[Azure] Filters service account secret volume mount for Windows (#60)
* filters the SA secret volume for windows * make it a map * better go convention
@@ -9,6 +9,8 @@ import (
|
|||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
|
"reflect"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/virtual-kubelet/virtual-kubelet/manager"
|
"github.com/virtual-kubelet/virtual-kubelet/manager"
|
||||||
@@ -20,19 +22,22 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// The service account secret mount path.
|
||||||
|
const serviceAccountSecretMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
|
||||||
|
|
||||||
// ACIProvider implements the virtual-kubelet provider interface and communicates with Azure's ACI APIs.
|
// ACIProvider implements the virtual-kubelet provider interface and communicates with Azure's ACI APIs.
|
||||||
type ACIProvider struct {
|
type ACIProvider struct {
|
||||||
aciClient *aci.Client
|
aciClient *aci.Client
|
||||||
resourceManager *manager.ResourceManager
|
resourceManager *manager.ResourceManager
|
||||||
resourceGroup string
|
resourceGroup string
|
||||||
region string
|
region string
|
||||||
nodeName string
|
nodeName string
|
||||||
operatingSystem string
|
operatingSystem string
|
||||||
cpu string
|
cpu string
|
||||||
memory string
|
memory string
|
||||||
pods string
|
pods string
|
||||||
internalIP string
|
internalIP string
|
||||||
daemonEndpointPort int32
|
daemonEndpointPort int32
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthConfig is the secret returned from an ImageRegistryCredential
|
// AuthConfig is the secret returned from an ImageRegistryCredential
|
||||||
@@ -125,6 +130,8 @@ func (p *ACIProvider) CreatePod(pod *v1.Pod) error {
|
|||||||
containerGroup.ContainerGroupProperties.Volumes = volumes
|
containerGroup.ContainerGroupProperties.Volumes = volumes
|
||||||
containerGroup.ContainerGroupProperties.ImageRegistryCredentials = creds
|
containerGroup.ContainerGroupProperties.ImageRegistryCredentials = creds
|
||||||
|
|
||||||
|
filterServiceAccountSecretVolume(p.operatingSystem, &containerGroup)
|
||||||
|
|
||||||
// create ipaddress if containerPort is used
|
// create ipaddress if containerPort is used
|
||||||
count := 0
|
count := 0
|
||||||
for _, container := range containers {
|
for _, container := range containers {
|
||||||
@@ -196,7 +203,7 @@ func (p *ACIProvider) GetPod(namespace, name string) (*v1.Pod, error) {
|
|||||||
return containerGroupToPod(cg)
|
return containerGroupToPod(cg)
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetPodLogs returns the logs of a pod by name that is running inside ACI.
|
// GetContainerLogs returns the logs of a pod by name that is running inside ACI.
|
||||||
func (p *ACIProvider) GetContainerLogs(namespace, podName, containerName string, tail int) (string, error) {
|
func (p *ACIProvider) GetContainerLogs(namespace, podName, containerName string, tail int) (string, error) {
|
||||||
logContent := ""
|
logContent := ""
|
||||||
cg, err, _ := p.aciClient.GetContainerGroup(p.resourceGroup, fmt.Sprintf("%s-%s", namespace, podName))
|
cg, err, _ := p.aciClient.GetContainerGroup(p.resourceGroup, fmt.Sprintf("%s-%s", namespace, podName))
|
||||||
@@ -710,3 +717,39 @@ func aciContainerStateToContainerState(cs aci.ContainerState) v1.ContainerState
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Filters service account secret volume for Windows.
|
||||||
|
// Service account secret volume gets automatically turned on if not specified otherwise.
|
||||||
|
// ACI doesn't support secret volume for Windows, so we need to filter it.
|
||||||
|
func filterServiceAccountSecretVolume(osType string, containerGroup *aci.ContainerGroup) {
|
||||||
|
if strings.EqualFold(osType, "Windows") {
|
||||||
|
serviceAccountSecretVolumeName := make(map[string]bool)
|
||||||
|
|
||||||
|
for index, container := range containerGroup.ContainerGroupProperties.Containers {
|
||||||
|
volumeMounts := make([]aci.VolumeMount, 0, len(container.VolumeMounts))
|
||||||
|
for _, volumeMount := range container.VolumeMounts {
|
||||||
|
if !strings.EqualFold(serviceAccountSecretMountPath, volumeMount.MountPath) {
|
||||||
|
volumeMounts = append(volumeMounts, volumeMount)
|
||||||
|
} else {
|
||||||
|
serviceAccountSecretVolumeName[volumeMount.Name] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
containerGroup.ContainerGroupProperties.Containers[index].VolumeMounts = volumeMounts
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(serviceAccountSecretVolumeName) == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("Ignoring service account secret volumes '%v' for Windows", reflect.ValueOf(serviceAccountSecretVolumeName).MapKeys())
|
||||||
|
|
||||||
|
volumes := make([]aci.Volume, 0, len(containerGroup.ContainerGroupProperties.Volumes))
|
||||||
|
for _, volume := range containerGroup.ContainerGroupProperties.Volumes {
|
||||||
|
if _, ok := serviceAccountSecretVolumeName[volume.Name]; !ok {
|
||||||
|
volumes = append(volumes, volume)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
containerGroup.ContainerGroupProperties.Volumes = volumes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
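Review bot: In `filterServiceAccountSecretVolume`, mounts are dropped by comparing `MountPath` with `serviceAccountSecretMountPath`, but volumes are then dropped by name, so a volume that is also mounted at a different path in another container would be removed from `Volumes` while that second mount stays and refers to a volume that no longer exists. Collecting the names in a first pass and then filtering mounts by name, `if !serviceAccountSecretVolumeName[volumeMount.Name] { volumeMounts = append(volumeMounts, volumeMount) }`, keeps mounts and volumes consistent. The doc comment should start with the function name and state that Windows pods are left without a service account token, since the `log.Printf` line is the only signal an operator gets when in-cluster API calls later fail. Gathering the names into a `[]string` for that log line would also remove the need for the `reflect` import.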
@@ -64,6 +64,9 @@ func New(nodeName, operatingSystem, namespace, kubeConfig, taint, provider, prov
|
|||||||
rm := manager.NewResourceManager(clientset)
|
rm := manager.NewResourceManager(clientset)
|
||||||
|
|
||||||
daemonEndpointPortEnv := os.Getenv("KUBELET_PORT")
|
daemonEndpointPortEnv := os.Getenv("KUBELET_PORT")
|
||||||
|
if daemonEndpointPortEnv == "" {
|
||||||
|
daemonEndpointPortEnv = "10250"
|
||||||
|
}
|
||||||
i64value, err := strconv.ParseInt(daemonEndpointPortEnv, 10, 32)
|
i64value, err := strconv.ParseInt(daemonEndpointPortEnv, 10, 32)
|
||||||
daemonEndpointPort := int32(i64value)
|
daemonEndpointPort := int32(i64value)
|
||||||
|
|
||||||
|
|||||||
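Review bot: The new default covers only an unset `KUBELET_PORT`; a value that is set but is not a usable port still reaches `daemonEndpointPort := int32(i64value)` on the following line, and the hunk does not show `err` from `strconv.ParseInt` being checked before that cast. `ParseInt(daemonEndpointPortEnv, 10, 32)` also accepts negative numbers and values above 65535, so the guard should cover the range as well, for example `if err != nil || i64value < 1 || i64value > 65535` followed by returning an error that names the variable. `New` continues outside the hunk, so an `err` check further down may already handle a parse failure; the range check would still be missing.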