From 61be3683f3feee1169a47e52a92fe54635f4e9dc Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 9 Jan 2019 11:46:53 -0500
Subject: [PATCH] Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins
---
 plugin/pkg/admission/exec/BUILD | 1 +
 plugin/pkg/admission/exec/admission.go | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/admission/exec/BUILD b/plugin/pkg/admission/exec/BUILD
index 4d571efc75b..2b53a313aeb 100644
--- a/plugin/pkg/admission/exec/BUILD
+++ b/plugin/pkg/admission/exec/BUILD
@@ -16,6 +16,7 @@ go_library(
 "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
+ "//vendor/k8s.io/klog:go_default_library",
 ],
 )
diff --git a/plugin/pkg/admission/exec/admission.go b/plugin/pkg/admission/exec/admission.go
index b6cbf94bc3a..c4ed9282fb4 100644
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@@ -25,25 +25,33 @@ import (
 "k8s.io/apiserver/pkg/admission"
 genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer"
 "k8s.io/client-go/kubernetes"
+ "k8s.io/klog"
 )
 const (
 // DenyEscalatingExec indicates name of admission plugin.
+ // Deprecated, will be removed in v1.18.
+ // Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
 DenyEscalatingExec = "DenyEscalatingExec"
 // DenyExecOnPrivileged indicates name of admission plugin.
- // Deprecated, should use DenyEscalatingExec instead.
+ // Deprecated, will be removed in v1.18.
+ // Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
 DenyExecOnPrivileged = "DenyExecOnPrivileged"
 )
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 plugins.Register(DenyEscalatingExec, func(config io.Reader) (admission.Interface, error) {
+ klog.Warningf("the %s admission plugin is deprecated and will be removed in v1.18", DenyEscalatingExec)
+ klog.Warningf("use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead")
 return NewDenyEscalatingExec(), nil
 })
 // This is for legacy support of the DenyExecOnPrivileged admission controller. Most
 // of the time DenyEscalatingExec should be preferred.
 plugins.Register(DenyExecOnPrivileged, func(config io.Reader) (admission.Interface, error) {
+ klog.Warningf("the %s admission plugin is deprecated and will be removed in v1.18", DenyExecOnPrivileged)
+ klog.Warningf("use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead")
 return NewDenyExecOnPrivileged(), nil
 })
 }
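Review bot: The unchanged comment above the second `plugins.Register` call still says "Most of the time DenyEscalatingExec should be preferred", which contradicts the deprecation of both plugins that this hunk adds. It should be reworded, for example `// DenyExecOnPrivileged is kept for legacy support only; both plugins are deprecated.`. The new doc comments on the two constants read `// Deprecated, will be removed in v1.18.`, whereas Go tooling only picks up a deprecation paragraph that starts with `// Deprecated: ` (with a colon), so these constants will likely not be flagged to callers. Judging by the plugin names and the warning text, the recommended replacement restricts pod creation rather than exec/attach, so the comment could also tell operators to have that policy in place before they drop the plugin. The second `klog.Warningf` in each closure takes no format arguments and could be `klog.Warning`.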