diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index ae5d1b1cf9f..9491ecb1f69 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh @@ -441,12 +441,12 @@ function start_apiserver { fi RUNTIME_CONFIG+="scheduling.k8s.io/v1alpha1=true" fi - + # Admission Controllers to invoke prior to persisting objects in cluster # # The order defined here dose not matter. - ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset + ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodPreset,StorageObjectInUseProtection audit_arg="" APISERVER_BASIC_AUDIT_LOG="" diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index e704f958de8..09b3b9a3d6b 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -203,7 +203,7 @@ const ( BlockVolume utilfeature.Feature = "BlockVolume" // owner: @pospispa - // alpha: v1.9 + // beta: v1.10 // // Postpone deletion of a PV or a PVC when they are being used StorageObjectInUseProtection utilfeature.Feature = "StorageObjectInUseProtection" 
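Review bot: The doc comment on StorageObjectInUseProtection replaces `// alpha: v1.9` with `// beta: v1.10`, which drops the record of when the gate was introduced. Keep both lines, `// alpha: v1.9` followed by `// beta: v1.10`, so the gate's maturity history stays readable from the const block. The block starts and ends outside this hunk, so whether its other entries follow that convention is not visible here.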
@@ -280,7 +280,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
 CSIPersistentVolume: {Default: true, PreRelease: utilfeature.Beta},
 CustomPodDNS: {Default: false, PreRelease: utilfeature.Alpha},
 BlockVolume: {Default: false, PreRelease: utilfeature.Alpha},
- StorageObjectInUseProtection: {Default: false, PreRelease: utilfeature.Alpha},
+ StorageObjectInUseProtection: {Default: true, PreRelease: utilfeature.Beta},
 ResourceLimitsPriorityFunction: {Default: false, PreRelease: utilfeature.Alpha},
 SupportIPVSProxyMode: {Default: false, PreRelease: utilfeature.Beta},
 SupportPodPidsLimit: {Default: false, PreRelease: utilfeature.Alpha},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index ff5d47867bb..4bb97a4d338 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
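Review bot: Switching the StorageObjectInUseProtection entry to `Default: true` turns the feature on for every cluster that upgrades without setting the gate, yet the only admission-plugin change in this diff is to hack/local-up-cluster.sh. If the protection finalizer is set by the StorageObjectInUseProtection admission plugin, as the script change suggests, an apiserver whose plugin list omits it would run with the gate on while new PVs and PVCs go unprotected, with nothing signalling the gap. Record the dependency next to the gate, e.g. `// Requires the StorageObjectInUseProtection admission plugin on the apiserver.`, and confirm that the other deployment configurations (not part of this diff) enable the plugin. The map literal continues outside the hunk.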
@@ -255,6 +255,40 @@ items:
 - kind: ServiceAccount
 name: pod-garbage-collector
 namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:pv-protection-controller
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:controller:pv-protection-controller
+ subjects:
+ - kind: ServiceAccount
+ name: pv-protection-controller
+ namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:pvc-protection-controller
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:controller:pvc-protection-controller
+ subjects:
+ - kind: ServiceAccount
+ name: pvc-protection-controller
+ namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index f6f542e4e0e..2de2b2b9ba5 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -772,6 +772,68 @@ items:
 - nodes
 verbs:
 - list
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:pv-protection-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:pvc-protection-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
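Review bot: Both new ClusterRoles grant cluster-wide `update` on their storage resource (persistentvolumes, persistentvolumeclaims), so each controller's service account can rewrite any such object in any namespace, not only its finalizers. RBAC cannot scope a rule to a single field, so keeping the remaining verbs minimal is the only available lever. If the controllers read objects only through list/watch caches, which this fixture cannot confirm, `get` can be dropped from the persistentvolumes, persistentvolumeclaims and pods rules. This file looks like test data mirroring the bootstrap policy, so the change would belong in the policy source, which is not in this diff. The matching bindings in controller-role-bindings.yaml only attach these roles to kube-system service accounts and would not need to change.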