Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
aa9957e7
Commit
aa9957e7
authored
Oct 06, 2015
by
Abhi Shah
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #15035 from ArtfulCoder/admissionChange
Removed DenyEscalatingExec from the list of default admission control…
parents
f4bbb32b
a1b6dbe8
Hide whitespace changes
Inline
Side-by-side
Showing
12 changed files
with
13 additions
and
14 deletions
+13
-14
config-default.sh
cluster/aws/config-default.sh
+1
-1
config-test.sh
cluster/aws/config-test.sh
+1
-1
config-default.sh
cluster/azure/config-default.sh
+1
-1
apiserver.sh
cluster/centos/master/scripts/apiserver.sh
+1
-1
config-default.sh
cluster/gce/config-default.sh
+1
-1
config-test.sh
cluster/gce/config-test.sh
+1
-1
docker-compose.yml
cluster/mesos/docker/docker-compose.yml
+1
-1
config-default.sh
cluster/vagrant/config-default.sh
+1
-1
admission-controllers.md
docs/admin/admission-controllers.md
+1
-1
kube-apiserver.yaml
docs/admin/high-availability/kube-apiserver.yaml
+1
-1
master.yaml
docs/getting-started-guides/coreos/cloud-configs/master.yaml
+1
-1
local-up-cluster.sh
hack/local-up-cluster.sh
+2
-3
No files found.
cluster/aws/config-default.sh
View file @
aa9957e7
...
...
@@ -87,7 +87,7 @@ DNS_REPLICAS=1
ENABLE_CLUSTER_UI
=
"
${
KUBE_ENABLE_CLUSTER_UI
:-
true
}
"
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
# Optional: Enable/disable public IP assignment for minions.
# Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
...
...
cluster/aws/config-test.sh
View file @
aa9957e7
...
...
@@ -83,7 +83,7 @@ DNS_REPLICAS=1
ENABLE_CLUSTER_UI
=
"
${
KUBE_ENABLE_CLUSTER_UI
:-
true
}
"
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
# Optional: Enable/disable public IP assignment for minions.
# Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
...
...
cluster/azure/config-default.sh
View file @
aa9957e7
...
...
@@ -55,4 +55,4 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
ENABLE_CLUSTER_UI
=
"
${
KUBE_ENABLE_CLUSTER_UI
:-
true
}
"
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
cluster/centos/master/scripts/apiserver.sh
View file @
aa9957e7
...
...
@@ -51,7 +51,7 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
# to do admission control of resources into cluster.
# Comma-delimited list of:
# LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists,
# NamespaceLifecycle, NamespaceAutoProvision,
DenyEscalatingExec,
# NamespaceLifecycle, NamespaceAutoProvision,
# AlwaysAdmit, ServiceAccount, ResourceQuota
#KUBE_ADMISSION_CONTROL="--admission-control=\"
${
ADMISSION_CONTROL
}
\""
...
...
cluster/gce/config-default.sh
View file @
aa9957e7
...
...
@@ -110,7 +110,7 @@ if [[ "${ENABLE_DEPLOYMENTS}" == "true" ]]; then
fi
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
# Optional: if set to true kube-up will automatically check for existing resources and clean them up.
KUBE_UP_AUTOMATIC_CLEANUP
=
${
KUBE_UP_AUTOMATIC_CLEANUP
:-
false
}
...
...
cluster/gce/config-test.sh
View file @
aa9957e7
...
...
@@ -117,7 +117,7 @@ if [[ "${ENABLE_DEPLOYMENTS}" == "true" ]]; then
ENABLE_EXPERIMENTAL_API
=
true
fi
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
# Optional: if set to true kube-up will automatically check for existing resources and clean them up.
KUBE_UP_AUTOMATIC_CLEANUP
=
${
KUBE_UP_AUTOMATIC_CLEANUP
:-
false
}
...
...
cluster/mesos/docker/docker-compose.yml
View file @
aa9957e7
...
...
@@ -74,7 +74,7 @@ apiserver:
--external-hostname=apiserver
--etcd-servers=http://etcd:4001
--port=8888
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--authorization-mode=AlwaysAllow
--token-auth-file=/var/run/kubernetes/auth/token-users
--basic-auth-file=/var/run/kubernetes/auth/basic-users
...
...
cluster/vagrant/config-default.sh
View file @
aa9957e7
...
...
@@ -53,7 +53,7 @@ MASTER_USER=vagrant
MASTER_PASSWD
=
vagrant
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
# Optional: Enable experimental API features
ENABLE_EXPERIMENTAL_API
=
"
${
KUBE_ENABLE_EXPERIMENTAL_API
:-
true
}
"
...
...
docs/admin/admission-controllers.md
View file @
aa9957e7
...
...
@@ -172,7 +172,7 @@ Yes.
For Kubernetes 1.0, we strongly recommend running the following set of admission control plug-ins (order matters):
```
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
```
...
...
docs/admin/high-availability/kube-apiserver.yaml
View file @
aa9957e7
...
...
@@ -11,7 +11,7 @@ spec:
-
/bin/sh
-
-c
-
/usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
--basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
--tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
...
...
docs/getting-started-guides/coreos/cloud-configs/master.yaml
View file @
aa9957e7
...
...
@@ -89,7 +89,7 @@ coreos:
ExecStart=/opt/bin/kube-apiserver \
--service-account-key-file=/opt/bin/kube-serviceaccount.key \
--service-account-lookup=false \
--admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota \
--admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
--runtime-config=api/v1 \
--allow-privileged=true \
--insecure-bind-address=0.0.0.0 \
...
...
hack/local-up-cluster.sh
View file @
aa9957e7
...
...
@@ -203,11 +203,10 @@ function set_service_accounts {
function
start_apiserver
{
# Admission Controllers to invoke prior to persisting objects in cluster
if
[[
-z
"
${
ALLOW_SECURITY_CONTEXT
}
"
]]
;
then
ADMISSION_CONTROL
=
NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
else
ADMISSION_CONTROL
=
NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ServiceAccount,
DenyEscalatingExec,
ResourceQuota
ADMISSION_CONTROL
=
NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ServiceAccount,ResourceQuota
fi
# This is the default dir and filename where the apiserver will generate a self-signed cert
# which should be able to be used as the CA to verify itself
CERT_DIR
=
/var/run/kubernetes
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment