2019-01-12 04:58:27 +00:00
|
|
|
/*
|
|
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package options
|
|
|
|
|
|
|
|
// This file exists to force the desired plugin implementations to be linked.
|
|
|
|
// This should probably be part of some configuration fed into the build for a
|
|
|
|
// given binary target.
|
|
|
|
import (
|
|
|
|
// Admission policies
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/admit"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
|
2020-03-26 21:07:15 +00:00
|
|
|
certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
|
|
|
|
certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
|
|
|
|
certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/defaultingressclass"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/deny"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/eventratelimit"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/exec"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/gc"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/imagepolicy"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
|
2019-04-07 17:07:55 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
|
2019-01-31 22:42:07 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/nodetaint"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
|
2019-01-12 04:58:27 +00:00
|
|
|
podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
|
2019-09-27 21:51:53 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/runtimeclass"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/label"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize"
|
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection"
|
2019-01-12 04:58:27 +00:00
|
|
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
|
|
"k8s.io/apiserver/pkg/admission"
|
|
|
|
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
|
2020-12-01 01:06:26 +00:00
|
|
|
"k8s.io/apiserver/pkg/admission/plugin/resourcequota"
|
2019-01-12 04:58:27 +00:00
|
|
|
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
|
|
|
|
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
|
|
|
|
)
|
|
|
|
|
|
|
|
// AllOrderedPlugins is the list of all the plugins in order.
|
|
|
|
var AllOrderedPlugins = []string{
|
2019-08-30 18:33:25 +00:00
|
|
|
admit.PluginName, // AlwaysAdmit
|
|
|
|
autoprovision.PluginName, // NamespaceAutoProvision
|
2019-04-07 17:07:55 +00:00
|
|
|
lifecycle.PluginName, // NamespaceLifecycle
|
2019-08-30 18:33:25 +00:00
|
|
|
exists.PluginName, // NamespaceExists
|
|
|
|
scdeny.PluginName, // SecurityContextDeny
|
|
|
|
antiaffinity.PluginName, // LimitPodHardAntiAffinityTopology
|
2019-04-07 17:07:55 +00:00
|
|
|
limitranger.PluginName, // LimitRanger
|
|
|
|
serviceaccount.PluginName, // ServiceAccount
|
|
|
|
noderestriction.PluginName, // NodeRestriction
|
|
|
|
nodetaint.PluginName, // TaintNodesByCondition
|
2019-08-30 18:33:25 +00:00
|
|
|
alwayspullimages.PluginName, // AlwaysPullImages
|
|
|
|
imagepolicy.PluginName, // ImagePolicyWebhook
|
|
|
|
podsecuritypolicy.PluginName, // PodSecurityPolicy
|
|
|
|
podnodeselector.PluginName, // PodNodeSelector
|
2019-04-07 17:07:55 +00:00
|
|
|
podpriority.PluginName, // Priority
|
|
|
|
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
|
2019-08-30 18:33:25 +00:00
|
|
|
podtolerationrestriction.PluginName, // PodTolerationRestriction
|
|
|
|
exec.DenyEscalatingExec, // DenyEscalatingExec
|
|
|
|
exec.DenyExecOnPrivileged, // DenyExecOnPrivileged
|
|
|
|
eventratelimit.PluginName, // EventRateLimit
|
|
|
|
extendedresourcetoleration.PluginName, // ExtendedResourceToleration
|
|
|
|
label.PluginName, // PersistentVolumeLabel
|
2019-04-07 17:07:55 +00:00
|
|
|
setdefault.PluginName, // DefaultStorageClass
|
2019-08-30 18:33:25 +00:00
|
|
|
storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
|
|
|
|
gc.PluginName, // OwnerReferencesPermissionEnforcement
|
2019-04-07 17:07:55 +00:00
|
|
|
resize.PluginName, // PersistentVolumeClaimResize
|
2020-03-26 21:07:15 +00:00
|
|
|
runtimeclass.PluginName, // RuntimeClass
|
|
|
|
certapproval.PluginName, // CertificateApproval
|
|
|
|
certsigning.PluginName, // CertificateSigning
|
|
|
|
certsubjectrestriction.PluginName, // CertificateSubjectRestriction
|
|
|
|
defaultingressclass.PluginName, // DefaultIngressClass
|
|
|
|
|
|
|
|
// new admission plugins should generally be inserted above here
|
|
|
|
// webhook, resourcequota, and deny plugins must go at the end
|
|
|
|
|
|
|
|
mutatingwebhook.PluginName, // MutatingAdmissionWebhook
|
|
|
|
validatingwebhook.PluginName, // ValidatingAdmissionWebhook
|
|
|
|
resourcequota.PluginName, // ResourceQuota
|
|
|
|
deny.PluginName, // AlwaysDeny
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// RegisterAllAdmissionPlugins registers all admission plugins and
|
|
|
|
// sets the recommended plugins order.
|
|
|
|
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
|
2019-08-30 18:33:25 +00:00
|
|
|
admit.Register(plugins) // DEPRECATED as no real meaning
|
|
|
|
alwayspullimages.Register(plugins)
|
|
|
|
antiaffinity.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
defaulttolerationseconds.Register(plugins)
|
2020-03-26 21:07:15 +00:00
|
|
|
defaultingressclass.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
deny.Register(plugins) // DEPRECATED as no real meaning
|
|
|
|
eventratelimit.Register(plugins)
|
|
|
|
exec.Register(plugins)
|
|
|
|
extendedresourcetoleration.Register(plugins)
|
|
|
|
gc.Register(plugins)
|
|
|
|
imagepolicy.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
limitranger.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
autoprovision.Register(plugins)
|
|
|
|
exists.Register(plugins)
|
2019-04-07 17:07:55 +00:00
|
|
|
noderestriction.Register(plugins)
|
2019-01-31 22:42:07 +00:00
|
|
|
nodetaint.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
label.Register(plugins) // DEPRECATED, future PVs should not rely on labels for zone topology
|
|
|
|
podnodeselector.Register(plugins)
|
|
|
|
podtolerationrestriction.Register(plugins)
|
2019-09-27 21:51:53 +00:00
|
|
|
runtimeclass.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
resourcequota.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
podsecuritypolicy.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
podpriority.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
scdeny.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
serviceaccount.Register(plugins)
|
|
|
|
setdefault.Register(plugins)
|
|
|
|
resize.Register(plugins)
|
2019-08-30 18:33:25 +00:00
|
|
|
storageobjectinuseprotection.Register(plugins)
|
2020-03-26 21:07:15 +00:00
|
|
|
certapproval.Register(plugins)
|
|
|
|
certsigning.Register(plugins)
|
|
|
|
certsubjectrestriction.Register(plugins)
|
2019-01-12 04:58:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
|
|
|
func DefaultOffAdmissionPlugins() sets.String {
|
|
|
|
defaultOnPlugins := sets.NewString(
|
2019-08-30 18:33:25 +00:00
|
|
|
lifecycle.PluginName, //NamespaceLifecycle
|
|
|
|
limitranger.PluginName, //LimitRanger
|
|
|
|
serviceaccount.PluginName, //ServiceAccount
|
|
|
|
setdefault.PluginName, //DefaultStorageClass
|
|
|
|
resize.PluginName, //PersistentVolumeClaimResize
|
|
|
|
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
|
|
|
|
mutatingwebhook.PluginName, //MutatingAdmissionWebhook
|
|
|
|
validatingwebhook.PluginName, //ValidatingAdmissionWebhook
|
|
|
|
resourcequota.PluginName, //ResourceQuota
|
|
|
|
storageobjectinuseprotection.PluginName, //StorageObjectInUseProtection
|
2019-09-27 21:51:53 +00:00
|
|
|
podpriority.PluginName, //PodPriority
|
2019-12-12 01:27:03 +00:00
|
|
|
nodetaint.PluginName, //TaintNodesByCondition
|
2020-12-01 01:06:26 +00:00
|
|
|
runtimeclass.PluginName, //RuntimeClass
|
2020-03-26 21:07:15 +00:00
|
|
|
certapproval.PluginName, // CertificateApproval
|
|
|
|
certsigning.PluginName, // CertificateSigning
|
|
|
|
certsubjectrestriction.PluginName, // CertificateSubjectRestriction
|
|
|
|
defaultingressclass.PluginName, //DefaultIngressClass
|
2019-01-12 04:58:27 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
|
|
|
|
}
|