Merge pull request #58567 from hzxuzhonghu/admission-01

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kube-apiserver flag --admision-control is deprecated, use the new --e… …nable-admission-plugins **What this PR does / why we need it**: 1. As #58123 mark kube-apiserver flag `admission-control` deprecated, replace it in some places. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ``` /assign @liggitt @deads2k @sttts
2018-01-30 09:21:38 -08:00 · 2018-01-30 09:21:38 -08:00 · 9e2878d93c
parent e72c6c69bb 0a230fad17
commit 9e2878d93c
3 changed files with 12 additions and 12 deletions
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@ -43,7 +43,7 @@ func TestAddFlags(t *testing.T) {
 	s.AddFlags(f)
 	args := []string{
-		"--admission-control=AlwaysDeny",
+		"--enable-admission-plugins=AlwaysDeny",
 		"--admission-control-config-file=/admission-control-config",
 		"--advertise-address=192.168.10.10",
 		"--allow-privileged=false",
@ -111,10 +111,10 @@ func TestAddFlags(t *testing.T) {
 			MinRequestTimeout:           1800,
 		},
 		Admission: &kubeoptions.AdmissionOptions{
 			PluginNames: []string{"AlwaysDeny"},
 			GenericAdmission: &apiserveroptions.AdmissionOptions{
 				RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder,
 				DefaultOffPlugins:      s.Admission.GenericAdmission.DefaultOffPlugins,
 				EnablePlugins:          []string{"AlwaysDeny"},
 				ConfigFile:             "/admission-control-config",
 				Plugins:                s.Admission.GenericAdmission.Plugins,
 			},
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@ -97,7 +97,8 @@ export KUBE_CACHE_MUTATION_DETECTOR
 KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-true}"
 export KUBE_PANIC_WATCH_DECODE_ERROR
-ADMISSION_CONTROL=${ADMISSION_CONTROL:-""}
+ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""}
 DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:-""}
 ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:-""}
 # START_MODE can be 'all', 'kubeletonly', or 'nokubelet'
@ -436,10 +437,8 @@ function start_apiserver {
    # Admission Controllers to invoke prior to persisting objects in cluster
    #
-    # ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
+    # The order defined here dose not matter.
-    ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
+    ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset
    # This is the default dir and filename where the apiserver will generate a self-signed cert
    # which should be able to be used as the CA to verify itself
    audit_arg=""
    APISERVER_BASIC_AUDIT_LOG=""
@ -473,14 +472,14 @@ function start_apiserver {
      priv_arg="--allow-privileged "
    fi
-    if [[ ${ADMISSION_CONTROL} == *"Initializers"* ]]; then
+    if [[ ${ENABLE_ADMISSION_PLUGINS} == *"Initializers"* ]]; then
        if [[ -n "${RUNTIME_CONFIG}" ]]; then
          RUNTIME_CONFIG+=","
        fi
        RUNTIME_CONFIG+="admissionregistration.k8s.io/v1alpha1"
    fi
-    if [[ ${ADMISSION_CONTROL} == *"PodPreset"* ]]; then
+    if [[ ${ENABLE_ADMISSION_PLUGINS} == *"PodPreset"* ]]; then
        if [[ -n "${RUNTIME_CONFIG}" ]]; then
            RUNTIME_CONFIG+=","
        fi
@ -548,7 +547,8 @@ function start_apiserver {
      --client-ca-file="${CERT_DIR}/client-ca.crt" \
      --service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
      --service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
-      --admission-control="${ADMISSION_CONTROL}" \
+      --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
      --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
      --admission-control-config-file="${ADMISSION_CONTROL_CONFIG_FILE}" \
      --bind-address="${API_BIND_ADDR}" \
      --secure-port="${API_SECURE_PORT}" \
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@ -34,7 +34,7 @@ function run_kube_apiserver() {
  kube::log::status "Starting kube-apiserver"
  # Admission Controllers to invoke prior to persisting objects in cluster
-  ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ResourceQuota"
+  ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota"
  # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
  AUTHORIZATION_MODE="RBAC,AlwaysAllow"
@ -45,7 +45,7 @@ function run_kube_apiserver() {
    --insecure-port="${API_PORT}" \
    --authorization-mode="${AUTHORIZATION_MODE}" \
    --secure-port="${SECURE_API_PORT}" \
-    --admission-control="${ADMISSION_CONTROL}" \
+    --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
    --runtime-config=api/v1 \
    --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \