ResourceQuota should be last admission controller

2016-04-04 14:47:44 -04:00 · 2016-04-04 14:47:44 -04:00 · e3d58499db
parent 6ff05bb9e1
commit e3d58499db
7 changed files with 13 additions and 6 deletions
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@ -134,7 +134,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi

 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota

 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
--- a/cluster/aws/config-test.sh
+++ b/cluster/aws/config-test.sh
@ -120,7 +120,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi

 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota

 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
--- a/cluster/centos/config-default.sh
+++ b/cluster/centos/config-default.sh
@ -41,7 +41,8 @@ export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-"192.168.3.0/24"}
 export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}

 # Admission Controllers to invoke prior to persisting objects in cluster
-export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota

 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -114,7 +114,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
 fi

 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,PersistentVolumeLabel
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota

 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -128,7 +128,8 @@ if [[ "${ENABLE_NODE_AUTOSCALER}" == "true" ]]; then
  TARGET_NODE_UTILIZATION="${KUBE_TARGET_NODE_UTILIZATION:-0.7}"
 fi

-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,PersistentVolumeLabel}"
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota}"

 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
--- a/cluster/ubuntu/config-default.sh
+++ b/cluster/ubuntu/config-default.sh
@ -67,7 +67,8 @@ export FLANNEL_OTHER_NET_CONFIG
 FLANNEL_OTHER_NET_CONFIG=''

 # Admission Controllers to invoke prior to persisting objects in cluster
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota

 # Path to the config file or directory of files of kubelet
 export KUBELET_CONFIG=${KUBELET_CONFIG:-""}
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@ -55,6 +55,7 @@ MASTER_USER=vagrant
 MASTER_PASSWD=vagrant

 # Admission Controllers to invoke prior to persisting objects in cluster
+# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
 ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota

 # Optional: Enable node logging.