package kubeadmission
import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/admission"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
"github.com/openshift/origin/pkg/admission/customresourcevalidation/customresourcevalidationregistration"
authorizationrestrictusers "github.com/openshift/origin/pkg/authorization/apiserver/admission/restrictusers"
quotaclusterresourceoverride "github.com/openshift/origin/pkg/autoscaling/admission/clusterresourceoverride"
quotarunonceduration "github.com/openshift/origin/pkg/autoscaling/admission/runonceduration"
imagepolicyapiv1 "github.com/openshift/origin/pkg/image/apiserver/admission/apis/imagepolicy/v1"
"github.com/openshift/origin/pkg/image/apiserver/admission/imagepolicy"
"github.com/openshift/origin/pkg/network/admission/externalipranger"
"github.com/openshift/origin/pkg/network/admission/restrictedendpoints"
quotaclusterresourcequota "github.com/openshift/origin/pkg/quota/apiserver/admission/clusterresourcequota"
ingressadmission "github.com/openshift/origin/pkg/route/apiserver/admission"
projectnodeenv "github.com/openshift/origin/pkg/scheduler/admission/nodeenv"
schedulerpodnodeconstraints "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints"
securityadmission "github.com/openshift/origin/pkg/security/apiserver/admission/sccadmission"
)
// RegisterOpenshiftKubeAdmissionPlugins adds the OpenShift-specific admission
// plugins to the kube-apiserver plugin registry. Registration only makes a
// plugin known by name; whether it runs, and where in the chain, is decided
// separately by the plugin order and default-off set built in this file.
func RegisterOpenshiftKubeAdmissionPlugins(plugins *admission.Plugins) {
	// One registrar per plugin, invoked in this fixed order. Keeping them in a
	// single list makes it easy to audit which policy enforcers (SCC, external
	// IP, restricted endpoints, subject-binding restrictions) are registered.
	registrars := []func(*admission.Plugins){
		authorizationrestrictusers.Register,
		imagepolicy.Register,
		ingressadmission.Register,
		projectnodeenv.Register,
		quotaclusterresourceoverride.Register,
		quotaclusterresourcequota.Register,
		quotarunonceduration.Register,
		schedulerpodnodeconstraints.Register,
		securityadmission.Register,
		securityadmission.RegisterSCCExecRestrictions,
		externalipranger.RegisterExternalIP,
		restrictedendpoints.RegisterRestrictedEndpoints,
	}
	for _, register := range registrars {
		register(plugins)
	}
}
var (
	// SkipRunLevelZeroPlugins lists admission plugins that cannot be applied
	// until after the kube-apiserver starts. It is currently empty.
	// TODO if nothing comes to mind in 3.10, kill this
	SkipRunLevelZeroPlugins = sets.NewString()

	// SkipRunLevelOnePlugins lists admission plugins that cannot be applied
	// until after the openshift-apiserver starts. Note that this includes the
	// SCC and quota enforcers, so requests admitted before that point are not
	// subject to them.
	SkipRunLevelOnePlugins = sets.NewString(
		"authorization.openshift.io/RestrictSubjectBindings",
		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
		"quota.openshift.io/ClusterResourceQuota",
		"security.openshift.io/SecurityContextConstraint",
		"security.openshift.io/SCCExecRestrictions",
	)

	// openshiftAdmissionPluginsForKube are the OpenShift admission plugins that
	// are spliced into the kube admission chain immediately before the
	// mutating webhook plugin, in this order (see NewOrderedKubeAdmissionPlugins).
	// Several entries enforce security policy (SecurityContextConstraint,
	// SCCExecRestrictions, ExternalIPRanger, RestrictedEndpointsAdmission,
	// RestrictSubjectBindings); adding or removing an entry changes what is
	// enforced on kube-apiserver requests.
	openshiftAdmissionPluginsForKube = []string{
		"autoscaling.openshift.io/ClusterResourceOverride",
		"authorization.openshift.io/RestrictSubjectBindings",
		"autoscaling.openshift.io/RunOnceDuration",
		"scheduling.openshift.io/PodNodeConstraints",
		"scheduling.openshift.io/OriginPodNodeEnvironment",
		"network.openshift.io/ExternalIPRanger",
		"network.openshift.io/RestrictedEndpointsAdmission",
		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
		"security.openshift.io/SecurityContextConstraint",
		"security.openshift.io/SCCExecRestrictions",
		"route.openshift.io/IngressAdmission",
		"quota.openshift.io/ClusterResourceQuota",
	}

	// additionalDefaultOnPlugins is a list of plugins we turn on by default
	// that core kube does not. They are removed from the default-off set in
	// NewDefaultOffPluginsFunc; the names must match the plugin names exactly
	// or the removal silently has no effect.
	additionalDefaultOnPlugins = sets.NewString(
		"NodeRestriction",
		"OwnerReferencesPermissionEnforcement",
		"PersistentVolumeLabel",
		"PodNodeSelector",
		"PodTolerationRestriction",
		"Priority",
		imagepolicyapiv1.PluginName, // "image.openshift.io/ImagePolicy"
		"StorageObjectInUseProtection",
	)
)
// NewOrderedKubeAdmissionPlugins returns the admission plugin order for the
// kube-apiserver: kubeAdmissionOrder with the OpenShift plugins
// (openshiftAdmissionPluginsForKube followed by the custom resource
// validators) inserted immediately before every occurrence of the mutating
// webhook plugin. The input slice is not modified.
//
// The insertion is keyed solely on mutatingwebhook.PluginName. If that name
// is absent from kubeAdmissionOrder, none of the OpenShift plugins (including
// the SecurityContextConstraint and network restriction plugins) appear in
// the result, and nothing here reports that; callers are expected to pass
// the full upstream order.
func NewOrderedKubeAdmissionPlugins(kubeAdmissionOrder []string) []string {
	extra := len(openshiftAdmissionPluginsForKube) +
		len(customresourcevalidationregistration.AllCustomResourceValidators)
	// Always non-nil, even for empty input.
	ordered := make([]string, 0, len(kubeAdmissionOrder)+extra)
	for _, name := range kubeAdmissionOrder {
		if name != mutatingwebhook.PluginName {
			ordered = append(ordered, name)
			continue
		}
		// OpenShift plugins run before mutating webhooks so that webhooks
		// see objects that have already passed OpenShift admission.
		ordered = append(ordered, openshiftAdmissionPluginsForKube...)
		ordered = append(ordered, customresourcevalidationregistration.AllCustomResourceValidators...)
		ordered = append(ordered, name)
	}
	return ordered
}
// NewDefaultOffPluginsFunc returns a function that produces the set of
// admission plugins disabled unless explicitly enabled. Each call starts from
// a fresh copy of kubeDefaultOffAdmission (the caller's set is never
// modified), removes everything OpenShift turns on by default
// (additionalDefaultOnPlugins, openshiftAdmissionPluginsForKube and the
// custom resource validators), and then re-adds RestrictSubjectBindings so
// that it stays off by default.
//
// kubeDefaultOffAdmission and the package-level lists are read on every call
// of the returned function, not captured at construction time.
func NewDefaultOffPluginsFunc(kubeDefaultOffAdmission sets.String) func() sets.String {
	return func() sets.String {
		defaultOff := sets.NewString(kubeDefaultOffAdmission.UnsortedList()...)

		// Everything OpenShift enables by default is removed from the
		// default-off set; deletion of a missing name is a no-op.
		forcedOn := [][]string{
			additionalDefaultOnPlugins.List(),
			openshiftAdmissionPluginsForKube,
			customresourcevalidationregistration.AllCustomResourceValidators,
		}
		for _, names := range forcedOn {
			defaultOff.Delete(names...)
		}

		// temporarily disable RBR until we move it to a CRD (it is causing install timeout failures)
		// This runs after the deletions above, so RestrictSubjectBindings is
		// default-off even though it is listed in openshiftAdmissionPluginsForKube.
		defaultOff.Insert("authorization.openshift.io/RestrictSubjectBindings")
		return defaultOff
	}
}