package start
import (
"io"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/admission"
"k8s.io/kubernetes/pkg/util/sets"
// Admission control plug-ins used by OpenShift
_ "github.com/openshift/origin/pkg/authorization/admission/restrictusers"
_ "github.com/openshift/origin/pkg/build/admission/defaults"
_ "github.com/openshift/origin/pkg/build/admission/jenkinsbootstrapper"
_ "github.com/openshift/origin/pkg/build/admission/overrides"
_ "github.com/openshift/origin/pkg/build/admission/secretinjector"
_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"
_ "github.com/openshift/origin/pkg/image/admission"
_ "github.com/openshift/origin/pkg/image/admission/imagepolicy"
_ "github.com/openshift/origin/pkg/ingress/admission"
_ "github.com/openshift/origin/pkg/project/admission/lifecycle"
_ "github.com/openshift/origin/pkg/project/admission/nodeenv"
_ "github.com/openshift/origin/pkg/project/admission/requestlimit"
_ "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride"
_ "github.com/openshift/origin/pkg/quota/admission/clusterresourcequota"
_ "github.com/openshift/origin/pkg/quota/admission/resourcequota"
_ "github.com/openshift/origin/pkg/quota/admission/runonceduration"
_ "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints"
_ "github.com/openshift/origin/pkg/security/admission"
_ "k8s.io/kubernetes/plugin/pkg/admission/admit"
_ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
_ "k8s.io/kubernetes/plugin/pkg/admission/exec"
_ "k8s.io/kubernetes/plugin/pkg/admission/limitranger"
_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
_ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
_ "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
_ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
_ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
storageclassdefaultadmission "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
imageadmission "github.com/openshift/origin/pkg/image/admission"
imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
quotaadmission "github.com/openshift/origin/pkg/quota/admission/resourcequota"
serviceadmit "github.com/openshift/origin/pkg/service/admission"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
)
var (
	// defaultOnPlugins lists the admission plugins that are started unless the
	// server config explicitly disables them: IsAdmissionPluginActivated consults
	// the config with a default of "enabled" for every name in this set.
	// By name, several entries appear to be policy-enforcing plugins (e.g.
	// "SecurityContextConstraint", serviceadmit.ExternalIPPluginName), so an
	// explicit disable in config removes that enforcement — confirm against each
	// plugin's package before relying on this list as a security inventory.
	defaultOnPlugins = sets.NewString(
		"OriginNamespaceLifecycle",
		"openshift.io/JenkinsBootstrapper",
		"openshift.io/BuildConfigSecretInjector",
		"BuildByStrategy",
		storageclassdefaultadmission.PluginName,
		imageadmission.PluginName,
		lifecycle.PluginName,
		"OriginPodNodeEnvironment",
		"PodNodeSelector",
		serviceadmit.ExternalIPPluginName,
		serviceadmit.RestrictedEndpointsPluginName,
		"LimitRanger",
		"ServiceAccount",
		"SecurityContextConstraint",
		"SCCExecRestrictions",
		"PersistentVolumeLabel",
		"DefaultStorageClass",
		"OwnerReferencesPermissionEnforcement",
		quotaadmission.PluginName,
		"openshift.io/ClusterResourceQuota",
		"openshift.io/IngressAdmission",
	)
	// defaultOffPlugins includes plugins which require explicit configuration to run;
	// if you wire them incorrectly, they may prevent the server from starting.
	// IsAdmissionPluginActivated consults the config with a default of "disabled"
	// for every name in this set.
	defaultOffPlugins = sets.NewString(
		"ProjectRequestLimit",
		"RunOnceDuration",
		"PodNodeConstraints",
		overrideapi.PluginName,
		imagepolicy.PluginName,
		"AlwaysPullImages",
		"ImagePolicyWebhook",
		"openshift.io/RestrictSubjectBindings",
		"LimitPodHardAntiAffinityTopology",
	)
)
// init installs IsAdmissionPluginActivated as the admission package's
// PluginEnabledFn hook. NOTE(review): presumably the kube admission registry
// calls this hook once per configured plugin before starting it — confirm in
// k8s.io/kubernetes/pkg/admission, since this file only performs the assignment.
func init() {
	admission.PluginEnabledFn = IsAdmissionPluginActivated
}
// IsAdmissionPluginActivated reports whether the admission plugin called name
// should be started, given the plugin's config.
//
// Only plugins listed in defaultOnPlugins or defaultOffPlugins are intercepted;
// any other name is reported as active and left to its own plugin to decide.
// For an intercepted plugin the config is parsed with the set's default
// (enabled for defaultOnPlugins, disabled for defaultOffPlugins), and false is
// returned only when that parse succeeds and yields "not enabled". A config
// that fails to parse is treated as "no explicit setting" — the function
// returns true and the actual admission plugin performs its own check — so a
// malformed config never silently turns a default-on plugin off, and never
// turns a default-off plugin on at this layer either.
//
// NOTE(review): config is handed to configlatest.IsAdmissionPluginActivated,
// which presumably consumes the reader; whether the caller re-supplies it to
// the plugin afterwards is not visible here.
func IsAdmissionPluginActivated(name string, config io.Reader) bool {
	var defaultEnabled bool
	switch {
	case defaultOnPlugins.Has(name):
		defaultEnabled = true
	case defaultOffPlugins.Has(name):
		defaultEnabled = false
	default:
		// Not one of ours to intercept: let the plugin itself decide.
		return true
	}

	// A parse error means the config was probably a different type; do not
	// treat it as a decision either way.
	enabled, err := configlatest.IsAdmissionPluginActivated(config, defaultEnabled)
	if err != nil || enabled {
		return true
	}

	if defaultEnabled {
		glog.V(2).Infof("Admission plugin %v is disabled. It will not be started.", name)
	} else {
		glog.V(2).Infof("Admission plugin %v is not enabled. It will not be started.", name)
	}
	return false
}