Skip to content

Commit dc9c4c3

Browse files
Merge pull request #16089 from deads2k/controller-10-bare-kube
Automatic merge from submit-queue (batch tested with PRs 16089, 16305, 16219, 15934, 16366) run the bare kube controllers This runs the kube controllers separately based on their command to avoid any customization and set us up to run them as-is, without modification in a future release (double lease thing). @smarterclayton
2 parents 5584aad + 30df806 commit dc9c4c3

File tree

5 files changed

+297
-131
lines changed

5 files changed

+297
-131
lines changed

pkg/cmd/server/start/controllers.go

+1-42
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,9 @@
11
package start
22

33
import (
4-
"k8s.io/apimachinery/pkg/runtime"
5-
"k8s.io/apimachinery/pkg/runtime/schema"
64
"k8s.io/client-go/rest"
75
cmapp "k8s.io/kubernetes/cmd/kube-controller-manager/app"
86
cmappoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
9-
kexternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
107
"k8s.io/kubernetes/pkg/cloudprovider"
118
"k8s.io/kubernetes/pkg/controller"
129

@@ -46,45 +43,7 @@ func getControllerContext(options configapi.MasterConfig, controllerManagerOptio
4643
AuthenticationClient: kubeExternal.Authentication(),
4744
Namespace: "kube-system",
4845
},
49-
InformerFactory: genericInformers{
50-
SharedInformerFactory: informers.GetExternalKubeInformers(),
51-
generic: []GenericResourceInformer{
52-
// use our existing internal informers to satisfy the generic informer requests (which don't require strong
53-
// types).
54-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
55-
return informers.appInformers.ForResource(resource)
56-
}),
57-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
58-
return informers.authorizationInformers.ForResource(resource)
59-
}),
60-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
61-
return informers.buildInformers.ForResource(resource)
62-
}),
63-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
64-
return informers.imageInformers.ForResource(resource)
65-
}),
66-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
67-
return informers.quotaInformers.ForResource(resource)
68-
}),
69-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
70-
return informers.securityInformers.ForResource(resource)
71-
}),
72-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
73-
return informers.templateInformers.ForResource(resource)
74-
}),
75-
informers.externalKubeInformers,
76-
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
77-
return informers.internalKubeInformers.ForResource(resource)
78-
}),
79-
},
80-
bias: map[schema.GroupVersionResource]schema.GroupVersionResource{
81-
{Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Version: runtime.APIVersionInternal},
82-
{Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Version: runtime.APIVersionInternal},
83-
{Group: "rbac.authorization.k8s.io", Resource: "roles", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "roles", Version: runtime.APIVersionInternal},
84-
{Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Version: runtime.APIVersionInternal},
85-
{Group: "", Resource: "securitycontextconstraints", Version: "v1"}: {Group: "", Resource: "securitycontextconstraints", Version: runtime.APIVersionInternal},
86-
},
87-
},
46+
InformerFactory: newGenericInformers(informers),
8847
Options: *controllerManagerOptions,
8948
AvailableResources: availableResources,
9049
Cloud: cloudProvider,

pkg/cmd/server/start/start_kube_controller_manager.go

+244-1
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,27 @@
11
package start
22

33
import (
4-
"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
4+
"strconv"
5+
6+
"github.com/golang/glog"
7+
"github.com/spf13/pflag"
8+
9+
"k8s.io/apimachinery/pkg/runtime"
10+
"k8s.io/apimachinery/pkg/runtime/schema"
11+
kerrors "k8s.io/apimachinery/pkg/util/errors"
12+
controllerapp "k8s.io/kubernetes/cmd/kube-controller-manager/app"
13+
controlleroptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
514
"k8s.io/kubernetes/pkg/api/v1"
615
kapiv1 "k8s.io/kubernetes/pkg/api/v1"
16+
kexternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
17+
kinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
18+
"k8s.io/kubernetes/pkg/controller"
719
"k8s.io/kubernetes/pkg/volume"
20+
_ "k8s.io/kubernetes/plugin/pkg/scheduler/algorithmprovider"
21+
22+
"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
23+
cmdflags "github.com/openshift/origin/pkg/cmd/util/flags"
24+
"k8s.io/kubernetes/pkg/apis/componentconfig"
825
)
926

