mirror of https://github.com/k3s-io/k3s
Merge pull request #58567 from hzxuzhonghu/admission-01
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kube-apiserver flag --admission-control is deprecated, use the new --enable-admission-plugins **What this PR does / why we need it**: 1. As #58123 marked the kube-apiserver flag `admission-control` as deprecated, replace it in some places. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ``` /assign @liggitt @deads2k @sttts pull/6/head
commit
9e2878d93c
|
@ -43,7 +43,7 @@ func TestAddFlags(t *testing.T) {
|
|||
s.AddFlags(f)
|
||||
|
||||
args := []string{
|
||||
"--admission-control=AlwaysDeny",
|
||||
"--enable-admission-plugins=AlwaysDeny",
|
||||
"--admission-control-config-file=/admission-control-config",
|
||||
"--advertise-address=192.168.10.10",
|
||||
"--allow-privileged=false",
|
||||
|
@ -111,10 +111,10 @@ func TestAddFlags(t *testing.T) {
|
|||
MinRequestTimeout: 1800,
|
||||
},
|
||||
Admission: &kubeoptions.AdmissionOptions{
|
||||
PluginNames: []string{"AlwaysDeny"},
|
||||
GenericAdmission: &apiserveroptions.AdmissionOptions{
|
||||
RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder,
|
||||
DefaultOffPlugins: s.Admission.GenericAdmission.DefaultOffPlugins,
|
||||
EnablePlugins: []string{"AlwaysDeny"},
|
||||
ConfigFile: "/admission-control-config",
|
||||
Plugins: s.Admission.GenericAdmission.Plugins,
|
||||
},
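Review bot: With `"--admission-control=AlwaysDeny"` replaced in the args list, the visible part of TestAddFlags no longer parses the deprecated flag at all, although the description says it is deprecated rather than removed, and the new `--disable-admission-plugins` flag that the scripts in this commit pass is not exercised either. These flags decide which admission plugins guard the API server, so a regression in how the old flag maps onto the new options would change enforcement without any test failing. I would keep a second case that passes `"--admission-control=AlwaysDeny"` and asserts the resulting admission options, and add a `--disable-admission-plugins` argument with its expected field to this one. TestAddFlags starts and ends outside these hunks, so other cases in the file may already cover part of this.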
|
||||
|
|
|
@ -97,7 +97,8 @@ export KUBE_CACHE_MUTATION_DETECTOR
|
|||
KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-true}"
|
||||
export KUBE_PANIC_WATCH_DECODE_ERROR
|
||||
|
||||
ADMISSION_CONTROL=${ADMISSION_CONTROL:-""}
|
||||
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""}
|
||||
DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:-""}
|
||||
ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:-""}
|
||||
|
||||
# START_MODE can be 'all', 'kubeletonly', or 'nokubelet'
|
||||
|
@ -436,10 +437,8 @@ function start_apiserver {
|
|||
|
||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||
#
|
||||
# ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
|
||||
ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
|
||||
# This is the default dir and filename where the apiserver will generate a self-signed cert
|
||||
# which should be able to be used as the CA to verify itself
|
||||
# The order defined here dose not matter.
|
||||
ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
|
||||
|
||||
audit_arg=""
|
||||
APISERVER_BASIC_AUDIT_LOG=""
|
||||
|
@ -473,14 +472,14 @@ function start_apiserver {
|
|||
priv_arg="--allow-privileged "
|
||||
fi
|
||||
|
||||
if [[ ${ADMISSION_CONTROL} == *"Initializers"* ]]; then
|
||||
if [[ ${ENABLE_ADMISSION_PLUGINS} == *"Initializers"* ]]; then
|
||||
if [[ -n "${RUNTIME_CONFIG}" ]]; then
|
||||
RUNTIME_CONFIG+=","
|
||||
fi
|
||||
RUNTIME_CONFIG+="admissionregistration.k8s.io/v1alpha1"
|
||||
fi
|
||||
|
||||
if [[ ${ADMISSION_CONTROL} == *"PodPreset"* ]]; then
|
||||
if [[ ${ENABLE_ADMISSION_PLUGINS} == *"PodPreset"* ]]; then
|
||||
if [[ -n "${RUNTIME_CONFIG}" ]]; then
|
||||
RUNTIME_CONFIG+=","
|
||||
fi
|
||||
|
@ -548,7 +547,8 @@ function start_apiserver {
|
|||
--client-ca-file="${CERT_DIR}/client-ca.crt" \
|
||||
--service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
|
||||
--service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
|
||||
--admission-control="${ADMISSION_CONTROL}" \
|
||||
--enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
|
||||
--disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
|
||||
--admission-control-config-file="${ADMISSION_CONTROL_CONFIG_FILE}" \
|
||||
--bind-address="${API_BIND_ADDR}" \
|
||||
--secure-port="${API_SECURE_PORT}" \
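Review bot: The new `ENABLE_ADMISSION_PLUGINS` list in start_apiserver no longer names `NamespaceLifecycle`, which the old `ADMISSION_CONTROL` list did, and the only comment beside it ("The order defined here dose not matter") does not say why; the same omission appears in run_kube_apiserver in the next file. Presumably the plugin is now enabled by default, but a reader cannot confirm that from the script. The effective set also depends on `DISABLE_ADMISSION_PLUGINS`, which is taken from the environment and passed straight to `--disable-admission-plugins`. I would replace the comment with `# NamespaceLifecycle is enabled by default and therefore not listed; the order defined here does not matter.` and note next to the `DISABLE_ADMISSION_PLUGINS` default that it can switch off default-on plugins. The `Initializers` and `PodPreset` checks further down test only the enable list, so they would still extend `RUNTIME_CONFIG` for a plugin that the disable list removes.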
|
||||
|
|
|
@ -34,7 +34,7 @@ function run_kube_apiserver() {
|
|||
kube::log::status "Starting kube-apiserver"
|
||||
|
||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||
ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ResourceQuota"
|
||||
ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota"
|
||||
|
||||
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
||||
AUTHORIZATION_MODE="RBAC,AlwaysAllow"
|
||||
|
@ -45,7 +45,7 @@ function run_kube_apiserver() {
|
|||
--insecure-port="${API_PORT}" \
|
||||
--authorization-mode="${AUTHORIZATION_MODE}" \
|
||||
--secure-port="${SECURE_API_PORT}" \
|
||||
--admission-control="${ADMISSION_CONTROL}" \
|
||||
--enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
|
||||
--etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
|
||||
--runtime-config=api/v1 \
|
||||
--storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
|
||||
|
|