Add docs for KEP 2200 (DenyServiceExternalIPs) #26297
Conversation
|
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit c111b4a https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/6021d5b63510b400084cad5d |
k8s-ci-robot
added
the
size/XXL
|
Ugh, master not synced, will rebase. |
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/ko
k8s-ci-robot
added
size/L
|
/assign @bowei @rramkumar1 for the ingress block |
|
/remove-language es fr id it ja ko zh |
k8s-ci-robot
removed
language/es
|
/uncc |
|
nits fixed |
|
/retitle Add docs for KEP 2200 (DenyServiceExternalIPs) |
k8s-ci-robot
changed the title
|
This looks ready for tech review (which, I'm hoping, is straightforward). |
|
This will be a short review, I hope :) @bowei for Ingress paragraph /assign bowei |
content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/admission-controllers.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/admission-controllers.md
Outdated
Show resolved
Hide resolved
|
/assign @PI-Victor |
| @@ -94,7 +94,7 @@ kube-apiserver -h | grep enable-admission-plugins | |||
| In the current version, the default ones are: | |||
|
|
|||
| ```shell | |||
| NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota | |||
| AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook | |||
There was a problem hiding this comment.
This doesn't look right to me. Isn't this just all of them? I think the default list is defined here: https://github.com/kubernetes/kubernetes/blob/1119a505aca14467accedf850daf30aa9c532ef2/pkg/kubeapiserver/options/plugins.go#L143-L161
There was a problem hiding this comment.
Good catch. I cut-and-pasted the wrong list. That said, is it really worthwhile to list "in the current version" in docs - that doesn't help much. What version? Maybe we should just nix this block?
There was a problem hiding this comment.
I'll update the list, but still think we should remove it totally.
There was a problem hiding this comment.
Yeah, I think just giving the command should be sufficient, or maybe even linking to the code. I could go either way.
There was a problem hiding this comment.
If I'm remembering this correctly, the order of this list matters. Is that still the case? I just noticed that the list is now in alphabetic order.
There was a problem hiding this comment.
When using --enable-admission-plugins/--disable-admission-plugins, the order is unimportant. That just toggles them on/off, but the order is predetermined.
|
|
||
| The DenyEscalatingExec admission plugin is deprecated and will be removed in v1.18. | ||
| This functionality has been merged into [DenyEscalatingExec](#denyescalatingexec). | ||
| The DenyExecOnPrivileged admission plugin is deprecated and will be removed in v1.18. |
There was a problem hiding this comment.
Thanks Jordan. Let's update this to say v1.21 (same above)
* Document DenyServiceExternalIPs admission controller * Re-order other admission controller blocks to be alphabetical * Document DefaultIngressClass (missing)
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: a6ff8b5ed255331976f8f2f343b2322b49647e37
|
|
/assign |
| "ingressclass.kubernetes.io/is-default-class"). This admission controller ignores any `Ingress` | ||
| updates; it acts only on creation. | ||
|
|
||
| See the [ingress](/docs/concepts/services-networking/ingress/) documentation for more about ingress |
There was a problem hiding this comment.
mini nit:
| See the [ingress](/docs/concepts/services-networking/ingress/) documentation for more about ingress | |
| See the [Ingress](/docs/concepts/services-networking/ingress/) documentation for more about ingress |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
KEP: kubernetes/enhancements#2200
Code: kubernetes/kubernetes#97395