github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-20 02:11:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #72737 from liggitt/deprecate-deny-exec-admission

Browse Source 
Deprecate DenyEscalatingExec and DenyExecOnPrivileged admission plugins
This commit is contained in:
Kubernetes Prow Robot 2019-01-11 03:30:48 -08:00 committed by GitHub
commit 33a9c6e892
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
plugin/pkg/admission/exec/BUILD
View File

@ -16,6 +16,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/klog:go_default_library",
], ],
) )

10
plugin/pkg/admission/exec/admission.go
View File

@ -25,25 +25,33 @@ import (
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer" genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
"k8s.io/klog"
) )
const ( const (
// DenyEscalatingExec indicates name of admission plugin. // DenyEscalatingExec indicates name of admission plugin.
// Deprecated, will be removed in v1.18.
// Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
DenyEscalatingExec = "DenyEscalatingExec" DenyEscalatingExec = "DenyEscalatingExec"
// DenyExecOnPrivileged indicates name of admission plugin. // DenyExecOnPrivileged indicates name of admission plugin.
// Deprecated, should use DenyEscalatingExec instead. // Deprecated, will be removed in v1.18.
// Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
DenyExecOnPrivileged = "DenyExecOnPrivileged" DenyExecOnPrivileged = "DenyExecOnPrivileged"
) )
// Register registers a plugin // Register registers a plugin
func Register(plugins *admission.Plugins) { func Register(plugins *admission.Plugins) {
plugins.Register(DenyEscalatingExec, func(config io.Reader) (admission.Interface, error) { plugins.Register(DenyEscalatingExec, func(config io.Reader) (admission.Interface, error) {
klog.Warningf("the %s admission plugin is deprecated and will be removed in v1.18", DenyEscalatingExec)
klog.Warningf("use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead")
return NewDenyEscalatingExec(), nil return NewDenyEscalatingExec(), nil
}) })
// This is for legacy support of the DenyExecOnPrivileged admission controller. Most // This is for legacy support of the DenyExecOnPrivileged admission controller. Most
// of the time DenyEscalatingExec should be preferred. // of the time DenyEscalatingExec should be preferred.
plugins.Register(DenyExecOnPrivileged, func(config io.Reader) (admission.Interface, error) { plugins.Register(DenyExecOnPrivileged, func(config io.Reader) (admission.Interface, error) {
klog.Warningf("the %s admission plugin is deprecated and will be removed in v1.18", DenyExecOnPrivileged)
klog.Warningf("use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead")
return NewDenyExecOnPrivileged(), nil return NewDenyExecOnPrivileged(), nil
}) })
} }