mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-06 07:57:35 +00:00
cmd/kube-controller-manager
This commit is contained in:
Chao Xu
@@ -24,8 +24,9 @@ import (
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
apierrors "k8s.io/kubernetes/pkg/api/errors"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/cache"
|
||||
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
||||
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5"
|
||||
clientretry "k8s.io/kubernetes/pkg/client/retry"
|
||||
"k8s.io/kubernetes/pkg/fields"
|
||||
"k8s.io/kubernetes/pkg/registry/core/secret"
|
||||
@@ -91,14 +92,14 @@ func NewTokensController(cl clientset.Interface, options TokensControllerOptions
|
||||
|
||||
e.serviceAccounts, e.serviceAccountController = cache.NewInformer(
|
||||
&cache.ListWatch{
|
||||
ListFunc: func(options api.ListOptions) (runtime.Object, error) {
|
||||
return e.client.Core().ServiceAccounts(api.NamespaceAll).List(options)
|
||||
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
|
||||
return e.client.Core().ServiceAccounts(v1.NamespaceAll).List(options)
|
||||
},
|
||||
WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
|
||||
return e.client.Core().ServiceAccounts(api.NamespaceAll).Watch(options)
|
||||
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
||||
return e.client.Core().ServiceAccounts(v1.NamespaceAll).Watch(options)
|
||||
},
|
||||
},
|
||||
&api.ServiceAccount{},
|
||||
&v1.ServiceAccount{},
|
||||
options.ServiceAccountResync,
|
||||
cache.ResourceEventHandlerFuncs{
|
||||
AddFunc: e.queueServiceAccountSync,
|
||||
@@ -107,19 +108,19 @@ func NewTokensController(cl clientset.Interface, options TokensControllerOptions
|
||||
},
|
||||
)
|
||||
|
||||
tokenSelector := fields.SelectorFromSet(map[string]string{api.SecretTypeField: string(api.SecretTypeServiceAccountToken)})
|
||||
tokenSelector := fields.SelectorFromSet(map[string]string{api.SecretTypeField: string(v1.SecretTypeServiceAccountToken)})
|
||||
e.secrets, e.secretController = cache.NewIndexerInformer(
|
||||
&cache.ListWatch{
|
||||
ListFunc: func(options api.ListOptions) (runtime.Object, error) {
|
||||
options.FieldSelector = tokenSelector
|
||||
return e.client.Core().Secrets(api.NamespaceAll).List(options)
|
||||
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
|
||||
options.FieldSelector = tokenSelector.String()
|
||||
return e.client.Core().Secrets(v1.NamespaceAll).List(options)
|
||||
},
|
||||
WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
|
||||
options.FieldSelector = tokenSelector
|
||||
return e.client.Core().Secrets(api.NamespaceAll).Watch(options)
|
||||
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
||||
options.FieldSelector = tokenSelector.String()
|
||||
return e.client.Core().Secrets(v1.NamespaceAll).Watch(options)
|
||||
},
|
||||
},
|
||||
&api.Secret{},
|
||||
&v1.Secret{},
|
||||
options.SecretResync,
|
||||
cache.ResourceEventHandlerFuncs{
|
||||
AddFunc: e.queueSecretSync,
|
||||
@@ -190,13 +191,13 @@ func (e *TokensController) Run(workers int, stopCh <-chan struct{}) {
|
||||
}
|
||||
|
||||
func (e *TokensController) queueServiceAccountSync(obj interface{}) {
|
||||
if serviceAccount, ok := obj.(*api.ServiceAccount); ok {
|
||||
if serviceAccount, ok := obj.(*v1.ServiceAccount); ok {
|
||||
e.syncServiceAccountQueue.Add(makeServiceAccountKey(serviceAccount))
|
||||
}
|
||||
}
|
||||
|
||||
func (e *TokensController) queueServiceAccountUpdateSync(oldObj interface{}, newObj interface{}) {
