- Sort Score
- Result 10 results
- Languages All
Results 1 - 10 of 21 for NodeRestriction (0.18 sec)
-
pkg/kubeapiserver/options/plugins.go
antiaffinity.PluginName, // LimitPodHardAntiAffinityTopology limitranger.PluginName, // LimitRanger serviceaccount.PluginName, // ServiceAccount noderestriction.PluginName, // NodeRestriction nodetaint.PluginName, // TaintNodesByCondition alwayspullimages.PluginName, // AlwaysPullImages imagepolicy.PluginName, // ImagePolicyWebhook
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Mon May 20 17:20:46 UTC 2024 - 8.2K bytes - Viewed (0) -
pkg/kubeapiserver/options/admission_test.go
options.GenericAdmission.EnablePlugins = []string{"NodeRestriction"} if len(options.Validate()) == 0 { t.Errorf("Expect error, but got none") } // 2. Both `--admission-control` and `--disable-admission-plugins` are specified options = NewAdmissionOptions() options.PluginNames = []string{"ServiceAccount"} options.GenericAdmission.DisablePlugins = []string{"NodeRestriction"} if len(options.Validate()) == 0 {
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Thu Dec 15 01:51:35 UTC 2022 - 3.4K bytes - Viewed (0) -
cmd/kubeadm/app/phases/controlplane/manifests_test.go
CertificatesDir: testCertsDir, }, endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"}, expected: []string{ "kube-apiserver", "--enable-admission-plugins=NodeRestriction", "--service-cluster-ip-range=bar", "--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"), "--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Sun Mar 03 14:43:47 UTC 2024 - 48.5K bytes - Viewed (0) -
plugin/pkg/auth/authorizer/node/node_authorizer.go
// edge from the existing slice object to the node, which is the case if the // existing object has the node in its NodeName field. For create, the access gets // granted because the noderestriction admission plugin checks that the NodeName // is set to the node. // 5. For other resources, authorize all nodes uniformly using statically defined rules type NodeAuthorizer struct { graph *Graph
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Thu Mar 07 21:22:55 UTC 2024 - 16K bytes - Viewed (0) -
staging/src/k8s.io/api/core/v1/well_known_labels.go
LabelNamespaceSuffixNode = "node.kubernetes.io" // LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled LabelNamespaceNodeRestriction = "node-restriction.kubernetes.io" // IsHeadlessService is added by Controller to an Endpoint denoting if its parent
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Wed Jul 19 00:36:22 UTC 2023 - 3.8K bytes - Viewed (0) -
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
// Needed for the node to create/delete mirror pods. // Use the NodeRestriction admission plugin to limit a node to creating/deleting mirror pods bound to itself. rbacv1helpers.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(), // Needed for the node to report status of pods it is running. // Use the NodeRestriction admission plugin to limit a node to updating status of pods bound to itself.
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Fri Mar 08 19:25:10 UTC 2024 - 34.4K bytes - Viewed (0) -
plugin/pkg/admission/noderestriction/admission.go
// PluginName is a string with the name of the plugin const PluginName = "NodeRestriction" // Register registers a plugin func Register(plugins *admission.Plugins) { plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) { return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier()), nil }) } // NewPlugin creates a new NodeRestriction admission plugin. // This plugin identifies requests from nodes
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Thu Mar 07 21:22:55 UTC 2024 - 23.6K bytes - Viewed (0) -
cmd/kubeadm/app/phases/controlplane/manifests.go
defaultArguments := []kubeadmapi.Arg{ {Name: "advertise-address", Value: localAPIEndpoint.AdvertiseAddress}, {Name: "enable-admission-plugins", Value: "NodeRestriction"}, {Name: "service-cluster-ip-range", Value: cfg.Networking.ServiceSubnet}, {Name: "service-account-key-file", Value: filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPublicKeyName)},
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Sun Mar 03 14:43:47 UTC 2024 - 17.8K bytes - Viewed (0) -
plugin/pkg/auth/authorizer/node/graph.go
// Short-circuit adding edges to other resources for mirror pods. // A node must never be able to create a pod that grants them permissions on other API objects. // The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth. if _, isMirrorPod := pod.Annotations[corev1.MirrorPodAnnotationKey]; isMirrorPod { return }
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Thu Mar 07 21:22:55 UTC 2024 - 17.5K bytes - Viewed (0) -
cluster/gce/config-test.sh
fi CUSTOM_INGRESS_YAML=${CUSTOM_INGRESS_YAML:-} if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then ADMISSION_CONTROL='NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,PersistentVolumeClaimResize,RuntimeClass' # ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
Registered: Sat Jun 15 01:39:40 UTC 2024 - Last Modified: Thu Apr 18 17:20:24 UTC 2024 - 29.8K bytes - Viewed (0)