github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 10:43:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #74610 from oomichi/issue/74038-2

Browse Source 
Enable StorageObjectInUseProtection by default
This commit is contained in:
Kubernetes Prow Robot 2019-04-16 02:11:29 -07:00 committed by GitHub
commit 98b6f35999
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hack/make-rules/test-cmd.sh
View File

@ -39,7 +39,7 @@ function run_kube_apiserver() {
# Admission Controllers to invoke prior to persisting objects in cluster # Admission Controllers to invoke prior to persisting objects in cluster
ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota" ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook" DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,StorageObjectInUseProtection"
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
AUTHORIZATION_MODE="RBAC,AlwaysAllow" AUTHORIZATION_MODE="RBAC,AlwaysAllow"

2
hack/test-update-storage-objects.sh
View File

@ -45,7 +45,7 @@ RUNTIME_CONFIG=""
ETCDCTL=$(which etcdctl) ETCDCTL=$(which etcdctl)
KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl" KUBECTL="${KUBE_OUTPUT_HOSTBIN}/kubectl"
UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh" UPDATE_ETCD_OBJECTS_SCRIPT="${KUBE_ROOT}/cluster/update-storage-objects.sh"
DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass" DISABLE_ADMISSION_PLUGINS="ServiceAccount,NamespaceLifecycle,LimitRanger,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PersistentVolumeLabel,DefaultStorageClass,StorageObjectInUseProtection"
function startApiServer() { function startApiServer() {
local storage_versions=${1:-""} local storage_versions=${1:-""}

19
pkg/kubeapiserver/options/plugins.go
View File

@ -128,15 +128,16 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver. // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
func DefaultOffAdmissionPlugins() sets.String { func DefaultOffAdmissionPlugins() sets.String {
defaultOnPlugins := sets.NewString( defaultOnPlugins := sets.NewString(
lifecycle.PluginName, //NamespaceLifecycle lifecycle.PluginName, //NamespaceLifecycle
limitranger.PluginName, //LimitRanger limitranger.PluginName, //LimitRanger
serviceaccount.PluginName, //ServiceAccount serviceaccount.PluginName, //ServiceAccount
setdefault.PluginName, //DefaultStorageClass setdefault.PluginName, //DefaultStorageClass
resize.PluginName, //PersistentVolumeClaimResize resize.PluginName, //PersistentVolumeClaimResize
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
mutatingwebhook.PluginName, //MutatingAdmissionWebhook mutatingwebhook.PluginName, //MutatingAdmissionWebhook
validatingwebhook.PluginName, //ValidatingAdmissionWebhook validatingwebhook.PluginName, //ValidatingAdmissionWebhook
resourcequota.PluginName, //ResourceQuota resourcequota.PluginName, //ResourceQuota
storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
) )
if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) { if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {