-->

How to obtain the enable admission controller list

2020-08-25 05:46发布

问题:

AFAIK, the admission controller is the last pass before the submission to the database.

However I cannot know which one is enabled, Is there a way to know which one is taking effect?

Thanks.

回答1:

The kube-apiserver is running in your kube-apiserver-< example.com > container. The application does not have a get method at the moment to obtain the enabled admission plugins, but you can get the startup parameters from its command line.

kubectl -n kube-system describe po kube-apiserver-example.com

Another way, to see what is in the container: unfortunately there is no "ps" command in the container, but you can get the initial process command parameters from /proc , something like that:

kubectl -n kube-system exec kube-apiserver-example.com -- sed 's/--/\n/g' /proc/1/cmdline

It will be probably like :

enable-admission-plugins=NodeRestriction



回答2:

You may find the list of default enabled admission controllers in doc: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options, search for "--enable-admission-plugins"; or equivalently in code: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/options/plugins.go#L131-L145

For customized ones, you may run cmd in any master node: cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep -E "(enable|disable)-admission-plugins".



回答3:

ImagePolicyWebhook uses a configuration file to set options for the behavior of the backend

Create one of these pods by running kubectl create -f examples/<name>.yaml. In this you can verify the user id under which the pod ran by inspecting the logs, for example:

$ kubectl create -f examples/pod-with-defaults.yaml

$ kubectl logs pod-with-defaults