[zh] sync admission-controllers.md

pull/42379/head
windsonsea 2023-08-04 10:14:37 +08:00
parent e168005b37
commit c035f29749
1 changed files with 169 additions and 0 deletions


@ -204,6 +204,11 @@ the `admissionregistration.k8s.io/v1alpha1` API.
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}} {{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller allows all pods into the cluster. It is **deprecated** because This admission controller allows all pods into the cluster. It is **deprecated** because
its behavior is the same as if there were no admission controller at all. its behavior is the same as if there were no admission controller at all.
@ -214,6 +219,11 @@ its behavior is the same as if there were no admission controller at all.
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}} {{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
Rejects all requests. AlwaysDeny is **deprecated** as it has no real meaning. Rejects all requests. AlwaysDeny is **deprecated** as it has no real meaning.
--> -->
@ -238,6 +248,11 @@ required.
### CertificateApproval {#certificateapproval} ### CertificateApproval {#certificateapproval}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller observes requests to approve CertificateSigningRequest resources and performs additional This admission controller observes requests to approve CertificateSigningRequest resources and performs additional
authorization checks to ensure the approving user has permission to **approve** certificate requests with the authorization checks to ensure the approving user has permission to **approve** certificate requests with the
@ -256,6 +271,11 @@ information on the permissions required to perform different actions on Certific
### CertificateSigning {#certificatesigning} ### CertificateSigning {#certificatesigning}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller observes updates to the `status.certificate` field of CertificateSigningRequest resources This admission controller observes updates to the `status.certificate` field of CertificateSigningRequest resources
and performs an additional authorization checks to ensure the signing user has permission to **sign** certificate and performs an additional authorization checks to ensure the signing user has permission to **sign** certificate
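Review bot: out of scope for this sync, but the English context line "performs an additional authorization checks" mixes singular and plural ("an additional ... checks"); it should read either "performs an additional authorization check" or "performs additional authorization checks", and that fix belongs in the upstream English source so the next sync picks it up. The added `**Type**: Validating.` / `**类别**:验证。` pair itself follows the same comment-then-translation layout as the CertificateApproval section above.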
@ -274,6 +294,11 @@ information on the permissions required to perform different actions on Certific
### CertificateSubjectRestriction {#certificatesubjectrestriction} ### CertificateSubjectRestriction {#certificatesubjectrestriction}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller observes creation of CertificateSigningRequest resources that have a `spec.signerName` This admission controller observes creation of CertificateSigningRequest resources that have a `spec.signerName`
of `kubernetes.io/kube-apiserver-client`. It rejects any request that specifies a 'group' (or 'organization attribute') of `kubernetes.io/kube-apiserver-client`. It rejects any request that specifies a 'group' (or 'organization attribute')
@ -285,6 +310,11 @@ CertificateSigningRequest 资源创建请求,并拒绝所有将 “group”
### DefaultIngressClass {#defaultingressclass} ### DefaultIngressClass {#defaultingressclass}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller observes creation of `Ingress` objects that do not request any specific This admission controller observes creation of `Ingress` objects that do not request any specific
ingress class and automatically adds a default ingress class to them. This way, users that do not ingress class and automatically adds a default ingress class to them. This way, users that do not
@ -316,6 +346,11 @@ classes and how to mark one as default.
### DefaultStorageClass {#defaultstorageclass} ### DefaultStorageClass {#defaultstorageclass}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller observes creation of `PersistentVolumeClaim` objects that do not request any specific storage class This admission controller observes creation of `PersistentVolumeClaim` objects that do not request any specific storage class
and automatically adds a default storage class to them. and automatically adds a default storage class to them.
@ -346,6 +381,11 @@ storage classes and how to mark a storage class as default.
### DefaultTolerationSeconds {#defaulttolerationseconds} ### DefaultTolerationSeconds {#defaulttolerationseconds}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller sets the default forgiveness toleration for pods to tolerate This admission controller sets the default forgiveness toleration for pods to tolerate
the taints `notready:NoExecute` and `unreachable:NoExecute` based on the k8s-apiserver input parameters the taints `notready:NoExecute` and `unreachable:NoExecute` based on the k8s-apiserver input parameters
@ -364,6 +404,11 @@ The default value for `default-not-ready-toleration-seconds` and `default-unreac
### DenyServiceExternalIPs {#denyserviceexternalips} ### DenyServiceExternalIPs {#denyserviceexternalips}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller rejects all net-new usage of the `Service` field `externalIPs`. This This admission controller rejects all net-new usage of the `Service` field `externalIPs`. This
feature is very powerful (allows network traffic interception) and not well feature is very powerful (allows network traffic interception) and not well
@ -393,6 +438,11 @@ This admission controller is disabled by default.
{{< feature-state for_k8s_version="v1.13" state="alpha" >}} {{< feature-state for_k8s_version="v1.13" state="alpha" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller mitigates the problem where the API server gets flooded by This admission controller mitigates the problem where the API server gets flooded by
requests to store new Events. The cluster admin can specify event rate limits by: requests to store new Events. The cluster admin can specify event rate limits by:
@ -465,6 +515,11 @@ This admission controller is disabled by default.
### ExtendedResourceToleration {#extendedresourcetoleration} ### ExtendedResourceToleration {#extendedresourcetoleration}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This plug-in facilitates creation of dedicated nodes with extended resources. This plug-in facilitates creation of dedicated nodes with extended resources.
If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to
@ -485,6 +540,11 @@ This admission controller is disabled by default.
### ImagePolicyWebhook {#imagepolicywebhook} ### ImagePolicyWebhook {#imagepolicywebhook}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions. The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions.
@ -753,6 +813,11 @@ In any case, the annotations are provided by the user and are not validated by K
### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology} ### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller denies any pod that defines `AntiAffinity` topology key other than This admission controller denies any pod that defines `AntiAffinity` topology key other than
`kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`. `kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`.
@ -766,6 +831,11 @@ This admission controller is disabled by default.
### LimitRanger {#limitranger} ### LimitRanger {#limitranger}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!-- <!--
This admission controller will observe the incoming request and ensure that it does not violate This admission controller will observe the incoming request and ensure that it does not violate
any of the constraints enumerated in the `LimitRange` object in a `Namespace`. If you are using any of the constraints enumerated in the `LimitRange` object in a `Namespace`. If you are using
@ -790,6 +860,11 @@ for more details.
### MutatingAdmissionWebhook {#mutatingadmissionwebhook} ### MutatingAdmissionWebhook {#mutatingadmissionwebhook}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller calls any mutating webhooks which match the request. Matching This admission controller calls any mutating webhooks which match the request. Matching
webhooks are called in serial; each one may modify the object if it desires. webhooks are called in serial; each one may modify the object if it desires.
@ -844,6 +919,11 @@ group/version via the `--runtime-config` flag, both are on by default.
### NamespaceAutoProvision {#namespaceautoprovision} ### NamespaceAutoProvision {#namespaceautoprovision}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller examines all incoming requests on namespaced resources and checks This admission controller examines all incoming requests on namespaced resources and checks
if the referenced namespace does exist. if the referenced namespace does exist.
@ -857,6 +937,11 @@ a namespace prior to its usage.
### NamespaceExists {#namespaceexists} ### NamespaceExists {#namespaceexists}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller checks all requests on namespaced resources other than `Namespace` itself. This admission controller checks all requests on namespaced resources other than `Namespace` itself.
If the namespace referenced from a request doesn't exist, the request is rejected. If the namespace referenced from a request doesn't exist, the request is rejected.
@ -866,6 +951,11 @@ If the namespace referenced from a request doesn't exist, the request is rejecte
### NamespaceLifecycle {#namespacelifecycle} ### NamespaceLifecycle {#namespacelifecycle}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller enforces that a `Namespace` that is undergoing termination cannot have This admission controller enforces that a `Namespace` that is undergoing termination cannot have
new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected. new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected.
@ -886,6 +976,11 @@ running this admission controller.
### NodeRestriction {#noderestriction} ### NodeRestriction {#noderestriction}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller, This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller,
kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`. kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
@ -943,6 +1038,11 @@ permissions required to operate correctly.
### OwnerReferencesPermissionEnforcement {#ownerreferencespermissionenforcement} ### OwnerReferencesPermissionEnforcement {#ownerreferencespermissionenforcement}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller protects the access to the `metadata.ownerReferences` of an object This admission controller protects the access to the `metadata.ownerReferences` of an object
so that only users with **delete** permission to the object can change it. so that only users with **delete** permission to the object can change it.
@ -960,6 +1060,11 @@ subresource of the referenced *owner* can change it.
{{< feature-state for_k8s_version="v1.24" state="stable" >}} {{< feature-state for_k8s_version="v1.24" state="stable" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller implements additional validations for checking incoming This admission controller implements additional validations for checking incoming
`PersistentVolumeClaim` resize requests. `PersistentVolumeClaim` resize requests.
@ -1003,6 +1108,11 @@ For more information about persistent volume claims, see [PersistentVolumeClaims
{{< feature-state for_k8s_version="v1.13" state="deprecated" >}} {{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller automatically attaches region or zone labels to PersistentVolumes This admission controller automatically attaches region or zone labels to PersistentVolumes
as defined by the cloud provider (for example, Azure or GCP). as defined by the cloud provider (for example, Azure or GCP).
@ -1027,6 +1137,11 @@ This admission controller is disabled by default.
{{< feature-state for_k8s_version="v1.5" state="alpha" >}} {{< feature-state for_k8s_version="v1.5" state="alpha" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller defaults and limits what node selectors may be used within a namespace This admission controller defaults and limits what node selectors may be used within a namespace
by reading a namespace annotation and a global configuration. by reading a namespace annotation and a global configuration.
@ -1133,6 +1248,11 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
{{< feature-state for_k8s_version="v1.25" state="stable" >}} {{< feature-state for_k8s_version="v1.25" state="stable" >}}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
The PodSecurity admission controller checks new Pods before they are The PodSecurity admission controller checks new Pods before they are
admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
@ -1159,6 +1279,11 @@ PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器。
{{< feature-state for_k8s_version="v1.7" state="alpha" >}} {{< feature-state for_k8s_version="v1.7" state="alpha" >}}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!-- <!--
The PodTolerationRestriction admission controller verifies any conflict between tolerations of a The PodTolerationRestriction admission controller verifies any conflict between tolerations of a
pod and the tolerations of its namespace. pod and the tolerations of its namespace.
@ -1211,17 +1336,26 @@ This admission controller is disabled by default.
<!-- <!--
### Priority {#priority} ### Priority {#priority}
**Type**: Mutating and Validating.
The priority admission controller uses the `priorityClassName` field and populates the integer The priority admission controller uses the `priorityClassName` field and populates the integer
value of the priority. value of the priority.
If the priority class is not found, the Pod is rejected. If the priority class is not found, the Pod is rejected.
--> -->
### 优先级 {#priority} ### 优先级 {#priority}
**类别**:变更和验证。
优先级准入控制器使用 `priorityClassName` 字段并用整型值填充优先级。 优先级准入控制器使用 `priorityClassName` 字段并用整型值填充优先级。
如果找不到优先级,则拒绝 Pod。 如果找不到优先级,则拒绝 Pod。
### ResourceQuota {#resourcequota} ### ResourceQuota {#resourcequota}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller will observe the incoming request and ensure that it does not violate This admission controller will observe the incoming request and ensure that it does not violate
any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`. If you are any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`. If you are
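Review bot: in the Priority part of this hunk the `**Type**: Mutating and Validating.` line is placed inside the existing English `<!-- ... -->` block and `**类别**:变更和验证。` directly under `### 优先级 {#priority}`, which differs from every other section in this change (own `<!-- -->` block for the Type line); that is acceptable because the whole Priority section is already one comment block, but please confirm a blank line follows `**类别**:变更和验证。` so Markdown renders it as its own paragraph rather than merging it into "优先级准入控制器使用 ...". The ResourceQuota part of the hunk matches the pattern used elsewhere.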
@ -1242,6 +1376,11 @@ and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for
### RuntimeClass {#runtimeclass} ### RuntimeClass {#runtimeclass}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!-- <!--
If you define a RuntimeClass with [Pod overhead](/docs/concepts/scheduling-eviction/pod-overhead/) If you define a RuntimeClass with [Pod overhead](/docs/concepts/scheduling-eviction/pod-overhead/)
configured, this admission controller checks incoming Pods. configured, this admission controller checks incoming Pods.
@ -1264,6 +1403,11 @@ for more information.
### SecurityContextDeny {#securitycontextdeny} ### SecurityContextDeny {#securitycontextdeny}
<!--
**Type**: Validating.
-->
**类别**:验证。
{{< feature-state for_k8s_version="v1.27" state="deprecated" >}} {{< feature-state for_k8s_version="v1.27" state="deprecated" >}}
{{< caution >}} {{< caution >}}
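Review bot: ordering is inconsistent with the rest of this change: here the `**Type**: Validating.` block is inserted before `{{< feature-state for_k8s_version="v1.27" state="deprecated" >}}`, whereas in AlwaysAdmit, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity and PodTolerationRestriction the feature-state shortcode comes first and the Type block follows it. Unless the English source deliberately orders SecurityContextDeny this way, move the `<!-- **Type**: Validating. -->` / `**类别**:验证。` lines below the feature-state shortcode so all sections render the same way.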
@ -1333,6 +1477,11 @@ article details the PodSecurityPolicy historical context and the birth of the
### ServiceAccount {#serviceaccount} ### ServiceAccount {#serviceaccount}
<!--
**Type**: Mutating and Validating.
-->
**类别**:变更和验证。
<!-- <!--
This admission controller implements automation for This admission controller implements automation for
[serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/). [serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/).
@ -1347,6 +1496,11 @@ You should enable this admission controller if you intend to make any use of Kub
### StorageObjectInUseProtection {#storageobjectinuseprotection} ### StorageObjectInUseProtection {#storageobjectinuseprotection}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection`
finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV). finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV).
@ -1364,6 +1518,11 @@ for more detailed information.
### TaintNodesByCondition {#taintnodesbycondition} ### TaintNodesByCondition {#taintnodesbycondition}
<!--
**Type**: Mutating.
-->
**类别**:变更。
<!-- <!--
This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created
Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods
@ -1377,6 +1536,11 @@ conditions.
### ValidatingAdmissionPolicy {#validatingadmissionpolicy} ### ValidatingAdmissionPolicy {#validatingadmissionpolicy}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests. [This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests.
It is enabled when both feature gate `validatingadmissionpolicy` and `admissionregistration.k8s.io/v1alpha1` group/version are enabled. It is enabled when both feature gate `validatingadmissionpolicy` and `admissionregistration.k8s.io/v1alpha1` group/version are enabled.
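Review bot: the added Type line is correct, but the unchanged context line refers to the feature gate as `validatingadmissionpolicy` in lowercase; Kubernetes feature gate names are CamelCase (`ValidatingAdmissionPolicy`), so a reader copying that name into `--feature-gates` would get it wrong. This is pre-existing text and should be corrected in the upstream English file first, then carried into the Chinese line in the next sync.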
@ -1388,6 +1552,11 @@ CEL 校验。当 `validatingadmissionpolicy` 和 `admissionregistration.k8s.io/v
### ValidatingAdmissionWebhook {#validatingadmissionwebhook} ### ValidatingAdmissionWebhook {#validatingadmissionwebhook}
<!--
**Type**: Validating.
-->
**类别**:验证。
<!-- <!--
This admission controller calls any validating webhooks which match the request. Matching This admission controller calls any validating webhooks which match the request. Matching
webhooks are called in parallel; if any of them rejects the request, the request webhooks are called in parallel; if any of them rejects the request, the request