From 0a230fad17ee6e0b531c990d7297b4cc3637eb36 Mon Sep 17 00:00:00 2001
From: hzxuzhonghu
Date: Sat, 20 Jan 2018 16:57:51 +0800
Subject: [PATCH] kube-apiserver flag --admision-control is deprecated, use the new --enable-admission-plugins
---
 cmd/kube-apiserver/app/options/options_test.go | 4 ++--
 hack/local-up-cluster.sh | 16 ++++++++--------
 hack/make-rules/test-cmd.sh | 4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 5b7c9f2aac..38d95b4c04 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -43,7 +43,7 @@ func TestAddFlags(t *testing.T) {
 s.AddFlags(f)
 args := []string{
- "--admission-control=AlwaysDeny",
+ "--enable-admission-plugins=AlwaysDeny",
 "--admission-control-config-file=/admission-control-config",
 "--advertise-address=192.168.10.10",
 "--allow-privileged=false",
@@ -111,10 +111,10 @@ func TestAddFlags(t *testing.T) {
 MinRequestTimeout: 1800,
 },
 Admission: &kubeoptions.AdmissionOptions{
- PluginNames: []string{"AlwaysDeny"},
 GenericAdmission: &apiserveroptions.AdmissionOptions{
 RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder,
 DefaultOffPlugins: s.Admission.GenericAdmission.DefaultOffPlugins,
+ EnablePlugins: []string{"AlwaysDeny"},
 ConfigFile: "/admission-control-config",
 Plugins: s.Admission.GenericAdmission.Plugins,
 },
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 0d48496d47..f8512bd92e 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
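Review bot: With `"--admission-control=AlwaysDeny"` replaced in the `args` slice of TestAddFlags (options_test.go, hunk at -43), nothing visible in this patch still parses the deprecated flag, and the hunk at -111 drops the matching `PluginNames` expectation. The subject says the flag is deprecated rather than removed, so operators will presumably keep passing it for a while, and a regression in the legacy path would change which admission plugins an API server runs without any test failing. I would keep a second, small case that passes `--admission-control=AlwaysDeny` and asserts `PluginNames: []string{"AlwaysDeny"}`, to be deleted together with the flag. TestAddFlags begins and ends outside both hunks, so existing coverage elsewhere in the file cannot be ruled out.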
@@ -97,7 +97,8 @@ export KUBE_CACHE_MUTATION_DETECTOR
 KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-true}"
 export KUBE_PANIC_WATCH_DECODE_ERROR
-ADMISSION_CONTROL=${ADMISSION_CONTROL:-""}
+ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""}
+DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:-""}
 ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:-""}
 # START_MODE can be 'all', 'kubeletonly', or 'nokubelet'
@@ -436,10 +437,8 @@ function start_apiserver {
 # Admission Controllers to invoke prior to persisting objects in cluster
 #
- # ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
- ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
- # This is the default dir and filename where the apiserver will generate a self-signed cert
- # which should be able to be used as the CA to verify itself
+ # The order defined here dose not matter.
+ ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
 audit_arg=""
 APISERVER_BASIC_AUDIT_LOG=""
@@ -473,14 +472,14 @@ function start_apiserver {
 priv_arg="--allow-privileged "
 fi
- if [[ ${ADMISSION_CONTROL} == *"Initializers"* ]]; then
+ if [[ ${ENABLE_ADMISSION_PLUGINS} == *"Initializers"* ]]; then
 if [[ -n "${RUNTIME_CONFIG}" ]]; then
 RUNTIME_CONFIG+=","
 fi
 RUNTIME_CONFIG+="admissionregistration.k8s.io/v1alpha1"
 fi
- if [[ ${ADMISSION_CONTROL} == *"PodPreset"* ]]; then
+ if [[ ${ENABLE_ADMISSION_PLUGINS} == *"PodPreset"* ]]; then
 if [[ -n "${RUNTIME_CONFIG}" ]]; then
 RUNTIME_CONFIG+=","
 fi
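Review bot: `DISABLE_ADMISSION_PLUGINS` is introduced in the hunk at -97 of hack/local-up-cluster.sh without a comment, and the hunk at -548 forwards it to `--disable-admission-plugins` unconditionally, so a value inherited from the caller's environment can switch admission plugins off for the local cluster with no trace in the script's output. How the apiserver resolves a name that appears in both lists is not visible here, so this may also reach the policy plugins that `${security_admission}` adds in the hunk at -436. I would document the variable next to its declaration, e.g. `# DISABLE_ADMISSION_PLUGINS: comma-separated admission plugins to turn off; leave empty to keep the apiserver defaults`, and print it at startup when it is non-empty. The `ENABLE_ADMISSION_PLUGINS` default set here also appears to be overwritten by the plain assignment in the -436 hunk, so only the disable variable is really caller-controlled; if that asymmetry is intended, say so in the same comment.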
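Review bot: The replacement comment `# The order defined here dose not matter.` (hack/local-up-cluster.sh, hunk at -436) has a typo and gives no reason, while the list below it no longer names `NamespaceLifecycle`; the hunk at -34 in hack/make-rules/test-cmd.sh drops it the same way. That presumably relies on the apiserver enabling it by default and ordering plugins itself, but a reader comparing the old and new lists will see an admission plugin disappear; I would write `# Order does not matter here: the apiserver applies its own recommended plugin order.` and `# NamespaceLifecycle is omitted because it is on by default (confirm); list only plugins that are off by default.` The hunk also deletes the two-line comment about the self-signed cert directory, which does not look related to admission control and may describe code just below the visible context, so it is worth checking that the removal was intended. start_apiserver starts and ends outside the hunk.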
@@ -548,7 +547,8 @@ function start_apiserver {
 --client-ca-file="${CERT_DIR}/client-ca.crt" \
 --service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
 --service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
- --admission-control="${ADMISSION_CONTROL}" \
+ --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
+ --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
 --admission-control-config-file="${ADMISSION_CONTROL_CONFIG_FILE}" \
 --bind-address="${API_BIND_ADDR}" \
 --secure-port="${API_SECURE_PORT}" \
diff --git a/hack/make-rules/test-cmd.sh b/hack/make-rules/test-cmd.sh
index a690081e82..474cc69d31 100755
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@@ -34,7 +34,7 @@ function run_kube_apiserver() {
 kube::log::status "Starting kube-apiserver"
 # Admission Controllers to invoke prior to persisting objects in cluster
- ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ResourceQuota"
+ ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota"
 # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
 AUTHORIZATION_MODE="RBAC,AlwaysAllow"
@@ -45,7 +45,7 @@ function run_kube_apiserver() {
 --insecure-port="${API_PORT}" \
 --authorization-mode="${AUTHORIZATION_MODE}" \
 --secure-port="${SECURE_API_PORT}" \
- --admission-control="${ADMISSION_CONTROL}" \
+ --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
 --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
 --runtime-config=api/v1 \
 --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \