From 8c0345edcfdbd7798a2a6f78541289d5c8b1ce38 Mon Sep 17 00:00:00 2001
From: chshou
Date: Mon, 22 Jan 2018 11:19:53 -0800
Subject: [PATCH] [Azure] Filters service account secret volume mount for Windows (#60)
* filters the SA secret volume for windows
* make it a map
* bettern go convention
---
 providers/azure/aci.go | 67 ++++++++++++++++++++++++++++++++++--------
 vkubelet/vkubelet.go | 3 ++
 2 files changed, 58 insertions(+), 12 deletions(-)
diff --git a/providers/azure/aci.go b/providers/azure/aci.go
index a1144e430..ca5fa1558 100644
--- a/providers/azure/aci.go
+++ b/providers/azure/aci.go
@@ -9,6 +9,8 @@ import (
 "log"
 "net/http"
 "os"
+ "reflect"
+ "strings"
 "time"
 
 "github.com/virtual-kubelet/virtual-kubelet/manager"
@@ -20,19 +22,22 @@ import (
 "k8s.io/apimachinery/pkg/types"
 )
 
+// The service account secret mount path.
+const serviceAccountSecretMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
+
 // ACIProvider implements the virtual-kubelet provider interface and communicates with Azure's ACI APIs.
 type ACIProvider struct {
- aciClient *aci.Client
- resourceManager *manager.ResourceManager
- resourceGroup string
- region string
- nodeName string
- operatingSystem string
- cpu string
- memory string
- pods string
- internalIP string
- daemonEndpointPort int32
+ aciClient *aci.Client
+ resourceManager *manager.ResourceManager
+ resourceGroup string
+ region string
+ nodeName string
+ operatingSystem string
+ cpu string
+ memory string
+ pods string
+ internalIP string
+ daemonEndpointPort int32
 }
 
 // AuthConfig is the secret returned from an ImageRegistryCredential
@@ -125,6 +130,8 @@ func (p *ACIProvider) CreatePod(pod *v1.Pod) error {
 containerGroup.ContainerGroupProperties.Volumes = volumes
 containerGroup.ContainerGroupProperties.ImageRegistryCredentials = creds
 
+ filterServiceAccountSecretVolume(p.operatingSystem, &containerGroup)
+
 // create ipaddress if containerPort is used
 count := 0
 for _, container := range containers {
@@ -196,7 +203,7 @@ func (p *ACIProvider) GetPod(namespace, name string) (*v1.Pod, error) {
 return containerGroupToPod(cg)
 }
 
-// GetPodLogs returns the logs of a pod by name that is running inside ACI.
+// GetContainerLogs returns the logs of a pod by name that is running inside ACI.
 func (p *ACIProvider) GetContainerLogs(namespace, podName, containerName string, tail int) (string, error) {
 logContent := ""
 cg, err, _ := p.aciClient.GetContainerGroup(p.resourceGroup, fmt.Sprintf("%s-%s", namespace, podName))
@@ -710,3 +717,39 @@ func aciContainerStateToContainerState(cs aci.ContainerState) v1.ContainerState
 },
 }
 }
+
+// Filters service account secret volume for Windows.
+// Service account secret volume gets automatically turned on if not specified otherwise.
+// ACI doesn't support secret volume for Windows, so we need to filter it.
+func filterServiceAccountSecretVolume(osType string, containerGroup *aci.ContainerGroup) {
+ if strings.EqualFold(osType, "Windows") {
+ serviceAccountSecretVolumeName := make(map[string]bool)
+
+ for index, container := range containerGroup.ContainerGroupProperties.Containers {
+ volumeMounts := make([]aci.VolumeMount, 0, len(container.VolumeMounts))
+ for _, volumeMount := range container.VolumeMounts {
+ if !strings.EqualFold(serviceAccountSecretMountPath, volumeMount.MountPath) {
+ volumeMounts = append(volumeMounts, volumeMount)
+ } else {
+ serviceAccountSecretVolumeName[volumeMount.Name] = true
+ }
+ }
+ containerGroup.ContainerGroupProperties.Containers[index].VolumeMounts = volumeMounts
+ }
+
+ if len(serviceAccountSecretVolumeName) == 0 {
+ return
+ }
+
+ log.Printf("Ignoring service account secret volumes '%v' for Windows", reflect.ValueOf(serviceAccountSecretVolumeName).MapKeys())
+
+ volumes := make([]aci.Volume, 0, len(containerGroup.ContainerGroupProperties.Volumes))
+ for _, volume := range containerGroup.ContainerGroupProperties.Volumes {
+ if _, ok := serviceAccountSecretVolumeName[volume.Name]; !ok {
+ volumes = append(volumes, volume)
+ }
+ }
+
+ containerGroup.ContainerGroupProperties.Volumes = volumes
+ }
+}
diff --git a/vkubelet/vkubelet.go b/vkubelet/vkubelet.go
index 23be43fa3..796b1d387 100644
--- a/vkubelet/vkubelet.go
+++ b/vkubelet/vkubelet.go
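Review bot: `filterServiceAccountSecretVolume` deletes a volume from `Volumes` by name as soon as any one container mounted it at `serviceAccountSecretMountPath`, without checking whether another mount still uses it. If a second container mounts the same volume at a different path, that mount is kept while its volume is removed, leaving a dangling reference in the container group. A volume the user deliberately mounted at that path is also dropped as if it were the token secret, with only a `log.Printf` line to show for it. Recording the names of the mounts that are kept and skipping only volumes no remaining mount references closes the first gap, as in the excerpt below. The doc comment should also open with the function name (`// filterServiceAccountSecretVolume removes ...`), and the `reflect.ValueOf(...).MapKeys()` call could give way to a plain slice of names collected next to the map.

```go
func filterServiceAccountSecretVolume(osType string, containerGroup *aci.ContainerGroup) {
	// … unchanged: Windows check and declaration of serviceAccountSecretVolumeName …
	stillMounted := make(map[string]bool)

			// … inside the inner loop, on the branch that keeps a mount …
			volumeMounts = append(volumeMounts, volumeMount)
			stillMounted[volumeMount.Name] = true

	// … unchanged: else branch, VolumeMounts assignment, early return, log line …
	for _, volume := range containerGroup.ContainerGroupProperties.Volumes {
		// Drop a volume only when its service-account mount was removed
		// and no kept mount in any container still refers to it.
		if serviceAccountSecretVolumeName[volume.Name] && !stillMounted[volume.Name] {
			continue
		}
		volumes = append(volumes, volume)
	}
```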
@@ -64,6 +64,9 @@ func New(nodeName, operatingSystem, namespace, kubeConfig, taint, provider, prov rm := manager.NewResourceManager(clientset) daemonEndpointPortEnv := os.Getenv("KUBELET_PORT") + if daemonEndpointPortEnv == "" { + daemonEndpointPortEnv = "10250" + } i64value, err := strconv.ParseInt(daemonEndpointPortEnv, 10, 32) daemonEndpointPort := int32(i64value)
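Review bot: The new default only covers an unset `KUBELET_PORT`; a non-numeric, zero, negative or above-65535 value still reaches `daemonEndpointPort`, because `strconv.ParseInt(daemonEndpointPortEnv, 10, 32)` accepts the whole int32 range and the `err` it returns is not checked in the visible lines. Judging by its name this is the port advertised for the node's kubelet endpoint, so a bad value should fail start-up rather than be registered; a guard after the parse such as `if err != nil || i64value < 1 || i64value > 65535 { /* return an error from New */ }` would do it. The literal `"10250"` would read better as a named constant, e.g. `const defaultKubeletPort = "10250"`. The body of `New` continues outside the hunk, so `err` may already be handled further down.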