move the MutatingAdmissionWebhook to the last in the mutating admission
plugin chain.
This commit is contained in:
parent
6b1b6d504a
commit
8e8e32fa05
@ -316,12 +316,12 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
|
if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
|
||||||
ADMISSION_CONTROL="MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority"
|
ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority"
|
||||||
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
||||||
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
||||||
fi
|
fi
|
||||||
# ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
|
# ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
|
||||||
ADMISSION_CONTROL="${ADMISSION_CONTROL},ValidatingAdmissionWebhook,ResourceQuota"
|
ADMISSION_CONTROL="${ADMISSION_CONTROL},MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
|
||||||
else
|
else
|
||||||
ADMISSION_CONTROL=${KUBE_ADMISSION_CONTROL}
|
ADMISSION_CONTROL=${KUBE_ADMISSION_CONTROL}
|
||||||
fi
|
fi
|
||||||
|
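Review bot: The ordering this default chain now encodes is silently lost on the override path: `ADMISSION_CONTROL=${KUBE_ADMISSION_CONTROL}` takes the operator's list verbatim, so anyone who copied the previous default (MutatingAdmissionWebhook first) keeps running webhooks before the built-in mutators with nothing here to flag it. The only ordering comment in the hunk is the ResourceQuota one; the new position of MutatingAdmissionWebhook deserves its own line next to it, e.g. `# MutatingAdmissionWebhook must be the last mutating plugin so that webhook mutations are applied after every built-in mutator (ServiceAccount, PodSecurityPolicy, ...); validating plugins run after all mutating ones regardless of position.` It would also help to state that a KUBE_ADMISSION_CONTROL override is expected to keep the same placement, since nothing validates it. Whether PodSecurityPolicy, appended only when ENABLE_POD_SECURITY_POLICY is true, still validates the webhook-mutated object in its validation phase is not visible here and is worth confirming before relying on this order for enforcement.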
@ -104,8 +104,8 @@ func TestAddFlags(t *testing.T) {
|
|||||||
MinRequestTimeout: 1800,
|
MinRequestTimeout: 1800,
|
||||||
},
|
},
|
||||||
Admission: &apiserveroptions.AdmissionOptions{
|
Admission: &apiserveroptions.AdmissionOptions{
|
||||||
RecommendedPluginOrder: []string{"MutatingAdmissionWebhook", "NamespaceLifecycle", "Initializers", "ValidatingAdmissionWebhook"},
|
RecommendedPluginOrder: []string{"NamespaceLifecycle", "Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"},
|
||||||
DefaultOffPlugins: []string{"MutatingAdmissionWebhook", "Initializers", "ValidatingAdmissionWebhook"},
|
DefaultOffPlugins: []string{"Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"},
|
||||||
PluginNames: []string{"AlwaysDeny"},
|
PluginNames: []string{"AlwaysDeny"},
|
||||||
ConfigFile: "/admission-control-config",
|
ConfigFile: "/admission-control-config",
|
||||||
Plugins: s.Admission.Plugins,
|
Plugins: s.Admission.Plugins,
|
||||||
|
@ -419,7 +419,9 @@ function start_apiserver {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||||
ADMISSION_CONTROL=MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,ValidatingAdmissionWebhook,ResourceQuota
|
#
|
||||||
|
# ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
|
||||||
|
ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
|
||||||
# This is the default dir and filename where the apiserver will generate a self-signed cert
|
# This is the default dir and filename where the apiserver will generate a self-signed cert
|
||||||
# which should be able to be used as the CA to verify itself
|
# which should be able to be used as the CA to verify itself
|
||||||
|
|
||||||
|
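Review bot: The new comment block above the chain (`#` followed by `# ResourceQuota must come last…`) documents only the tail of the list and says nothing about why MutatingAdmissionWebhook moved to after DefaultTolerationSeconds, which is the change this commit makes; the next person editing this script has no reason not to move it back to the front. Add a line alongside it, e.g. `# MutatingAdmissionWebhook must be the last mutating plugin so webhook mutations land on top of every built-in mutator; ValidatingAdmissionWebhook runs after all mutating plugins.` Note that `${security_admission}` is expanded between ServiceAccount and DefaultStorageClass, so whatever plugin it names (its value is set outside this hunk, presumably PodSecurityPolicy) now mutates before the webhooks, and only its validation phase, if it has one, sees the webhook output. The enclosing `start_apiserver` function starts before this hunk.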
@ -59,10 +59,14 @@ type AdmissionOptions struct {
|
|||||||
// Servers that do care can overwrite/append that field after creation.
|
// Servers that do care can overwrite/append that field after creation.
|
||||||
func NewAdmissionOptions() *AdmissionOptions {
|
func NewAdmissionOptions() *AdmissionOptions {
|
||||||
options := &AdmissionOptions{
|
options := &AdmissionOptions{
|
||||||
Plugins: admission.NewPlugins(),
|
Plugins: admission.NewPlugins(),
|
||||||
PluginNames: []string{},
|
PluginNames: []string{},
|
||||||
RecommendedPluginOrder: []string{mutatingwebhook.PluginName, lifecycle.PluginName, initialization.PluginName, validatingwebhook.PluginName},
|
// This list is mix of mutating admission plugins and validating
|
||||||
DefaultOffPlugins: []string{mutatingwebhook.PluginName, initialization.PluginName, validatingwebhook.PluginName},
|
// admission plugins. The apiserver always runs the validating ones
|
||||||
|
// after all the mutating ones, so their relative order in this list
|
||||||
|
// doesn't matter.
|
||||||
|
RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName},
|
||||||
|
DefaultOffPlugins: []string{initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName},
|
||||||
}
|
}
|
||||||
apiserverapi.AddToScheme(options.Plugins.ConfigScheme)
|
apiserverapi.AddToScheme(options.Plugins.ConfigScheme)
|
||||||
apiserverapiv1alpha1.AddToScheme(options.Plugins.ConfigScheme)
|
apiserverapiv1alpha1.AddToScheme(options.Plugins.ConfigScheme)
|
||||||
|
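Review bot: The added comment (`// This list is mix of mutating admission plugins and validating … so their relative order in this list doesn't matter.`) only says that mutating-vs-validating interleaving is irrelevant, while the point of this commit is that order among the mutating plugins does matter — `mutatingwebhook.PluginName` now deliberately follows `lifecycle.PluginName` and `initialization.PluginName`, and the comment as written invites a future reshuffle. Tighten it, e.g. `// The order among the mutating plugins matters: MutatingAdmissionWebhook is last so webhooks run on the object after every built-in mutator. Validating plugins always run after all mutating ones, so where they sit relative to the mutating ones here is irrelevant.` "is mix of" also reads as a slip for "is a mix of". NewAdmissionOptions begins inside the hunk but its body continues past the hunk's last line.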