[k8s] Fix default admission controller

The default admission controller list of k8s is being updated in this patch by removing the SecurityContextDeny controller, which will fix the k8s dashboard and metrics/prometheus creating issue. Story: 2008426 Change-Id: I2cd53bc9c59a60b90f708b1434381f120ace8c49
2020-12-08 08:47:03 +13:00 · 2020-12-08 08:47:03 +13:00 · fade245170
parent 1af0cd0a97
commit fade245170
2 changed files with 6 additions and 1 deletions
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@ -222,7 +222,7 @@ parameters:
    type: string
    description: >
      List of admission control plugins to activate
-    default: "NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
+    default: "PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"

  kube_allow_priv:
    type: string
--- a/releasenotes/notes/default-admission-controller-04398548cf63597c.yaml
+++ b/releasenotes/notes/default-admission-controller-04398548cf63597c.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Now the default admission controller list is updated by as
+    "NodeRestriction, PodSecurityPolicy, NamespaceLifecycle, LimitRanger, ServiceAccount, ResourceQuota, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass"