k8s.io/kubernetes@v1.29.3/pkg/kubeapiserver/options/plugins.go (about) 1 /* 2 Copyright 2014 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package options 18 19 // This file exists to force the desired plugin implementations to be linked. 20 // This should probably be part of some configuration fed into the build for a 21 // given binary target. 22 import ( 23 "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" 24 // Admission policies 25 "k8s.io/kubernetes/plugin/pkg/admission/admit" 26 "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages" 27 "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity" 28 certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval" 29 "k8s.io/kubernetes/plugin/pkg/admission/certificates/ctbattest" 30 certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing" 31 certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction" 32 "k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds" 33 "k8s.io/kubernetes/plugin/pkg/admission/deny" 34 "k8s.io/kubernetes/plugin/pkg/admission/eventratelimit" 35 "k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration" 36 "k8s.io/kubernetes/plugin/pkg/admission/gc" 37 "k8s.io/kubernetes/plugin/pkg/admission/imagepolicy" 38 "k8s.io/kubernetes/plugin/pkg/admission/limitranger" 39 "k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision" 40 
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists" 41 "k8s.io/kubernetes/plugin/pkg/admission/network/defaultingressclass" 42 "k8s.io/kubernetes/plugin/pkg/admission/network/denyserviceexternalips" 43 "k8s.io/kubernetes/plugin/pkg/admission/noderestriction" 44 "k8s.io/kubernetes/plugin/pkg/admission/nodetaint" 45 "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector" 46 "k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction" 47 podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority" 48 "k8s.io/kubernetes/plugin/pkg/admission/runtimeclass" 49 "k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity" 50 "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny" 51 "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" 52 "k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/label" 53 "k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize" 54 "k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault" 55 "k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection" 56 57 "k8s.io/apimachinery/pkg/util/sets" 58 "k8s.io/apiserver/pkg/admission" 59 "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" 60 "k8s.io/apiserver/pkg/admission/plugin/resourcequota" 61 mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating" 62 validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating" 63 ) 64 65 // AllOrderedPlugins is the list of all the plugins in order. 
var AllOrderedPlugins = []string{
	// Order is significant: RegisterAllAdmissionPlugins documents this slice
	// as the source of execution order, so reordering entries is a behavior
	// change, not a cosmetic edit.
	admit.PluginName,                        // AlwaysAdmit
	autoprovision.PluginName,                // NamespaceAutoProvision
	lifecycle.PluginName,                    // NamespaceLifecycle
	exists.PluginName,                       // NamespaceExists
	scdeny.PluginName,                       // SecurityContextDeny
	antiaffinity.PluginName,                 // LimitPodHardAntiAffinityTopology
	limitranger.PluginName,                  // LimitRanger
	serviceaccount.PluginName,               // ServiceAccount
	noderestriction.PluginName,              // NodeRestriction
	nodetaint.PluginName,                    // TaintNodesByCondition
	alwayspullimages.PluginName,             // AlwaysPullImages
	imagepolicy.PluginName,                  // ImagePolicyWebhook
	podsecurity.PluginName,                  // PodSecurity
	podnodeselector.PluginName,              // PodNodeSelector
	podpriority.PluginName,                  // Priority
	defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
	podtolerationrestriction.PluginName,     // PodTolerationRestriction
	eventratelimit.PluginName,               // EventRateLimit
	extendedresourcetoleration.PluginName,   // ExtendedResourceToleration
	label.PluginName,                        // PersistentVolumeLabel
	setdefault.PluginName,                   // DefaultStorageClass
	storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
	gc.PluginName,                           // OwnerReferencesPermissionEnforcement
	resize.PluginName,                       // PersistentVolumeClaimResize
	runtimeclass.PluginName,                 // RuntimeClass
	certapproval.PluginName,                 // CertificateApproval
	certsigning.PluginName,                  // CertificateSigning
	ctbattest.PluginName,                    // ClusterTrustBundleAttest
	certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
	defaultingressclass.PluginName,          // DefaultIngressClass
	denyserviceexternalips.PluginName,       // DenyServiceExternalIPs

	// New admission plugins should generally be inserted above this point.
	// The webhook, resourcequota and deny plugins must stay at the end.
	// NOTE(review): presumably so that they act on a request only after the
	// built-in plugins above have run; confirm before moving any of them.

	mutatingwebhook.PluginName,           // MutatingAdmissionWebhook
	validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
	validatingwebhook.PluginName,         // ValidatingAdmissionWebhook
	resourcequota.PluginName,             // ResourceQuota
	deny.PluginName,                      // AlwaysDeny
}

// RegisterAllAdmissionPlugins hands plugins to the Register function of each
// admission plugin package listed below. Registration order is irrelevant;
// AllOrderedPlugins determines execution order.
//
// NamespaceLifecycle, MutatingAdmissionWebhook, ValidatingAdmissionWebhook and
// ValidatingAdmissionPolicy are listed in AllOrderedPlugins but are not
// registered by this function.
// NOTE(review): in upstream Kubernetes those are registered by the generic
// apiserver; verify that wiring exists before relying on them.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
	registrars := []func(*admission.Plugins){
		admit.Register, // DEPRECATED as no real meaning
		alwayspullimages.Register,
		antiaffinity.Register,
		defaulttolerationseconds.Register,
		defaultingressclass.Register,
		denyserviceexternalips.Register,
		deny.Register, // DEPRECATED as no real meaning
		eventratelimit.Register,
		extendedresourcetoleration.Register,
		gc.Register,
		imagepolicy.Register,
		limitranger.Register,
		autoprovision.Register,
		exists.Register,
		noderestriction.Register,
		nodetaint.Register,
		label.Register, // DEPRECATED, future PVs should not rely on labels for zone topology
		podnodeselector.Register,
		podtolerationrestriction.Register,
		runtimeclass.Register,
		resourcequota.Register,
		podsecurity.Register,
		podpriority.Register,
		scdeny.Register,
		serviceaccount.Register,
		setdefault.Register,
		resize.Register,
		storageobjectinuseprotection.Register,
		certapproval.Register,
		certsigning.Register,
		ctbattest.Register,
		certsubjectrestriction.Register,
	}

	// Each registrar is invoked once, in the order written above.
	for _, register := range registrars {
		register(plugins)
	}
}

// DefaultOffAdmissionPlugins returns the admission plugins that are off by default for kube-apiserver.
func DefaultOffAdmissionPlugins() sets.String {
	// Allow-list of plugins that are on by default. The result is computed as
	// "everything in AllOrderedPlugins that is not named here", so a plugin
	// added to AllOrderedPlugins stays off by default until it is also added
	// to this set. A name listed here but missing from AllOrderedPlugins has
	// no effect on the result.
	//
	// Security-relevant plugins that are NOT in this set, and are therefore
	// returned as default-off, include NodeRestriction, AlwaysPullImages,
	// ImagePolicyWebhook, EventRateLimit, DenyServiceExternalIPs and
	// OwnerReferencesPermissionEnforcement. Clusters that depend on any of
	// them must enable them explicitly (kube-apiserver's
	// --enable-admission-plugins flag).
	enabledByDefault := sets.NewString(
		lifecycle.PluginName,                    // NamespaceLifecycle
		limitranger.PluginName,                  // LimitRanger
		serviceaccount.PluginName,               // ServiceAccount
		setdefault.PluginName,                   // DefaultStorageClass
		resize.PluginName,                       // PersistentVolumeClaimResize
		defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
		mutatingwebhook.PluginName,              // MutatingAdmissionWebhook
		validatingwebhook.PluginName,            // ValidatingAdmissionWebhook
		resourcequota.PluginName,                // ResourceQuota
		storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
		podpriority.PluginName,                  // Priority
		nodetaint.PluginName,                    // TaintNodesByCondition
		runtimeclass.PluginName,                 // RuntimeClass
		certapproval.PluginName,                 // CertificateApproval
		certsigning.PluginName,                  // CertificateSigning
		ctbattest.PluginName,                    // ClusterTrustBundleAttest
		certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
		defaultingressclass.PluginName,          // DefaultIngressClass
		podsecurity.PluginName,                  // PodSecurity
		validatingadmissionpolicy.PluginName,    // ValidatingAdmissionPolicy, only active when feature gate ValidatingAdmissionPolicy is enabled
	)

	// Collect every known plugin that is absent from the allow-list.
	disabledByDefault := sets.NewString()
	for _, name := range AllOrderedPlugins {
		if !enabledByDefault.Has(name) {
			disabledByDefault.Insert(name)
		}
	}
	return disabledByDefault
}