From ac18f6cf8b9d12297b52d42492e995f9805d1740 Mon Sep 17 00:00:00 2001
From: Robert Everson
Date: Thu, 2 Aug 2018 11:10:40 -0700
Subject: [PATCH 1/4] Add support for admission controllers in 1.10 and above
---
 roles/kubernetes/master/templates/kubeadm-config.yaml.j2 | 4 ++++
 .../master/templates/manifests/kube-apiserver.manifest.j2 | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 0852a37b4..4479eb95f 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -34,7 +34,11 @@ apiServerExtraArgs:
 bind-address: {{ kube_apiserver_bind_address }}
 insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
 insecure-port: "{{ kube_apiserver_insecure_port }}"
+{% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
+{% else %}
+ enable-admission-plugins: {{ kube_apiserver_admission_control | join(',') }}
+{% endif %}
 apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version | version_compare('v1.9', '>=') %}
 endpoint-reconciler-type: lease
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index c688e1285..02a550d7b 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -45,7 +45,11 @@ spec:
 {% if kube_version | version_compare('v1.9', '>=') %}
 - --endpoint-reconciler-type=lease
 {% endif %}
+{% if kube_version | version_compare('v1.10', '<') %}
 - --admission-control={{ kube_apiserver_admission_control | join(',') }}
+{% else %}
+ - --enable-admission-plugins={{ kube_apiserver_admission_control | join(',') }}
+{% endif %}
 - --service-cluster-ip-range={{ kube_service_addresses }}
 - --service-node-port-range={{ kube_apiserver_node_port_range }}
 - --client-ca-file={{ kube_cert_dir }}/ca.pem
From 6ed65d762bd7f0367981ab825d2631148342f07b Mon Sep 17 00:00:00 2001
From: Robert Everson
Date: Fri, 3 Aug 2018 11:58:03 -0700
Subject: [PATCH 2/4] Separate out plugins into 2 variables
---
 roles/kubernetes/master/defaults/main.yml | 14 ++++++++++++++
 .../master/templates/kubeadm-config.yaml.j2 | 3 ++-
 .../templates/manifests/kube-apiserver.manifest.j2 | 3 ++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index a050be1da..a2199e6ef 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -56,6 +56,20 @@ kube_apiserver_admission_control:
 {%- endif -%}
 - ResourceQuota
+# 1.10+ admission plugins
+kube_apiserver_enable_admission_plugins:
+ - NamespaceLifecycle
+ - LimitRanger
+ - ServiceAccount
+ - DefaultStorageClass
+ - DefaultTolerationSeconds
+ - MutatingAdmissionWebhook
+ - ValidatingAdmissionWebhook
+ - ResourceQuota
+
+# 1.10+ list of disabled admission plugins
+kube_apiserver_disable_admission_plugins: []
+
 # extra runtime config
 kube_api_runtime_config:
 - admissionregistration.k8s.io/v1alpha1
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 4479eb95f..438b900a9 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
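Review bot: The comment `# 1.10+ admission plugins` above the new `kube_apiserver_enable_admission_plugins` list reads as if it were the complete admission chain, but `--enable-admission-plugins` (the flag this list feeds in the template hunks) only adds plugins on top of kube-apiserver's built-in default set, whereas the pre-1.10 `--admission-control` value is the full ordered list. That matters for anyone porting a customised `kube_apiserver_admission_control`: leaving a plugin out of this list does not turn it off, it has to be named in `kube_apiserver_disable_admission_plugins`. I would say so in the comment, e.g. `# 1.10+ admission plugins, enabled in addition to the kube-apiserver defaults; to switch a default plugin off, list it in kube_apiserver_disable_admission_plugins below`. The new list also has no counterpart for the conditional entry that the legacy list guards with the `{%- endif -%}` at the top of this hunk, so whatever that block adds (not visible here) is lost on 1.10+ unless an operator re-adds it by hand.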
@@ -37,7 +37,8 @@ apiServerExtraArgs:
 {% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
 {% else %}
- enable-admission-plugins: {{ kube_apiserver_admission_control | join(',') }}
+ enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
+ disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
 apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version | version_compare('v1.9', '>=') %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 02a550d7b..c373ee285 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -48,7 +48,8 @@ spec:
 {% if kube_version | version_compare('v1.10', '<') %}
 - --admission-control={{ kube_apiserver_admission_control | join(',') }}
 {% else %}
- - --enable-admission-plugins={{ kube_apiserver_admission_control | join(',') }}
+ - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
+ - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
 - --service-cluster-ip-range={{ kube_service_addresses }}
 - --service-node-port-range={{ kube_apiserver_node_port_range }}
From 99c5aa5a0219b648b0bb65d2778ec380bfb9407f Mon Sep 17 00:00:00 2001
From: Robert Everson
Date: Mon, 6 Aug 2018 10:54:20 -0700
Subject: [PATCH 3/4] Use k8s default plugin list
---
 roles/kubernetes/master/defaults/main.yml | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index a2199e6ef..eda412999 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -57,15 +57,7 @@ kube_apiserver_admission_control:
 - ResourceQuota
 # 1.10+ admission plugins
-kube_apiserver_enable_admission_plugins:
- - NamespaceLifecycle
- - LimitRanger
- - ServiceAccount
- - DefaultStorageClass
- - DefaultTolerationSeconds
- - MutatingAdmissionWebhook
- - ValidatingAdmissionWebhook
- - ResourceQuota
+kube_apiserver_enable_admission_plugins: []
 # 1.10+ list of disabled admission plugins
 kube_apiserver_disable_admission_plugins: []
From 4eadf3228eee99ba3b37c64665f9f2bc52ceef37 Mon Sep 17 00:00:00 2001
From: Robert Everson
Date: Mon, 6 Aug 2018 11:50:48 -0700
Subject: [PATCH 4/4] Only add admission plugins if defined
---
 roles/kubernetes/master/defaults/main.yml | 2 +-
 roles/kubernetes/master/templates/kubeadm-config.yaml.j2 | 4 ++++
 .../master/templates/manifests/kube-apiserver.manifest.j2 | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index eda412999..82669e8b3 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -41,7 +41,7 @@ kube_apiserver_cpu_limit: 800m
 kube_apiserver_memory_requests: 256M
 kube_apiserver_cpu_requests: 100m
-# Admission control plug-ins
+# 1.9 and below Admission control plug-ins
 kube_apiserver_admission_control:
 - Initializers
 - NamespaceLifecycle
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 438b900a9..401892ca9 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
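Review bot: Defaulting `kube_apiserver_enable_admission_plugins` to `[]` means a 1.10+ apiserver now runs with only kube-apiserver's built-in default admission set, which is likely a weaker posture than the legacy `kube_apiserver_admission_control` list this file still ships for 1.9 and below: plugins such as NodeRestriction or PodSecurityPolicy are not part of the apiserver defaults and have to be enabled explicitly, and the conditional block the legacy list closes with `{%- endif -%}` (visible in the earlier defaults hunk, its contents are not) has no equivalent on the 1.10+ side. The commit message says "use k8s default plugin list" but does not say which plugins that drops relative to the rendered 1.9 flag, so I would either pre-populate this list with the non-default entries the legacy list carries (the relevant part of that list is outside the hunk) or at least state the gap in the comment, e.g. `# 1.10+ admission plugins, added on top of the kube-apiserver defaults; the defaults do not include NodeRestriction or PodSecurityPolicy, list them here if the 1.9 list enabled them`. Either way the 1.10+ path deserves a diff against the rendered pre-1.10 `--admission-control` value before this merges.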
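Review bot: The reworded comment `# 1.9 and below Admission control plug-ins` tells the reader when the list applies but not that on 1.10+ the template ignores it entirely, so an operator who customised `kube_apiserver_admission_control` in their inventory gets no hint that the customisation silently stops taking effect after an upgrade. I would extend the comment to name the replacement variables, e.g. `# Admission plug-ins for 1.9 and below (rendered as --admission-control); ignored on 1.10+, use kube_apiserver_enable_admission_plugins / kube_apiserver_disable_admission_plugins there`. A line in the role's docs or release notes would be the natural companion, since this is an upgrade-time behaviour change rather than a new option.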
@@ -37,8 +37,12 @@ apiServerExtraArgs:
 {% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
 {% else %}
+{% if kube_apiserver_enable_admission_plugins|length > 0 %}
 enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
+{% endif %}
+{% if kube_apiserver_disable_admission_plugins|length > 0 %}
 disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
+{% endif %}
 {% endif %}
 apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version | version_compare('v1.9', '>=') %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index c373ee285..82bd1db93 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -48,8 +48,12 @@ spec:
 {% if kube_version | version_compare('v1.10', '<') %}
 - --admission-control={{ kube_apiserver_admission_control | join(',') }}
 {% else %}
+{% if kube_apiserver_enable_admission_plugins|length > 0 %}
 - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
+{% endif %}
+{% if kube_apiserver_disable_admission_plugins|length > 0 %}
 - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
+{% endif %}
 {% endif %}
 - --service-cluster-ip-range={{ kube_service_addresses }}
 - --service-node-port-range={{ kube_apiserver_node_port_range }}
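Review bot: Emitting `enable-admission-plugins` under `apiServerExtraArgs` only when the list is non-empty is the right fix for the empty-value case, but an entry in `apiServerExtraArgs` replaces kubeadm's own flag of the same name rather than extending it; kubeadm releases of this era set `--enable-admission-plugins=NodeRestriction` themselves (worth confirming against the kubeadm version this targets), so the moment an operator lists any plugin here NodeRestriction is dropped unless they list it too. That is easy to get wrong and weakens kubelet/node isolation silently, so I would document it on `kube_apiserver_enable_admission_plugins` in defaults/main.yml, e.g. `# On kubeadm deployments this replaces kubeadm's own --enable-admission-plugins (NodeRestriction); include NodeRestriction here if you set anything`, or have the template fold the kubeadm default back in, e.g. `enable-admission-plugins: {{ (['NodeRestriction'] + kube_apiserver_enable_admission_plugins) | unique | join(',') }}`, behind a `kube_version` check for the release where kubeadm started doing that. The outer `{% else %}` branch and the enclosing `apiServerExtraArgs:` mapping begin above this hunk.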