From cd427fa4bece7d0add1be70d12e347e60b637f50 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 21 Feb 2017 23:30:05 +0800
Subject: [PATCH] enable DefaultTolerationSeconds admission controller by default
---
cluster/aws/config-default.sh | 2 +-
cluster/aws/config-test.sh | 2 +-
cluster/azure-legacy/config-default.sh | 2 +-
cluster/centos/config-default.sh | 2 +-
cluster/centos/master/scripts/apiserver.sh | 4 ++--
cluster/gce/config-default.sh | 2 +-
cluster/gce/config-test.sh | 2 +-
cluster/images/hyperkube/static-pods/master-multi.json | 2 +-
cluster/images/hyperkube/static-pods/master.json | 2 +-
.../kubernetes-master/templates/kube-apiserver.defaults | 2 +-
cluster/libvirt-coreos/util.sh | 2 +-
.../kubernetes-heat/fragments/configure-salt.yaml | 2 +-
.../templates/create-dynamic-salt-files.sh | 2 +-
cluster/rackspace/cloud-config/master-cloud-config.yaml | 2 +-
cluster/ubuntu/config-default.sh | 2 +-
cluster/vagrant/config-default.sh | 2 +-
cmd/kube-apiserver/app/BUILD | 1 +
cmd/kube-apiserver/app/plugins.go | 1 +
cmd/kubeadm/app/master/manifests.go | 2 +-
cmd/kubeadm/app/master/manifests_test.go | 6 +++---
hack/local-up-cluster.sh | 2 +-
plugin/pkg/admission/defaulttolerationseconds/admission.go | 2 +-
22 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh
index 23fa3237a2a..138a920d759 100644
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@@ -138,7 +138,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/aws/config-test.sh b/cluster/aws/config-test.sh
index 27b4d7563e7..97381617d3d 100755
--- a/cluster/aws/config-test.sh
+++ b/cluster/aws/config-test.sh
@@ -124,7 +124,7 @@ fi
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 # Optional: Enable/disable public IP assignment for minions.
 # Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
diff --git a/cluster/azure-legacy/config-default.sh b/cluster/azure-legacy/config-default.sh
index 20687b9311d..d3d7028dc2c 100644
--- a/cluster/azure-legacy/config-default.sh
+++ b/cluster/azure-legacy/config-default.sh
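Review bot: The new DefaultTolerationSeconds entry is appended after ResourceQuota, which contradicts the comment two lines above it that ResourceQuota should stay at the end of the list so quota usage is not incremented prematurely; since that comment implies the list order is the execution order, either the new plugin should be inserted before it, `ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota`, or the comment should be revised to say why it no longer applies. The same placement is used in every other admission-list hunk of this patch (aws config-test, azure-legacy, centos, gce config-default and config-test, both hyperkube static pods, juju, libvirt-coreos, openstack-heat, photon-controller, rackspace, ubuntu, vagrant and kubeadm's manifests.go), so the decision should be made once and applied consistently. Separately, going by the flag help text in the admission.go hunk at the end of this patch, the plugin mutates every pod that lacks the toleration, so turning it on by default changes eviction timing for all workloads on these deployments; that is worth a sentence in the commit description and in the comment above this line, e.g. `# DefaultTolerationSeconds adds notReady/unreachable NoExecute tolerations (default 300s) to pods that do not set their own.`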
@@ -57,4 +57,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh
index d5409f1ddc0..e80f2b61083 100755
--- a/cluster/centos/config-default.sh
+++ b/cluster/centos/config-default.sh
@@ -117,7 +117,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultTolerationSeconds
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh
index 2db77443656..de68c5ead5c 100755
--- a/cluster/centos/master/scripts/apiserver.sh
+++ b/cluster/centos/master/scripts/apiserver.sh
@@ -55,8 +55,8 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 # to do admission control of resources into cluster.
 # Comma-delimited list of:
 # LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
-# NamespaceLifecycle, NamespaceAutoProvision,
-# AlwaysAdmit, ServiceAccount, ResourceQuota, DefaultStorageClass
+# NamespaceLifecycle, NamespaceAutoProvision, AlwaysAdmit,
+# ServiceAccount, ResourceQuota, DefaultStorageClass, DefaultTolerationSeconds
 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"
 # --client-ca-file="": If set, any request presenting a client certificate signed
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 56d772c605a..bd178193584 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -167,7 +167,7 @@ ENABLE_RESCHEDULER="${KUBE_ENABLE_RESCHEDULER:-true}"
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 463cc46c40d..df422be4e90 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -191,7 +191,7 @@ fi
 ENABLE_RESCHEDULER="${KUBE_ENABLE_RESCHEDULER:-true}"
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota}"
+ADMISSION_CONTROL="${KUBE_ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds}"
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/images/hyperkube/static-pods/master-multi.json b/cluster/images/hyperkube/static-pods/master-multi.json
index 73fd4db3f59..48b47709c22 100644
--- a/cluster/images/hyperkube/static-pods/master-multi.json
+++ b/cluster/images/hyperkube/static-pods/master-multi.json
@@ -38,7 +38,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=0.0.0.0",
 "--etcd-servers=http://127.0.0.1:2379",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/images/hyperkube/static-pods/master.json b/cluster/images/hyperkube/static-pods/master.json
index a7096691d5c..479213c806e 100644
--- a/cluster/images/hyperkube/static-pods/master.json
+++ b/cluster/images/hyperkube/static-pods/master.json
@@ -37,7 +37,7 @@
 "--service-cluster-ip-range=10.0.0.1/24",
 "--insecure-bind-address=127.0.0.1",
 "--etcd-servers=http://127.0.0.1:2379",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--client-ca-file=/srv/kubernetes/ca.crt",
 "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
 "--min-request-timeout=300",
diff --git a/cluster/juju/layers/kubernetes-master/templates/kube-apiserver.defaults b/cluster/juju/layers/kubernetes-master/templates/kube-apiserver.defaults
index 9f528f87e11..5fdf32f2ad2 100644
--- a/cluster/juju/layers/kubernetes-master/templates/kube-apiserver.defaults
+++ b/cluster/juju/layers/kubernetes-master/templates/kube-apiserver.defaults
@@ -11,7 +11,7 @@ KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
 KUBE_API_PORT="--insecure-port=8080"
 # default admission control policies
-KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota"
+KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultTolerationSeconds"
 # Add your own!
 KUBE_API_ARGS="{{ kube_apiserver_flags }}"
diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index 6c6afab18ff..7154deb1e91 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -27,7 +27,7 @@ source "$KUBE_ROOT/cluster/common.sh"
 export LIBVIRT_DEFAULT_URI=qemu:///system
 export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
-export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds}
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
index ec2d4a9c6eb..760fae114c8 100644
--- a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
+++ b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -58,7 +58,7 @@ write_files:
 enable_dns_horizontal_autoscaler: "false"
 federations_domain_map: ''
 instance_prefix: kubernetes
- admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
+ admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 enable_cpu_cfs_quota: "true"
 network_provider: none
 cluster_cidr: "$cluster_cidr"
diff --git a/cluster/photon-controller/templates/create-dynamic-salt-files.sh b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
index e07fcd9b052..27610398edb 100755
--- a/cluster/photon-controller/templates/create-dynamic-salt-files.sh
+++ b/cluster/photon-controller/templates/create-dynamic-salt-files.sh
@@ -123,5 +123,5 @@ federations_domain_map: ''
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
-admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 EOF
diff --git a/cluster/rackspace/cloud-config/master-cloud-config.yaml b/cluster/rackspace/cloud-config/master-cloud-config.yaml
index 160195931e2..af4fb937508 100644
--- a/cluster/rackspace/cloud-config/master-cloud-config.yaml
+++ b/cluster/rackspace/cloud-config/master-cloud-config.yaml
@@ -136,7 +136,7 @@ coreos:
 --v=2 \
 --service-account-key-file=/var/run/kubernetes/kube-serviceaccount.key \
 --service-account-lookup=false \
- --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+ --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,DefaultTolerationSeconds
 Restart=always
 RestartSec=5
 - name: apiserver-advertiser.service
diff --git a/cluster/ubuntu/config-default.sh b/cluster/ubuntu/config-default.sh
index efa10f73757..2df4251fcbc 100755
--- a/cluster/ubuntu/config-default.sh
+++ b/cluster/ubuntu/config-default.sh
@@ -84,7 +84,7 @@ FLANNEL_OTHER_NET_CONFIG=${FLANNEL_OTHER_NET_CONFIG:-""}
 # for release >= 1.4.0; see that doc for the recommended settings for
 # earlier releases.
-export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
+export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 # Path to the pod manifest file or directory of files of kubelet
 export KUBELET_POD_MANIFEST_PATH=${KUBELET_POD_MANIFEST_PATH:-""}
diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh
index bf8c14166e3..8de21a94570 100755
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@@ -56,7 +56,7 @@ MASTER_PASSWD="${MASTER_PASSWD:-vagrant}"
 # Admission Controllers to invoke prior to persisting objects in cluster
 # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 # Optional: Enable node logging.
 ENABLE_NODE_LOGGING=false
diff --git a/cmd/kube-apiserver/app/BUILD b/cmd/kube-apiserver/app/BUILD
index d8c7a47cf09..7e8290488d7 100644
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@@ -35,6 +35,7 @@ go_library(
 "//plugin/pkg/admission/admit:go_default_library",
 "//plugin/pkg/admission/alwayspullimages:go_default_library",
 "//plugin/pkg/admission/antiaffinity:go_default_library",
+ "//plugin/pkg/admission/defaulttolerationseconds:go_default_library",
 "//plugin/pkg/admission/deny:go_default_library",
 "//plugin/pkg/admission/exec:go_default_library",
 "//plugin/pkg/admission/gc:go_default_library",
diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go
index 5bc86aec8ed..4e8057b4cc9 100644
--- a/cmd/kube-apiserver/app/plugins.go
+++ b/cmd/kube-apiserver/app/plugins.go
@@ -27,6 +27,7 @@ import (
 _ "k8s.io/kubernetes/plugin/pkg/admission/admit"
 _ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
 _ "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
+ _ "k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
 _ "k8s.io/kubernetes/plugin/pkg/admission/deny"
 _ "k8s.io/kubernetes/plugin/pkg/admission/exec"
 _ "k8s.io/kubernetes/plugin/pkg/admission/gc"
diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index a3d9d04f447..abac19775a1 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
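Review bot: The blank import added to plugins.go registers the plugin by init side effect, and the admission.go hunk at the end of this patch shows the plugin also declares its two tunables with package-level `flag.Int64` calls; if kube-apiserver collects the global flag set (I cannot see that from here), `--default-not-ready-toleration-seconds` and `--default-unreachable-toleration-seconds` now appear on the apiserver command line only because this import exists. It would be worth confirming those flags are surfaced and documented with the other apiserver options rather than discovered as an import side effect, and adding a comment on the new import line, e.g. `// also registers the --default-*-toleration-seconds flags`.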
@@ -304,7 +304,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 command = append(getComponentBaseCommand(apiServer),
 "--insecure-bind-address=127.0.0.1",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range="+cfg.Networking.ServiceSubnet,
 "--service-account-key-file="+getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
 "--client-ca-file="+getCertFilePath(kubeadmconstants.CACertName),
diff --git a/cmd/kubeadm/app/master/manifests_test.go b/cmd/kubeadm/app/master/manifests_test.go
index 353ff5459b5..7c0d9440b10 100644
--- a/cmd/kubeadm/app/master/manifests_test.go
+++ b/cmd/kubeadm/app/master/manifests_test.go
@@ -370,7 +370,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-bind-address=127.0.0.1",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
 "--client-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
@@ -399,7 +399,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-bind-address=127.0.0.1",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
 "--client-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
@@ -430,7 +430,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 expected: []string{
 "kube-apiserver",
 "--insecure-bind-address=127.0.0.1",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
 "--client-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 7357f5314fa..b02d1a0ba1f 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -374,7 +374,7 @@ function start_apiserver {
 fi
 # Admission Controllers to invoke prior to persisting objects in cluster
- ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},ResourceQuota,DefaultStorageClass
+ ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},ResourceQuota,DefaultStorageClass,DefaultTolerationSeconds
 # This is the default dir and filename where the apiserver will generate a self-signed cert
 # which should be able to be used as the CA to verify itself
diff --git a/plugin/pkg/admission/defaulttolerationseconds/admission.go b/plugin/pkg/admission/defaulttolerationseconds/admission.go
index 0cd692cb8f3..e54bb34dd33 100644
--- a/plugin/pkg/admission/defaulttolerationseconds/admission.go
+++ b/plugin/pkg/admission/defaulttolerationseconds/admission.go
@@ -30,7 +30,7 @@ import (
 var (
 defaultNotReadyTolerationSeconds = flag.Int64("default-not-ready-toleration-seconds", 300,
- "Indicates the tolerationSeconds of the toleration for `notReady:NoExecute`"+
+ "Indicates the tolerationSeconds of the toleration for notReady:NoExecute"+
 " that is added by default to every pod that does not already have such a toleration.")
 defaultUnreachableTolerationSeconds = flag.Int64("default-unreachable-toleration-seconds", 300,