use the upstream admission plugin construction

Author: deads2k

pkg/assets/apiserver/asset_apiserver.go

@@ -32,7 +32,6 @@ import (
 	"github.com/openshift/origin/pkg/cmd/server/crypto"
 	cmdutil "github.com/openshift/origin/pkg/cmd/util"
 	oauthutil "github.com/openshift/origin/pkg/oauth/util"
-	clusterresourceoverrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
 	"github.com/openshift/origin/pkg/util/httprequest"
 	oversion "github.com/openshift/origin/pkg/version"
 )
@@ -44,8 +43,7 @@ const (
 type AssetServerConfig struct {
 	GenericConfig *genericapiserver.Config
 
-	Options               oapi.AssetConfig
-	LimitRequestOverrides *clusterresourceoverrideapi.ClusterResourceOverrideConfig
+	Options oapi.AssetConfig
 
 	PublicURL url.URL
 }
@@ -218,20 +216,19 @@ func (c *completedAssetServerConfig) addWebConsoleConfig(serverMux *genericmux.P
 
 	// Generated web console config and server version
 	config := assets.WebConsoleConfig{
-		APIGroupAddr:          masterURL.Host,
-		APIGroupPrefix:        server.APIGroupPrefix,
-		MasterAddr:            masterURL.Host,
-		MasterPrefix:          api.Prefix,
-		KubernetesAddr:        masterURL.Host,
-		KubernetesPrefix:      server.DefaultLegacyAPIPrefix,
-		OAuthAuthorizeURI:     oauthutil.OpenShiftOAuthAuthorizeURL(masterURL.String()),
-		OAuthTokenURI:         oauthutil.OpenShiftOAuthTokenURL(masterURL.String()),
-		OAuthRedirectBase:     c.Options.PublicURL,
-		OAuthClientID:         OpenShiftWebConsoleClientID,
-		LogoutURI:             c.Options.LogoutURL,
-		LoggingURL:            c.Options.LoggingPublicURL,
-		MetricsURL:            c.Options.MetricsPublicURL,
-		LimitRequestOverrides: c.LimitRequestOverrides,
+		APIGroupAddr:      masterURL.Host,
+		APIGroupPrefix:    server.APIGroupPrefix,
+		MasterAddr:        masterURL.Host,
+		MasterPrefix:      api.Prefix,
+		KubernetesAddr:    masterURL.Host,
+		KubernetesPrefix:  server.DefaultLegacyAPIPrefix,
+		OAuthAuthorizeURI: oauthutil.OpenShiftOAuthAuthorizeURL(masterURL.String()),
+		OAuthTokenURI:     oauthutil.OpenShiftOAuthTokenURL(masterURL.String()),
+		OAuthRedirectBase: c.Options.PublicURL,
+		OAuthClientID:     OpenShiftWebConsoleClientID,
+		LogoutURI:         c.Options.LogoutURL,
+		LoggingURL:        c.Options.LoggingPublicURL,
+		MetricsURL:        c.Options.MetricsPublicURL,
 	}
 	kVersionInfo := kversion.Get()
 	oVersionInfo := oversion.Get()

pkg/cmd/server/api/install/install.go

@@ -5,6 +5,8 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/apis/apiserver"
+	apiserverv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
 	"k8s.io/apiserver/pkg/apis/audit"
 	auditv1alpha1 "k8s.io/apiserver/pkg/apis/audit/v1alpha1"
 
