kubernetes
diff --git a/‎nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/envvars/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/envvars/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/model/components/apiserver.go
Lines changed: 7 additions & 7 deletions b/‎pkg/model/components/apiserver.go
Lines changed: 7 additions & 7 deletions
@@ -34,7 +34,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -48,7 +48,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -24,7 +24,7 @@ contents: |
       - --authorization-mode=AlwaysAllow
       - --bind-address=0.0.0.0
       - --client-ca-file=/srv/kubernetes/ca.crt
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -147,21 +147,21 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(cluster *kops.Cluster) error
 		}
 	}
 
-	// TODO: We can probably rewrite these more clearly in descending order
 	// Based on recommendations from:
-	// https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
+	// https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
 	{
 		c.EnableAdmissionPlugins = []string{
-			"NamespaceLifecycle",
-			"LimitRanger",
-			"ServiceAccount",
-			//"PersistentVolumeLabel",
 			"DefaultStorageClass",
 			"DefaultTolerationSeconds",
+			"LimitRanger",
 			"MutatingAdmissionWebhook",
-			"ValidatingAdmissionWebhook",
+			"NamespaceLifecycle",
 			"NodeRestriction",
 			"ResourceQuota",
+			"RuntimeClass",
+			"ServiceAccount",
+			"ValidatingAdmissionPolicy",
+			"ValidatingAdmissionWebhook",
 		}
 		c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...)
 	}
Original file line number	Diff line number	Diff line change
`@@ -147,21 +147,21 @@ func (b KubeAPIServerOptionsBuilder) BuildOptions(cluster kops.Cluster) error`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`
`150`		`- // TODO: We can probably rewrite these more clearly in descending order`
`151`	`150`	`// Based on recommendations from:`
`152`		`- // https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use`
	`151`	`+ // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/`
`153`	`152`	`{`
`154`	`153`	`c.EnableAdmissionPlugins = []string{`
`155`		`- "NamespaceLifecycle",`
`156`		`- "LimitRanger",`
`157`		`- "ServiceAccount",`
`158`		`- //"PersistentVolumeLabel",`
`159`	`154`	`"DefaultStorageClass",`
`160`	`155`	`"DefaultTolerationSeconds",`
	`156`	`+ "LimitRanger",`
`161`	`157`	`"MutatingAdmissionWebhook",`
`162`		`- "ValidatingAdmissionWebhook",`
	`158`	`+ "NamespaceLifecycle",`
`163`	`159`	`"NodeRestriction",`
`164`	`160`	`"ResourceQuota",`
	`161`	`+ "RuntimeClass",`
	`162`	`+ "ServiceAccount",`
	`163`	`+ "ValidatingAdmissionPolicy",`
	`164`	`+ "ValidatingAdmissionWebhook",`
`165`	`165`	`}`
`166`	`166`	`c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...)`
`167`	`167`	`}`