
Add ResourceQuota plugin configuration (#11814)

This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.
pull/11826/head
Chad Swenson 4 months ago
committed by GitHub
parent
commit
2fbf4806ed
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
3 changed files with 20 additions and 0 deletions
  1. 11
      roles/kubernetes/control-plane/defaults/main/main.yml
  2. 8
      roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
  3. 1
      roles/kubernetes/control-plane/vars/main.yaml

11
roles/kubernetes/control-plane/defaults/main/main.yml

@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value> # cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits: {} kube_apiserver_admission_event_rate_limits: {}
## PodSecurityAdmission plugin configuration
kube_pod_security_use_default: false kube_pod_security_use_default: false
kube_pod_security_default_enforce: baseline kube_pod_security_default_enforce: baseline
kube_pod_security_default_enforce_version: "{{ kube_major_version }}" kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
kube_pod_security_exemptions_namespaces: kube_pod_security_exemptions_namespaces:
- kube-system - kube-system
## ResourceQuota plugin configuration
## Resources that ResourceQuota should limit by default if no quota exists
## Example below enforces quota on all storage classes
# kube_resource_quota_limited_resources:
# - apiGroup: ""
# resource: persistentvolumeclaims
# matchContains:
# - .storageclass.storage.k8s.io/requests.storage
kube_resource_quota_limited_resources: []
# 1.10+ list of disabled admission plugins # 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins: [] kube_apiserver_disable_admission_plugins: []
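Review bot: The comment block added above `kube_resource_quota_limited_resources` does not say what else must be switched on for the setting to take effect. The first hunk header shows `kube_apiserver_admission_control_config_file: false` as the default. If the per-plugin configuration files are only rendered and passed to the API server when that flag is true (the tasks that decide this are outside this diff), a non-empty list here would be ignored without warning and the cluster would run without the default quota the operator expects. I would add a line such as `## Only applied when kube_apiserver_admission_control_config_file is true and the ResourceQuota admission plugin is enabled`.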

8
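--- a/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
@@ -0,0 +1,8 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: ResourceQuotaConfiguration
+{% if kube_resource_quota_limited_resources | d(false) -%}
+limitedResources:
+{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
+{% else %}
+# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
+{%- endif %}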
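Review bot: The guard `{% if kube_resource_quota_limited_resources | d(false) -%}` only tests truthiness, so a non-empty string or mapping set by mistake in the inventory is rendered under `limitedResources:` unchanged. The API server would then presumably fail to load its admission configuration, so an inventory typo surfaces as a control-plane start-up failure rather than a playbook error. Rejecting wrong types before templating would catch this earlier, for example with an `assert` task whose condition is `kube_resource_quota_limited_resources is not string and kube_resource_quota_limited_resources is not mapping`. The `{% else %}` branch also fails open: a misspelled variable name yields a valid file with no limits, so the fallback comment should state that no default quota is being enforced.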

1
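--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
 - ImagePolicyWebhook
 - PodSecurity
 - PodNodeSelector
+- ResourceQuota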