diff --git a/pkg/cmd/server/origin/admission/chain_builder.go b/pkg/cmd/server/origin/admission/chain_builder.go
index 13fecaeece72..9f82a310b4cd 100644
--- a/pkg/cmd/server/origin/admission/chain_builder.go
+++ b/pkg/cmd/server/origin/admission/chain_builder.go
@@ -11,6 +11,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/admission"
+ admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
 "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 noderestriction "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
@@ -245,11 +246,12 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, opt
 admissionInitializer.Initialize(plugin)
 default:
- pluginsConfigProvider, err := admission.ReadAdmissionConfiguration([]string{pluginName}, admissionConfigFilename)
+ // TODO this needs to be refactored to use the admission scheme we created upstream. I think this holds us for the rebase.
+ pluginsConfigProvider, err := admission.ReadAdmissionConfiguration([]string{pluginName}, admissionConfigFilename, configapi.Scheme)
 if err != nil {
 return nil, err
 }
- plugin, err = OriginAdmissionPlugins.NewFromPlugins([]string{pluginName}, pluginsConfigProvider, admissionInitializer)
+ plugin, err = OriginAdmissionPlugins.NewFromPlugins([]string{pluginName}, pluginsConfigProvider, admissionInitializer, admissionmetrics.WithControllerMetrics)
 if err != nil {
 // should have been caught with validation
 return nil, err
diff --git a/pkg/cmd/server/origin/admission/plugin_initializer.go b/pkg/cmd/server/origin/admission/plugin_initializer.go
index 3dd48a9f3324..a015156c84c8 100644
--- a/pkg/cmd/server/origin/admission/plugin_initializer.go
+++ b/pkg/cmd/server/origin/admission/plugin_initializer.go
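Review bot: The TODO added above `pluginsConfigProvider` in the `default:` branch names neither what "the admission scheme we created upstream" is nor what should replace `configapi.Scheme`, so the next person cannot act on it. I would reword it as `// TODO: decode per-plugin configuration through the upstream admission scheme instead of configapi.Scheme; passing configapi.Scheme here is a stopgap to get through the rebase.` It may also be worth a word on why this call site uses `configapi.Scheme` while plugin_initializer.go in the same commit hands `legacyscheme.Scheme` to `initializer.New` — presumably the two serve different purposes (config decoding versus object scheme), but the hunk does not say so. newAdmissionChain starts and ends outside this hunk.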
@@ -26,19 +26,22 @@ import (
 templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/admission"
 "k8s.io/apiserver/pkg/admission/initializer"
+ webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
+ webhookinitializer "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericapiserver "k8s.io/apiserver/pkg/server"
 "k8s.io/client-go/discovery"
 cacheddiscovery "k8s.io/client-go/discovery/cached"
 kexternalinformers "k8s.io/client-go/informers"
 kubeclientgoinformers "k8s.io/client-go/informers"
- kclientsetexternal "k8s.io/client-go/kubernetes"
 kubeclientgoclient "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
+ "k8s.io/kubernetes/pkg/api/legacyscheme"
 kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
@@ -68,10 +71,6 @@ func NewPluginInitializer(
 if err != nil {
 return nil, nil, err
 }
- kubeExternalClient, err := kclientsetexternal.NewForConfig(privilegedLoopbackConfig)
- if err != nil {
- return nil, nil, err
- }
 kubeClientGoClientSet, err := kubeclientgoclient.NewForConfig(privilegedLoopbackConfig)
 if err != nil {
 return nil, nil, err
@@ -138,25 +137,30 @@ func NewPluginInitializer(
 }
 }
 // note: we are passing a combined quota registry here...
- genericInitializer, err := initializer.New(kubeClientGoClientSet, informers.GetClientGoKubeInformers(), authorizer)
- if err != nil {
- return nil, nil, err
- }
+ genericInitializer := initializer.New(
+ kubeClientGoClientSet,
+ informers.GetClientGoKubeInformers(),
+ authorizer,
+ legacyscheme.Scheme,
+ )
 kubePluginInitializer := kadmission.NewPluginInitializer(
 kubeInternalClient,
- kubeExternalClient,
 informers.GetInternalKubeInformers(),
- authorizer,
 cloudConfig,
 restMapper,
- quotaRegistry)
- // upstream broke this, so we can't use their mechanism. We need to get an actual client cert and practically speaking privileged loopback will always have one
- kubePluginInitializer.SetClientCert(privilegedLoopbackConfig.TLSClientConfig.CertData, privilegedLoopbackConfig.TLSClientConfig.KeyData)
- // this is a really problematic thing, because it breaks DNS resolution and IP routing, but its for an alpha feature that
- // I need to work cluster-up
- kubePluginInitializer.SetServiceResolver(aggregatorapiserver.NewClusterIPServiceResolver(
- informers.GetClientGoKubeInformers().Core().V1().Services().Lister(),
- ))
+ generic.NewConfiguration(quotaRegistry.List(), map[schema.GroupResource]struct{}{}))
+
+ webhookInitializer := webhookinitializer.NewPluginInitializer(
+ func(delegate webhookconfig.AuthenticationInfoResolver) webhookconfig.AuthenticationInfoResolver {
+ return webhookconfig.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) {
+ if server == "kubernetes.default.svc" {
+ return rest.CopyConfig(privilegedLoopbackConfig), nil
+ }
+ return delegate.ClientConfigFor(server)
+ })
+ },
+ aggregatorapiserver.NewClusterIPServiceResolver(informers.GetClientGoKubeInformers().Core().V1().Services().Lister()),
+ )
 openshiftPluginInitializer := &oadmission.PluginInitializer{
 OpenshiftInternalAuthorizationClient: authorizationClient,
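Review bot: The resolver closure passed to `webhookinitializer.NewPluginInitializer` returns `rest.CopyConfig(privilegedLoopbackConfig)` for any webhook whose server string is exactly `"kubernetes.default.svc"`, which hands the apiserver's own privileged loopback credentials to that connection, and nothing in the hunk records why that is acceptable or that the exact string compare is the entire trust boundary. I would put a comment above the closure along the lines of `// A webhook addressed to kubernetes.default.svc is the apiserver itself, so it gets the privileged loopback config (loopback client cert/token); every other server goes through the delegate. The exact-match compare is what keeps this credential scoped to that single host.` Presumably the webhook client overrides Host on the returned config with the resolved service address; if it does not, the loopback Host would be used instead of the resolved ClusterIP — worth confirming. The removed comment about `NewClusterIPServiceResolver` breaking DNS resolution and IP routing described a caveat that still applies to the resolver now passed as the second argument, so that explanation should be carried over rather than dropped. NewPluginInitializer starts and ends outside this hunk.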
@@ -178,7 +182,7 @@ func NewPluginInitializer(
 UserInformers: informers.GetUserInformers(),
 }
- return admission.PluginInitializers{genericInitializer, kubePluginInitializer, openshiftPluginInitializer},
+ return admission.PluginInitializers{genericInitializer, webhookInitializer, kubePluginInitializer, openshiftPluginInitializer},
 func(context genericapiserver.PostStartHookContext) error {
 restMapper.Reset()
 go func() {