1027
// newPersistentVolumeRecyclerPodTemplate provides a function which makes our recycler pod template for use in the kube-controller-manager
@@ -26,3 +43,229 @@ func newPersistentVolumeRecyclerPodTemplate(recyclerImageName string) func() *v1
2643
return defaultScrubPod
2744
}
2845
}
46+
47+
// newControllerContext provides a function which overrides the default and plugs a different set of informers in
48+
func newControllerContext(informers *informers) func(s *controlleroptions.CMServer, rootClientBuilder, clientBuilder controller.ControllerClientBuilder, stop <-chan struct{}) (controllerapp.ControllerContext, error) {
49+
oldContextFunc := controllerapp.CreateControllerContext
50+
return func(s *controlleroptions.CMServer, rootClientBuilder, clientBuilder controller.ControllerClientBuilder, stop <-chan struct{}) (controllerapp.ControllerContext, error) {
51+
ret, err := oldContextFunc(s, rootClientBuilder, clientBuilder, stop)
52+
if err != nil {
53+
return controllerapp.ControllerContext{}, err
54+
}
55+
56+
// Overwrite the informers. Since nothing accessed the existing informers that we're overwriting, they are inert.
57+
// TODO Remove this. It keeps in-process memory utilization down, but we shouldn't do it.
58+
ret.InformerFactory = newGenericInformers(informers)
59+
60+
return ret, nil
61+
}
62+
}
63+
64+
func kubeControllerManagerAddFlags(cmserver *controlleroptions.CMServer) func(flags *pflag.FlagSet) {
65+
return func(flags *pflag.FlagSet) {
66+
cmserver.AddFlags(flags, controllerapp.KnownControllers(), controllerapp.ControllersDisabledByDefault.List())
67+
}
68+
}
69+
70+
func newKubeControllerManager(kubeconfigFile, saPrivateKeyFile, saRootCAFile, podEvictionTimeout string, dynamicProvisioningEnabled bool, cmdLineArgs map[string][]string) (*controlleroptions.CMServer, error) {
71+
if cmdLineArgs == nil {
72+
cmdLineArgs = map[string][]string{}
73+
}
74+
75+
if _, ok := cmdLineArgs["controllers"]; !ok {
76+
cmdLineArgs["controllers"] = []string{
77+
"*", // start everything but the exceptions}
78+
// not used in openshift
79+
"-ttl",
80+
"-bootstrapsigner",
81+
"-tokencleaner",
82+
// we have to configure this separately until it is generic
83+
"-horizontalpodautoscaling",
84+
// we carry patches on this. For now....
85+
"-serviceaccount-token",
86+
}
87+
}
88+
if _, ok := cmdLineArgs["service-account-private-key-file"]; !ok {
89+
cmdLineArgs["service-account-private-key-file"] = []string{saPrivateKeyFile}
90+
}
91+
if _, ok := cmdLineArgs["root-ca-file"]; !ok {
92+
cmdLineArgs["root-ca-file"] = []string{saRootCAFile}
93+
}
94+
if _, ok := cmdLineArgs["kubeconfig"]; !ok {
95+
cmdLineArgs["kubeconfig"] = []string{kubeconfigFile}
96+
}
97+
if _, ok := cmdLineArgs["pod-eviction-timeout"]; !ok {
98+
cmdLineArgs["pod-eviction-timeout"] = []string{podEvictionTimeout}
99+
}
100+
if _, ok := cmdLineArgs["enable-dynamic-provisioning"]; !ok {
101+
cmdLineArgs["enable-dynamic-provisioning"] = []string{strconv.FormatBool(dynamicProvisioningEnabled)}
102+
}
103+
104+
// disable serving http since we didn't used to expose it
105+
if _, ok := cmdLineArgs["port"]; !ok {
106+
cmdLineArgs["port"] = []string{"-1"}
107+
}
108+
109+
// these force "default" values to match what we want
110+
if _, ok := cmdLineArgs["use-service-account-credentials"]; !ok {
111+
cmdLineArgs["use-service-account-credentials"] = []string{"true"}
112+
}
113+
if _, ok := cmdLineArgs["cluster-signing-cert-file"]; !ok {
114+
cmdLineArgs["cluster-signing-cert-file"] = []string{""}
115+
}
116+
if _, ok := cmdLineArgs["cluster-signing-key-file"]; !ok {
117+
cmdLineArgs["cluster-signing-key-file"] = []string{""}
118+
}
119+
if _, ok := cmdLineArgs["experimental-cluster-signing-duration"]; !ok {
120+
cmdLineArgs["experimental-cluster-signing-duration"] = []string{"0s"}
121+
}
122+
if _, ok := cmdLineArgs["leader-elect-retry-period"]; !ok {
123+
cmdLineArgs["leader-elect-retry-period"] = []string{"3s"}
124+
}
125+
if _, ok := cmdLineArgs["leader-elect-resource-lock"]; !ok {
