diff --git a/hack/make-rules/test-cmd.sh b/hack/make-rules/test-cmd.sh index 474cc69d31..b68f1eecad 100755 --- a/hack/make-rules/test-cmd.sh +++ b/hack/make-rules/test-cmd.sh @@ -35,6 +35,7 @@ function run_kube_apiserver() { # Admission Controllers to invoke prior to persisting objects in cluster ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota" + DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook" # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions AUTHORIZATION_MODE="RBAC,AlwaysAllow" @@ -46,6 +47,7 @@ function run_kube_apiserver() { --authorization-mode="${AUTHORIZATION_MODE}" \ --secure-port="${SECURE_API_PORT}" \ --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \ + --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \ --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \ --runtime-config=api/v1 \ --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \ diff --git a/hack/test-update-storage-objects.sh b/hack/test-update-storage-objects.sh index efb20c9795..b568a30850 100755 --- a/hack/test-update-storage-objects.sh +++ b/hack/test-update-storage-objects.sh @@ -46,6 +46,7 @@ RUNTIME_CONFIG="" ETCDCTL=$(which etcdctl) KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl" UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh" +DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass" function startApiServer() { local storage_versions=${1:-""} 
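Review bot: The new `DISABLE_ADMISSION_PLUGINS` assignment in `run_kube_apiserver` (first hunk of hack/make-rules/test-cmd.sh) has no comment explaining why these six plugins are switched off, unlike the `ENABLE_ADMISSION_PLUGINS` and `AUTHORIZATION_MODE` lines around it. Judging from the plugins.go change in this commit, they are plugins that become on by default and that this harness does not configure, so I would add `# Admission plugins that are on by default but are not configured for this test apiserver` above the assignment. The list is maintained by hand and will drift whenever the default-on set in `DefaultOffAdmissionPlugins` changes. The second hunk in this file only passes the variable through as `--disable-admission-plugins`, and the function body continues outside both hunks.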
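Review bot: The `DISABLE_ADMISSION_PLUGINS` value added at the top of hack/test-update-storage-objects.sh does not line up with the default-on set. It disables `NamespaceLifecycle`, which the removed lines in plugins.go show was the only plugin on by default before this commit, and it leaves `DefaultTolerationSeconds` enabled although the list in test-cmd.sh disables it. `DefaultTolerationSeconds` adds tolerations to pods at admission, so it can change what this storage test writes to etcd. If the intent is to run with no default admission, that name looks missing; if the difference is deliberate, a comment such as `# Disable default-on admission plugins so objects are stored unmodified` that spells out the exception would make it reviewable.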
@@ -64,6 +65,7 @@ function startApiServer() { --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \ --etcd-prefix="/${ETCD_PREFIX}" \ --runtime-config="${RUNTIME_CONFIG}" \ + --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \ --cert-dir="${TMPDIR:-/tmp/}" \ --service-cluster-ip-range="10.0.0.0/24" \ --storage-versions="${storage_versions}" \ diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go index 31e83ba51f..f3d50f0379 100644 --- a/pkg/kubeapiserver/options/plugins.go +++ b/pkg/kubeapiserver/options/plugins.go @@ -130,8 +130,17 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver. func DefaultOffAdmissionPlugins() sets.String { - defaultOffPlugins := sets.NewString(AllOrderedPlugins...) - defaultOffPlugins.Delete(lifecycle.PluginName) + defaultOnPlugins := sets.NewString( + lifecycle.PluginName, //NamespaceLifecycle + limitranger.PluginName, //LimitRanger + serviceaccount.PluginName, //ServiceAccount + label.PluginName, //PersistentVolumeLabel + setdefault.PluginName, //DefaultStorageClass + defaulttolerationseconds.PluginName, //DefaultTolerationSeconds + mutatingwebhook.PluginName, //MutatingAdmissionWebhook + validatingwebhook.PluginName, //ValidatingAdmissionWebhook + resourcequota.PluginName, //ResourceQuota + ) - return defaultOffPlugins + return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins) } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go index 7dd0b641c5..80c2204f8b 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go 
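Review bot: `DefaultOffAdmissionPlugins` in pkg/kubeapiserver/options/plugins.go now computes its result by subtracting a hard-coded default-on list from `AllOrderedPlugins`, but the doc comment still only says it returns the off-by-default plugins. The comment should state that a plugin newly added to `AllOrderedPlugins` stays off unless it is also added to this list, so security-relevant plugins outside the list (for example `NodeRestriction`, if it is registered there) remain opt-in for operators. `Difference` silently ignores a default-on name that is absent from `AllOrderedPlugins`, so a stale or unregistered entry would go unnoticed. A unit test asserting the resulting default-on names would catch that, and no such test is visible in this diff. The trailing comments would also read better in gofmt style, `// NamespaceLifecycle`.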
@@ -79,7 +79,7 @@ func NewAdmissionOptions() *AdmissionOptions { // after all the mutating ones, so their relative order in this list // doesn't matter. RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName}, - DefaultOffPlugins: sets.NewString(initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName), + DefaultOffPlugins: sets.NewString(initialization.PluginName), } server.RegisterAllAdmissionPlugins(options.Plugins) return options diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go index c9fb1a928e..71961a8ff0 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go @@ -36,7 +36,7 @@ func TestEnabledPluginNames(t *testing.T) { }{ // scenario 0: check if a call to enabledPluginNames sets expected values. { - expectedPluginNames: []string{"NamespaceLifecycle"}, + expectedPluginNames: []string{"NamespaceLifecycle", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"}, }, // scenario 1: use default off plugins if no specified diff --git a/test/e2e_node/services/apiserver.go b/test/e2e_node/services/apiserver.go index 607824d3df..dc7c0c2bdd 100644 --- a/test/e2e_node/services/apiserver.go +++ b/test/e2e_node/services/apiserver.go @@ -52,6 +52,7 @@ func (a *APIServer) Start() error { } config.ServiceClusterIPRange = *ipnet config.AllowPrivileged = true + config.Admission.GenericAdmission.DisablePlugins = []string{"ServiceAccount"} errCh := make(chan error) go func() { defer close(errCh) diff --git a/test/integration/etcd/etcd_storage_path_test.go b/test/integration/etcd/etcd_storage_path_test.go index 24c44ba62c..0df6490531 100644 --- a/test/integration/etcd/etcd_storage_path_test.go +++ b/test/integration/etcd/etcd_storage_path_test.go 
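Review bot: Reducing `DefaultOffPlugins` to `sets.NewString(initialization.PluginName)` in `NewAdmissionOptions` turns `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` on for every server built on these generic options, not only kube-apiserver, and nothing in the hunk documents the new default. I would add a line to the comment above `RecommendedPluginOrder`, such as `// Webhook admission is on by default; Initializers stays off and must be enabled explicitly.` Servers that relied on the old default will presumably start consulting registered webhook configurations during admission, so the change deserves a release note; whether one exists is not visible here. The function starts outside the hunk.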
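Review bot: `config.Admission.GenericAdmission.DisablePlugins = []string{"ServiceAccount"}` in `(*APIServer).Start` (test/e2e_node/services/apiserver.go) uses a bare string literal and gives no reason for disabling the plugin. The same assignment is added to `startRealMasterOrDie` in test/integration/etcd/etcd_storage_path_test.go. I would add `// ServiceAccount admission is now on by default; this test apiserver is presumably started without the service account machinery it depends on` (wording for the author to confirm) and, if the import is acceptable, use `serviceaccount.PluginName` as plugins.go does. Assigning the slice also replaces any `DisablePlugins` value set earlier on the options, which is only harmless if nothing else populates it. Both function bodies continue outside their hunks.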
@@ -728,13 +728,13 @@ func startRealMasterOrDie(t *testing.T, certDir string) (*allClient, clientv3.KV } kubeAPIServerOptions := options.NewServerRunOptions() - kubeAPIServerOptions.SecureServing.Listener = listener kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir kubeAPIServerOptions.Etcd.StorageConfig.ServerList = []string{framework.GetEtcdURL()} kubeAPIServerOptions.Etcd.DefaultStorageMediaType = runtime.ContentTypeJSON // TODO use protobuf? kubeAPIServerOptions.ServiceClusterIPRange = *defaultServiceClusterIPRange kubeAPIServerOptions.Authorization.Mode = "RBAC" + kubeAPIServerOptions.Admission.GenericAdmission.DisablePlugins = []string{"ServiceAccount"} tunneler, proxyTransport, err := app.CreateNodeDialer(kubeAPIServerOptions) if err != nil {