make external ip ranger admission config based

hack/import-restrictions.json

@@ -618,7 +618,7 @@
       "github.com/openshift/origin/pkg/route/generator",
       "github.com/openshift/origin/pkg/security/apis/security",
       "github.com/openshift/origin/pkg/security/securitycontextconstraints/util",
-      "github.com/openshift/origin/pkg/service/admission",
+      "github.com/openshift/origin/pkg/service/admission/externalipranger",
       "github.com/openshift/origin/pkg/template/apis/template",
       "github.com/openshift/origin/pkg/template/apis/template/validation",
       "github.com/openshift/origin/pkg/template/client/internalversion",

hack/update-generated-deep-copies.sh

@@ -27,6 +27,8 @@ ALL_FQ_APIS=(
     github.com/openshift/origin/pkg/router/f5/testing
     github.com/openshift/origin/pkg/scheduler/admission/apis/podnodeconstraints
     github.com/openshift/origin/pkg/scheduler/admission/apis/podnodeconstraints/v1
+    github.com/openshift/origin/pkg/service/admission/apis/externalipranger
+    github.com/openshift/origin/pkg/service/admission/apis/externalipranger/v1
     github.com/openshift/origin/pkg/service/admission/apis/restrictedendpoints
     github.com/openshift/origin/pkg/service/admission/apis/restrictedendpoints/v1
     github.com/openshift/origin/pkg/template/servicebroker/apis/config

pkg/cmd/openshift-kube-apiserver/cmd.go

@@ -89,7 +89,6 @@ func (o *OpenShiftKubeAPIServerServer) RunAPIServer() error {
 		return err
 	}
 
-	// convert the networkconfig to admissionconfig
 	if err := ConvertNetworkConfigToAdmissionConfig(masterConfig); err != nil {
 		return err
 	}

pkg/cmd/openshift-kube-apiserver/conversion.go

@@ -1,7 +1,10 @@
 package openshift_kube_apiserver
 
 import (
+	"net"
+
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
+	"github.com/openshift/origin/pkg/service/admission/apis/externalipranger"
 	"github.com/openshift/origin/pkg/service/admission/apis/restrictedendpoints"
 )
 
@@ -16,13 +19,24 @@ func ConvertNetworkConfigToAdmissionConfig(masterConfig *configapi.MasterConfig)
 	for _, cidr := range masterConfig.NetworkConfig.ClusterNetworks {
 		restricted = append(restricted, cidr.CIDR)
 	}
-
 	restrictedEndpointConfig := &restrictedendpoints.RestrictedEndpointsAdmissionConfig{
 		RestrictedCIDRs: restricted,
 	}
 	masterConfig.AdmissionConfig.PluginConfig["openshift.io/RestrictedEndpointsAdmission"] = &configapi.AdmissionPluginConfig{
 		Configuration: restrictedEndpointConfig,
 	}
 
+	allowIngressIP := false
+	if _, ipNet, err := net.ParseCIDR(masterConfig.NetworkConfig.IngressIPNetworkCIDR); err == nil && !ipNet.IP.IsUnspecified() {
+		allowIngressIP = true
+	}
+	externalIPRangerAdmissionConfig := &externalipranger.ExternalIPRangerAdmissionConfig{
+		ExternalIPNetworkCIDRs: masterConfig.NetworkConfig.ExternalIPNetworkCIDRs,
+		AllowIngressIP:         allowIngressIP,
+	}
+	masterConfig.AdmissionConfig.PluginConfig["ExternalIPRanger"] = &configapi.AdmissionPluginConfig{
+		Configuration: externalIPRangerAdmissionConfig,
+	}
+
 	return nil
 }

pkg/cmd/server/apis/config/install/install.go

@@ -16,6 +16,7 @@ import (
 	clusterresourceoverrideinstall "github.com/openshift/origin/pkg/quota/apiserver/admission/apis/clusterresourceoverride/install"
 	runoncedurationinstall "github.com/openshift/origin/pkg/quota/apiserver/admission/apis/runonceduration/install"
 	podnodeconstraintsinstall "github.com/openshift/origin/pkg/scheduler/admission/apis/podnodeconstraints/install"
+	externaliprangerinstall "github.com/openshift/origin/pkg/service/admission/apis/externalipranger/install"
 	restrictedendpointsinstall "github.com/openshift/origin/pkg/service/admission/apis/restrictedendpoints/install"
 )
 