|
||||
if serviceAccount, ok := newObj.(*api.ServiceAccount); ok {
|
||||
if serviceAccount, ok := newObj.(*v1.ServiceAccount); ok {
|
||||
e.syncServiceAccountQueue.Add(makeServiceAccountKey(serviceAccount))
|
||||
}
|
||||
}
|
||||
@@ -219,13 +220,13 @@ func (e *TokensController) retryOrForget(queue workqueue.RateLimitingInterface,
|
||||
}
|
||||
|
||||
func (e *TokensController) queueSecretSync(obj interface{}) {
|
||||
if secret, ok := obj.(*api.Secret); ok {
|
||||
if secret, ok := obj.(*v1.Secret); ok {
|
||||
e.syncSecretQueue.Add(makeSecretQueueKey(secret))
|
||||
}
|
||||
}
|
||||
|
||||
func (e *TokensController) queueSecretUpdateSync(oldObj interface{}, newObj interface{}) {
|
||||
if secret, ok := newObj.(*api.Secret); ok {
|
||||
if secret, ok := newObj.(*v1.Secret); ok {
|
||||
e.syncSecretQueue.Add(makeSecretQueueKey(secret))
|
||||
}
|
||||
}
|
||||
@@ -256,7 +257,7 @@ func (e *TokensController) syncServiceAccount() {
|
||||
case sa == nil:
|
||||
// service account no longer exists, so delete related tokens
|
||||
glog.V(4).Infof("syncServiceAccount(%s/%s), service account deleted, removing tokens", saInfo.namespace, saInfo.name)
|
||||
sa = &api.ServiceAccount{ObjectMeta: api.ObjectMeta{Namespace: saInfo.namespace, Name: saInfo.name, UID: saInfo.uid}}
|
||||
sa = &v1.ServiceAccount{ObjectMeta: v1.ObjectMeta{Namespace: saInfo.namespace, Name: saInfo.name, UID: saInfo.uid}}
|
||||
if retriable, err := e.deleteTokens(sa); err != nil {
|
||||
glog.Errorf("error deleting serviceaccount tokens for %s/%s: %v", saInfo.namespace, saInfo.name, err)
|
||||
retry = retriable
|
||||
@@ -328,7 +329,7 @@ func (e *TokensController) syncSecret() {
|
||||
}
|
||||
}
|
||||
|
||||
func (e *TokensController) deleteTokens(serviceAccount *api.ServiceAccount) ( /*retry*/ bool, error) {
|
||||
func (e *TokensController) deleteTokens(serviceAccount *v1.ServiceAccount) ( /*retry*/ bool, error) {
|
||||
tokens, err := e.listTokenSecrets(serviceAccount)
|
||||
if err != nil {
|
||||
// don't retry on cache lookup errors
|
||||
@@ -349,9 +350,9 @@ func (e *TokensController) deleteTokens(serviceAccount *api.ServiceAccount) ( /*
|
||||
}
|
||||
|
||||
func (e *TokensController) deleteToken(ns, name string, uid types.UID) ( /*retry*/ bool, error) {
|
||||
var opts *api.DeleteOptions
|
||||
var opts *v1.DeleteOptions
|
||||
if len(uid) > 0 {
|
||||
opts = &api.DeleteOptions{Preconditions: &api.Preconditions{UID: &uid}}
|
||||
opts = &v1.DeleteOptions{Preconditions: &v1.Preconditions{UID: &uid}}
|
||||
}
|
||||
err := e.client.Core().Secrets(ns).Delete(name, opts)
|
||||
// NotFound doesn't need a retry (it's already been deleted)
|
||||
@@ -364,7 +365,7 @@ func (e *TokensController) deleteToken(ns, name string, uid types.UID) ( /*retry
|
||||
}
|
||||
|
||||
// ensureReferencedToken makes sure at least one ServiceAccountToken secret exists, and is included in the serviceAccount's Secrets list
|
||||
func (e *TokensController) ensureReferencedToken(serviceAccount *api.ServiceAccount) ( /* retry */ bool, error) {
|
||||
func (e *TokensController) ensureReferencedToken(serviceAccount *v1.ServiceAccount) ( /* retry */ bool, error) {
|
||||
if len(serviceAccount.Secrets) > 0 {
|
||||
allSecrets, err := e.listTokenSecrets(serviceAccount)
|
||||
if err != nil {
|
||||
@@ -396,16 +397,16 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *api.ServiceAcco
|
||||
}
|
||||
|
||||
// Build the secret
|
||||
secret := &api.Secret{
|
||||
ObjectMeta: api.ObjectMeta{
