kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix up admission config documentation

This commit is contained in:
Jordan Liggitt 2018-01-18 01:34:14 -05:00
parent ac1cc4e9b6
commit 1b216ccb51
No known key found for this signature in database
GPG Key ID: 39928704103C7229
1 changed files with 60 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
docs/admin/admission-controllers.md
View File

@ -140,8 +140,17 @@ event requests. The cluster admin can specify event rate limits by:
* Ensuring that `eventratelimit.admission.k8s.io/v1alpha1=true` is included in the * Ensuring that `eventratelimit.admission.k8s.io/v1alpha1=true` is included in the
`--runtime-config` flag for the API server; `--runtime-config` flag for the API server;
* Enabling the `EventRateLimit` admission controller; * Enabling the `EventRateLimit` admission controller;
* Including a `EventRateLimit` configuration in the file provided to the API * Referencing a `EventRateLimit` configuration file from the file provided to the API
server's command line flag `--admission-control-config-file`. server's command line flag `--admission-control-config-file`:
```yaml
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: EventRateLimit
path: eventconfig.yaml
...
```
There are four types of limits that can be specified in the configuration: There are four types of limits that can be specified in the configuration:
@ -151,16 +160,17 @@ There are four types of limits that can be specified in the configuration:
* `SourceAndObject`: A bucket is assigned by each combination of source and * `SourceAndObject`: A bucket is assigned by each combination of source and
involved object of the event. involved object of the event.
Below is a sample snippet for such a configuration: Below is a sample `eventconfig.yaml` for such a configuration:
```yaml ```yaml
EventRateLimit: kind: Configuration
limits: apiVersion: eventratelimit.admission.k8s.io/v1alpha1
- type: Namespace limits:
- type: Namespace
qps: 50 qps: 50
burst: 100 burst: 100
cacheSize: 2000 cacheSize: 2000
- type: User - type: User
qps: 10 qps: 10
burst: 50 burst: 50
``` ```
@ -185,21 +195,35 @@ The ImagePolicyWebhook admission controller allows a backend webhook to make adm
``` ```
#### Configuration File Format #### Configuration File Format
ImagePolicyWebhook uses the admission config file `--admission-control-config-file` to set configuration options for the behavior of the backend. This file may be json or yaml and has the following format:
```javascript ImagePolicyWebhook uses a configuration file to set options for the behavior of the backend.
{ This file may be json or yaml and has the following format:
"imagePolicy": {
"kubeConfigFile": "path/to/kubeconfig/for/backend", ```yaml
"allowTTL": 50, // time in s to cache approval imagePolicy:
"denyTTL": 50, // time in s to cache denial kubeConfigFile: /path/to/kubeconfig/for/backend
"retryBackoff": 500, // time in ms to wait between retries # time in s to cache approval
"defaultAllow": true // determines behavior if the webhook backend fails allowTTL: 50
} # time in s to cache denial
} denyTTL: 50
# time in ms to wait between retries
retryBackoff: 500
# determines behavior if the webhook backend fails
defaultAllow: true
``` ```
The config file must reference a [kubeconfig](/docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/) formatted file which sets up the connection to the backend. It is required that the backend communicate over TLS. Reference the ImagePolicyWebhook configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
```yaml
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: ImagePolicyWebhook
path: imagepolicyconfig.yaml
...
```
The ImagePolicyWebhook config file must reference a [kubeconfig](/docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/) formatted file which sets up the connection to the backend. It is required that the backend communicate over TLS.
The kubeconfig file's cluster field must point to the remote service, and the user field must contain the returned authorizer. The kubeconfig file's cluster field must point to the remote service, and the user field must contain the returned authorizer.
@ -409,10 +433,9 @@ a different zone.
This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration. This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration.
#### Configuration File Format #### Configuration File Format
PodNodeSelector uses the admission config file `--admission-control-config-file` to set configuration options for the behavior of the backend.
PodNodeSelector uses a configuration file to set options for the behavior of the backend.
Note that the configuration file format will move to a versioned file in a future release. Note that the configuration file format will move to a versioned file in a future release.
This file may be json or yaml and has the following format: This file may be json or yaml and has the following format:
```yaml ```yaml
@ -422,6 +445,17 @@ podNodeSelectorPluginConfig:
namespace2: <node-selectors-labels> namespace2: <node-selectors-labels>
``` ```
Reference the PodNodeSelector configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
```yaml
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: PodNodeSelector
path: podnodeselector.yaml
...
```
#### Configuration Annotation Format #### Configuration Annotation Format
PodNodeSelector uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces. PodNodeSelector uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.