-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: do not use --admission-control for the API server #64165
kubeadm: do not use --admission-control for the API server #64165
Conversation
@@ -154,7 +154,8 @@ func TestGetAPIServerCommand(t *testing.T) { | |||
expected: []string{ | |||
"kube-apiserver", | |||
"--insecure-port=0", | |||
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota", | |||
"--enable-admission-plugin=NodeRestriction", | |||
"--disable-admission-plugin=PersistentVolumeLabel", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is deprecated I don't know why we need to explicitly specify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@luxas can comment further i guess, i was just following the guide here:
kubernetes/kubeadm#840
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's still enabled by default which is a bug. Until that bug is fixed, let's leave it out here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with defaulting off, but lets cross-link an issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should i cross link to this (i.e. adding a comment with link in the code)?:
kubernetes/kubeadm#840
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@neolit123 I'm thinking about the api-server deprecation default issue, should be in the main repo somewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i can't seem to find it. only found the PR that deprecated admission-control
: #58123
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @neolit123! Can you use kubeadm with this patch to start up both a v1.10 cluster and a v1.11-beta.0 API server and post the final admission chain that was loaded (it's printed in the API server logs in the beginning), so we have a double-check that everything we want to be running actually is?
/approve
@@ -143,7 +143,8 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration) []string { | |||
defaultArguments := map[string]string{ | |||
"advertise-address": cfg.API.AdvertiseAddress, | |||
"insecure-port": "0", | |||
"admission-control": defaultAdmissionControl, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please remove the unused variable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will do.
edit: done
ha!! as long as my control plane even starts. my setup is beyond broken ATM and it's not really kubeadm's fault. i can try... |
@neolit123 if your personal lab is non-functional, this should serve the need: just change the package versions in the |
3cad80a
to
c16ff56
Compare
yeah @stealthybox . we spoke about it at KubeCon. |
c16ff56
to
876547f
Compare
@@ -143,7 +141,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration) []string { | |||
defaultArguments := map[string]string{ | |||
"advertise-address": cfg.API.AdvertiseAddress, | |||
"insecure-port": "0", | |||
"admission-control": defaultAdmissionControl, | |||
// https://github.com/kubernetes/kubeadm/issues/840 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
^ added link to the issue here.
876547f
to
077ba44
Compare
/test pull-kubernetes-kubemark-e2e-gce-big |
/test pull-kubernetes-node-e2e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fix these comments. After that this LGTM
"admission-control": defaultAdmissionControl, | ||
"advertise-address": cfg.API.AdvertiseAddress, | ||
"insecure-port": "0", | ||
// https://github.com/kubernetes/kubernetes/pull/58123 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we should have this here...
"insecure-port": "0", | ||
// https://github.com/kubernetes/kubernetes/pull/58123 | ||
"enable-admission-plugin": "NodeRestriction", | ||
"disable-admission-plugin": "PersistentVolumeLabel", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a TODO to remove this in kubeadm v1.11, as it's automatically disabled in v1.11, and reference #64326.
We can't skip it now as we support v1.10 clusters still.
"advertise-address": cfg.API.AdvertiseAddress, | ||
"insecure-port": "0", | ||
// https://github.com/kubernetes/kubernetes/pull/58123 | ||
"enable-admission-plugin": "NodeRestriction", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are actually called enable/disable-admission-plugins
@@ -154,7 +154,8 @@ func TestGetAPIServerCommand(t *testing.T) { | |||
expected: []string{ | |||
"kube-apiserver", | |||
"--insecure-port=0", | |||
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota", | |||
"--enable-admission-plugin=NodeRestriction", | |||
"--disable-admission-plugin=PersistentVolumeLabel", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
077ba44
to
c61004c
Compare
updated.
added the same TODO note here and also made this PR not close the issue: |
The API server argument --admission-control is deprecated. Use the following arguments instead: --enable-admission-plugins=NodeRestriction --disable-admission-plugins=PersistentVolumeLabel Add comment that PersistentVolumeLabel should be removed at some point in 1.11.
c61004c
to
8d84ef6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/retest |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luxas, neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-kubernetes-e2e-gce-100-performance |
/retest Review the full test history for this PR. Silence the bot with an |
Automatic merge from submit-queue (batch tested with PRs 64308, 64367, 64165, 64274). If you want to cherry-pick this change to another branch, please follow the instructions here. |
Using minikube to create a 1.11.0 cluster puts this in spec:
containers:
- command:
- kube-apiserver
- --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
<snip>
- --disable-admission-plugins=PersistentVolumeLabel
- --enable-admission-plugins=NodeRestriction so apiserver fails to start because
and inside the cluster VM:
The enable/disable parameters are presumably coming because of this PR, so is there some place left that's still creating the default admission control parameter list? |
the |
Ah, it's coming from the MasterConfiguration/apiServerExtraArgs in the config file passed to kubeadm. So this is probably minikube creating the file incorrectly. Will follow up there. |
@Arnavion this usage is out of date with k8s 1.11. |
Yeah, just found it. I'll file a bug there. |
What this PR does / why we need it:
The API server argument --admission-control is deprecated.
Use the following arguments instead:
--enable-admission-plugins=NodeRestriction
--disable-admission-plugins=PersistentVolumeLabel
Add comment that PersistentVolumeLabel should be removed at some
point in 1.11.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Updates kubernetes/kubeadm#840
Special notes for your reviewer:
NONE
Release note:
@luxas
@kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm