Add denyserviceexternalips admission

2025-09-21 09:57:52 +00:00 · 2020-12-18 14:37:16 -08:00
parent 02b77861ec
commit a8299079a5
6 changed files with 295 additions and 14 deletions
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -36,6 +36,7 @@ go_library(
        "//plugin/pkg/admission/namespace/autoprovision:go_default_library",
        "//plugin/pkg/admission/namespace/exists:go_default_library",
        "//plugin/pkg/admission/network/defaultingressclass:go_default_library",
+        "//plugin/pkg/admission/network/denyserviceexternalips:go_default_library",
        "//plugin/pkg/admission/noderestriction:go_default_library",
        "//plugin/pkg/admission/nodetaint:go_default_library",
        "//plugin/pkg/admission/podnodeselector:go_default_library",
--- a/pkg/kubeapiserver/options/plugins.go
+++ b/pkg/kubeapiserver/options/plugins.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
 	"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 	"k8s.io/kubernetes/plugin/pkg/admission/network/defaultingressclass"
+	"k8s.io/kubernetes/plugin/pkg/admission/network/denyserviceexternalips"
 	"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	"k8s.io/kubernetes/plugin/pkg/admission/nodetaint"
 	"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
@@ -93,6 +94,7 @@ var AllOrderedPlugins = []string{
 	certsigning.PluginName,                  // CertificateSigning
 	certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
 	defaultingressclass.PluginName,          // DefaultIngressClass
+	denyserviceexternalips.PluginName,       // DenyServiceExternalIPs

 	// new admission plugins should generally be inserted above here
 	// webhook, resourcequota, and deny plugins must go at the end
@@ -111,6 +113,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
 	antiaffinity.Register(plugins)
 	defaulttolerationseconds.Register(plugins)
 	defaultingressclass.Register(plugins)
+	denyserviceexternalips.Register(plugins)
 	deny.Register(plugins) // DEPRECATED as no real meaning
 	eventratelimit.Register(plugins)
 	exec.Register(plugins)
@@ -142,23 +145,23 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
 // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
 func DefaultOffAdmissionPlugins() sets.String {
 	defaultOnPlugins := sets.NewString(
-		lifecycle.PluginName,                    //NamespaceLifecycle
-		limitranger.PluginName,                  //LimitRanger
-		serviceaccount.PluginName,               //ServiceAccount
-		setdefault.PluginName,                   //DefaultStorageClass
-		resize.PluginName,                       //PersistentVolumeClaimResize
-		defaulttolerationseconds.PluginName,     //DefaultTolerationSeconds
-		mutatingwebhook.PluginName,              //MutatingAdmissionWebhook
-		validatingwebhook.PluginName,            //ValidatingAdmissionWebhook
-		resourcequota.PluginName,                //ResourceQuota
-		storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
-		podpriority.PluginName,                  //PodPriority
-		nodetaint.PluginName,                    //TaintNodesByCondition
-		runtimeclass.PluginName,                 //RuntimeClass
+		lifecycle.PluginName,                    // NamespaceLifecycle
+		limitranger.PluginName,                  // LimitRanger
+		serviceaccount.PluginName,               // ServiceAccount
+		setdefault.PluginName,                   // DefaultStorageClass
+		resize.PluginName,                       // PersistentVolumeClaimResize
+		defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
+		mutatingwebhook.PluginName,              // MutatingAdmissionWebhook
+		validatingwebhook.PluginName,            // ValidatingAdmissionWebhook
+		resourcequota.PluginName,                // ResourceQuota
+		storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
+		podpriority.PluginName,                  // PodPriority
+		nodetaint.PluginName,                    // TaintNodesByCondition
+		runtimeclass.PluginName,                 // RuntimeClass
 		certapproval.PluginName,                 // CertificateApproval
 		certsigning.PluginName,                  // CertificateSigning
 		certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
-		defaultingressclass.PluginName,          //DefaultIngressClass
+		defaultingressclass.PluginName,          // DefaultIngressClass
 	)

 	return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)