kubeadm: do not use --admission-control for the API server

[neolit123]

What this PR does / why we need it:
The API server argument --admission-control is deprecated.
Use the following arguments instead:
--enable-admission-plugins=NodeRestriction
--disable-admission-plugins=PersistentVolumeLabel

Add comment that PersistentVolumeLabel should be removed at some
point in 1.11.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Updates kubernetes/kubeadm#840

Special notes for your reviewer:
NONE

Release note:

kubeadm: when starting the API server use the arguments --enable-admission-plugins and --disable-admission-plugins instead of the deprecated --admission-control.

@luxas
@kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm

[timothysc]

If this is deprecated I don't know why we need to explicitly specify.

[neolit123]

@luxas can comment further i guess, i was just following the guide here:
kubernetes/kubeadm#840

[luxas]

It's still enabled by default which is a bug. Until that bug is fixed, let's leave it out here.

[timothysc]

I'm fine with defaulting off, but lets cross-link an issue.

[neolit123]

should i cross link to this (i.e. adding a comment with link in the code)?:
kubernetes/kubeadm#840

[timothysc]

@neolit123 I'm thinking about the api-server deprecation default issue, should be in the main repo somewhere.

[neolit123]

i can't seem to find it. only found the PR that deprecated admission-control: #58123

[luxas]

#64326 and #52617 and #52618

[luxas]

Thanks @neolit123! Can you use kubeadm with this patch to start up both a v1.10 cluster and a v1.11-beta.0 API server and post the final admission chain that was loaded (it's printed in the API server logs in the beginning), so we have a double-check that everything we want to be running actually is?
/approve

[luxas]

please remove the unused variable

[neolit123]

will do.

edit: done

[neolit123]

Thanks @neolit123! Can you use kubeadm with this patch to start up both a v1.10 cluster and a v1.11-beta.0 API server and post the final admission chain that was loaded (it's printed in the API server logs in the beginning), so we have a double-check that everything we want to be running actually is?
/approve

ha!! as long as my control plane even starts. my setup is beyond broken ATM and it's not really kubeadm's fault. i can try...

[stealthybox]

@neolit123 if your personal lab is non-functional, this should serve the need:
https://github.com/kubernetes/kubeadm/tree/master/vagrant

just change the package versions in the Vagrantfile to 1.10.2 instead of 1.9.7 and then follow the guide for comparing different builds with the already installed kubeadm binary

[neolit123]

yeah @stealthybox . we spoke about it at KubeCon.
i didn't had the time to try it, but i definitely need to find the time...

[neolit123]

^ added link to the issue here.

[neolit123]

/test pull-kubernetes-kubemark-e2e-gce-big
/test pull-kubernetes-node-e2e

[neolit123]

/test pull-kubernetes-node-e2e
/test pull-kubernetes-kubemark-e2e-gce-big

[luxas]

Please fix these comments. After that this LGTM

[luxas]

I'm not sure we should have this here...

[luxas]

Add a TODO to remove this in kubeadm v1.11, as it's automatically disabled in v1.11, and reference #64326.
We can't skip it now as we support v1.10 clusters still.

[luxas]

These are actually called enable/disable-admission-plugins

[luxas]

#64326 and #52617 and #52618

[neolit123]

updated.

• fixed typo - missing s in argument keys
• add TODO comment above PersistentVolumeLabel usage

added the same TODO note here and also made this PR not close the issue:
kubernetes/kubeadm#840

[luxas]

/lgtm

[luxas]

/retest

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: luxas, neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [luxas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[neolit123]

/test pull-kubernetes-e2e-gce-100-performance
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce-device-plugin-gpu

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 64308, 64367, 64165, 64274). If you want to cherry-pick this change to another branch, please follow the instructions here.

[Arnavion]

Using minikube to create a 1.11.0 cluster puts this in /etc/kubernetes/manifests/kube-apiserver.yaml :

spec:
  containers:
  - command:
    - kube-apiserver
    - --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
    <snip>
    - --disable-admission-plugins=PersistentVolumeLabel
    - --enable-admission-plugins=NodeRestriction

so apiserver fails to start because admission-control and enable-admission-plugins/disable-admission-plugins flags are mutually exclusive

$ minikube version

minikube version: v0.28.0

and inside the cluster VM:

$ kubeadm version 

kubeadm version: &version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:14:41Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}

The enable/disable parameters are presumably coming because of this PR, so is there some place left that's still creating the default admission control parameter list?

[neolit123]

the --admission-control part should not be there. it's unclear to me what's adding it.

[Arnavion]

Ah, it's coming from the MasterConfiguration/apiServerExtraArgs in the config file passed to kubeadm. So this is probably minikube creating the file incorrectly. Will follow up there.

[neolit123]

@Arnavion
yes, these come from Minikube:
https://github.com/kubernetes/minikube/blob/master/pkg/util/constants.go#L35
https://github.com/kubernetes/minikube/blob/master/pkg/minikube/bootstrapper/kubeadm/versions.go#L205

this usage is out of date with k8s 1.11.

[Arnavion]

Yeah, just found it. I'll file a bug there.