set default enabled admission plugins by official document

2018-01-23 20:12:10 +08:00 · 2018-01-23 20:12:10 +08:00 · 27f3fd2d79
parent 4327bc92ae
commit 27f3fd2d79
7 changed files with 20 additions and 6 deletions
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@ -35,6 +35,7 @@ function run_kube_apiserver() {

  # Admission Controllers to invoke prior to persisting objects in cluster
  ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota"
+  DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"

  # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
  AUTHORIZATION_MODE="RBAC,AlwaysAllow"
@ -46,6 +47,7 @@ function run_kube_apiserver() {
    --authorization-mode="${AUTHORIZATION_MODE}" \
    --secure-port="${SECURE_API_PORT}" \
    --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
+    --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
    --runtime-config=api/v1 \
    --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
--- a/hack/test-update-storage-objects.sh
+++ b/hack/test-update-storage-objects.sh
@ -46,6 +46,7 @@ RUNTIME_CONFIG=""
 ETCDCTL=$(which etcdctl)
 KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
 UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
+DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass"

 function startApiServer() {
  local storage_versions=${1:-""}
@ -64,6 +65,7 @@ function startApiServer() {
    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
    --etcd-prefix="/${ETCD_PREFIX}" \
    --runtime-config="${RUNTIME_CONFIG}" \
+    --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
    --cert-dir="${TMPDIR:-/tmp/}" \
    --service-cluster-ip-range="10.0.0.0/24" \
    --storage-versions="${storage_versions}" \
--- a/pkg/kubeapiserver/options/plugins.go
+++ b/pkg/kubeapiserver/options/plugins.go
@ -130,8 +130,17 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {

 // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
 func DefaultOffAdmissionPlugins() sets.String {
-	defaultOffPlugins := sets.NewString(AllOrderedPlugins...)
-	defaultOffPlugins.Delete(lifecycle.PluginName)
+	defaultOnPlugins := sets.NewString(
+		lifecycle.PluginName,                //NamespaceLifecycle
+		limitranger.PluginName,              //LimitRanger
+		serviceaccount.PluginName,           //ServiceAccount
+		label.PluginName,                    //PersistentVolumeLabel
+		setdefault.PluginName,               //DefaultStorageClass
+		defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
+		mutatingwebhook.PluginName,          //MutatingAdmissionWebhook
+		validatingwebhook.PluginName,        //ValidatingAdmissionWebhook
+		resourcequota.PluginName,            //ResourceQuota
+	)

-	return defaultOffPlugins
+	return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
 }
--- a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
@ -79,7 +79,7 @@ func NewAdmissionOptions() *AdmissionOptions {
 		// after all the mutating ones, so their relative order in this list
 		// doesn't matter.
 		RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName},
-		DefaultOffPlugins:      sets.NewString(initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName),
+		DefaultOffPlugins:      sets.NewString(initialization.PluginName),
 	}
 	server.RegisterAllAdmissionPlugins(options.Plugins)
 	return options
--- a/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission_test.go
@ -36,7 +36,7 @@ func TestEnabledPluginNames(t *testing.T) {
 	}{
 		// scenario 0: check if a call to enabledPluginNames sets expected values.
 		{
-			expectedPluginNames: []string{"NamespaceLifecycle"},
+			expectedPluginNames: []string{"NamespaceLifecycle", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"},
 		},

 		// scenario 1: use default off plugins if no specified
--- a/test/e2e_node/services/apiserver.go
+++ b/test/e2e_node/services/apiserver.go
@ -52,6 +52,7 @@ func (a *APIServer) Start() error {
 	}
 	config.ServiceClusterIPRange = *ipnet
 	config.AllowPrivileged = true
+	config.Admission.GenericAdmission.DisablePlugins = []string{"ServiceAccount"}
 	errCh := make(chan error)
 	go func() {
 		defer close(errCh)
--- a/test/integration/etcd/etcd_storage_path_test.go
+++ b/test/integration/etcd/etcd_storage_path_test.go
@ -728,13 +728,13 @@ func startRealMasterOrDie(t *testing.T, certDir string) (*allClient, clientv3.KV
 		}

 		kubeAPIServerOptions := options.NewServerRunOptions()
-
 		kubeAPIServerOptions.SecureServing.Listener = listener
 		kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir
 		kubeAPIServerOptions.Etcd.StorageConfig.ServerList = []string{framework.GetEtcdURL()}
 		kubeAPIServerOptions.Etcd.DefaultStorageMediaType = runtime.ContentTypeJSON // TODO use protobuf?
 		kubeAPIServerOptions.ServiceClusterIPRange = *defaultServiceClusterIPRange
 		kubeAPIServerOptions.Authorization.Mode = "RBAC"
+		kubeAPIServerOptions.Admission.GenericAdmission.DisablePlugins = []string{"ServiceAccount"}

 		tunneler, proxyTransport, err := app.CreateNodeDialer(kubeAPIServerOptions)
 		if err != nil {