
kube-apiserver flag --admission-control has been deprecated
Closed, Resolved (Public)

Description

Flag --admission-control has been deprecated, Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.

Event Timeline

JMeybohm renamed this task from Flag --admission-control has been deprecated to kube-apiserver flag --admission-control has been deprecated. Dec 18 2020, 2:05 PM

Change 677922 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kube-apiserver: Use --enable-admission-plugins argument

https://gerrit.wikimedia.org/r/677922

Change 677923 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kube-apiserver: Update the list of enabled admission controllers

https://gerrit.wikimedia.org/r/677923

We should take the chance and refactor this a bit.
According to kube-apiserver -h we don't need to list the default admission controllers via --enable-admission-plugins anymore and, even worse, they won't get disabled when left out. From the help output:

Admission flags:

      --admission-control strings              Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: <stripped>. (DEPRECATED: Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.)

      --disable-admission-plugins strings      admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota). Comma-delimited list of admission plugins: <stripped>. The order of plugins in this flag does not matter.

      --enable-admission-plugins strings       admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota). Comma-delimited list of admission plugins: <stripped>. The order of plugins in this flag does not matter.
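
The behaviour described in the comment above, as an added example (not code from this task or from the puppet change): the default list is copied from the quoted help output, while the function names and the sample "intended" list are assumptions made for illustration. It shows that pasting an old plugin list into --enable-admission-plugins leaves every unlisted default running, and computes the flag values that yield exactly the intended set.

```python
# Default-enabled plugins, copied from the kube-apiserver -h output quoted above.
# The list is version-specific; re-check it against your own binary's help text.
DEFAULT_ON = frozenset("""NamespaceLifecycle LimitRanger ServiceAccount
    TaintNodesByCondition Priority DefaultTolerationSeconds DefaultStorageClass
    StorageObjectInUseProtection PersistentVolumeClaimResize
    MutatingAdmissionWebhook ValidatingAdmissionWebhook RuntimeClass
    ResourceQuota""".split())

def csv_set(value):
    """Parse a comma-delimited flag value into a set of plugin names."""
    return {name.strip() for name in value.split(",") if name.strip()}

def effective_plugins(enable="", disable="", defaults=DEFAULT_ON):
    """Plugins that run for the given flag values, per the help text:
    enable adds to the defaults, disable removes from them."""
    on, off = csv_set(enable), csv_set(disable)
    if on & off:
        # Choice made by this example: refuse ambiguous input instead of guessing.
        raise ValueError(f"listed in both flags: {sorted(on & off)}")
    return (set(defaults) | on) - off

def flags_for(intended, defaults=DEFAULT_ON):
    """Return (enable, disable) values that make exactly `intended` run."""
    want = csv_set(intended)
    return (",".join(sorted(want - defaults)),   # only non-defaults need enabling
            ",".join(sorted(defaults - want)))   # unwanted defaults need disabling

def audit(enable="", disable="", intended="", defaults=DEFAULT_ON):
    """Compare what actually runs with what the operator intended."""
    want, got = csv_set(intended), effective_plugins(enable, disable, defaults)
    return {
        "unexpectedly_enabled": sorted(got - want),
        "missing": sorted(want - got),
        "redundant_in_enable": sorted(csv_set(enable) & defaults),
    }

if __name__ == "__main__":
    # Constructed sample: an operator wants only these four plugins to run.
    intended = "NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction"
    # Naive migration: paste the whole list into --enable-admission-plugins.
    print(audit(enable=intended, intended=intended))
    enable, disable = flags_for(intended)
    print(f"--enable-admission-plugins={enable}")
    print(f"--disable-admission-plugins={disable}")
```
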

Change 677923 abandoned by JMeybohm:

[operations/puppet@production] kube-apiserver: Update the list of enabled admission controllers

Reason:

See https://gerrit.wikimedia.org/r/c/operations/puppet/+/677922

https://gerrit.wikimedia.org/r/677923

Change 677922 merged by JMeybohm:

[operations/puppet@production] kube-apiserver: Update admission controller config

https://gerrit.wikimedia.org/r/677922

Merged and deployed.