@@ -33,6 +35,8 @@ func init() {
 	// policy file inside master-config.yaml
 	audit.AddToScheme(configapi.Scheme)
 	auditv1alpha1.AddToScheme(configapi.Scheme)
+	apiserver.AddToScheme(configapi.Scheme)
+	apiserverv1alpha1.AddToScheme(configapi.Scheme)
 }
 
 func interfacesFor(version schema.GroupVersion) (*meta.VersionInterfaces, error) {

pkg/cmd/server/api/latest/helpers.go

@@ -11,7 +11,9 @@ import (
 	"github.com/ghodss/yaml"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	kyaml "k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/apiserver/pkg/apis/apiserver"
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 )
@@ -158,3 +160,31 @@ func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, erro
 
 	return !activationConfig.Disable, nil
 }
+
+func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]configapi.AdmissionPluginConfig) (*apiserver.AdmissionConfiguration, error) {
+	ret := &apiserver.AdmissionConfiguration{}
+
+	for _, pluginName := range sets.StringKeySet(in).List() {
+		openshiftConfig := in[pluginName]
+
+		fmt.Printf("#### adding for %T\n", openshiftConfig.Configuration)
+		kubeConfig := apiserver.AdmissionPluginConfiguration{
+			Name: pluginName,
+			Path: openshiftConfig.Location,
+		}
+
+		if openshiftConfig.Configuration != nil {
+			configBytes, err := runtime.Encode(Codec, openshiftConfig.Configuration)
+			if err != nil {
+				return nil, err
+			}
+			kubeConfig.Configuration = &runtime.Unknown{
+				Raw: configBytes,
+			}
+		}
+
+		ret.Plugins = append(ret.Plugins, kubeConfig)
+	}
+
+	return ret, nil
+}

pkg/cmd/server/api/latest/latest.go

@@ -22,4 +22,8 @@ var OldestVersion = schema.GroupVersion{Group: "", Version: "v1"}
 // with a set of versions to choose.
 var Versions = []schema.GroupVersion{{Group: "", Version: "v1"}}
 
-var Codec = serializer.NewCodecFactory(configapi.Scheme).LegacyCodec(schema.GroupVersion{Group: "", Version: "v1"})
+var Codec = serializer.NewCodecFactory(configapi.Scheme).LegacyCodec(
+	schema.GroupVersion{Group: "", Version: "v1"},
+	schema.GroupVersion{Group: "apiserver.k8s.io", Version: "v1alpha1"},
+	schema.GroupVersion{Group: "audit.k8s.io", Version: "v1alpha1"},
+)

pkg/cmd/server/origin/admission/chain_builder.go

@@ -5,21 +5,20 @@ import (
 	"io"
 	"io/ioutil"
 	"net"
+	"os"
 	"reflect"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
-	kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	noderestriction "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
 	storageclassdefaultadmission "k8s.io/kubernetes/plugin/pkg/admission/storageclass/setdefault"
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
-	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
-	"github.com/openshift/origin/pkg/cmd/util/pluginconfig"
+	configapilatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	imageadmission "github.com/openshift/origin/pkg/image/admission"
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 	ingressadmission "github.com/openshift/origin/pkg/ingress/admission"
@@ -131,12 +130,36 @@ func fixupAdmissionPlugins(plugins []string) []string {
 
 func NewAdmissionChains(
 	options configapi.MasterConfig,
-	kubeClientSet kclientsetinternal.Interface,
 	admissionInitializer admission.PluginInitializer,
 ) (admission.Interface, error) {
 	admissionPluginConfigFilename := ""
 	if len(options.KubernetesMasterConfig.APIServerArguments["admission-control-config-file"]) > 0 {
 		admissionPluginConfigFilename = options.KubernetesMasterConfig.APIServerArguments["admission-control-config-file"][0]
+
+	} else {
+		pluginConfig := map[string]configapi.AdmissionPluginConfig{}
+		for pluginName, config := range options.AdmissionConfig.PluginConfig {
+			pluginConfig[pluginName] = config
+		}
+		upstreamAdmissionConfig, err := configapilatest.ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(pluginConfig)
+		if err != nil {
+			return nil, err
+		}
+		configBytes, err := configapilatest.WriteYAML(upstreamAdmissionConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		tempFile, err := ioutil.TempFile("", "master-config.yaml")
+		if err != nil {
+			return nil, err
+		}
+		defer os.Remove(tempFile.Name())
+		if _, err := tempFile.Write(configBytes); err != nil {
+			return nil, err
+		}
+		tempFile.Close()
+		admissionPluginConfigFilename = tempFile.Name()
 	}
 
 	admissionPluginNames := combinedAdmissionControlPlugins
@@ -145,13 +168,8 @@ func NewAdmissionChains(
 	}
 	admissionPluginNames = fixupAdmissionPlugins(admissionPluginNames)
 
