mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Merge pull request #74610 from oomichi/issue/74038-2
Enable StorageObjectInUseProtection by default
This commit is contained in:
commit
98b6f35999
@ -39,7 +39,7 @@ function run_kube_apiserver() {
|
||||
|
||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||
ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
|
||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
|
||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,StorageObjectInUseProtection"
|
||||
|
||||
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
||||
AUTHORIZATION_MODE="RBAC,AlwaysAllow"
|
||||
|
@ -45,7 +45,7 @@ RUNTIME_CONFIG=""
|
||||
ETCDCTL=$(which etcdctl)
|
||||
KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
|
||||
UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
|
||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass"
|
||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass,StorageObjectInUseProtection"
|
||||
|
||||
function startApiServer() {
|
||||
local storage_versions=${1:-""}
|
||||
|
@ -128,15 +128,16 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
|
||||
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
||||
func DefaultOffAdmissionPlugins() sets.String {
|
||||
defaultOnPlugins := sets.NewString(
|
||||
lifecycle.PluginName, //NamespaceLifecycle
|
||||
limitranger.PluginName, //LimitRanger
|
||||
serviceaccount.PluginName, //ServiceAccount
|
||||
setdefault.PluginName, //DefaultStorageClass
|
||||
resize.PluginName, //PersistentVolumeClaimResize
|
||||
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
||||
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
||||
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
||||
resourcequota.PluginName, //ResourceQuota
|
||||
lifecycle.PluginName, //NamespaceLifecycle
|
||||
limitranger.PluginName, //LimitRanger
|
||||
serviceaccount.PluginName, //ServiceAccount
|
||||
setdefault.PluginName, //DefaultStorageClass
|
||||
resize.PluginName, //PersistentVolumeClaimResize
|
||||
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
||||
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
||||
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
||||
resourcequota.PluginName, //ResourceQuota
|
||||
storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
|
||||
)
|
||||
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
|
||||
|
Loading…
Reference in New Issue
Block a user