k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/kubeapiserver/options/plugins.go (about) 1 /* 2 Copyright 2014 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package options 18 19 // This file exists to force the desired plugin implementations to be linked. 20 // This should probably be part of some configuration fed into the build for a 21 // given binary target. 22 import ( 23 validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating" 24 // Admission policies 25 "k8s.io/kubernetes/plugin/pkg/admission/admit" 26 "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages" 27 "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity" 28 certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval" 29 "k8s.io/kubernetes/plugin/pkg/admission/certificates/ctbattest" 30 certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing" 31 certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction" 32 "k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds" 33 "k8s.io/kubernetes/plugin/pkg/admission/deny" 34 "k8s.io/kubernetes/plugin/pkg/admission/disableservicelinks" 35 "k8s.io/kubernetes/plugin/pkg/admission/eventratelimit" 36 "k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration" 37 "k8s.io/kubernetes/plugin/pkg/admission/gc" 38 "k8s.io/kubernetes/plugin/pkg/admission/imagepolicy" 39 
"k8s.io/kubernetes/plugin/pkg/admission/limitranger" 40 "k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision" 41 "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists" 42 "k8s.io/kubernetes/plugin/pkg/admission/network/defaultingressclass" 43 "k8s.io/kubernetes/plugin/pkg/admission/network/denyserviceexternalips" 44 "k8s.io/kubernetes/plugin/pkg/admission/noderestriction" 45 "k8s.io/kubernetes/plugin/pkg/admission/nodetaint" 46 "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector" 47 "k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction" 48 podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority" 49 "k8s.io/kubernetes/plugin/pkg/admission/runtimeclass" 50 "k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity" 51 "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" 52 "k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize" 53 "k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault" 54 "k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection" 55 56 "k8s.io/apimachinery/pkg/util/sets" 57 "k8s.io/apiserver/pkg/admission" 58 "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" 59 "k8s.io/apiserver/pkg/admission/plugin/resourcequota" 60 mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating" 61 validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating" 62 ) 63 64 // AllOrderedPlugins is the list of all the plugins in order. 
// The slice order is the admission execution order: RegisterAllAdmissionPlugins
// states that registration order is irrelevant and refers here for it.
// Each trailing comment gives the plugin's registered name.
var AllOrderedPlugins = []string{
	admit.PluginName,                        // AlwaysAdmit
	autoprovision.PluginName,                // NamespaceAutoProvision
	lifecycle.PluginName,                    // NamespaceLifecycle
	exists.PluginName,                       // NamespaceExists
	antiaffinity.PluginName,                 // LimitPodHardAntiAffinityTopology
	limitranger.PluginName,                  // LimitRanger
	serviceaccount.PluginName,               // ServiceAccount
	noderestriction.PluginName,              // NodeRestriction
	nodetaint.PluginName,                    // TaintNodesByCondition
	alwayspullimages.PluginName,             // AlwaysPullImages
	imagepolicy.PluginName,                  // ImagePolicyWebhook
	podsecurity.PluginName,                  // PodSecurity
	podnodeselector.PluginName,              // PodNodeSelector
	podpriority.PluginName,                  // Priority
	defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
	podtolerationrestriction.PluginName,     // PodTolerationRestriction
	eventratelimit.PluginName,               // EventRateLimit
	extendedresourcetoleration.PluginName,   // ExtendedResourceToleration
	setdefault.PluginName,                   // DefaultStorageClass
	storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
	gc.PluginName,                           // OwnerReferencesPermissionEnforcement
	resize.PluginName,                       // PersistentVolumeClaimResize
	runtimeclass.PluginName,                 // RuntimeClass

	// Certificate plugins.
	certapproval.PluginName,           // CertificateApproval
	certsigning.PluginName,            // CertificateSigning
	ctbattest.PluginName,              // ClusterTrustBundleAttest
	certsubjectrestriction.PluginName, // CertificateSubjectRestriction

	// Network and service plugins.
	defaultingressclass.PluginName,    // DefaultIngressClass
	denyserviceexternalips.PluginName, // DenyServiceExternalIPs
	disableservicelinks.PluginName,    // DisableServiceLinks

