Merge pull request #42379 from windsonsea/admcon

[zh] sync admission-controllers.md
pull/42393/head
Kubernetes Prow Robot 2023-08-04 08:58:24 -07:00 committed by GitHub
commit ac9880b608
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 169 additions and 0 deletions


@ -204,6 +204,11 @@ the `admissionregistration.k8s.io/v1alpha1` API.
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller allows all pods into the cluster. It is **deprecated** because
its behavior is the same as if there were no admission controller at all.
@ -214,6 +219,11 @@ its behavior is the same as if there were no admission controller at all.
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
Rejects all requests. AlwaysDeny is **deprecated** as it has no real meaning.
-->
@ -238,6 +248,11 @@ required.
### CertificateApproval {#certificateapproval}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller observes requests to approve CertificateSigningRequest resources and performs additional
authorization checks to ensure the approving user has permission to **approve** certificate requests with the
@ -256,6 +271,11 @@ information on the permissions required to perform different actions on Certific
### CertificateSigning {#certificatesigning}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller observes updates to the `status.certificate` field of CertificateSigningRequest resources
and performs an additional authorization checks to ensure the signing user has permission to **sign** certificate
@ -274,6 +294,11 @@ information on the permissions required to perform different actions on Certific
### CertificateSubjectRestriction {#certificatesubjectrestriction}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller observes creation of CertificateSigningRequest resources that have a `spec.signerName`
of `kubernetes.io/kube-apiserver-client`. It rejects any request that specifies a 'group' (or 'organization attribute')
@ -285,6 +310,11 @@ CertificateSigningRequest 资源创建请求,并拒绝所有将 “group”
### DefaultIngressClass {#defaultingressclass}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller observes creation of `Ingress` objects that do not request any specific
ingress class and automatically adds a default ingress class to them. This way, users that do not
@ -316,6 +346,11 @@ classes and how to mark one as default.
### DefaultStorageClass {#defaultstorageclass}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller observes creation of `PersistentVolumeClaim` objects that do not request any specific storage class
and automatically adds a default storage class to them.
@ -346,6 +381,11 @@ storage classes and how to mark a storage class as default.
### DefaultTolerationSeconds {#defaulttolerationseconds}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller sets the default forgiveness toleration for pods to tolerate
the taints `notready:NoExecute` and `unreachable:NoExecute` based on the k8s-apiserver input parameters
@ -364,6 +404,11 @@ The default value for `default-not-ready-toleration-seconds` and `default-unreac
### DenyServiceExternalIPs {#denyserviceexternalips}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller rejects all net-new usage of the `Service` field `externalIPs`. This
feature is very powerful (allows network traffic interception) and not well
@ -393,6 +438,11 @@ This admission controller is disabled by default.
{{< feature-state for_k8s_version="v1.13" state="alpha" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller mitigates the problem where the API server gets flooded by
requests to store new Events. The cluster admin can specify event rate limits by:
@ -465,6 +515,11 @@ This admission controller is disabled by default.
### ExtendedResourceToleration {#extendedresourcetoleration}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This plug-in facilitates creation of dedicated nodes with extended resources.
If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to
@ -485,6 +540,11 @@ This admission controller is disabled by default.
### ImagePolicyWebhook {#imagepolicywebhook}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions.
@ -753,6 +813,11 @@ In any case, the annotations are provided by the user and are not validated by K
### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller denies any pod that defines `AntiAffinity` topology key other than
`kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`.
@ -766,6 +831,11 @@ This admission controller is disabled by default.
### LimitRanger {#limitranger}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!--
This admission controller will observe the incoming request and ensure that it does not violate
any of the constraints enumerated in the `LimitRange` object in a `Namespace`. If you are using
@ -790,6 +860,11 @@ for more details.
### MutatingAdmissionWebhook {#mutatingadmissionwebhook}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller calls any mutating webhooks which match the request. Matching
webhooks are called in serial; each one may modify the object if it desires.
@ -844,6 +919,11 @@ group/version via the `--runtime-config` flag, both are on by default.
### NamespaceAutoProvision {#namespaceautoprovision}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller examines all incoming requests on namespaced resources and checks
if the referenced namespace does exist.
@ -857,6 +937,11 @@ a namespace prior to its usage.
### NamespaceExists {#namespaceexists}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller checks all requests on namespaced resources other than `Namespace` itself.
If the namespace referenced from a request doesn't exist, the request is rejected.
@ -866,6 +951,11 @@ If the namespace referenced from a request doesn't exist, the request is rejecte
### NamespaceLifecycle {#namespacelifecycle}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller enforces that a `Namespace` that is undergoing termination cannot have
new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected.
@ -886,6 +976,11 @@ running this admission controller.
### NodeRestriction {#noderestriction}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller,
kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
@ -943,6 +1038,11 @@ permissions required to operate correctly.
### OwnerReferencesPermissionEnforcement {#ownerreferencespermissionenforcement}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller protects the access to the `metadata.ownerReferences` of an object
so that only users with **delete** permission to the object can change it.
@ -960,6 +1060,11 @@ subresource of the referenced *owner* can change it.
{{< feature-state for_k8s_version="v1.24" state="stable" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller implements additional validations for checking incoming
`PersistentVolumeClaim` resize requests.
@ -1003,6 +1108,11 @@ For more information about persistent volume claims, see [PersistentVolumeClaims
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller automatically attaches region or zone labels to PersistentVolumes
as defined by the cloud provider (for example, Azure or GCP).
@ -1027,6 +1137,11 @@ This admission controller is disabled by default.
{{< feature-state for_k8s_version="v1.5" state="alpha" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller defaults and limits what node selectors may be used within a namespace
by reading a namespace annotation and a global configuration.
@ -1133,6 +1248,11 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
{{< feature-state for_k8s_version="v1.25" state="stable" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
The PodSecurity admission controller checks new Pods before they are
admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
@ -1159,6 +1279,11 @@ PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器。
{{< feature-state for_k8s_version="v1.7" state="alpha" >}}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!--
The PodTolerationRestriction admission controller verifies any conflict between tolerations of a
pod and the tolerations of its namespace.
@ -1211,17 +1336,26 @@ This admission controller is disabled by default.
<!--
### Priority {#priority}
**Type**: Mutating and Validating.
The priority admission controller uses the `priorityClassName` field and populates the integer
value of the priority.
If the priority class is not found, the Pod is rejected.
-->
### 优先级 {#priority}
**类别**:变更和验证。
优先级准入控制器使用 `priorityClassName` 字段并用整型值填充优先级。
如果找不到优先级,则拒绝 Pod。
### ResourceQuota {#resourcequota}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller will observe the incoming request and ensure that it does not violate
any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`. If you are
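Review bot: the translated heading `### 优先级 {#priority}` in this hunk breaks the naming convention used by every other section in the patch, where the admission controller's name is kept as-is in the heading (`### ResourceQuota {#resourcequota}`, `### RuntimeClass {#runtimeclass}`); since `Priority` is the controller's identifier, keep `### Priority {#priority}` and translate only the body. In the same block, the sentence `如果找不到优先级,则拒绝 Pod。` drops the word "class" from the English `If the priority class is not found, the Pod is rejected.`; `如果找不到优先级类,则拒绝 Pod。` keeps the meaning that it is the referenced PriorityClass, not a priority value, that is missing.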
@ -1242,6 +1376,11 @@ and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for
### RuntimeClass {#runtimeclass}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!--
If you define a RuntimeClass with [Pod overhead](/docs/concepts/scheduling-eviction/pod-overhead/)
configured, this admission controller checks incoming Pods.
@ -1264,6 +1403,11 @@ for more information.
### SecurityContextDeny {#securitycontextdeny}
<!--
**Type**: Validating.
-->
**类别**:验证。
{{< feature-state for_k8s_version="v1.27" state="deprecated" >}}
{{< caution >}}
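Review bot: in this hunk the new `**类别**:验证。` line (and the English `**Type**` comment above it) sit before the `{{< feature-state for_k8s_version="v1.27" state="deprecated" >}}` shortcode, whereas in the AlwaysAdmit, AlwaysDeny, EventRateLimit and PodSecurity hunks the feature-state shortcode precedes the Type line. If this mirrors the upstream English file the sync is correct as written; otherwise move the shortcode above the Type comment so the deprecation badge renders in the same position as in the other sections.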
@ -1333,6 +1477,11 @@ article details the PodSecurityPolicy historical context and the birth of the
### ServiceAccount {#serviceaccount}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!--
This admission controller implements automation for
[serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/).
@ -1347,6 +1496,11 @@ You should enable this admission controller if you intend to make any use of Kub
### StorageObjectInUseProtection {#storageobjectinuseprotection}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection`
finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV).
@ -1364,6 +1518,11 @@ for more detailed information.
### TaintNodesByCondition {#taintnodesbycondition}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!--
This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created
Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods
@ -1377,6 +1536,11 @@ conditions.
### ValidatingAdmissionPolicy {#validatingadmissionpolicy}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests.
It is enabled when both feature gate `validatingadmissionpolicy` and `admissionregistration.k8s.io/v1alpha1` group/version are enabled.
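Review bot: the context line `It is enabled when both feature gate \`validatingadmissionpolicy\` and ...` and its translation in the trailing context spell the feature gate in lowercase; Kubernetes feature gates are CamelCase (`ValidatingAdmissionPolicy`), so a reader copying the name into `--feature-gates` would get a non-existent gate. This is inherited from the English source rather than introduced by the hunk, but worth fixing upstream and carrying into the Chinese text in the same sync.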
@ -1388,6 +1552,11 @@ CEL 校验。当 `validatingadmissionpolicy` 和 `admissionregistration.k8s.io/v
### ValidatingAdmissionWebhook {#validatingadmissionwebhook}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!--
This admission controller calls any validating webhooks which match the request. Matching
webhooks are called in parallel; if any of them rejects the request, the request