Fix admission-controllers section #4751
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Deploy preview ready! Built with commit d4b9363 https://deploy-preview-4751--kubernetes-io-master-staging.netlify.com |
|
To reviewers: this git diff is showing the patch in a funny way ... however, as summarized in the commit message, this patch did NOT change contents about documented controllers besides reordering them. |
tengqm
force-pushed
the
admission-controller-fix
branch
from
dae39e6 to
87f0acb
Compare
docs/admin/admission-controllers.md
Outdated
|
|
||
| This plug-in sets the default forgiveness toleration for pods, which have no forgiveness tolerations, to tolerate | ||
| the taints `notready:NoExecute` and `unreachable:NoExecute` for 5 minutes. | ||
| This plug-in automatically attach region or zone labels to PersistentVolumes |
docs/admin/admission-controllers.md
Outdated
| ### PodPreset | ||
|
|
||
| This plug-in injects a pod with the fields specified in a matching PodPreset. | ||
| See also [Inject Information into Pods Using a PodPreset](/docs/tasks/inject-data-application/podpreset.md) |
There was a problem hiding this comment.
The URL should be /docs/tasks/inject-data-application/podpreset/.
docs/admin/admission-controllers.md
Outdated
| Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly. | ||
| This plug-in first verifies any conflict between a pod's tolerations and its | ||
| namespace's tolerations, and rejects the pod request if there is a conflict. | ||
| It then merge the namespace's tolerations into the pod's tolerations. |
docs/admin/admission-controllers.md
Outdated
| namespace's tolerations, and rejects the pod request if there is a conflict. | ||
| It then merge the namespace's tolerations into the pod's tolerations. | ||
| The resulting tolerations are checked against the namespace's whitelist of | ||
| tolerations. If the checking succeeds, the pod request is admitted otherwise |
docs/admin/admission-controllers.md
Outdated
| This plug-in does not do anything when no default storage class is configured. When more than one storage | ||
| class is marked as default, it rejects any creation of `PersistentVolumeClaim` with an error and administrator | ||
| must revisit `StorageClass` objects and mark only one as default. | ||
| This plugin ignores any `PersistentVolumeClaim` updates, it acts only on creation. |
docs/admin/admission-controllers.md
Outdated
|
|
||
| It is strongly encouraged that this plug-in is configured last in the sequence of admission control plug-ins. This is | ||
| so that quota is not prematurely incremented only for the request to be rejected later in admission control. | ||
| ### InitialResources (experimental) |
docs/admin/admission-controllers.md
Outdated
| See [persistent volume](/docs/user-guide/persistent-volumes) documentation about persistent volume claims and | ||
| storage classes and how to mark a storage class as default. | ||
| This plug-in protects the access to the `blockOwnerDeletion` property of an object | ||
| so that only users with "delete" permission to the object can change it. |
There was a problem hiding this comment.
This plug-in protects the access to metadata.ownerReferences of an object so that only users with "delete" permission to the object can change it.
This plug-in also protects the access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so that only users with "delete" permission to the owner, i.e., the object referred by the ownerReference[x], can change it.
|
Also these sections lgtm:
|
tengqm
force-pushed
the
admission-controller-fix
branch
2 times, most recently
from
4e14448 to
97f72f7
Compare
|
@caesarxuchao Has everything been addressed? |
|
@caesarxuchao PTAL, thanks. |
|
@caesarxuchao Ping. |
docs/admin/admission-controllers.md
Outdated
| This plug-in protects the access to the `metadata.ownerReferences` of an object | ||
| so that only users with "delete" permission to the object can change it. | ||
| This plug-in also protects the access to `metadata.ownerReferences[x].blockOwnerDeletion` | ||
| of an object, so that only users with "delete" permission to the *owner* (i.e, |
There was a problem hiding this comment.
