Admission Plugins
Checking the admission plugins enabled by default
kube-apiserver can report which plugins are enabled by default:
Check the admission plugins enabled by default
kube-apiserver -h | grep enable-admission-plugins
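Note, however, that the kube-apiserver container deployed by Kubespray with its default settings does not ship any sh command, so my attempt to log in to the container by following "How to access kube-apiserver on command line?" did not succeed. The flag can still be inspected with the following command:
Run kube-apiserver inside the pod via kubectl to check the admission plugins enabled by default
kubectl exec -it kube-apiserver-y-k8s-m-1 -n kube-system -- kube-apiserver -h | grep enable-admission-plugins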
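The output looks like the following (note: the actual output is a single line; I have wrapped it here for readability):
Output of running kube-apiserver inside the pod via kubectl to check the admission plugins enabled by default
...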
--enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones
(NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass,
StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction,
DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota).
Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning,
CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit,
ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision,
NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel,
PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount,
StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook.
The order of plugins in this flag does not matter.
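The help line above carries two lists: the plugins that are on by default and every plugin name the flag accepts. The following added example (not part of the original page; the function names are hypothetical, and the sample input is the output shown above) splits the two lists, prints the plugins that stay off unless named in --enable-admission-plugins, and checks a list of required plugins against the defaults plus an explicit flag value.

```sh
# Added example, not from the original page. Input is the help line printed by
#   kube-apiserver -h | grep enable-admission-plugins
# Sample input: the output shown on this page, wrapped as it is there.
sample_help() {
cat <<'EOF'
--enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones
(NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass,
StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction,
DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota).
Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning,
CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit,
ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision,
NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel,
PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount,
StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook.
The order of plugins in this flag does not matter.
EOF
}
# The real output is one line; join wrapped copies so both forms parse.
flatten() { tr '\n' ' ' | tr -s ' '; }
# "A, B, C" -> one sorted name per line.
split_list() { tr -d ' ' | tr ',' '\n' | sort; }
# Plugins that are on without any flag: the parenthesised list.
default_plugins() {
  flatten | sed -n 's/.*default enabled ones (\([^)]*\)).*/\1/p' | split_list
}
# Every plugin name this kube-apiserver accepts in the flag.
available_plugins() {
  flatten | sed -n 's/.*Comma-delimited list of admission plugins: \([^.]*\)\..*/\1/p' | split_list
}
# Plugins that stay off unless named in --enable-admission-plugins.
not_default_plugins() {
  nd_help=$(cat)
  nd_defaults=$(printf '%s\n' "$nd_help" | default_plugins)
  printf '%s\n' "$nd_help" | available_plugins | grep -vxF -e "$nd_defaults"
}
# $1: explicit flag value (may be empty); rest: required plugins. Prints the missing ones, status 1 if any.
missing_plugins() {
  mp_explicit=$1; shift
  mp_on=$(default_plugins; printf '%s\n' "$mp_explicit" | split_list)
  mp_missing=$(printf '%s\n' "$@" | grep -vxF -e "$mp_on") || true
  [ -z "$mp_missing" ] && return 0
  printf '%s\n' "$mp_missing"; return 1
}

sample_help | not_default_plugins
```

On a live cluster, replace `sample_help` with the kubectl exec command shown earlier; `missing_plugins` takes the value the running kube-apiserver was started with as its first argument.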
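Admission Plugin DefaultStorageClass
The DefaultStorageClass admission plugin automatically adds the default storage class to creation requests for PersistentVolumeClaim (PVC) objects that do not request any specific storage class. Users therefore do not need to care about the storage type (and many do not) for the configuration to be completed automatically.
Note that when no default storage class is configured, this admission controller does nothing. Moreover, if more than one storage class is marked as the default, the controller rejects all requests to create a PVC and returns an error.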