// RunSecurityAllocationController starts the security allocation controller process.
func (c *MasterConfig) RunSecurityAllocationController() {
alloc := c.Options.ProjectConfig.SecurityAllocator
if alloc == nil {
glog.V(3).Infof("Security allocator is disabled - no UIDs assigned to projects")
return
}
// TODO: move range initialization to run_config
uidRange, err := uid.ParseRange(alloc.UIDAllocatorRange)
if err != nil {
glog.Fatalf("Unable to describe UID range: %v", err)
}
opts, err := c.RESTOptionsGetter.GetRESTOptions(unversioned.GroupResource{Resource: "securityuidranges"})
if err != nil {
glog.Fatalf("Unable to load storage options for security UID ranges")
}
var etcdAlloc *etcdallocator.Etcd
uidAllocator := uidallocator.New(uidRange, func(max int, rangeSpec string) allocator.Interface {
mem := allocator.NewContiguousAllocationMap(max, rangeSpec)
etcdAlloc = etcdallocator.NewEtcd(mem, "/ranges/uids", kapi.Resource("uidallocation"), opts.StorageConfig)
return etcdAlloc
})
mcsRange, err := mcs.ParseRange(alloc.MCSAllocatorRange)
if err != nil {
glog.Fatalf("Unable to describe MCS category range: %v", err)
}
kclient := c.SecurityAllocationControllerClient()
repair := securitycontroller.NewRepair(time.Minute, kclient.Namespaces(), uidRange, etcdAlloc)
if err := repair.RunOnce(); err != nil {
// TODO: v scary, may need to use direct etcd calls?
// If the security controller fails during RunOnce it could mean a
// couple of things:
// 1. an unexpected etcd error occurred getting an allocator or the namespaces
// 2. the allocation blocks were full - would result in an admission controller that is unable
// to create the strategies correctly which would likely mean that the cluster
// would not admit pods the the majority of users.
// 3. an unexpected error persisting an allocation for a namespace has occurred - same as above
// In all cases we do not want to continue normal operations, this should be fatal.
glog.Fatalf("Unable to initialize namespaces: %v", err)
}
factory := securitycontroller.AllocationFactory{
UIDAllocator: uidAllocator,
MCSAllocator: securitycontroller.DefaultMCSAllocation(uidRange, mcsRange, alloc.MCSLabelsPerProject),
Client: kclient.Namespaces(),
// TODO: reuse namespace cache
}
controller := factory.Create()
controller.Run()
}
// RunSecurityAllocationController starts the security allocation controller process.
func (c *MasterConfig) RunSecurityAllocationController() {
alloc := c.Options.ProjectConfig.SecurityAllocator
if alloc == nil {
glog.V(3).Infof("Security allocator is disabled - no UIDs assigned to projects")
return
}
// TODO: move range initialization to run_config
uidRange, err := uid.ParseRange(alloc.UIDAllocatorRange)
if err != nil {
glog.Fatalf("Unable to describe UID range: %v", err)
}
var etcdAlloc *etcdallocator.Etcd
uidAllocator := uidallocator.New(uidRange, func(max int, rangeSpec string) allocator.Interface {
mem := allocator.NewContiguousAllocationMap(max, rangeSpec)
etcdAlloc = etcdallocator.NewEtcd(mem, "/ranges/uids", "uidallocation", c.EtcdHelper)
return etcdAlloc
})
mcsRange, err := mcs.ParseRange(alloc.MCSAllocatorRange)
if err != nil {
glog.Fatalf("Unable to describe MCS category range: %v", err)
}
kclient := c.SecurityAllocationControllerClient()
repair := securitycontroller.NewRepair(time.Minute, kclient.Namespaces(), uidRange, etcdAlloc)
if err := repair.RunOnce(); err != nil {
// TODO: v scary, may need to use direct etcd calls?
glog.Fatalf("Unable to initialize namespaces: %v", err)
}
factory := securitycontroller.AllocationFactory{
UIDAllocator: uidAllocator,
MCSAllocator: securitycontroller.DefaultMCSAllocation(uidRange, mcsRange, alloc.MCSLabelsPerProject),
Client: kclient.Namespaces(),
// TODO: reuse namespace cache
}
controller := factory.Create()
controller.Run()
}