From c05d14112843f9869f2f278051b5d64e33eb3f19 Mon Sep 17 00:00:00 2001 From: gbolo Date: Sun, 16 Apr 2017 22:03:45 -0400 Subject: [PATCH] allow admission control plug-ins to be easily customized --- roles/kubernetes/master/defaults/main.yml | 7 +++++++ .../master/templates/manifests/kube-apiserver.manifest.j2 | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml index 016df0c64..593ffd9cd 100644 --- a/roles/kubernetes/master/defaults/main.yml +++ b/roles/kubernetes/master/defaults/main.yml @@ -36,6 +36,13 @@ kube_apiserver_cpu_limit: 800m kube_apiserver_memory_requests: 256M kube_apiserver_cpu_requests: 100m +# Admission control plug-ins +kube_apiserver_admission_control: + - NamespaceLifecycle + - LimitRanger + - ServiceAccount + - DefaultStorageClass + - ResourceQuota ## Enable/Disable Kube API Server Authentication Methods kube_basic_auth: true diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 index 967f0a9cb..36bcbc3f6 100644 --- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 @@ -33,7 +33,7 @@ spec: - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }} - --apiserver-count={{ kube_apiserver_count }} - - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota + - --admission-control={{ kube_apiserver_admission_control | join(',') }} - --service-cluster-ip-range={{ kube_service_addresses }} - --service-node-port-range={{ kube_apiserver_node_port_range }} - --client-ca-file={{ kube_cert_dir }}/ca.pem