Fix setting admission plugins on local-up-cluster.sh #69243
Conversation
k8s-ci-robot
added
release-note-none
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
/assign @dims |
hack/local-up-cluster.sh
Outdated
| ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""} | ||
| # Default list of admission Controllers to invoke prior to persisting objects in cluster | ||
| # The order defined here does not matter. | ||
| DEFAULT_ENABLE_ADMISSION_PLUGINS="LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection" |
There was a problem hiding this comment.
the default on plugins are defined in:
kubernetes/pkg/kubeapiserver/options/plugins.go
Lines 132 to 142 in 72dd54e
so we can trim the list, amiright?
There was a problem hiding this comment.
The only plugin that is in the list but not in the default on plugins list is StorageObjectInUseProtection which according to the cli feature gates docs is enabled by default.
Regardless of the above, as a user using local-up-cluster.sh I would expect that the default plugins are loaded unless I specify additional plugins using ENABLE_ADMISSION_PLUGINS (or disable plugins using DISABLE_ADMISSION_PLUGINS)
WDYT?
| # Admission Controllers to invoke prior to persisting objects in cluster | ||
| # | ||
| # The order defined here dose not matter. | ||
| ENABLE_ADMISSION_PLUGINS=LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection |
There was a problem hiding this comment.
what about removing L106 and change this line to
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-""}${security_admission}
There was a problem hiding this comment.
I've removed the additional DEFAULT_ variable but left (and updated) the list to match the recommended defaults from the docs
It is my understanding that if --enable-admission-plugins is passed with an empty value/list, no plugins will be loaded.
There was a problem hiding this comment.
thx so much for fixing this @jfchevrette ! if memory serves, i hit the exact same problem before. 🎉
|
/assign |
k8s-ci-robot
added
sig/cluster-lifecycle
|
@yue9944882 I just found out that kube-apiserver / hyperkube can return the list of default plugins. We can use that to generate the list dynamically and that would avoid the need to keep a static list up-to-date. |
|
/test pull-kubernetes-e2e-kops-aws |
|
/assign |
|
/approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, jfchevrette The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What this PR does / why we need it:
hack/local-up-cluster.shcurrently do not honor settingENABLE_ADMISSION_PLUGINSbecause the list is overriden later on in the script before the apiserver is started.This PR moves the list higher up as a default list of admission plugins and then allows overriding the defaults via the expected ENV variable when starting the cluster.
Which issue(s) this PR fixes
No issue created. Should I create one?
Special notes for your reviewer:
I have not found tests for this script. I did run it and was able to manually validate that the list of admission plugin is either set to default or to those I chose via the environment variable.
This is a first contribution. I will appreciate any comments on how I can improve future contributions.
Release note: