229ab73ada
Automatic merge from submit-queue (batch tested with PRs 58784, 62057, 62621, 62652, 62656). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. remove deprecated initresource admission plugin **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: xref https://github.com/kubernetes/kubernetes/pull/55375#issuecomment-360329586 **Special notes for your reviewer**: /assign @piosz @deads2k **Release note**: ```release-note remove deprecated initresource admission plugin ```
144 lines
6.7 KiB
Go
144 lines
6.7 KiB
Go
/*
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package options
|
|
|
|
// This file exists to force the desired plugin implementations to be linked.
|
|
// This should probably be part of some configuration fed into the build for a
|
|
// given binary target.
|
|
import (
|
|
// Cloud providers
|
|
_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
|
|
|
|
// Admission policies
|
|
"k8s.io/kubernetes/plugin/pkg/admission/admit"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/deny"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/eventratelimit"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/exec"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/gc"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/imagepolicy"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/podpreset"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
|
|
podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/label"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault"
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection"
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
"k8s.io/apiserver/pkg/admission"
|
|
"k8s.io/apiserver/pkg/admission/plugin/initialization"
|
|
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
|
|
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
|
|
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
|
|
)
|
|
|
|
// AllOrderedPlugins is the list of all the plugins in order.
|
|
var AllOrderedPlugins = []string{
|
|
admit.PluginName, // AlwaysAdmit
|
|
autoprovision.PluginName, // NamespaceAutoProvision
|
|
lifecycle.PluginName, // NamespaceLifecycle
|
|
exists.PluginName, // NamespaceExists
|
|
scdeny.PluginName, // SecurityContextDeny
|
|
antiaffinity.PluginName, // LimitPodHardAntiAffinityTopology
|
|
podpreset.PluginName, // PodPreset
|
|
limitranger.PluginName, // LimitRanger
|
|
serviceaccount.PluginName, // ServiceAccount
|
|
noderestriction.PluginName, // NodeRestriction
|
|
alwayspullimages.PluginName, // AlwaysPullImages
|
|
imagepolicy.PluginName, // ImagePolicyWebhook
|
|
podsecuritypolicy.PluginName, // PodSecurityPolicy
|
|
podnodeselector.PluginName, // PodNodeSelector
|
|
podpriority.PluginName, // Priority
|
|
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
|
|
podtolerationrestriction.PluginName, // PodTolerationRestriction
|
|
exec.DenyEscalatingExec, // DenyEscalatingExec
|
|
exec.DenyExecOnPrivileged, // DenyExecOnPrivileged
|
|
eventratelimit.PluginName, // EventRateLimit
|
|
extendedresourcetoleration.PluginName, // ExtendedResourceToleration
|
|
label.PluginName, // PersistentVolumeLabel
|
|
setdefault.PluginName, // DefaultStorageClass
|
|
storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
|
|
gc.PluginName, // OwnerReferencesPermissionEnforcement
|
|
resize.PluginName, // PersistentVolumeClaimResize
|
|
mutatingwebhook.PluginName, // MutatingAdmissionWebhook
|
|
initialization.PluginName, // Initializers
|
|
validatingwebhook.PluginName, // ValidatingAdmissionWebhook
|
|
resourcequota.PluginName, // ResourceQuota
|
|
deny.PluginName, // AlwaysDeny
|
|
}
|
|
|
|
// RegisterAllAdmissionPlugins registers all admission plugins and
|
|
// sets the recommended plugins order.
|
|
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
|
|
admit.Register(plugins) // DEPRECATED as no real meaning
|
|
alwayspullimages.Register(plugins)
|
|
antiaffinity.Register(plugins)
|
|
defaulttolerationseconds.Register(plugins)
|
|
deny.Register(plugins) // DEPRECATED as no real meaning
|
|
eventratelimit.Register(plugins)
|
|
exec.Register(plugins)
|
|
extendedresourcetoleration.Register(plugins)
|
|
gc.Register(plugins)
|
|
imagepolicy.Register(plugins)
|
|
limitranger.Register(plugins)
|
|
autoprovision.Register(plugins)
|
|
exists.Register(plugins)
|
|
noderestriction.Register(plugins)
|
|
label.Register(plugins) // DEPRECATED in favor of NewPersistentVolumeLabelController in CCM
|
|
podnodeselector.Register(plugins)
|
|
podpreset.Register(plugins)
|
|
podtolerationrestriction.Register(plugins)
|
|
resourcequota.Register(plugins)
|
|
podsecuritypolicy.Register(plugins)
|
|
podpriority.Register(plugins)
|
|
scdeny.Register(plugins)
|
|
serviceaccount.Register(plugins)
|
|
setdefault.Register(plugins)
|
|
resize.Register(plugins)
|
|
storageobjectinuseprotection.Register(plugins)
|
|
}
|
|
|
|
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
|
func DefaultOffAdmissionPlugins() sets.String {
|
|
defaultOnPlugins := sets.NewString(
|
|
lifecycle.PluginName, //NamespaceLifecycle
|
|
limitranger.PluginName, //LimitRanger
|
|
serviceaccount.PluginName, //ServiceAccount
|
|
label.PluginName, //PersistentVolumeLabel
|
|
setdefault.PluginName, //DefaultStorageClass
|
|
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
|
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
|
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
|
resourcequota.PluginName, //ResourceQuota
|
|
)
|
|
|
|
return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
|
|
}
|