diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index 2b138173bb9..ac30612169b 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -135,7 +135,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh
index 4f5c4d151d5..a2d8e942854 100755
--- a/cluster/aws/config-test.sh
+++ b/cluster/aws/config-test.sh
@@ -121,7 +121,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/azure-legacy/config-default.sh b/cluster/azure-legacy/config-default.sh
index 4a23c81d2d8..20687b9311d 100644
--- a/cluster/azure-legacy/config-default.sh
+++ b/cluster/azure-legacy/config-default.sh
@@ -57,4 +57,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh
index 6bfdbece84d..2fd596e2e6f 100755
--- a/cluster/centos/config-default.sh
+++ b/cluster/centos/config-default.sh
@@ -42,7 +42,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh
index 45e610bd393..29bcc985bbf 100755
--- a/cluster/centos/master/scripts/apiserver.sh
+++ b/cluster/centos/master/scripts/apiserver.sh
@@ -56,7 +56,7 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 # Comma-delimited list of:
 # LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
 # NamespaceLifecycle, NamespaceAutoProvision,
-# AlwaysAdmit, ServiceAccount, ResourceQuota, SimpleDefaultStorageClassForPVC
+# AlwaysAdmit, ServiceAccount, ResourceQuota, DefaultStorageClass
 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"
 # --client-ca-file="": If set, any request presenting a client certificate signed
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 12a54075320..24466af0bfa 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -130,7 +130,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index e8870acbac3..2eb13a872d3 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -149,7 +149,7 @@ if [[ "${ENABLE_CLUSTER_AUTOSCALER}" == "true" ]]; then
 fi
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,SimpleDefaultStorageClassForPVC,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota}"
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/images/hyperkube/static-pods/master-multi.json b/cluster/images/hyperkube/static-pods/master-multi.json
index 8c6090fbc59..b69da036a15 100644
--- a/cluster/images/hyperkube/static-pods/master-multi.json
+++ b/cluster/images/hyperkube/static-pods/master-multi.json
@@ -36,7 +36,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=0.0.0.0",
 "--etcd-servers=http://127.0.0.1:2379",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/images/hyperkube/static-pods/master.json b/cluster/images/hyperkube/static-pods/master.json
index 152cba50a4e..704f8f9076c 100644
--- a/cluster/images/hyperkube/static-pods/master.json
+++ b/cluster/images/hyperkube/static-pods/master.json
@@ -36,7 +36,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=127.0.0.1",
 "--etcd-servers=http://127.0.0.1:2379",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/juju/layers/kubernetes/templates/master.json b/cluster/juju/layers/kubernetes/templates/master.json
index 2eebcdf5b19..007405a7c58 100644
--- a/cluster/juju/layers/kubernetes/templates/master.json
+++ b/cluster/juju/layers/kubernetes/templates/master.json
@@ -38,7 +38,7 @@
 "--etcd-certfile={{ etcd_cert }}",
 {%- endif %}
 "--etcd-servers={{ connection_string }}",
- "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index 07e403242eb..c3a6fb6b887 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -25,7 +25,7 @@ source "$KUBE_ROOT/cluster/common.sh"
 export LIBVIRT_DEFAULT_URI=qemu:///system
 export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml
index dc2eb421093..1f7d5c0be0e 100644
--- a/cluster/mesos/docker/docker-compose.yml
+++ b/cluster/mesos/docker/docker-compose.yml
@@ -77,7 +77,7 @@ apiserver:
 --external-hostname=apiserver
 --etcd-servers=http://etcd:4001
 --port=8888
- --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 --authorization-mode=AlwaysAllow
 --token-auth-file=/var/run/kubernetes/auth/token-users
 --basic-auth-file=/var/run/kubernetes/auth/basic-users
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
index 388dcbfd93d..d70edce9dbe 100644
--- a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
+++ b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -49,7 +49,7 @@ write_files:
 dns_domain: cluster.local
 federations_domain_map: ''
 instance_prefix: kubernetes
- admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 enable_cpu_cfs_quota: "true"
 network_provider: none
 opencontrail_tag: R2.20
diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
index 7ddf2a56af2..0bb568ff471 100755
--- a/cluster/photon-controller/templates/create-dynamic-salt-files.sh
+++ b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
@@ -124,5 +124,5 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh
index ea3a00fe680..34463e205a0 100755
--- a/cluster/ubuntu/config-default.sh
+++ b/cluster/ubuntu/config-default.sh
@@ -68,7 +68,7 @@ FLANNEL_OTHER_NET_CONFIG=''
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,SimpleDefaultStorageClassForPVC,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,DefaultStorageClass,ResourceQuota
 # Path to the config file or directory of files of kubelet
 export KUBELET_CONFIG=${KUBELET_CONFIG:-""}
diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
index 29d7713abc1..1f97b9bb833 100755
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}"
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING=false
diff --git a/cluster/vsphere/templates/create-dynamic-salt-files.sh b/cluster/vsphere/templates/create-dynamic-salt-files.sh
index f495bf4afd7..291b5555cd8 100755
--- a/cluster/vsphere/templates/create-dynamic-salt-files.sh
+++ b/cluster/vsphere/templates/create-dynamic-salt-files.sh
@@ -124,7 +124,7 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,SimpleDefaultStorageClassForPVC,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
 EOF
 mkdir -p /srv/salt-overlay/salt/nginx
diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go
index 8b1b82897c0..e0f57e899b1 100644
--- a/cmd/kube-apiserver/app/plugins.go
+++ b/cmd/kube-apiserver/app/plugins.go
@@ -35,9 +35,9 @@ import (
 _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 _ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
 _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
- _ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolumeclaim/default"
 _ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
 _ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
 _ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
 _ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+ _ "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
 )
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 388e35de608..2ef17fc8ab3 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -264,9 +264,9 @@ function set_service_accounts {
 function start_apiserver {
 # Admission Controllers to invoke prior to persisting objects in cluster
 if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC
+ ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,DefaultStorageClass
 else
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SimpleDefaultStorageClassForPVC
+ ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
 fi
 # This is the default dir and filename where the apiserver will generate a self-signed cert
 # which should be able to be used as the CA to verify itself
diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission.go b/plugin/pkg/admission/storageclass/default/admission.go
similarity index 99%
rename from plugin/pkg/admission/persistentvolumeclaim/default/admission.go
rename to plugin/pkg/admission/storageclass/default/admission.go
index b1ae84e2537..c6728db7df1 100644
--- a/plugin/pkg/admission/persistentvolumeclaim/default/admission.go
+++ b/plugin/pkg/admission/storageclass/default/admission.go
@@ -33,7 +33,7 @@ import (
 )
 const (
- PluginName = "SimpleDefaultStorageClassForPVC"
+ PluginName = "DefaultStorageClass"
 )
 func init() {
diff --git a/plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go b/plugin/pkg/admission/storageclass/default/admission_test.go
similarity index 100%
rename from plugin/pkg/admission/persistentvolumeclaim/default/admission_test.go
rename to plugin/pkg/admission/storageclass/default/admission_test.go
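Review bot: In hack/local-up-cluster.sh both new `ADMISSION_CONTROL` assignments in `start_apiserver` still place `DefaultStorageClass` after `ResourceQuota`. The config-default.sh files touched by this same commit carry the comment that ResourceQuota should stay at the end of the list so quota usage is not incremented prematurely, and every other list in the diff follows that order. Since these two lines are being edited anyway, reorder them: `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota` in the first branch and `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota` in the else branch. The body of `start_apiserver` continues past the end of the hunk.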
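Review bot: The new `PluginName = "DefaultStorageClass"` in plugin/pkg/admission/storageclass/default/admission.go replaces the old name with no compatibility path visible in the diff. An API server whose `--admission-control` flag still lists `SimpleDefaultStorageClassForPVC` will presumably no longer resolve the plugin after an upgrade. The in-tree configs are all updated here, but out-of-tree deployments are not, and because the admission chain is part of the cluster's policy enforcement, both a failed start and a silently shortened chain should be ruled out. Consider registering the old name as a deprecated alias for one release, or at least document the break with a release note and a comment such as `// PluginName was "SimpleDefaultStorageClassForPVC" before the rename; --admission-control lists must be updated.` The body of `init()` lies outside the hunk, so the registration call itself is not visible.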