This one needs update after kubernetes/kubernetes#49133 gets merged.
so that only users with "update" permission to the `finalizers` subresource of the referenced *owner* can change it.
docs/admin/admission-controllers.md
Outdated
|
|
||
| This plug-in observes creation of `PersistentVolumeClaim` objects that do not request any specific storage class | ||
| and automatically adds a default storage class to them. | ||
| This way, users that do not request any special storage class do no need to care about them at all and they |
docs/admin/admission-controllers.md
Outdated
|
|
||
| ### SecurityContextDeny | ||
| This plug-in is related to the [Dynamic Admission Control](/docs/admin/extensible-admission-controllers) | ||
| introduced in v1.7. |
There was a problem hiding this comment.
I think you can explain further:
It determines initializers of a resource based on existing
InitializerConfigurations , sets the pending initializers on the resource metadata and blocks the Create request until all pending initializers complete.
this is my understanding, @caesarxuchao to confirm
There was a problem hiding this comment.
Thanks for the suggestion. Description revised.
tengqm
force-pushed
the
admission-controller-fix
branch
from
97f72f7 to
0f50a9e
Compare
k8s-ci-robot
added
the
size/L
docs/admin/admission-controllers.md
Outdated
| ### DefaultTolerationSeconds | ||
|
|
||
| This plug-in sets the default forgiveness toleration for pods, which have no forgiveness tolerations, to tolerate | ||
| the taints `notready:NoExecute` and `unreachable:NoExecute` for 5 minutes. |
There was a problem hiding this comment.
This seems to be a little more accurate: "This plug-in sets the default forgiveness toleration for pods to tolerate the taints notready:NoExecute and unreachable:NoExecute for 5 minutes, if the pods don't already have toleration for taints notready:NoExecute or unreachable:NoExecute."
| @@ -78,6 +98,11 @@ If your cluster supports containers that run with escalated privileges, and you | |||
| restrict the ability of end-users to exec commands in those containers, we strongly encourage | |||
| enabling this plug-in. | |||
|
|
|||
| ### GenericAdmissionWebhook (alpha) | |||
|
|
|||
| This plug-in is related to the [Dynamic Admission Control](/docs/admin/extensible-admission-controllers) | |||
There was a problem hiding this comment.
This plug-in calls the webhooks configured via ExternalAdmissionHookConfiguration, and only admits the operation if all the webhooks admit it. Currently the plugin always fails open, i.e., ignore the failed call to a webhook.
docs/admin/admission-controllers.md
Outdated
| introduced in v1.7. | ||
| The plug-in determines the initializers of a resource based on the existing | ||
| `InitializerConfiguration`s. It sets the pending initializers by modifying the | ||
| metadata of the resource to be created and and then blocks the resource create |
There was a problem hiding this comment.
and and then blocks the resource create request until all pending initializers have completed is not very accurate. The apiserver blocks the CREATE call for 30s and then returns a 504. I think it's fine if we end the description at by modifying the metadata of the resource. Readers can refer to the linked doc for details.
docs/admin/admission-controllers.md
Outdated
|
|
||
| This plug-in will deny any pod that attempts to set certain escalating [SecurityContext](/docs/user-guide/security-context) fields. This should be enabled if a cluster doesn't utilize [pod security policies](/docs/user-guide/pod-security-policy) to restrict the set of values a security context can take. | ||
| This plug-in observes pod creation requests. If a container omits compute resource requests and limits, | ||
| then the plug-in auto-populates a compute resource request based on historical usage of containers running the same image. |
There was a problem hiding this comment.
I think it's worth mentioning the estimated resource requests are set in annotations, rather than the actual container.resources fields.
There was a problem hiding this comment.
the description already uses "annotates" as the verb, but I'm okay with more clarifications.
This patch refactors the admin/admission-controllers section: - Reorder the built-in controllers based on their names - Added controllers that were not documented: * GenericAdmissionWebhook * Initializers * LimitPodHardAntiAffinity * NamespaceAutoProvision * NamespaceExists * OwnerReferencesPermissionEnforcement * PersistenVolumeLabel * PodPreset * PodTolerationRestriction
tengqm
force-pushed
the
admission-controller-fix
branch
from
0f50a9e to
d4b9363
Compare
This patch refactors the admin/admission-controllers section:
Reorder the built-in controllers based on their names
Added controllers that were not documented:
This change is