From e3d58499db08eb053fbd53ecef254f03d6e8e6ba Mon Sep 17 00:00:00 2001
From: derekwaynecarr
Date: Mon, 4 Apr 2016 14:47:44 -0400
Subject: [PATCH] ResourceQuota should be last admission controller
---
 cluster/aws/config-default.sh | 3 ++-
 cluster/aws/config-test.sh | 3 ++-
 cluster/centos/config-default.sh | 3 ++-
 cluster/gce/config-default.sh | 3 ++-
 cluster/gce/config-test.sh | 3 ++-
 cluster/ubuntu/config-default.sh | 3 ++-
 cluster/vagrant/config-default.sh | 1 +
 7 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index d3a240e67a..4ff07ad782 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -134,7 +134,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh
index a0712b7960..3c1b1dfb05 100755
--- a/cluster/aws/config-test.sh
+++ b/cluster/aws/config-test.sh
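Review bot: The comment added in the cluster/aws/config-default.sh hunk misspells "incrementing" as `incremeting` and is phrased conditionally ("If we included ResourceQuota") although the list on the next line always contains it; the same line is copied into the aws/config-test.sh, centos, gce, ubuntu and vagrant hunks of this patch. This comment is the only place the ordering rule is recorded in these files, so I would state it as a rule together with its reason, for example `# ResourceQuota must be the last entry: it increments quota usage, so it should run only after every other admission controller has accepted the request.` The hunk shows only the assignment, so how ADMISSION_CONTROL is consumed is not visible here.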
@@ -120,7 +120,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh
index 116e6f4617..7a2e2dee94 100755
--- a/cluster/centos/config-default.sh
+++ b/cluster/centos/config-default.sh
@@ -41,7 +41,8 @@ export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-"192.168.3.0/24"}
 export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 # Admission Controllers to invoke prior to persisting objects in cluster
-export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index f398e66af3..0733836ad3 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -114,7 +114,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 17b368c746..915df4eb11 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -128,7 +128,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 TARGET_NODE_UTILIZATION="${KUBE_TARGET_NODE_UTILIZATION:-0.7}"
 fi
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,PersistentVolumeLabel}"
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota}"
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh
index f74c022034..f5c6b378e2 100755
--- a/cluster/ubuntu/config-default.sh
+++ b/cluster/ubuntu/config-default.sh
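Review bot: In cluster/gce/config-test.sh the corrected order is only the fallback of `${KUBE_ADMISSION_CONTROL:-…}`, so a caller who sets KUBE_ADMISSION_CONTROL with ResourceQuota in the middle of the list gets no warning and the ordering this commit establishes is silently lost. A one-line check after the assignment would surface that: `[[ "${ADMISSION_CONTROL}" != *ResourceQuota* || "${ADMISSION_CONTROL}" == *ResourceQuota ]] || echo "WARNING: ResourceQuota should be the last admission controller" >&2`. The other six files in this patch hard-code the list, so the check matters most here; whether a later script validates the value cannot be seen from this hunk.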
@@ -67,7 +67,8 @@ export FLANNEL_OTHER_NET_CONFIG
 FLANNEL_OTHER_NET_CONFIG=''
 # Admission Controllers to invoke prior to persisting objects in cluster
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota
 # Path to the config file or directory of files of kubelet
 export KUBELET_CONFIG=${KUBELET_CONFIG:-""}
diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
index dbe40ba91f..710d6a3fed 100755
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@@ -55,6 +55,7 @@ MASTER_USER=vagrant
 MASTER_PASSWD=vagrant
 # Admission Controllers to invoke prior to persisting objects in cluster
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
 ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
 # Optional: Enable node logging.