mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 19:31:44 +00:00
Merge pull request #107737 from gnufied/enable-node-restriction-default
Enable node restriction plugin by default for local clusters
This commit is contained in:
commit
a07241e3e0
@ -27,7 +27,6 @@ DOCKER_ROOT=${DOCKER_ROOT:-""}
|
||||
ALLOW_PRIVILEGED=${ALLOW_PRIVILEGED:-""}
|
||||
DENY_SECURITY_CONTEXT_ADMISSION=${DENY_SECURITY_CONTEXT_ADMISSION:-""}
|
||||
PSP_ADMISSION=${PSP_ADMISSION:-""}
|
||||
NODE_ADMISSION=${NODE_ADMISSION:-""}
|
||||
RUNTIME_CONFIG=${RUNTIME_CONFIG:-""}
|
||||
KUBELET_AUTHORIZATION_WEBHOOK=${KUBELET_AUTHORIZATION_WEBHOOK:-""}
|
||||
KUBELET_AUTHENTICATION_WEBHOOK=${KUBELET_AUTHENTICATION_WEBHOOK:-""}
|
||||
@ -111,7 +110,7 @@ export KUBE_PANIC_WATCH_DECODE_ERROR
|
||||
|
||||
# Default list of admission Controllers to invoke prior to persisting objects in cluster
|
||||
# The order defined here does not matter.
|
||||
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-"NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,Priority,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}
|
||||
ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-"NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,Priority,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction"}
|
||||
DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:-""}
|
||||
ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:-""}
|
||||
|
||||
@ -473,9 +472,6 @@ function start_apiserver {
|
||||
if [[ -n "${PSP_ADMISSION}" ]]; then
|
||||
security_admission=",PodSecurityPolicy"
|
||||
fi
|
||||
if [[ -n "${NODE_ADMISSION}" ]]; then
|
||||
security_admission=",NodeRestriction"
|
||||
fi
|
||||
|
||||
# Append security_admission plugin
|
||||
ENABLE_ADMISSION_PLUGINS="${ENABLE_ADMISSION_PLUGINS}${security_admission}"
|
||||
|
Loading…
Reference in New Issue
Block a user