@@ -46,4 +47,5 @@ func InstallLegacyInternal(scheme *runtime.Scheme) {
 	runoncedurationinstall.InstallLegacyInternal(scheme)
 	podnodeconstraintsinstall.InstallLegacyInternal(scheme)
 	restrictedendpointsinstall.InstallLegacyInternal(scheme)
+	externaliprangerinstall.InstallLegacyInternal(scheme)
 }

pkg/cmd/server/origin/admission/chain_builder.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"io"
 	"io/ioutil"
-	"net"
 	"os"
 	"reflect"
 
@@ -26,7 +25,7 @@ import (
 	ingressadmission "github.com/openshift/origin/pkg/network/apiserver/admission"
 	overrideapi "github.com/openshift/origin/pkg/quota/apiserver/admission/apis/clusterresourceoverride"
 	"github.com/openshift/origin/pkg/security/apiserver/admission/sccadmission"
-	serviceadmit "github.com/openshift/origin/pkg/service/admission"
+	"github.com/openshift/origin/pkg/service/admission/externalipranger"
 	"github.com/openshift/origin/pkg/service/admission/restrictedendpoints"
 )
 
@@ -75,7 +74,7 @@ var (
 		"OriginPodNodeEnvironment",
 		"PodNodeSelector",
 		overrideapi.PluginName,
-		serviceadmit.ExternalIPPluginName,
+		externalipranger.ExternalIPPluginName,
 		restrictedendpoints.RestrictedEndpointsPluginName,
 		imagepolicy.PluginName,
 		"ImagePolicyWebhook",
@@ -131,7 +130,7 @@ var (
 		"OriginPodNodeEnvironment",
 		"PodNodeSelector",
 		overrideapi.PluginName,
-		serviceadmit.ExternalIPPluginName,
+		externalipranger.ExternalIPPluginName,
 		restrictedendpoints.RestrictedEndpointsPluginName,
 		imagepolicy.PluginName,
 		"ImagePolicyWebhook",
@@ -236,20 +235,6 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, opt
 		)
 
 		switch pluginName {
-		case serviceadmit.ExternalIPPluginName:
-			// this needs to be moved upstream to be part of core config
-			reject, admit, err := serviceadmit.ParseRejectAdmitCIDRRules(options.NetworkConfig.ExternalIPNetworkCIDRs)
-			if err != nil {
-				// should have been caught with validation
-				return nil, err
-			}
-			allowIngressIP := false
-			if _, ipNet, err := net.ParseCIDR(options.NetworkConfig.IngressIPNetworkCIDR); err == nil && !ipNet.IP.IsUnspecified() {
-				allowIngressIP = true
-			}
-			plugin = serviceadmit.NewExternalIPRanger(reject, admit, allowIngressIP)
-			admissionInitializer.Initialize(plugin)
-
 		case saadmit.PluginName:
 			// we need to set some custom parameters on the service account admission controller, so create that one by hand
 			saAdmitter := saadmit.NewServiceAccount()

pkg/cmd/server/origin/admission/config_test.go

@@ -11,7 +11,7 @@ import (
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	overrideapi "github.com/openshift/origin/pkg/quota/apiserver/admission/apis/clusterresourceoverride"
 	"github.com/openshift/origin/pkg/security/apiserver/admission/sccadmission"
-	serviceadmit "github.com/openshift/origin/pkg/service/admission"
+	"github.com/openshift/origin/pkg/service/admission/externalipranger"
 )
 
 // TestAdmissionPluginChains makes sure that the admission plugin lists are coherent.
@@ -64,7 +64,7 @@ var legacyOpenshiftAdmissionPlugins = sets.NewString(
 	"RunOnceDuration",
 	"OriginPodNodeEnvironment",
 	overrideapi.PluginName,
-	serviceadmit.ExternalIPPluginName,
+	externalipranger.ExternalIPPluginName,
 	sccadmission.PluginName,
 	"SCCExecRestrictions",
 	"ResourceQuota",

pkg/cmd/server/origin/admission/register.go

@@ -25,7 +25,6 @@ import (
 	quotarunonceduration "github.com/openshift/origin/pkg/quota/apiserver/admission/runonceduration"
 	schedulerpodnodeconstraints "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints"
 	securityadmission "github.com/openshift/origin/pkg/security/apiserver/admission/sccadmission"
-	serviceadmit "github.com/openshift/origin/pkg/service/admission"
 
 	"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	expandpvcadmission "k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize"
@@ -36,6 +35,7 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 
 	configlatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest"
+	"github.com/openshift/origin/pkg/service/admission/externalipranger"
 	"github.com/openshift/origin/pkg/service/admission/restrictedendpoints"
 )
 
@@ -69,7 +69,7 @@ func registerOpenshiftAdmissionPlugins(plugins *admission.Plugins) {
 	schedulerpodnodeconstraints.Register(plugins)
 	securityadmission.Register(plugins)
 	securityadmission.RegisterSCCExecRestrictions(plugins)
-	serviceadmit.RegisterExternalIP(plugins)
+	externalipranger.RegisterExternalIP(plugins)
 	restrictedendpoints.RegisterRestrictedEndpoints(plugins)
 }
 
@@ -84,7 +84,7 @@ var (
 		"OriginPodNodeEnvironment",
 		"PodNodeSelector",
 		"Priority",
-		serviceadmit.ExternalIPPluginName,
+		externalipranger.ExternalIPPluginName,
 		restrictedendpoints.RestrictedEndpointsPluginName,
 		"LimitRanger",
 		"ServiceAccount",

pkg/cmd/server/start/start_master.go

@@ -449,7 +449,6 @@ func (m *Master) Start() error {
 			etcdserver.RunEtcd(m.config.EtcdConfig)
 		}
 
-		// convert the networkconfig to admissionconfig
 		if err := openshift_kube_apiserver.ConvertNetworkConfigToAdmissionConfig(m.config); err != nil {
 			return err
 		}

pkg/oc/cli/admin/diagnostics/diagnostics/cluster/service_externalip.go

@@ -13,7 +13,7 @@ import (
 	hostdiag "github.com/openshift/origin/pkg/oc/cli/admin/diagnostics/diagnostics/host"
 	"github.com/openshift/origin/pkg/oc/cli/admin/diagnostics/diagnostics/log"
 	"github.com/openshift/origin/pkg/oc/cli/admin/diagnostics/diagnostics/types"
-	"github.com/openshift/origin/pkg/service/admission"
+	"github.com/openshift/origin/pkg/service/admission/externalipranger"
 )
 
 // ServiceExternalIPs is a Diagnostic to check for the services in the cluster
@@ -67,7 +67,7 @@ func (d *ServiceExternalIPs) Check() types.DiagnosticResult {
 	admit, reject := []*net.IPNet{}, []*net.IPNet{}
 	var err error
 	if cidrs := d.masterConfig.NetworkConfig.ExternalIPNetworkCIDRs; cidrs != nil {
-		reject, admit, err = admission.ParseRejectAdmitCIDRRules(cidrs)
+		reject, admit, err = externalipranger.ParseRejectAdmitCIDRRules(cidrs)
 		if err != nil {
 			r.Error("DH2007", err, fmt.Sprintf("Could not parse master config NetworkConfig.ExternalIPNetworkCIDRs: (%[1]T) %[1]v", err))
 			return r
@@ -93,7 +93,7 @@ func (d *ServiceExternalIPs) Check() types.DiagnosticResult {
 			if ip == nil {
 				continue // we don't really care for the purposes of this diagnostic
 			}
-			if admission.NetworkSlice(reject).Contains(ip) || !admission.NetworkSlice(admit).Contains(ip) {
+			if externalipranger.NetworkSlice(reject).Contains(ip) || !externalipranger.NetworkSlice(admit).Contains(ip) {
 				errList = append(errList, fmt.Sprintf("Service %s.%s specifies ExternalIP %s that is not permitted by the master ExternalIPNetworkCIDRs setting.", service.Namespace, service.Name, ipString))
 			}
 		}

pkg/service/admission/apis/externalipranger/doc.go

@@ -0,0 +1,4 @@
+// +k8s:deepcopy-gen=package,register
+
+// Package externalipranger is the internal version of the API.
+package externalipranger

pkg/service/admission/apis/externalipranger/install/install.go

@@ -0,0 +1,14 @@
+package install
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+
+	"github.com/openshift/origin/pkg/service/admission/apis/externalipranger"
+	"github.com/openshift/origin/pkg/service/admission/apis/externalipranger/v1"
+)
+
+func InstallLegacyInternal(scheme *runtime.Scheme) {
+	utilruntime.Must(externalipranger.InstallLegacy(scheme))
+	utilruntime.Must(v1.InstallLegacy(scheme))
+}

pkg/service/admission/apis/externalipranger/register.go

@@ -0,0 +1,20 @@
+package externalipranger
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: runtime.APIVersionInternal}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	InstallLegacy = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ExternalIPRangerAdmissionConfig{},
+	)
+	return nil
+}

pkg/service/admission/apis/externalipranger/types.go

@@ -0,0 +1,20 @@
+package externalipranger
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RestrictedEndpointsAdmissionConfig is the configuration for which CIDRs services can't manage
+type ExternalIPRangerAdmissionConfig struct {
+	metav1.TypeMeta
+
+	// ExternalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no externalIP
+	// may be set. It may contain a list of CIDRs which are checked for access. If a CIDR is prefixed with !, IPs in that
+	// CIDR will be rejected. Rejections will be applied first, then the IP checked against one of the allowed CIDRs. You
+	// should ensure this range does not overlap with your nodes, pods, or service CIDRs for security reasons.
+	ExternalIPNetworkCIDRs []string
+	// AllowIngressIP indicates that ingress IPs should be allowed
+	AllowIngressIP bool
+}

pkg/service/admission/apis/externalipranger/v1/doc.go

@@ -0,0 +1,4 @@
+// +k8s:deepcopy-gen=package,register
+
+// Package v1 is the v1 version of the API.
+package v1

pkg/service/admission/apis/externalipranger/v1/register.go

@@ -0,0 +1,26 @@
+package v1
+
+import (
+	"github.com/openshift/origin/pkg/service/admission/apis/restrictedendpoints"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: "v1"}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(
+		addKnownTypes,
+		restrictedendpoints.InstallLegacy,
+	)
+	InstallLegacy = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ExternalIPRangerAdmissionConfig{},
+	)
+	return nil
+}

pkg/service/admission/apis/externalipranger/v1/types.go

@@ -0,0 +1,20 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ExternalIPRangerAdmissionConfig is the configuration for which CIDRs services can't manage
+type ExternalIPRangerAdmissionConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// ExternalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no externalIP
+	// may be set. It may contain a list of CIDRs which are checked for access. If a CIDR is prefixed with !, IPs in that
+	// CIDR will be rejected. Rejections will be applied first, then the IP checked against one of the allowed CIDRs. You
+	// should ensure this range does not overlap with your nodes, pods, or service CIDRs for security reasons.
+	ExternalIPNetworkCIDRs []string `json:"externalIPNetworkCIDRs"`
+	// AllowIngressIP indicates that ingress IPs should be allowed
+	AllowIngressIP bool `json:"allowIngressIP"`
+}