-	// if we have a unified chain, build the combined config
-	pluginConfig := map[string]configapi.AdmissionPluginConfig{}
-	for pluginName, config := range options.AdmissionConfig.PluginConfig {
-		pluginConfig[pluginName] = config
-	}
+	admissionChain, err := newAdmissionChainFunc(admissionPluginNames, admissionPluginConfigFilename, options, admissionInitializer)
 
-	admissionChain, err := newAdmissionChainFunc(admissionPluginNames, admissionPluginConfigFilename, pluginConfig, options, kubeClientSet, admissionInitializer)
 	if err != nil {
 		return nil, err
 	}
@@ -162,12 +180,11 @@ func NewAdmissionChains(
 // newAdmissionChainFunc is for unit testing only.  You should NEVER OVERRIDE THIS outside of a unit test.
 var newAdmissionChainFunc = newAdmissionChain
 
-func newAdmissionChain(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientsetinternal.Interface, admissionInitializer admission.PluginInitializer) (admission.Interface, error) {
+func newAdmissionChain(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, admissionInitializer admission.PluginInitializer) (admission.Interface, error) {
 	plugins := []admission.Interface{}
 	for _, pluginName := range pluginNames {
 		var (
-			plugin             admission.Interface
-			skipInitialization bool
+			plugin admission.Interface
 		)
 
 		switch pluginName {
@@ -189,6 +206,7 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu
 				return nil, err
 			}
 			plugin = lc
+			admissionInitializer.Initialize(plugin)
 
 		case serviceadmit.ExternalIPPluginName:
 			// this needs to be moved upstream to be part of core config
@@ -202,6 +220,7 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu
 				allowIngressIP = true
 			}
 			plugin = serviceadmit.NewExternalIPRanger(reject, admit, allowIngressIP)
+			admissionInitializer.Initialize(plugin)
 
 		case serviceadmit.RestrictedEndpointsPluginName:
 			// we need to set some customer parameters, so create by hand
@@ -216,46 +235,32 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu
 				return nil, err
 			}
 			plugin = serviceadmit.NewRestrictedEndpointsAdmission(restrictedNetworks)
+			admissionInitializer.Initialize(plugin)
 
 		case saadmit.PluginName:
 			// we need to set some custom parameters on the service account admission controller, so create that one by hand
 			saAdmitter := saadmit.NewServiceAccount()
-			saAdmitter.SetInternalKubeClientSet(kubeClientSet)
 			saAdmitter.LimitSecretReferences = options.ServiceAccountConfig.LimitSecretReferences
 			plugin = saAdmitter
+			admissionInitializer.Initialize(plugin)
 
 		default:
-			configFile, err := pluginconfig.GetAdmissionConfigurationFile(pluginConfig, pluginName, admissionConfigFilename)
-			if err != nil {
-				return nil, err
-			}
-			configReader, err := admission.ReadAdmissionConfiguration([]string{pluginName}, configFile)
+			pluginsConfigProvider, err := admission.ReadAdmissionConfiguration([]string{pluginName}, admissionConfigFilename)
 			if err != nil {
 				return nil, err
 			}
-			pluginConfigReader, err := configReader.ConfigFor(pluginName)
-			if err != nil {
-				return nil, err
-			}
-
-			plugin, err = OriginAdmissionPlugins.InitPlugin(pluginName, pluginConfigReader, admissionInitializer)
+			plugin, err = OriginAdmissionPlugins.NewFromPlugins([]string{pluginName}, pluginsConfigProvider, admissionInitializer)
 			if err != nil {
 				// should have been caught with validation
 				return nil, err
 			}
 			if plugin == nil {
 				continue
 			}
-
-			// skip initialization below because admission.InitPlugin does all the work
-			skipInitialization = true
 		}
 
 		plugins = append(plugins, plugin)
 