126+
cmdLineArgs["leader-elect-resource-lock"] = []string{"configmaps"}
127+
}
128+
129+
// resolve arguments
130+
controllerManager := controlleroptions.NewCMServer()
131+
if err := cmdflags.Resolve(cmdLineArgs, kubeControllerManagerAddFlags(controllerManager)); len(err) > 0 {
132+
return nil, kerrors.NewAggregate(err)
133+
}
134+
135+
// TODO make this configurable or discoverable. This is going to prevent us from running the stock GC controller
136+
// IF YOU ADD ANYTHING TO THIS LIST, MAKE SURE THAT YOU UPDATE THEIR STRATEGIES TO PREVENT GC FINALIZERS
137+
controllerManager.GCIgnoredResources = append(controllerManager.GCIgnoredResources,
138+
// explicitly disabled from GC for now - not enough value to track them
139+
componentconfig.GroupResource{Group: "authorization.openshift.io", Resource: "rolebindingrestrictions"},
140+
componentconfig.GroupResource{Group: "network.openshift.io", Resource: "clusternetworks"},
141+
componentconfig.GroupResource{Group: "network.openshift.io", Resource: "egressnetworkpolicies"},
142+
componentconfig.GroupResource{Group: "network.openshift.io", Resource: "hostsubnets"},
143+
componentconfig.GroupResource{Group: "network.openshift.io", Resource: "netnamespaces"},
144+
componentconfig.GroupResource{Group: "oauth.openshift.io", Resource: "oauthclientauthorizations"},
145+
componentconfig.GroupResource{Group: "oauth.openshift.io", Resource: "oauthclients"},
146+
componentconfig.GroupResource{Group: "quota.openshift.io", Resource: "clusterresourcequotas"},
147+
componentconfig.GroupResource{Group: "user.openshift.io", Resource: "groups"},
148+
componentconfig.GroupResource{Group: "user.openshift.io", Resource: "identities"},
149+
componentconfig.GroupResource{Group: "user.openshift.io", Resource: "users"},
150+
componentconfig.GroupResource{Group: "image.openshift.io", Resource: "images"},
151+
152+
// virtual resource
153+
componentconfig.GroupResource{Group: "project.openshift.io", Resource: "projects"},
154+
// these resources contain security information in their names, and we don't need to track them
155+
componentconfig.GroupResource{Group: "oauth.openshift.io", Resource: "oauthaccesstokens"},
156+
componentconfig.GroupResource{Group: "oauth.openshift.io", Resource: "oauthauthorizetokens"},
157+
// exposed already as cronjobs
158+
componentconfig.GroupResource{Group: "batch", Resource: "scheduledjobs"},
159+
// exposed already as extensions v1beta1 by other controllers
160+
componentconfig.GroupResource{Group: "apps", Resource: "deployments"},
161+
// exposed as autoscaling v1
162+
componentconfig.GroupResource{Group: "extensions", Resource: "horizontalpodautoscalers"},
163+
// exposed as security.openshift.io v1
164+
componentconfig.GroupResource{Group: "", Resource: "securitycontextconstraints"},
165+
)
166+
167+
return controllerManager, nil
168+
}
169+
170+
func runEmbeddedKubeControllerManager(kubeconfigFile, saPrivateKeyFile, saRootCAFile, podEvictionTimeout string, dynamicProvisioningEnabled bool, cmdLineArgs map[string][]string,
171+
recyclerImage string, informers *informers) {
172+
volume.NewPersistentVolumeRecyclerPodTemplate = newPersistentVolumeRecyclerPodTemplate(recyclerImage)
173+
controllerapp.CreateControllerContext = newControllerContext(informers)
174+
controllerapp.StartInformers = func(stop <-chan struct{}) {
175+
informers.Start(stop)
176+
}
177+
178+
// TODO we need a real identity for this. Right now it's just using the loopback connection like it used to.
179+
controllerManager, err := newKubeControllerManager(kubeconfigFile, saPrivateKeyFile, saRootCAFile, podEvictionTimeout, dynamicProvisioningEnabled, cmdLineArgs)
180+
if err != nil {
181+
glog.Fatal(err)
182+
}
183+
// this does a second leader election, but doing the second leader election will allow us to move out process in
184+
// 3.8 if we so choose.
185+
if err := controllerapp.Run(controllerManager); err != nil {
186+
glog.Fatal(err)
187+
}
188+
}
189+
190+
type GenericResourceInformer interface {
