diff --git a/cluster/gce/addons/admission-resource-quota-critical-pods/resource-quota.yaml b/cluster/gce/addons/admission-resource-quota-critical-pods/resource-quota.yaml
new file mode 100644
index 00000000000..222042ef5c5
--- /dev/null
+++ b/cluster/gce/addons/admission-resource-quota-critical-pods/resource-quota.yaml
@@ -0,0 +1,18 @@
+# critical pods are configured as a limited resource by admission_controller_config.yaml,
+# which means they are disallowed unless explicitly allowed by a namespaced quota object.
+# This quota effectively removes the restriction on the number of critical pods allowed in the kube-system namespace.
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: gcp-critical-pods
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ hard:
+ pods: "1000000000"
+ scopeSelector:
+ matchExpressions:
+ - operator : In
+ scopeName: PriorityClass
+ values: ["system-node-critical", "system-cluster-critical"]
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 0d41abf263f..6213d498986 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -915,6 +915,20 @@ kind: AdmissionConfiguration
 plugins:
 EOF
+ # Add resourcequota config to limit critical pods to kube-system by default
+ cat <>/etc/srv/kubernetes/admission_controller_config.yaml
+- name: "ResourceQuota"
+ configuration:
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: ResourceQuotaConfiguration
+ limitedResources:
+ - resource: pods
+ matchScopes:
+ - scopeName: PriorityClass
+ operator: In
+ values: ["system-node-critical", "system-cluster-critical"]
+EOF
+
 if [[ "${ADMISSION_CONTROL:-}" == *"ImagePolicyWebhook"* ]]; then
 if [[ -z "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
 1>&2 echo "The ImagePolicyWebhook admission control plugin was requested, but GCP_IMAGE_VERIFICATION_URL was not provided."
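Review bot: `- operator : In` in the new file's `matchExpressions` entry has a space before the colon, unlike the `scopeName:` and `values:` keys beside it; YAML still reads the key as `operator`, but yamllint's `colons` rule flags it and it reads as a typo — `- operator: In`. The header comment should also state the dependency the file relies on: the quota only lifts a restriction when the apiserver runs the ResourceQuota admission plugin with a `limitedResources` entry for these two PriorityClass values, and applied on its own it changes nothing, so something like `# Only meaningful when the ResourceQuota admission plugin is enabled with the matching limitedResources config.` would help a reader who finds this object without the configure-helper.sh change. `addonmanager.kubernetes.io/mode: Reconcile` means the addon manager overwrites in-cluster edits to this object, which is the right choice for a quota that decides where system-critical-priority pods may schedule; a one-line comment saying that is deliberate would stop a later change relaxing it to EnsureExists. `pods: "1000000000"` is quoted because a quota `hard` value is a resource Quantity string rather than an integer — a trailing `# Quantity string; keep quoted` comment would keep a reformatter from unquoting it.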
@@ -2528,6 +2542,7 @@ EOF
 if echo "${ADMISSION_CONTROL:-}" | grep -q "LimitRanger"; then
 setup-addon-manifests "admission-controls" "limit-range" "gce"
 fi
+ setup-addon-manifests "addons" "admission-resource-quota-critical-pods"
 if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" ]]; then
 setup-addon-manifests "addons" "calico-policy-controller"