// Copyright Contributors to the Open Cluster Management project
package options
// refer to https://github.com/kubernetes/kubernetes/blob/v1.26.1/pkg/kubeapiserver/options/plugins.go
// This file exists to force the desired plugin implementations to be linked.
// This should probably be part of some configuration fed into the build for a
// given binary target.
import (
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction"
"k8s.io/kubernetes/plugin/pkg/admission/eventratelimit"
"k8s.io/kubernetes/plugin/pkg/admission/gc"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
"k8s.io/apiserver/pkg/admission/plugin/resourcequota"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
"open-cluster-management.io/multicluster-controlplane/plugin/admission/managedclustermutating"
"open-cluster-management.io/multicluster-controlplane/plugin/admission/managedclustersetbindingvalidating"
"open-cluster-management.io/multicluster-controlplane/plugin/admission/managedclustervalidating"
"open-cluster-management.io/multicluster-controlplane/plugin/admission/manifestworkvalidating"
)
// AllOrderedPlugins is the list of all the plugins in order.
//
// The position of a name in this slice is significant: the comment on
// RegisterAllAdmissionPlugins points to this list for execution order. The
// self-defined ManagedCluster*/ManifestWork* plugins sit after the built-in
// namespace, service-account, rate-limit, owner-reference and certificate
// plugins, and before the webhook, ValidatingAdmissionPolicy and
// ResourceQuota plugins.
//
// NOTE(review): lifecycle, mutatingwebhook, validatingadmissionpolicy and
// validatingwebhook are named here but are not registered by
// RegisterAllAdmissionPlugins in this file; presumably the generic apiserver
// registers them. Confirm.
var AllOrderedPlugins = []string{
	autoprovision.PluginName, // NamespaceAutoProvision
	lifecycle.PluginName, // NamespaceLifecycle
	exists.PluginName, // NamespaceExists
	serviceaccount.PluginName, // ServiceAccount
	eventratelimit.PluginName, // EventRateLimit
	gc.PluginName, // OwnerReferencesPermissionEnforcement
	certapproval.PluginName, // CertificateApproval
	certsigning.PluginName, // CertificateSigning
	certsubjectrestriction.PluginName, // CertificateSubjectRestriction
	// self-defined plugins
	// The single mutating plugin is listed ahead of the three validating ones.
	managedclustermutating.PluginName, // ManagedClusterMutating
	managedclustervalidating.PluginName, // ManagedClusterValidating
	managedclustersetbindingvalidating.PluginName, // ManagedClusterSetBindingValidating
	manifestworkvalidating.PluginName, // ManifestWorkValidating
	// new admission plugins should generally be inserted above here
	// webhook, resourcequota, and deny plugins must go at the end
	// NOTE(review): upstream Kubernetes documents ResourceQuota as the last
	// plugin so that quota is not consumed by a request a later plugin
	// rejects; keep that in mind when inserting entries near the tail.
	mutatingwebhook.PluginName, // MutatingAdmissionWebhook
	validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
	validatingwebhook.PluginName, // ValidatingAdmissionWebhook
	resourcequota.PluginName, // ResourceQuota
}
// RegisterAllAdmissionPlugins registers the admission plugins linked into
// this package with the given plugin registry.
//
// The sequence of the Register calls carries no meaning; the order in which
// plugins run is taken from AllOrderedPlugins. Whether a plugin is on or off
// by default is decided separately, see DefaultOffAdmissionPlugins.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
	// Plugins imported from the k8s.io packages.
	eventratelimit.Register(plugins)
	gc.Register(plugins)
	autoprovision.Register(plugins)
	exists.Register(plugins)
	resourcequota.Register(plugins)
	serviceaccount.Register(plugins)

	// Certificate signing request plugins.
	certapproval.Register(plugins)
	certsigning.Register(plugins)
	certsubjectrestriction.Register(plugins)

	// Plugins defined by this project (open-cluster-management.io).
	managedclustermutating.Register(plugins)
	managedclustervalidating.Register(plugins)
	managedclustersetbindingvalidating.Register(plugins)
	manifestworkvalidating.Register(plugins)
}
// DefaultOffAdmissionPlugins returns the names of the admission plugins that
// are off by default for kube-apiserver: every entry of AllOrderedPlugins
// that is absent from the default-on set built below.
//
// NOTE(review): the default-on set does not contain the self-defined
// ManagedClusterMutating, ManagedClusterValidating,
// ManagedClusterSetBindingValidating and ManifestWorkValidating plugins, nor
// NamespaceAutoProvision, NamespaceExists, EventRateLimit,
// OwnerReferencesPermissionEnforcement and ValidatingAdmissionPolicy, so all
// of these are returned as off by default. Confirm that the caller explicitly
// enables the plugins the control plane relies on for validation.
func DefaultOffAdmissionPlugins() sets.Set[string] {
	enabledByDefault := sets.New(
		lifecycle.PluginName,              // NamespaceLifecycle
		serviceaccount.PluginName,         // ServiceAccount
		mutatingwebhook.PluginName,        // MutatingAdmissionWebhook
		validatingwebhook.PluginName,      // ValidatingAdmissionWebhook
		resourcequota.PluginName,          // ResourceQuota
		certapproval.PluginName,           // CertificateApproval
		certsigning.PluginName,            // CertificateSigning
		certsubjectrestriction.PluginName, // CertificateSubjectRestriction
	)

	// Anything listed in AllOrderedPlugins but not enabled above is off.
	known := sets.New(AllOrderedPlugins...)
	return known.Difference(enabledByDefault)
}