-		if !skipInitialization {
-			admissionInitializer.Initialize(plugin)
-		}
 	}
 
 	// ensure that plugins have been properly initialized
@@ -307,7 +312,7 @@ func filterEnableAdmissionConfigs(delegate admission.Factory) admission.Factory
 		}
 		// if the config isn't a DefaultAdmissionConfig, then assume we're enabled (we were called after all)
 		// if the config *is* a DefaultAdmissionConfig and it explicitly said
-		obj, err := configlatest.ReadYAML(config1)
+		obj, err := configapilatest.ReadYAML(config1)
 		// if we can't read it, let the plugin deal with it
 		if err != nil {
 			return delegate(config2)

pkg/cmd/server/origin/admission/config_test.go

@@ -8,7 +8,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
-	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
@@ -107,14 +106,14 @@ func TestSeparateAdmissionChainDetection(t *testing.T) {
 	testCases := []struct {
 		name                  string
 		options               configapi.MasterConfig
-		admissionChainBuilder func(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientset.Interface, pluginInitializer admission.PluginInitializer) (admission.Interface, error)
+		admissionChainBuilder func(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, pluginInitializer admission.PluginInitializer) (admission.Interface, error)
 	}{
 		{
 			name: "stock everything",
 			options: configapi.MasterConfig{
 				KubernetesMasterConfig: &configapi.KubernetesMasterConfig{},
 			},
-			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientset.Interface, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
+			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
 				if !reflect.DeepEqual(pluginNames, combinedAdmissionControlPlugins) {
 					t.Errorf("%s: expected %v, got %v", "stock everything", combinedAdmissionControlPlugins, pluginNames)
 				}
@@ -129,7 +128,7 @@ func TestSeparateAdmissionChainDetection(t *testing.T) {
 					PluginOrderOverride: []string{"foo"},
 				},
 			},
-			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientset.Interface, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
+			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
 				isKube := reflect.DeepEqual(pluginNames, combinedAdmissionControlPlugins)
 
 				expectedOrigin := []string{"foo"}
@@ -151,7 +150,7 @@ func TestSeparateAdmissionChainDetection(t *testing.T) {
 					},
 				},
 			},
-			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientset.Interface, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
+			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
 				isKube := reflect.DeepEqual(pluginNames, combinedAdmissionControlPlugins)
 				isOrigin := reflect.DeepEqual(pluginNames, combinedAdmissionControlPlugins)
 				if !isKube && !isOrigin {
@@ -172,7 +171,7 @@ func TestSeparateAdmissionChainDetection(t *testing.T) {
 					},
 				},
 			},
-			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, pluginConfig map[string]configapi.AdmissionPluginConfig, options configapi.MasterConfig, kubeClientSet kclientset.Interface, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
+			admissionChainBuilder: func(pluginNames []string, admissionConfigFilename string, options configapi.MasterConfig, pluginInitializer admission.PluginInitializer) (admission.Interface, error) {
 				if !reflect.DeepEqual(pluginNames, combinedAdmissionControlPlugins) {
 					t.Errorf("%s: expected %v, got %v", "specified, non-conflicting plugin configs 01", combinedAdmissionControlPlugins, pluginNames)
 				}
@@ -183,7 +182,7 @@ func TestSeparateAdmissionChainDetection(t *testing.T) {
 
 	for _, tc := range testCases {
 		newAdmissionChainFunc = tc.admissionChainBuilder
-		_, _ = NewAdmissionChains(tc.options, nil, nil)
+		_, _ = NewAdmissionChains(tc.options, nil)
 	}
 }