Merge pull request #55976 from caesarxuchao/move-mutating-to-last

Automatic merge from submit-queue (batch tested with PRs 51321, 55969, 55039, 56183, 55976). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Move mutating to run last in the mutating admission plugin chain ref: kubernetes/features#492 Follow up on #54892. (see https://github.com/kubernetes/kubernetes/pull/54892#discussion_r151333585) Only the last commit is relevant. The reasons are: * Mutating webhooks are dynamic, they can always adjust according to the behavior of compiled-in admission plugins, but not the other-way around. * We'll document that if user deploys mutating webhooks that over some built-in mutating plugins decision, user needs also to disable the built-in validating plugins, otherwise the cluster might block.
2025-11-04 04:08:16 +00:00 · 2017-11-22 12:00:01 -08:00
parent 6d519edfbd 8e8e32fa05
commit f8ffbd9d61
4 changed files with 15 additions and 9 deletions
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -316,12 +316,12 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
 fi
 if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
-  ADMISSION_CONTROL="MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority"
+  ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,PodPreset,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority"
  if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
    ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
  fi
  # ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
-  ADMISSION_CONTROL="${ADMISSION_CONTROL},ValidatingAdmissionWebhook,ResourceQuota"
+  ADMISSION_CONTROL="${ADMISSION_CONTROL},MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
 else
  ADMISSION_CONTROL=${KUBE_ADMISSION_CONTROL}
 fi
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -104,8 +104,8 @@ func TestAddFlags(t *testing.T) {
 			MinRequestTimeout:           1800,
 		},
 		Admission: &apiserveroptions.AdmissionOptions{
-			RecommendedPluginOrder: []string{"MutatingAdmissionWebhook", "NamespaceLifecycle", "Initializers", "ValidatingAdmissionWebhook"},
+			RecommendedPluginOrder: []string{"NamespaceLifecycle", "Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"},
-			DefaultOffPlugins:      []string{"MutatingAdmissionWebhook", "Initializers", "ValidatingAdmissionWebhook"},
+			DefaultOffPlugins:      []string{"Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook"},
 			PluginNames:            []string{"AlwaysDeny"},
 			ConfigFile:             "/admission-control-config",
 			Plugins:                s.Admission.Plugins,
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -419,7 +419,9 @@ function start_apiserver {
    fi
    # Admission Controllers to invoke prior to persisting objects in cluster
-    ADMISSION_CONTROL=MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,ValidatingAdmissionWebhook,ResourceQuota
+    #
    # ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
    ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
    # This is the default dir and filename where the apiserver will generate a self-signed cert
    # which should be able to be used as the CA to verify itself
--- a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
@@ -59,10 +59,14 @@ type AdmissionOptions struct {
 //  Servers that do care can overwrite/append that field after creation.
 func NewAdmissionOptions() *AdmissionOptions {
 	options := &AdmissionOptions{
-		Plugins:                admission.NewPlugins(),
+		Plugins:     admission.NewPlugins(),
-		PluginNames:            []string{},
+		PluginNames: []string{},
-		RecommendedPluginOrder: []string{mutatingwebhook.PluginName, lifecycle.PluginName, initialization.PluginName, validatingwebhook.PluginName},
+		// This list is mix of mutating admission plugins and validating
-		DefaultOffPlugins:      []string{mutatingwebhook.PluginName, initialization.PluginName, validatingwebhook.PluginName},
+		// admission plugins. The apiserver always runs the validating ones
 		// after all the mutating ones, so their relative order in this list
 		// doesn't matter.
 		RecommendedPluginOrder: []string{lifecycle.PluginName, initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName},
 		DefaultOffPlugins:      []string{initialization.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName},
 	}
 	apiserverapi.AddToScheme(options.Plugins.ConfigScheme)
 	apiserverapiv1alpha1.AddToScheme(options.Plugins.ConfigScheme)