	// New admission plugins should generally be inserted above this point.
	// The webhook, resourcequota, and deny plugins must stay at the end.
	// NOTE(review): presumably this lets the validating stages see the object
	// after webhook mutation and keeps ResourceQuota from charging requests
	// that another plugin rejects; confirm against the admission chain.

	mutatingwebhook.PluginName,           // MutatingAdmissionWebhook
	validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
	validatingwebhook.PluginName,         // ValidatingAdmissionWebhook
	resourcequota.PluginName,             // ResourceQuota
	deny.PluginName,                      // AlwaysDeny
}

// RegisterAllAdmissionPlugins registers all admission plugins.
// The order of registration is irrelevant, see AllOrderedPlugins for execution order.
//
// NOTE(review): lifecycle, mutatingwebhook, validatingwebhook and
// validatingadmissionpolicy are listed in AllOrderedPlugins but are not
// registered here; presumably the generic apiserver registers them. Confirm
// before relying on this function alone to populate a plugin registry.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
	// One entry per plugin package; the sequence is kept as it was even though
	// registration order carries no meaning.
	registerFuncs := []func(*admission.Plugins){
		admit.Register, // DEPRECATED as no real meaning
		alwayspullimages.Register,
		antiaffinity.Register,
		defaulttolerationseconds.Register,
		defaultingressclass.Register,
		denyserviceexternalips.Register,
		deny.Register, // DEPRECATED as no real meaning
		disableservicelinks.Register,
		eventratelimit.Register,
		extendedresourcetoleration.Register,
		gc.Register,
		imagepolicy.Register,
		limitranger.Register,
		autoprovision.Register,
		exists.Register,
		noderestriction.Register,
		nodetaint.Register,
		podnodeselector.Register,
		podtolerationrestriction.Register,
		runtimeclass.Register,
		resourcequota.Register,
		podsecurity.Register,
		podpriority.Register,
		serviceaccount.Register,
		setdefault.Register,
		resize.Register,
		storageobjectinuseprotection.Register,
		certapproval.Register,
		certsigning.Register,
		ctbattest.Register,
		certsubjectrestriction.Register,
	}
	for _, register := range registerFuncs {
		register(plugins)
	}
}

// DefaultOffAdmissionPlugins returns the admission plugins that are off by default for kube-apiserver.
// The result is computed, not listed: it is every name in AllOrderedPlugins
// that is absent from the default-on set below. A plugin added to
// AllOrderedPlugins without a matching entry here is therefore off by default.
//
// With the lists as written, the off-by-default set includes several hardening
// plugins (NodeRestriction, AlwaysPullImages, ImagePolicyWebhook,
// EventRateLimit, DenyServiceExternalIPs, PodTolerationRestriction,
// OwnerReferencesPermissionEnforcement). A cluster gets those only when the
// operator enables them explicitly, so audit the enabled-plugin configuration
// instead of assuming they run.
func DefaultOffAdmissionPlugins() sets.Set[string] {
	// Entries follow AllOrderedPlugins order so the two lists can be compared
	// side by side; a set has no ordering, so the sequence has no effect.
	enabledByDefault := sets.New(
		lifecycle.PluginName,                    // NamespaceLifecycle
		limitranger.PluginName,                  // LimitRanger
		serviceaccount.PluginName,               // ServiceAccount
		nodetaint.PluginName,                    // TaintNodesByCondition
		podsecurity.PluginName,                  // PodSecurity
		podpriority.PluginName,                  // Priority
		defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
		setdefault.PluginName,                   // DefaultStorageClass
		storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
		resize.PluginName,                       // PersistentVolumeClaimResize
		runtimeclass.PluginName,                 // RuntimeClass
		certapproval.PluginName,                 // CertificateApproval
		certsigning.PluginName,                  // CertificateSigning
		ctbattest.PluginName,                    // ClusterTrustBundleAttest
		certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
		defaultingressclass.PluginName,          // DefaultIngressClass
		mutatingwebhook.PluginName,              // MutatingAdmissionWebhook
		validatingadmissionpolicy.PluginName,    // ValidatingAdmissionPolicy, only active when feature gate ValidatingAdmissionPolicy is enabled
		validatingwebhook.PluginName,            // ValidatingAdmissionWebhook
		resourcequota.PluginName,                // ResourceQuota
	)

	everyPlugin := sets.New(AllOrderedPlugins...)
	return everyPlugin.Difference(enabledByDefault)
}