Merge pull request #3763 from dkhater-redhat/mco-565b

MCO-565: MCO-568: MCO-659: MCO-660 On-cluster build opt-in function, building machine-os-builder stub, RBAC and service acct inclusions

Makefile

@@ -1,5 +1,5 @@
 MCO_COMPONENTS = daemon controller server operator
-EXTRA_COMPONENTS = apiserver-watcher
+EXTRA_COMPONENTS = apiserver-watcher machine-os-builder
 ALL_COMPONENTS = $(patsubst %,machine-config-%,$(MCO_COMPONENTS)) $(EXTRA_COMPONENTS)
 PREFIX ?= /usr
 GO111MODULE?=on

cmd/machine-os-builder/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+)
+
+const componentName = "machine-os-builder"
+
+var (
+	rootCmd = &cobra.Command{
+		Use:   componentName,
+		Short: "Run Machine OS Builder",
+		Long:  "",
+	}
+)
+
+func init() {
+	rootCmd.PersistentFlags().AddGoFlagSet(flag.CommandLine)
+}
+
+func main() {
+	fmt.Println("Hello, World!")
+	<-time.After(876000 * time.Hour)
+}

cmd/machine-os-builder/start.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"flag"
+
+	"github.com/openshift/machine-config-operator/pkg/version"
+	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+)
+
+var (
+	startCmd = &cobra.Command{
+		Use:   "start",
+		Short: "Starts Machine OS Builder",
+		Long:  "",
+		Run:   runStartCmd,
+	}
+
+	startOpts struct {
+		kubeconfig string
+	}
+)
+
+func init() {
+	rootCmd.AddCommand(startCmd)
+	startCmd.PersistentFlags().StringVar(&startOpts.kubeconfig, "kubeconfig", "", "Kubeconfig file to access a remote cluster (testing only)")
+}
+
+func runStartCmd(_ *cobra.Command, _ []string) {
+	flag.Set("logtostderr", "true")
+	flag.Parse()
+
+	klog.V(2).Infof("Options parsed: %+v", startOpts)
+
+	// To help debugging, immediately log version
+	klog.Infof("Version: %+v (%s)", version.Raw, version.Hash)
+
+}

cmd/machine-os-builder/version.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+
+	"github.com/openshift/machine-config-operator/pkg/version"
+	"github.com/spf13/cobra"
+)
+
+var (
+	versionCmd = &cobra.Command{
+		Use:   "version",
+		Short: "Print the version number of Machine OS Builder",
+		Long:  `All software has versions. This is Machine OS Builder's.`,
+		Run:   runVersionCmd,
+	}
+)
+
+func init() {
+	rootCmd.AddCommand(versionCmd)
+}
+
+func runVersionCmd(_ *cobra.Command, _ []string) {
+	flag.Set("logtostderr", "true")
+	flag.Parse()
+
+	program := "MachineConfigController"
+	version := version.Raw + "-" + version.Hash
+
+	fmt.Println(program, version)
+}

manifests/machineosbuilder/clusterrole.yaml

@@ -0,0 +1,66 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: machine-os-builder
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch", "patch"]
+- apiGroups: ["machineconfiguration.openshift.io"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["configmaps", "secrets"]
+  verbs: ["*"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["images", "clusterversions", "featuregates", "nodes", "nodes/status"]
+  verbs: ["*"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["operator.openshift.io"]
+  resources: ["imagecontentsourcepolicies"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["operator.openshift.io"]
+  resources: ["etcds"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["image.openshift.io"]
+  resources: ["images"]
+  verbs: ["get","list","watch","create","update","patch","delete"]
+- apiGroups: ["image.openshift.io"]
+  resources: ["imagestreams"]
+  verbs: ["get","list","watch","create","update","patch","delete"]
+- apiGroups: ["build.openshift.io"]
+  resources: ["builds","buildconfigs","buildconfigs/instantiate"]
+  verbs: ["get","list","watch","create","update","patch","delete"]
+- apiGroups: [""]
+  resources: ["pods/eviction"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["extensions"]
+  resources: ["daemonsets"]
+  verbs: ["get"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  verbs: ["get"]
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - "*"

manifests/machineosbuilder/clusterrolebinding-anyuid.yaml

@@ -0,0 +1,16 @@
+# (zzlotnik): Grant the machine-os-builder service account the ability to start
+# pods with UID 1000 for builds. This allows us to run Buildah in an
+# unprivileged pod for better security than allowing it to run in a privileged
+# pod.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: machine-os-builder-anyuid
+roleRef:
+  name: "system:openshift:scc:anyuid"
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+subjects:
+  - name: machine-os-builder
+    kind: ServiceAccount
+    namespace: "{{.TargetNamespace}}"

manifests/machineosbuilder/clusterrolebinding-service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: machine-os-builder
+roleRef:
+  kind: ClusterRole
+  name: machine-os-builder
+subjects:
+  - kind: ServiceAccount
+    namespace: "{{.TargetNamespace}}"
+    name: machine-os-builder

manifests/machineosbuilder/deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: machine-os-builder
+  namespace: "{{.TargetNamespace}}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: machine-os-builder
+  template:
+    metadata:
+      labels:
+        k8s-app: machine-os-builder
+      annotations:
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+    spec:
+      containers:
+      - name: machine-os-builder
+        image: "{{.Images.MachineConfigOperator}}"
+        command: ["/usr/bin/machine-os-builder"]
+        args:
+        - start
+        - -v4
+      serviceAccountName: machine-os-builder

manifests/machineosbuilder/events-clusterrole.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: machine-os-builder-events
+rules:
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]

manifests/machineosbuilder/events-rolebinding-default.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: machine-os-builder-events
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: machine-os-builder-events
+subjects:
+- kind: ServiceAccount
+  namespace: {{.TargetNamespace}}
+  name: machine-os-builder

manifests/machineosbuilder/events-rolebinding-target.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: machine-os-builder-events
+  namespace: {{.TargetNamespace}}
+roleRef:
+  kind: ClusterRole
+  name: machine-os-builder-events
+subjects:
+- kind: ServiceAccount
+  namespace: {{.TargetNamespace}}
+  name: machine-os-builder

manifests/machineosbuilder/sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{.TargetNamespace}}
+  name: machine-os-builder

pkg/controller/common/constants.go

@@ -39,6 +39,7 @@ const (
 
 	// MachineConfigPoolMaster is the MachineConfigPool name given to the master
 	MachineConfigPoolMaster = "master"
+
 	// MachineConfigPoolWorker is the MachineConfigPool name given to the worker
 	MachineConfigPoolWorker = "worker"
 

pkg/operator/operator.go

@@ -362,6 +362,7 @@ func (optr *Operator) sync(key string) error {
 		{"MachineConfigDaemon", optr.syncMachineConfigDaemon},
 		{"MachineConfigController", optr.syncMachineConfigController},
 		{"MachineConfigServer", optr.syncMachineConfigServer},
+		{"MachineOSBuilder", optr.syncMachineOSBuilder},
 		// this check must always run last since it makes sure the pools are in sync/upgrading correctly
 		{"RequiredPools", optr.syncRequiredMachineConfigPools},
 	}