Disable initializers by default
This commit is contained in:
parent
3b269e182d
commit
d98cbb2332
@ -124,7 +124,7 @@ export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
|
|||||||
# modification is overwritten.
|
# modification is overwritten.
|
||||||
# If we included ResourceQuota, we should keep it at the end of the list to
|
# If we included ResourceQuota, we should keep it at the end of the list to
|
||||||
# prevent incrementing quota usage prematurely.
|
# prevent incrementing quota usage prematurely.
|
||||||
export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultTolerationSeconds,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}
|
export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultTolerationSeconds,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}
|
||||||
|
|
||||||
# Extra options to set on the Docker command line.
|
# Extra options to set on the Docker command line.
|
||||||
# This is useful for setting --insecure-registry for local registries.
|
# This is useful for setting --insecure-registry for local registries.
|
||||||
|
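Review bot: The new default list still omits `NodeRestriction`, while the other cluster configs in this commit (the GCE lists a few hunks down) include it; without it a kubelet credential can modify any Node or Pod object rather than only its own. If this config is meant to be used with the Node authorizer and per-node kubelet credentials (not visible in this hunk), the line should read `export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"}`. The ordering the surrounding comments require (mutating webhook before validating, ResourceQuota last) is preserved by that change.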
@ -338,7 +338,7 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||||
ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection
|
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection
|
||||||
|
|
||||||
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
||||||
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
||||||
|
@ -345,7 +345,7 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
|
if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
|
||||||
ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection"
|
ADMISSION_CONTROL="NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection"
|
||||||
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
|
||||||
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
|
||||||
fi
|
fi
|
||||||
|
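Review bot: The new list, and the `PodSecurityPolicy` append gated on `ENABLE_POD_SECURITY_POLICY` below it, only run when `KUBE_ADMISSION_CONTROL` is empty, so an operator who sets that override presumably gets exactly their own string and silently loses the PSP plugin even with the flag on; the `else` branch is outside this hunk, so this is inferred from the structure. A comment above the assignment would prevent that surprise: `# KUBE_ADMISSION_CONTROL, when set, replaces this whole list; add PodSecurityPolicy there yourself if ENABLE_POD_SECURITY_POLICY is on.` The enclosing `if` block continues past the end of the hunk.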
@ -1248,7 +1248,6 @@ def configure_apiserver(etcd_connection_string):
|
|||||||
api_opts['etcd-servers'] = etcd_connection_string
|
api_opts['etcd-servers'] = etcd_connection_string
|
||||||
|
|
||||||
admission_control_pre_1_9 = [
|
admission_control_pre_1_9 = [
|
||||||
'Initializers',
|
|
||||||
'NamespaceLifecycle',
|
'NamespaceLifecycle',
|
||||||
'LimitRanger',
|
'LimitRanger',
|
||||||
'ServiceAccount',
|
'ServiceAccount',
|
||||||
@ -1278,9 +1277,6 @@ def configure_apiserver(etcd_connection_string):
|
|||||||
if kube_version < (1, 6):
|
if kube_version < (1, 6):
|
||||||
hookenv.log('Removing DefaultTolerationSeconds from admission-control')
|
hookenv.log('Removing DefaultTolerationSeconds from admission-control')
|
||||||
admission_control_pre_1_9.remove('DefaultTolerationSeconds')
|
admission_control_pre_1_9.remove('DefaultTolerationSeconds')
|
||||||
if kube_version < (1, 7):
|
|
||||||
hookenv.log('Removing Initializers from admission-control')
|
|
||||||
admission_control_pre_1_9.remove('Initializers')
|
|
||||||
if kube_version < (1, 9):
|
if kube_version < (1, 9):
|
||||||
api_opts['admission-control'] = ','.join(admission_control_pre_1_9)
|
api_opts['admission-control'] = ','.join(admission_control_pre_1_9)
|
||||||
else:
|
else:
|
||||||
|
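Review bot: Dropping the `kube_version < (1, 7)` block is required here, since `admission_control_pre_1_9.remove('Initializers')` would now raise `ValueError`, but the hunk only covers the `< (1, 9)` path that joins `admission_control_pre_1_9` into `--admission-control`. The `else` branch on the last visible line, which presumably builds the plugin list for 1.9+ clusters, is outside the hunk; please confirm it does not carry its own `'Initializers'` entry, otherwise the charm still enables the plugin on current releases and the commit title does not hold for them. A short comment on the pre-1.9 list such as `# Initializers (alpha) is intentionally not enabled on any version` would record the decision for the next person who touches this. `configure_apiserver` starts and ends outside the hunk.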
@ -89,7 +89,7 @@ TEST_CLUSTER_API_CONTENT_TYPE="${TEST_CLUSTER_API_CONTENT_TYPE:-}"
|
|||||||
|
|
||||||
KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS="${KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS:-}"
|
KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS="${KUBEMARK_MASTER_COMPONENTS_QPS_LIMITS:-}"
|
||||||
|
|
||||||
CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota}"
|
CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota}"
|
||||||
|
|
||||||
# Master components' test arguments.
|
# Master components' test arguments.
|
||||||
APISERVER_TEST_ARGS="${KUBEMARK_APISERVER_TEST_ARGS:-} --vmodule=httplog=3 --runtime-config=extensions/v1beta1,scheduling.k8s.io/v1alpha1 ${API_SERVER_TEST_LOG_LEVEL} ${TEST_CLUSTER_MAX_REQUESTS_INFLIGHT} ${TEST_CLUSTER_DELETE_COLLECTION_WORKERS}"
|
APISERVER_TEST_ARGS="${KUBEMARK_APISERVER_TEST_ARGS:-} --vmodule=httplog=3 --runtime-config=extensions/v1beta1,scheduling.k8s.io/v1alpha1 ${API_SERVER_TEST_LOG_LEVEL} ${TEST_CLUSTER_MAX_REQUESTS_INFLIGHT} ${TEST_CLUSTER_DELETE_COLLECTION_WORKERS}"
|
||||||
|
@ -481,7 +481,7 @@ function start_apiserver {
|
|||||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||||
#
|
#
|
||||||
# The order defined here dose not matter.
|
# The order defined here dose not matter.
|
||||||
ENABLE_ADMISSION_PLUGINS=Initializers,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection
|
ENABLE_ADMISSION_PLUGINS=LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection
|
||||||
|
|
||||||
audit_arg=""
|
audit_arg=""
|
||||||
APISERVER_BASIC_AUDIT_LOG=""
|
APISERVER_BASIC_AUDIT_LOG=""
|
||||||
|
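Review bot: The comment directly above the new `ENABLE_ADMISSION_PLUGINS` line has a typo and should read `# The order defined here does not matter.`; it also deserves a word on why, since the ordered `--admission-control` lists elsewhere in this commit do care about position. The list concatenates `ServiceAccount${security_admission},DefaultStorageClass` with no separator before the variable, so `security_admission` (defined outside the hunk) must be either empty or a `",Plugin"` suffix carrying its own leading comma; a one-line note next to the assignment, e.g. `# ${security_admission} is "" or ",<Plugin>" — it supplies its own leading comma`, would make that contract explicit. `start_apiserver` continues past the end of the hunk.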
@ -34,7 +34,7 @@ function run_kube_apiserver() {
|
|||||||
kube::log::status "Starting kube-apiserver"
|
kube::log::status "Starting kube-apiserver"
|
||||||
|
|
||||||
# Admission Controllers to invoke prior to persisting objects in cluster
|
# Admission Controllers to invoke prior to persisting objects in cluster
|
||||||
ENABLE_ADMISSION_PLUGINS="Initializers,LimitRanger,ResourceQuota"
|
ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
|
||||||
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
|
DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"
|
||||||
|
|
||||||
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
# Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
|
||||||
|
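Review bot: With the `ENABLE_ADMISSION_PLUGINS` / `DISABLE_ADMISSION_PLUGINS` pair on the new side, the comment `# Admission Controllers to invoke prior to persisting objects in cluster` is misleading, because plugins named in neither list presumably keep the apiserver's built-in defaults rather than being off (NamespaceLifecycle, for example, is listed in neither). Suggest replacing it with `# Admission plugins enabled/disabled on top of the apiserver defaults; anything not named here keeps its default state.` so a reader does not assume the two-entry list is the whole set. `run_kube_apiserver` continues past the end of the hunk.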
@ -11,7 +11,7 @@ spec:
|
|||||||
- /bin/sh
|
- /bin/sh
|
||||||
- -c
|
- -c
|
||||||
- /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
|
- /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
|
||||||
--cloud-provider=gce --admission-control=Initializers,NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
|
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
|
||||||
--service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
|
--service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
|
||||||
--basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
|
--basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
|
||||||
--tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
|
--tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
|
||||||
|
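Review bot: The new `--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota` argument keeps this example on the order-sensitive `--admission-control` flag while the other hunks in this commit have moved to `ENABLE_ADMISSION_PLUGINS`; if the example targets an apiserver that accepts the newer flag, `--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota` would keep it in step with the rest of the tree. Unrelated to this change but visible in the same command line, the example wires the apiserver to etcd over plaintext `http://127.0.0.1:4001` and enables `--basic-auth-file`; a comment marking this manifest as a loopback-only test example would stop it being copied into a real cluster as-is. The container spec begins above the hunk.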