
Update default k8s admission controller list

There are two issues with the current k8s admission controller list:

1. The default existing list is not consistent whether the user passes
in extra controllers or not
2. The existing list is out of date.

The new list is based on the considerations below:
1. Get the default list based on k8s v1.16.x[1] because it's the
oldest supported version.
2. Keep it consistent whether the user passes in extra controllers or not
3. Keep all the admission controllers we have used in the code

[1] https://v1-16.docs.kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#which-plugins-are-enabled-by-default

Task: 40767
Story: 2008076

Change-Id: Ie5b89b97710d2e2d41c9ce4f3ec30046390acbeb
changes/89/748389/5
Feilong Wang 11 months ago
parent
commit
a837b5c03d
  1. 2
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
  2. 2
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml

2
magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh

@ -60,7 +60,7 @@ cat > /etc/kubernetes/apiserver <<EOF
KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:4001"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
KUBE_ADMISSION_CONTROL="--admission-control=NodeRestriction,${ADMISSION_CONTROL_LIST}"
KUBE_API_ARGS=""
EOF
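
Review bot: the KUBE_ADMISSION_CONTROL line that expands ${ADMISSION_CONTROL_LIST} prepends NodeRestriction unconditionally, so a supplied list that already contains NodeRestriction produces a duplicate entry, and an empty or unset value produces "NodeRestriction," with a trailing comma. Consider de-duplicating the list and dropping empty items before the heredoc is written, or at least stating in the parameter description that NodeRestriction is always added. Separately, --admission-control is the deprecated, order-sensitive flag; --enable-admission-plugins has been available since before v1.16 and does not depend on plugin order.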

2
magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml

@ -222,7 +222,7 @@ parameters:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
default: "NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
kube_allow_priv:
type: string
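
Review bot: the longer default (the one that includes SecurityContextDeny) places ResourceQuota fifth, ahead of MutatingAdmissionWebhook and ValidatingAdmissionWebhook, while the shorter default keeps it last. If this value reaches the API server through the order-sensitive --admission-control flag seen in configure-kubernetes-master.sh, quota would be evaluated before the mutating webhook can change the object, so ResourceQuota should stay at the end of the list. The description "List of admission control plugins to activate" also does not mention that SecurityContextDeny, which rejects pods that set certain securityContext fields, is now on by default for clusters that do not override this parameter; a sentence on that would help operators who rely on the old default.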
