/assign @sttts @deads2k

And after this , the document also need revise.

This is a huge change. I'm strongly in favor, but we need to agree that we're willing to do this.

1. People who previously controlled the admission chain using --admission-control will be fine and their options are still respected.
2. People who specified no admission chains had a scarily exposed cluster they could not run securely, but now they'll suddenly get the admission chain and potentially breaks as things like service accounts will now be require. We've long recommended this, but we've never turned them on by default before.

@smarterclayton @bgrant0607 @kubernetes/api-approvers @lavalamp @erictune @liggitt for comment on having a default admission chain.

ping @smarterclayton @bgrant0607 @kubernetes/api-approvers @lavalamp @erictune @liggitt for comment on having a default admission chain.

I am in favor of fixing this but I'm not sure this is the right way to do it.

• I think the UX is super confusing. It's not good to break naive users (e.g., I bet this breaks the local-up script). So, at a minimum I think we need users to opt-in to the new system.
• Changing entries in a default-on list is always going to be a breaking change. I think the right way to do this is to have apiserver store the list, probably somewhere in etcd. If the list is unset, then we write the defaults; otherwise, we use the list. That way, we could change the defaults without totally breaking everyone on upgrades.

I think the UX is super confusing. It's not good to break naive users (e.g., I bet this breaks the local-up script). So, at a minimum I think we need users to opt-in to the new system.

I'm ok with having a --disable-admission flag (which is what this would be). I'd like to have a timeline for having --disable-admission default to false.

Changing entries in a default-on list is always going to be a breaking change. I think the right way to do this is to have apiserver store the list, probably somewhere in etcd. If the list is unset, then we write the defaults; otherwise, we use the list. That way, we could change the defaults without totally breaking everyone on upgrades.

The idea of a "default on" list is that we think these are a good default for a safe and sane cluster, it's not a guarantee of particular plugins being on or off. Think about things like the PodToleration plugin. If you don't enable it in the same release that you added taint and toleration support, the feature presents
a risk to your cluster. Most cluster-admins probably want to have their safe cluster continue being safe.

How many (non-toy/dev) clusters are out there without --admission-control?

Compared with the big switch to RBAC-by-default, any serious cluster probably has admission plugins enabled anyway. This was very different for RBAC.

We need to think carefully about what we're trying to achieve.

If we want to make it easier for users to stay up to date with recommended admission controllers, I suggest a new flag along the lines of --enable-recommended-admission-controllers, and a warning if the existing flag is otherwise left unset.

I'm in favor of making this change, and having it be opt-out.

The release note needs to be more specific. Maybe append something like this:

If you previously had not set the `--admission-control` flag, your cluster behavior may change (to be more standard).  See [https://kubernetes.io/docs/admin/admission-controllers/] for explanation of admission control.

@erictune ok, will update today.

so many case failed with ServiceAccount plugin enabled.

so many case failed with ServiceAccount plugin enabled.

controllers not running maybe?

Sorry, I didn't see that this got itself sorted out.

/lgtm

squash up when you rebase

@deads2k @sttts squashed and rebased

/lgtm

run gofmt

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/test all [submit-queue is verifying that this PR is safe to merge]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.