Fix setting admission plugins on local-up-cluster.sh #69243
Conversation
/ok-to-test
/assign @dims
hack/local-up-cluster.sh
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""} | ||
# Default list of admission Controllers to invoke prior to persisting objects in cluster | ||
# The order defined here does not matter. | ||
DEFAULT_ENABLE_ADMISSION_PLUGINS="LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection" |
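Review bot: the fallback on L15 is the empty string, while the DEFAULT_ENABLE_ADMISSION_PLUGINS list it is meant to fall back to is only defined afterwards on L18, so an unset ENABLE_ADMISSION_PLUGINS never picks up the defaults at this point and depends on some later line to do it. Suggest defining the default list first and writing `ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-${DEFAULT_ENABLE_ADMISSION_PLUGINS}}`, so the variable holds the effective list from here on. The comment on L16 should also say which list is being described (the default list, not the user override).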
the default on plugins are defined in:
kubernetes/pkg/kubeapiserver/options/plugins.go
Lines 132 to 142 in 72dd54e

```go
defaultOnPlugins := sets.NewString(
	lifecycle.PluginName,                // NamespaceLifecycle
	limitranger.PluginName,              // LimitRanger
	serviceaccount.PluginName,           // ServiceAccount
	setdefault.PluginName,               // DefaultStorageClass
	resize.PluginName,                   // PersistentVolumeClaimResize
	defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
	mutatingwebhook.PluginName,          // MutatingAdmissionWebhook
	validatingwebhook.PluginName,        // ValidatingAdmissionWebhook
	resourcequota.PluginName,            // ResourceQuota
)
```

so we can trim the list, amiright?
The only plugin that is in the list but not in the default on plugins list is StorageObjectInUseProtection, which according to the cli feature gates docs is enabled by default.
Regardless of the above, as a user using local-up-cluster.sh I would expect that the default plugins are loaded unless I specify additional plugins using ENABLE_ADMISSION_PLUGINS (or disable plugins using DISABLE_ADMISSION_PLUGINS).
WDYT?
# Admission Controllers to invoke prior to persisting objects in cluster | ||
# | ||
# The order defined here dose not matter. | ||
ENABLE_ADMISSION_PLUGINS=LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection |
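Review bot: L47 assigns a fixed list to ENABLE_ADMISSION_PLUGINS unconditionally, which discards whatever the user exported and is exactly the override described in the PR body; only the ${security_admission} suffix is specific to this point in the script. Suggest keeping just the suffix here, e.g. `ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-${DEFAULT_ENABLE_ADMISSION_PLUGINS}}${security_admission}`, and documenting that ${security_admission} carries its own leading comma, since L47 inserts it directly after ServiceAccount with no separator. Also, "dose" on L46 should read "does".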
what about removing L106 and changing this line to
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""}${security_admission}
I've removed the additional DEFAULT_ variable but left (and updated) the list to match the recommended defaults from the docs.
It is my understanding that if --enable-admission-plugins is passed with an empty value/list, no plugins will be loaded.
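The thread above is about one shell pattern: fall back to a default admission list only when the user has not exported ENABLE_ADMISSION_PLUGINS, append the script's own security suffix, and honor DISABLE_ADMISSION_PLUGINS instead of reassigning the list unconditionally later. The function below is an added example of that merge, not code from hack/local-up-cluster.sh; the default list is the one quoted in this PR, the `effective_admission_list` name and the `SampleSecurityPlugin` suffix value are constructed for illustration, and the enable/disable semantics are this example's own, not a claim about how kube-apiserver resolves its flags.

```shell
#!/bin/sh
# Added example: compute the effective admission plugin list so that the
# user's ENABLE_ADMISSION_PLUGINS / DISABLE_ADMISSION_PLUGINS are honored.
# Not the project's code; names and sample values are constructed.

# Default list as quoted in this PR thread.
DEFAULT_ENABLE_ADMISSION_PLUGINS="LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection"

# $1: user's ENABLE list (empty means "use the defaults")
# $2: user's DISABLE list (comma separated, may be empty)
# $3: script-specific suffix, carrying its own leading comma, e.g. ",SampleSecurityPlugin"
# Prints the merged, de-duplicated, comma separated list in input order.
effective_admission_list() {
  enable="${1:-$DEFAULT_ENABLE_ADMISSION_PLUGINS}"   # the ${VAR:-default} pattern
  disable="${2:-}"
  security_admission="${3:-}"
  out=""
  IFS=','
  for p in ${enable}${security_admission}; do
    [ -n "$p" ] || continue            # tolerate empty fields from stray commas
    skip=0
    for d in $disable; do              # drop anything explicitly disabled
      [ "$p" = "$d" ] && skip=1
    done
    case ",$out," in *",$p,"*) skip=1 ;; esac   # drop duplicates
    [ "$skip" = 0 ] && out="${out:+$out,}$p"
  done
  unset IFS
  printf '%s\n' "$out"
}
```

Calling `effective_admission_list "" "" ""` yields the default list unchanged, which is the behaviour the reviewer asked for when nothing is exported.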
thx so much for fixing this @jfchevrette ! if memory serves, i hit the exact same problem before. 🎉
/assign
@yue9944882 I just found out that kube-apiserver / hyperkube can return the list of default plugins. We can use that to generate the list dynamically and that would avoid the need to keep a static list up-to-date.
/test pull-kubernetes-e2e-kops-aws
/assign
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dims, jfchevrette. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What this PR does / why we need it:
hack/local-up-cluster.sh currently does not honor setting ENABLE_ADMISSION_PLUGINS because the list is overridden later on in the script before the apiserver is started. This PR moves the list higher up as a default list of admission plugins and then allows overriding the defaults via the expected ENV variable when starting the cluster.
Which issue(s) this PR fixes
No issue created. Should I create one?
Special notes for your reviewer:
I have not found tests for this script. I did run it and was able to manually validate that the list of admission plugins is either set to the default or to those I chose via the environment variable.
This is a first contribution. I would appreciate any comments on how I can improve future contributions.
Release note: