From 4ce3907639bbee68e66f589dadeb219602e28f2b Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Fri, 26 May 2017 00:10:00 -0400
Subject: [PATCH] Add Initializers to all admission control paths by default

---
 cluster/centos/config-default.sh | 2 +-
 cluster/gce/config-default.sh | 2 +-
 cluster/gce/config-test.sh | 2 +-
 .../kubernetes-master/reactive/kubernetes_master.py | 1 +
 cluster/libvirt-coreos/util.sh | 2 +-
 .../kubernetes-heat/fragments/configure-salt.yaml | 2 +-
 .../templates/create-dynamic-salt-files.sh | 2 +-
 cluster/vagrant/config-default.sh | 2 +-
 cmd/kubeadm/app/constants/constants.go | 2 +-
 cmd/kubeadm/app/master/manifests_test.go | 8 ++++----
 federation/cluster/common.sh | 2 +-
 federation/pkg/kubefed/init/init.go | 2 +-
 federation/pkg/kubefed/init/init_test.go | 2 +-
 hack/local-up-cluster.sh | 2 +-
 hack/make-rules/test-cmd.sh | 2 +-
 hack/make-rules/test-federation-cmd.sh | 2 +-
 .../doc-yaml/admin/high-availability/kube-apiserver.yaml | 2 +-
 .../coreos/cloud-configs/master.yaml | 2 +-
 test/kubemark/start-kubemark.sh | 2 +-
 19 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh
index d73364c976..c66c839269 100755
--- a/cluster/centos/config-default.sh
+++ b/cluster/centos/config-default.sh
@@ -120,7 +120,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,ResourceQuota"}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,ResourceQuota"}
 
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
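Review bot: `Initializers` is prepended to the default on the `+export ADMISSION_CONTROL` line, but nothing in this hunk enables the `admissionregistration.k8s.io/v1alpha1` API group that the alpha Initializers plugin reads its InitializerConfiguration objects from, and the comment block above the assignment still only explains the ResourceQuota ordering. If that group is not switched on via `--runtime-config` elsewhere in the centos bring-up (not visible from here), the new plugin has no configurations to act on and operators who override `ADMISSION_CONTROL` get no hint that it is a no-op. I would extend the comment: `# Initializers is alpha: it only takes effect when admissionregistration.k8s.io/v1alpha1 is enabled via --runtime-config, and is kept first so initializers are recorded before other plugins mutate the object.` The reason for putting it first is my inference; the commit places it first everywhere but does not say why, so phrase that part as intent rather than fact if it is not the case.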
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index f5470c647f..7b188c045a 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -217,7 +217,7 @@ fi
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
+ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
 
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 5eb9a68af3..1e66722b84 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -247,7 +247,7 @@ if [ ${ENABLE_IP_ALIASES} = true ]; then
 fi
 
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}"
 
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
index fbe2b45af7..226a12d738 100644
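Review bot: With `Initializers` now in the production GCE default on the `+ADMISSION_CONTROL=` line, a single InitializerConfiguration becomes a cluster-wide gate, and neither the hunk nor the commit message records that blast radius. As I understand the alpha plugin, every create of a matching kind is held (and hidden from default list/watch) until the named initializer clears it, so an unavailable or misbehaving initializer controller stalls object creation for the whole cluster, and any principal allowed to create `initializerconfigurations.admissionregistration.k8s.io` can interpose on all of those creates. That is the thing an operator needs to know when pods suddenly stop appearing, and it belongs next to the default rather than in tribal memory. I would add above the assignment: `# Initializers (alpha) holds object creation until every configured initializer completes; restrict who may create InitializerConfigurations and alert on objects stuck with metadata.initializers set.`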
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -791,6 +791,7 @@ def configure_master_services():
 api_opts.add('insecure-port', '8080')
 api_opts.add('storage-backend', 'etcd2') # FIXME: add etcd3 support
 admission_control = [
+ 'Initializers',
 'NamespaceLifecycle',
 'LimitRanger',
 'ServiceAccount',
diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index be4589807d..334557ea93 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -27,7 +27,7 @@ source "$KUBE_ROOT/cluster/common.sh"
 
 export LIBVIRT_DEFAULT_URI=qemu:///system
 export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}
 
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
index 4f526b6f2c..04862affe4 100644
--- a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
+++ b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -57,7 +57,7 @@ write_files:
 dns_domain: cluster.local
 enable_dns_horizontal_autoscaler: "false"
 instance_prefix: kubernetes
- admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
+ admission_control: Initializers,NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
 enable_cpu_cfs_quota: "true"
 network_provider: none
 cluster_cidr: "$cluster_cidr"
diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
index 86af586503..4319f02e3b 100755
--- a/cluster/photon-controller/templates/create-dynamic-salt-files.sh
+++ b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
@@ -122,5 +122,5 @@ dns_domain: $DNS_DOMAIN
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
+admission_control: Initializers,NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
 EOF
diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
index c307b8bd38..7eea6e8e77 100755
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
+ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
 
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING=false
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 13eb5c18cb..862f1b3e4c 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -91,7 +91,7 @@ const (
 MinExternalEtcdVersion = "3.0.14"
 
 // DefaultAdmissionControl specifies the default admission control options that will be used
- DefaultAdmissionControl = "NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds"
+ DefaultAdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds"
 )
 
 var (
diff --git a/cmd/kubeadm/app/master/manifests_test.go b/cmd/kubeadm/app/master/manifests_test.go
index 7b34c3db0d..2fa5d5d091 100644
--- a/cmd/kubeadm/app/master/manifests_test.go
+++ b/cmd/kubeadm/app/master/manifests_test.go
@@ -520,7 +520,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-port=0",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
+ "--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
 "--client-ca-file=" + testCertsDir + "/ca.crt",
@@ -552,7 +552,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-port=0",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
+ "--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
 "--client-ca-file=" + testCertsDir + "/ca.crt",
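Review bot: The rewritten `DefaultAdmissionControl` keeps `ResourceQuota` ahead of `DefaultTolerationSeconds`, while the cluster scripts touched by this same patch carry the comment that ResourceQuota should stay last so quota is not charged for an object a later plugin rejects. DefaultTolerationSeconds only adds tolerations, so the practical exposure today is likely small, but this line is the default kubeadm bakes into real clusters and the rewrite was the natural moment to align it: `DefaultAdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"`, with the four expectations in manifests_test.go changed in lockstep. Separately, the doc comment above it says nothing about Initializers being alpha or about needing the admissionregistration.k8s.io/v1alpha1 group served, and I cannot tell from this hunk whether kubeadm enables that group; a one-line addition to the comment would save the next reader the search.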
@@ -585,7 +585,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-port=0",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
+ "--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
 "--client-ca-file=" + testCertsDir + "/ca.crt",
@@ -620,7 +620,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-port=0",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
+ "--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
 "--client-ca-file=" + testCertsDir + "/ca.crt",
diff --git a/federation/cluster/common.sh b/federation/cluster/common.sh
index ff355d6d5b..37fe14a6ec 100644
--- a/federation/cluster/common.sh
+++ b/federation/cluster/common.sh
@@ -258,7 +258,7 @@ function create-federation-api-objects {
 export FEDERATION_APISERVER_KEY_BASE64="${FEDERATION_APISERVER_KEY_BASE64}"
 
 # Enable the NamespaceLifecycle admission control by default.
- export FEDERATION_ADMISSION_CONTROL="${FEDERATION_ADMISSION_CONTROL:-NamespaceLifecycle}"
+ export FEDERATION_ADMISSION_CONTROL="${FEDERATION_ADMISSION_CONTROL:-Initializers,NamespaceLifecycle}"
 
 for file in federation-etcd-pvc.yaml federation-apiserver-{deployment,secrets}.yaml federation-controller-manager-deployment.yaml; do
 echo "Creating manifest: ${file}"
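Review bot: The comment directly above the changed `export FEDERATION_ADMISSION_CONTROL` still reads `# Enable the NamespaceLifecycle admission control by default.`, but the default it describes is now `Initializers,NamespaceLifecycle`, so the comment is stale as of this hunk. I would change it to `# Enable the Initializers and NamespaceLifecycle admission controls by default.` and, since Initializers is alpha, note there that it needs the admissionregistration.k8s.io/v1alpha1 group served by the federation apiserver, which nothing in this hunk shows being enabled. create-federation-api-objects continues outside the hunk.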
diff --git a/federation/pkg/kubefed/init/init.go b/federation/pkg/kubefed/init/init.go
index 13388216ef..d94a8abd3d 100644
--- a/federation/pkg/kubefed/init/init.go
+++ b/federation/pkg/kubefed/init/init.go
@@ -692,7 +692,7 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
 "--client-ca-file": "/etc/federation/apiserver/ca.crt",
 "--tls-cert-file": "/etc/federation/apiserver/server.crt",
 "--tls-private-key-file": "/etc/federation/apiserver/server.key",
- "--admission-control": "NamespaceLifecycle",
+ "--admission-control": "Initializers,NamespaceLifecycle",
 }
 
 if advertiseAddress != "" {
diff --git a/federation/pkg/kubefed/init/init_test.go b/federation/pkg/kubefed/init/init_test.go
index 765bbad5ff..60a847f3f6 100644
--- a/federation/pkg/kubefed/init/init_test.go
+++ b/federation/pkg/kubefed/init/init_test.go
@@ -869,7 +869,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 fmt.Sprintf("--secure-port=%d", apiServerSecurePort),
 "--tls-cert-file=/etc/federation/apiserver/server.crt",
 "--tls-private-key-file=/etc/federation/apiserver/server.key",
- "--admission-control=NamespaceLifecycle",
+ "--admission-control=Initializers,NamespaceLifecycle",
 fmt.Sprintf("--advertise-address=%s", address),
 }
 
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index f5f5554bba..d5fc8aac09 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
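Review bot: The `"--admission-control"` entry now names `Initializers` for the federation apiserver, but nothing in this hunk or in the matching init_test.go hunk shows that the federation-apiserver binary registers that plugin; an unregistered plugin name is normally a startup failure for an apiserver, which `kubefed init` would surface as a pod that never becomes ready rather than as anything the updated test can catch, since that test only pins the flag string. Worth confirming against the federation-apiserver plugin registration before merging. If it is registered, a short comment on this map entry saying Initializers is alpha and depends on admissionregistration.k8s.io/v1alpha1 being served would help the next reader, because the federation apiserver's runtime-config is not visible here. createAPIServer continues outside the hunk.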
@@ -401,7 +401,7 @@ function start_apiserver {
 fi
 
 # Admission Controllers to invoke prior to persisting objects in cluster
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},ResourceQuota,DefaultStorageClass,DefaultTolerationSeconds
+ ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},ResourceQuota,DefaultStorageClass,DefaultTolerationSeconds
 
 # This is the default dir and filename where the apiserver will generate a self-signed cert
 # which should be able to be used as the CA to verify itself
diff --git a/hack/make-rules/test-cmd.sh b/hack/make-rules/test-cmd.sh
index 9728367e00..a87a8dc088 100755
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@@ -34,7 +34,7 @@ function run_kube_apiserver() {
 kube::log::status "Starting kube-apiserver"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
- ADMISSION_CONTROL="NamespaceLifecycle,LimitRanger,ResourceQuota"
+ ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ResourceQuota"
 
 # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
 AUTHORIZATION_MODE="RBAC,AlwaysAllow"
diff --git a/hack/make-rules/test-federation-cmd.sh b/hack/make-rules/test-federation-cmd.sh
index 45e49a5d30..65e6f6594c 100755
--- a/hack/make-rules/test-federation-cmd.sh
+++ b/hack/make-rules/test-federation-cmd.sh
@@ -34,7 +34,7 @@ function run_federation_apiserver() {
 kube::log::status "Starting federation-apiserver"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
- ADMISSION_CONTROL="NamespaceLifecycle"
+ ADMISSION_CONTROL="Initializers,NamespaceLifecycle"
 
 "${KUBE_OUTPUT_HOSTBIN}/federation-apiserver" \
 --insecure-port="${API_PORT}" \
diff --git a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml
index 33d5cff5cd..6150aa737b 100644
--- a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml
+++ b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml
@@ -11,7 +11,7 @@ spec:
 - /bin/sh
 - -c
 - /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
- --cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+ --cloud-provider=gce --admission-control=Initializers,NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
 --service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
diff --git a/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml b/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
index be82a97f24..bc1ee220e5 100644
--- a/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
+++ b/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
@@ -91,7 +91,7 @@ coreos:
 ExecStart=/opt/bin/kube-apiserver \
 --service-account-key-file=/opt/bin/kube-serviceaccount.key \
 --service-account-lookup=true \
- --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
+ --admission-control=Initializers,NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
 --runtime-config=api/v1 \
 --allow-privileged=true \
 --insecure-bind-address=0.0.0.0 \
diff --git a/test/kubemark/start-kubemark.sh b/test/kubemark/start-kubemark.sh
index f64f48620b..06ae0818b7 100755
--- a/test/kubemark/start-kubemark.sh
+++ b/test/kubemark/start-kubemark.sh
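Review bot: The new `--admission-control=Initializers,...` line in master.yaml sits one line above a visible `--runtime-config=api/v1`, which serves only the core v1 group; the alpha Initializers plugin is driven by InitializerConfiguration objects in `admissionregistration.k8s.io/v1alpha1`, so with this unit file as written I would expect the plugin to have nothing to read (whether the apiserver then merely logs or refuses to start I cannot tell from the hunk). If the intent is a working example, the one-line change is `--runtime-config=api/v1,admissionregistration.k8s.io/v1alpha1 \`. Unrelated to this commit but worth a follow-up for a file people copy: the same unit binds the unauthenticated insecure port on `0.0.0.0`, which is a much larger exposure than anything the admission list controls.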
@@ -70,7 +70,7 @@ SCHEDULER_TEST_ARGS="${SCHEDULER_TEST_ARGS:-}"
 APISERVER_TEST_ARGS="${APISERVER_TEST_ARGS:-}"
 STORAGE_BACKEND="${STORAGE_BACKEND:-}"
 NUM_NODES="${NUM_NODES:-}"
-CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}"
+CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}"
 EOF
 echo "Created the environment file for master."
 }