Page MenuHomePhabricator

kube-apiserver flag --admission-control has been deprecated
Open, Needs TriagePublic

Description

Flag --admission-control has been deprecated, Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.

Event Timeline

JMeybohm renamed this task from Flag --admission-control has been deprecated to kube-apiserver flag --admission-control has been deprecated.Dec 18 2020, 2:05 PM

Change 677922 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kube-apiserver: Use --enable-admission-plugins argument

https://gerrit.wikimedia.org/r/677922

Change 677923 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kube-apiserver: Update the list of enabled admission controllers

https://gerrit.wikimedia.org/r/677923

We should take the chance and refactor this a bit.
According to kube-apiserver -h we don't need to list the default admission controllers via --enable-admission-plugins anymore and, even worse, they won't get disabled when left out. From the help output:

Admission flags:

      --admission-control strings              Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: <stripped>. (DEPRECATED: Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.)

      --disable-admission-plugins strings      admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota). Comma-delimited list of admission plugins: <stripped>. The order of plugins in this flag does not matter.

      --enable-admission-plugins strings       admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota). Comma-delimited list of admission plugins: <stripped>. The order of plugins in this flag does not matter.

Change 677923 abandoned by JMeybohm:

[operations/puppet@production] kube-apiserver: Update the list of enabled admission controllers

Reason:

See https://gerrit.wikimedia.org/r/c/operations/puppet/ /677922

https://gerrit.wikimedia.org/r/677923