Merge pull request #74610 from oomichi/issue/74038-2
Enable StorageObjectInUseProtection by default
commit
98b6f35999
@ -39,7 +39,7 @@ function run_kube_apiserver() {
|
|||||||
|
|
||||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||||
ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
|
ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
|
||||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
|
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,StorageObjectInUseProtection"
|
||||||
|
|
||||||
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
||||||
AUTHORIZATION_MODE="RBAC,AlwaysAllow"
|
AUTHORIZATION_MODE="RBAC,AlwaysAllow"
|
||||||
|
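Review bot: The `DISABLE_ADMISSION_PLUGINS` line that now ends in `StorageObjectInUseProtection` (presumably the new side, since it is the longer of the two printed lines) gives no reason why this test apiserver opts out of a plugin that the same commit turns on by default. The list sits directly above `AUTHORIZATION_MODE="RBAC,AlwaysAllow"`, so this is a deliberately permissive test configuration, and a one-line comment would stop it being copied into a real cluster setup, for example `# StorageObjectInUseProtection is default-on; disabled for this test server only (<reason>)`. The `DISABLE_ADMISSION_PLUGINS` line in the hunk that starts at `RUNTIME_CONFIG=""` has the same gap. The body of `run_kube_apiserver` continues outside the hunk.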
@ -45,7 +45,7 @@ RUNTIME_CONFIG=""
|
|||||||
ETCDCTL=$(which etcdctl)
|
ETCDCTL=$(which etcdctl)
|
||||||
KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
|
KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
|
||||||
UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
|
UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
|
||||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass"
|
DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass,StorageObjectInUseProtection"
|
||||||
|
|
||||||
function startApiServer() {
|
function startApiServer() {
|
||||||
local storage_versions=${1:-""}
|
local storage_versions=${1:-""}
|
||||||
|
@ -128,15 +128,16 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
|
|||||||
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
||||||
func DefaultOffAdmissionPlugins() sets.String {
|
func DefaultOffAdmissionPlugins() sets.String {
|
||||||
defaultOnPlugins := sets.NewString(
|
defaultOnPlugins := sets.NewString(
|
||||||
lifecycle.PluginName, //NamespaceLifecycle
|
lifecycle.PluginName, //NamespaceLifecycle
|
||||||
limitranger.PluginName, //LimitRanger
|
limitranger.PluginName, //LimitRanger
|
||||||
serviceaccount.PluginName, //ServiceAccount
|
serviceaccount.PluginName, //ServiceAccount
|
||||||
setdefault.PluginName, //DefaultStorageClass
|
setdefault.PluginName, //DefaultStorageClass
|
||||||
resize.PluginName, //PersistentVolumeClaimResize
|
resize.PluginName, //PersistentVolumeClaimResize
|
||||||
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
||||||
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
||||||
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
||||||
resourcequota.PluginName, //ResourceQuota
|
resourcequota.PluginName, //ResourceQuota
|
||||||
|
storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
|
||||||
)
|
)
|
||||||
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
|
if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
|
||||||
|
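Review bot: The added `storageobjectinuseprotection.PluginName` entry changes the admission set of every kube-apiserver that relies on the defaults, but nothing visible in this hunk pins that set in a test or documents what the plugin depends on. As far as I know, the plugin only attaches protection finalizers to PersistentVolumeClaims and PersistentVolumes, and the matching protection controllers in kube-controller-manager remove them. If that is right, a comment above the entry should say so, for example `// StorageObjectInUseProtection adds finalizers that the PVC/PV protection controllers remove; both must be running`. A small test asserting that `DefaultOffAdmissionPlugins()` does not contain the plugin name would catch an accidental removal from the default-on list. The function body continues outside the hunk, so such a test may already exist where it is not visible here.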