From d98cbb2332aca8cbe0f4dea15895834d2c38b0a8 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Tue, 10 Jul 2018 15:14:32 -0400 Subject: [PATCH] Disable initializers by default --- cluster/centos/config-default.sh | 2 +- cluster/gce/config-default.sh | 2 +- cluster/gce/config-test.sh | 2 +- .../layers/kubernetes-master/reactive/kubernetes_master.py | 4 ---- cluster/kubemark/gce/config-default.sh | 2 +- hack/local-up-cluster.sh | 2 +- hack/make-rules/test-cmd.sh | 2 +- .../doc-yaml/admin/high-availability/kube-apiserver.yaml | 2 +- 8 files changed, 7 insertions(+), 11 deletions(-) diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh index 0da86f28fd4..4d33d4ab201 100755 --- a/cluster/centos/config-default.sh +++ b/cluster/centos/config-default.sh @@ -124,7 +124,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"} # modification is overwritten. # If we included ResourceQuota, we should keep it at the end of the list to # prevent incrementing quota usage prematurely. -export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultTolerationSeconds,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"} +export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultTolerationSeconds,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"} # Extra options to set on the Docker command line. # This is useful for setting --insecure-registry for local registries. diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index c7600253031..1b0cdf7e464 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh @@ -338,7 +338,7 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then fi # Admission Controllers to invoke prior to persisting objects in cluster -ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection +ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy" diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh index a29d9ee4328..438c551a6a3 100755 --- a/cluster/gce/config-test.sh +++ b/cluster/gce/config-test.sh @@ -345,7 +345,7 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then fi if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then - ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection" + ADMISSION_CONTROL="NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection" if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy" fi diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index c34739b5fea..ed98cf7c1ba 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py @@ -1248,7 +1248,6 @@ def configure_apiserver(etcd_connection_string): api_opts['etcd-servers'] = etcd_connection_string admission_control_pre_1_9 = [ - 'Initializers', 'NamespaceLifecycle', 'LimitRanger', 'ServiceAccount', @@ -1278,9 +1277,6 @@ def configure_apiserver(etcd_connection_string): if kube_version < (1, 6): hookenv.log('Removing DefaultTolerationSeconds from admission-control') admission_control_pre_1_9.remove('DefaultTolerationSeconds') - if kube_version < (1, 7): - hookenv.log('Removing Initializers from admission-control') - admission_control_pre_1_9.remove('Initializers') if kube_version < (1, 9): api_opts['admission-control'] = ','.join(admission_control_pre_1_9) else: diff --git a/cluster/kubemark/gce/config-default.sh b/cluster/kubemark/gce/config-default.sh index 659a57653d8..2414499927e 100644 --- a/cluster/kubemark/gce/config-default.sh +++ b/cluster/kubemark/gce/config-default.sh @@ -89,7 +89,7 @@ TEST_CLUSTER_API_CONTENT_TYPE="${TEST_CLUSTER_API_CONTENT_TYPE:-}" KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS="${KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS:-}" -CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota}" +CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota}" # Master components' test arguments. APISERVER_TEST_ARGS="${KUBEMARK_APISERVER_TEST_ARGS:-} --vmodule=httplog=3 --runtime-config=extensions/v1beta1,scheduling.k8s.io/v1alpha1 ${API_SERVER_TEST_LOG_LEVEL} ${TEST_CLUSTER_MAX_REQUESTS_INFLIGHT} ${TEST_CLUSTER_DELETE_COLLECTION_WORKERS}" diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index d83c49d482b..93acacada32 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh @@ -481,7 +481,7 @@ function start_apiserver { # Admission Controllers to invoke prior to persisting objects in cluster # # The order defined here dose not matter. - ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection + ENABLE_ADMISSION_PLUGINS=LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection audit_arg="" APISERVER_BASIC_AUDIT_LOG="" diff --git a/hack/make-rules/test-cmd.sh b/hack/make-rules/test-cmd.sh index e5763dc2321..4e92fdc61bf 100755 --- a/hack/make-rules/test-cmd.sh +++ b/hack/make-rules/test-cmd.sh @@ -34,7 +34,7 @@ function run_kube_apiserver() { kube::log::status "Starting kube-apiserver" # Admission Controllers to invoke prior to persisting objects in cluster - ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota" + ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota" DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook" # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions diff --git a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml index a415ebc19d9..b2540000d39 100644 --- a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml +++ b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml @@ -11,7 +11,7 @@ spec: - /bin/sh - -c - /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 - --cloud-provider=gce --admission-control=Initializers,NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota + --cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key