|
||||
secret := &v1.Secret{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: secret.Strategy.GenerateName(fmt.Sprintf("%s-token-", serviceAccount.Name)),
|
||||
Namespace: serviceAccount.Namespace,
|
||||
Annotations: map[string]string{
|
||||
api.ServiceAccountNameKey: serviceAccount.Name,
|
||||
api.ServiceAccountUIDKey: string(serviceAccount.UID),
|
||||
v1.ServiceAccountNameKey: serviceAccount.Name,
|
||||
v1.ServiceAccountUIDKey: string(serviceAccount.UID),
|
||||
},
|
||||
},
|
||||
Type: api.SecretTypeServiceAccountToken,
|
||||
Type: v1.SecretTypeServiceAccountToken,
|
||||
Data: map[string][]byte{},
|
||||
}
|
||||
|
||||
@@ -415,10 +416,10 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *api.ServiceAcco
|
||||
// retriable error
|
||||
return true, err
|
||||
}
|
||||
secret.Data[api.ServiceAccountTokenKey] = []byte(token)
|
||||
secret.Data[api.ServiceAccountNamespaceKey] = []byte(serviceAccount.Namespace)
|
||||
secret.Data[v1.ServiceAccountTokenKey] = []byte(token)
|
||||
secret.Data[v1.ServiceAccountNamespaceKey] = []byte(serviceAccount.Namespace)
|
||||
if e.rootCA != nil && len(e.rootCA) > 0 {
|
||||
secret.Data[api.ServiceAccountRootCAKey] = e.rootCA
|
||||
secret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
|
||||
}
|
||||
|
||||
// Save the secret
|
||||
@@ -431,12 +432,12 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *api.ServiceAcco
|
||||
// This prevents the service account update (below) triggering another token creation, if the referenced token couldn't be found in the store
|
||||
e.secrets.Add(createdToken)
|
||||
|
||||
liveServiceAccount.Secrets = append(liveServiceAccount.Secrets, api.ObjectReference{Name: secret.Name})
|
||||
liveServiceAccount.Secrets = append(liveServiceAccount.Secrets, v1.ObjectReference{Name: secret.Name})
|
||||
|
||||
if _, err = serviceAccounts.Update(liveServiceAccount); err != nil {
|
||||
// we weren't able to use the token, try to clean it up.
|
||||
glog.V(2).Infof("deleting secret %s/%s because reference couldn't be added (%v)", secret.Namespace, secret.Name, err)
|
||||
deleteOpts := &api.DeleteOptions{Preconditions: &api.Preconditions{UID: &createdToken.UID}}
|
||||
deleteOpts := &v1.DeleteOptions{Preconditions: &v1.Preconditions{UID: &createdToken.UID}}
|
||||
if deleteErr := e.client.Core().Secrets(createdToken.Namespace).Delete(createdToken.Name, deleteOpts); deleteErr != nil {
|
||||
glog.Error(deleteErr) // if we fail, just log it
|
||||
}
|
||||
@@ -454,20 +455,20 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *api.ServiceAcco
|
||||
return false, nil
|
||||
}
|
||||
|
||||
func (e *TokensController) secretUpdateNeeded(secret *api.Secret) (bool, bool, bool) {
|
||||
caData := secret.Data[api.ServiceAccountRootCAKey]
|
||||
func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool) {
|
||||
caData := secret.Data[v1.ServiceAccountRootCAKey]
|
||||
needsCA := len(e.rootCA) > 0 && bytes.Compare(caData, e.rootCA) != 0
|
||||
|
||||
needsNamespace := len(secret.Data[api.ServiceAccountNamespaceKey]) == 0
|
||||
needsNamespace := len(secret.Data[v1.ServiceAccountNamespaceKey]) == 0
|
||||
|
||||
tokenData := secret.Data[api.ServiceAccountTokenKey]
|
||||
tokenData := secret.Data[v1.ServiceAccountTokenKey]
|
||||
needsToken := len(tokenData) == 0
|
||||
|
||||
return needsCA, needsNamespace, needsToken
|
||||
}
|
||||
|
||||
// generateTokenIfNeeded populates the token data for the given Secret if not already set
|
||||
func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAccount, cachedSecret *api.Secret) ( /* retry */ bool, error) {
|
||||
func (e *TokensController) generateTokenIfNeeded(serviceAccount *v1.ServiceAccount, cachedSecret *v1.Secret) ( /* retry */ bool, error) {
|
||||
// Check the cached secret to see if changes are needed
|
||||
if needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsToken && !needsNamespace {
|
||||
return false, nil
|
||||
@@ -502,11 +503,11 @@ func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAcco
|
||||
|
||||
// Set the CA
|
||||
if needsCA {
|
||||
liveSecret.Data[api.ServiceAccountRootCAKey] = e.rootCA
|
||||
liveSecret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
|
||||
}
|
||||
// Set the namespace
|
||||
if needsNamespace {
|
||||
liveSecret.Data[api.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)
|
||||
liveSecret.Data[v1.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)
|
||||
}
|
||||
|
||||
// Generate the token
|
||||
@@ -515,12 +516,12 @@ func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAcco
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
liveSecret.Data[api.ServiceAccountTokenKey] = []byte(token)
|
||||
liveSecret.Data[v1.ServiceAccountTokenKey] = []byte(token)
|
||||
}
|
||||
|
||||
// Set annotations
|
||||
liveSecret.Annotations[api.ServiceAccountNameKey] = serviceAccount.Name
|
||||
liveSecret.Annotations[api.ServiceAccountUIDKey] = string(serviceAccount.UID)
|
||||
liveSecret.Annotations[v1.ServiceAccountNameKey] = serviceAccount.Name
|
||||
liveSecret.Annotations[v1.ServiceAccountUIDKey] = string(serviceAccount.UID)
|
||||
|
||||
// Save the secret
|
||||
_, err = secrets.Update(liveSecret)
|
||||
@@ -560,7 +561,7 @@ func (e *TokensController) removeSecretReference(saNamespace string, saName stri
|
||||
}
|
||||
|
||||
// Remove the secret
|
||||
secrets := []api.ObjectReference{}
|
||||
secrets := []v1.ObjectReference{}
|
||||
for _, s := range serviceAccount.Secrets {
|
||||
if s.Name != secretName {
|
||||
secrets = append(secrets, s)
|
||||
@@ -575,16 +576,16 @@ func (e *TokensController) removeSecretReference(saNamespace string, saName stri
|
||||
return err
|
||||
}
|
||||
|
||||
func (e *TokensController) getServiceAccount(ns string, name string, uid types.UID, fetchOnCacheMiss bool) (*api.ServiceAccount, error) {
|
||||
func (e *TokensController) getServiceAccount(ns string, name string, uid types.UID, fetchOnCacheMiss bool) (*v1.ServiceAccount, error) {
|
||||
// Look up in cache
|
||||
obj, exists, err := e.serviceAccounts.GetByKey(makeCacheKey(ns, name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if exists {
|
||||
sa, ok := obj.(*api.ServiceAccount)
|
||||
sa, ok := obj.(*v1.ServiceAccount)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("expected *api.ServiceAccount, got %#v", sa)
|
||||
return nil, fmt.Errorf("expected *v1.ServiceAccount, got %#v", sa)
|
||||
}
|
||||
// Ensure UID matches if given
|
||||
if len(uid) == 0 || uid == sa.UID {
|
||||
@@ -611,16 +612,16 @@ func (e *TokensController) getServiceAccount(ns string, name string, uid types.U
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (e *TokensController) getSecret(ns string, name string, uid types.UID, fetchOnCacheMiss bool) (*api.Secret, error) {
|
||||
func (e *TokensController) getSecret(ns string, name string, uid types.UID, fetchOnCacheMiss bool) (*v1.Secret, error) {
|
||||
// Look up in cache
|
||||
obj, exists, err := e.secrets.GetByKey(makeCacheKey(ns, name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if exists {
|
||||
secret, ok := obj.(*api.Secret)
|
||||
secret, ok := obj.(*v1.Secret)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("expected *api.Secret, got %#v", secret)
|
||||
return nil, fmt.Errorf("expected *v1.Secret, got %#v", secret)
|
||||
}
|
||||
// Ensure UID matches if given
|
||||
if len(uid) == 0 || uid == secret.UID {
|
||||
@@ -649,15 +650,15 @@ func (e *TokensController) getSecret(ns string, name string, uid types.UID, fetc
|
||||
|
||||
// listTokenSecrets returns a list of all of the ServiceAccountToken secrets that
|
||||
// reference the given service account's name and uid
|
||||
func (e *TokensController) listTokenSecrets(serviceAccount *api.ServiceAccount) ([]*api.Secret, error) {
|
||||
func (e *TokensController) listTokenSecrets(serviceAccount *v1.ServiceAccount) ([]*v1.Secret, error) {
|
||||
namespaceSecrets, err := e.secrets.ByIndex("namespace", serviceAccount.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
items := []*api.Secret{}
|
||||
items := []*v1.Secret{}
|
||||
for _, obj := range namespaceSecrets {
|
||||
secret := obj.(*api.Secret)
|
||||
secret := obj.(*v1.Secret)
|
||||
|
||||
if serviceaccount.IsServiceAccountToken(secret, serviceAccount) {
|
||||
items = append(items, secret)
|
||||
@@ -669,14 +670,14 @@ func (e *TokensController) listTokenSecrets(serviceAccount *api.ServiceAccount)
|
||||
// serviceAccountNameAndUID is a helper method to get the ServiceAccount Name and UID from the given secret
|
||||
// Returns "","" if the secret is not a ServiceAccountToken secret
|
||||
// If the name or uid annotation is missing, "" is returned instead
|
||||
func serviceAccountNameAndUID(secret *api.Secret) (string, string) {
|
||||
if secret.Type != api.SecretTypeServiceAccountToken {
|
||||
func serviceAccountNameAndUID(secret *v1.Secret) (string, string) {
|
||||
if secret.Type != v1.SecretTypeServiceAccountToken {
|
||||
return "", ""
|
||||
}
|
||||
return secret.Annotations[api.ServiceAccountNameKey], secret.Annotations[api.ServiceAccountUIDKey]
|
||||
return secret.Annotations[v1.ServiceAccountNameKey], secret.Annotations[v1.ServiceAccountUIDKey]
|
||||
}
|
||||
|
||||
func getSecretReferences(serviceAccount *api.ServiceAccount) sets.String {
|
||||
func getSecretReferences(serviceAccount *v1.ServiceAccount) sets.String {
|
||||
references := sets.NewString()
|
||||
for _, secret := range serviceAccount.Secrets {
|
||||
references.Insert(secret.Name)
|
||||
@@ -693,7 +694,7 @@ type serviceAccountQueueKey struct {
|
||||
uid types.UID
|
||||
}
|
||||
|
||||
func makeServiceAccountKey(sa *api.ServiceAccount) interface{} {
|
||||
func makeServiceAccountKey(sa *v1.ServiceAccount) interface{} {
|
||||
return serviceAccountQueueKey{
|
||||
namespace: sa.Namespace,
|
||||
name: sa.Name,
|
||||
@@ -721,13 +722,13 @@ type secretQueueKey struct {
|
||||
saUID types.UID
|
||||
}
|
||||
|
||||
func makeSecretQueueKey(secret *api.Secret) interface{} {
|
||||
func makeSecretQueueKey(secret *v1.Secret) interface{} {
|
||||
return secretQueueKey{
|
||||
namespace: secret.Namespace,
|
||||
name: secret.Name,
|
||||
uid: secret.UID,
|
||||
saName: secret.Annotations[api.ServiceAccountNameKey],
|
||||
saUID: types.UID(secret.Annotations[api.ServiceAccountUIDKey]),
|
||||
saName: secret.Annotations[v1.ServiceAccountNameKey],
|
||||
saUID: types.UID(secret.Annotations[v1.ServiceAccountUIDKey]),
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user