Enable StorageObjectInUseProtection by default

StorageObjectInUseProtection plugin of admission controller adds the flag `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` to newly created PVCs or PV. In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed from the PVC or PV by PVC or PV Protection Controller. We are testing this plugin on the e2e tests of "PV Protection" because most setup scripts enable that like: * cluster/centos/config-default.sh: Enabled * cluster/gce/config-default.sh: Enabled * cluster/gce/config-test.sh: Enabled * cluster/kubemark/gce/config-default.sh: Enabled * hack/local-up-cluster.sh: Enabled * cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py: Disabled As we are testing it normally, it is nice to enable the plugin by default.
2019-02-26 18:07:18 +00:00 · 2019-02-26 18:07:18 +00:00 · ede5477697
parent d262343acd
commit ede5477697
3 changed files with 12 additions and 11 deletions
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@ -35,7 +35,7 @@ function run_kube_apiserver() {

  # Admission Controllers to invoke prior to persisting objects in cluster
  ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
-  DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
+  DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,StorageObjectInUseProtection"

  # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
  AUTHORIZATION_MODE="RBAC,AlwaysAllow"
--- a/hack/test-update-storage-objects.sh
+++ b/hack/test-update-storage-objects.sh
@ -45,7 +45,7 @@ RUNTIME_CONFIG=""
 ETCDCTL=$(which etcdctl)
 KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
 UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
-DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass"
+DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass,StorageObjectInUseProtection"

 function startApiServer() {
  local storage_versions=${1:-""}
--- a/pkg/kubeapiserver/options/plugins.go
+++ b/pkg/kubeapiserver/options/plugins.go
@ -137,6 +137,7 @@ func DefaultOffAdmissionPlugins() sets.String {
 		mutatingwebhook.PluginName,              //MutatingAdmissionWebhook
 		validatingwebhook.PluginName,            //ValidatingAdmissionWebhook
 		resourcequota.PluginName,                //ResourceQuota
+		storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
 	)

 	if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {