From b63328984c4f8fc10720af63b9c0b041136700fe Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 1 Jun 2017 14:39:29 -0700
Subject: [PATCH 1/2] gce/gke: enable Node authorizer and NodeRestriction admission controller
---
 cluster/gce/config-default.sh | 2 +-
 cluster/gce/config-test.sh | 2 +-
 cluster/gce/gci/configure-helper.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index f454de48759..259a4704f3f 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -225,7 +225,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
+ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 7d82a495fad..1d8df0e055e 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
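Review bot: The new NodeRestriction entry in ADMISSION_CONTROL carries no comment, while the surrounding lines document only the ResourceQuota ordering; the same applies to the config-test.sh hunk of this patch. NodeRestriction only constrains requests whose identity the apiserver recognises as a kubelet (the system:nodes group with a system:node:<name> username) and it is paired with the Node authorizer enabled in the configure-helper.sh hunk, so a reader editing one file needs to know about the other. I would add above the assignment: `# NodeRestriction limits kubelets (system:nodes / system:node:<name>) to the Node and Pod objects of their own node; it pairs with the Node authorizer set in gci/configure-helper.sh.` Keeping it ahead of ResourceQuota, as done here, follows the ordering rule in the existing comment.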
@@ -255,7 +255,7 @@ if [ ${ENABLE_IP_ALIASES} = true ]; then
 fi
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota}"
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 71068f9ffe4..0c7971b97bd 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1288,7 +1288,7 @@ function start-kube-apiserver {
 fi
- local authorization_mode="RBAC"
+ local authorization_mode="Node,RBAC"
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
 # Enable ABAC mode unless the user explicitly opts out with ENABLE_LEGACY_ABAC=false
From 76493fcb7d702a94fe2e5a8ffa1fe57425d2cddb Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Mon, 12 Jun 2017 14:28:28 -0700
Subject: [PATCH 2/2] set max concurrent namespace syncs to 10
---
 cmd/kube-controller-manager/app/options/options.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index 7d81d8e276d..dec8d1f1adc 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
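Review bot: Because the whole list here is only the fallback of `${KUBE_ADMISSION_CONTROL:-...}`, an environment override that omits NodeRestriction drops the kubelet write restriction silently, and nothing in this hunk reports that. The Node authorizer enabled in the configure-helper.sh hunk decides what a kubelet identity may read, but NodeRestriction is what limits its writes to the Node and Pod objects of its own node, so the two are not interchangeable. A one-line comment on the override would make that visible to whoever sets the variable in a test job, e.g. `# Overrides of KUBE_ADMISSION_CONTROL should keep NodeRestriction; it is what limits kubelet credentials to their own node's objects.` This is an observation on the test defaults rather than a defect in the change itself.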
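Review bot: The authorizer list becomes `Node,RBAC`, but the comment three lines down shows legacy ABAC is still enabled by default unless ENABLE_LEGACY_ABAC=false, and the apiserver's authorizers form a union where any allow wins. If the legacy ABAC policy file grants the kubelet identity broad access, the narrower decisions of the Node authorizer never matter for those requests and only the NodeRestriction admission plugin still constrains them; it is worth confirming what that policy grants to system:nodes and kubelet users and recording the result. I would annotate the new line with `# Node is listed before RBAC as recommended; legacy ABAC (below) can still grant kubelets more than the Node authorizer would.` start-kube-apiserver continues outside the hunk, so how authorization_mode is extended for ABAC is not visible here.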
@@ -67,7 +67,7 @@ func NewCMServer() *CMServer {
 ConcurrentJobSyncs: 5,
 ConcurrentResourceQuotaSyncs: 5,
 ConcurrentDeploymentSyncs: 5,
- ConcurrentNamespaceSyncs: 5,
+ ConcurrentNamespaceSyncs: 10,
 ConcurrentSATokenSyncs: 5,
 LookupCacheSizeForRC: 4096,
 LookupCacheSizeForRS: 4096,
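Review bot: The default for ConcurrentNamespaceSyncs moves from 5 to 10, making it the only field in this block that differs from its neighbours, and neither the hunk nor the commit message says why. A short comment would keep the next reader from "normalising" it back to 5, e.g. `// ConcurrentNamespaceSyncs defaults higher than the other syncs; presumably because namespace deletion fans out over every namespaced resource type — confirm against the namespace controller.` If the corresponding flag registration in this file repeats the default in its help text, it should be checked to still say 10; that part of options.go is outside the hunk, as is the rest of NewCMServer.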