.Spec = namespace.Spec
finalizerSet := util.NewStringSet()
for i := range namespace.Spec.Finalizers {
finalizerSet.Insert(string(namespace.Spec.Finalizers[i]))
}
if withOrigin {
finalizerSet.Insert(string(api.FinalizerOrigin))
} else {
finalizerSet.Delete(string(api.FinalizerOrigin))
}
namespaceFinalize.Spec.Finalizers = make([]kapi.FinalizerName, 0, len(finalizerSet))
for _, value := range finalizerSet.List() {
namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, kapi.FinalizerName(value))
}
return kubeClient.Namespaces().Finalize(&namespaceFinalize)
}
// ValidateNamespaceUpdate tests to make sure a mamespace update can be applied. Modifies oldNamespace.
func ValidateNamespaceUpdate(oldNamespace *api.Namespace, namespace *api.Namespace) errs.ValidationErrorList {
allErrs := errs.ValidationErrorList{}
allErrs = append(allErrs, ValidateObjectMetaUpdate(&oldNamespace.ObjectMeta, &namespace.ObjectMeta).Prefix("metadata")...)
// TODO: move reset function to its own location
// Ignore metadata changes now that they have been tested
oldNamespace.ObjectMeta = namespace.ObjectMeta
// TODO: Add a 'real' ValidationError type for this error and provide print actual diffs.
if !api.Semantic.DeepEqual(oldNamespace, namespace) {
glog.V(4).Infof("Update failed validation %#v vs %#v", oldNamespace, namespace)
allErrs = append(allErrs, fmt.Errorf("update contains more than labels or annotation changes"))
}
return allErrs
}
// Next processes a changed namespace and tries to allocate a uid range for it. If it is
// successful, an mcs label corresponding to the relative position of the range is also
// set.
func (c *Allocation) Next(ns *kapi.Namespace) error {
tx := &tx{}
defer tx.Rollback()
if _, ok := ns.Annotations[security.UIDRangeAnnotation]; ok {
return nil
}
if ns.Annotations == nil {
ns.Annotations = make(map[string]string)
}
// do uid allocation
block, err := c.uid.AllocateNext()
if err != nil {
return err
}
tx.Add(func() error { return c.uid.Release(block) })
ns.Annotations[security.UIDRangeAnnotation] = block.String()
if _, ok := ns.Annotations[security.MCSAnnotation]; !ok {
if label := c.mcs(block); label != nil {
ns.Annotations[security.MCSAnnotation] = label.String()
}
}
// TODO: could use a client.GuaranteedUpdate/Merge function
for i := 0; i < retryCount; i++ {
_, err := c.client.Update(ns)
if err == nil {
// commit and exit
tx.Commit()
return nil
}
if errors.IsNotFound(err) {
return nil
}
if !errors.IsConflict(err) {
return err
}
newNs, err := c.client.Get(ns.Name)
if errors.IsNotFound(err) {
return nil
}
if err != nil {
return err
}
if changedAndSetAnnotations(ns, newNs) {
return nil
}
// try again
if newNs.Annotations == nil {
newNs.Annotations = make(map[string]string)
}
newNs.Annotations[security.UIDRangeAnnotation] = ns.Annotations[security.UIDRangeAnnotation]
newNs.Annotations[security.MCSAnnotation] = ns.Annotations[security.MCSAnnotation]
ns = newNs
}
return fmt.Errorf("unable to allocate security info on %q after %d retries", ns.Name, retryCount)
}