191+
ForResource(resource schema.GroupVersionResource) (kinformers.GenericInformer, error)
192+
}
193+
194+
// genericInternalResourceInformerFunc will return an internal informer for any resource matching
195+
// its group resource, instead of the external version. Only valid for use where the type is accessed
196+
// via generic interfaces, such as the garbage collector with ObjectMeta.
197+
type genericInternalResourceInformerFunc func(resource schema.GroupVersionResource) (kinformers.GenericInformer, error)
198+
199+
func (fn genericInternalResourceInformerFunc) ForResource(resource schema.GroupVersionResource) (kinformers.GenericInformer, error) {
200+
resource.Version = runtime.APIVersionInternal
201+
return fn(resource)
202+
}
203+
204+
type genericInformers struct {
205+
kinformers.SharedInformerFactory
206+
generic []GenericResourceInformer
207+
// bias is a map that tries loading an informer from another GVR before using the original
208+
bias map[schema.GroupVersionResource]schema.GroupVersionResource
209+
}
210+
211+
func newGenericInformers(informers *informers) genericInformers {
212+
return genericInformers{
213+
SharedInformerFactory: informers.GetExternalKubeInformers(),
214+
generic: []GenericResourceInformer{
215+
// use our existing internal informers to satisfy the generic informer requests (which don't require strong
216+
// types).
217+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
218+
return informers.appInformers.ForResource(resource)
219+
}),
220+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
221+
return informers.authorizationInformers.ForResource(resource)
222+
}),
223+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
224+
return informers.buildInformers.ForResource(resource)
225+
}),
226+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
227+
return informers.imageInformers.ForResource(resource)
228+
}),
229+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
230+
return informers.quotaInformers.ForResource(resource)
231+
}),
232+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
233+
return informers.securityInformers.ForResource(resource)
234+
}),
235+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
236+
return informers.templateInformers.ForResource(resource)
237+
}),
238+
informers.externalKubeInformers,
239+
genericInternalResourceInformerFunc(func(resource schema.GroupVersionResource) (kexternalinformers.GenericInformer, error) {
240+
return informers.internalKubeInformers.ForResource(resource)
241+
}),
242+
},
243+
bias: map[schema.GroupVersionResource]schema.GroupVersionResource{
244+
{Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Version: runtime.APIVersionInternal},
245+
{Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Version: runtime.APIVersionInternal},
246+
{Group: "rbac.authorization.k8s.io", Resource: "roles", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "roles", Version: runtime.APIVersionInternal},
247+
{Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Version: "v1beta1"}: {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Version: runtime.APIVersionInternal},
248+
{Group: "", Resource: "securitycontextconstraints", Version: "v1"}: {Group: "", Resource: "securitycontextconstraints", Version: runtime.APIVersionInternal},
249+
},
250+
}
251+
}
252+
253+
func (i genericInformers) ForResource(resource schema.GroupVersionResource) (kinformers.GenericInformer, error) {
254+
if try, ok := i.bias[resource]; ok {
255+
if res, err := i.ForResource(try); err == nil {
256+
return res, nil
257+
}
258+
}
259+
260+
informer, firstErr := i.SharedInformerFactory.ForResource(resource)
261+
if firstErr == nil {
262+
return informer, nil
263+
}
264+
for _, generic := range i.generic {
265+
if informer, err := generic.ForResource(resource); err == nil {
266+
return informer, nil
267+
}
268+
}
269+
glog.V(4).Infof("Couldn't find informer for %v", resource)
270+
return nil, firstErr
271+
}

0 commit comments

Comments
 (0)