// deleteServiceAccounts removes every ServiceAccount in namespace ns.
//
// The namespace is listed once and each account is deleted by name. A
// NotFound error on an individual Delete is tolerated (the account may have
// been removed concurrently); any other error, including a List failure, is
// returned unchanged.
func deleteServiceAccounts(kubeClient client.Interface, ns string) error {
	saClient := kubeClient.ServiceAccounts(ns)
	list, err := saClient.List(unversioned.ListOptions{})
	if err != nil {
		return err
	}
	for _, sa := range list.Items {
		delErr := saClient.Delete(sa.Name)
		if delErr == nil || errors.IsNotFound(delErr) {
			continue
		}
		return delErr
	}
	return nil
}
// deleteServiceAccounts removes every ServiceAccount in namespace ns.
//
// The namespace is listed once (no label or field filtering) and each
// account is deleted by name. A NotFound error on an individual Delete is
// tolerated (the account may have been removed concurrently); any other
// error, including a List failure, is returned unchanged.
func deleteServiceAccounts(kubeClient client.Interface, ns string) error {
	saClient := kubeClient.ServiceAccounts(ns)
	list, err := saClient.List(labels.Everything(), fields.Everything())
	if err != nil {
		return err
	}
	for _, sa := range list.Items {
		delErr := saClient.Delete(sa.Name)
		if delErr == nil || errors.IsNotFound(delErr) {
			continue
		}
		return delErr
	}
	return nil
}
// NewServiceAccount returns an admission.Interface implementation which limits admission of Pod CREATE requests based on the pod's ServiceAccount:
// 1. If the pod does not specify a ServiceAccount, it sets the pod's ServiceAccount to "default"
// 2. It ensures the ServiceAccount referenced by the pod exists
// 3. If LimitSecretReferences is true, it rejects the pod if the pod references Secret objects which the pod's ServiceAccount does not reference
// 4. If the pod does not contain any ImagePullSecrets, the ImagePullSecrets of the service account are added.
// 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers
//
// The plugin keeps two namespace-keyed caches fed by reflectors: one of all
// ServiceAccounts, and one of Secrets restricted by field selector to the
// service-account-token type, so that non-token secrets are never cached here.
func NewServiceAccount(cl client.Interface) *serviceAccount {
	saListWatch := &cache.ListWatch{
		ListFunc: func(options unversioned.ListOptions) (runtime.Object, error) {
			return cl.ServiceAccounts(api.NamespaceAll).List(options)
		},
		WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) {
			return cl.ServiceAccounts(api.NamespaceAll).Watch(options)
		},
	}
	saIndexer, saReflector := cache.NewNamespaceKeyedIndexerAndReflector(saListWatch, &api.ServiceAccount{}, 0)

	// Only service-account token secrets are of interest; the selector is
	// forced onto every list/watch so the cache never holds other secret types.
	tokenOnly := fields.SelectorFromSet(map[string]string{client.SecretType: string(api.SecretTypeServiceAccountToken)})
	secretListWatch := &cache.ListWatch{
		ListFunc: func(options unversioned.ListOptions) (runtime.Object, error) {
			options.FieldSelector.Selector = tokenOnly
			return cl.Secrets(api.NamespaceAll).List(options)
		},
		WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) {
			options.FieldSelector.Selector = tokenOnly
			return cl.Secrets(api.NamespaceAll).Watch(options)
		},
	}
	secretIndexer, secretReflector := cache.NewNamespaceKeyedIndexerAndReflector(secretListWatch, &api.Secret{}, 0)

	plugin := &serviceAccount{
		// Only CREATE is intercepted.
		Handler: admission.NewHandler(admission.Create),
		// TODO: enable this once we've swept secret usage to account for adding secret references to service accounts
		// While false, step 3 above is not enforced: a pod may reference secrets its service account does not list.
		LimitSecretReferences: false,
		// Auto mount service account API token secrets
		MountServiceAccountToken: true,
		// Reject pod creation until a service account token is available
		RequireAPIToken:          true,
		client:                   cl,
		serviceAccounts:          saIndexer,
		serviceAccountsReflector: saReflector,
		secrets:                  secretIndexer,
		secretsReflector:         secretReflector,
	}
	return plugin
}
// GetAllocatedID resolves the integer ID stored under annotation for pod.
//
// If the pod names a ServiceAccount, the annotation is read from that
// ServiceAccount (in the pod's namespace); otherwise it is read from the
// pod's Namespace object. The raw annotation value is converted by
// AnnotationToIntPtr. An error is returned when the lookup fails or the
// annotation is absent.
func GetAllocatedID(kClient client.Interface, pod *api.Pod, annotation string) (*int64, error) {
	if len(pod.Spec.ServiceAccountName) == 0 {
		// No service account on the pod: the namespace carries the allocation.
		ns, err := kClient.Namespaces().Get(pod.Namespace)
		if err != nil {
			return nil, err
		}
		raw, found := ns.Annotations[annotation]
		if !found {
			return nil, fmt.Errorf("Unable to find annotation %s on namespace %s", annotation, pod.Namespace)
		}
		return AnnotationToIntPtr(raw)
	}

	sa, err := kClient.ServiceAccounts(pod.Namespace).Get(pod.Spec.ServiceAccountName)
	if err != nil {
		return nil, err
	}
	raw, found := sa.Annotations[annotation]
	if !found {
		return nil, fmt.Errorf("Unable to find annotation %s on service account %s", annotation, pod.Spec.ServiceAccountName)
	}
	return AnnotationToIntPtr(raw)
}
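// InstallRouter installs a default router on the OpenShift server.
//
// It is a no-op when the router service (SvcRouter in DefaultNamespace)
// already exists. Otherwise it, in order: creates the "router" service
// account and adds it to the "privileged" SCC; issues a router serving
// certificate signed by the cluster CA under configDir/master; and runs the
// router command with that certificate. Errors are wrapped with the origin
// log where the original code did so. Note that the steps are not
// transactional: a failure part-way leaves earlier objects in place, and a
// rerun then fails at service-account creation because Create is strict.
func (h *Helper) InstallRouter(kubeClient kclient.Interface, f *clientcmd.Factory, configDir, images, hostIP string, portForwarding bool, out io.Writer) error {
	_, err := kubeClient.Services(DefaultNamespace).Get(SvcRouter)
	if err == nil {
		// Router service already exists, nothing to do
		return nil
	}
	if !apierrors.IsNotFound(err) {
		return errors.NewError("error retrieving router service").WithCause(err).WithDetails(h.OriginLog())
	}
	masterDir := filepath.Join(configDir, "master")

	if err := h.createRouterServiceAccount(kubeClient); err != nil {
		return err
	}
	if err := createRouterCert(masterDir, hostIP); err != nil {
		return err
	}
	return h.runRouterCommand(f, masterDir, images, portForwarding, out)
}

// createRouterServiceAccount creates the "router" service account in the
// "default" namespace and appends its username to the "privileged" SCC.
//
// Create is strict: an already-existing "router" SA is an error rather than
// being silently reused and granted the SCC. The SCC grant is what lets the
// router pod use host ports / host networking (see the router config);
// nothing else in this file constrains what that SCC permits.
func (h *Helper) createRouterServiceAccount(kubeClient kclient.Interface) error {
	routerSA := &kapi.ServiceAccount{}
	routerSA.Name = "router"
	if _, err := kubeClient.ServiceAccounts("default").Create(routerSA); err != nil {
		return errors.NewError("cannot create router service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// Add router SA to privileged SCC
	privilegedSCC, err := kubeClient.SecurityContextConstraints().Get("privileged")
	if err != nil {
		return errors.NewError("cannot retrieve privileged SCC").WithCause(err).WithDetails(h.OriginLog())
	}
	privilegedSCC.Users = append(privilegedSCC.Users, serviceaccount.MakeUsername("default", "router"))
	if _, err := kubeClient.SecurityContextConstraints().Update(privilegedSCC); err != nil {
		return errors.NewError("cannot update privileged SCC").WithCause(err).WithDetails(h.OriginLog())
	}
	return nil
}

// createRouterCert issues a serving certificate for the router, signed by
// the cluster CA (ca.crt/ca.key/ca.serial.txt in masterDir), and bundles
// cert, key and CA into masterDir/router.pem for use as the router's default
// certificate. Existing router.crt/router.key are overwritten.
//
// Because the signer is the cluster's own CA, clients only trust this cert
// if they trust that CA. The certificate error is wrapped; a bundling
// (catFiles) error is returned as-is, matching the original behaviour.
func createRouterCert(masterDir, hostIP string) error {
	cmdOutput := &bytes.Buffer{}
	createCertOptions := &admin.CreateServerCertOptions{
		SignerCertOptions: &admin.SignerCertOptions{
			CertFile:   filepath.Join(masterDir, "ca.crt"),
			KeyFile:    filepath.Join(masterDir, "ca.key"),
			SerialFile: filepath.Join(masterDir, "ca.serial.txt"),
		},
		Overwrite: true,
		// <hostIP>.xip.io resolves to hostIP via the xip.io wildcard DNS
		// service, giving the router a hostname that matches its address.
		Hostnames: []string{fmt.Sprintf("%s.xip.io", hostIP)},
		CertFile:  filepath.Join(masterDir, "router.crt"),
		KeyFile:   filepath.Join(masterDir, "router.key"),
		Output:    cmdOutput,
	}
	if _, err := createCertOptions.CreateServerCert(); err != nil {
		return errors.NewError("cannot create router cert").WithCause(err)
	}
	return catFiles(filepath.Join(masterDir, "router.pem"), filepath.Join(masterDir, "router.crt"), filepath.Join(masterDir, "router.key"), filepath.Join(masterDir, "ca.crt"))
}

// runRouterCommand builds the router configuration and runs the router
// command, logging the command output at verbosity 4.
//
// The router is given masterDir/admin.kubeconfig as its credentials, i.e. it
// runs with the cluster-admin kubeconfig generated for this server. It binds
// host ports (HostPorts: true) and uses host networking unless port
// forwarding is in use. The stats endpoint is configured on port 1936.
func (h *Helper) runRouterCommand(f *clientcmd.Factory, masterDir, images string, portForwarding bool, out io.Writer) error {
	imageTemplate := variable.NewDefaultImageTemplate()
	imageTemplate.Format = images
	cfg := &router.RouterConfig{
		Name:               "router",
		Type:               "haproxy-router",
		ImageTemplate:      imageTemplate,
		Ports:              "80:80,443:443",
		Replicas:           1,
		Labels:             "router=<name>",
		Credentials:        filepath.Join(masterDir, "admin.kubeconfig"),
		DefaultCertificate: filepath.Join(masterDir, "router.pem"),
		StatsPort:          1936,
		// NOTE(review): this value looks like a placeholder; confirm the
		// intended stats username before relying on the stats endpoint.
		StatsUsername:  "******",
		HostNetwork:    !portForwarding,
		HostPorts:      true,
		ServiceAccount: "router",
	}

	// Command output is captured separately from `out` so it can be logged
	// in full at V(4) and attached to the error on failure.
	output := &bytes.Buffer{}
	cmd := router.NewCmdRouter(f, "", "router", out)
	cmd.SetOutput(output)
	err := router.RunCmdRouter(f, cmd, output, cfg, []string{})
	glog.V(4).Infof("Router command output:\n%s", output.String())
	if err != nil {
		return errors.NewError("cannot install router").WithCause(err).WithDetails(h.OriginLog())
	}
	return nil
}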