From 5969f108cf30c6d1156760dc217a5b7d8625cbf2 Mon Sep 17 00:00:00 2001
From: wangdepeng
Date: Fri, 31 May 2024 14:49:28 +0800
Subject: [PATCH] fix: add kube-nest-admission-plugins flag for virtual-cluster operator
Signed-off-by: wangdepeng
(cherry picked from commit 66125dce874c58cef00bbd115e74d42aea007dd7)
---
 cmd/kubenest/operator/app/options/options.go | 6 +++--
 pkg/kubenest/controlplane/apiserver.go | 9 +++++---
 .../apiserver/mainfests_deployment.go | 6 +++++
 pkg/kubenest/tasks/anp.go | 22 ++++++++++---------
 pkg/kubenest/tasks/apiserver.go | 1 +
 5 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/cmd/kubenest/operator/app/options/options.go b/cmd/kubenest/operator/app/options/options.go
index 9f5133566..0a587b3e7 100644
--- a/cmd/kubenest/operator/app/options/options.go
+++ b/cmd/kubenest/operator/app/options/options.go
@@ -24,8 +24,9 @@ type KubernetesOptions struct {
 }
 
 type KubeNestOptions struct {
- ForceDestroy bool
- AnpMode string
+ ForceDestroy bool
+ AnpMode string
+ AdmissionPlugins bool
 }
 
 func NewOptions() *Options {
@@ -55,4 +56,5 @@ func (o *Options) AddFlags(flags *pflag.FlagSet) {
 flags.BoolVar(&o.KosmosJoinController, "kosmos-join-controller", false, "Turn on or off kosmos-join-controller.")
 flags.BoolVar(&o.KubeNestOptions.ForceDestroy, "kube-nest-force-destroy", false, "Force destroy the node.If it set true.If set to true, Kubernetes will not evict the existing nodes on the node when joining nodes to the tenant's control plane, but will instead force destroy.")
 flags.StringVar(&o.KubeNestOptions.AnpMode, "kube-nest-anp-mode", "tcp", "kube-apiserver network proxy mode, must be set to tcp or uds. uds mode the replicas for apiserver should be one, and tcp for multi apiserver replicas.")
+ flags.BoolVar(&o.KubeNestOptions.AdmissionPlugins, "kube-nest-admission-plugins", false, "kube-apiserver network disable-admission-plugins, false for - --disable-admission-plugins=License, true for remove the --disable-admission-plugins=License flag .")
 }
diff --git a/pkg/kubenest/controlplane/apiserver.go b/pkg/kubenest/controlplane/apiserver.go
index 95122f51c..396d5f20d 100644
--- a/pkg/kubenest/controlplane/apiserver.go
+++ b/pkg/kubenest/controlplane/apiserver.go
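Review bot: The help text of the new `kube-nest-admission-plugins` flag is hard to parse and the flag name hides an inverted meaning: per the string, `false` keeps `--disable-admission-plugins=License` on the tenant kube-apiserver and `true` removes it, and the word "network" looks left over from the anp-mode text above it. Because this switch decides whether an admission plugin runs in every virtual control plane, I would spell the two states out, for example `"If true, do not pass --disable-admission-plugins=License to the virtual cluster kube-apiserver; if false (default), the License admission plugin stays disabled."`. The `AdmissionPlugins` field added to `KubeNestOptions` in the first hunk of this file deserves the same explanation as a one-line field comment.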
@@ -8,13 +8,14 @@ import (
 "k8s.io/apimachinery/pkg/util/yaml"
 clientset "k8s.io/client-go/kubernetes"
 
+ "github.com/kosmos.io/kosmos/cmd/kubenest/operator/app/options"
 "github.com/kosmos.io/kosmos/pkg/kubenest/constants"
 "github.com/kosmos.io/kosmos/pkg/kubenest/manifest/controlplane/apiserver"
 "github.com/kosmos.io/kosmos/pkg/kubenest/util"
 )
 
-func EnsureVirtualClusterAPIServer(client clientset.Interface, name, namespace string, portMap map[string]int32) error {
- if err := installAPIServer(client, name, namespace, portMap); err != nil {
+func EnsureVirtualClusterAPIServer(client clientset.Interface, name, namespace string, portMap map[string]int32, opt *options.KubeNestOptions) error {
+ if err := installAPIServer(client, name, namespace, portMap, opt); err != nil {
 return fmt.Errorf("failed to install virtual cluster apiserver, err: %w", err)
 }
 return nil
@@ -28,7 +29,7 @@ func DeleteVirtualClusterAPIServer(client clientset.Interface, name, namespace s
 return nil
 }
 
-func installAPIServer(client clientset.Interface, name, namespace string, portMap map[string]int32) error {
+func installAPIServer(client clientset.Interface, name, namespace string, portMap map[string]int32, opt *options.KubeNestOptions) error {
 imageRepository, imageVersion := util.GetImageMessage()
 clusterIp, err := util.GetEtcdServiceClusterIp(namespace, name+constants.EtcdSuffix, client)
 if err != nil {
@@ -41,6 +42,7 @@ func installAPIServer(client clientset.Interface, name, namespace string, portMa
 Replicas int32
 EtcdListenClientPort int32
 ClusterPort int32
+ AdmissionPlugins bool
 }{
 DeploymentName: fmt.Sprintf("%s-%s", name, "apiserver"),
 Namespace: namespace,
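Review bot: `EnsureVirtualClusterAPIServer` now takes `opt *options.KubeNestOptions` and passes it to `installAPIServer`, which reads `opt.AdmissionPlugins` in the later `@@ -53,6 +55,7 @@` hunk without a nil check, so a nil pointer from any caller ends in a nil-pointer panic instead of an error. The only caller visible in this patch passes `data.KubeNestOpt()` (tasks/apiserver.go), and whether that can return nil is not shown here. A guard at the top of the exported function would keep the failure on the error path: `if opt == nil { return fmt.Errorf("kube-nest options must not be nil") }`. Separately, only one bool is consumed, so passing that bool would spare `pkg/kubenest/controlplane` the new import of a `cmd/` package.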
@@ -53,6 +55,7 @@ func installAPIServer(client clientset.Interface, name, namespace string, portMa
 Replicas: constants.ApiServerReplicas,
 EtcdListenClientPort: constants.ApiServerEtcdListenClientPort,
 ClusterPort: portMap[constants.ApiServerPortKey],
+ AdmissionPlugins: opt.AdmissionPlugins,
 })
 if err != nil {
 return fmt.Errorf("error when parsing virtual cluster apiserver deployment template: %w", err)
diff --git a/pkg/kubenest/manifest/controlplane/apiserver/mainfests_deployment.go b/pkg/kubenest/manifest/controlplane/apiserver/mainfests_deployment.go
index bd76bd505..3a3768e51 100644
--- a/pkg/kubenest/manifest/controlplane/apiserver/mainfests_deployment.go
+++ b/pkg/kubenest/manifest/controlplane/apiserver/mainfests_deployment.go
@@ -90,6 +90,9 @@ spec:
 - --max-mutating-requests-inflight=500
 - --v=4
 - --advertise-address=$(PODIP)
+ {{ if not .AdmissionPlugins }}
+ - --disable-admission-plugins=License
+ {{ end }}
 livenessProbe:
 failureThreshold: 8
 httpGet:
@@ -222,6 +225,9 @@ spec:
 - --v=4
 - --advertise-address=$(PODIP)
 - --egress-selector-config-file=/etc/kubernetes/konnectivity-server-config/{{ .Namespace }}/{{ .Name }}/egress_selector_configuration.yaml
+ {{ if not .AdmissionPlugins }}
+ - --disable-admission-plugins=License
+ {{ end }}
 livenessProbe:
 failureThreshold: 8
 httpGet:
diff --git a/pkg/kubenest/tasks/anp.go b/pkg/kubenest/tasks/anp.go
index 0a6fb2cc3..4914ac168 100644
--- a/pkg/kubenest/tasks/anp.go
+++ b/pkg/kubenest/tasks/anp.go
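Review bot: Nothing in the template says where the `License` admission plugin comes from, in either this `@@ -90,6 +90,9 @@` hunk or the `@@ -222,6 +225,9 @@` one. As far as I know it is not an upstream kube-apiserver plugin, and upstream validates the names given to `--disable-admission-plugins`, so the default path (`.AdmissionPlugins` false) presumably only starts on an apiserver image that registers it. If that is right, a YAML comment above the block in both templates would record it, e.g. `# License is not an upstream admission plugin; set --kube-nest-admission-plugins=true for images that do not register it`. The bare `{{ if not .AdmissionPlugins }}` and `{{ end }}` lines also leave whitespace-only lines in the rendered args list, which `{{- if not .AdmissionPlugins }}` and `{{- end }}` would avoid.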
@@ -70,17 +70,19 @@ func runAnpServer(r workflow.RunData) error {
 portMap := data.HostPortMap()
 // install egress_selector_configuration config map
 egressSelectorConfig, err := util.ParseTemplate(apiserver.EgressSelectorConfiguration, struct {
- Namespace string
- Name string
- AnpMode string
- ProxyServerPort int32
- SvcName string
+ Namespace string
+ Name string
+ AnpMode string
+ ProxyServerPort int32
+ SvcName string
+ AdmissionPlugins bool
 }{
- Namespace: namespace,
- Name: name,
- ProxyServerPort: portMap[constants.ApiServerNetworkProxyServerPortKey],
- SvcName: fmt.Sprintf("%s-konnectivity-server.%s.svc.cluster.local", name, namespace),
- AnpMode: kubeNestOpt.AnpMode,
+ Namespace: namespace,
+ Name: name,
+ ProxyServerPort: portMap[constants.ApiServerNetworkProxyServerPortKey],
+ SvcName: fmt.Sprintf("%s-konnectivity-server.%s.svc.cluster.local", name, namespace),
+ AnpMode: kubeNestOpt.AnpMode,
+ AdmissionPlugins: kubeNestOpt.AdmissionPlugins,
 })
 if err != nil {
 return fmt.Errorf("failed to parse egress_selector_configuration config map template, err: %w", err)
diff --git a/pkg/kubenest/tasks/apiserver.go b/pkg/kubenest/tasks/apiserver.go
index 93f803f47..68be48d74 100644
--- a/pkg/kubenest/tasks/apiserver.go
+++ b/pkg/kubenest/tasks/apiserver.go
@@ -51,6 +51,7 @@ func runVirtualClusterAPIServer(r workflow.RunData) error {
 data.GetName(),
 data.GetNamespace(),
 data.HostPortMap(),
+ data.KubeNestOpt(),
 )
 if err != nil {
 return fmt.Errorf("failed to install virtual cluster apiserver component, err: %w", err)
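Review bot: The `AdmissionPlugins` value added in this `runAnpServer` hunk feeds `apiserver.EgressSelectorConfiguration`, a template this patch does not change. The deployment template that does read `.AdmissionPlugins`, next to `--egress-selector-config-file` in the second hunk of mainfests_deployment.go, is rendered somewhere this diff does not show. If `util.ParseTemplate` is built on `text/template`, executing a template that references a field missing from the data struct is an error, so that render site needs `AdmissionPlugins: kubeNestOpt.AdmissionPlugins` too. Worth confirming it has the field, and dropping it from this struct if the egress selector template never uses it. `runAnpServer` continues beyond the hunk, so the rest of the function is not visible here.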