Merge pull request #25381 from apcera/allow_security_context_aws
Automatic merge from submit-queue

AWS kube-up: Remove SecurityContextDeny admission controller (to mirror GCE)

This PR allows the user to tune the ADMISSION_CONTROL options for AWS environments (much like local-up-cluster.sh). The main impetus is to allow users to exclude the SecurityContextDeny admission controller, which causes e2e AWS-based tests to fail with `pod.Spec.SecurityContext.SELinuxOptions is forbidden`.

Now AWS e2e tests are happy and can actually go green.
k8s-merge-robot committed Jun 5, 2016
2 parents 1c860c9 + 07f8d02 commit 411696d
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion cluster/aws/config-default.sh
Expand Up @@ -134,7 +134,7 @@ fi

# Admission Controllers to invoke prior to persisting objects in cluster
# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota

# Optional: Enable/disable public IP assignment for minions.
# Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
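Review bot: the replacement ADMISSION_CONTROL line in cluster/aws/config-default.sh drops SecurityContextDeny for every cluster brought up with the default configuration, while the only motivation given in the commit message is that AWS e2e tests fail with `pod.Spec.SecurityContext.SELinuxOptions is forbidden`. That is a change to the default admission policy, not just to the test setup, and nothing in the file records it. Either limit the removal to config-test.sh, or extend the comment above the assignment to say that SecurityContextDeny is intentionally omitted (to mirror GCE) so that operators who want pods with security-context settings rejected know they have to add it back.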
2 changes: 1 addition & 1 deletion cluster/aws/config-test.sh
Expand Up @@ -120,7 +120,7 @@ fi

# Admission Controllers to invoke prior to persisting objects in cluster
# If we included ResourceQuota, we should keep it at the end of the list to prevent incremeting quota usage prematurely.
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,PersistentVolumeLabel,ResourceQuota
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota

# Optional: Enable/disable public IP assignment for minions.
# Important Note: disable only if you have setup a NAT instance for internet access and configured appropriate routes!
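Review bot: the ADMISSION_CONTROL line in cluster/aws/config-test.sh is still an unconditional assignment, so it does not match the commit message's claim that the user can now tune the option; any value exported by the caller is overwritten when this file is sourced. If tunability is the goal, make the new list a default rather than a fixed value, for example `ADMISSION_CONTROL="${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,ResourceQuota}"`, and apply the same form in config-default.sh. Otherwise reword the description to say the controller is simply removed.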